cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
New Contributor

IPSEC VPN tunnel can only ping routers on both sides

Hello,

I have been at this for a day and can not figure out why I cannot get this VPN tunnel to work.  1335 on my side, 3120 on the other side.  I have tried in aggressive and main mode.  IKE works, IPSEC works, tunnel comes up.  From both sides I can ping the router on the other side, but I can't pass traffic to/from the LANs.

I used the wizard on the 1335 and then hand wrote the config on the 3120 based off of the 1335, making sure all of the addresses were correct including the vpn selectors lists.  Ive tried fqdn local-id.   Could someone help out?  Thanks!

"ip crypto map VPN" is on both external interfaces.

1335:

ip crypto

!

crypto ike policy 100

  initiate aggressive

  respond aggressive

  local-id address xx.140.67.2

  peer xx.140.52.3

  attribute 1

    encryption 3des

    hash md5

    authentication pre-share

!

crypto ike remote-id address xx.140.52.3 preshared-key a1234567890b ike-policy 100 crypto map VPN 10 no-mode-config no-xauth nat-t v1 disable nat-t

v2 force

!

ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

  mode tunnel

!

ip crypto map VPN 10 ipsec-ike

  description TunnelToM

  match address ip VPN-10-vpn-selectors1

  set peer xx.140.52.3

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 100

ip access-list extended VPN-10-vpn-selectors1

  permit ip 172.16.16.0 0.0.0.255  172.16.18.0 0.0.0.255

!

ip policy-class Private

  allow list VPN-10-vpn-selectors1 stateless

  allow list Self self

  nat source list Natting interface vlan 666 overload

!

ip policy-class Public

  allow reverse list VPN-10-vpn-selectors1 stateless

  allow list SSH self

3120:

ip crypto

!

crypto ike policy 100

  initiate aggressive

  respond aggressive

  local-id address xx.140.52.3

  peer xx.140.67.2

  attribute 1

    encryption 3des

    hash md5

    authentication pre-share

!

crypto ike remote-id address xx.140.67.2 preshared-key a1234567890b ike-policy 100 crypto map VPN 10 no-mode-config no-xauth nat-t v1 disable nat-t v2 force

!

ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

  mode tunnel

!

ip crypto map VPN 10 ipsec-ike

  description TunnelToC

  match address ip VPN-10-vpn-selectors1

  set peer xx.140.67.2

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 100

ip access-list extended VPN-10-vpn-selectors1

  permit ip 172.16.18.0 0.0.0.255  172.16.16.0 0.0.0.255

!

ip policy-class Private

  allow list VPN-10-vpn-selectors1 stateless

  allow list self self

  nat source list Natting interface eth 0/1 overload

!

ip policy-class Public

  allow list SSH self

  allow reverse list VPN-10-vpn-selectors1 stateless

Labels (1)
0 Kudos
9 Replies
Highlighted
New Contributor

Re: IPSEC VPN tunnel can only ping routers on both sides

I realize that you'd not want dynamic connections for this type of VPN but will it cause this if each side is?  I've tried what seems like everything..

Highlighted
New Contributor III

Re: IPSEC VPN tunnel can only ping routers on both sides

What Firmware are you using? I am using R11.02.E

Have you tried the commands:

  nat-traversal v1 disable

  nat-traversal v2 disable

under crypto ike policy xxx?

Also a group setting under your attribute 1 settings may be needed. Here is an example of what I am talking about...

ip crypto

ip crypto ffe

!

crypto ike policy 100

  initiate main

  respond anymode

  local-id fqdn domain.net

  nat-traversal v1 disable

  nat-traversal v2 disable

  peer xx.xx.xx.xx

  attribute 1

    encryption 3des

    hash md5

    authentication pre-share

    group x

!

crypto ike remote-id any preshared-key a1234567890b

!

ip crypto ipsec transform-set esp-3des-esp-MD5-hmac esp-3des esp-md5-hmac

  mode tunnel

!

ip crypto map VPN 10 ipsec-ike

  description ipsec2

  match address ip VPN-10-vpn-selectors1

  set peer xx.xx.xx.xx

  set transform-set esp-3des-esp-MD5-hmac

  ike-policy xxx

Let me know if this helps.

Highlighted
New Contributor

Re: IPSEC VPN tunnel can only ping routers on both sides

Thank you for the reply.

! ADTRAN, Inc. OS version R11.9.0.E

! Boot ROM version 15.01.B1

! Platform: NetVanta 1335, part number 1700515E2

! ADTRAN OS version R11.5.1.E

! Boot ROM version 17.01.01.00

! Platform: NetVanta 3120, part number 1700601G2

I tried

nat-traversal v1 disable

  nat-traversal v2 disable

under crypto ike policy 100

on both sides to no avail.

I also added "group 2" to both sides under attribute 1.  Not a thing..  I can still ping routers on both sides, from either side.

Highlighted
Contributor
Contributor

Re: IPSEC VPN tunnel can only ping routers on both sides

I can't see anything wrong with your config.  Stating the obvious just in case, how do you know that the hosts in each LAN are not receiving any packets?  They may have been configured not to respond to ICMP requests, or not to respond to requests from subnets outside the local network.  Have you checked what packets are captured at the Netvanta and at the hosts?

On the PC you can check the logs after you increase verbosity, use wireshark, or tcpdump (depending on your OS).

On Netvanta you can try something like this:  https://supportforums.adtran.com/message/2248#2248

--

Regards,

Mick

Highlighted
Contributor
Contributor

Re: IPSEC VPN tunnel can only ping routers on both sides

BTW, how have you specified the crypto map on the external interface of the 3120?  I am asking because on the 3120 you will need a line like so:

interface eth0/1

[snip ...]

ip access-policy Public

ip crypto map VPN

If you just upload a config file to the Netvanta you may not know that the last line should include "ip" in front of it.  A lot of Netvanta documentation shows this line as "crypto map VPN" without the "ip" on the front.  However, when I tried to enter "crypto map VPN" on the CLI the 3120 would not accept it unless I typed "ip" in front.

Hope this helps.

--

Regards,

Mick

Highlighted
New Contributor

Re: IPSEC VPN tunnel can only ping routers on both sides

Thanks!  The devices I'm pinging are 2 access points per side and a network printer.  Pretty sure it's the tunnel and not the end point not responding to ICMP echo.

Highlighted
New Contributor

Re: IPSEC VPN tunnel can only ping routers on both sides

Yes, " ip crypto map VPN" is on the public interface on both.

Highlighted
New Contributor

Re: IPSEC VPN tunnel can only ping routers on both sides

Wait...  I have no idea what happened.  All I did was log in to both routers to double check Mick's suggestion.  Didn't change a thing.  Logged out.  Tried to ping the printer on the other side.  It worked!  I hate it when things start working for no reason because now I'll never know what was wrong.  Carrier blocking IPSEC?  I'm not going to argue with success though.  Thank you all for your support!

Highlighted
Contributor
Contributor

Re: IPSEC VPN tunnel can only ping routers on both sides

Glad you got it working. 

It can take up to 4 or 5 pings or more before the tunnel comes up.  So you may need to ping it more than once, or specify the count. I usually use a count of 6 pings just to be sure and it always comes up before then.

--

Regards,

Mick