VPN Concentrator and Lan to Lan VPN with Dynamic IP (DHCP) Peer

jsteffensen
Level 1

Hi Everyone.

We have the following Problem:

We use a Concentrator 3005 for Lan to Lan VPN and RAS VPN. So far everything ok.

But now we need to add a new LAN to LAN VPN, where the remote peer has a dynamic IP Address (like DHCP) from the DSL provider.

Now: when I try to configure IPSEC > Lan-to-Lan connection, it does not support 0.0.0.0 for the remote peer.

I've also tried to solve this by using a new Group and Lan to Lan as option.

I've even tried the Basegroup.

And here I got some understandable messages:

Group [VPNC_Base_Group]

Received remote IP Proxy Subnet data in ID Payload:

Address 10.74.0.0, Mask 255.255.224.0, Protocol 0, Port 0

57226 09/21/2004 20:59:00.990 SEV=5 IKE/34 RPT=917 62.202.10.132

Group [VPNC_Base_Group]

Received local IP Proxy Subnet data in ID Payload:

Address 10.41.5.0, Mask 255.255.255.0, Protocol 0, Port 0

57229 09/21/2004 20:59:00.990 SEV=4 IKE/61 RPT=9 62.202.10.132

Group [VPNC_Base_Group]

Tunnel rejected: Policy not found for Src:10.74.0.0, Dst: 10.41.5.0!

57231 09/21/2004 20:59:00.990 SEV=4 IKEDBG/0 RPT=10

QM FSM error (P2 struct &0x1d2f064, mess id 0x8561878c)!

57232 09/21/2004 20:59:01.000 SEV=4 AUTH/23 RPT=789 62.202.10.132

User [VPNC_Base_Group] Group [] disconnected: duration: 0:00:00

57233 09/21/2004 20:59:01.000 SEV=4 AUTH/85 RPT=788

LAN-to-LAN tunnel to headend device 62.202.10.132 disconnected: duration: 0:00:00

I'd rather not use the basegroup for this kind of thing, but does anyone have a step by step: how to configure LAN to LAN with a dynamic peer IP address?

Grateful for any help!

Greetings

Jarle
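An added example, not part of the original post and not a Cisco tool: a small Python parser for the event-log layout shown above. It pulls out each "Tunnel rejected: Policy not found" event and pairs it with the masks from the preceding proxy-subnet messages, so the rejected source and destination networks can be compared against the configured tunnel policy. The function names are hypothetical and the header layout is assumed from this excerpt alone.

```python
import ipaddress
import re

# Header layout assumed from the excerpt: seq date time SEV=n class/id RPT=n [peer IP]
HEADER = re.compile(r"^(?P<seq>\d+) \S+ \S+ SEV=\d+ \S+/\d+ RPT=\d+(?: (?P<peer>\S+))?$")
PROXY = re.compile(r"Received (?:remote|local) IP Proxy Subnet data in ID Payload: "
                   r"Address (\S+), Mask (\S+),")
REJECT = re.compile(r"Tunnel rejected: Policy not found for Src:\s*(\S+), Dst:\s*(\S+)!")

# Lines copied from the post; the excerpt starts mid-event, so the first message has no header.
SAMPLE = """\
Group [VPNC_Base_Group]
Received remote IP Proxy Subnet data in ID Payload:
Address 10.74.0.0, Mask 255.255.224.0, Protocol 0, Port 0
57226 09/21/2004 20:59:00.990 SEV=5 IKE/34 RPT=917 62.202.10.132
Group [VPNC_Base_Group]
Received local IP Proxy Subnet data in ID Payload:
Address 10.41.5.0, Mask 255.255.255.0, Protocol 0, Port 0
57229 09/21/2004 20:59:00.990 SEV=4 IKE/61 RPT=9 62.202.10.132
Group [VPNC_Base_Group]
Tunnel rejected: Policy not found for Src:10.74.0.0, Dst: 10.41.5.0!
"""

def parse_events(text):
    """Split log text into (header fields, message body) pairs; header is {} if missing."""
    events, hdr, body = [], {}, []
    for line in text.splitlines() + [None]:      # trailing None flushes the last event
        m = HEADER.match(line.strip()) if line is not None else None
        if (m or line is None) and (hdr or body):
            events.append((hdr, " ".join(body)))
        if m:
            hdr, body = m.groupdict(), []
        elif line and line.strip():
            body.append(line.strip())
    return events

def rejected_tunnels(text):
    """Return each 'Policy not found' rejection with the proposed subnets in CIDR form."""
    masks, found = {}, []
    for hdr, body in parse_events(text):
        proxy = PROXY.search(body)
        if proxy:                                # remember the latest mask seen per address
            masks[proxy.group(1)] = proxy.group(2)
        rej = REJECT.search(body)
        if rej:                                  # fall back to the bare address if no mask was logged
            src, dst = (str(ipaddress.ip_network(f"{a}/{masks[a]}", strict=False))
                        if a in masks else a for a in rej.groups())
            found.append(dict(seq=hdr.get("seq"), peer=hdr.get("peer"), src=src, dst=dst))
    return found
```

Calling `rejected_tunnels(SAMPLE)` yields one record for event 57229 from peer 62.202.10.132 with the networks 10.74.0.0/19 and 10.41.5.0/24.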

4 Replies

gfullage
Cisco Employee

Hi,

how does the routing in this example work?

The configured default gateway of the router (172.18.124.1) is unknown to the router, except for the case where the router gets an IP address (per DHCP) in the same IP net. But I think this isn't the normal (real-life) case, or?

regards

Mark

We're finding ourselves in a similar situation, where the base group is less than ideal. Has anyone ever opened a PERS case asking for dynamic support on the L2L configuration? Or how about other peer validation methods? We've just picked up a Linksys RV042 and it has a few interesting options, including DDNS support to validate a remote L2L peer who is on a dynamic connection.

If not, I'll ask my account team to open one for us.

We ended up using the Basegroup.....

Since we had a lot of groups already configured, it gave us a lot of config changes, since the basegroup had to be changed.

If it is not absolutely required to use the concentrator, I would suggest using a router....

Greetings

Jarle