Netvanta 3430 - Enhanced at all locations
Layout:
central location - we'll call it #1 172.16.1
remote location - #2 172.16.2
remote location - #3 172.16.3
I can setup a VPN link (using the GUI) between location #1 and #2
When setting up the VPN between locations #1 and #3 - the connection fails with various errors:
CRYPTO_IKE.NEGOTIATION IkePrepIsakmpKeyMat: IkeGetPreSharedKey failed
CRYPTO_IKE.NEGOTIATION IkeMMConstructIDMsg: IkePrepareIsakmpKeyMat failed
CRYPTO_IKE.NEGOTIATION IkeKEWaitProcess: IkeMMConstructIDMsg failed
CRYPTO_IKE.NEGOTIATION IkeProcessData : IkeKEWaitProcess failed
I have tried changing the various options - but to no avail...
I am hoping that I can establish a GRE tunnel to this site (I will test this onsite later this week).
So now the question is how can I establish a "VPN" from Site #1 to #3 - and have the traffic route correctly.
I have tested a GRE tunnel (from #1 to my house) and can get it established - with a separate IP address subnet on the GRE tunnel - and can ping the two sides of the tunnel, but I cannot route traffic across the GRE between the private LANs; I am assuming this is some sort of firewall issue - if this could work this would be fine (I understand the lack of security issue)...
But ideally having a secure connection would be best - so assuming that GRE can be established, can I create a VPN over the GRE and have it behave just like the already established VPN?
Or is there another way to solve this problem?
Paul
Did you put an access policy on your GRE interface permitting traffic through the firewall? Once FW is enabled on an AOS device, it applies across all interfaces. You need separate policies to make sure your traffic gets through the interfaces.
Are your routers all running the same version of firmware?
Can you attach a sample of your config?
Thanks for the reply
Unfortunately I am GUI handicapped - so I do need help putting down the access policy for the GRE interface, since this isn't easily implemented through the GUI.
Here is the config as requested (Homebase - central location):
! ADTRAN, Inc. OS version R10.6.0.E
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
!
!
hostname "Homebase"
enable password Password
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
!
domain-name "Homebase.contoso.com"
domain-proxy
name-server 75.75.75.75 75.75.76.76
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "admin" password "Password"
!
banner motd #
****** Important Banner Message ******
Enable and Telnet passwords are configured to "password".
HTTP and HTTPS default username is "admin" and password is "password".
Please change them immediately.
The ethernet 0/1 interface is enabled with an address of 10.10.10.1
Telnet, HTTP, and HTTPS access are also enabled.
To remove this message, while in configuration mode type "no banner motd".
****** Important Banner Message ******
#
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
ip crypto
!
crypto ike policy 101
initiate main
respond anymode
local-id address 1.2.3.177
peer 2.3.4.106
attribute 1
encryption 3des
hash md5
authentication pre-share
!
crypto ike remote-id address 2.3.4.106 preshared-key keyonetwothree ike-policy 101 crypto map VPN 20 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
crypto map VPN 20 ipsec-ike
description Eastside
match address VPN-20-vpn-selectors
set peer 2.3.4.106
set transform-set esp-3des-esp-md5-hmac
reverse-route
ike-policy 101
!
no ethernet cfm
!
interface eth 0/1
description Inside
ip address 172.16.1.254 255.255.255.0
ip access-policy Private
no shutdown
!
!
interface eth 0/2
description Internet
ip address 1.2.3.177 255.255.255.252
ip mtu 1500
ip access-policy Public
crypto map VPN
no rtp quality-monitoring
no shutdown
!
interface tunnel 1 gre ip
description HFTunnel
ip address 172.16.0.1 255.255.255.252
ip mtu 1400
ip access-policy Private
tunnel source 1.2.3.177
tunnel destination 3.6.9.165
tunnel key 12345678
keepalive
no shutdown
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended VPN-20-vpn-selectors
permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
ip access-list extended web-acl-10
remark RDP33891
permit tcp any host 172.16.1.254 eq 33891 log
!
ip access-list extended web-acl-11
remark RDP33892
permit tcp any host 1.2.3.177 eq 33892 log
!
ip access-list extended web-acl-13
remark PPTPVPN
permit gre any host 1.2.3.177 log
permit tcp any host 1.2.3.177 eq 1723 log
!
ip access-list extended web-acl-7
remark RDP33894
permit tcp any host 1.2.3.177 eq 33894 log
!
ip access-list extended web-acl-8
remark RDP33893
permit tcp any host 1.2.3.177 eq 33893 log
!
ip access-list extended wizard-remote-access
remark do not hand edit this ACL
permit icmp any any echo log
permit tcp any any eq https log
!
ip policy-class Private
allow list VPN-20-vpn-selectors stateless
allow list self self
nat source list wizard-ics interface eth 0/2 overload
!
ip policy-class Public
allow reverse list VPN-20-vpn-selectors stateless
allow list wizard-remote-access self
nat destination list web-acl-7 address 172.16.1.4 port 3389
nat destination list web-acl-8 address 172.16.1.3 port 3389
nat destination list web-acl-10 address 172.16.1.1 port 3389
nat destination list web-acl-11 address 172.16.1.2 port 3389
nat destination list web-acl-13 address 172.16.1.4
!
ip route 0.0.0.0 0.0.0.0 1.2.3.178
ip route 172.16.3.0 255.255.255.0 172.16.1.30
ip route 172.16.4.0 255.255.255.0 172.16.0.2
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
ip sip udp 5060
ip sip tcp 5060
!
line con 0
login
password Password
!
line telnet 0 4
login
password Password
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
sntp server us.pool.ntp.org version 3
!
ntp source ethernet 0/2
!
end
Again what I need to do is get subnets 172.16.1.x connected/routing to 172.16.3.x (172.16.2.x works via the VPN put in place by the wizard).
Thanks,
Paul
Apologies for a slow response to your reply.
If I understand correctly...
IPSec VPN is up - Site 1 to Site 2.
IPSec VPN will not work - Site 1 to Site 3
As an alternative, you wish to use a GRE tunnel - Site 1 to Site 3.
Your GRE tunnel config looks correct and since you are anchoring to your WAN port, which is firewalled, you may need to allow GRE through the public access policy. You have the ACL for that but I see that it is applied as a NAT destination in the public policy, which means you are forwarding any GRE packets to 172.16.1.4. I believe you want it configured like this:
ip policy-class Public
allow reverse list VPN-20-vpn-selectors stateless
allow list wizard-remote-access self
allow list web-acl-13 self
nat destination list web-acl-7 address 172.16.1.4 port 3389
nat destination list web-acl-8 address 172.16.1.3 port 3389
nat destination list web-acl-10 address 172.16.1.1 port 3389
nat destination list web-acl-11 address 172.16.1.2 port 3389
Also, once your GRE tunnel comes up, you will just need a route for the 3 network. Right now I see that route is "ip route 172.16.3.0 255.255.255.0 172.16.1.30" but if the 3 network is on the other side of the GRE tunnel then the route should be "ip route 172.16.3.0 255.255.255.0 172.16.0.2".
If I am understanding your needs correctly, then I believe this change in your configuration should work.
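As an added example (not code from the thread or from ADTRAN), here is a small Python audit that applies the two checks in the reply above and the earlier point that the AOS firewall needs a policy entry per interface: it splits a constructed excerpt of the Homebase config into blocks, flags a GRE ACL that the Public policy-class uses as a NAT destination instead of "allow list ... self", and derives the tunnel far end from the tunnel interface's /30 to verify the 172.16.3.0 route points at it. The block names and addresses are the ones posted in this thread; the block splitter is a deliberately simple assumption about the config layout, not ADTRAN's parser.

```python
import ipaddress

# Constructed excerpt of the "Homebase" config posted above, before the change suggested in the reply.
CONFIG_BEFORE = """\
ip access-list extended web-acl-13
permit gre any host 1.2.3.177 log
!
ip policy-class Public
allow list wizard-remote-access self
nat destination list web-acl-13 address 172.16.1.4
!
interface tunnel 1 gre ip
ip address 172.16.0.1 255.255.255.252
!
ip route 172.16.3.0 255.255.255.0 172.16.1.30
"""

def parse_blocks(cfg):
    """Map each top-level command to its child lines; a line of '!' closes the block (assumed layout)."""
    blocks, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line in ("", "!"):
            cur = None
        elif cur is None:
            cur = blocks.setdefault(line, [])
        else:
            cur.append(line)
    return blocks

def tunnel_peer(blocks, tunnel="interface tunnel 1 gre ip"):
    """Far-end address of the GRE /30: the other usable host in the tunnel subnet."""
    addr, mask = next(l.split()[2:4] for l in blocks[tunnel] if l.startswith("ip address"))
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return str(next(h for h in net.hosts() if str(h) != addr))

def audit(cfg, far_subnet="172.16.3.0 255.255.255.0"):
    """Findings: GRE ACL not allowed to self on Public, GRE ACL used for NAT, far LAN not routed via tunnel peer."""
    blocks, findings = parse_blocks(cfg), []
    public = blocks.get("ip policy-class Public", [])
    gre_acls = [h.split()[-1] for h, body in blocks.items()
                if h.startswith("ip access-list") and any(l.startswith("permit gre") for l in body)]
    for acl in gre_acls:
        if f"allow list {acl} self" not in public:
            findings.append(f"{acl}: missing 'allow list {acl} self' in ip policy-class Public")
        if any(l.startswith(f"nat destination list {acl}") for l in public):
            findings.append(f"{acl}: used as a NAT destination, so GRE is forwarded inside, not to the tunnel")
    peer = tunnel_peer(blocks)
    route = next((h for h in blocks if h.startswith(f"ip route {far_subnet}")), "no route")
    if route.split()[-1] != peer:
        findings.append(f"{far_subnet.split()[0]}: next hop should be tunnel peer {peer}, found '{route}'")
    return findings
```

Running `audit(CONFIG_BEFORE)` returns three findings; replacing the NAT line with "allow list web-acl-13 self" and the route next hop with 172.16.0.2 returns none.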
Thanks for the reply - I will test this out and report back.
Paul
Hi Paul, have you had any success with your configuration?
I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor