cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5331
Views
0
Helpful
1
Replies

SRP527w IKE aggressive mode Remote ID cannot be set manually

cullypaterson
Level 1
Level 1

Greetings,

  I've found an issue with my SRP527W that is prohibiting me setting up a useful site to site VPN.  In short, the "Enable ID: Default/Manual" option in the IKE policy screen does not seem to behave as advertised.  Not matter what it's set to the remote end always ends up receiving the IP address of the DSL interface as its peer id.

The scenario is an SRP527W with a dynamically assigned DSL IP address connecting to a Netscreen SSG5 on a static IP.  I have confirmed that:

- A Main Mode VPN works (but is no use on an ongoing basis due to the dynamic IP)

- An aggressive mode VPN works if the Netscreen has its peer ID set to the public IP of the SRP (....same dynamic IP issue)

However if I try to set a manual Remote ID in the SRP IKE Policy it does not get sent as part of the phase 1 negotiations.  Debug logs on the Netscreen shows that it receives the DSL public IP no matter what.

Dumping the router config to XML (http://routeraddress/admin/config.xml&xuser=admin&xpassword=xxxxx) shows no sign of the IP address that has been set via the interface (despite the setting visibly staying set in the interface).  The rest of the VPN config shows up there.

Current firmware version: 1.01.26  (003)

Can anyone else confirm the same behaviour?

Thanks

Cully

1 Reply 1

Andrew Hickman
Cisco Employee
Cisco Employee

Hi Cully,

The manual remote ID setting is used for dealing with NAT Traversal.  Here, remote ID tells the SRP what to expect the remote gateway to annouce itself as, if that remote gateway was positioned behind a local NAT gateway.  i.e. Remote ID allows the SRP to manage the difference between the remote gatway address (the public address of the NAT gateway) and the address actually configured on the remote IPSec peer.

To deal with one IPSec host having a dynamic IP, the statically configured device would need to be configured to accept association requests from any peer.  (i.e. equivalent to setting remote endpoint as "any" in the SRP IPSec Policy).

Regards,

Andy