My company has been using a site2site VPN connecting the branch office and the HQ. Originally, the HQ only allowed the branch network (172.29.4.64/27) to access the HQ network (192.168.10.0/24), and it worked fine. Now the branch needs to access another network (192.168.31.0/24) in the HQ. So both sides added the ACL for the NO NAT and the interesting VPN traffic. But it doesn't work - the 172.29.4.64/27 network still can NOT access the 192.168.31.0/24 network in the HQ. You don't need to think about the problem of the routing and configuration, as the configuration for 192.168.31.0/24 is the same as the configuration for 192.168.10.0/24. I did some tests and found that the ACL for the interesting VPN traffic does NOT work. It still only allows the 172.29.4.65/27 network to access 192.168.10.0/24. To me it is really weird, I am wondering if it is caused by the protocol. [I am using esp-des esp-sha-hmac for the transform set.] The problem doesn't happen on the VPN that uses the esp-des esp-md5-hmac protocol.
Could you please help me to figure it out? Thanks in advance!!
You are saying "As the problem doesn't happen on the VPN that uses esp-des esp-md5-hmac protocol". Basically this is the same VPN. It is between the same endpoints, and you should have only one esp-des esp-md5-hmac protocol.
Start from the existing VPN that works and add the crypto ACL and NAT 0 statements required for the new traffic on both ends.
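The answer above comes down to one check: the interesting-traffic (crypto) ACL on each side must be the mirror image of the peer's, and the NAT-exemption ACL must cover the same source/destination pairs, for every subnet pair you want through the tunnel. The script below is an added example, not code from the thread or from Cisco; it parses IOS-style extended ACL lines (wildcard masks, `ip` entries only) and reports any pair that is missing on the peer or left out of the NAT exemption. The ACL contents, numbers (110, 120) and the assumption that the HQ side still lacks the new entry are constructed to illustrate the case in the question, not taken from the poster's configuration. It assumes the IOS convention where the NAT source list *denies* VPN traffic to exempt it from translation; on a PIX/ASA `nat (inside) 0 access-list` the exempt lines are `permit`s, so pass `exempt_action="permit"` and convert the subnet masks to wildcards first.

```python
import ipaddress

# Constructed sample ACLs (not from the original post). The branch side
# already lists both HQ subnets; the HQ side still only lists the old one.
BRANCH_CRYPTO_ACL = """
access-list 110 permit ip 172.29.4.64 0.0.0.31 192.168.10.0 0.0.0.255
access-list 110 permit ip 172.29.4.64 0.0.0.31 192.168.31.0 0.0.0.255
"""
BRANCH_NONAT_ACL = """
access-list 120 deny   ip 172.29.4.64 0.0.0.31 192.168.10.0 0.0.0.255
access-list 120 deny   ip 172.29.4.64 0.0.0.31 192.168.31.0 0.0.0.255
access-list 120 permit ip 172.29.4.64 0.0.0.31 any
"""
HQ_CRYPTO_ACL_OLD = """
access-list 110 permit ip 192.168.10.0 0.0.0.255 172.29.4.64 0.0.0.31
"""
HQ_CRYPTO_ACL_NEW = """
access-list 110 permit ip 192.168.10.0 0.0.0.255 172.29.4.64 0.0.0.31
access-list 110 permit ip 192.168.31.0 0.0.0.255 172.29.4.64 0.0.0.31
"""
HQ_NONAT_ACL = """
access-list 120 deny   ip 192.168.10.0 0.0.0.255 172.29.4.64 0.0.0.31
access-list 120 deny   ip 192.168.31.0 0.0.0.255 172.29.4.64 0.0.0.31
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
access-list 120 permit ip 192.168.31.0 0.0.0.255 any
"""


def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A wildcard) from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    net = ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Return [(action, src_net, dst_net)] for each 'access-list N action ip ...' line."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError("only 'ip' entries are handled here: " + line)
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries


def crypto_pairs(text):
    """Source/destination pairs the crypto ACL declares as interesting traffic."""
    return {(s, d) for a, s, d in parse_acl(text) if a == "permit"}


def exempt_pairs(text, exempt_action="deny"):
    """Pairs kept out of NAT (IOS: the 'deny' lines of the NAT source list)."""
    return {(s, d) for a, s, d in parse_acl(text) if a == exempt_action}


def mirror(pairs):
    """What the peer's crypto ACL must contain: the same pairs, reversed."""
    return {(d, s) for s, d in pairs}


def check_site(crypto_text, nonat_text, peer_crypto_text, exempt_action="deny"):
    """List every interesting-traffic pair that is not mirrored on the peer
    or not exempted from NAT locally. An empty list means both checks pass."""
    problems = []
    local = crypto_pairs(crypto_text)
    peer = crypto_pairs(peer_crypto_text)
    for s, d in sorted(local - mirror(peer), key=str):
        problems.append(f"peer crypto ACL lacks mirror of {s} -> {d}")
    for s, d in sorted(local - exempt_pairs(nonat_text, exempt_action), key=str):
        problems.append(f"NAT exemption missing for {s} -> {d}")
    return problems


if __name__ == "__main__":
    # Branch checked against the HQ ACL that was never updated: one finding.
    for p in check_site(BRANCH_CRYPTO_ACL, BRANCH_NONAT_ACL, HQ_CRYPTO_ACL_OLD):
        print(p)
    # Both sides checked against each other after the HQ fix: no findings.
    print(check_site(BRANCH_CRYPTO_ACL, BRANCH_NONAT_ACL, HQ_CRYPTO_ACL_NEW))
    print(check_site(HQ_CRYPTO_ACL_NEW, HQ_NONAT_ACL, BRANCH_CRYPTO_ACL))
```

Run it against the real ACLs pasted from `show access-list` on each device, once in each direction. One general caveat that does not depend on this script: editing a crypto ACL does not renegotiate an IPsec SA that is already up with the old proxy identities, so after both sides match, clear the existing SA (on IOS, `clear crypto sa`) or wait for its lifetime to expire before retesting.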