I am new to the concentrator and VPNs in general. I understand that the concentrator is based on UDP by default. Why, when I configure a 1720 router with IPSEC IOS, can I create a VPN between my two networks, but when I try to use the LAN to LAN feature under the "Tunneling protocols, IPSEC LAN to LAN" portion of the concentrator, the tunnel will not come up? The only way I get the tunnel to come up is with the Base user configuration set to preshared key, the IPSEC checkbox on, and tunnel type Remote Access. If I choose LAN to LAN in base user and log out the session, the tunnel will never come back up. If I switch it back to Remote Access and initiate traffic, the tunnel comes up. I am assuming I have to set up NAT on the 1720, but thought this kind of work was eliminated with the concentrator. Can someone explain why this is?
I have gone through these settings and verified them. If I know I can get the tunnel up with the base settings, then LAN to LAN does not require any changes to the access lists on the routers at the edge of each internet connection, does it?
The access-lists need to match on both ends of the tunnel to allow traffic between the two networks.
If you have 10.1.1.x at end-1 (IOS) and 172.16.x.x at end-2 (VPN), then the access lists should be:
At end-1: access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255
At end-2 :
Remote Network List = 10.1.1.0/0.0.0.255
Local Network List= 172.16.0.0/0.0.255.255
Then, from the IOS box, try an extended ping to the VPN's private LAN address. Make sure that you specify the source address (in the extended ping) as the IOS box's internal LAN address. If this works, then you should have connectivity between the networks.
Agreed, thanks. I have discovered the root cause of the problem. When telling the concentrator the network lists participating in the LAN to LAN tunnel, it will allow you to choose the preconfigured local LAN, but you must specify the remote network number and wildcard mask. The preconfigured network list for the remote side will not work. I tried deleting the network and recreating an entirely new IP network and could never get it to work. So, you have to be specific: Network List -- Use IP Address and Wildcard Mask Below -- then fill in the blanks.
Save me from a false sense of security; otherwise, have a good weekend and thanks!!