Core issue
This configuration sets the base group of the VPN Concentrator to accept a pre-shared key. You cannot configure the VPN Concentrator for a LAN-to-LAN tunnel in this scenario because the address is assigned dynamically to the remote device and is not always the same (and might not be known). For this reason, you can only use this configuration with the base group.
Resolution
Complete these steps in order to configure a dynamic-to-static tunnel between the VPN Concentrator and remote device with a dynamic IP address.
The VPN Concentrator is now configured for a dynamic-to-static VPN tunnel.
Note: Configure the remote device for a normal LAN-to-LAN VPN tunnel as it knows the IP address of the VPN Concentrator. Then ensure that the policies match on both sides for Internet Security Association and Key Management Protocol (ISAKMP) and IPsec. In this case, only the remote device is able to bring up the tunnel.
For additional help with screenshots, refer to LAN-to-LAN Tunnels on a VPN 3000 Concentrator with a PIX Firewall Configured for DHCP.
In order to resolve connectivity issues on the VPN Concentrator, refer to Troubleshooting Connection Problems on the VPN 3000 Concentrator.