wtcguy
New Contributor II

Multi Site to Site VPN with 3120s

I am new to this forum, and hope to get some answers here.  I currently have a site to site VPN set up with two 3120s.  I am trying to add another 3120 to the VPN so that I will have three locations.  I need sites A, B, and C to all communicate with each other.  I cannot figure out how to connect the third 3120 to the VPN; it will not connect.  If I disconnect one of the other sites I can get it to work.  Can someone post how this should be set up?  I use the GUI to set this up.  Thank you.


14 Replies
Anonymous
Not applicable

Re: Multi Site to Site VPN with 3120s

Hi wtcguy:

Thank you for submitting your question in the Support Community, and welcome!

The guide Configuring a VPN for Multiple Subnets in AOS - Quick Configuration Guide explains some important concepts and includes both GUI and CLI configuration examples.  Additional explanation and guidance may be needed, but it's a great place to start.

Are you trying to set up a mesh so that all three sites have a VPN tunnel to each other (a triangle shape), or will two remote sites connect to a main site (a V shape) and possibly reach from one remote to the other through the main site?  Also, do all sites have a static public IP address?

Chris

wtcguy
New Contributor II

Re: Multi Site to Site VPN with 3120s

I am trying to set up a mesh with VPN tunnels to each other.  I have sites A and B connected but cannot get site C connected to either A or B.  I looked at the document you suggested; it discusses setting up multiple subnets, but I need to set up multiple sites.  I have been looking for a guide that describes the process, but have been unlucky so far.  Any help would be greatly appreciated.

Thank you

Anonymous
Not applicable

Re: Multi Site to Site VPN with 3120s

Got it.  Do all three sites have static public IP addresses?  A related question: are you configuring main mode tunnels or aggressive mode?  Aggressive mode is typically used when one side always initiates the tunnel and the initiator can use a dynamic IP.  One side must have a static IP (not the initiator).

You need to have a separate VPN tunnel (crypto map) for each connection; two in each 3120 connecting to the other sites.

We can try to provide guidance using the GUI but it may be faster to post your configs to this thread (remove passwords, pre-shared keys, etc. using a text editor first).

Chris

wtcguy
New Contributor II

Re: Multi Site to Site VPN with 3120s

Yes, each site has a static IP and they are using main mode.

Anonymous
Not applicable

Re: Multi Site to Site VPN with 3120s

Okay, for each 3120, you need to configure two VPN tunnels.  Both should be static/main mode and use IP addresses for the local and remote IDs.  The local ID will be the same for both tunnels (the unit's own public IP address).  The remote ID on each tunnel should match the static IP of the respective far end.  Select the Internet interface to use for both tunnels.

Make sure the initiate and respond options and pre-shared key (PSK) are the same for both 3120s terminating a given tunnel, as well as Phase 1 IKE and Phase 2 IPsec encryption attributes and lifetimes.

The local network(s) should be the same for both tunnels.  The remote network(s) for a given tunnel should reflect the LAN subnet(s) at the far end.  The local/remote networks setup in 3120s at each end of a tunnel should mirror each other (with local and remote networks flipped).

I recommend going over these parameters and be careful that your attributes match properly for each end of the same tunnel.  Also be careful not to copy parameters between two tunnels which should be unique (such as remote network, remote ID/peer, and possibly PSK).

Let us know how it goes or if you have additional questions!

Chris
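
As an added illustration of the mirroring rule in the reply above, here is a small Python checker (example code written for this page, not ADTRAN's or the poster's). It parses only the `local-id address`, `ip crypto map ... ipsec-ike` (`set peer`, `match address ip`) and `ip access-list extended` lines of each site's config, then checks every pair of sites for a crypto map at both ends and for selector ACLs that are the local/remote flipped copy of each other. The three fragments are constructed: the LAN subnets are the ones used in this thread, the public addresses are placeholders from the 198.51.100.0/24 documentation range, and the topology deliberately reproduces the shape being discussed (only the middle site has tunnels to both others).

```python
"""Check that a multi-site AOS IPsec mesh has a tunnel at both ends of every
pair and that each tunnel's selectors mirror (local/remote flipped) the far
end's.  Added example, not ADTRAN code; reads only the local-id, crypto map
and extended ACL lines.  The three fragments are constructed from the
thread's LAN subnets with documentation-range public addresses."""
import ipaddress
import re


def wildcard_to_net(addr, wildcard):
    """AOS ACLs use Cisco-style wildcard masks: 0.0.0.255 means /24."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return str(ipaddress.IPv4Network(f"{addr}/{netmask}"))


def parse_site(config_text):
    """Return (public_ip, {peer_ip: {(local_net, remote_net), ...}})."""
    local_ip, acls, maps, current = None, {}, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
        elif m := re.match(r"local-id address (\S+)", line):
            local_ip = m[1]
        elif m := re.match(r"ip access-list extended (\S+)", line):
            current = ("acl", m[1])
            acls[m[1]] = set()
        elif m := re.match(r"ip crypto map \S+ (\d+) ipsec-ike", line):
            current = ("map", m[1])
            maps[m[1]] = {}
        elif current and current[0] == "acl":
            if m := re.match(r"permit ip (\S+) (\S+)\s+(\S+) (\S+)", line):
                acls[current[1]].add((wildcard_to_net(m[1], m[2]), wildcard_to_net(m[3], m[4])))
        elif current and current[0] == "map":
            if m := re.match(r"set peer (\S+)", line):
                maps[current[1]]["peer"] = m[1]
            elif m := re.match(r"match address ip (\S+)", line):
                maps[current[1]]["acl"] = m[1]
    tunnels = {}
    for entry in maps.values():
        if "peer" in entry:   # a crypto map without a peer cannot bring anything up
            tunnels.setdefault(entry["peer"], set()).update(acls.get(entry.get("acl"), set()))
    return local_ip, tunnels


def check_mesh(sites):
    """sites: {name: config_text}.  Sorted list of problems; [] means the mesh is consistent."""
    parsed = {name: parse_site(cfg) for name, cfg in sites.items()}
    problems, names = [], sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (ip_a, tun_a), (ip_b, tun_b) = parsed[a], parsed[b]
            sel_ab, sel_ba = tun_a.get(ip_b), tun_b.get(ip_a)
            if sel_ab is None and sel_ba is None:
                problems.append(f"{a}<->{b}: no tunnel defined at either end")
            elif sel_ab is None or sel_ba is None:
                missing, other = (a, b) if sel_ab is None else (b, a)
                problems.append(f"{missing}: no crypto map for peer {other} (one-sided tunnel)")
            else:
                mirrored = {(r, l) for l, r in sel_ba}   # far end's ACL as seen from a
                for l, r in sel_ab - mirrored:
                    problems.append(f"{a}->{b} selector {l}->{r} has no mirror at {b}")
                for l, r in mirrored - sel_ab:
                    problems.append(f"{b}->{a} selector {r}->{l} has no mirror at {a}")
    return sorted(problems)


SITES = {  # constructed fragments: LAN subnets from the thread, public IPs from 198.51.100.0/24
    "site-A": """
crypto ike policy 100
  local-id address 198.51.100.1
ip crypto map VPN 10 ipsec-ike
  match address ip VPN-10-vpn-selectors8
  set peer 198.51.100.2
ip access-list extended VPN-10-vpn-selectors8
  permit ip 192.168.30.0 0.0.0.255 192.168.1.0 0.0.0.255
""",
    "site-B": """
crypto ike policy 100
  local-id address 198.51.100.2
ip crypto map VPN 10 ipsec-ike
  match address ip VPN-10-vpn-selectors2
  set peer 198.51.100.3
ip crypto map VPN 20 ipsec-ike
  match address ip VPN-20-vpn-selectors
  set peer 198.51.100.1
ip access-list extended VPN-10-vpn-selectors2
  permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended VPN-20-vpn-selectors
  permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
""",
    "site-C": """
crypto ike policy 100
  local-id address 198.51.100.3
ip crypto map VPN 10 ipsec-ike
  match address ip VPN-10-vpn-selectors1
  set peer 198.51.100.2
ip access-list extended VPN-10-vpn-selectors1
  permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
""",
}
```

Run `check_mesh(SITES)` and it reports two things about the constructed topology: site-A and site-C have no tunnel between them at all, and site-C's second selector (192.168.20.0/24 to 192.168.30.0/24) sits in the crypto map towards site-B, where site-B has no flipped copy of it, so that traffic can never match a phase 2 SA. Traffic to a third site has to be carried by a crypto map whose peer is that site, not folded into an existing tunnel's ACL.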

wtcguy
New Contributor II

Re: Multi Site to Site VPN with 3120s

Here are the config files.  This first one does not connect to the second config file's site; the second config connects to the third but will not connect to the first config file's site.

FIRST CONFIG FILE

!
!
! ADTRAN OS version R10.9.6.E
! Boot ROM version 17.01.01.00
! Platform: NetVanta 3120, part number 1700601G2
! Serial number LBADTN1204AG137
!
!
hostname "NetVanta3120"
enable password XXXXXXXX
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip default-gateway 192.168.20.26
ip routing
host "XXXXXX.XXXXX.XXX" 192.168.1.10
host "XXXXXX.XXXXX.XXX" 192.168.20.10
domain-proxy
name-server 192.168.30.26 8.8.8.8
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "admin" password "XXXXXXX"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
ip dhcp excluded-address 192.168.20.1 192.168.20.199
!
ip dhcp pool "Private"
  network 192.168.30.0 255.255.255.0
  dns-server 8.8.8.8 8.8.4.4
  netbios-node-type h-node
  default-router 192.168.30.26
!
!
!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address XXX.199.182.138
  peer XXX.13.33.201
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id address XXX.13.33.201 preshared-key XXXXXXXX ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
ip crypto map VPN 10 ipsec-ike
  description Pitt
  match address ip VPN-10-vpn-selectors8
  set peer XXX.13.33.201
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
vlan 1
  name "Default"
!
!
interface eth 0/1
  ip address  XX.199.182.138  255.255.255.0
  ip access-policy Public
  ip crypto map VPN
  no shutdown
  no lldp send-and-receive
!
!
interface switchport 0/1
  no shutdown
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
!
!
interface vlan 1
  ip address  192.168.30.26  255.255.255.0
  ip access-policy Private
  no shutdown
!
!
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to UNIT
  permit ip any  any     log
!
ip access-list extended VPN-10-vpn-selectors8
  permit ip 192.168.30.0 0.0.0.255  192.168.1.0 0.0.0.255   
!
ip access-list extended web-acl-10
  remark IPEDGE Net Request
  permit tcp any  host XX.199.182.138 eq 4029   log
!
ip access-list extended web-acl-11
  remark LAN BLF
  permit tcp any  host XX.199.182.138 eq 6000   log
!
ip access-list extended web-acl-12
  remark EM HTTP
  permit tcp any  host XX.199.182.138 eq 8080   log
!
ip access-list extended web-acl-13
  remark EM HTTPS 2
  permit tcp any  host XX.199.182.138 eq 9443   log
!
ip access-list extended web-acl-14
  remark Webmin
  permit tcp any  host XX.199.182.138 eq 10000   log
!
ip access-list extended web-acl-15
  remark IPEDGE Net Connection
  permit tcp any  host XX.199.182.138 range 12000 13791   log
!
ip access-list extended web-acl-16
  remark IPEDGE Net Node to Node
  permit tcp any  host XX.199.182.138 range 16000 19999   log
!
ip access-list extended web-acl-17
  remark Remote APP
  permit tcp any  host XX.199.182.138 eq 90   log
!
ip access-list extended web-acl-18
  remark Message Access
  permit tcp any  host XX.199.182.138 eq 42507   log
!
ip access-list extended web-acl-19
  remark SIP
  permit udp any  host XX.199.182.138 eq 5060    log
!
ip access-list extended web-acl-20
  remark HTTPS
  permit tcp any  host XX.199.182.138 eq https   log
!
ip access-list extended web-acl-21
  remark XMPP Client 1
  permit tcp any  host XX.199.182.138 eq 5222   log
!
ip access-list extended web-acl-22
  remark XMPP Server
  permit tcp any  host XX.199.182.138 eq 5269   log
!
ip access-list extended web-acl-23
  remark XMPP Client 2
  permit tcp any  host XX.199.182.138 eq 5280   log
!
ip access-list extended web-acl-24
  remark Net Server
  permit tcp any  host XX.199.182.138 range 8767 8768   log
!
ip access-list extended web-acl-25
  remark SNMP
  permit udp any  host XX.199.182.138 eq snmp    log
!
ip access-list extended web-acl-4
  remark Remote IPT Registration
  permit udp any  host XX.199.182.138 range 1718 1719    log
!
ip access-list extended web-acl-5
  remark Remtoe IPT Megaco
  permit tcp any  host XX.199.182.138 eq 2944   log
!
ip access-list extended web-acl-6
  remark Remote IP Audio
  permit udp any  host XX.199.182.138 range 21000 26999    log
!
ip access-list extended web-acl-7
  remark Redirects to 8080
  permit tcp any  host XX.199.182.138 eq www   log
!
ip access-list extended web-acl-8
  remark SMDI
  permit tcp any  host XX.199.182.138 eq 1000   log
!
ip access-list extended web-acl-9
  remark LAN DSS Survive
  permit tcp any  host XX.199.182.138 range 3000 3001   log
!
!
!
ip policy-class Private
  allow list VPN-10-vpn-selectors8 stateless
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors8 stateless
  nat destination list web-acl-4 address 192.168.20.10
  nat destination list web-acl-5 address 192.168.20.10
  nat destination list web-acl-6 address 192.168.20.10
  nat destination list web-acl-7 address 192.168.20.10
  nat destination list web-acl-8 address 192.168.20.10
  nat destination list web-acl-9 address 192.168.20.10
  nat destination list web-acl-10 address 192.168.20.10
  nat destination list web-acl-11 address 192.168.20.10
  nat destination list web-acl-12 address 192.168.20.10
  nat destination list web-acl-13 address 192.168.20.10
  nat destination list web-acl-14 address 192.168.20.10
  nat destination list web-acl-15 address 192.168.20.10
  nat destination list web-acl-16 address 192.168.20.10
  nat destination list web-acl-17 address 192.168.20.10
  nat destination list web-acl-18 address 192.168.20.10
  nat destination list web-acl-19 address 192.168.20.10
  nat destination list web-acl-20 address 192.168.20.10
  nat destination list web-acl-21 address 192.168.20.10
  nat destination list web-acl-22 address 192.168.20.10
  nat destination list web-acl-23 address 192.168.20.10
  nat destination list web-acl-24 address 192.168.20.10
  nat destination list web-acl-25 address 192.168.20.10
!
!
ip route 0.0.0.0 0.0.0.0 XX.199.182.142
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
  no login
!
line telnet 0 4
  login local-userlist
  password password
  no shutdown
line ssh 0 4
  login local-userlist
  no shutdown
!
!
ntp source ethernet 0/1
ntp server 0.pool.ntp.org source ethernet 0/1
ntp server 1.pool.ntp.org source ethernet 0/1
ntp server 2.pool.ntp.org
!
!
!
!
!
end

SECOND CONFIG FILE

!
!
! ADTRAN OS version R10.9.6.E
! Boot ROM version 17.01.01.00
! Platform: NetVanta 3120, part number 1700601G2
! Serial number LBADTN1204AG320
!
!
hostname "NetVanta3120"
enable password encrypted 151e9429764620329e6863024e9ed77e8626
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip routing
host "XXX.XXXXXXX.XXX" 192.168.1.10
host "xxx.xxxxxx.xxx" 192.168.20.10
domain-proxy
name-server 208.67.220.220 208.67.221.221
!
!
no auto-config
!
no event-history
no logging forwarding
no logging console
logging forwarding priority-level info
no logging email
!
service password-encryption
!
username "XXXXX" password encrypted "XXXXXX"
username "XXXXX" password encrypted "XXXXXX"
username "XXXXX" password encrypted "XXXXXX"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
no ip firewall alg sip
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool "Private"
  network 192.168.1.0 255.255.255.0
  dns-server 8.8.8.8 8.8.4.4
  netbios-node-type h-node
  default-router 192.168.1.26
!
!
!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address XXX.13.33.201
  peer XX.176.216.29
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike policy 101
  initiate main
  respond anymode
  local-id address XXX.13.33.201
  peer XX.199.182.138
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id address XXX.199.182.138 preshared-key XXXXXXX ike-policy 101 crypto map VPN 20 no-mode-config no-xauth
crypto ike remote-id address XXX.176.216.29 preshared-key XXXXXXX ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
ip crypto map VPN 10 ipsec-ike
  description NetVanta3120
  match address ip VPN-10-vpn-selectors2
  set peer XXX.176.216.29
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
ip crypto map VPN 20 ipsec-ike
  description Pitt
  match address ip VPN-20-vpn-selectors
  set peer XXX.199.182.138
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 101
!
!
!
!
vlan 1
  name "Default"
!
!
interface eth 0/1
  speed 100
  ip address  XXX.13.33.201  255.255.255.248
  ip access-policy Public
  ip crypto map VPN
  no rtp quality-monitoring
  no awcp
  no shutdown
  no lldp send-and-receive
!
!
interface switchport 0/1
  no shutdown
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
!
!
interface vlan 1
  ip address  192.168.1.26  255.255.255.0
  ip access-policy Private
  no rtp quality-monitoring
  no awcp
  no shutdown
!
interface ppp 1
  no shutdown
!
!
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended VPN-10-vpn-selectors2
  permit ip 192.168.1.0 0.0.0.255  192.168.20.0 0.0.0.255   
!
ip access-list extended VPN-20-vpn-selectors
  permit ip 192.168.1.0 0.0.0.255  192.168.30.0 0.0.0.255   
!
ip access-list extended web-acl-10
  remark Remote IPT Audio-21000-26999
  permit udp any  host XXX.13.33.201 range 21000 26999    log
!
ip access-list extended web-acl-12
  remark SMDI-1000
  permit tcp any  host XXX.13.33.201 eq 1000   log
!
ip access-list extended web-acl-13
  remark LAN DSS and Survive-3000-3001
  permit udp any  host XXX.13.33.201 range 3000 3001    log
!
ip access-list extended web-acl-14
  remark IPEDGE Net Request-4029
  permit tcp any  host XXX.13.33.201 eq 4029   log
!
ip access-list extended web-acl-15
  remark LAN BLF-6000
  permit tcp any  host XXX.13.33.201 eq 6000   log
!
ip access-list extended web-acl-16
  remark EM HTTPS-8080
  permit tcp any  host XXX.13.33.201 eq 8080   log
!
ip access-list extended web-acl-17
  remark EM HTTPS-9443
  permit tcp any  host XXX.13.33.201 eq 9443   log
!
ip access-list extended web-acl-18
  remark Webmin-10000
  permit tcp any  host XXX.13.33.201 eq 10000   log
!
ip access-list extended web-acl-19
  remark IPedge Net Node to Node-16000-19999
  permit tcp any  host XXX.13.33.201 range 16000 19999   log
!
ip access-list extended web-acl-20
  remark Mobile App-90
  permit tcp any  host XXX.13.33.201 eq 90   log
!
ip access-list extended web-acl-21
  remark Messaging access UCEdge-42507
  permit tcp any  host XXX.13.33.201 eq 42507   log
!
ip access-list extended web-acl-23
  remark HTTPS-443
  permit tcp any  host XXX.13.33.201 eq https   log
!
ip access-list extended web-acl-24
  remark XMPP Client 1-5222
  deny   tcp any  host XXX.13.33.201 eq 5222   log
!
ip access-list extended web-acl-25
  remark XMPP Server-5269
  deny   tcp any  host XXX.13.33.201 eq 5269   log
!
ip access-list extended web-acl-26
  remark XMPP Client 2-5280
  permit tcp any  host XXX.13.33.201 eq 5280   log
!
ip access-list extended web-acl-27
  remark Net Server-8767-8768
  permit tcp any  host XXX.13.33.201 range 8767 8768   log
!
ip access-list extended web-acl-28
  remark SNMP-161
  permit udp any  host XXX.13.33.201 eq snmp    log
!
ip access-list extended web-acl-29
  remark Meeting-8444
  permit tcp any  host XXX.13.33.201 eq 8444   log
!
ip access-list extended web-acl-30
  remark 1. FonLinkHUD-5269
  permit tcp any  any eq 5269   log
!
ip access-list extended web-acl-31
  remark 1. FonHUD3-5222
  permit tcp any  any eq 5222   log
!
ip access-list extended web-acl-32
  remark 1. FonLink-4569
  permit udp any  any eq 4569    log
!
ip access-list extended web-acl-37
  remark 1. FonCall Setup-UDP-5060
  permit udp any  any eq 5060    log
!
ip access-list extended web-acl-38
  remark Redirects to 8080
  permit tcp any  host XXX.13.33.201 eq www   log
!
ip access-list extended web-acl-39
  remark Remote IPT Registration-1718-1719
  permit udp any  any range 1718 1719    log
!
ip access-list extended web-acl-40
  remark 1. Fon RTP Voice Traffice 10000-15999
  permit udp any  any range 10000 15999    log
!
ip access-list extended web-acl-9
  remark Remote IPT Megaco-2944
  permit tcp any  host XXX.13.33.201 eq 2944   log
!
!
!
ip policy-class Private
  allow list VPN-20-vpn-selectors stateless
  allow list VPN-10-vpn-selectors2 stateless
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
  allow reverse list VPN-20-vpn-selectors stateless
  allow reverse list VPN-10-vpn-selectors2 stateless
  nat destination list web-acl-40 address 192.168.1.23
  nat destination list web-acl-37 address 192.168.1.10
  nat destination list web-acl-32 address 192.168.1.23
  nat destination list web-acl-30 address 192.168.1.23
  nat destination list web-acl-25 address 192.168.1.10
  nat destination list web-acl-31 address 192.168.1.23
  nat destination list web-acl-24 address 192.168.1.10
  nat destination list web-acl-26 address 192.168.1.10
  nat destination list web-acl-9 address 192.168.1.10
  nat destination list web-acl-10 address 192.168.1.10
  nat destination list web-acl-39 address 192.168.1.10
  nat destination list web-acl-12 address 192.168.1.10
  nat destination list web-acl-13 address 192.168.1.10
  nat destination list web-acl-14 address 192.168.1.10
  nat destination list web-acl-15 address 192.168.1.10
  nat destination list web-acl-38 address 192.168.1.10
  nat destination list web-acl-16 address 192.168.1.10
  nat destination list web-acl-17 address 192.168.1.10
  nat destination list web-acl-23 address 192.168.1.10
  nat destination list web-acl-18 address 192.168.1.10
  nat destination list web-acl-19 address 192.168.1.10
  nat destination list web-acl-28 address 192.168.1.10
  nat destination list web-acl-20 address 192.168.1.10
  nat destination list web-acl-21 address 192.168.1.10
  nat destination list web-acl-27 address 192.168.1.10
  nat destination list web-acl-29 address 192.168.1.10
!
!
ip route 0.0.0.0 0.0.0.0 XXX.13.33.206
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
  login
!
line telnet 0 4
  login local-userlist
  password encrypted 1810d9a74d50ae8ffc59b58965b5818d829a
  no shutdown
line ssh 0 4
  login local-userlist
  shutdown
!
!
ntp source ethernet 0/1
ntp server 0.pool.ntp.org source ethernet 0/1
ntp server 1.pool.ntp.org source ethernet 0/1
ntp server 2.pool.ntp.org
ntp server 3.pool.ntp.org
!
!
!
!
!
end

THIRD CONFIG FILE

!
!
! ADTRAN OS version R10.9.6.E
! Boot ROM version 17.01.01.00
! Platform: NetVanta 3120, part number 1700601G2
! Serial number LBADTN1223AK109
!
!
hostname "NetVanta3120"
enable password XXXXX
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip default-gateway 192.168.20.26
ip routing
host "XXXXXX.XXXXX.XXX" 192.168.1.10
host "XXXXXX.XXXXX.XXX" 192.168.20.10
domain-proxy
name-server 208.67.220.220 208.67.221.221
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "XXXX" password "XXXXXX"
username "XXXX" password "XXXXXXX"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
ip dhcp excluded-address 192.168.20.1 192.168.20.199
!
ip dhcp pool "Private"
  network 192.168.20.0 255.255.255.0
  dns-server 8.8.8.8 8.8.4.4
  netbios-node-type h-node
  default-router 192.168.20.26
!
!
!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address XXX.176.216.29
  peer XXX.13.33.201
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id address XXX.13.33.201 preshared-key XXXXXXXXX ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
ip crypto map VPN 10 ipsec-ike
  description NetVanta3120
  match address ip VPN-10-vpn-selectors1
  set peer XXX.13.33.201
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
vlan 1
  name "Default"
!
!
interface eth 0/1
  ip address  XXX.176.216.29  255.255.255.0
  ip access-policy Public
  ip crypto map VPN
  no shutdown
  no lldp send-and-receive
!
!
interface switchport 0/1
  no shutdown
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
!
!
interface vlan 1
  ip address  192.168.20.26  255.255.255.0
  ip access-policy Private
  no shutdown
!
!
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to UNIT
  permit ip any  any     log
!
ip access-list extended VPN-10-vpn-selectors1
  permit ip 192.168.20.0 0.0.0.255  192.168.1.0 0.0.0.255   
  permit ip 192.168.20.0 0.0.0.255  192.168.30.0 0.0.0.255   
!
ip access-list extended web-acl-10
  remark IPEDGE Net Request-4029
  permit tcp any  host XXX.176.216.29 eq 4029   log
!
ip access-list extended web-acl-11
  remark LAN BLF-6000
  permit tcp any  host XXX.176.216.29 eq 6000   log
!
ip access-list extended web-acl-12
  remark EM HTTPS-8080
  permit tcp any  host XXX.176.216.29 eq 8080   log
!
ip access-list extended web-acl-13
  remark EM HTTPS-9443
  permit tcp any  host XXX.176.216.29 eq 9443   log
!
ip access-list extended web-acl-14
  remark Webmin-10000
  permit tcp any  host XXX.176.216.29 eq 10000   log
!
ip access-list extended web-acl-17
  remark Remote APP
  permit tcp any  host XXX.176.216.29 eq 90   log
!
ip access-list extended web-acl-18
  remark Messaging access UCEdge-42507
  permit tcp any  host XXX.176.216.29 eq 42507   log
!
ip access-list extended web-acl-20
  remark HTTPS-443
  permit tcp any  host XXX.176.216.29 eq https   log
!
ip access-list extended web-acl-23
  remark XMPP Client 2-5280
  permit tcp any  host XXX.176.216.29 eq 5280   log
!
ip access-list extended web-acl-24
  remark Net Server-8767-8768
  permit tcp any  host XXX.176.216.29 range 8767 8768   log
!
ip access-list extended web-acl-25
  remark SNMP-161
  permit udp any  host XXX.176.216.29 eq snmp    log
!
ip access-list extended web-acl-26
  remark 1. Fon RTP Voice Traffice 10000-20000
  permit udp any  host XXX.176.216.29 range 10000 20000    log
!
ip access-list extended web-acl-27
  remark 1. FonCall Setup-UDP-5060
  permit udp any  host XXX.176.216.29 eq 5060    log
!
ip access-list extended web-acl-28
  remark 1. FonLinkHUD-5269
  permit tcp any  any eq 5269   log
!
ip access-list extended web-acl-29
  remark 1. FonHUD3-5222
  permit tcp any  any eq 5222   log
!
ip access-list extended web-acl-30
  remark 1. FonLink-4569
  permit tcp any  any eq 4569   log
!
ip access-list extended web-acl-4
  remark Remote IPT Registration-1718-1719
  permit udp any  host XXX.176.216.29 range 1718 1719    log
!
ip access-list extended web-acl-5
  remark Remtoe IPT Megaco-2944
  permit tcp any  host XXX.176.216.29 eq 2944   log
!
ip access-list extended web-acl-6
  remark Remote IP Audio-21000-26999
  permit udp any  host XXX.176.216.29 range 21000 26999    log
!
ip access-list extended web-acl-7
  remark Redirects to 8080
  permit tcp any  host XXX.176.216.29 eq www   log
!
ip access-list extended web-acl-8
  remark SMDI-1000
  permit tcp any  host XXX.176.216.29 eq 1000   log
!
ip access-list extended web-acl-9
  remark LAN DSS and Survive-3000-3001
  permit tcp any  host XXX.176.216.29 range 3000 3001   log
!
!
!
ip policy-class Private
  allow list VPN-10-vpn-selectors1 stateless
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors1 stateless
  nat destination list web-acl-26 address 192.168.20.7
  nat destination list web-acl-27 address 192.168.20.7
  nat destination list web-acl-30 address 192.168.20.7
  nat destination list web-acl-28 address 192.168.20.7
  nat destination list web-acl-29 address 192.168.20.7
  nat destination list web-acl-23 address 192.168.20.10
  nat destination list web-acl-5 address 192.168.20.10
  nat destination list web-acl-6 address 192.168.20.10
  nat destination list web-acl-4 address 192.168.20.10
  nat destination list web-acl-8 address 192.168.20.10
  nat destination list web-acl-9 address 192.168.20.10
  nat destination list web-acl-10 address 192.168.20.10
  nat destination list web-acl-11 address 192.168.20.10
  nat destination list web-acl-7 address 192.168.20.10
  nat destination list web-acl-12 address 192.168.20.10
  nat destination list web-acl-13 address 192.168.20.10
  nat destination list web-acl-20 address 192.168.20.10
  nat destination list web-acl-14 address 192.168.20.10
  nat destination list web-acl-17 address 192.168.20.10
  nat destination list web-acl-25 address 192.168.20.10
  nat destination list web-acl-18 address 192.168.20.10
  nat destination list web-acl-24 address 192.168.20.10
!
!
ip route 0.0.0.0 0.0.0.0 XXX.176.216.1
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
  no login
!
line telnet 0 4
  login local-userlist
  password password
  no shutdown
line ssh 0 4
  login local-userlist
  no shutdown
!
!
ntp source ethernet 0/1
ntp server 0.pool.ntp.org source ethernet 0/1
ntp server 1.pool.ntp.org source ethernet 0/1
ntp server 2.pool.ntp.org
!
!
!
!
!
end

Re: Multi Site to Site VPN with 3120s

Only to add that if you are using SSL certificates instead of PSK, you will have to use the same CA certificate for all peers.

PS. Our posts crossed over.  Only the second configuration has entries for both of the other two peers.  You need to repeat the same for configuration one and configuration three.

PPS.  You probably want to edit your post and remove the passwords and user names.

--

Regards,

Mick

wtcguy
New Contributor II

Re: Multi Site to Site VPN with 3120s

Yes, I understand that.  I am currently only trying to connect config 1 to config 2 and config 2 to config 3, so config 2 would have both in it, correct?  And only config 1 and config 3 would have tunnels to config 2.  Once I have that working I will then build 1 to 3 as well.  I am stuck in getting 2 to communicate with both 1 and 3.  I appreciate any help.

Thank you

Re: Multi Site to Site VPN with 3120s

Yes, this is correct, config 2 should have a tunnel configured for each of the other peers.

I had a quick look at your config files and can't see anything amiss.  How far is the connection attempt getting?  Do you at least get IKE SAs created (phase 1) when you ping the private subnet of the remote peer to start a tunnel going?  Can you run a debugging session on both A & B and see what each reports?  Then repeat between B & C.

--

Regards,

Mick

Anonymous
Not applicable

Re: Multi Site to Site VPN with 3120s

You mentioned using the GUI, so if you need a hand capturing debug:

  • Telnet or SSH into each unit
  • Log on with the same username and password that you use in the GUI
  • Enter command
    enable
    • Default enable password is password
  • Start text logging to a file (debug output will scroll too fast to analyze)
    • If using Putty (popular terminal application for Windows), right-click the window title bar and select Change Settings... → Logging → select Printable Output and browse to a location to store the file → Apply
  • Enter command
    debug crypto ike

Now you can ping a host on the remote end and see what the debug looks like when the tunnel tries to build.  Deciphering the output can be challenging.  You can attach the text log files, but some info could be visible that may be sensitive to you, such as public IP addresses and so forth.  I might suggest calling ADTRAN and opening a ticket (or open a case here).

Some things to look for are obvious errors, as well as how many messages of quick mode and main mode you see in the sequence.  The pattern will repeat, so you should be able to see after a few cycles how far it gets.  For example, "Sent first message of quick mode," or "received second message of main mode."  Determining how far it gets into these message sequences can itself reveal the source of the problem, since each message relates to a specific aspect of the IKE and IPsec attributes.

Best,

Chris
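
To make the "how far does it get" reading mechanical, here is an added Python example (not an ADTRAN tool, and not from the thread). It splits a captured debug log into negotiation attempts, records the highest main-mode and quick-mode message number reached in each, and maps the furthest point to the group of attributes that IKEv1 negotiates at that step (RFC 2409: main mode messages 1-2 carry the SA proposal, 3-4 the Diffie-Hellman values and nonces, 5-6 the identities and the pre-shared-key authentication hash; quick mode then sets up the IPsec SA). Only the "Sent/Received <nth> message of <main|quick> mode" phrases quoted above are relied on; the timestamps, "IKE:" prefix and peer addresses in the sample are constructed and real `debug crypto ike` output will look different.

```python
"""Work out how far each IKEv1 attempt gets in a `debug crypto ike` capture.

Added example, not an ADTRAN tool.  Only the "Sent/Received <nth> message of
<main|quick> mode" phrases quoted in the reply above are relied on; the rest
of the sample line format below is constructed and will differ from real
AOS output.
"""
import re

ORDINAL = {"first": 1, "second": 2, "third": 3, "fourth": 4, "fifth": 5, "sixth": 6}
MSG_RE = re.compile(r"\b(sent|received)\s+(\w+)\s+message of (main|quick) mode", re.I)

# IKEv1 main mode (RFC 2409): messages 1-2 carry the SA proposal, 3-4 the
# Diffie-Hellman values and nonces, 5-6 the identities and the PSK-based
# authentication hash.  Quick mode (3 messages) negotiates the IPsec SA.
HINTS = {
    "no-ike": "no IKE messages at all: is the crypto map on the Internet "
              "interface, does the selector ACL match the test traffic, is UDP/500 reachable?",
    "phase1-no-reply": "first main mode message sent, nothing back: wrong peer "
              "address, UDP/500 filtered, or no matching ike policy/remote-id on the peer",
    "phase1-keyex": "proposal accepted but stalled in messages 3-4: compare "
              "encryption, hash and DH attributes and look for retransmits",
    "phase1-auth": "reached the identity/authentication exchange (5-6) and "
              "failed: pre-shared key or local-id/remote-id mismatch",
    "phase2-mismatch": "phase 1 completed but quick mode did not: transform set, "
              "PFS, lifetimes or non-mirrored selectors between the two ends",
    "complete": "IPsec SA established: if traffic still fails, look at the "
              "policy-class allow rules and routing rather than the VPN",
}


def parse_cycles(debug_text):
    """One {'main': n, 'quick': n} per attempt, n = highest message number seen."""
    cycles = []
    for line in debug_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ordinal, mode = ORDINAL[m.group(2).lower()], m.group(3).lower()
        if not cycles or (mode == "main" and ordinal == 1):   # a new negotiation attempt
            cycles.append({"main": 0, "quick": 0})
        cycles[-1][mode] = max(cycles[-1][mode], ordinal)
    return cycles


def classify(cycle):
    """Map the furthest message of one attempt to the attribute group negotiated there."""
    m, q = cycle["main"], cycle["quick"]
    if q >= 3:
        return "complete"
    if q >= 1 or m >= 6:
        return "phase2-mismatch"
    if m >= 5:
        return "phase1-auth"
    if m >= 2:
        return "phase1-keyex"
    return "phase1-no-reply" if m == 1 else "no-ike"


def analyze(debug_text):
    """Classify the attempt that got furthest; a stuck tunnel repeats the same
    stall every cycle, so one verdict describes the whole capture."""
    cycles = parse_cycles(debug_text) or [{"main": 0, "quick": 0}]
    best = max(cycles, key=lambda c: (c["quick"], c["main"]))
    stage = classify(best)
    return stage, HINTS[stage]


# Constructed capture: two attempts that both die after the fifth main mode message.
SAMPLE_DEBUG = """\
12:00:01 IKE: Sent first message of main mode to 198.51.100.2
12:00:01 IKE: Received second message of main mode from 198.51.100.2
12:00:01 IKE: Sent third message of main mode to 198.51.100.2
12:00:02 IKE: Received fourth message of main mode from 198.51.100.2
12:00:02 IKE: Sent fifth message of main mode to 198.51.100.2
12:00:12 IKE: Retransmitting to 198.51.100.2
12:00:32 IKE: Sent first message of main mode to 198.51.100.2
12:00:32 IKE: Received second message of main mode from 198.51.100.2
12:00:32 IKE: Sent third message of main mode to 198.51.100.2
12:00:33 IKE: Received fourth message of main mode from 198.51.100.2
12:00:33 IKE: Sent fifth message of main mode to 198.51.100.2
"""

if __name__ == "__main__":
    print(parse_cycles(SAMPLE_DEBUG))
    print(*analyze(SAMPLE_DEBUG), sep=": ")
```

On the constructed sample both attempts stop after the fifth main-mode message, which is the initiator's identity and authentication hash, so the verdict is `phase1-auth`: the peers agreed on the proposal and completed the key exchange, and the thing that differs is the pre-shared key or the local/remote ID. Running the same analysis on captures from both ends of a tunnel (as suggested above) tells you which side is rejecting and at which step.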

Anonymous
Not applicable

Re: Multi Site to Site VPN with 3120s

Are you having better luck with your VPN?  Keep us posted when you have a minute. 

wtcguy
New Contributor II

Re: Multi Site to Site VPN with 3120s

Apparently I did set it up correctly; it turns out that to activate the connection I needed to ping the remote.  If the connection goes down, the only way to re-activate it is either to ping or to have a device try to connect to the other side.  Is there a keep-alive setting?

Anonymous
Not applicable

Re: Multi Site to Site VPN with 3120s

Yep, the simplest way to take care of this is to create a ping probe.  The document Configuring Network Monitor in AOS is a great resource and includes a configuration example.  You can make the period 30 seconds or something like that to keep ping traffic low, and that should be perfect to keep your tunnels up.  The source and destination will need to be IP addresses that will be sent over the VPN, such as the LAN interfaces of your routers.  To keep it simple, maybe you could set up the main site router with probes to the other two.

Chris

Anonymous
Not applicable

Re: Multi Site to Site VPN with 3120s

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor