9 Replies Latest reply on Oct 29, 2015 11:40 AM by mick

    IPSEC VPN tunnel can only ping routers on both sides

    curtc New Member

      Hello,

      I have been at this for a day and cannot figure out why I cannot get this VPN tunnel to work. 1335 on my side, 3120 on the other side. I have tried in aggressive and main mode. IKE works, IPSEC works, tunnel comes up. From both sides I can ping the router on the other side, but I can't pass traffic to/from the LANs.

      I used the wizard on the 1335 and then hand-wrote the config on the 3120 based off of the 1335, making sure all of the addresses were correct, including the VPN selector lists. I've tried fqdn local-id. Could someone help out? Thanks!

      "ip crypto map VPN" is on both external interfaces.

       

      1335:

      ip crypto

      !

      crypto ike policy 100

        initiate aggressive

        respond aggressive

        local-id address xx.140.67.2

        peer xx.140.52.3

        attribute 1

          encryption 3des

          hash md5

          authentication pre-share

      !

      crypto ike remote-id address xx.140.52.3 preshared-key a1234567890b ike-policy 100 crypto map VPN 10 no-mode-config no-xauth nat-t v1 disable nat-t v2 force

      !

      ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

        mode tunnel

      !

      ip crypto map VPN 10 ipsec-ike

        description TunnelToM

        match address ip VPN-10-vpn-selectors1

        set peer xx.140.52.3

        set transform-set esp-3des-esp-md5-hmac

        ike-policy 100

      ip access-list extended VPN-10-vpn-selectors1

        permit ip 172.16.16.0 0.0.0.255  172.16.18.0 0.0.0.255

      !

      ip policy-class Private

        allow list VPN-10-vpn-selectors1 stateless

        allow list Self self

        nat source list Natting interface vlan 666 overload

      !

      ip policy-class Public

        allow reverse list VPN-10-vpn-selectors1 stateless

        allow list SSH self

      3120:

      ip crypto

      !

      crypto ike policy 100

        initiate aggressive

        respond aggressive

        local-id address xx.140.52.3

        peer xx.140.67.2

        attribute 1

          encryption 3des

          hash md5

          authentication pre-share

      !

      crypto ike remote-id address xx.140.67.2 preshared-key a1234567890b ike-policy 100 crypto map VPN 10 no-mode-config no-xauth nat-t v1 disable nat-t v2 force

      !

      ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

        mode tunnel

      !

      ip crypto map VPN 10 ipsec-ike

        description TunnelToC

        match address ip VPN-10-vpn-selectors1

        set peer xx.140.67.2

        set transform-set esp-3des-esp-md5-hmac

        ike-policy 100

      ip access-list extended VPN-10-vpn-selectors1

        permit ip 172.16.18.0 0.0.0.255  172.16.16.0 0.0.0.255

      !

      ip policy-class Private

        allow list VPN-10-vpn-selectors1 stateless

        allow list self self

        nat source list Natting interface eth 0/1 overload

      !

      ip policy-class Public

        allow list SSH self

        allow reverse list VPN-10-vpn-selectors1 stateless

        • Re: IPSEC VPN tunnel can only ping routers on both sides
          curtc New Member

          I realize that you'd not want dynamic connections for this type of VPN, but will it cause this if each side is? I've tried what seems like everything.

            • Re: IPSEC VPN tunnel can only ping routers on both sides
              dayo76 New Member

              What firmware are you using? I am using R11.02.E.

              Have you tried the commands:

                nat-traversal v1 disable

                nat-traversal v2 disable

              under crypto ike policy xxx?

              Also, a group setting under your attribute 1 settings may be needed. Here is an example of what I am talking about...

              ip crypto

              ip crypto ffe

              !

              crypto ike policy 100

                initiate main

                respond anymode

                local-id fqdn domain.net

                nat-traversal v1 disable

                nat-traversal v2 disable

                peer xx.xx.xx.xx

                attribute 1

                  encryption 3des

                  hash md5

                  authentication pre-share

                  group x

              !

              crypto ike remote-id any preshared-key a1234567890b

              !

              ip crypto ipsec transform-set esp-3des-esp-MD5-hmac esp-3des esp-md5-hmac

                mode tunnel

              !

              ip crypto map VPN 10 ipsec-ike

                description ipsec2

                match address ip VPN-10-vpn-selectors1

                set peer xx.xx.xx.xx

                set transform-set esp-3des-esp-MD5-hmac

                ike-policy xxx

              Let me know if this helps.
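Both the configs in the original post and the `group` suggestion above come down to the same requirement: once IKE is up, LAN-to-LAN traffic only flows if the two sides are exact mirror images (peer vs. local-id, IKE attributes, selector ACLs) and the firewall lets the selector traffic past NAT in both directions. Note also that a ping between the routers' public addresses does not match the 172.16.16.0/24 <-> 172.16.18.0/24 selectors, so it travels outside the tunnel and says nothing about phase 2 traffic. The following is an added example, not code from the thread or from ADTRAN: a small Python audit that parses the posted 1335 config (trimmed to the stanzas it reads, with the 3120 side derived as its mirror) and reports the mismatches that leave IKE up but LAN traffic dead. The stanza layout it parses, the top-down evaluation of policy-class entries it assumes, and the names `parse_aos`, `check_pair` and `audit` are all this example's own assumptions.

```python
# Added example, not code from the thread or from ADTRAN: a consistency audit of the two
# posted AOS configs. The stanza layout (header at column 0, body indented) and the
# top-down evaluation of policy-class entries are assumptions of this example.

# Constructed sample input: the thread's 1335 config trimmed to the stanzas the audit reads.
CFG_1335 = """
crypto ike policy 100
  local-id address xx.140.67.2
  peer xx.140.52.3
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
ip crypto map VPN 10 ipsec-ike
  match address ip VPN-10-vpn-selectors1
  set peer xx.140.52.3
ip access-list extended VPN-10-vpn-selectors1
  permit ip 172.16.16.0 0.0.0.255  172.16.18.0 0.0.0.255
ip policy-class Private
  allow list VPN-10-vpn-selectors1 stateless
  nat source list Natting interface vlan 666 overload
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors1 stateless
"""


def swap(text, a, b):
    """Swap two substrings; used to derive the mirror-image peer config."""
    return text.replace(a, "\0").replace(b, a).replace("\0", b)


# The posted 3120 config is the 1335 one with the addresses swapped and NAT on eth 0/1.
CFG_3120 = swap(swap(CFG_1335, "xx.140.67.2", "xx.140.52.3"),
                "172.16.16.0", "172.16.18.0").replace("vlan 666", "eth 0/1")

HEADERS = {  # stanza header prefix -> (kind, index of the token that names the stanza)
    "crypto ike policy": ("ike", 3), "ip crypto map": ("map", 3),
    "ip access-list extended": ("acl", 3), "ip policy-class": ("pc", 2),
}


def parse_aos(text):
    """Extract the IKE policy, crypto map, selector ACLs and policy-classes from an AOS config."""
    cfg = {"ike": {"attr": {}}, "map": {}, "acl": {}, "pc": {}}
    kind = name = None
    for line in text.splitlines():
        w = line.split()
        if not w or w == ["!"]:
            continue
        if not line.startswith(" "):  # a column-0 line opens a new stanza
            kind = name = None
            for prefix, (k, i) in HEADERS.items():
                if line.startswith(prefix + " "):
                    kind, name = k, w[i]
            if kind in ("acl", "pc"):
                cfg[kind][name] = []
            continue
        if kind == "ike":
            if w[0] == "local-id":
                cfg["ike"]["local_id"] = w[-1]
            elif w[0] == "peer":
                cfg["ike"]["peer"] = w[1]
            elif w[0] in ("encryption", "hash", "authentication", "group"):
                cfg["ike"]["attr"][w[0]] = w[1]
        elif kind == "map":
            if w[:2] == ["match", "address"]:
                cfg["map"]["acl"] = w[-1]
            elif w[:2] == ["set", "peer"]:
                cfg["map"]["peer"] = w[2]
        elif kind == "acl" and w[0] == "permit":
            cfg["acl"][name].append(tuple(w[2:6]))  # (src, src-wildcard, dst, dst-wildcard)
        elif kind == "pc":
            cfg["pc"][name].append(w)
    return cfg


def check_pair(a, b, names=("A", "B")):
    """Return findings that leave IKE up but LAN traffic dead; an empty list means consistent."""
    out = []
    for me, other, n in ((a, b, names[0]), (b, a, names[1])):
        lid = other["ike"].get("local_id")
        if me["ike"].get("peer") != lid or me["map"].get("peer") != lid:
            out.append(f"{n}: IKE or crypto-map peer is not the remote local-id {lid}")
        acl, fwd, rev = me["map"].get("acl"), False, False
        for pc, rules in me["pc"].items():  # entries are assumed to be evaluated top-down
            for i, r in enumerate(rules):
                if r[:3] == ["allow", "list", acl]:
                    fwd = True
                    if any(q[:2] == ["nat", "source"] for q in rules[:i]):
                        out.append(f"{n}: {pc} applies NAT before allowing {acl}")
                elif r[:4] == ["allow", "reverse", "list", acl]:
                    rev = True
        if not fwd:
            out.append(f"{n}: no policy-class allows {acl} outbound")
        if not rev:
            out.append(f"{n}: no policy-class allows reverse {acl} inbound")
    if a["ike"]["attr"] != b["ike"]["attr"]:
        out.append(f"IKE attributes differ: {a['ike']['attr']} vs {b['ike']['attr']}")
    sel_a = set(a["acl"].get(a["map"].get("acl"), []))
    sel_b = {(d, dw, s, sw) for s, sw, d, dw in b["acl"].get(b["map"].get("acl"), [])}
    if sel_a != sel_b:
        out.append(f"selectors are not mirror images: {sorted(sel_a ^ sel_b)}")
    return out


def audit(text_a, text_b, names=("1335", "3120")):
    """Parse both configs and compare them; e.g. audit(CFG_1335, CFG_3120) returns []."""
    return check_pair(parse_aos(text_a), parse_aos(text_b), names)
```

Run against the two posted fragments the audit returns no findings, which matches the thread: the configs are consistent as far as the visible stanzas go. Adding `group 2` on one side only, flipping one selector octet, or moving the `nat source` entry above the `allow list ... stateless` entry each produces a finding, so the checker is most useful as a pre-flight before the "tunnel up, no traffic" troubleshooting starts. It cannot see the contents of the `Natting` list, which the thread never shows.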

                • Re: IPSEC VPN tunnel can only ping routers on both sides
                  curtc New Member

                  Thank you for the reply.

                  ! ADTRAN, Inc. OS version R11.9.0.E

                  ! Boot ROM version 15.01.B1

                  ! Platform: NetVanta 1335, part number 1700515E2

                  ! ADTRAN OS version R11.5.1.E

                  ! Boot ROM version 17.01.01.00

                  ! Platform: NetVanta 3120, part number 1700601G2

                  I tried

                  nat-traversal v1 disable

                    nat-traversal v2 disable

                  under crypto ike policy 100

                  on both sides to no avail.

                  I also added "group 2" to both sides under attribute 1. Not a thing. I can still ping routers on both sides, from either side.

              • Re: IPSEC VPN tunnel can only ping routers on both sides
                curtc New Member

                Wait... I have no idea what happened. All I did was log in to both routers to double-check Mick's suggestion. Didn't change a thing. Logged out. Tried to ping the printer on the other side. It worked! I hate it when things start working for no reason, because now I'll never know what was wrong. Carrier blocking IPSEC? I'm not going to argue with success, though. Thank you all for your support!