Can't establish VPN from remote end.

Dec 9th, 2008

Hi folks,

I was wondering if you kind people wouldn't mind helping me?

I have a router at a remote site (let's call it site A) which connects over ADSL to our HQ via VPN. Site A has an 857 router and the HQ has a 3000 concentrator. We have another couple of sites with different or older routers, 837, 1751 etc. All the sites use the same config; only the IPs and key change.

Only site A, however, doesn't keep its VPN up, and the VPN will only establish itself if I create the connection from the HQ (I ping the site A IP address from HQ). If I connect to the router over ADSL and ping the corporate network, ensuring that the source address is site A, it still doesn't bring the VPN up. Since the config is exactly the same on the 3000 as for the other VPNs, I assume the problem must lie with the 857 and some config line that's either not there or is incorrect.

I've attached the running config, sh ver and sh diag.

Thanks

Dave

John Blakley Wed, 12/10/2008 - 07:10

Your config looks right. Can you post "sh crypt session" and "sh crypt ipsec sa"?

HTH,

John

ajagadee Wed, 12/10/2008 - 21:01

Hi,

Based on your configuration and show crypto ipsec sa, I believe that the Crypto ACLs are not mirroring on the Router and VPN3000 Headend side.

The 857 Crypto ACL is below:

ip access-list extended NETS
permit ip 10.254.42.0 0.0.0.255 any
permit ip 172.16.15.0 0.0.0.255 any

But the IPsec SAs are built between 10.254.42.0/24 and 10.0.0.0/8, and between 172.16.15.0 and 10.0.0.0/8. So, this tells me that the VPN3000 is configured for:

Local Network List:
10.0.0.0 0.0.0.255

Remote Network List:
10.254.42.0 0.0.0.255
172.16.15.0 0.0.0.255

So, this could very well be the reason that you are only able to bring up the tunnel from the VPN3000 and not the 857.

You have two options:

1. Reconfigure the network list on the VPN3000 so that any source traffic destined for your subnets is encrypted.

or

2. Change the access-list from any to 10.0.0.0/8 on the router.

Also, I am not sure how you are routing your internet traffic for users behind the 857. If you want to send all the traffic to the VPN3000 including internet, then you have to change the VPN3000 network list to any.

Regards,

Arul

*Pls rate if it helps*
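A small checker for the mismatch Arul describes: it parses the 857's crypto ACEs and the concentrator's network lists as IPsec proxy identities and reports the router entries that have no exact mirror on the head end. This is an added example, not code from the thread; the head-end lists (10.0.0.0/8 local, the two site /24s remote) are assumed from the SA output Arul quotes, and the "fixed" ACL is option 2 from his reply.

```python
import ipaddress

def parse_wildcard(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS '<network> <wildcard>' pair into an IPv4Network."""
    # The wildcard is a host mask (0.0.0.255 == /24): invert it to a netmask.
    # A non-contiguous wildcard has no CIDR form and raises ValueError.
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def parse_ios_ace(line: str) -> tuple:
    """Parse 'permit ip <src> <dst>'; each side is 'any', 'host A' or 'A W'."""
    tok = line.split()
    if tok[:2] != ["permit", "ip"]:
        raise ValueError(f"not an IPv4 permit entry: {line}")
    nets, i = [], 2
    for _ in range(2):  # source first, then destination
        if tok[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0")); i += 1
        elif tok[i] == "host":
            nets.append(ipaddress.IPv4Network(f"{tok[i + 1]}/32")); i += 2
        else:
            nets.append(parse_wildcard(tok[i], tok[i + 1])); i += 2
    return nets[0], nets[1]

def unmirrored(router_acl: list, headend_local: list, headend_remote: list) -> list:
    """Router ACEs with no exact mirror among the head end's proxy identities.

    The head end offers every (local, remote) pair from its lists; a router ACE
    (src, dst) mirrors one only when src == remote and dst == local. A returned
    entry is a phase-2 proposal the peer cannot match, which is why the tunnel
    only comes up from the side whose proposal fits the other side's identity.
    """
    mirrors = {(remote, local) for local in headend_local for remote in headend_remote}
    return [ace for ace in router_acl if ace not in mirrors]

# Constructed inputs: the 857 ACL quoted in the thread, plus head-end lists
# assumed from the SAs Arul observed (10.0.0.0/8 local, the two site /24s remote).
HEADEND_LOCAL = [ipaddress.IPv4Network("10.0.0.0/8")]
HEADEND_REMOTE = [ipaddress.IPv4Network("10.254.42.0/24"),
                  ipaddress.IPv4Network("172.16.15.0/24")]
ORIGINAL_ACL = ["permit ip 10.254.42.0 0.0.0.255 any",
                "permit ip 172.16.15.0 0.0.0.255 any"]
FIXED_ACL = ["permit ip 10.254.42.0 0.0.0.255 10.0.0.0 0.255.255.255",
             "permit ip 172.16.15.0 0.0.0.255 10.0.0.0 0.255.255.255"]

def check(acl_lines: list) -> list:
    """Offending ACEs as 'src -> dst' strings; an empty list means fully mirrored."""
    aces = [parse_ios_ace(line) for line in acl_lines]
    return [f"{s} -> {d}" for s, d in unmirrored(aces, HEADEND_LOCAL, HEADEND_REMOTE)]
```

`check(ORIGINAL_ACL)` flags both entries because their destination is 0.0.0.0/0 rather than the head end's 10.0.0.0/8; `check(FIXED_ACL)` returns an empty list.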

d.hodgson Tue, 12/23/2008 - 15:48

Sorry for not replying until now, I was off sick. Thanks for your help, it was the ACLs, and once changed they rectified the problem.

Dave

John Blakley Thu, 12/11/2008 - 07:31

Dave,

On your router you have:

permit ip 10.254.42.0 0.0.0.255 any

permit ip 172.16.15.0 0.0.0.255 any

On the concentrator, verify that the tunnel policy allows for:

10.254.42.0/0.0.0.255

172.16.15.0/0.0.0.255

If you still have problems, you can post the relevant portions of the concentrator config also.

HTH,

John

d.hodgson Tue, 12/23/2008 - 15:47

Sorry for not replying until now, I was off sick. Thanks for your help, it was the ACLs, and once changed they rectified the problem.

Dave
