Option: Configuring IPSec Dynamic Endpoints

IPSec tunnels can also be established using dynamic peer security gateways, in which the remote end of the tunnels do not have a statically assigned IPv4 or IPv6 address. Since the remote address is not known and is assigned from an address pool each time the remote host reboots, establishment of the tunnel relies on using IKE main mode with preshared global keys. Both policy-based and link-type tunnels are supported as follows:

• Policy-based tunnels used shared mode.
• Link-type or routed tunnels use dedicated mode. Each tunnel allocates a service interface from a pool of interfaces configured for the dynamic peers. Routing protocols can be configured to run on these service interfaces to learn routes over the IPSec tunnel that is used as a link.

This section includes the following topics:

• Dynamic Endpoint Tunnel Architecture
• Configuring an IKE Access Profile
• Configuring the Service Set
• Configuring the Interface Identifier