VPN Problem

Unanswered Question
Feb 4th, 2007

Hi sir,

My company has been using a site-to-site VPN connecting the branch office and the HQ. Originally, the HQ only allowed the branch network (172.29.4.64/27) to access the HQ network (192.168.10.0/24), and it worked fine. Now the branch needs to access another network (192.168.31.0/24) in the HQ. So both sides added the ACLs for the NO NAT and the interesting VPN traffic. But it doesn't work: the 172.29.4.64/27 network still can NOT access the 192.168.31.0/24 network in the HQ. You don't need to think about the problem of the routing and configuration, as the configuration for 192.168.31.0/24 is the same as the configuration for 192.168.10.0/24. I did some tests and found that the ACL for the interesting VPN traffic does NOT work. It still only allows the 172.29.4.65/27 network to access 192.168.10.0/24. To me it is really weird, and I am wondering if it is caused by the protocol [I am using esp-des esp-sha-hmac for the transform set], as the problem doesn't happen on the VPN that uses the esp-des esp-md5-hmac protocol.

Could you please help me to figure it out? Thanks in advance!!

Daniel Voicu Sun, 02/04/2007 - 23:03

Hi there,

You are saying "As the problem doesn't happen on the VPN that uses esp-des esp-md5-hmac protocol". Basically this is the same VPN. It is between the same endpoints, and you should have only one esp-des esp-md5-hmac protocol.

Start from the existing VPN that works and add the crypto ACL and NAT 0 statements required for the new traffic on both ends.

Can you attach a sanitized config?

Please rate if this helped.

Regards,

Daniel
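The "crypto ACL and NAT 0 statements on both ends" that Daniel refers to, written out as an added IOS configuration example; this is not from the thread. The subnets are the ones in the question; the router roles, ACL numbers, interface, transform-set and crypto-map names, and the peer addresses (203.0.113.1 / 198.51.100.1) are assumed placeholders, and the example assumes IOS routers rather than PIX/ASA syntax.

```cisco
! --- Branch router (assumed) ---
! Crypto ACL: branch subnet to BOTH HQ subnets, one entry per pair.
access-list 110 permit ip 172.29.4.64 0.0.0.31 192.168.10.0 0.0.0.255
access-list 110 permit ip 172.29.4.64 0.0.0.31 192.168.31.0 0.0.0.255
! NAT exemption: the same pairs must be denied from translation,
! otherwise the packet is NATed before it is compared to the crypto ACL.
access-list 120 deny   ip 172.29.4.64 0.0.0.31 192.168.10.0 0.0.0.255
access-list 120 deny   ip 172.29.4.64 0.0.0.31 192.168.31.0 0.0.0.255
access-list 120 permit ip 172.29.4.64 0.0.0.31 any
ip nat inside source list 120 interface FastEthernet0/0 overload
! One transform set and one crypto-map entry for this peer (placeholder).
crypto ipsec transform-set TS esp-des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 110

! --- HQ router (assumed): the exact mirror image of the branch ---
access-list 110 permit ip 192.168.10.0 0.0.0.255 172.29.4.64 0.0.0.31
access-list 110 permit ip 192.168.31.0 0.0.0.255 172.29.4.64 0.0.0.31
access-list 120 deny   ip 192.168.10.0 0.0.0.255 172.29.4.64 0.0.0.31
access-list 120 deny   ip 192.168.31.0 0.0.0.255 172.29.4.64 0.0.0.31
access-list 120 permit ip 192.168.0.0 0.0.255.255 any
ip nat inside source list 120 interface FastEthernet0/0 overload
crypto ipsec transform-set TS esp-des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 110
```

After changing a crypto ACL, the already-established SA still carries the old proxy identities, so clear it on both ends (`clear crypto sa`) and check `show crypto ipsec sa` for a separate SA pair per source/destination subnet combination.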
