Is it possible to terminate VPN IPSec on the external and public interfaces?

Feb 26th, 2007

Hi

I have used a VPN3030 concentrator for 4 years in the classical way: 1 public interface (for LAN-to-LAN IPSec and remote-access (NAT-T) connections) and 1 private interface.

I need to connect to an external (not Internet) network and offer remote-access capabilities. Could I use the external interface of my VPN3030 for that purpose?

Thanks in advance

patrice

ggilbert Mon, 02/26/2007 - 09:45

Patrice,

I have a question for you.

When you say you need to connect to an external network, what do you mean by that? A device which has a non-routable IP address on its external interface?

Thanks

Gilbert

Rate it, if this helps.

coquinpat Mon, 02/26/2007 - 23:43

Gilbert,

The external network is a private WAN network used for the data exchange between branch and main offices.

This WAN uses RFC1918.

Thanks

Patrice

ggilbert Tue, 02/27/2007 - 11:57

Patrice,

If the remote users/network can access the Concentrator, then yes, you should be able to give remote access to those users/network.

Thanks

Gilbert

Rate this post, if it helps!

coquinpat Wed, 02/28/2007 - 01:43

Gilbert,

I'm sorry, but I've tried different configurations and it still does not work.

Actually, when I activate NAT-T, the VPN3030 log shows the addition of an implied filter using the physical public interface IP address, even if I tick the external interface to act as the public one.

Regards,

Patrice

ggilbert Wed, 02/28/2007 - 07:54

Patrice,

Going back to your question - "I need to connect to an external (not internet) network and offer Remote-access capabilities"

I need some explanation in here.

What is the IP address of the concentrator? External IP address (public interface)?

When you said connect to an external network - What do you mean by that? L2L to a router from the concentrator or VPN client connections to the concentrator?

Can you ping the concentrator from the device which is trying to connect?

Please explain!

Thanks

Gilbert

coquinpat Thu, 03/01/2007 - 04:41

Hi Gilbert,

The public interface of the VPN 3030 is linked to Internet to offer L2L and remote-access IPSec connections.

A corporate network exists and I would like to use the available VPN3030 external interface to offer the same services.

That's all.

Regards,

Patrice

Parminder Sian Mon, 03/05/2007 - 21:28

Hi Patrice,

When the VPN client user tries to terminate an IPsec over TCP connection on the external interface of the VPN Concentrator, the Concentrator does not accept IPsec over TCP connections on this interface, regardless of whether it is allowed in a filter, and sends back a reset packet.

Try the VPN client connection with IPsec over User Datagram Protocol (UDP), which works on the external interface.

Let me know how it goes.

Regards

Parminder

coquin Thu, 04/05/2007 - 23:56

Hi Parminder,

Sorry for the delay.

You're right: the VPN3030 can receive IPSec over UDP connections on the external interface simultaneously with an IPsec over TCP connection.

Thank you for your help.

Patrice

Kamal Malhotra Mon, 03/05/2007 - 23:40

Hi Patrice,

Please confirm the following:

1. The External Interface is marked 'Public'.

2. It has the Public filter enabled.

3. Try to connect and if it does not connect then do the following:

a. Go to Configuration -> System -> Events -> Classes and make sure that the following classes are enabled with severity 1-13:

IKE, IKEDBG, IPSEC, IPSECDBG

b. Go to Monitoring -> Filterable Event Logs and clear the logs.

c. Try to establish the tunnel and go back to Monitoring -> Filterable Event Logs. Obtain the logs and send to us.

HTH,

Please rate if it helps.

Regards,

Kamal

coquin Fri, 04/06/2007 - 00:02

Hi 'HTH'

Now it's a fact: IPsec over TCP can only be established on the single interface of the VPN3xxx that is marked "public".

Then I will investigate the ASA5xxx capabilities.

Thanks for your help.

Regards,

Patrice
