my setup is straigthforward nothing special ... l2l vpn tunnel between ASA5520 (static ip) as hub
and Cisco RV215w (dynamic ip) as spoke.
The setup is working fine ... asa terminates l2l ipsec vpn coming from rv215w.
The tunnels are stable. As attachment you can find my config.
We are planing about 300 locations terminating on ASA which should be fine for a ASA5520
as long as you terminate all sessions on defaultl2lgroup. But we would like to terminate each
session on a different tunnel group in order to block each location/rv215w in case of theft.
The problem is;
as soon as i am configuring a tunnelgroup for each spoke ASA is not able to assign
vpn session to spoke. Here is the error message:
4|Feb 20 2014|16:13:11|713903|||||Group = DefaultRAGroup, IP = 192.168.2.251, Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch.
4|Feb 20 2014|16:13:11|713255|||||IP = 192.168.2.251, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '192.168.2.251'.
When I create the tunnelgroup with ip address there is no problem. ASA is able to assign the ip to tunnelgroup and everything is fine.
As the rv215w has dynamic ip on outside interface this is not an option. The problem is that RV215w is sending its outside ip as ike key.
I was not able to change the ike key from ip to something else ... e.g. hostname
I found a good solution for ASA and IOS as spoke but no way for rv215w. ASA and IOS you can configure the ike key:
crypto isakmp identity key-id SPOKE1
Would be glad to here if there is another solution how we can solve the problem to block each rv215w in case of theft.
Hope i was clear in my problem description. Looking forward to here from you.