392 Views, 0 Helpful, 4 Replies

LAN-to-LAN IPSec VPN tunnels between VPN Concentrator 3005 and 1710 routers

JUSTIN LOUCKS
Level 1

I have a question about troubleshooting IPSec VPN tunnels configured between a Cisco VPN Concentrator and Cisco 1710 routers. We have a number of the 1710 routers deployed and they are configured to create an IPSec tunnel back to our VPN Concentrator here at the main location. My question is whether or not there is a command or procedure that would allow me to force that VPN tunnel to come up. If a client machine at the location on the fast ethernet (inside) interface side of the router sends traffic destined for the corporate location, the VPN tunnel is activated and everything works. I am hoping to be able to simulate and/or test these functions while telnetted into the router and without needing a client machine at the local site to produce traffic for me.

Also, I cannot get the tunnel to be activated in a reverse direction. (i.e. Traffic generated and routed from Corporate to the remote site will not re-establish the tunnel between the two devices).

Any feedback and/or ideas would be greatly appreciated.

4 Replies

kdurrett
Level 3

Simple, as long as your inside ethernet interface is part of your interesting traffic, just do an extended ping from that interface. Specify your ethernet as the source. Or you can specify your inside interface as your source telnet IP and so you can test by trying to telnet to your remote network. What that does is whenever telnetting from the router, it will source from the inside ethernet IP, so if it's interesting traffic it will bring up the tunnel.

Kurtis Durrett

I have tried this, but with no success thus far. I know that in a PIX firewall you can specify the interface that you want to ping from, but there is no command I know of for a router IOS to do this. I have done the following in an attempt to force the tunnel up:

Telnet to the outside interface of the remote router. From there, I log on and perform a telnet to the inside interface of the remote router (the only way I can get to that inside interface until the tunnel comes up). I then perform ping statements from that telnet session back to the corporate network. This should be tunnel destined traffic and it should be seen as coming from the internal interface (interesting traffic network), correct?

Again, any assistance/ideas would be appreciated...

Just to clear this up, in old PIX code you had to specify which interface the destination traffic was located on so it knew which interface to send it out of. Pretty smart PIX. For example, outside 192.168.1.2 and inside 192.168.2.1 with your default route 192.168.1.1. You could say (earlier PIX code, 5.2 I think) ping inside 192.168.1.1, but since that was located on outside, you would never get a response. So in order to ping that you would have to type ping outside 192.168.1.1.

Now what you're saying you're doing from the router won't work that way. Since no matter what interface you telnet to, when you ping or telnet it's going to source from the interface that's "closest". Here's how to do an extended ping; someone might have a link, which would be nice for ya.

router#ping ip
Target IP address: 198.133.219.25
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: fastethernet0/0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.133.219.25, timeout is 2 seconds:
.U.U.

Which of course they are blocking pings here so I can't ping it. So, basically when you get down to extended commands, type yes and then you can source your interface or the IP (can even be a loopback) that you want your ping to be sourced from.

Kurtis Durrett
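The reason the source address matters is that the router only builds the tunnel for packets that match its crypto ACL (the "interesting traffic"). The following Python script is an added example, not code from this thread or from Cisco: it models a crypto ACL as Cisco wildcard-mask entries and checks whether a given source/destination pair would trigger the tunnel, so you can see why a ping sourced from the outside address does nothing while the same ping sourced from the inside address does. The addresses reuse Kurtis's example (outside 192.168.1.2, inside LAN 192.168.2.0/24) plus a constructed corporate LAN 10.0.0.0/24; the ACL text and the two concentrator-side ACLs are constructed too. It also includes a mirror check, because a LAN-to-LAN tunnel only comes up in either direction when each side's entries are the mirror image of the other's; that is one thing worth comparing against the concentrator's network lists when traffic from corporate fails to bring the tunnel up.

```python
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    """One 'permit ip' entry of a crypto ACL. Addresses are 32-bit ints;
    wildcard masks follow Cisco convention: 0 bits must match, 1 bits are
    don't-care (the inverse of a subnet mask)."""
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_endpoint(tokens):
    """Consume one endpoint ('any', 'host A', or 'A WILDCARD') and return
    ((addr, wildcard), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, MASK32), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_ace(line):
    """Parse 'access-list <n> permit ip <src> <dst>' (IOS syntax) into an Ace."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"not a 'permit ip' crypto ACE: {line!r}")
    (src, src_wild), rest = _take_endpoint(tokens[4:])
    (dst, dst_wild), rest = _take_endpoint(rest)
    return Ace(src, src_wild, dst, dst_wild)


def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines() if line.strip()]


def _same(a, b, wildcard):
    # Bits where the wildcard is 0 must be equal; bits where it is 1 are ignored.
    return ((a ^ b) & ~wildcard & MASK32) == 0


def is_interesting(acl, src, dst):
    """True if a packet src -> dst matches any ACE, i.e. would bring the tunnel up."""
    s, d = _ip(src), _ip(dst)
    return any(_same(s, ace.src, ace.src_wild) and _same(d, ace.dst, ace.dst_wild)
               for ace in acl)


def mirror(ace):
    """The ACE the far end must hold for the same flow seen from its side."""
    return Ace(ace.dst, ace.dst_wild, ace.src, ace.src_wild)


def unmirrored(local_acl, remote_acl):
    """ACEs of local_acl whose mirror image is missing from remote_acl."""
    return [ace for ace in local_acl if mirror(ace) not in remote_acl]


# Constructed sample: the 1710's crypto ACL (inside LAN 192.168.2.0/24 to a
# constructed corporate LAN 10.0.0.0/24) and two candidate concentrator-side
# ACLs, one correctly mirrored and one with a mismatched mask.
REMOTE_ACL = parse_acl("""
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
""")
HUB_ACL_OK = parse_acl("""
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
""")
HUB_ACL_BAD = parse_acl("""
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.127
""")

if __name__ == "__main__":
    # A ping sourced from the outside interface (192.168.1.2) is not interesting
    # traffic; the same ping sourced from the inside interface (192.168.2.1) is.
    print("ping from outside 192.168.1.2:", is_interesting(REMOTE_ACL, "192.168.1.2", "10.0.0.5"))
    print("ping from inside  192.168.2.1:", is_interesting(REMOTE_ACL, "192.168.2.1", "10.0.0.5"))
    print("hub ACL mirrored:", not unmirrored(REMOTE_ACL, HUB_ACL_OK))
    print("bad hub ACL mirrored:", not unmirrored(REMOTE_ACL, HUB_ACL_BAD))
```

Run it as-is to see the two ping results differ only in the source address. After the extended ping on the router itself, "show crypto isakmp sa" and "show crypto ipsec sa" on IOS show whether the phase 1 and phase 2 SAs actually came up, which is the confirmation the thread is after.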

Thanks!! I think this will work. I am pretty new to Cisco administration and did not know about the extended ping command. Learn something new everyday...

Also, the PIX version I have is 5.1 so I guess that explains my familiarity with the old command structure. Yet another change I'll have to get used to when I get around to upgrading that.

Thanks again,

Justin Loucks