MVP
Posts: 376
Registered: 05-09-2013

Site-to-Site VPN - Peer ip 0.0.0.0 ignored

Good afternoon,


I'm trying to set up a VPN tunnel between (2) controllers via site-to-site VPN configuration. The configuration we are using is as follows:


Main Site

crypto-local isakmp key "******" fqdn-any
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac

crypto-local ipsec-map dyn-sts 100
  peer-ip 0.0.0.0
  peer-fqdn any-fqdn
  vlan 0
  src-net 10.68.128.0 255.255.252.0
  dst-net 10.68.208.0 255.255.255.0
  set transform-set "default-transform"
  pre-connect enable
  trusted enable
  force-natt enable


Remote Site

crypto-local isakmp key "******" address 155.75.135.10 netmask 255.255.255.255
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac

crypto-local ipsec-map dyn-sts 100
  peer-ip 155.75.135.10
  local-fqdn 100
  vlan 0
  src-net 10.68.208.0 255.255.255.0
  dst-net 10.68.128.0 255.255.252.0
  set transform-set "default-transform"
  pre-connect enable
  trusted enable
  force-natt enable


In logs we see IKEv1 attempts, but on the Main controllers, we are seeing the following message:

Ignoring map dyn-sts since Peer-ip is 0.0.0.0


We are using a dynamic IP at the remote site, so we can't specify an IP. Any ideas why we are receiving this or any ideas what we could be missing?


Thanks.


FYI - the remote controller is running 6.4.4.6 and has no licenses as of right now. My other thought is, the reason for the VPN tunnel is to route traffic and share networks, but is it accomplishing the same thing by just setting up a master/local setup and setting the next hop for those internal networks as the master controller? Would that traffic go through the IPSec tunnel, assuming the local controller is the gateway at the remote site?


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Regular Contributor I
Posts: 183
Registered: 10-20-2010

Re: Site-to-Site VPN - Peer ip 0.0.0.0 ignored

Is VLAN 0 the VLAN of the interface facing the public IP? If not, I think it needs to be.
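As an added example (not code from either post), here is a small Python cross-check of the two posted ipsec-map stanzas: it parses them, verifies that the traffic selectors mirror each other and that the dynamic-peer side's peer-fqdn accepts the remote local-fqdn, and flags vlan 0 on the dynamic-peer (0.0.0.0) map, which is the point the reply raises. The two-space indentation of the stanza body and the "fqdn-id <name>" form of peer-fqdn are assumptions.

```python
import ipaddress
import re

# Constructed sample input: the two ipsec-map stanzas from the thread, pasted as plain text.
MAIN_SITE = """crypto-local ipsec-map dyn-sts 100
  peer-ip 0.0.0.0
  peer-fqdn any-fqdn
  vlan 0
  src-net 10.68.128.0 255.255.252.0
  dst-net 10.68.208.0 255.255.255.0
"""
REMOTE_SITE = """crypto-local ipsec-map dyn-sts 100
  peer-ip 155.75.135.10
  local-fqdn 100
  vlan 0
  src-net 10.68.208.0 255.255.255.0
  dst-net 10.68.128.0 255.255.252.0
"""

def parse_ipsec_map(text):
    """Parse one crypto-local ipsec-map stanza into {keyword: value} (assumes 2-space body indent)."""
    entry = {}
    for line in text.splitlines():
        head = re.match(r"crypto-local ipsec-map (\S+) (\d+)", line)
        if head:
            entry["name"], entry["priority"] = head.group(1), int(head.group(2))
        elif line.startswith("  "):
            key, _, value = line.strip().partition(" ")
            entry[key] = value
    return entry

def net(value):
    """'addr mask' from src-net/dst-net -> ip_network (ip_network accepts dotted netmasks)."""
    return ipaddress.ip_network("/".join(value.split()), strict=False)

def check_site_to_site(main, remote):
    """Cross-check a dynamic-peer map (main) against its static counterpart (remote)."""
    findings = []
    if main.get("peer-ip") == "0.0.0.0":
        if "peer-fqdn" not in main:
            findings.append("main: peer-ip 0.0.0.0 needs a peer-fqdn selector to identify the peer")
        if main.get("vlan") == "0":
            findings.append("main: vlan 0 on a dynamic-peer map; check it is the public-facing VLAN")
    # Assumption: peer-fqdn is either any-fqdn or 'fqdn-id <name>' matching the remote local-fqdn.
    accepted = {"any-fqdn", remote.get("local-fqdn"), f"fqdn-id {remote.get('local-fqdn')}"}
    if main.get("peer-fqdn") not in accepted:
        findings.append("fqdn mismatch: main peer-fqdn does not accept the remote local-fqdn")
    if net(main["src-net"]) != net(remote["dst-net"]) or net(main["dst-net"]) != net(remote["src-net"]):
        findings.append("traffic selectors: src-net/dst-net are not mirrored between the two maps")
    return findings
```

On the posted stanzas the only finding is the vlan 0 warning; swapping either subnet on one side adds the mirroring finding.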
