Symbol Technologies WS 2000 Switch User Manual

WS 2000 Wireless Switch System Reference Guide 4-22
I am using a direct cable connection between my two VPN gateways for testing and cannot get a
tunnel established, yet it works when I set them up across another network or router. What gives?
The packet processing architecture of the WS 2000 VPN solution requires a WAN default gateway to work properly. When
connecting two gateways directly, you really do not need a default gateway when the two addresses are on the same
subnet. As a workaround, you can point the WS 2000 switch’s WAN default gateway to be the other VPN gateway, and vice versa.
My WS 2000 switch is a DHCP client on my WAN interface. How can I set up a tunnel without knowing
my WAN IP address?
First of all, one end of a VPN tunnel must have a static IP address. Assuming the other end of your VPN tunnel has a static
IP, here is how you configure your WS 2000 switch to use a DHCP WAN address with VPN.
1. Your VPN tunnel entry must have the Local WAN IP set to 0.0.0.0.
2. If you are using IKE, the Local ID type (and the corresponding Remote ID type on the other end) cannot be set to IP, since
the IP address is not known.
How can I set up the WS 2000 switch to accept VPN tunnels from gateways that have a DHCP WAN
address?
To accept a VPN tunnel from an unknown (DHCP) address, the WS 2000 Wireless Switch operates in what is called responder-
only mode. That is, it cannot initiate the VPN connection. It can only wait for a VPN connection to come in. Clients behind a
responder-only gateway cannot connect to the remote subnet until the remote subnet has connected to them.
To set up responder-only mode, set the Remote Gateway to 0.0.0.0. If you are using IKE, the following restrictions are in place:
• Remote ID type cannot be IP. We do not know the IP of the remote since it is DHCP.
• IKE Authentication Mode cannot be set to PSK if IKE mode is set to Main Mode.
• You may not use xAuth for this tunnel.
I have two WS 2000 switches and both have DHCP WAN addresses. Is there any possible way to open
a VPN tunnel between them?
Yes, but the configuration for each tunnel will need to change anytime a WAN IP lease expires. You can make this work
temporarily by performing the following steps:
1. Set 0.0.0.0 as the local WAN IP for each gateway.
2. Configure the opposite WS 2000 switch’s current DHCP address as the Remote Gateway. This is the field that needs to
change every time the DHCP addresses change.
3. If using IKE, you cannot use ID type IP for either Local or Remote ID types.
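The three questions above (DHCP local WAN address, responder-only mode, and two DHCP ends) share a small set of consistency rules. The checker below is an added example, not Symbol's own code or a WS 2000 API: the switch is configured through its management UI, so the field names here only mirror the FAQ's UI labels (Local WAN IP, Remote Gateway, Local/Remote ID type, IKE Authentication Mode, xAuth) and are assumptions, as are the sample tunnel entries, which use documentation addresses. It encodes each rule from the FAQ, plus two consequences that follow from them: two responder-only ends can never bring a tunnel up because neither initiates, and a peer whose WAN address is a DHCP lease has to be re-entered as the Remote Gateway whenever that lease changes. The Main Mode restriction exists because an IKEv1 Main Mode responder must select the pre-shared key by the peer's IP address before the identities are exchanged, which is impossible when that address is unknown.

```python
"""Static checker for the WS 2000 VPN tunnel rules stated in the FAQ.

Added example, not Symbol's own code: the WS 2000 exposes no such API, and the
field names below are assumed labels that mirror the FAQ's UI terms.
"""
from dataclasses import dataclass
from typing import Dict, List

ANY_ADDR = "0.0.0.0"  # the FAQ's placeholder for an unknown (DHCP-assigned) address


@dataclass
class TunnelConfig:
    name: str
    local_wan_ip: str                 # ANY_ADDR when this switch's WAN is a DHCP client
    remote_gateway: str               # ANY_ADDR puts this end in responder-only mode
    use_ike: bool = True
    ike_mode: str = "main"            # "main" or "aggressive" (assumed labels)
    local_id_type: str = "fqdn"       # "ip", "fqdn", ... (assumed labels)
    remote_id_type: str = "fqdn"
    auth_mode: str = "psk"            # "psk" or "cert" (assumed labels)
    xauth: bool = False
    remote_wan_is_dhcp: bool = False  # peer's WAN address is a lease that may change


def is_responder_only(cfg: TunnelConfig) -> bool:
    """Responder-only mode: this end waits for the peer and never initiates."""
    return cfg.remote_gateway == ANY_ADDR


def check_tunnel(cfg: TunnelConfig) -> List[str]:
    """Return the FAQ rules this tunnel entry violates (empty list = consistent)."""
    findings: List[str] = []

    # Our own WAN address is unknown, so we cannot identify ourselves by it.
    if cfg.local_wan_ip == ANY_ADDR and cfg.use_ike and cfg.local_id_type == "ip":
        findings.append("Local WAN IP is 0.0.0.0, so Local ID type cannot be IP")

    # The peer's address is unknown or may change, so it cannot be identified by it.
    peer_unknown = is_responder_only(cfg) or cfg.remote_wan_is_dhcp
    if peer_unknown and cfg.use_ike and cfg.remote_id_type == "ip":
        findings.append("remote address is not fixed, so Remote ID type cannot be IP")

    if is_responder_only(cfg) and cfg.use_ike:
        # A Main Mode responder selects the PSK by peer IP, which is unknown here.
        if cfg.auth_mode == "psk" and cfg.ike_mode == "main":
            findings.append("IKE Authentication Mode cannot be PSK when IKE mode is Main Mode")
        if cfg.xauth:
            findings.append("xAuth cannot be used on a responder-only tunnel")

    # Two responder-only ends never initiate, so such a tunnel can never come up.
    if is_responder_only(cfg) and cfg.local_wan_ip == ANY_ADDR:
        findings.append("both ends unknown: set Remote Gateway to the peer's current DHCP address")

    if cfg.remote_wan_is_dhcp and not is_responder_only(cfg):
        findings.append("peer WAN is DHCP: re-enter Remote Gateway whenever its lease changes")
    return findings


# Constructed sample entries (documentation address ranges, not real sites).
EXAMPLES: Dict[str, TunnelConfig] = {
    # Q: my WAN is a DHCP client, the peer is static.
    "dhcp-client": TunnelConfig("dhcp-client", ANY_ADDR, "203.0.113.10"),
    # Q: accept tunnels from DHCP peers; Main Mode + PSK is the common mistake.
    "responder-main-psk": TunnelConfig("responder-main-psk", "203.0.113.10", ANY_ADDR),
    "responder-fixed": TunnelConfig("responder-fixed", "203.0.113.10", ANY_ADDR,
                                    ike_mode="aggressive"),
    # Q: both ends DHCP; Remote Gateway holds the peer's current lease.
    "both-dhcp": TunnelConfig("both-dhcp", ANY_ADDR, "198.51.100.7",
                              remote_wan_is_dhcp=True),
}

if __name__ == "__main__":
    for cfg in EXAMPLES.values():
        print(f"{cfg.name}: {check_tunnel(cfg) or 'OK'}")
```

Run the module directly to see each sample entry's findings; the two entries that follow the FAQ exactly report nothing, while the Main Mode responder and the two-DHCP case each report the single rule they hit.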
I have set up my tunnel and the status still says “Not Connected.” What should I do now?
VPN tunnels are negotiated on an as-needed basis. If you have not sent any traffic between the two subnets, the tunnel will
not be established. Once a packet is sent between the two subnets, the VPN tunnel setup will occur.
I still can’t get my tunnel to work after attempting to initiate traffic between the two subnets. What now?
Here are some troubleshooting tips:
1. Verify that you can ping each of the remote gateway IP addresses from clients on either side. Failed pings can indicate
general network connection problems.