The other router at the remote-site has a dynamic public address. Following the manual, as far as I understand, this is the configuration:
central-site (y.z.45.51):
/ ip ipsec peer
add address=0.0.0.0/32:500 secret="******" generate-policy=yes exchange-mode=aggressive \
send-initial-contact=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 \
lifetime=1d lifebytes=0 disabled=no
/ ip ipsec policy
add src-address=y.z.14.0/24:any dst-address=y.z.45.0/24:any protocol=all action=encrypt level=require \
ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=x.91.97.147 proposal=default \
manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
add address=x.91.97.147/32:500 secret="******" generate-policy=no exchange-mode=aggressive \
send-initial-contact=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 \
lifetime=1d lifebytes=0 disabled=no
But packets are rejected. Log file on the remote-site:
10:02:56 ipsec,ike,info queuing SA request, phase 1 with peer 217.91.97.147 will be established first
10:02:56 ipsec,ike,info initiating phase 1, starting mode Aggressive (local 84.57.7.20:500) (remote unknown)
10:02:56 ipsec,info ipsec packet discarded: src=53.109.14.51 dst=53.102.45.51
10:02:57 ipsec,info ipsec packet discarded: src=53.109.14.51 dst=53.102.45.51
10:02:58 ipsec,info ipsec packet discarded: src=53.109.14.51 dst=53.102.45.51
10:02:59 ipsec,info ipsec packet discarded: src=53.109.14.51 dst=53.102.45.51
10:03:00 ipsec,info ipsec packet discarded: src=53.109.14.51 dst=53.102.45.51
10:03:28 ipsec,ike,info dequeuing SA request to 217.91.97.147, phase 1 wait timed out
10:03:57 ipsec,ike,info phase 1 negotiation timed out

17:25:11 ipsec,ike,info received ISAKMP packet from 84.57.7.20:500, phase 1, Aggressive
17:25:11 ipsec,ike,info peer not configured
17:25:21 ipsec,ike,info received ISAKMP packet from 84.57.7.20:500, phase 1, Aggressive
17:25:21 ipsec,ike,info peer not configured
17:25:31 ipsec,ike,info received ISAKMP packet from 84.57.7.20:500, phase 1, Aggressive
17:25:31 ipsec,ike,info peer not configured
TIA.