Correct R600VPN To R600VPN LAN-To-LAN Settings?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2020-12-26 02:17:54 - last edited 2021-04-18 10:21:36
Model: TL-R600VPN  
Hardware Version: V4
Firmware Version: 4.0.4 Build 20200313 Rel.41831

I am trying to make sure my setup will work in a production setting soon. I have the main office and two satellite locations.

Right now, the main office and one satellite location each have a TL-R600VPN using LAN-to-LAN IPsec VPN policies for a connection. All is connected and running. Both have DCD enabled at 30 seconds. Connections do need to initiate from either direction at times, but assume the satellite location internet would go down more often as the main office internet connection is usually up all the time. Main office is static IP and this satellite office is dynamic IP using Dynamic DNS service to update IP <-> hostname. I have the satellite office set to Initiator Mode with Local ID as hostname and Remote ID set to IP address. The main office is set to Responder Mode with Local ID set to IP Address and Remote ID set to Name. Can both sides be set to Initiator Mode?

So, both were connected when I needed to reboot the satellite office R600VPN. After reboot, the satellite office has a different IP address and attempts negotiation in initiator mode. Main office does not respond that I can tell. Log file at main office shows nothing related. This connection attempt goes on for a couple of hours with no VPN established. I can see the main office DCD dropped the previous tunnel. After I have had enough, I change the main office VPN policy Negotiation Mode to Initiator and main office starts negotiating with satellite office. Connection then made successfully.

---> Why did the first attempt from satellite office to main office fail? Was it because the satellite office had a different IP address and since the main office was in responding mode, it doesn't look up the dynamic host name when a negotiation attempt comes in? Maybe it looks at the new remote IP address and says: "I don't know that association"? And did the second attempt initiated by the main office work because in initiator mode, the main office looks up the IP address of the satellite office hostname? If I cannot set Initiator Mode on both sides, am I forced to have the main office set to Initiator Mode and the satellite office set to Responder Mode?

Thank you very much.

Re: Correct R600VPN To R600VPN LAN-To-LAN Settings?
2020-12-29 13:16:17 - last edited 2021-04-18 10:21:36

I guess let me ask the question differently.

What are the proper (only?) settings when one end is dynamic IP and the other end is static IP as far as VPN Negotiation Mode selection? I am wondering when this router checks the remote hostname? Does it only check when initiating a tunnel?

Not that I have this situation, but to better understand, can two TL-R600VPNs be used if both ends were dynamic IP using hostname as remote ID?

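One mechanism that would produce the behaviour described in this thread, modelled as an added Python example (not code from the thread or from TP-Link, and not the confirmed logic of the TL-R600VPN firmware): a responder that pins a dynamic peer to the address its hostname resolved to when the policy was loaded will reject that peer after an address change, while a responder that re-resolves the name per attempt, or that selects the policy by the identity the peer presents, accepts it. The hostname and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed DDNS zone (hostname -> current address); mutated in demo()
# to simulate the satellite router coming back online on a new address.
DDNS = {"satellite.example-ddns.net": "198.51.100.20"}

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

@dataclass
class Policy:
    name: str
    remote_gateway: str   # IP literal, or the peer's DDNS hostname
    remote_id: str        # identity (IDi) the peer is expected to present
    cached_gateway_ip: str = ""

    def __post_init__(self):
        # A caching responder resolves the hostname once, when the policy loads.
        gw = self.remote_gateway
        self.cached_gateway_ip = gw if is_ip(gw) else DDNS[gw]

def match_by_address(policies, src_ip, peer_id, refresh_dns=False):
    """Accept only from the expected gateway address (with matching ID)."""
    for p in policies:
        expected = p.cached_gateway_ip
        if refresh_dns and not is_ip(p.remote_gateway):
            expected = DDNS[p.remote_gateway]  # re-resolve on every attempt
        if expected == src_ip and p.remote_id == peer_id:
            return p.name
    return None

def match_by_id(policies, peer_id):
    """Accept from any address; the presented ID alone selects the policy."""
    return next((p.name for p in policies if p.remote_id == peer_id), None)

def demo():
    host = "satellite.example-ddns.net"
    main_office = [Policy("to-satellite", host, host)]
    before = match_by_address(main_office, "198.51.100.20", host)
    DDNS[host] = "198.51.100.77"  # satellite rebooted; DDNS record updated
    cached = match_by_address(main_office, "198.51.100.77", host)
    refreshed = match_by_address(main_office, "198.51.100.77", host, True)
    by_id = match_by_id(main_office, host)
    return before, cached, refreshed, by_id
```

demo() returns the four outcomes in order: matched before the reboot, rejected by the address-cached responder, matched when the name is re-resolved, and matched when the policy is selected by identity alone.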