We have been banging our heads on this for over a week now.
How can we set up a VPN tunnel with a Dynamic IP to a Cisco ASA?
We have the following configured in the vshield manager:
Peer site name: Customer
Peer ID: Customer-ASA
Peer IP: (Blank = Any)
Peer Subnets = 172.16.32.0/24
Local Subnets = 172.17.32.0/24
MTU: 1500
Encryption: 3DES, DH2, PFS Enable
On the ASA, we tried aggressive mode and main mode; the name of the device is "Customer-ASA".
crypto isakmp identity key-id Customer-ASA
access-list ******** extended permit ip object-group LOCAL-NETWORK object-group XXXX
object-group network XXXX
 network-object 172.17.32.0 255.255.255.0
object-group network LOCAL-NETWORK
 network-object 172.16.32.0 255.255.255.0
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 30 match address ********
crypto map VPNMAP 30 set pfs
crypto map VPNMAP 30 set peer <ourIP>
crypto map VPNMAP 30 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Anyone have any success setting up a connection from the edge to a dynamic IP? Also, we are using v5.0.2.
Anyone? I have a case open with VMware, but if anyone has any ideas I'd be open to hearing them. I will post back here if it ever gets resolved.
Turns out that peer-ID is not supported for authentication. Only hostname or IP can be used. Hope this helps someone else in the future. VMware states they have made note of the issue and they plan to address it in a future release.