Solutions for Handling Dynamically Addressed Peers
There often exist areas of IPSec design that could benefit from more flexible peering options. From this demand arose the creation of solutions to handle dynamically addressed IPSec peers. Although these solutions are used less frequently than the static peering design alternatives that we have discussed in previous chapters, they are commonly deployed when network designers anticipate that they will not know the addresses of certain remote IPSec peers within their greater VPN implementation. Dynamic peering solutions can add value to situations in which the peer of an IPSec VPN is not known in advance or is anticipated to change over time.
For Cisco IOS and ASA-based IPSec VPN implementations, dynamic crypto maps were created as the foundation for addressing the need for dynamic peering alternatives. Tunnel Endpoint Discovery (TED) extends the functionality of dynamic crypto maps, enabling the local peer to proactively discover remote IPSec VPN peers, the addresses of which are unknown. This chapter explores the design issues surrounding the two core components of dynamic peering solutions: dynamic crypto maps and TED.
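The two components described above, shown together in a hub-router IOS configuration. This is an added example, not a configuration from the book; the map names, ACL number, interface and addresses are constructed, and the key is a labelled placeholder.

```cisco
! Hub router (IOS). Constructed example: names, addresses and ACL are assumed.
! Phase 1 policy. Because the remote addresses are unknown, the key cannot be
! bound to a specific peer; a wildcard pre-shared key is one secret shared by
! every unknown peer, so certificate authentication (rsa-sig) is preferred.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key CHANGE-ME-PLACEHOLDER address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic the hub may need to originate toward remote sites.
! With TED this ACL drives the discovery probe; without TED the dynamic map
! can only respond to tunnels initiated by the remote peer.
access-list 101 permit ip 10.0.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! Dynamic crypto map: a template with no "set peer". The peer address is
! learned from whichever remote initiates IKE (or from a TED reply).
! reverse-route injects a static route for the negotiated remote proxy.
crypto dynamic-map DYN 10
 set transform-set TS
 match address 101
 reverse-route
!
! Attach the dynamic map as the highest sequence number so any static
! crypto map entries on this router are evaluated first. The "discover"
! keyword enables TED, letting this router probe toward destinations in
! ACL 101 and build a tunnel to the peer that answers.
crypto map VPN 65535 ipsec-isakmp dynamic DYN discover
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
```

TED probes travel to the real destination address, so a remote peer behind NAT, or a path that drops the probe, will never be discovered; verify with `show crypto isakmp sa` and `show crypto ipsec sa` that the learned peer and proxy identities are the ones expected.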