13 Replies Latest reply on Apr 7, 2014 9:26 AM by levi

    VPN

    bti2009 New Member

      Any step by step example to set up a VPN between 2 NetVanta 3120 units?  Both locations have a Broadband connection.  Went through the wizard, step by step but it is still not working.  No tunnels are created?  Any help is much appreciated.  Thank you in advance for any information to assist in this setup!

        • Re: VPN
          jayh Hall_of_Fame

          Can you please post the running configuration for both units with passwords and sensitive information redacted?

            • Re: VPN
              bti2009 New Member

               Here are the configs and an excellent "VISIO" for the network..... You be the judge.  Thank you so much for looking at this.  The plan is to get an AVAYA IP phone working at the Braintree site that will connect to an AVAYA IPOffice at the Barouche location through a VPN tunnel created with the NetVanta units.  The Braintree site is the 173.xxx.xxx.xxx location.  We have Verizon FIOS at each location for our Broadband and the 2 NetVanta 3120 units behind the Verizon routers.  Let me know if there are any other questions you have and thank you again for your help!!

                • Re: VPN
                  nativepdx New Member

                  Kevin,

                  You're trying to peer with the FIOS router.  The public IP needs to be on the Adtran.  Can FIOS modems be set to bridge mode?

                  • Re: VPN
                    jayh Hall_of_Fame

                    First and foremost, get rid of the NAT in the Verizon routers ahead of your devices.

                    Insist that Verizon configure their interface to you so that you have public IPs.  Per your "Visio", these would be 173.48.90.144 at Braintree and 72.93.200.194 at Barouche.  This will solve and/or prevent all kinds of strange problems now and in the future.

                    Your crypto policies are also mismatched.

                    At Barouche you are initiating with aggressive mode and responding to aggressive.

                    crypto ike policy 100
                      initiate aggressive
                      respond aggressive
                      local-id fqdn Barouche
                      peer 173.48.90.144
                      attribute 1
                        encryption 3des
                        hash md5
                        authentication pre-share
                    !

                    At Braintree you are initiating main and responding to any.

                    crypto ike policy 100
                      initiate main
                      respond anymode
                      local-id fqdn braintree
                      peer 72.93.200.194
                      attribute 1
                        encryption 3des
                        hash md5
                        authentication pre-share
                    !

                    If interesting traffic starts the tunnel from Braintree it will fail.  Probably best to respond anymode on both sides and make them consistent in terms of initiation.

                    General cleanup:

                    Standardize on capitalization and the like.  Barouche is capitalized and braintree is not.  Fortunately you're consistent here but if you make a typo in one place you will stare-and-compare for a long time and not find it.

                    service password-encryption will hide your passwords from casual eyes.

                    And admin/password isn't a very good choice, nor is 12345 for a pre-shared key outside of a lab environment.

                    Something is really off with your port-forward and interface configuration at Barouche as well. Your WAN interface is set for DHCP.  Crypto and port-forward won't traverse Verizon's NAT unless their port-forward is correctly configured to point to your device, which is subject to change with DHCP.  Yet another reason to get rid of Verizon's NAT.

                    Is the port-forward destination really 198.162.1.210 ?  East Kootenay Community College in Canada?  This really looks like a typo'ed 192.168.1.210 private address.  The whole port-forward configuration just looks wrong, I'm not sure what you're trying to accomplish there.  Probably best to leave it out until you get the crypto working.

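The phase 1 mismatch jayh points out above, as an added example that is not part of the original thread: a small Python checker that parses the two quoted crypto ike policy blocks (constructed here from his snippets, not full device configs) and reports why a tunnel started from one side cannot complete.

```python
# Added example, not from the thread: parse the two AOS 'crypto ike policy'
# blocks jayh quoted and flag the phase 1 mismatch he describes. The policy
# text is constructed from his snippets, not a complete device config.
BAROUCHE = """\
crypto ike policy 100
  initiate aggressive
  respond aggressive
  local-id fqdn Barouche
  peer 173.48.90.144
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!"""
BRAINTREE = """\
crypto ike policy 100
  initiate main
  respond anymode
  local-id fqdn braintree
  peer 72.93.200.194
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!"""
KEYS = ("initiate", "respond", "peer", "encryption", "hash", "authentication")

def parse_ike_policy(text):
    """Collect the settings from one 'crypto ike policy' block into a dict."""
    policy = {}
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] in KEYS:
            policy[words[0]] = words[1]
    return policy

def check_pair(a, b, names=("A", "B")):
    """Return the problems that would stop phase 1 between peers a and b."""
    problems = []
    # Either side may start the tunnel, so the peer must accept the mode
    # that side initiates with ('respond anymode' accepts main or aggressive).
    for init, resp, who in ((a, b, names), (b, a, names[::-1])):
        if resp["respond"] not in ("anymode", init["initiate"]):
            problems.append(f"{who[0]} initiates {init['initiate']} but "
                            f"{who[1]} responds only to {resp['respond']}")
    # The proposal attributes must be identical on both ends.
    for key in ("encryption", "hash", "authentication"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    return problems
```

Running check_pair on the two blocks reports only the Braintree-initiated case; changing Barouche to respond anymode, as jayh suggests, clears it.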
                      • Re: VPN
                        bti2009 New Member

                        Ok, the Verizon routers have static public IPs as shown in the visio (I laugh when I type that).  We will make the changes you have suggested below on the IKE policy and the general cleanup.  Can I disable NAT in the Verizon router myself, or is this something they need to do?  The port forward in the Braintree unit is pointing to the phone system we need to access with the IP phone.  I am not at that location but I can have them remove that.  Thank you again for your help!!

                          • Re: VPN
                            jayh Hall_of_Fame

                            bti2009 wrote:

                            Ok, the Verizon routers have static public IPs as shown in the visio (I laugh when I type that).  We will make the changes you have suggested below on the IKE policy and the general cleanup.  Can I disable NAT in the Verizon router myself, or is this something they need to do?

                            I don't know.  If Verizon owns and manages those routers you'll need to involve them.  I haven't worked much with FIOS.  Perhaps someone else on the forum can help.

                            The port forward in the Braintree unit is pointing to the phone system we need to access with the IP phone.  I am not at that location but I can have them remove that.

                            OK, it's almost certainly a typo in the IP address and the way it's configured doesn't seem to make much sense.  Get your crypto working first and then add it if you need it.

                              • Re: VPN
                                bti2009 New Member

                                Verizon does not manage the router.  I have access to the GUI to make changes.

                                  • Re: VPN
                                    jayh Hall_of_Fame

                                    bti2009 wrote:

                                    Verizon does not manage the router.  I have access to the GUI to make changes.

                                    Go for it then.  If the Verizon handoff ahead of that router is ethernet you might not even need or want that router, just connect the 3120 directly to the public interface from Verizon.  The extra router is another single point of failure in series, and doesn't seem to be doing anything useful.

                                    If on the other hand the Verizon router is the media converter between their fiber network and the interface incoming to it is fiber, then obviously it needs to stay in place.  Configure it as a bridging device without NAT in that case.

                                      • Re: VPN
                                        bti2009 New Member

                                        I think we have all the settings correct in these configs.  Could you look at these and let me know if you see any issues?  The tunnel is still not up.  Thank you!

                                        Kevin English

                                        Project Manager

                                        Blackmount Technologies, Inc.

                                          • Re: VPN
                                            jayh Hall_of_Fame

                                            It looks like you are still doing NAT in the Verizon router.  Reconfigure those on both ends so that you have public IPs from Verizon on the Adtran devices themselves, not 192.168.1.x and 192.168.2.x. 

                                          • Re: VPN
                                            bti2009 New Member

                                            Kevin English

                                            Project Manager

                                            Blackmount Technologies, Inc.

                                              • Re: VPN
                                                mick Visitor

                                                Kevin, your 3120s do not have a public facing IP (e.g. 173.48.90.144) but a private IP (192.168.2.233) which is *not* routable through the Internet.  The rules you have set up will only work if the 3120s have public facing IPs.  The easiest way to achieve this is to set up both of your FIOS modems in fully bridged mode, assuming that the FIOS admin interface offers such an option.

                                                If there is no such facility in the FIOS modems then you might be able to rig something up with the bridge and cross-connect commands, but I am not really sure - raise a ticket with Adtran support to see if it is possible.

                                                Regards,
                                • Re: VPN
                                  levi Employee

                                  bti2009:

                                  I went ahead and flagged this post as "Assumed Answered." If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                                  Thanks,

                                  Levi