Using a dynamic IP address for a VPN endpoint

There are some restrictions when a VPN endpoint has a dynamic IP address (assigned using DHCP, PPPoA, or PPPoE).

The following restrictions apply:

  • The VPN gateway must use an identifier other than the IP address, such as a DNS name, an email address, or (if certificate authentication is used) the certificate’s Distinguished Name (DN), as the phase-1 ID.
  • IKEv1 main mode with pre-shared key authentication is not supported. Aggressive mode allows the use of pre-shared keys, but for security reasons certificate-based authentication is also recommended when IKEv1 is set in aggressive mode.
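
The two restrictions above can be checked mechanically before a policy is deployed. The following is an added example, not code or a configuration schema from the product: the dictionary field names (`dynamic_ip`, `phase1_id`, `ike`, `mode`, `auth`) and the sample endpoints are hypothetical and constructed for illustration.

```python
import ipaddress

def id_type(value):
    """Classify a phase-1 ID string as 'ip', 'dn', 'email' or 'dns'."""
    try:
        ipaddress.ip_address(value)   # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if "=" in value:                  # e.g. "CN=branch-gw,O=Example"
        return "dn"
    if "@" in value:
        return "email"
    return "dns"

def check_endpoint(ep):
    """Return (severity, message) findings for one endpoint definition."""
    findings = []
    if not ep["dynamic_ip"]:
        return findings               # the restrictions only apply to dynamic endpoints
    if id_type(ep["phase1_id"]) == "ip":
        findings.append(("error", "phase-1 ID is an IP address on a dynamic endpoint"))
    if ep["ike"] == "ikev1" and ep["auth"] == "psk":
        if ep.get("mode") == "main":
            findings.append(("error", "IKEv1 main mode with pre-shared key is not supported"))
        else:
            findings.append(("warning", "IKEv1 aggressive mode with pre-shared key: "
                                        "certificate authentication is recommended"))
    return findings

def audit(endpoints):
    """Map each endpoint name to its list of findings."""
    return {ep["name"]: check_endpoint(ep) for ep in endpoints}

# Constructed sample data (hypothetical field names, documentation address ranges).
SAMPLE_ENDPOINTS = [
    {"name": "branch-a", "dynamic_ip": True, "phase1_id": "branch-a.vpn.example.com",
     "ike": "ikev2", "mode": None, "auth": "cert"},
    {"name": "branch-b", "dynamic_ip": True, "phase1_id": "198.51.100.20",
     "ike": "ikev1", "mode": "main", "auth": "psk"},
    {"name": "branch-c", "dynamic_ip": True, "phase1_id": "gw@example.com",
     "ike": "ikev1", "mode": "aggressive", "auth": "psk"},
    {"name": "hq", "dynamic_ip": False, "phase1_id": "192.0.2.1",
     "ike": "ikev1", "mode": "main", "auth": "psk"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ENDPOINTS).items():
        print(name, findings or "ok")
```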