@Clayman wrote:
When I do a "show log security all", I'm seeing the following logs....
Apr 2 10:31:52 :103060: <DBUG> |ike| 192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_responder_recv_SA:1000 Ike Phase 1 received SA
Apr 2 10:31:52 :103060: <DBUG> |ike| 192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2097 received IKE ID Type 11 exchange:192.168.22.1
Apr 2 10:31:52 :103060: <DBUG> |ike| 192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2112 got IKE KEY-ID, got remote-switch-ip:192.168.22.1-mask:255.255.255.255
Apr 2 10:31:52 :103060: <DBUG> |ike| 192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2166 Master-Local
Apr 2 10:31:52 :103017: <INFO> |ike| Could not validate IKE Phase 1 ID of peer for Master-Local VPN
Apr 2 10:31:52 :103063: <DBUG> |ike| 192.168.22.1:4500-> exchange_run: step 0 done:0 handler failed
I've re-entered the key a dozen times. I've completely wiped & re-configured both controllers. I've disabled control plane security. I'm at a loss now as to why I can't get these two controllers to talk.
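As an added example (not code from the original post), a small Python parser for the ArubaOS security-log format quoted above: it splits each line into its fields and joins the "Could not validate IKE Phase 1 ID" event (which carries no peer address itself) to the peer IP and IKE ID type seen in the preceding debug lines. The sample log is constructed from the lines in the post.

```python
import re

# Constructed sample, modelled on the lines quoted in the post above.
SAMPLE_LOG = """\
Apr 2 10:31:52 :103060: <DBUG> |ike| 192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_responder_recv_SA:1000 Ike Phase 1 received SA
Apr 2 10:31:52 :103060: <DBUG> |ike| 192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2097 received IKE ID Type 11 exchange:192.168.22.1
Apr 2 10:31:52 :103060: <DBUG> |ike| 192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2112 got IKE KEY-ID, got remote-switch-ip:192.168.22.1-mask:255.255.255.255
Apr 2 10:31:52 :103017: <INFO> |ike| Could not validate IKE Phase 1 ID of peer for Master-Local VPN
Apr 2 10:31:52 :103063: <DBUG> |ike| 192.168.22.1:4500-> exchange_run: step 0 done:0 handler failed
"""

# One log line: timestamp, numeric message id, severity, subsystem, free text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) :(?P<msgid>\d+): <(?P<sev>\w+)> "
    r"\|(?P<sub>\w+)\| (?P<msg>.*)$")
# DBUG lines prefix the message with the peer address and UDP port (4500 = NAT-T).
PEER_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)-> (?P<rest>.*)$")
# ID type 11 is ID_KEY_ID (RFC 2407); the next debug line ("got IKE KEY-ID") confirms it.
ID_TYPE_RE = re.compile(r"received IKE ID Type (?P<idtype>\d+)")
FAIL_RE = re.compile(r"Could not validate IKE Phase 1 ID of peer for (?P<vpn>.+)$")

def parse_line(line):
    """Split one security-log line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["peer"] = rec["port"] = None
    p = PEER_RE.match(rec["msg"])
    if p:
        rec["peer"], rec["port"], rec["msg"] = p["ip"], int(p["port"]), p["rest"]
    return rec

def ike_phase1_failures(text):
    """One dict per Phase 1 ID-validation failure, carrying the most recent
    peer IP and IKE ID type seen in the |ike| lines before it."""
    last_peer, last_idtype, findings = None, None, []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sub"] != "ike":
            continue
        if rec["peer"]:
            last_peer = rec["peer"]
        t = ID_TYPE_RE.search(rec["msg"])
        if t:
            last_idtype = int(t["idtype"])
        f = FAIL_RE.search(rec["msg"])
        if f:
            findings.append({"msgid": rec["msgid"], "vpn": f["vpn"],
                             "peer": last_peer, "id_type": last_idtype})
    return findings

if __name__ == "__main__":
    print(ike_phase1_failures(SAMPLE_LOG))
```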
Clayman,
A couple of things here that are important:
- Create a specific IPSEC key on the master for the public IP address of the local: Under Configuration > Network > Controller > System Settings, look for the Local Controller IPSEC keys parameter. There is probably one for 0.0.0.0. Create one specifically for the public address of the local controller. This is important, because it will determine routing.
- Once you setup the master/local relationship, don't expect the controllers to be able to ping each other.
- Create a route on the local controller pointing to the ipsec map for any subnets that you want clients on the local to reach:
config t
ip route 10.0.0.0 255.255.0.0 ipsec nameofipsecmap
HINT: type show ip route to see the name of the ipsec map
Do the same thing on the master controller for routes that are behind the local controller.
You should be able to create a VLAN on the local controller that is fully routable and then ping the ip address of that from the master.
If you feel you cannot ping an address from one controller to the other, use the "show datapath session table <ip address>" command on the opposite side to see if you are seeing the pings.