CES 251 to CES 1600

HelpTheWestie

Technical User
Jan 27, 2004
20
GB
Hi

Help....

I have a Contivity 251 and a Contivity 1600. I'm trying to set up an IPsec tunnel. The Contivity 251 is the initiator, and does not have a static IP address. The Contivity 1600 is the responder.

How can I set up the Contivity 251 to use a different source address when creating the IPsec tunnel?

I can get the tunnel to work when I enter in the remote IP address... but this is always changing!!

ta
 
What I've done before (if I'm understanding your question properly) is this:

In the 221/251, under VPN/Branch Office, set the local ID type to DNS. Under content, enter in the initiator ID (this must match on the 1600). My IP Address should be 0.0.0.0. Peer ID = IP, then the secure gateway address is the external IP of the 1600.

Under Advanced, make sure your phase 1 negotiation mode is set to aggressive.

Make sure compression is disabled on the branch office group on the 1600 - the 200 series boxes don't like that. I've also had the best luck turning PFS off on both ends.
 
You have got the question correct.

Here are my settings for the CES 1600:

Encryption:
- ESP - Triple DES with SHA1 Integrity: Enabled
IKE Encryption and Diffie-Hellman Group: Triple DES with Group 2 (1024-bit prime)
Vendor ID: Enabled
Aggressive Mode ISAKMP Initial Contact Payload: Disabled
Perfect Forward Secrecy: Enabled
Compression: Disabled
Rekey Timeout: 08:00:00
Rekey Data Count: (None)
ISAKMP Retransmission Interval: 4
ISAKMP Retransmission Max Attempts: 2
Keepalive interval: 00:01:00
Keepalive (On-Demand connections): DISABLED
Anti Replay: DISABLED

So I need to enable Aggressive Mode ISAKMP Initial Contact Payload on the CES1600 and on the CES251?

On the CES1600 do I have to change the Subject Alternative Name Type to DNS? And where do I enter the 0.0.0.0 on the CES1600, Initiator ID or Subject Alternative Name?

Ta
 
Had to go look at the config of one I put in a while back. My brain isn't working as good as it used to.

Enable Aggressive Mode initial contact on the CES1600.

Connection type is responder.

Initiator ID on the CES needs to match the local ID you configured on the 251.

You won't need to enter the 0.0.0.0 on the CES - the initiator ID is all that's needed. It gets passed to the CES in the phase 1 contact. You don't even need to specify the public IP of the 1600, but you do need to specify it in the 251.

Hope this helps.
 
After 2 weeks and a lot of playing it is working!! By using the log on the 251 I was able to enter the right Peer ID values.

Thanks for your help biv343
 
You're welcome. Glad it worked out.

First one of these I did I took screen shots of the 221 once it came up - took me a while to figure it out, and I didn't want to go through it again. Then I lost the screenshot.

Keep an eye out for the 2.5 software for the 221/251 - it's going to have some QOS features in case you ever use these guys for VOIP at home offices. Should be out by end of June.
 