02-12-2009 08:41 AM
Hi,
I am trying to find the best way to set up a VPN between a remote C800 series router and an ASA5505 at the headend. The remote router has a dynamic WAN IP and I want to be able to connect back down the tunnel to the router's LAN from the LAN at the ASA end. I have the remote router registering with DynDNS but can't get the ASA to use a domain name for the peer.
Thanks
Shailen
02-12-2009 11:52 AM
The only way your ASA will use hostnames for the VPN connection is when using digital certificates for IKE authentication or if the connection is coming via aggressive mode. That means that the use of a domain name for the peer under the crypto map is something the ASA does not support.
02-16-2009 03:22 PM
Thank you for that feedback. So I have tried to set up an Easy VPN connection and have been able to use the reverse route feature to install a route on the ASA. This seems to provide me with the connectivity in both directions; however, it seems to only work if the remote site initiates traffic first. Then the head end can communicate with the remote LAN. Can you please tell me how else I can achieve this, i.e. a VPN with the headend able to initiate traffic while the remote site is not using a static IP address?
Thanks
Shailen
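An added example of the Easy VPN server/client pair with reverse route injection described above (not configuration from this thread); group name, key, user, interface names and the DNS name of the ASA are placeholders, and it assumes ASA 8.0-era and IOS 12.4-era syntax. It also adds DPD keepalives on both sides so that a tunnel whose SAs are stale is torn down and rebuilt rather than lingering.

```cisco
! ---- ASA 5505 (head end): Easy VPN server, remote peer has a dynamic IP ----
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Dynamic crypto map: accepts any peer address, so no hostname is needed.
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
! Reverse route injection: the remote LAN is added to the routing table
! once the client connects, so the head-end LAN can reach it.
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
! Network extension mode so the router's LAN is reachable, not a single host.
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 nem enable
username ezvpn-remote password REPLACE-WITH-XAUTH-PASSWORD
tunnel-group EZVPN-GROUP type ipsec-ra
tunnel-group EZVPN-GROUP general-attributes
 default-group-policy EZVPN-GP
tunnel-group EZVPN-GROUP ipsec-attributes
 pre-shared-key REPLACE-WITH-GROUP-KEY
 ! Dead peer detection: drop stale SAs instead of keeping a dead tunnel "up".
 isakmp keepalive threshold 10 retry 2

! ---- C800 series router (remote site): Easy VPN hardware client ----
crypto isakmp keepalive 10 periodic
crypto ipsec client ezvpn EZ
 ! The client side may use a DNS name for the peer; the ASA side cannot.
 peer asa.example.com
 group EZVPN-GROUP key REPLACE-WITH-GROUP-KEY
 username ezvpn-remote password REPLACE-WITH-XAUTH-PASSWORD
 xauth userid mode local
 mode network-extension
 ! Bring the tunnel up on boot and keep it up without waiting for user traffic.
 connect auto
interface FastEthernet4
 description WAN (dynamic address from the ISP)
 crypto ipsec client ezvpn EZ outside
interface Vlan1
 description LAN
 crypto ipsec client ezvpn EZ inside
```

With `connect auto` and DPD the client re-establishes the tunnel itself, so the NTP traffic workaround is no longer doing the job of keeping the SAs alive.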
02-16-2009 03:32 PM
Unfortunately, since the remote end has a dynamic IP address the central side will not be able to start the VPN connection; the one with the dynamic IP address is the one that has to do it.
02-16-2009 03:39 PM
From what I have seen the remote client initiates the VPN session as soon as it boots up and the session will stay up for the configured idle time. When the tunnel is up the headend can only communicate with the remote LAN when traffic is initiated from the remote LAN. Communication is only available for a small period of time. The tunnel never goes down and the SAs are still present. I have set up the remote site to get NTP from the headend LAN so this way there is always some traffic initiated from the remote device. This is a workaround until I can find a proper solution.
02-16-2009 03:46 PM
OK, let me see if I got it right: when the remote end initiates the tunnel it can pass traffic fine, but then after a period of time the tunnel is not able to pass any more traffic, regardless of the fact that the tunnel shows up along with the SA active?
02-16-2009 03:51 PM
Yep, that is correct. When that happens I need to get onto the remote router and either clear the ISAKMP SA or try to do an extended ping to the headend.
02-16-2009 03:54 PM
Got it. Can you post the configs of both ends?
02-16-2009 03:55 PM
Yep, I will do as soon as I get back to my office.