
IPSEC Lan2Lan VPN 3000 & 877

eoinwhite
Level 1

I'm trying to build a tunnel between an 877 and a VPN 3000. The tunnel appears to come up when I send interesting traffic, but I can ping back to HQ.

Attached are the 877 config and the output of debug crypto isakmp.

Any ideas?

3 Replies

Yudong Wu
Level 7

1. Make sure there is no ACL blocking your ping packets.

2. Check the routing in both directions.

3. Check "show crypto ipsec sa" to see if both the encrypt and decrypt counters are incrementing while you run the ping test.
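Step 3 is the quickest way to tell which direction of the tunnel is broken, so here is a small script that does the comparison for you. It is an added example for this thread, not code from any of the posts: it parses the per-SA "#pkts encaps" / "#pkts decaps" lines that IOS prints in "show crypto ipsec sa", takes the difference between a snapshot captured before the ping test and one captured after it, and names the symptom. The two snapshots are constructed sample output; the 203.0.113.1 local address and the 192.168.1.0/24 second SA are placeholders, while 84.203.192.67, 10.73.100.0/24 and 10.0.0.0/8 are the addresses from this thread.

```python
"""Diagnose an IPsec tunnel from two 'show crypto ipsec sa' snapshots.

Added example for this thread (not code from any of the posts). It reads the
per-SA '#pkts encaps' / '#pkts decaps' counters IOS prints, subtracts a
snapshot taken before a ping test from one taken after it, and says which
direction, if any, carried traffic. The snapshots are constructed sample output.
"""
import re

# Matches: 'local  ident (addr/mask/prot/port): (10.73.100.0/255.255.255.0/0/0)'
IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\):\s*\((\S+)\)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sa_counters(text):
    """Map (local ident, remote ident) -> (encaps, decaps) for every SA in the output."""
    counters = {}
    local = remote = encaps = None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":            # a new SA block starts here
                local, remote, encaps = m.group(2), None, None
            else:
                remote = m.group(2)
            continue
        m = ENCAPS_RE.search(line)
        if m:
            encaps = int(m.group(1))
            continue
        m = DECAPS_RE.search(line)
        if m and local and remote and encaps is not None:
            counters[(local, remote)] = (encaps, int(m.group(1)))
    return counters


def diagnose(before, after):
    """Return {sa: (delta_encaps, delta_decaps, verdict)} over the union of SAs."""
    findings = {}
    for sa in sorted(set(before) | set(after)):
        enc_b, dec_b = before.get(sa, (0, 0))          # SA was built during the test
        enc_a, dec_a = after.get(sa, (enc_b, dec_b))   # SA was torn down during the test
        d_enc, d_dec = enc_a - enc_b, dec_a - dec_b
        if d_enc < 0 or d_dec < 0:
            verdict = "counters-reset"   # SA rekeyed/cleared between snapshots; re-run
        elif d_enc == 0 and d_dec == 0:
            verdict = "no-traffic"       # pings never matched the crypto ACL or took another route
        elif d_dec == 0:
            verdict = "one-way"          # we encrypt, nothing returns: far-side routing or ACL
        elif d_enc == 0:
            verdict = "return-only"      # far side sends, our replies bypass the tunnel
        else:
            verdict = "bidirectional"
        findings[sa] = (d_enc, d_dec, verdict)
    return findings


# Constructed sample output (local addr is a placeholder; peer is the HQ address from the thread).
SNAPSHOT_BEFORE = """\
interface: Dialer0
    Crypto map tag: VPNMAP, local addr 203.0.113.1

   local  ident (addr/mask/prot/port): (10.73.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 84.203.192.67 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

SNAPSHOT_AFTER = """\
interface: Dialer0
    Crypto map tag: VPNMAP, local addr 203.0.113.1

   local  ident (addr/mask/prot/port): (10.73.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 84.203.192.67 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

   local  ident (addr/mask/prot/port): (10.73.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 84.203.192.67 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""


def run_demo():
    """Compare the two constructed snapshots and print one verdict per SA."""
    findings = diagnose(parse_sa_counters(SNAPSHOT_BEFORE), parse_sa_counters(SNAPSHOT_AFTER))
    for (local, remote), (d_enc, d_dec, verdict) in findings.items():
        print(f"{local} -> {remote}: +{d_enc} encaps, +{d_dec} decaps: {verdict}")
    return findings


if __name__ == "__main__":
    run_demo()
```

Paste the real output of "show crypto ipsec sa" from the 877 into the two snapshot strings (once before the ping, once after) and read the verdict: "one-way" on the HQ SA points at the return path on the concentrator or firewall side, exactly the routing question raised in this thread, while "no-traffic" means the pings never hit the crypto ACL in the first place.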

There are no ACLs on the HQ side besides those on the firewall permitting the tunnel ports:

access-list VPN permit icmp any host 84.203.192.67

access-list VPN permit udp any host 84.203.192.67 eq 10000

access-list VPN permit udp any host 84.203.192.67 eq isakmp

access-list VPN permit esp any host 84.203.192.67

I have static routes (for the 10.73.100.0 remote subnet) on the HQ side: on the core switches pointing at the concentrator, on the VPN concentrator pointing out the public interface, and on the PIX pointing out the public interface.

I'm not sure if the routing around the DMZ/concentrator is set up correctly.

When doing a traceroute from HQ to the remote inside address, the packets get dropped at the concentrator.

The "show crypto ipsec sa" doesn't even seem to show encryption and decryption counters on the 877.

The trouble was the "any" in my access-list. Either the concentrator or the router didn't like it, so I changed it to 10.0.0.0.

Also, I changed the static route on the concentrator pointing to the remote inside VLAN to use the next hop rather than the exit interface.

Don't know why it worked but it did.
