Yudong Wu Fri, 09/25/2009 - 07:51

1. Make sure there is no ACL blocking your ping packets.

2. Check the routing in both directions.

3. Check "show crypto ipsec sa" to see if both the encrypt and decrypt counters are incrementing while you are running the ping test.
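As an added example (not from the thread), a small Python script for step 3 of this checklist: it parses two snapshots of "show crypto ipsec sa" taken before and after a ping test and reports, per SA, which direction's counters moved. The command output and addresses below are constructed samples, not output from the poster's devices.

```python
import re

# Constructed "show crypto ipsec sa" excerpts (RFC 5737 peer address); snapshots before/after a ping test.
SNAP_BEFORE = """\
   local  ident (addr/mask/prot/port): (10.73.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 192.0.2.1 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
"""
SNAP_AFTER = """\
   local  ident (addr/mask/prot/port): (10.73.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 192.0.2.1 port 500
    #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
"""
IDENT_RE = re.compile(r"(local|remote)\s+ident .*?: \(([^)]*)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa_counters(output):
    """Map each (local ident, remote ident) pair to its encaps/decaps counts."""
    sas, cur = {}, {}
    for line in output.splitlines():
        m = IDENT_RE.search(line)
        if m:
            cur[m.group(1)] = m.group(2)   # remember the proxy identities of the current SA
            continue
        m = COUNTER_RE.search(line)
        if m and "local" in cur and "remote" in cur:
            key = (cur["local"], cur["remote"])
            sas.setdefault(key, {})[m.group(1)] = int(m.group(2))
    return sas

def diagnose(before, after):
    """Compare two snapshots and say, per SA, which direction carried traffic in between."""
    verdicts = {}
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    for key, cnt in a.items():
        enc = cnt.get("encaps", 0) - b.get(key, {}).get("encaps", 0)
        dec = cnt.get("decaps", 0) - b.get(key, {}).get("decaps", 0)
        if enc and dec:
            verdicts[key] = "both directions incrementing: tunnel carries traffic"
        elif enc:
            verdicts[key] = "encaps only: packets leave encrypted, nothing returns; check remote routing/ACL"
        elif dec:
            verdicts[key] = "decaps only: packets arrive, replies never reach the crypto map; check local routing/ACL"
        else:
            verdicts[key] = "no change: pings never reach this SA; check routing and ACLs first"
    return verdicts
```

Run `diagnose(SNAP_BEFORE, SNAP_AFTER)` to see the "encaps only" verdict for the sample, which is the pattern of a one-way path problem rather than a broken SA.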

eoinwhite Mon, 09/28/2009 - 03:00

There are no ACLs on the HQ side besides those on the firewall permitting the tunnel ports:

access-list VPN permit icmp any host 84.203.192.67
access-list VPN permit udp any host 84.203.192.67 eq 10000
access-list VPN permit udp any host 84.203.192.67 eq isakmp
access-list VPN permit esp any host 84.203.192.67

I have static routes (for the 10.73.100.0 remote subnet) on the HQ side: on the core switches pointing at the concentrator, on the VPN concentrator pointing out the public interface, and on the PIX pointing out the public interface.

I'm not sure if the routing around the DMZ/concentrator is set up correctly.

When doing a traceroute from HQ to the remote inside address, the packets get dropped at the concentrator.

The "show crypto ipsec sa" doesn't seem to even show counters for encryption & decryption on the 877.


eoinwhite Wed, 09/30/2009 - 08:21

The trouble was the "any" in my access-list. Either the Concentrator or the router didn't like it, so I changed it to 10.0.0.0.

Also, I changed the static route on the concentrator pointing to the remote inside VLAN to use the next hop rather than the exit interface.

Don't know why it worked, but it did.
