05-28-2007 02:22 AM
hi guys,
I've been working on establishing a VPN between a VPN 3000 and a
Checkpoint. The problem I am having on the VPN 3000 is that if I don't
select "reverse route injection" it won't establish the VPN.
I thought it may have been because the local LAN routes didn't exist
on the VPN 3000, so I added statics to match the network lists, but it
still wouldn't come up. As soon as I enable reverse route injection it
works fine.
Any ideas?
Thanks
Adam Baxter.
05-28-2007 02:23 AM
And I am trying to send a ping to bring up the tunnel.
05-28-2007 03:35 AM
Hi Adam,
Are you performing any load balancing stuff on the VPN concentrator?
Topology:
---------
lan1--(concentrator)-------(checkpoint)--Lan2
In the above topology, if you select RRI on the concentrator, a route for the Lan2 networks will be forwarded by the concentrator to the Lan1 segments via the concentrator's private interface.
Hope it helps. Please rate all helpful posts.
--Jaffer
05-29-2007 01:16 AM
No load balancing.
05-29-2007 04:34 AM
Well, please have a look at the following link to get an idea of reverse route injection.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gt_rrie.htm
05-29-2007 05:09 AM
Adam,
Take out the static routes and also disable reverse route injection.
Enable the logs on the concentrator for severity 1-13 for AUTH, AUTHDBG, IKE, IKEDBG, IPSEC & IPSECDBG.
Try to send a ping for the interesting traffic. Capture the logs and send them to this post; let me take a look at them and see if there is any issue that jumps out.
Cheers
gilbert
05-30-2007 08:52 PM
Guys, I figured it out... silly mistake.
Thanks for the help.
06-01-2007 11:05 PM
Dear Adam,
It seems to me that before you enable RRI, you need to enable routing on the Private port for redistributing stuff. There are three rules for injecting reverse routes. However, when you establish an L-2-L VPN using the Public interface, you will find that the VPN 3000 uses the default gateway address as the next hop of the injected route, not the peer's address.
Cheers,
James Ren