Cisco Support Community

3030 Concentrator: Lan to Lan VPN problem on Private Interface


I have a 3030 series concentrator, with three interfaces.

"Ethernet 1 (Private)" faces our internal network. Its IP is (of course, IPs have been changed to protect the innocent).

"Ethernet 2 (Public)" faces the Internet. Its IP is

"Ethernet 3 (External)" faces our company WAN. Its IP is

For routing, our default route points out Ethernet2 towards the Internet, and we have static routes facing inside and to our WAN.

Most of our Lan to Lan VPNs are built over the Internet, and work fine. However, we have some sites that we want to VPN with, over our WAN.

So for Ethernet3, we modified it to be a Public Interface (by selecting the checkbox), applied the Public (Default) filter, and added static routes for our partner VPN devices.

However, we cannot initiate the VPN. We've set up a network sniffer, and found the problem.

Let's say our remote VPN endpoint is And we have a static route out Ethernet3 for that.

During IKE phase1, the conversation is correctly between and and However, once ESP starts, the source of the packets becomes

That public IP ( is of course not routable on our WAN. So we never get any reply packets from our remote VPN peer (

Here's a more detailed packet trace...

ISAKMP Identity Protection (Main Mode)
ISAKMP Identity Protection (Main Mode)
ISAKMP Identity Protection (Main Mode)
ISAKMP Quick Mode
ISAKMP Quick Mode
ESP ESP (SPI=0x2eb63db6)
ESP ESP (SPI=0x2eb63db6)
ESP ESP (SPI=0x2eb63db6)
ESP ESP (SPI=0x2eb63db6)

What could be making the VPN Concentrator switch what IP it sources the packets from?
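The symptom described in the post above (IKE negotiated from one local address, ESP then sent from another, no replies) can be checked mechanically from a capture summary. This is an added example, not part of the original post or any Cisco tooling; the rows are constructed, the addresses are placeholders because the post's real addresses are not on the page, and the function name is hypothetical.

```python
from collections import defaultdict

# Constructed capture summary rows: (source, destination, protocol).
# All addresses are placeholders, not values from the post.
LOCAL_ADDRS = {"10.20.0.1", "10.20.0.5", "192.0.2.10"}
TRACE = [
    ("10.20.0.1", "10.30.0.1", "ISAKMP"),   # Main Mode, local -> peer
    ("10.30.0.1", "10.20.0.1", "ISAKMP"),   # peer reply
    ("10.20.0.1", "10.30.0.1", "ISAKMP"),   # Quick Mode
    ("192.0.2.10", "10.30.0.1", "ESP"),     # ESP leaves from another address
    ("192.0.2.10", "10.30.0.1", "ESP"),
    ("10.20.0.5", "10.40.0.1", "ISAKMP"),   # second tunnel, behaving normally
    ("10.40.0.1", "10.20.0.5", "ISAKMP"),
    ("10.20.0.5", "10.40.0.1", "ESP"),
    ("10.40.0.1", "10.20.0.5", "ESP"),
]

def esp_source_mismatches(trace, local_addrs):
    """Report peers whose outbound ESP uses a local source address that
    never took part in the ISAKMP exchange with that peer."""
    ike_src = defaultdict(set)     # peer -> local addresses used for ISAKMP
    esp_src = defaultdict(set)     # peer -> local addresses used for ESP
    esp_replies = defaultdict(int) # peer -> ESP packets received from peer
    for src, dst, proto in trace:
        if src in local_addrs:
            if proto == "ISAKMP":
                ike_src[dst].add(src)
            elif proto == "ESP":
                esp_src[dst].add(src)
        elif proto == "ESP" and dst in local_addrs:
            esp_replies[src] += 1
    findings = {}
    for peer, sources in esp_src.items():
        stray = sources - ike_src[peer]
        if stray:
            findings[peer] = {
                "ike_src": sorted(ike_src[peer]),
                "esp_src": sorted(stray),
                "esp_replies": esp_replies[peer],
            }
    return findings

if __name__ == "__main__":
    for peer, info in esp_source_mismatches(TRACE, LOCAL_ADDRS).items():
        print(peer, info)
```

A finding with `esp_replies` of zero matches the one-way ESP flow seen in the sniffer trace.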




Re: 3030 Concentrator: Lan to Lan VPN problem on Private Interfa

Try these steps:

>Check internal routing on the concentrator

>Insert the static route on the inside router which is connected to the private interface of the concentrator

Try these links: