IPSec-VPN with dynamic IP
Posted: Fri Feb 24, 2006 7:27 pm
I'm trying to get an IPSec-tunnel up between two mt-routers (ROS 2.9.13). The router at the central-site has a static public IP-address (x.91.97.147), the other router at the remote-site has a dynamic public address. Following the manual, as far as I understand, this is the configuration:
central-site (y.z.45.51):
Code:
/ ip ipsec peer
add address=0.0.0.0/32:500 secret="******" generate-policy=yes exchange-mode=aggressive \
    send-initial-contact=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 \
    lifetime=1d lifebytes=0 disabled=no
remote-site (y.z.14.51/24):
Code:
/ ip ipsec policy
add src-address=y.z.14.0/24:any dst-address=y.z.45.0/24:any protocol=all action=encrypt level=require \
    ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=x.91.97.147 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
add address=x.91.97.147/32:500 secret="******" generate-policy=no exchange-mode=aggressive \
    send-initial-contact=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 \
    lifetime=1d lifebytes=0 disabled=no
But packets are rejected. Log file on the remote-site:
Code:
10:02:56 ipsec,ike,info queuing SA request, phase 1 with peer 217.91.97.147 will be established first
10:02:56 ipsec,ike,info initiating phase 1, starting mode Aggressive (local 84.57.7.20:500) (remote unknown)
10:02:56 ipsec,info ipsec packet discarded: src=53.109.14.51 dst=53.102.45.51
10:02:57 ipsec,info ipsec packet discarded: src=53.109.14.51 dst=53.102.45.51
10:02:58 ipsec,info ipsec packet discarded: src=53.109.14.51 dst=53.102.45.51
10:02:59 ipsec,info ipsec packet discarded: src=53.109.14.51 dst=53.102.45.51
10:03:00 ipsec,info ipsec packet discarded: src=53.109.14.51 dst=53.102.45.51
10:03:28 ipsec,ike,info dequeuing SA request to 217.91.97.147, phase 1 wait timed out
10:03:57 ipsec,ike,info phase 1 negotiation timed out
And on the central site:
Code:
17:25:11 ipsec,ike,info received ISAKMP packet from 84.57.7.20:500, phase 1, Aggressive
17:25:11 ipsec,ike,info peer not configured
17:25:21 ipsec,ike,info received ISAKMP packet from 84.57.7.20:500, phase 1, Aggressive
17:25:21 ipsec,ike,info peer not configured
17:25:31 ipsec,ike,info received ISAKMP packet from 84.57.7.20:500, phase 1, Aggressive
17:25:31 ipsec,ike,info peer not configured
Any hints? Is it correct to use aggressive mode and have the central-site router set to "generate-policy=yes"?
tia.
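Added example, not part of the original post: a Python check of the central-site log against the posted peer entry, assuming (as the RouterOS manual describes for the peer `address` setting) that the responder selects a peer entry by matching the initiator's source address against the configured prefix. The `0.0.0.0/0` entry in `ALT_CONFIG` and all function names are hypothetical, included only for comparison.

```python
import ipaddress
import re

# Central-site peer entry and log lines as posted above (secret already masked there).
PEER_CONFIG = 'add address=0.0.0.0/32:500 secret="******" generate-policy=yes exchange-mode=aggressive'
# Hypothetical variant for comparison only: same entry with a /0 prefix.
ALT_CONFIG = PEER_CONFIG.replace("0.0.0.0/32", "0.0.0.0/0")
CENTRAL_LOG = """\
17:25:11 ipsec,ike,info received ISAKMP packet from 84.57.7.20:500, phase 1, Aggressive
17:25:11 ipsec,ike,info peer not configured
17:25:21 ipsec,ike,info received ISAKMP packet from 84.57.7.20:500, phase 1, Aggressive
17:25:21 ipsec,ike,info peer not configured
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_peer_prefixes(config):
    """Return the network of every address=<ip>/<mask>:<port> peer entry."""
    return [ipaddress.ip_network(f"{ip}/{mask}")
            for ip, mask in re.findall(rf"address=({IPV4})/(\d+):\d+", config)]

def rejected_initiators(log):
    """Return each distinct source whose ISAKMP packet drew 'peer not configured'."""
    rejected, last = [], None
    for line in log.splitlines():
        m = re.search(rf"received ISAKMP packet from ({IPV4}):\d+", line)
        if m:
            last = ipaddress.ip_address(m.group(1))
        elif "peer not configured" in line and last is not None:
            if last not in rejected:
                rejected.append(last)
            last = None
    return rejected

def diagnose(config, log):
    """Map each rejected initiator to the configured prefixes that contain it."""
    peers = parse_peer_prefixes(config)
    return {str(src): [str(net) for net in peers if src in net]
            for src in rejected_initiators(log)}

if __name__ == "__main__":
    for name, cfg in (("posted", PEER_CONFIG), ("/0 variant", ALT_CONFIG)):
        for src, nets in diagnose(cfg, CENTRAL_LOG).items():
            # An empty list means no peer entry covers the initiator's address.
            print(f"{name}: {src} matched by {nets or 'no peer entry'}")
    # Note: a /0 prefix admits initiators from any address, so the
    # pre-shared secret is then the only thing gating phase 1.
```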