Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Hub-and-Spoke IPSec L2L + VPN Clients

Hi!

I have a 3 hub-and-spoke network having all 3 CS2801 a L2L IPSec tunnel to the other 2 routers. I have also VPN Client connections to all 3 routers and here is where the problem begins:

- SITE A (main site) has 3 diferent internet links: 1 for IPSec L2L to site B, 1 for IPSec L2L to site C and the other gives regular local Internet access and is the link we use to connect the VPN Clients and we have some problems with some kind of remote connections where the local modem/router has no capability to do VPN-Relay or IPSec port forwarding.

- SITE B and C: both use just one Internet link for the 2 L2L IPSec tunnels plus the VPN Client connections and all is working fine.

After several hours of troubleshooting i have no more sugestions.

Thanks for your help.

2 REPLIES
Bronze

Re: Hub-and-Spoke IPSec L2L + VPN Clients

use debug commands to find the symptoms causing this problem

debug crypto ipsecDisplays information about IPsec events.

debug crypto isakmpDisplays messages about Internet Key Exchange (IKE) events.

debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]] [rx | tx | both]Displays the packets that hit the specified interface. This command is useful when you determine the type of traffic on the inside interface of PIXfirst. This command is also used to verify that the translation intended does occur.

logging buffered levelSends syslog messages to an internal buffer that is viewed with the show logging command. Use the clear logging command to clear the message buffer. New messages append to the end of the buffer. This command is used to view the translation that is built. Logging to the buffer must be turned on when required. Turn off logging to buffer with no logging buffer level and/or no logging on.

debug icmp traceShows Internet Control Message Protocol (ICMP) packet information, the source IP address, and the destination address of the packets that arrive at, depart from, and traverse the PIX Firewall. This includes pings to the PIX Firewall unit's own interfaces. Use no debug icmp trace to turn off debug icmp trace.

Silver

Re: Hub-and-Spoke IPSec L2L + VPN Clients

" we use to connect the VPN Clients and we have some problems with some kind of remote connections where the local modem/router has no capability to do VPN-Relay or IPSec port forwarding. "

Dont get this. Did u do a debug on the router for these VPN connections. Can you show the relevant config pls

123
Views
0
Helpful
2
Replies
CreatePlease to create content