Good afternoon,
I'm trying to set up a VPN tunnel between two controllers via a site-to-site VPN configuration. The configuration we are using is as follows:
Main Site
crypto-local isakmp key "******" fqdn-any
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto-local ipsec-map dyn-sts 100
peer-ip 0.0.0.0
peer-fqdn any-fqdn
vlan 0
src-net 10.68.128.0 255.255.252.0
dst-net 10.68.208.0 255.255.255.0
set transform-set "default-transform"
pre-connect enable
trusted enable
force-natt enable
Remote Site
crypto-local isakmp key "******" address 155.75.135.10 netmask 255.255.255.255
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto-local ipsec-map dyn-sts 100
peer-ip 155.75.135.10
local-fqdn 100
vlan 0
src-net 10.68.208.0 255.255.255.0
dst-net 10.68.128.0 255.255.252.0
set transform-set "default-transform"
pre-connect enable
trusted enable
force-natt enable
In the logs we see IKEv1 attempts, but on the main controllers we are seeing the following message:
Ignoring map dyn-sts since Peer-ip is 0.0.0.0
We are using a dynamic IP at the remote site, so we can't specify an IP. Any ideas why we are receiving this or any ideas what we could be missing?
Thanks.
FYI: the remote controller is running 6.4.4.6 and has no licenses as of right now. My other thought is this: the reason for the VPN tunnel is to route traffic and share networks, but would it accomplish the same thing to just set up a master/local configuration and set the next hop for those internal networks to the master controller? Would that traffic go through the IPsec tunnel, assuming the local controller is the gateway at the remote site?
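Added example, not part of the original post and not Aruba's code: a small Python lint that parses the two ipsec-map fragments posted above (embedded below as constructed sample text, pre-shared keys masked as in the post) and flags the things I would check first on a dynamic-peer site-to-site map. The checks encode my own reading of the configuration, not vendor documentation: the side that sees its peer as 0.0.0.0 has no address to dial, so pre-connect only makes sense on the remote (static peer-ip) side; the map references a transform-set named "default-transform" while the set defined next to it is "default-aes", which is worth confirming; and the src-net/dst-net pairs and NAT-T setting must mirror between the sites. The MAP_SUBCMDS list, the finding codes and the peer-fqdn/local-fqdn matching rule are assumptions of this example.

```python
"""Lint a pair of ArubaOS site-to-site ipsec-map fragments for mismatches that
commonly keep a dynamic-peer tunnel from coming up.

Added example. The two configs are the ones from the post, embedded as
constructed sample text; finding codes and checks are this example's own.
"""

MAIN_SITE = """\
crypto-local isakmp key "******" fqdn-any
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto-local ipsec-map dyn-sts 100
  peer-ip 0.0.0.0
  peer-fqdn any-fqdn
  vlan 0
  src-net 10.68.128.0 255.255.252.0
  dst-net 10.68.208.0 255.255.255.0
  set transform-set "default-transform"
  pre-connect enable
  trusted enable
  force-natt enable
"""

REMOTE_SITE = """\
crypto-local isakmp key "******" address 155.75.135.10 netmask 255.255.255.255
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto-local ipsec-map dyn-sts 100
  peer-ip 155.75.135.10
  local-fqdn 100
  vlan 0
  src-net 10.68.208.0 255.255.255.0
  dst-net 10.68.128.0 255.255.252.0
  set transform-set "default-transform"
  pre-connect enable
  trusted enable
  force-natt enable
"""

# Assumed set of ipsec-map sub-commands. Pasted configs often lose indentation,
# so membership in this set, not indent, decides which lines belong to a map.
MAP_SUBCMDS = {"peer-ip", "peer-fqdn", "local-fqdn", "vlan", "src-net", "dst-net",
               "set", "pre-connect", "trusted", "force-natt"}


def parse_site(text):
    """Parse one controller's fragment into psk selectors, transform sets and maps."""
    cfg = {"psk_selectors": [], "transform_sets": {}, "maps": {}}
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[:3] == ["crypto-local", "isakmp", "key"] and len(words) >= 5:
            # Keep only the peer selector (fqdn-any / address ...), never the key.
            cfg["psk_selectors"].append(" ".join(words[4:]))
            current = None
        elif words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) >= 5:
            cfg["transform_sets"][words[3]] = words[4:]
            current = None
        elif words[:2] == ["crypto-local", "ipsec-map"] and len(words) >= 4:
            current = {"priority": int(words[3]), "set": {}}
            cfg["maps"][words[2]] = current
        elif current is not None and words[0] in MAP_SUBCMDS:
            if words[0] == "set" and len(words) >= 3:      # set transform-set "NAME"
                current["set"][words[1]] = words[2].strip('"')
            else:
                current["set"][words[0]] = " ".join(words[1:])
        else:
            current = None   # any other top-level line ends the map block
    return cfg


def lint_map(cfg, name):
    """Single-side checks; returns a list of (code, message)."""
    m = cfg["maps"][name]["set"]
    findings = []
    if m.get("peer-ip") == "0.0.0.0":
        # This side does not know the peer's address, so it can only respond.
        if m.get("pre-connect") == "enable":
            findings.append(("PRECONNECT_DYNAMIC_PEER",
                             "pre-connect enable with peer-ip 0.0.0.0: this side cannot "
                             "initiate; let the static peer-ip side pre-connect instead"))
        if "peer-fqdn" not in m:
            findings.append(("NO_PEER_FQDN", "peer-ip 0.0.0.0 needs a peer-fqdn selector"))
        if not any(sel.startswith("fqdn") for sel in cfg["psk_selectors"]):
            findings.append(("NO_FQDN_PSK", "no fqdn-based isakmp key for the dynamic peer"))
    ts = m.get("transform-set")
    if ts and ts not in cfg["transform_sets"]:
        findings.append(("TRANSFORM_SET_UNDEFINED",
                         f"map uses transform-set {ts!r} but only {sorted(cfg['transform_sets'])} "
                         "is defined here; confirm it exists (e.g. as a built-in) or fix the name"))
    return findings


def lint_pair(a, a_map, b, b_map):
    """Cross-site checks: selectors must mirror and both ends must agree on options."""
    sa, sb = a["maps"][a_map]["set"], b["maps"][b_map]["set"]
    findings = []
    if sa.get("src-net") != sb.get("dst-net") or sa.get("dst-net") != sb.get("src-net"):
        findings.append(("NETS_NOT_MIRRORED", "src-net/dst-net do not mirror between sites"))
    for opt in ("transform-set", "force-natt"):
        if sa.get(opt) != sb.get(opt):
            findings.append(("OPTION_MISMATCH", f"{opt}: {sa.get(opt)!r} vs {sb.get(opt)!r}"))
    ts = sa.get("transform-set")
    if a["transform_sets"].get(ts) != b["transform_sets"].get(ts):
        findings.append(("TRANSFORM_ALGS_DIFFER", f"transform-set {ts!r} differs between sites"))
    # Assumed rule: 'peer-fqdn any-fqdn' accepts any local-fqdn; 'fqdn-id X' needs local-fqdn X.
    pf, lf = sa.get("peer-fqdn"), sb.get("local-fqdn")
    if pf and pf != "any-fqdn" and pf != f"fqdn-id {lf}":
        findings.append(("FQDN_MISMATCH", f"peer-fqdn {pf!r} vs remote local-fqdn {lf!r}"))
    return findings


if __name__ == "__main__":
    main, remote = parse_site(MAIN_SITE), parse_site(REMOTE_SITE)
    for label, site in (("main", main), ("remote", remote)):
        for code, msg in lint_map(site, "dyn-sts"):
            print(f"[{label}] {code}: {msg}")
    for code, msg in lint_pair(main, "dyn-sts", remote, "dyn-sts"):
        print(f"[pair] {code}: {msg}")
```

Run against the two fragments, the cross-site check comes back clean (the networks do mirror and both ends name the same transform set), while the main-site map is flagged for pre-connect on a 0.0.0.0 peer and both maps for naming a transform set that is not the one defined alongside them. That narrows the "Ignoring map dyn-sts since Peer-ip is 0.0.0.0" message to the main-side map itself rather than to the traffic selectors.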