09-21-2004 11:07 AM
Hi Everyone.
We have the following problem:
We use a Concentrator 3005 for LAN-to-LAN VPN and RAS VPN. So far everything is OK.
But now we need to add a new LAN-to-LAN VPN, where the remote peer has a dynamic IP address (like DHCP) from the DSL provider.
Now: when I try to configure IPSEC > LAN-to-LAN connection, it does not support 0.0.0.0 for the remote peer.
I've also tried to solve this by using a new group with LAN-to-LAN as an option.
I've even tried the Base Group.
And here I got some understandable messages:
Group [VPNC_Base_Group]
Received remote IP Proxy Subnet data in ID Payload:
Address 10.74.0.0, Mask 255.255.224.0, Protocol 0, Port 0
57226 09/21/2004 20:59:00.990 SEV=5 IKE/34 RPT=917 62.202.10.132
Group [VPNC_Base_Group]
Received local IP Proxy Subnet data in ID Payload:
Address 10.41.5.0, Mask 255.255.255.0, Protocol 0, Port 0
57229 09/21/2004 20:59:00.990 SEV=4 IKE/61 RPT=9 62.202.10.132
Group [VPNC_Base_Group]
Tunnel rejected: Policy not found for Src:10.74.0.0, Dst: 10.41.5.0!
57231 09/21/2004 20:59:00.990 SEV=4 IKEDBG/0 RPT=10
QM FSM error (P2 struct &0x1d2f064, mess id 0x8561878c)!
57232 09/21/2004 20:59:01.000 SEV=4 AUTH/23 RPT=789 62.202.10.132
User [VPNC_Base_Group] Group [] disconnected: duration: 0:00:00
57233 09/21/2004 20:59:01.000 SEV=4 AUTH/85 RPT=788
LAN-to-LAN tunnel to headend device 62.202.10.132 disconnected: duration: 0:00:00
I'd rather not use the Base Group for this kind of thing, but does anyone have a step-by-step on how to configure LAN-to-LAN with a dynamic peer IP address?
Grateful for any help!
Greetings
Jarle
09-21-2004 05:45 PM
This should get you going (you do have to use the Base Group):
09-21-2004 10:17 PM
Hi,
How does the routing in this example work?
The configured default gateway of the router (172.18.124.1) is unknown to the router, except in the case where the router gets an IP address (via DHCP) in the same IP network. But I think this isn't the normal (real-life) case, is it?
regards
Mark
11-08-2004 07:18 PM
We're finding ourselves in a similar situation, where the Base Group is less than ideal. Has anyone ever opened a PERS case asking for dynamic support on the L2L configuration? Or how about other peer validation methods? We've just picked up a Linksys RV042 and it has a few interesting options, including DDNS support to validate a remote L2L peer who is on a dynamic connection.
If not, I'll ask my account team to open one for us.
11-09-2004 12:26 AM
We ended up using the Base Group.
Since we had a lot of groups already configured, it gave us a lot of config changes, since the Base Group had to be changed.
If it is not absolutely required to use the concentrator, I would suggest using a router.
Greetings
Jarle