Below is a picture of my topology
HQ has a Cisco ASA behind the Peplink-360, which is in VPN passthrough mode and forwarding all the VPN request/response/traffic through it. The Branch has only a Peplink-310. The site-to-site VPN terminates at the Cisco ASA and the Peplink-310.
The HQ Peplink-360 has a static IP and the Branch Peplink-310 has a PPPoE dialer but a fixed IP.
As the Cisco ASA at HQ has a private address 172.16.1.2 on its outside public interface and its gateway is 172.16.1.1 (which is the LAN of the HQ Peplink-360), things are not looking good, as there is a double NAT here and a private IP on the ASA. Troubleshooting results show that on the Branch Peplink-310 the peer ID is coming in as 172.16.1.2 (which is the Cisco ASA outside and has the crypto maps), and we require the ID to be 41.10.161.45 (the WAN IP on the HQ Peplink-360) as per your configuration.
The HQ Peplink-360 (which is in passthrough mode and has the Cisco ASA behind it for VPN termination) has a static IP, BUT the Branch Peplink-310 (where the VPN terminates) has a PPPoE dialer but a fixed IP address (can we count a fixed IP as a static IP and have aggressive mode?).
We cannot use drop-in mode, as the Cisco gateway is configured as 172.16.1.1, which is the LAN of HQ Peplink-2, and this will be changed to a public IP in drop-in mode, which requires changing the Cisco configuration, like the outside interface, NAT rules and much more… Agree?
I tried main mode for IKEv1 but it failed. I have now configured the Branch Peplink-2 in aggressive mode by removing the peer IP and having local ID mydevice@branch and remote ID mydevice@hq, but things are quite the same… NO success.
Do I need to use aggressive mode on the Cisco ASA as well, or keep it in main mode? Is any configuration needed on the HQ Peplink-360, which is in passthrough mode?
Thank you in advance.