Can't establish VPN from remote end.

d.hodgson
Level 1

Hi folks,

I was wondering if you kind people wouldn't mind helping me?

I have a router at a remote site (let's call it site A) which over ADSL connects to our HQ via VPN; site A has an 857 router and the HQ has a 3000 concentrator. We have another couple of sites with different or older routers, 837, 1751 etc. All the sites use the same config, only IPs and key change.

Only site A however doesn't keep its VPN up, and the VPN will only establish itself if I create the connection from the HQ (I ping site A IP address from HQ). If I connect to the router over ADSL and I ping the corporate network ensuring that the source address is site A it still doesn't bring the VPN up. Since the config is exactly the same on the 3000 as the other VPNs I assume the problem must lie with the 857 and some config line that's either not there or is incorrect.

I've attached the running config, sh ver and sh diag.

thanks

Dave


John Blakley
VIP Alumni

Your config looks right. Can you post "sh crypt session" and sh crypt ipsec sa?

HTH,

John

HTH, John *** Please rate all useful posts ***

Attached.

sh crypto eng conn act

sh crypto sess

sh crypto ipsec sa

thanks

Dave

Hi,

Based on your configuration and show crypto ipsec sa, I believe that the Crypto ACLs are not mirroring on the Router and VPN3000 Headend side.

The 857 Crypto ACL is below:

ip access-list extended NETS
 permit ip 10.254.42.0 0.0.0.255 any
 permit ip 172.16.15.0 0.0.0.255 any

But the IPsec SAs are built between 10.254.42.0/24 to 10.0.0.0/8 and 172.16.15.0 to 10.0.0.0/8. So, this tells me that the VPN3000 is configured for

Local Network List:
 10.0.0.0 0.0.0.255

Remote Network List:
 10.254.42.0 0.0.0.255
 172.16.15.0 0.0.0.255

So, this could very well be the reason that you are only able to bring up the tunnel from the VPN3000 and not the 857.

You have two options:

1. Reconfigure the network list on the VPN3000 to include any source traffic destined to your subnets to be encrypted.

or

2. Change the access-list from any to 10.0.0.0/8 on the router.

Also, I am not sure how you are routing your internet traffic for users behind the 857. If you want to send all the traffic to the VPN3000 including internet, then you have to change the VPN3000 network list to any.

Regards,

Arul

*Pls rate if it helps*
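The mirroring check Arul describes, as an added example that is not part of the thread: a small Python script that parses the 857's crypto ACL and reports any entry the VPN 3000's network lists do not mirror exactly. The headend local list is taken as 10.0.0.0/8 from the SA output described above, and the "after" ACL is option 2; all values here are constructed from the thread.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair into an ip_network (wildcard 1-bits are don't-care)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - wc.bit_length()
    # A proxy identity must be a contiguous block; reject non-contiguous wildcards.
    if wc != (1 << (32 - prefixlen)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def parse_crypto_acl(lines):
    """Parse 'permit ip <src> <dst>' lines (addr/wildcard, 'host', or 'any') into (src, dst) pairs."""
    pairs = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit":
            continue            # deny entries and other lines do not create IPsec proxies
        i, nets = 2, []         # skip 'permit ip'
        while i < len(tokens):
            if tokens[i] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
            elif tokens[i] == "host":
                nets.append(ipaddress.ip_network(tokens[i + 1] + "/32")); i += 2
            else:
                nets.append(wildcard_to_network(tokens[i], tokens[i + 1])); i += 2
        pairs.append((nets[0], nets[1]))
    return pairs

def mirror_mismatches(router_acl, headend_local, headend_remote):
    """Return router (src, dst) proxies that no headend (remote, local) pair mirrors exactly.
    An empty list means the router can initiate the tunnel with matching proxy IDs."""
    headend_pairs = {(ipaddress.ip_network(r), ipaddress.ip_network(l))
                     for r in headend_remote for l in headend_local}
    return [p for p in parse_crypto_acl(router_acl) if p not in headend_pairs]

# Constructed from the thread: the 857's ACL as posted, and the same ACL after option 2.
ROUTER_ACL_BEFORE = ["permit ip 10.254.42.0 0.0.0.255 any",
                     "permit ip 172.16.15.0 0.0.0.255 any"]
ROUTER_ACL_AFTER = ["permit ip 10.254.42.0 0.0.0.255 10.0.0.0 0.255.255.255",
                    "permit ip 172.16.15.0 0.0.0.255 10.0.0.0 0.255.255.255"]
HEADEND_LOCAL = ["10.0.0.0/8"]                       # assumed from the SA output
HEADEND_REMOTE = ["10.254.42.0/24", "172.16.15.0/24"]

if __name__ == "__main__":
    for name, acl in (("before", ROUTER_ACL_BEFORE), ("after", ROUTER_ACL_AFTER)):
        bad = mirror_mismatches(acl, HEADEND_LOCAL, HEADEND_REMOTE)
        print(name, "mismatched proxies:", [f"{s} -> {d}" for s, d in bad] or "none")
```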

Sorry for not replying until now, I was off sick. Thanks for your help, it was the ACLs and once changed rectified the problem.

Dave

John Blakley
VIP Alumni

Dave,

On your router you have:

 permit ip 10.254.42.0 0.0.0.255 any
 permit ip 172.16.15.0 0.0.0.255 any

On the concentrator, verify that the tunnel policy allows for:

 10.254.42.0/0.0.0.255
 172.16.15.0/0.0.0.255

If you still have problems, you can post the relevant portions of the concentrator config also.

HTH,

John

HTH, John *** Please rate all useful posts ***