VMware Cloud Community
jschmitz1
Contributor

vShield Edge VPN to a Dynamic IP?

We have been banging our heads on this for over a week now.

How can we setup a VPN tunnel with a Dynamic IP to a Cisco ASA?

We have the following configured in the vshield manager:

Peer site name: Customer

Peer ID: Customer-ASA

Peer IP: (Blank = Any)

Peer Subnets = 172.16.32.0/24

Local Subnets = 172.17.32.0/24

MTU: 1500

Encryption: 3DES, DH2, PFS Enable

On the ASA, we tried aggressive mode and main mode; the name of the device is "Customer-ASA".

! IKE identity the ASA presents to the peer: an opaque key-id string
crypto isakmp identity key-id Customer-ASA
!
! Interesting traffic for the tunnel (ACL name elided in the post)
access-list ******** extended permit ip object-group LOCAL-NETWORK object-group XXXX
!
object-group network XXXX
 network-object 172.17.32.0 255.255.255.0
object-group network LOCAL-NETWORK
 network-object 172.16.32.0 255.255.255.0
!
! Phase 2 (IPsec SA) lifetimes
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
! Crypto map entry pointing at the vShield Edge public IP
crypto map VPNMAP 30 match address ********
crypto map VPNMAP 30 set pfs
crypto map VPNMAP 30 set peer <ourIP>
crypto map VPNMAP 30 set transform-set ESP-3DES-SHA
!
! Phase 1 (IKE) policy matching the vShield settings: 3DES, SHA, DH group 2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Anyone have any success setting up a connection from the edge to a dynamic IP? Also, we are using v5.0.2.

2 Replies
jschmitz1
Contributor

Anyone? I have a case open with VMware, but if anyone has any ideas I'd be open to hearing them. I will post back here if it ever gets resolved.

jschmitz1
Contributor

Turns out that peer ID is not supported for authentication. Only hostname or IP can be used. Hope this helps someone else in the future. VMware states they have made note of the issue and they plan to address it in a future release.

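Editor's note: the original post's `crypto isakmp identity key-id Customer-ASA` and the final reply's "only hostname or IP can be used" are two sides of the same IKEv1 detail: the ASA's `identity` command chooses which ISAKMP Identification payload type it sends (`key-id` sends ID_KEY_ID, `hostname` sends ID_FQDN, `address`, the ASA default, sends ID_IPV4_ADDR), and the responder can only match the identity types it knows how to compare. The following is an added example, not code from the thread or from VMware or Cisco: it encodes and decodes the Identification payload as defined in RFC 2408 section 3.8 with the ID type values from RFC 2407 section 4.6.2, and then runs a hypothetical, simplified responder policy that models the behaviour the final reply reports (matching an IP or FQDN identity, with a blank peer IP meaning "any address", and no way to match a key-id). The packet bytes, the hostname `customer-asa.example.net` and the addresses are constructed for the example. One caveat worth keeping in mind when testing this against a real ASA: in aggressive mode the ID payload and the PSK-derived hash go over the wire before encryption starts, so an aggressive-mode tunnel needs a long, random pre-shared key.

```python
"""Encode/decode IKEv1 ISAKMP Identification payloads and model a responder's
peer-identity matching. Added example for the thread above; constructed data only.
"""
import ipaddress
import struct

# ID type values from RFC 2407 section 4.6.2 (IPsec DOI)
ID_TYPES = {
    1: "ID_IPV4_ADDR",
    2: "ID_FQDN",
    3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR",
    6: "ID_IPV6_ADDR_SUBNET",
    7: "ID_IPV4_ADDR_RANGE",
    8: "ID_IPV6_ADDR_RANGE",
    9: "ID_DER_ASN1_DN",
    10: "ID_DER_ASN1_GN",
    11: "ID_KEY_ID",
}
ID_IPV4_ADDR, ID_FQDN, ID_KEY_ID = 1, 2, 11

GENERIC_HEADER = struct.Struct("!BBH")  # next payload, reserved, payload length
ID_FIELDS = struct.Struct("!BBH")       # ID type, protocol ID, port


def build_id_payload(id_type, data, next_payload=0, protocol_id=17, port=500):
    """Build an Identification payload (generic header + ID fields + identification data)."""
    body = ID_FIELDS.pack(id_type, protocol_id, port) + data
    return GENERIC_HEADER.pack(next_payload, 0, GENERIC_HEADER.size + len(body)) + body


def parse_id_payload(buf):
    """Parse one Identification payload from buf; raise ValueError on malformed input."""
    if len(buf) < GENERIC_HEADER.size + ID_FIELDS.size:
        raise ValueError("ID payload shorter than its fixed header")
    next_payload, _reserved, length = GENERIC_HEADER.unpack_from(buf, 0)
    if length < 8 or length > len(buf):
        raise ValueError(f"payload length {length} inconsistent with buffer of {len(buf)} bytes")
    id_type, protocol_id, port = ID_FIELDS.unpack_from(buf, GENERIC_HEADER.size)
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        value = str(ipaddress.IPv4Address(data))
    elif id_type in (ID_FQDN, 3):           # FQDN / user@FQDN are plain ASCII strings
        value = data.decode("ascii")
    elif id_type == ID_KEY_ID:              # opaque bytes; the ASA sends the configured string
        value = data.decode("ascii", errors="replace")
    else:
        value = data.hex()
    return {
        "next_payload": next_payload,
        "type": id_type,
        "type_name": ID_TYPES.get(id_type, "unknown"),
        "protocol": protocol_id,
        "port": port,
        "value": value,
    }


def responder_accepts(parsed, peer_ip=None, peer_hostname=None):
    """Hypothetical, simplified responder policy modelling the thread's finding:
    a peer is matched by IPv4 address (peer_ip None means any address, like the
    blank Peer IP field) or by FQDN; an ID_KEY_ID identity cannot be matched."""
    if parsed["type"] == ID_IPV4_ADDR:
        return peer_ip is None or parsed["value"] == peer_ip
    if parsed["type"] == ID_FQDN:
        return peer_hostname is not None and parsed["value"].lower() == peer_hostname.lower()
    return False


# Constructed sample payloads for the three ASA identity settings
SAMPLE_PAYLOADS = {
    "identity key-id Customer-ASA": build_id_payload(ID_KEY_ID, b"Customer-ASA"),
    "identity hostname": build_id_payload(ID_FQDN, b"customer-asa.example.net"),
    "identity address": build_id_payload(ID_IPV4_ADDR, bytes([203, 0, 113, 10])),
}


def evaluate_samples(peer_hostname="customer-asa.example.net"):
    """Return {asa setting: accepted?} for a responder with blank peer IP and a configured hostname."""
    return {
        setting: responder_accepts(parse_id_payload(pkt), peer_ip=None, peer_hostname=peer_hostname)
        for setting, pkt in SAMPLE_PAYLOADS.items()
    }


if __name__ == "__main__":
    for setting, pkt in SAMPLE_PAYLOADS.items():
        p = parse_id_payload(pkt)
        print(f"{setting:32s} -> {p['type_name']:14s} {p['value']!r:30s} "
              f"accepted={responder_accepts(p, peer_hostname='customer-asa.example.net')}")
```

Run as a script it prints one line per ASA identity setting; the key-id identity is the only one the modelled responder cannot match, which is the symptom the original post describes. Switching the ASA to `crypto isakmp identity hostname` and entering that hostname on the vShield side, or to `identity address` with the peer IP left blank, are the two configurations the final reply says are supported.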