Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
479
Views
0
Helpful
2
Replies

Hub-and-Spoke IPSec L2L + VPN Clients

ovieira
Level 1
Level 1

‎01-13-2006 09:04 AM - edited ‎02-21-2020 02:11 PM

Hi!

I have a 3 hub-and-spoke network having all 3 CS2801 a L2L IPSec tunnel to the other 2 routers. I have also VPN Client connections to all 3 routers and here is where the problem begins:

- SITE A (main site) has 3 diferent internet links: 1 for IPSec L2L to site B, 1 for IPSec L2L to site C and the other gives regular local Internet access and is the link we use to connect the VPN Clients and we have some problems with some kind of remote connections where the local modem/router has no capability to do VPN-Relay or IPSec port forwarding.

- SITE B and C: both use just one Internet link for the 2 L2L IPSec tunnels plus the VPN Client connections and all is working fine.

After several hours of troubleshooting i have no more sugestions.

Thanks for your help.

Labels:
0 Helpful
2 Replies 2

pradeepde
Level 5
Level 5

‎01-19-2006 09:29 AM

use debug commands to find the symptoms causing this problem

debug crypto ipsecDisplays information about IPsec events.

debug crypto isakmpDisplays messages about Internet Key Exchange (IKE) events.

debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]] [rx | tx | both]Displays the packets that hit the specified interface. This command is useful when you determine the type of traffic on the inside interface of PIXfirst. This command is also used to verify that the translation intended does occur.

logging buffered levelSends syslog messages to an internal buffer that is viewed with the show logging command. Use the clear logging command to clear the message buffer. New messages append to the end of the buffer. This command is used to view the translation that is built. Logging to the buffer must be turned on when required. Turn off logging to buffer with no logging buffer level and/or no logging on.

debug icmp traceShows Internet Control Message Protocol (ICMP) packet information, the source IP address, and the destination address of the packets that arrive at, depart from, and traverse the PIX Firewall. This includes pings to the PIX Firewall unit's own interfaces. Use no debug icmp trace to turn off debug icmp trace.

0 Helpful

attrgautam
Level 5
Level 5

‎01-19-2006 08:11 PM

" we use to connect the VPN Clients and we have some problems with some kind of remote connections where the local modem/router has no capability to do VPN-Relay or IPSec port forwarding. "

Dont get this. Did u do a debug on the router for these VPN connections. Can you show the relevant config pls

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents