14 Replies Latest reply on Jun 30, 2015 1:32 PM by noor

    Multi Site to Site VPN with 3120s

    wtcguy New Member

I am new to this forum, and hope to get some answers here. I currently have a site-to-site VPN set up with two 3120s. I am trying to add another 3120 to the VPN so that I will have three locations. I need sites A, B, and C to all communicate with each other. I cannot figure out how to connect the third 3120 to the VPN; it will not connect. If I disconnect one of the other sites I can get it to work. Can someone post how this should be set up? I use the GUI to set this up. Thank you.

        • Re: Multi Site to Site VPN with 3120s
          cj! Beta_User

          Hi wtcguy:

           

          Thank you for submitting your question in the Support Community, and welcome!

           

          The guide Configuring a VPN for Multiple Subnets in AOS - Quick Configuration Guide explains some important concepts and includes both GUI and CLI configuration examples.  Additional explanation and guidance may be needed, but it's a great place to start.

           

          Are you trying to set up a mesh so that all three sites have a VPN tunnel to each other (a triangle shape), or will two remote sites connect to a main site (a V shape) and possibly reach from one remote to the other through the main site? Also, do all sites have a static public IP address?

           

          Chris

            • Re: Multi Site to Site VPN with 3120s
              wtcguy New Member

              I am trying to set up a mesh so that the sites have VPN tunnels to each other. I have sites A and B connected but cannot get site C connected to either A or B. I looked at the document you suggested; it discusses setting up multiple subnets, but I need to set up multiple sites. I have been looking for a guide that describes the process, but have been unlucky so far. Any help would be greatly appreciated.

               

              Thank you

                • Re: Multi Site to Site VPN with 3120s
                  cj! Beta_User

                  Got it.  Do all three sites have static public IP addresses?  A related question: are you configuring main mode tunnels or aggressive mode?  Aggressive mode is typically used when one side always initiates the tunnel and the initiator can use a dynamic IP.  One side must have a static IP (not the initiator).

                   

                  You need to have a separate VPN tunnel (crypto map) for each connection; two in each 3120 connecting to the other sites.

                   

                  We can try to provide guidance using the GUI but it may be faster to post your configs to this thread (remove passwords, pre-shared keys, etc. using a text editor first).

                   

                  Chris

                    • Re: Multi Site to Site VPN with 3120s
                      wtcguy New Member

                      Yes, each site has a static IP and they are using main mode.

                        • Re: Multi Site to Site VPN with 3120s
                          cj! Beta_User

                          Okay, for each 3120, you need to configure two VPN tunnels. Both should be static/main mode and use IP addresses for the local and remote IDs. The local ID will be the same for both tunnels (the unit's own public IP address). The remote ID on each tunnel should match the static IP of the respective site's far end. Select the Internet interface to use for both tunnels.

                           

                          Make sure the initiate and respond options and pre-shared key (PSK) are the same for both 3120s terminating a given tunnel, as well as Phase 1 IKE and Phase 2 IPsec encryption attributes and lifetimes.

                           

                          The local network(s) should be the same for both tunnels.  The remote network(s) for a given tunnel should reflect the LAN subnet(s) at the far end.  The local/remote networks setup in 3120s at each end of a tunnel should mirror each other (with local and remote networks flipped).

                           

                          I recommend going over these parameters and being careful that your attributes match properly for each end of the same tunnel. Also be careful not to copy parameters between two tunnels that should be unique (such as remote network, remote ID/peer, and possibly PSK).

                           

                          Let us know how it goes or if you have additional questions!

                           

                          Chris
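                          The checklist in the reply above (one tunnel per remote site, the unit's own public IP as local ID on every tunnel, remote ID equal to the far end's public IP, the same PSK and IKE attributes at both ends, and local/remote selectors that mirror each other) can be checked mechanically before the tunnels are brought up. The script below is an added example, not Adtran code and not Chris's method. `site_config()` renders the VPN sections of a 3120 config from a template that follows the layout of the configs posted later in this thread; `parse_tunnels()` reads those sections back from a saved running-config (top-level commands unindented, sub-commands indented); `check_mesh()` applies the rules above across all sites. The three sample sites, their TEST-NET-3 public addresses, LAN subnets and key names are constructed, and site C is deliberately built with the symptom this thread describes.

```python
"""Consistency check for a full mesh of AOS site-to-site IPsec tunnels.
Added example, not Adtran code; the config template below follows the layout of
the configs posted in this thread. Sites, TEST-NET-3 addresses and keys are
constructed."""
import re

PUB_A, PUB_B, PUB_C = "203.0.113.1", "203.0.113.2", "203.0.113.3"

def site_config(local_ip, local_net, tunnels):
    """Render IKE policy, remote-id, crypto map entry and selector ACL for each
    (peer_ip, psk, remote_net) in `tunnels` (/24 networks assumed)."""
    out = []
    for i, (peer, psk, rnet) in enumerate(tunnels):
        pol, seq = 100 + i, 10 * (i + 1)
        out += [f"crypto ike policy {pol}", "  initiate main", "  respond anymode",
                f"  local-id address {local_ip}", f"  peer {peer}", "  attribute 1",
                "    encryption 3des", "    hash md5", "    authentication pre-share", "!",
                f"crypto ike remote-id address {peer} preshared-key {psk} ike-policy {pol}"
                f" crypto map VPN {seq} no-mode-config no-xauth", "!",
                f"ip crypto map VPN {seq} ipsec-ike", f"  match address ip VPN-{seq}-sel",
                f"  set peer {peer}", "  set transform-set esp-3des-esp-md5-hmac",
                f"  ike-policy {pol}", "!", f"ip access-list extended VPN-{seq}-sel",
                f"  permit ip {local_net} 0.0.0.255  {rnet} 0.0.0.255", "!"]
    return "\n".join(out)

def prefix(wildcard):  # wildcard mask 0.0.0.255 -> prefix length 24
    return 32 - sum(bin(int(o)).count("1") for o in wildcard.split("."))

def parse_tunnels(site, text):
    """One record per crypto map entry, joined with its IKE policy, remote-id
    line and selector ACL; unrelated sections of the config are skipped."""
    policies, remote_ids, maps, acls, cur = {}, {}, {}, {}, None
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("!"):
            continue
        if m := re.match(r"crypto ike policy (\d+)", s):
            cur = policies.setdefault(m[1], {})
        elif m := re.match(r"crypto ike remote-id address (\S+) preshared-key (\S+) ike-policy (\d+)", s):
            remote_ids[m[3]], cur = (m[1], m[2]), None
        elif m := re.match(r"ip crypto map \S+ (\d+) ipsec-ike", s):
            cur = maps.setdefault(m[1], {})
        elif m := re.match(r"ip access-list extended (\S+)", s):
            cur = acls.setdefault(m[1], [])
        elif not line.startswith(" "):
            cur = None  # other top-level command: ignore it and its sub-lines
        elif isinstance(cur, list):
            if m := re.match(r"permit ip (\S+) (\S+)\s+(\S+) (\S+)", s):
                cur.append((f"{m[1]}/{prefix(m[2])}", f"{m[3]}/{prefix(m[4])}"))
        elif cur is not None:
            if m := re.match(r"(local-id address|peer|encryption|hash|match address ip|set peer|ike-policy) (\S+)", s):
                cur[m[1]] = m[2]
    records = []
    for seq, mp in maps.items():
        pol = policies.get(mp.get("ike-policy"), {})
        remote_id, psk = remote_ids.get(mp.get("ike-policy"), ("", ""))
        records.append({"site": site, "seq": seq, "peer": mp.get("set peer", ""),
                        "local_id": pol.get("local-id address", ""), "remote_id": remote_id,
                        "psk": psk, "ike": (pol.get("encryption"), pol.get("hash")),
                        "selectors": set(acls.get(mp.get("match address ip"), []))})
    return records

def check_mesh(configs):
    """configs: {site: config_text}. Returns problem strings; [] means every
    pair of sites has a tunnel in each direction and the two ends mirror."""
    tunnels = {site: parse_tunnels(site, text) for site, text in configs.items()}
    public, problems = {}, []
    for site, ts in tunnels.items():
        ids = {t["local_id"] for t in ts}
        if len(ids) != 1:
            problems.append(f"{site}: local-id should be the unit's own public IP on every tunnel, got {sorted(ids)}")
        public[site] = next(iter(ids), "")
    for site, ts in tunnels.items():
        for other, ip in public.items():
            if other == site:
                continue
            mine = [t for t in ts if t["peer"] == ip]
            if not mine:
                problems.append(f"{site}: no tunnel to {other} ({ip})")
                continue
            t, tag = mine[0], f"{site} map {mine[0]['seq']} -> {other}"
            if t["remote_id"] != ip:
                problems.append(f"{tag}: remote-id {t['remote_id']} does not match peer {ip}")
            far = [u for u in tunnels[other] if u["peer"] == public[site]]
            if not far or site > other:  # missing far end is reported from that side; pair checks run once
                continue
            u = far[0]
            if u["psk"] != t["psk"]:
                problems.append(f"{tag}: pre-shared key differs from {other} map {u['seq']}")
            if u["ike"] != t["ike"]:
                problems.append(f"{tag}: IKE encryption/hash differs from {other} map {u['seq']}")
            if {(r, l) for l, r in u["selectors"]} != t["selectors"]:
                problems.append(f"{tag}: selectors are not the mirror of {other} map {u['seq']}")
    return problems

# Constructed three-site mesh reproducing the thread's symptom: site C has a
# tunnel to B only, and that entry was copied from B's config without flipping
# the selector or using the C<->B key.
SAMPLE = {
    "SiteA": site_config(PUB_A, "192.168.10.0", [(PUB_B, "KEY-AB", "192.168.20.0"), (PUB_C, "KEY-AC", "192.168.30.0")]),
    "SiteB": site_config(PUB_B, "192.168.20.0", [(PUB_A, "KEY-AB", "192.168.10.0"), (PUB_C, "KEY-BC", "192.168.30.0")]),
    "SiteC": site_config(PUB_C, "192.168.30.0", [(PUB_B, "KEY-AB", "192.168.10.0")]),
}
```

Running `check_mesh(SAMPLE)` reports three findings: site B's tunnel to C has a different pre-shared key than C's tunnel to B, the selectors on that pair are not mirror images, and site C has no tunnel to site A at all. Giving site C its own two tunnels (one per remote site, with the mirrored selectors and the matching keys) makes the list empty. The parser only keeps the fields the checklist needs, so it can be pointed at the redacted running-configs posted in this thread once the masked addresses are filled in consistently.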

                            • Re: Multi Site to Site VPN with 3120s
                              wtcguy New Member

                              Here are the config files. The first one does not connect to the second config file's site; the second config connects to the third but will not connect to the first config file's site.

                               

                              FIRST CONFIG FILE

                               

                              !
                              !
                              ! ADTRAN OS version R10.9.6.E
                              ! Boot ROM version 17.01.01.00
                              ! Platform: NetVanta 3120, part number 1700601G2
                              ! Serial number LBADTN1204AG137
                              !
                              !
                              hostname "NetVanta3120"
                              enable password XXXXXXXX
                              !
                              clock timezone -5-Eastern-Time
                              !
                              ip subnet-zero
                              ip classless
                              ip default-gateway 192.168.20.26
                              ip routing
                              host "XXXXXX.XXXXX.XXX" 192.168.1.10
                              host "XXXXXX.XXXXX.XXX" 192.168.20.10
                              domain-proxy
                              name-server 192.168.30.26 8.8.8.8
                              !
                              !
                              no auto-config
                              !
                              event-history on
                              no logging forwarding
                              logging forwarding priority-level info
                              no logging email
                              !
                              no service password-encryption
                              !
                              username "admin" password "XXXXXXX"
                              !
                              !
                              ip firewall
                              no ip firewall alg msn
                              no ip firewall alg mszone
                              no ip firewall alg h323
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              no dot11ap access-point-control
                              !
                              !
                              !
                              !
                              !
                              ip dhcp excluded-address 192.168.20.1 192.168.20.199
                              !
                              ip dhcp pool "Private"
                                network 192.168.30.0 255.255.255.0
                                dns-server 8.8.8.8 8.8.4.4
                                netbios-node-type h-node
                                default-router 192.168.30.26
                              !
                              !
                              !
                              ip crypto
                              !
                              crypto ike policy 100
                                initiate main
                                respond anymode
                                local-id address XXX.199.182.138
                                peer XXX.13.33.201
                                attribute 1
                                  encryption 3des
                                  hash md5
                                  authentication pre-share
                              !
                              crypto ike remote-id address XXX.13.33.201 preshared-key XXXXXXXX ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
                              !
                              ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
                                mode tunnel
                              !
                              ip crypto map VPN 10 ipsec-ike
                                description Pitt
                                match address ip VPN-10-vpn-selectors8
                                set peer XXX.13.33.201
                                set transform-set esp-3des-esp-md5-hmac
                                ike-policy 100
                              !
                              !
                              !
                              !
                              vlan 1
                                name "Default"
                              !
                              !
                              interface eth 0/1
                                ip address  XX.199.182.138  255.255.255.0
                                ip access-policy Public
                                ip crypto map VPN
                                no shutdown
                                no lldp send-and-receive
                              !
                              !
                              interface switchport 0/1
                                no shutdown
                              !
                              interface switchport 0/2
                                no shutdown
                              !
                              interface switchport 0/3
                                no shutdown
                              !
                              interface switchport 0/4
                                no shutdown
                              !
                              !
                              !
                              interface vlan 1
                                ip address  192.168.30.26  255.255.255.0
                                ip access-policy Private
                                no shutdown
                              !
                              !
                              !
                              !
                              ip access-list standard wizard-ics
                                remark Internet Connection Sharing
                                permit any
                              !
                              !
                              ip access-list extended self
                                remark Traffic to UNIT
                                permit ip any  any     log
                              !
                              ip access-list extended VPN-10-vpn-selectors8
                                permit ip 192.168.30.0 0.0.0.255  192.168.1.0 0.0.0.255   
                              !
                              ip access-list extended web-acl-10
                                remark IPEDGE Net Request
                                permit tcp any  host XX.199.182.138 eq 4029   log
                              !
                              ip access-list extended web-acl-11
                                remark LAN BLF
                                permit tcp any  host XX.199.182.138 eq 6000   log
                              !
                              ip access-list extended web-acl-12
                                remark EM HTTP
                                permit tcp any  host XX.199.182.138 eq 8080   log
                              !
                              ip access-list extended web-acl-13
                                remark EM HTTPS 2
                                permit tcp any  host XX.199.182.138 eq 9443   log
                              !
                              ip access-list extended web-acl-14
                                remark Webmin
                                permit tcp any  host XX.199.182.138 eq 10000   log
                              !
                              ip access-list extended web-acl-15
                                remark IPEDGE Net Connection
                                permit tcp any  host XX.199.182.138 range 12000 13791   log
                              !
                              ip access-list extended web-acl-16
                                remark IPEDGE Net Node to Node
                                permit tcp any  host XX.199.182.138 range 16000 19999   log
                              !
                              ip access-list extended web-acl-17
                                remark Remote APP
                                permit tcp any  host XX.199.182.138 eq 90   log
                              !
                              ip access-list extended web-acl-18
                                remark Message Access
                                permit tcp any  host XX.199.182.138 eq 42507   log
                              !
                              ip access-list extended web-acl-19
                                remark SIP
                                permit udp any  host XX.199.182.138 eq 5060    log
                              !
                              ip access-list extended web-acl-20
                                remark HTTPS
                                permit tcp any  host XX.199.182.138 eq https   log
                              !
                              ip access-list extended web-acl-21
                                remark XMPP Client 1
                                permit tcp any  host XX.199.182.138 eq 5222   log
                              !
                              ip access-list extended web-acl-22
                                remark XMPP Server
                                permit tcp any  host XX.199.182.138 eq 5269   log
                              !
                              ip access-list extended web-acl-23
                                remark XMPP Client 2
                                permit tcp any  host XX.199.182.138 eq 5280   log
                              !
                              ip access-list extended web-acl-24
                                remark Net Server
                                permit tcp any  host XX.199.182.138 range 8767 8768   log
                              !
                              ip access-list extended web-acl-25
                                remark SNMP
                                permit udp any  host XX.199.182.138 eq snmp    log
                              !
                              ip access-list extended web-acl-4
                                remark Remote IPT Registration
                                permit udp any  host XX.199.182.138 range 1718 1719    log
                              !
                              ip access-list extended web-acl-5
                                remark Remtoe IPT Megaco
                                permit tcp any  host XX.199.182.138 eq 2944   log
                              !
                              ip access-list extended web-acl-6
                                remark Remote IP Audio
                                permit udp any  host XX.199.182.138 range 21000 26999    log
                              !
                              ip access-list extended web-acl-7
                                remark Redirects to 8080
                                permit tcp any  host XX.199.182.138 eq www   log
                              !
                              ip access-list extended web-acl-8
                                remark SMDI
                                permit tcp any  host XX.199.182.138 eq 1000   log
                              !
                              ip access-list extended web-acl-9
                                remark LAN DSS Survive
                                permit tcp any  host XX.199.182.138 range 3000 3001   log
                              !
                              !
                              !
                              ip policy-class Private
                                allow list VPN-10-vpn-selectors8 stateless
                                allow list self self
                                nat source list wizard-ics interface eth 0/1 overload
                              !
                              ip policy-class Public
                                allow reverse list VPN-10-vpn-selectors8 stateless
                                nat destination list web-acl-4 address 192.168.20.10
                                nat destination list web-acl-5 address 192.168.20.10
                                nat destination list web-acl-6 address 192.168.20.10
                                nat destination list web-acl-7 address 192.168.20.10
                                nat destination list web-acl-8 address 192.168.20.10
                                nat destination list web-acl-9 address 192.168.20.10
                                nat destination list web-acl-10 address 192.168.20.10
                                nat destination list web-acl-11 address 192.168.20.10
                                nat destination list web-acl-12 address 192.168.20.10
                                nat destination list web-acl-13 address 192.168.20.10
                                nat destination list web-acl-14 address 192.168.20.10
                                nat destination list web-acl-15 address 192.168.20.10
                                nat destination list web-acl-16 address 192.168.20.10
                                nat destination list web-acl-17 address 192.168.20.10
                                nat destination list web-acl-18 address 192.168.20.10
                                nat destination list web-acl-19 address 192.168.20.10
                                nat destination list web-acl-20 address 192.168.20.10
                                nat destination list web-acl-21 address 192.168.20.10
                                nat destination list web-acl-22 address 192.168.20.10
                                nat destination list web-acl-23 address 192.168.20.10
                                nat destination list web-acl-24 address 192.168.20.10
                                nat destination list web-acl-25 address 192.168.20.10
                              !
                              !
                              ip route 0.0.0.0 0.0.0.0 XX.199.182.142
                              !
                              no tftp server
                              no tftp server overwrite
                              http server
                              http secure-server
                              no snmp agent
                              no ip ftp server
                              ip ftp server default-filesystem flash
                              no ip scp server
                              no ip sntp server
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              sip udp 5060
                              sip tcp 5060
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              line con 0
                                no login
                              !
                              line telnet 0 4
                                login local-userlist
                                password password
                                no shutdown
                              line ssh 0 4
                                login local-userlist
                                no shutdown
                              !
                              !
                              ntp source ethernet 0/1
                              ntp server 0.pool.ntp.org source ethernet 0/1
                              ntp server 1.pool.ntp.org source ethernet 0/1
                              ntp server 2.pool.ntp.org
                              !
                              !
                              !
                              !
                              !
                              end

                               

                              SECOND CONFIG FILE

                               

                              !
                              !
                              ! ADTRAN OS version R10.9.6.E
                              ! Boot ROM version 17.01.01.00
                              ! Platform: NetVanta 3120, part number 1700601G2
                              ! Serial number LBADTN1204AG320
                              !
                              !
                              hostname "NetVanta3120"
                              enable password encrypted 151e9429764620329e6863024e9ed77e8626
                              !
                              clock timezone -5-Eastern-Time
                              !
                              ip subnet-zero
                              ip classless
                              ip routing
                              host "XXX.XXXXXXX.XXX" 192.168.1.10
                              host "xxx.xxxxxx.xxx" 192.168.20.10
                              domain-proxy
                              name-server 208.67.220.220 208.67.221.221
                              !
                              !
                              no auto-config
                              !
                              no event-history
                              no logging forwarding
                              no logging console
                              logging forwarding priority-level info
                              no logging email
                              !
                              service password-encryption
                              !
                              username "XXXXX" password encrypted "XXXXXX"
                              username "XXXXX" password encrypted "XXXXXX"
                              username "XXXXX" password encrypted "XXXXXX"
                              !
                              !
                              ip firewall
                              no ip firewall alg msn
                              no ip firewall alg mszone
                              no ip firewall alg h323
                              no ip firewall alg sip
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              no dot11ap access-point-control
                              !
                              !
                              !
                              !
                              !
                              ip dhcp excluded-address 192.168.1.1 192.168.1.199
                              !
                              ip dhcp pool "Private"
                                network 192.168.1.0 255.255.255.0
                                dns-server 8.8.8.8 8.8.4.4
                                netbios-node-type h-node
                                default-router 192.168.1.26
                              !
                              !
                              !
                              ip crypto
                              !
                              crypto ike policy 100
                                initiate main
                                respond anymode
                                local-id address XXX.13.33.201
                                peer XX.176.216.29
                                attribute 1
                                  encryption 3des
                                  hash md5
                                  authentication pre-share
                              !
                              crypto ike policy 101
                                initiate main
                                respond anymode
                                local-id address XXX.13.33.201
                                peer XX.199.182.138
                                attribute 1
                                  encryption 3des
                                  hash md5
                                  authentication pre-share
                              !
                              crypto ike remote-id address XXX.199.182.138 preshared-key XXXXXXX ike-policy 101 crypto map VPN 20 no-mode-config no-xauth
                              crypto ike remote-id address XXX.176.216.29 preshared-key XXXXXXX ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
                              !
                              ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
                                mode tunnel
                              !
                              ip crypto map VPN 10 ipsec-ike
                                description NetVanta3120
                                match address ip VPN-10-vpn-selectors2
                                set peer XXX.176.216.29
                                set transform-set esp-3des-esp-md5-hmac
                                ike-policy 100
                              ip crypto map VPN 20 ipsec-ike
                                description Pitt
                                match address ip VPN-20-vpn-selectors
                                set peer XXX.199.182.138
                                set transform-set esp-3des-esp-md5-hmac
                                ike-policy 101
                              !
                              !
                              !
                              !
                              vlan 1
                                name "Default"
                              !
                              !
                              interface eth 0/1
                                speed 100
                                ip address  XXX.13.33.201  255.255.255.248
                                ip access-policy Public
                                ip crypto map VPN
                                no rtp quality-monitoring
                                no awcp
                                no shutdown
                                no lldp send-and-receive
                              !
                              !
                              interface switchport 0/1
                                no shutdown
                              !
                              interface switchport 0/2
                                no shutdown
                              !
                              interface switchport 0/3
                                no shutdown
                              !
                              interface switchport 0/4
                                no shutdown
                              !
                              !
                              !
                              interface vlan 1
                                ip address  192.168.1.26  255.255.255.0
                                ip access-policy Private
                                no rtp quality-monitoring
                                no awcp
                                no shutdown
                              !
                              interface ppp 1
                                no shutdown
                              !
                              !
                              !
                              !
                              ip access-list standard wizard-ics
                                remark Internet Connection Sharing
                                permit any
                              !
                              !
                              ip access-list extended self
                                remark Traffic to NetVanta
                                permit ip any  any     log
                              !
                              ip access-list extended VPN-10-vpn-selectors2
                                permit ip 192.168.1.0 0.0.0.255  192.168.20.0 0.0.0.255   
                              !
                              ip access-list extended VPN-20-vpn-selectors
                                permit ip 192.168.1.0 0.0.0.255  192.168.30.0 0.0.0.255   
                              !
                              ip access-list extended web-acl-10
                                remark Remote IPT Audio-21000-26999
                                permit udp any  host XXX.13.33.201 range 21000 26999    log
                              !
                              ip access-list extended web-acl-12
                                remark SMDI-1000
                                permit tcp any  host XXX.13.33.201 eq 1000   log
                              !
                              ip access-list extended web-acl-13
                                remark LAN DSS and Survive-3000-3001
                                permit udp any  host XXX.13.33.201 range 3000 3001    log
                              !
                              ip access-list extended web-acl-14
                                remark IPEDGE Net Request-4029
                                permit tcp any  host XXX.13.33.201 eq 4029   log
                              !
                              ip access-list extended web-acl-15
                                remark LAN BLF-6000
                                permit tcp any  host XXX.13.33.201 eq 6000   log
                              !
                              ip access-list extended web-acl-16
                                remark EM HTTPS-8080
                                permit tcp any  host XXX.13.33.201 eq 8080   log
                              !
                              ip access-list extended web-acl-17
                                remark EM HTTPS-9443
                                permit tcp any  host XXX.13.33.201 eq 9443   log
                              !
                              ip access-list extended web-acl-18
                                remark Webmin-10000
                                permit tcp any  host XXX.13.33.201 eq 10000   log
                              !
                              ip access-list extended web-acl-19
                                remark IPedge Net Node to Node-16000-19999
                                permit tcp any  host XXX.13.33.201 range 16000 19999   log
                              !
                              ip access-list extended web-acl-20
                                remark Mobile App-90
                                permit tcp any  host XXX.13.33.201 eq 90   log
                              !
                              ip access-list extended web-acl-21
                                remark Messaging access UCEdge-42507
                                permit tcp any  host XXX.13.33.201 eq 42507   log
                              !
                              ip access-list extended web-acl-23
                                remark HTTPS-443
                                permit tcp any  host XXX.13.33.201 eq https   log
                              !
                              ip access-list extended web-acl-24
                                remark XMPP Client 1-5222
                                deny   tcp any  host XXX.13.33.201 eq 5222   log
                              !
                              ip access-list extended web-acl-25
                                remark XMPP Server-5269
                                deny   tcp any  host XXX.13.33.201 eq 5269   log
                              !
                              ip access-list extended web-acl-26
                                remark XMPP Client 2-5280
                                permit tcp any  host XXX.13.33.201 eq 5280   log
                              !
                              ip access-list extended web-acl-27
                                remark Net Server-8767-8768
                                permit tcp any  host XXX.13.33.201 range 8767 8768   log
                              !
                              ip access-list extended web-acl-28
                                remark SNMP-161
                                permit udp any  host XXX.13.33.201 eq snmp    log
                              !
                              ip access-list extended web-acl-29
                                remark Meeting-8444
                                permit tcp any  host XXX.13.33.201 eq 8444   log
                              !
                              ip access-list extended web-acl-30
                                remark 1. FonLinkHUD-5269
                                permit tcp any  any eq 5269   log
                              !
                              ip access-list extended web-acl-31
                                remark 1. FonHUD3-5222
                                permit tcp any  any eq 5222   log
                              !
                              ip access-list extended web-acl-32
                                remark 1. FonLink-4569
                                permit udp any  any eq 4569    log
                              !
                              ip access-list extended web-acl-37
                                remark 1. FonCall Setup-UDP-5060
                                permit udp any  any eq 5060    log
                              !
                              ip access-list extended web-acl-38
                                remark Redirects to 8080
                                permit tcp any  host XXX.13.33.201 eq www   log
                              !
                              ip access-list extended web-acl-39
                                remark Remote IPT Registration-1718-1719
                                permit udp any  any range 1718 1719    log
                              !
                              ip access-list extended web-acl-40
                                 remark 1. Fon RTP Voice Traffic 10000-15999
                                permit udp any  any range 10000 15999    log
                              !
                              ip access-list extended web-acl-9
                                remark Remote IPT Megaco-2944
                                permit tcp any  host XXX.13.33.201 eq 2944   log
                              !
                              !
                              !
                              ip policy-class Private
                                allow list VPN-20-vpn-selectors stateless
                                allow list VPN-10-vpn-selectors2 stateless
                                allow list self self
                                nat source list wizard-ics interface eth 0/1 overload
                              !
                              ip policy-class Public
                                allow reverse list VPN-20-vpn-selectors stateless
                                allow reverse list VPN-10-vpn-selectors2 stateless
                                nat destination list web-acl-40 address 192.168.1.23
                                nat destination list web-acl-37 address 192.168.1.10
                                nat destination list web-acl-32 address 192.168.1.23
                                nat destination list web-acl-30 address 192.168.1.23
                                nat destination list web-acl-25 address 192.168.1.10
                                nat destination list web-acl-31 address 192.168.1.23
                                nat destination list web-acl-24 address 192.168.1.10
                                nat destination list web-acl-26 address 192.168.1.10
                                nat destination list web-acl-9 address 192.168.1.10
                                nat destination list web-acl-10 address 192.168.1.10
                                nat destination list web-acl-39 address 192.168.1.10
                                nat destination list web-acl-12 address 192.168.1.10
                                nat destination list web-acl-13 address 192.168.1.10
                                nat destination list web-acl-14 address 192.168.1.10
                                nat destination list web-acl-15 address 192.168.1.10
                                nat destination list web-acl-38 address 192.168.1.10
                                nat destination list web-acl-16 address 192.168.1.10
                                nat destination list web-acl-17 address 192.168.1.10
                                nat destination list web-acl-23 address 192.168.1.10
                                nat destination list web-acl-18 address 192.168.1.10
                                nat destination list web-acl-19 address 192.168.1.10
                                nat destination list web-acl-28 address 192.168.1.10
                                nat destination list web-acl-20 address 192.168.1.10
                                nat destination list web-acl-21 address 192.168.1.10
                                nat destination list web-acl-27 address 192.168.1.10
                                nat destination list web-acl-29 address 192.168.1.10
                              !
                              !
                              ip route 0.0.0.0 0.0.0.0 XXX.13.33.206
                              !
                              no tftp server
                              no tftp server overwrite
                              http server
                              http secure-server
                              no snmp agent
                              no ip ftp server
                              ip ftp server default-filesystem flash
                              no ip scp server
                              no ip sntp server
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              sip udp 5060
                              sip tcp 5060
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              line con 0
                                login
                              !
                              line telnet 0 4
                                login local-userlist
                                password encrypted 1810d9a74d50ae8ffc59b58965b5818d829a
                                no shutdown
                              line ssh 0 4
                                login local-userlist
                                shutdown
                              !
                              !
                              ntp source ethernet 0/1
                              ntp server 0.pool.ntp.org source ethernet 0/1
                              ntp server 1.pool.ntp.org source ethernet 0/1
                              ntp server 2.pool.ntp.org
                              ntp server 3.pool.ntp.org
                              !
                              !
                              !
                              !
                              !
                              end

                               

                              THIRD CONFIG FILE

                               

                              !
                              !
                              ! ADTRAN OS version R10.9.6.E
                              ! Boot ROM version 17.01.01.00
                              ! Platform: NetVanta 3120, part number 1700601G2
                              ! Serial number LBADTN1223AK109
                              !
                              !
                              hostname "NetVanta3120"
                              enable password XXXXX
                              !
                              clock timezone -5-Eastern-Time
                              !
                              ip subnet-zero
                              ip classless
                              ip default-gateway 192.168.20.26
                              ip routing
                              host "XXXXXX.XXXXX.XXX" 192.168.1.10
                              host "XXXXXX.XXXXX.XXX" 192.168.20.10
                              domain-proxy
                              name-server 208.67.220.220 208.67.221.221
                              !
                              !
                              no auto-config
                              !
                              event-history on
                              no logging forwarding
                              logging forwarding priority-level info
                              no logging email
                              !
                              no service password-encryption
                              !
                              username "XXXX" password "XXXXXX"
                              username "XXXX" password "XXXXXXX"
                              !
                              !
                              ip firewall
                              no ip firewall alg msn
                              no ip firewall alg mszone
                              no ip firewall alg h323
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              no dot11ap access-point-control
                              !
                              !
                              !
                              !
                              !
                              ip dhcp excluded-address 192.168.20.1 192.168.20.199
                              !
                              ip dhcp pool "Private"
                                network 192.168.20.0 255.255.255.0
                                dns-server 8.8.8.8 8.8.4.4
                                netbios-node-type h-node
                                default-router 192.168.20.26
                              !
                              !
                              !
                              ip crypto
                              !
                              crypto ike policy 100
                                initiate main
                                respond anymode
                                local-id address XXX.176.216.29
                                peer XXX.13.33.201
                                attribute 1
                                  encryption 3des
                                  hash md5
                                  authentication pre-share
                              !
                              crypto ike remote-id address XXX.13.33.201 preshared-key XXXXXXXXX ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
                              !
                              ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
                                mode tunnel
                              !
                              ip crypto map VPN 10 ipsec-ike
                                description NetVanta3120
                                match address ip VPN-10-vpn-selectors1
                                set peer XXX.13.33.201
                                set transform-set esp-3des-esp-md5-hmac
                                ike-policy 100
                              !
                              !
                              !
                              !
                              vlan 1
                                name "Default"
                              !
                              !
                              interface eth 0/1
                                ip address  XXX.176.216.29  255.255.255.0
                                ip access-policy Public
                                ip crypto map VPN
                                no shutdown
                                no lldp send-and-receive
                              !
                              !
                              interface switchport 0/1
                                no shutdown
                              !
                              interface switchport 0/2
                                no shutdown
                              !
                              interface switchport 0/3
                                no shutdown
                              !
                              interface switchport 0/4
                                no shutdown
                              !
                              !
                              !
                              interface vlan 1
                                ip address  192.168.20.26  255.255.255.0
                                ip access-policy Private
                                no shutdown
                              !
                              !
                              !
                              !
                              ip access-list standard wizard-ics
                                remark Internet Connection Sharing
                                permit any
                              !
                              !
                              ip access-list extended self
                                remark Traffic to UNIT
                                permit ip any  any     log
                              !
                              ip access-list extended VPN-10-vpn-selectors1
                                permit ip 192.168.20.0 0.0.0.255  192.168.1.0 0.0.0.255   
                                permit ip 192.168.20.0 0.0.0.255  192.168.30.0 0.0.0.255   
                              !
                              ip access-list extended web-acl-10
                                remark IPEDGE Net Request-4029
                                permit tcp any  host XXX.176.216.29 eq 4029   log
                              !
                              ip access-list extended web-acl-11
                                remark LAN BLF-6000
                                permit tcp any  host XXX.176.216.29 eq 6000   log
                              !
                              ip access-list extended web-acl-12
                                remark EM HTTPS-8080
                                permit tcp any  host XXX.176.216.29 eq 8080   log
                              !
                              ip access-list extended web-acl-13
                                remark EM HTTPS-9443
                                permit tcp any  host XXX.176.216.29 eq 9443   log
                              !
                              ip access-list extended web-acl-14
                                remark Webmin-10000
                                permit tcp any  host XXX.176.216.29 eq 10000   log
                              !
                              ip access-list extended web-acl-17
                                remark Remote APP
                                permit tcp any  host XXX.176.216.29 eq 90   log
                              !
                              ip access-list extended web-acl-18
                                remark Messaging access UCEdge-42507
                                permit tcp any  host XXX.176.216.29 eq 42507   log
                              !
                              ip access-list extended web-acl-20
                                remark HTTPS-443
                                permit tcp any  host XXX.176.216.29 eq https   log
                              !
                              ip access-list extended web-acl-23
                                remark XMPP Client 2-5280
                                permit tcp any  host XXX.176.216.29 eq 5280   log
                              !
                              ip access-list extended web-acl-24
                                remark Net Server-8767-8768
                                permit tcp any  host XXX.176.216.29 range 8767 8768   log
                              !
                              ip access-list extended web-acl-25
                                remark SNMP-161
                                permit udp any  host XXX.176.216.29 eq snmp    log
                              !
                              ip access-list extended web-acl-26
                                 remark 1. Fon RTP Voice Traffic 10000-20000
                                permit udp any  host XXX.176.216.29 range 10000 20000    log
                              !
                              ip access-list extended web-acl-27
                                remark 1. FonCall Setup-UDP-5060
                                permit udp any  host XXX.176.216.29 eq 5060    log
                              !
                              ip access-list extended web-acl-28
                                remark 1. FonLinkHUD-5269
                                permit tcp any  any eq 5269   log
                              !
                              ip access-list extended web-acl-29
                                remark 1. FonHUD3-5222
                                permit tcp any  any eq 5222   log
                              !
                              ip access-list extended web-acl-30
                                remark 1. FonLink-4569
                                permit tcp any  any eq 4569   log
                              !
                              ip access-list extended web-acl-4
                                remark Remote IPT Registration-1718-1719
                                permit udp any  host XXX.176.216.29 range 1718 1719    log
                              !
                              ip access-list extended web-acl-5
                                 remark Remote IPT Megaco-2944
                                permit tcp any  host XXX.176.216.29 eq 2944   log
                              !
                              ip access-list extended web-acl-6
                                remark Remote IP Audio-21000-26999
                                permit udp any  host XXX.176.216.29 range 21000 26999    log
                              !
                              ip access-list extended web-acl-7
                                remark Redirects to 8080
                                permit tcp any  host XXX.176.216.29 eq www   log
                              !
                              ip access-list extended web-acl-8
                                remark SMDI-1000
                                permit tcp any  host XXX.176.216.29 eq 1000   log
                              !
                              ip access-list extended web-acl-9
                                remark LAN DSS and Survive-3000-3001
                                permit tcp any  host XXX.176.216.29 range 3000 3001   log
                              !
                              !
                              !
                              ip policy-class Private
                                allow list VPN-10-vpn-selectors1 stateless
                                allow list self self
                                nat source list wizard-ics interface eth 0/1 overload
                              !
                              ip policy-class Public
                                allow reverse list VPN-10-vpn-selectors1 stateless
                                nat destination list web-acl-26 address 192.168.20.7
                                nat destination list web-acl-27 address 192.168.20.7
                                nat destination list web-acl-30 address 192.168.20.7
                                nat destination list web-acl-28 address 192.168.20.7
                                nat destination list web-acl-29 address 192.168.20.7
                                nat destination list web-acl-23 address 192.168.20.10
                                nat destination list web-acl-5 address 192.168.20.10
                                nat destination list web-acl-6 address 192.168.20.10
                                nat destination list web-acl-4 address 192.168.20.10
                                nat destination list web-acl-8 address 192.168.20.10
                                nat destination list web-acl-9 address 192.168.20.10
                                nat destination list web-acl-10 address 192.168.20.10
                                nat destination list web-acl-11 address 192.168.20.10
                                nat destination list web-acl-7 address 192.168.20.10
                                nat destination list web-acl-12 address 192.168.20.10
                                nat destination list web-acl-13 address 192.168.20.10
                                nat destination list web-acl-20 address 192.168.20.10
                                nat destination list web-acl-14 address 192.168.20.10
                                nat destination list web-acl-17 address 192.168.20.10
                                nat destination list web-acl-25 address 192.168.20.10
                                nat destination list web-acl-18 address 192.168.20.10
                                nat destination list web-acl-24 address 192.168.20.10
                              !
                              !
                              ip route 0.0.0.0 0.0.0.0 XXX.176.216.1
                              !
                              no tftp server
                              no tftp server overwrite
                              http server
                              http secure-server
                              no snmp agent
                              no ip ftp server
                              ip ftp server default-filesystem flash
                              no ip scp server
                              no ip sntp server
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              sip udp 5060
                              sip tcp 5060
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              !
                              line con 0
                                no login
                              !
                              line telnet 0 4
                                login local-userlist
                                password password
                                no shutdown
                              line ssh 0 4
                                login local-userlist
                                no shutdown
                              !
                              !
                              ntp source ethernet 0/1
                              ntp server 0.pool.ntp.org source ethernet 0/1
                              ntp server 1.pool.ntp.org source ethernet 0/1
                              ntp server 2.pool.ntp.org
                              !
                              !
                              !
                              !
                              !
                              end

                              • Re: Multi Site to Site VPN with 3120s
                                mick Visitor

                                Only to add that if you are using SSL certificates instead of PSK, you will have to use the same CA certificate for all peers.

                                 

                                PS. Our posts crossed over.  Only the second configuration has entries for both of the other two peers.  You need to repeat the same for configuration one and configuration three.

                                PPS.  You probably want to edit your post and remove the passwords and user names.

                                --

                                Regards,

                                Mick
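
                                 As an added example (not from the original post, and not ADTRAN's own documentation), this is what the missing second tunnel would look like on the third config, site C, following the pattern the second config already uses: a second `crypto ike policy`, a second `crypto ike remote-id`, and a second entry (20) in the single `ip crypto map VPN` that is already bound to eth 0/1, so the interface needs no change. Site A's public address is not visible in the thread, so `A.A.A.A` is a placeholder, and treating 192.168.30.0/24 as site A's LAN is an assumption drawn from the existing selector on config three that currently sends 192.168.20.0 -> 192.168.30.0 traffic through site B.

```text
! Added example: direct tunnel from site C (XXX.176.216.29) to site A.
! A.A.A.A is a placeholder for site A's public address (not in the thread).
! 192.168.30.0/24 as site A's LAN is an assumption taken from the existing
! VPN-10-vpn-selectors1 list on this unit.
!
crypto ike policy 200
  initiate main
  respond anymode
  local-id address XXX.176.216.29
  peer A.A.A.A
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
! One pre-shared key per peer pair; this value must match what site A
! configures for peer XXX.176.216.29.
crypto ike remote-id address A.A.A.A preshared-key KEY-FOR-SITE-A ike-policy 200 crypto map VPN 20 no-mode-config no-xauth
!
ip crypto map VPN 20 ipsec-ike
  description Site-A
  match address ip VPN-20-vpn-selectors
  set peer A.A.A.A
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 200
!
! Site A traffic must match entry 20, not the hub tunnel in entry 10, so the
! 192.168.30.0 line moves out of the old selector list. Each subnet pair
! should appear in exactly one crypto map entry; the lowest-numbered match wins.
ip access-list extended VPN-10-vpn-selectors1
  no permit ip 192.168.20.0 0.0.0.255  192.168.30.0 0.0.0.255
!
ip access-list extended VPN-20-vpn-selectors
  permit ip 192.168.20.0 0.0.0.255  192.168.30.0 0.0.0.255
!
! Firewall: pass the new selector in both directions. These allow entries
! must sit above the "nat source list wizard-ics" line, as in the posted
! configs, or wizard-ics (permit any) NATs the traffic before it reaches
! the tunnel.
ip policy-class Private
  allow list VPN-20-vpn-selectors stateless
!
ip policy-class Public
  allow reverse list VPN-20-vpn-selectors stateless
```

                                 Site A then needs the mirror image: a policy and remote-id for peer XXX.176.216.29, the same key, and a selector permitting 192.168.30.0/24 -> 192.168.20.0/24, while the 30.0/20.0 pair comes out of whatever selector site A and site B currently use for the hub path. AOS evaluates policy-class entries top-down and appends new ones at the bottom, so after adding the allow lines check `show running-config` and, if the new allow landed below the `nat source` entry, remove that nat line and re-enter it so it is last again. The 3DES/MD5 attributes are copied only so the new peer matches the existing units; both are legacy choices, and if all three 3120s support AES and SHA in your AOS release, moving every tunnel to those at the same time is worth the effort.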

                                  • Re: Multi Site to Site VPN with 3120s
                                    wtcguy New Member

                                     Yes, I understand that.  I am currently only trying to connect config 1 to config 2 and config 2 to config 3, so config 2 would have both in it, correct?  Only config 1 and config 3 would have tunnels to config 2; once I have that working I will then build 1 to 3 as well.  I am stuck in getting 2 to communicate with both 1 and 3.  I appreciate any help.

                                     

                                    Thank you

                                      • Re: Multi Site to Site VPN with 3120s
                                        mick Visitor

                                        Yes, this is correct, config 2 should have a tunnel configured for each of the other peers.

                                         

                                         I had a quick look at your config files and can't see anything amiss.  How far is the connection attempt getting?  Do you at least get IKE SAs created (phase 1) when you ping the private subnet of the remote peer to start a tunnel going?  Can you run a debugging session on both A & B and see what each reports?  Then repeat between B & C.

                                        --

                                        Regards,

                                        Mick

                                          • Re: Multi Site to Site VPN with 3120s
                                            cj! Beta_User

                                            You mentioned using the GUI, so if you need a hand capturing debug:

                                             

                                            • Telnet or SSH into each unit
                                             • Log on with the same username and password that you use in the GUI
                                            • Enter command
                                              enable
                                              • Default enable password is password
                                            • Start text logging to a file (debug output will scroll too fast to analyze)
                                               • If using PuTTY (popular terminal application for Windows), right-click the window title bar and select Change Settings... → Logging → select Printable Output and browse to a location to store the file → Apply
                                            • Enter command
                                              debug crypto ike

                                             

                                            Now you can ping a host on the remote end and see what the debug looks like when the tunnel tries to build.  Deciphering the output can be challenging.  You can attach the text log files, but some info could be visible that may be sensitive to you, such as public IP addresses and so forth.  I might suggest calling ADTRAN and opening a ticket (or open a case here).

                                             

                                             Some things to look for are obvious errors, as well as how many messages of quick mode and main mode you see in the sequence.  The pattern will repeat, so after a few cycles you should be able to see how far it gets.  For example, "Sent first message of quick mode," or "received second message of main mode."  Determining how far it gets into these message sequences can itself reveal the source of the problem, since each message relates to a specific aspect of the IKE and IPsec attributes.

                                             

                                            Best,

                                            Chris

                                          • Re: Multi Site to Site VPN with 3120s
                                            cj! Beta_User

                                            Are you having better luck with your VPN?  Keep us posted when you have a minute. 

                                              • Re: Multi Site to Site VPN with 3120s
                                                wtcguy New Member

                                                 Apparently I did set it up correctly; it turns out that to activate the connection I needed to ping the remote side.  If the connection goes down, the only way to re-activate it is either to ping or to have a device try to connect to the other side.  Is there a keep-alive setting?

                                                  • Re: Multi Site to Site VPN with 3120s
                                                    cj! Beta_User

                                                     Yep, the simplest way to take care of this is to create a ping probe.  The document Configuring Network Monitor in AOS is a great resource and includes a configuration example.  You can make the period 30 seconds or something like that to keep ping traffic low, and that should be perfect to keep your tunnels up.  The source and destination will need to be IP addresses that will be sent over the VPN, such as the LAN interfaces of your routers.  To keep it simple, maybe you could set up the main site router with probes to the other two.

                                                     

                                                    Chris
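
                                                     As an added example, not from Chris's post or from the AOS guide, here is what such a probe looks like on the third unit, site C, whose LAN address 192.168.20.26 appears in the posted config. 192.168.1.1 stands in for site B's LAN interface, which is not visible in the thread, and the command names follow the AOS network monitor syntax as I recall it, so confirm them with `?` on your release.

```text
! Added example: keep the C-to-B tunnel up from site C.
! 192.168.1.1 is an assumed address for site B's LAN interface.
probe KEEPALIVE-SITE-B icmp-echo
  ! The source must fall inside the VPN selector
  ! (192.168.20.0/24 -> 192.168.1.0/24); an echo sourced from eth 0/1
  ! would leave through NAT and never trigger IKE.
  source-address 192.168.20.26
  destination 192.168.1.1
  ! 30-second period keeps the traffic low but still beats the idle timers.
  period 30
  timeout 1500
  no shutdown
```

                                                     Once it is running, `show probe KEEPALIVE-SITE-B` shows the pass/fail counts and `show crypto ike sa` / `show crypto ipsec sa` should list the SAs to XXX.13.33.201 staying up without anyone on the LAN generating traffic. The probe also doubles as a monitor: a run of failures means the tunnel itself is down, not just idle, which is the point at which the `debug crypto ike` capture described earlier in the thread becomes useful.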

                                                      • Re: Multi Site to Site VPN with 3120s
                                                        Employee

                                                        I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                                                         

                                                        Thanks,

                                                        Noor