IPsec site-to-site migration: how?

Hello Folks!

I am not much into this topic. Almost 8 years ago we got help setting up site-to-site IPsec tunnels between our two sites; it has been working flawlessly all these years and still does.
There are many networks at both sites which communicate with each other.

Now we are abandoning one of our ISPs, and it will be replaced with one that does not offer a fixed IP; it will be a DHCP address that changes now and then.

From reading the manuals I understand that I need to set up a peer with address 0.0.0.0:500 and generate-policy=yes.

But then I don't know what to do with the very many policy Actions we have on both sites for the connections between all the site-to-site networks.
In Policy Action it is required to fill in SA Src. Address and SA Dst. Address.

I could put in the DHCP address there manually, but it will be lost in a couple of hours and then everything breaks down. How do I solve this?

I have looked around in the forums and on the internet; it seems like the only way is to make some more or less unreliable script that needs to be run by the scheduler, updating the IPsec settings.
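For readers with the same problem, here is what such a scheduler script looks like on the router that sits behind the DHCP address. This is an added example, not code from the original poster: it assumes the WAN interface is called "ether1-wan", that the policies on this side are ordinary (non-template) policies whose sa-src-address must follow the WAN address, and that the static side is already set up with a 0.0.0.0 peer and generated policies as described in the post. Only the DHCP side needs a script, because the peer address it points at (the static remote IP) never changes; what changes is its own SA source address.

```routeros
# Added example (not from the original post): RouterOS scheduler script for the
# router on the DHCP side of the tunnel. The interface name "ether1-wan" is an
# assumption; adjust it to the real WAN interface.
:local wanIf "ether1-wan"

# Pick up the address the DHCP client currently holds on the WAN interface.
:local ids [/ip address find interface=$wanIf dynamic=yes]
:if ([:len $ids] != 1) do={
    :log warning "ipsec-sa-update: expected one dynamic address on $wanIf, found $[:len $ids]"
    :error "ipsec-sa-update: no usable WAN address"
}
:local wanAddr [:tostr [/ip address get ($ids->0) address]]
# Strip the prefix length: "203.0.113.7/24" -> "203.0.113.7"
:set wanAddr [:pick $wanAddr 0 [:find $wanAddr "/"]]

# Only the statically configured policies on this side need their SA source
# rewritten. Write only when the address really differs, so an unchanged lease
# does not touch (and thereby disturb) policies that are already correct.
:local changed 0
:foreach p in=[/ip ipsec policy find dynamic=no template=no] do={
    :local cur [:tostr [/ip ipsec policy get $p sa-src-address]]
    :if ($cur != $wanAddr) do={
        /ip ipsec policy set $p sa-src-address=$wanAddr
        :set changed ($changed + 1)
    }
}
:if ($changed > 0) do={
    :log info "ipsec-sa-update: set sa-src-address=$wanAddr on $changed policies"
}
```

Store it under /system script (for example as "ipsec-sa-update") and run it from /system scheduler at a short interval, such as every minute. The one-address check at the top is deliberate: if the DHCP client has no lease yet, or the interface carries several dynamic addresses, the script logs a warning and exits rather than writing an empty or wrong address into every policy.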

Hello Folks!

We have now migrated the network by adding two L2TP legs to all affected offices (whilst IPsec was running in full production).

After all L2TP links were up and running as they should, we implemented OSPF in the whole network and fiddled around with it so all routes were distributed correctly, putting in costs, routing filters and so on.

This was the first time we worked with OSPF, a fantastic protocol I must say, although the routing tables become very large in some places, but we don't care as long as it works.

We were a bit worried that all that OSPF stuff would break the connection to some important server, but it did not, as far as we know till now. But we carefully left all static routes in place and put in costs in favour of the core routers to minimize the impact of various staging problems and brain glitches.

We even staged from older routers to newer ones and kicked the old ones out during full production; small breaks of at most 10 seconds were noticed.

All dual L2TP links and other links were tested to see that OSPF was routing around the problems; it did so within seconds over the whole network.

Then we simply removed one IPsec policy and NAT rule from each side of the IPsec links and tested connectivity till all the IPsec stuff was removed.