05-21-2010 04:17 AM
Hi everyone..
I'm setting up an IPSec tunnel between our primary site (with Check Point) and a customer, who has a Cisco WRV210.
The tunnel is established and working, since I can ping from our site to the customer, but the customer LAN can't ping our setup. Here comes the setup:
Customer LAN:
192.168.10.0/24
Our LAN:
10.1.23.32/27
Ping from 10.1.23.34 to 192.168.10.1 (WRV210 IP) - Success
Ping from 192.168.10.1 to 10.1.23.34 - Fails
In my Check Point log file, I can't see any ICMP attempts from our customer.
Since there is no log in the Cisco WRV210, other than to set up a syslog server, I can't see what it is doing. I do not have any accessible PC on the remote site to send logs to.
Do you guys have any idea about what's wrong?
Any help is appreciated
05-21-2010 05:37 AM
UPDATE:
Here's the VPN log from our customer:
000 [Fri 07:15:08] packet from xx.xx.xx.xx:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d4bf6794c...]
001 [Fri 07:15:08] "TunnelA" #4: responding to Main Mode
002 [Fri 07:15:08] "TunnelA" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
003 [Fri 07:15:08] "TunnelA" #4: STATE_MAIN_R1: sent MR1, expecting MI2
004 [Fri 07:15:09] "TunnelA" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
005 [Fri 07:15:09] "TunnelA" #4: STATE_MAIN_R2: sent MR2, expecting MI3
006 [Fri 07:15:09] "TunnelA" #4: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.xx.xx'
007 [Fri 07:15:09] "TunnelA" #4: I did not send a certificate because I do not have one.
008 [Fri 07:15:09] "TunnelA" #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
009 [Fri 07:15:09] "TunnelA" #4: [WRV210 Response:] ISAKMP SA established
010 [Fri 07:15:09] "TunnelA" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
011 [Fri 07:15:09] "TunnelA" #5: responding to Quick Mode {msgid:2973e856}
012 [Fri 07:15:09] "TunnelA" #5: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
013 [Fri 07:15:09] "TunnelA" #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
014 [Fri 07:15:09] "TunnelA" #5: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
015 [Fri 07:15:09] "TunnelA" #5: [WRV210 Response:] IPSec SA established
016 [Fri 07:15:09] "TunnelA" #5: STATE_QUICK_R2: IPsec SA established {ESP=>0x052096a9 <0x3a57f094 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
017 [Fri 07:15:09] "TunnelA" #5: discarding duplicate packet; already STATE_QUICK_R2
018 [Fri 07:15:10] "TunnelA" #5: discarding duplicate packet; already STATE_QUICK_R2
05-21-2010 04:34 PM
If pings work one way, that means the VPN tunnel itself is up and running.
The issue is more than likely an access-list on the customer's side, not configuration on VPN tunnel.
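An added example, not part of the original thread: a small Python parser for the log format posted above that confirms both IKE phases completed (so the fault is in policy or ACLs rather than negotiation) and lists hardening notes on the negotiated parameters. The function names and the wording of the notes are assumptions made for this example; the sample lines are copied from the log in the thread.

```python
import re

# Lines copied from the customer's VPN log posted earlier in this thread.
SAMPLE_LOG = """\
010 [Fri 07:15:09] "TunnelA" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
011 [Fri 07:15:09] "TunnelA" #5: responding to Quick Mode {msgid:2973e856}
016 [Fri 07:15:09] "TunnelA" #5: STATE_QUICK_R2: IPsec SA established {ESP=>0x052096a9 <0x3a57f094 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
017 [Fri 07:15:09] "TunnelA" #5: discarding duplicate packet; already STATE_QUICK_R2
"""

LINE = re.compile(r'^\d+ \[[^\]]+\] "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
BRACES = re.compile(r"\{([^}]*)\}")


def parse_params(msg):
    """Return the key=value pairs from the {...} block of an 'established' line."""
    m = BRACES.search(msg)
    if not m:
        return {}
    return dict(tok.split("=", 1) for tok in m.group(1).split() if "=" in tok)


def summarize(log_text):
    """Per connection: which IKE phases completed, negotiated parameters, notes."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without a connection name, e.g. the Vendor ID notice
        c = conns.setdefault(m["conn"], {"phase1": False, "phase2": False,
                                         "params": {}, "notes": []})
        msg = m["msg"]
        if msg.startswith("STATE_MAIN_R3") and "ISAKMP SA established" in msg:
            c["phase1"] = True
            c["params"].update(parse_params(msg))
        elif msg.startswith("STATE_QUICK_R2") and "IPsec SA established" in msg:
            c["phase2"] = True
            c["params"].update(parse_params(msg))
    for c in conns.values():
        p = c["params"]
        if "3des" in (p.get("cipher", "") + p.get("xfrm", "")).lower():
            c["notes"].append("3DES negotiated: legacy 64-bit block cipher, prefer AES")
        if p.get("group") == "modp1024":
            c["notes"].append("modp1024: 1024-bit DH group, prefer a larger group")
        if p.get("DPD") == "none":
            c["notes"].append("DPD=none: a dead peer will not be detected")
        c["tunnel_up"] = c["phase1"] and c["phase2"]
    return conns
```

With `tunnel_up` true and no ICMP from the customer side in the local firewall log, the next things to check are the remote device's traffic selectors and filtering, as the reply above suggests.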
05-24-2010 11:51 PM
Hi halijenn,
Thanks for your reply.
I'm having the same thought, I just don't know where to configure the ACL on the Cisco WRV210. I only have a limited web interface. I can't access any command line.