Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Is possible to terminate VPN IPSec on external and public interface ?

Hi

I have used a VPN3030 concentrator since 4 years in a classical way: 1 public interface (for Lan-to-Lan IPSec and remote-acces (NAT-T)connections) and 1 private interface.

I need to connect to an external (not internet) network and offer Remote-access capabilities. Could I use the external interface of my VPN3030 for that purpose ?

Thanks in advance

patrice

10 REPLIES
Cisco Employee

Re: Is possible to terminate VPN IPSec on external and public in

Patrice,

I got a question for you.

When you said, you need to connect to an external network, what do you mean by that. A device which has a non-routable IP address on its external interface?

Thanks

Gilbert

Rate it, if this helps.

New Member

Re: Is possible to terminate VPN IPSec on external and public in

Gilbert,

The external network is a private Wan network used for the data exchange between branch and main offices.

This WAN uses RFC1918.

Thanks

Patrice

Cisco Employee

Re: Is possible to terminate VPN IPSec on external and public in

Patrice,

If the remote users/network can access the Concentrator, then yes, you should be able to give remote access to those users/network.

Thanks

Gilbert

Rate this post, if it helps!

New Member

Re: Is possible to terminate VPN IPSec on external and public in

Gilbert,

I'm sorry but, I've tried different configurations but that's still not work.

Actually, when I activate NAT-T, the VPN3030 log shows the add of an implied filter using the physical public interface IP address, even I tick the external interface to act as the public one

Regards,

Patrice

Cisco Employee

Re: Is possible to terminate VPN IPSec on external and public in

Patrice,

Going back to your question - "I need to connect to an external (not internet) network and offer Remote-access capabilities"

I need some explanation in here.

What is the IP address of the concentrator - External IP address (public interface)

When you said connect to an external network - What do you mean by that? L2L to a router from the concentrator or VPN client connections to the concentrator?

Can you ping the concentrator from the device which is trying to connect?

Please explain!

Thanks

Gilbert

New Member

Re: Is possible to terminate VPN IPSec on external and public in

Hi Gilbert,

The public interface of the VPN 3030 is linked to Internet to offer L2L and remote-access IPSec connections.

A corporate network exists and I would like to use the available VPN3030 external interface to offer the same services

That'all

Regards,

Patrice

Re: Is possible to terminate VPN IPSec on external and public in

Hi Patrice,

When the VPN client user tries to terminate IPsec over TCP connection on the external interface of VPN Concentrator, the Concentrator does not accept IPsec over TCP connections on this interface regardless of it is allowed in a filter and sends pack a reset packet.

Try the VPN client connection with IPsec over User Datagram Protocol (UDP), which works on the external interface.

Let me know how it goes.

Regards

Parminder

New Member

Re: Is possible to terminate VPN IPSec on external and public in

Hi Parmider,

Sorry for the delay.

You're right: VPN3030 can receive IPSec over UDP connections on the external interface simultaneously with a IPsec ovec TCP connection.

Thank you for your help.

Patrice

Cisco Employee

Re: Is possible to terminate VPN IPSec on external and public in

Hi Patrice,

Please confirm the following :

1. The External Interface is marked 'Public'.

2. It has the Public filter enabled.

3. Try to connect and if it does not connect then do the following :

a. Goto Configuration -> System -> Events -> Classes and make sure that the following classes are enabled with severity 1-13 :

IKE, IKEDBG, IPSEC, IPSECDBG

b. Goto Monitoring -> Filterable Event Logs and clear the logs.

c. Try to establish the tunnel and go back to Monitoring -> Filterable Event Logs. Obtain the logs and send to us.

HTH,

Please rate if it helps.

Regards,

Kamal

New Member

Re: Is possible to terminate VPN IPSec on external and public in

Hi 'HTH'

Now, It's a fact: IPsec over TCP can only be established on the only one "public" marked interface of the VPN3xxx.

Then, I will investigate on the ASA5xxx capabilities.

thank for your help.

Regards,

Patrice

130
Views
5
Helpful
10
Replies
CreatePlease login to create content