Can't establish VPN from remote end.

Dec 9th, 2008

Hi folks,


I was wondering if you kind people wouldn't mind helping me?


I have a router at a remote site (let's call it site A) which connects over ADSL to our HQ via VPN. Site A has an 857 router and the HQ has a 3000 concentrator. We have another couple of sites with different or older routers (837, 1751 etc.). All the sites use the same config; only the IPs and keys change.

Only site A, however, doesn't keep its VPN up, and the VPN will only establish itself if I create the connection from the HQ (I ping the site A IP address from HQ). If I connect to the router over ADSL and ping the corporate network, ensuring that the source address is site A, it still doesn't bring the VPN up. Since the config is exactly the same on the 3000 as for the other VPNs, I assume the problem must lie with the 857 and some config line that's either not there or is incorrect.

I've attached the running config, sh ver and sh diag.


thanks

Dave



John Blakley Wed, 12/10/2008 - 07:10

Your config looks right. Can you post "sh crypto session" and "sh crypto ipsec sa"?


HTH,


John

ajagadee Wed, 12/10/2008 - 21:01

Hi,


Based on your configuration and show crypto ipsec sa, I believe that the Crypto ACLs are not mirrored on the Router and VPN3000 headend side.

The 857 Crypto ACL is below:

ip access-list extended NETS
permit ip 10.254.42.0 0.0.0.255 any
permit ip 172.16.15.0 0.0.0.255 any

But the IPsec SAs are built between 10.254.42.0/24 and 10.0.0.0/8, and between 172.16.15.0 and 10.0.0.0/8. So, this tells me that the VPN3000 is configured for

Local Network List:
10.0.0.0 0.0.0.255

Remote Network List:
10.254.42.0 0.0.0.255
172.16.15.0 0.0.0.255

So, this could very well be the reason that you are only able to bring up the tunnel from the VPN3000 and not from the 857.

You have two options:

1. Reconfigure the network list on the VPN3000 so that any source traffic destined to your subnets is encrypted.

or

2. Change the access-list from any to 10.0.0.0/8 on the router.

Also, I am not sure how you are routing your internet traffic for users behind the 857. If you want to send all the traffic to the VPN3000, including internet, then you have to change the VPN3000 network list to any.


Regards,

Arul


*Pls rate if it helps*
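A small mirroring check for the rule Arul describes, added here as an example and not part of the original thread or of any Cisco tool: it turns the router's wildcard ACL entries and the concentrator's network lists into (local, remote) proxy-ID pairs and reports which pairs have no mirror on the other side. The headend lists are constructed to match the 10.0.0.0/8 proxy identity seen in the SAs, and FIXED_ACL applies option 2 (replace "any" with 10.0.0.0/8).

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def wildcard_to_network(addr, wildcard):
    """Cisco 'address wildcard' -> IPv4Network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # e.g. 0.0.255.0 has no single-CIDR equivalent
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def parse_endpoint(tokens, i):
    # One ACL endpoint starting at tokens[i]: any | host A | A WILDCARD
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_crypto_acl(text):
    """Return the set of (local, remote) proxy-ID pairs a crypto ACL defines."""
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["permit", "ip"]:
            continue  # ACL name line, blank line, or a non-IP entry
        src, i = parse_endpoint(tokens, 2)
        dst, _ = parse_endpoint(tokens, i)
        pairs.add((src, dst))
    return pairs

def headend_pairs(local_list, remote_list):
    """VPN3000-style network lists pair every local entry with every remote entry."""
    locs = {wildcard_to_network(a, w) for a, w in local_list}
    rems = {wildcard_to_network(a, w) for a, w in remote_list}
    return {(l, r) for l in locs for r in rems}

def mirror_mismatches(router_pairs, concentrator_pairs):
    """Swap local/remote on the concentrator side and diff; two empty sets = mirrored."""
    mirrored = {(remote, local) for local, remote in concentrator_pairs}
    return router_pairs - mirrored, mirrored - router_pairs

# Constructed from the thread: the 857's ACL, and headend lists matching the /8 seen in the SAs.
ROUTER_ACL = """ip access-list extended NETS
permit ip 10.254.42.0 0.0.0.255 any
permit ip 172.16.15.0 0.0.0.255 any"""
FIXED_ACL = ROUTER_ACL.replace(" any", " 10.0.0.0 0.255.255.255")  # option 2 from the post
HEADEND_LOCAL = [("10.0.0.0", "0.255.255.255")]
HEADEND_REMOTE = [("10.254.42.0", "0.0.0.255"), ("172.16.15.0", "0.0.0.255")]

def check_mirroring(router_acl, local_list, remote_list):
    return mirror_mismatches(parse_crypto_acl(router_acl), headend_pairs(local_list, remote_list))
```

With the ACL as posted, both router entries (destination "any") have no mirror on the concentrator and both concentrator pairs have none on the router; after the option 2 change both sets are empty.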




d.hodgson Tue, 12/23/2008 - 15:48

Sorry for not replying until now, I was off sick. Thanks for your help, it was the ACLs, and once changed it rectified the problem.


Dave

John Blakley Thu, 12/11/2008 - 07:31

Dave,


On your router you have:

permit ip 10.254.42.0 0.0.0.255 any
permit ip 172.16.15.0 0.0.0.255 any

On the concentrator, verify that the tunnel policy allows for:

10.254.42.0/0.0.0.255
172.16.15.0/0.0.0.255


If you still have problems, you can post the relevant portions of the concentrator config also.


HTH,


John

d.hodgson Tue, 12/23/2008 - 15:47

Sorry for not replying until now, I was off sick. Thanks for your help, it was the ACLs, and once changed it rectified the problem.


Dave
