IPSec Tunnel - Dynamic IP on remote side

**TreyH** · 08-10-2017, 08:02 AM

I'm currently running 12.2.1 and have 45 Cradlepoint routers, with dynamic IP addresses, establishing IPSec tunnels to my Untangle box. I'm using "0.0.0.0" as the 'Remote Host' for the tunnel setup on the Untangle box.

Experimenting with v13, it seems I must use the public IP of the remote host. The tunnel fails if I try to use "0.0.0.0" in the 'Remote Host' field of the tunnel config. Is there a way to setup the IPSec tunnel on the Untangle box for dynamic ip addresses on the remote side (for v13)? The Untangle box itself has a static public IP.

**donhwyo** · 08-10-2017, 11:39 AM

I am using 0.0.0.0 in the server listening address. I am on latest 13 and use dyndns.

**mahotz** · 08-10-2017, 12:07 PM

Instead of 0.0.0.0 try using %any (with the percent sign) in the Remote Host field. That tells IPsec to accept any IP address for the remote side.

**donhwyo** · 08-10-2017, 12:17 PM

0.0.0.0 works for me.

**TreyH** · 08-10-2017, 12:38 PM

Thanks for the replies. Would it matter if my test box is in transparent bridge mode behind an ASA versus my production box is in router mode? The IPsec log has rolled since then but the error we were getting was something like "could not resolve 0.0.0.0". When we plugged in the remote's public ip the tunnel started working. Didn't try "%any"; we'll do some more testing....

**mahotz** · 08-10-2017, 12:43 PM

I don't think the different modes should make any difference. I'm actually surprised 0.0.0.0 ever worked in the Remote Host field.

**dmorris** · 08-10-2017, 01:14 PM

Originally Posted by TreyH

Thanks for the replies. Would it matter if my test box is in transparent bridge mode behind an ASA versus my production box is in router mode? The IPsec log has rolled since then but the error we were getting was something like "could not resolve 0.0.0.0". When we plugged in the remote's public ip the tunnel started working. Didn't try "%any"; we'll do some more testing....

If its running behind another router doing NAT, yes thats going to add complications.

**TreyH** · 08-10-2017, 03:23 PM

This is the error if we use "%any" for Remote Host:

Aug 10 16:40:54 untangle charon: 08[IKE] unable to resolve %any, initiate aborted

If I plug in the public IP of the remote unit then the tunnel works. Will investigate the ASA tomorrow.....

Thread: IPSec Tunnel - Dynamic IP on remote side

LinkBack

Thread Tools

IPSec Tunnel - Dynamic IP on remote side

Posting Permissions