The Branch Router Accesses the HQ Router at a Dynamic IP Address in Dialup Mode-2

GTAC-Sophia

Level 4

Ruijie Staff

2022-12-5 10:24:13
Networking Requirements
The HQ router uses a dynamic IP address, and the branch router accesses the HQ router by using the domain name in dialup mode.
Network Topology

Configuration Key Points
1. Configure router A in the HQ as the IPsec server.
2. Configure router B in the branch as the IPsec client.
3. Keep parameter settings at both ends consistent. The parameter settings in this case are as follows:
Authentication mode: preshared key, with the key set to ruijie.
IKE algorithm: 3DES-MD5, DH2
IPsec negotiation scheme: ESP(3DES-MD5)
Configuration Steps
1. Configure router B in the branch.
The Web page does not support dynamic domain names. Therefore, complete configuration on the Web page and then perform modification on the CLI.
(1) Complete wizard-based setup to meet basic Internet access requirements of users in the HQ and branch. If the users can access the Internet, check whether the next hop address is configured for the WAN interface.

(2) Choose Network > VPN and click Configure. Select Branch and click Next.


(3) Configure basic IPsec information and click Next.




(4) Click Finish.

On the CLI, change the public IP address of the HQ router to a dynamic domain name:
branch(config)#no crypto isakmp key 0 ruijie address 192.168.2.1
branch(config)#crypto isakmp key 0 ruijie hostname ruijie.xicp.net
branch(config)#crypto map Gi0/6 20 ipsec-isakmp
branch(config-crypto-map)#no set peer 192.168.2.1
branch(config-crypto-map)#set peer ruijie.xicp.net
2. Configure router A in the HQ.
On the interface configuration page, click a WAN interface to configure it. Dynamic IP addresses can be allocated in DHCP mode or obtained in dialup mode.


Choose Network > VPN and click Configure. Select Headquarter and click Next.

Select Branch and click Next.




Select IPsec and click Next.




Configure IPsec basic information and click Next.






Click Finish.




Configuration Verification
Choose Network > VPN and click the Topo tab to view the configuration.
Configuration of the HQ router:


Configuration of the branch router:



Check whether the HQ router and branch router can access each other.
Notes (Optional)
1. On the Web page, IPsec supports only peer IP addresses and does not support domain names. IPsec using domain names needs to be configured on the CLI.
2. When a WAN port receives an IPsec request, but no traffic of interest is configured on the device, the error "Failed to find map" may occur. This error is generated because packets from IPsec port 500 are sent to the CPU when the IPsec map does not exist. The error does not affect network data forwarding and management, which is beneficial to network management. An ACL can be configured to filter out requests from undesired IPsec-compliant devices that are connected to the EG device.
3. Some Web modules use specific ACLs. For example, the VPN module uses ACL 110 and ACL 199, the ARP guard module uses ACL 197 and ACL 2397, and the VWAN module uses ACL 198. Therefore, do not use these ACLs on the CLI, especially ACL 199, which prohibits policy configuration on the CLI. Otherwise, ACEs required by the VPN module fail to be configured on the Web page.
RG-EG2100-P v2
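
An offline check for the branch-router CLI change described above, added here as an example and not part of the original post or of any Ruijie tooling: it confirms that the pre-shared key entry and the crypto map name the same peer, so a key left bound to the old static address is caught before the tunnel is tested. The function name audit_peers and both sample configurations are constructed, and the check assumes the saved configuration stores these commands in the form they are typed on the page.

```python
import re

# Constructed sample: branch config after the CLI steps (assumed to be
# saved in the same form the commands are typed on the page).
SAMPLE_OK = """\
crypto isakmp key 0 ruijie hostname ruijie.xicp.net
crypto map Gi0/6 20 ipsec-isakmp
 set peer ruijie.xicp.net
"""
# Constructed sample: only the crypto map was changed; the key entry is
# still bound to the old static address.
SAMPLE_STALE = """\
crypto isakmp key 0 ruijie address 192.168.2.1
crypto map Gi0/6 20 ipsec-isakmp
 set peer ruijie.xicp.net
"""

KEY_RE = re.compile(r"^crypto isakmp key \d+ \S+ (address|hostname) (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
PEER_RE = re.compile(r"^set peer (\S+)")

def audit_peers(config):
    """Return findings where key entries and crypto-map peers disagree."""
    keyed = set()    # peers that have a pre-shared key entry
    peers = []       # (map name, sequence, peer) taken from crypto maps
    current = None   # crypto map whose sub-mode lines are being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            current = None  # an unindented line ends the previous sub-mode
        if m := KEY_RE.match(line):
            keyed.add(m.group(2).lower())
        elif m := MAP_RE.match(line):
            current = (m.group(1), m.group(2))
        elif current and (m := PEER_RE.match(line)):
            peers.append((*current, m.group(1).lower()))
    used = {p for _, _, p in peers}
    findings = [f"crypto map {n} {s}: peer {p} has no isakmp key entry"
                for n, s, p in peers if p not in keyed]
    findings += [f"isakmp key for {k} is not used by any crypto map peer"
                 for k in sorted(keyed - used)]
    return findings

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("stale", SAMPLE_STALE)):
        print(name, audit_peers(cfg) or "consistent")
```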
