cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
bti2009
New Contributor II

VPN

Any step by step example to set up a VPN between 2 NetVanta 3120 units?  Both locations have a Broadband connection.  Went through the wizard, step by step but it is still not working.  No tunnels are created?  Any help is much apprecitated.  Thank you in advance for any information to assist in this setup!

Labels (1)
Tags (2)
13 Replies
jayh
Honored Contributor
Honored Contributor

Re: VPN

Can you please post the running configuration for both units with passwords and sensitive information redacted?

bti2009
New Contributor II

Re: VPN

?Here are the configs and an excellent "VISIO" for the network..... You be the judge.  Thank you so much for looking at this.  The plan is to get an AVAYA IP phone working at the Braintree site that will connect to an AVAYA IPOffice at the Barouche location through a VPN tunnel created with the NetVanta units.  The Braintree site is the 173.xxx.xxx.xxx location.  We have Verizon FIOS at each location for our Broadband and the 2 NetVanta 3120 units behind the Verizon routers.  Let me know if there is any other questions you have and thank you again for your help!!

nativepdx
New Contributor II

Re: VPN

Kevin,

your trying to peer with the FIOS router.  The public IP needs to be on the adtran .  Can FIOS modems be set to bridge mode?

jayh
Honored Contributor
Honored Contributor

Re: VPN

First and foremost, get rid of the NAT in the Verizon routers ahead of your devices.

Insist that Verizon configure their interface to you so that you have public IPs.  Per your "Visio", these would be 173.48.90.144 at Braintree and 72.93.200.194 at Barouche.  This will solve and/or prevent all kinds of strange problems now and in the future.

Your crypto policies are also mismatched.

At Barouche you are initiating with aggressive mode and responding to aggressive.

crypto ike policy 100

  initiate aggressive

  respond aggressive

  local-id fqdn Barouche

  peer 173.48.90.144

  attribute 1

    encryption 3des

    hash md5

    authentication pre-share

!

At Braintree you are initiating main and responding to any.

crypto ike policy 100

  initiate main

  respond anymode

  local-id fqdn braintree

  peer 72.93.200.194

  attribute 1

    encryption 3des

    hash md5

    authentication pre-share

!

If interesting traffic starts the tunnel from Braintree it will fail.  Probably best to respond anymode on both sides and make them consistent in terms of initiation.

General cleanup:

Standardize on capitalization and the like.  Barouche is capitalized and braintree is not.  Fortunately you're consistent here but if you make a typo in one place you will stare-and-compare for a long time and not find it. 

service password-encryption will hide your passwords from casual eyes.

And admin/password isn't a very good choice, nor is 12345 for a pre-shared key outside of a lab environment. 

Something is really off with your port-forward and interface configuration at Barouche as well. Your WAN interface is set for DHCP.  Crypto and port-forward won't traverse Verizon's NAT unless their port-forward is correctly configured to point to your device, which is subject to change with DHCP.  Yet another reason to get rid of Verizon's NAT.

Is the port-forward destination really 198.162.1.210 ?  East Kootenay Community College in Canada?  This really looks like a typo'ed 192.168.1.210 private address.  The whole port-forward configuration just looks wrong, I'm not sure what you're trying to accomplish there.  Probably best to leave it out until you get the crypto working.

bti2009
New Contributor II

Re: VPN

​Ok, the Verizon routers have Static Public IP's as shown in the visio (I laugh when I type that).  We will make the changes you have suggested below on the IKE policy and the general clean up.  Can I disable NAT in the Verizon router myself, or is this something they need to do?  The Port forward in the Braintree unit is pointing to the Phone system we need to access with the IP Phone, I am not at that location but I can have them remove that.  Thank you again for your help!!

jayh
Honored Contributor
Honored Contributor

Re: VPN


bti2009 wrote:



​Ok, the Verizon routers have Static Public IP's as shown in the visio (I laugh when I type that).  We will make the changes you have suggested below on the IKE policy and the general clean up.  Can I disable NAT in the Verizon router myself, or is this something they need to do?


I don't know.  If Verizon owns and manages those routers you'll need to involve them.  I haven't worked much with FIOS.  Perhaps someone else on the forum can help.


The Port forward in the Braintree unit is pointing to the Phone system we need to access with the IP Phone, I am not at that location but I can have them remove that.


OK, it's almost certainly a typo in the IP address and the way it's configured doesn't seem to make much sense.  Get your crypto working first and then add it if you need it.

bti2009
New Contributor II

Re: VPN

?Verizon does not manage the router.  I have access to the GUI to make changes.

jayh
Honored Contributor
Honored Contributor

Re: VPN


bti2009 wrote:



?Verizon does not manage the router.  I have access to the GUI to make changes.



Go for it then.  If the Verizon handoff ahead of that router is ethernet you might not even need or want that router, just connect the 3120 directly to the public interface from Verizon.  The extra router is another single point-of-failure in series, and doesn't seem to be doing anything useful.

If on the other hand the Verizon router is the media converter between their fiber network and the interface incoming to it is fiber, then obviously it needs to stay in place.  Configure it as a bridging device without NAT in that case. 

bti2009
New Contributor II

Re: VPN

?I think we have all the settings correct in these configs.  Could you look at these and let me know if you see any issues?  The tunnel is still not up.  Thank you!

Kevin English

Project Manager

Blackmount Technologies, Inc.

bti2009
New Contributor II

Re: VPN

?

Kevin English

Project Manager

Blackmount Technologies, Inc.

jayh
Honored Contributor
Honored Contributor

Re: VPN

It looks like you are still doing NAT in the Verizon router.  Reconfigure those on both ends so that you have public IPs from Verizon on the Adtran devices themselves, not 192.168.1.x and 192.168.2.x. 

Re: VPN

Kevin, your 3120s do not have a public facing IP (e.g. 173.48.90.144) but a private IP (192.168.2.233) which is *not* routable through the Internet.  The rules you have set up will only work if the 3120s have public facing IPs.  The easiest way to achieve this is to set up both of your FIOS modems into fully bridged mode, assuming that the FIOS admin interface offers such an option.

If there is no such facility in the FIOS modems then you might  be able to rig something up with the bridge and cross-connect commands, but I am not really sure - raise a ticket with Adtran support to see if it is possible.

Regards,

Anonymous
Not applicable

Re: VPN

:

I went ahead and flagged this post as "Assumed Answered." If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Levi