Solved

VPN tunnel won't set up from one side?

Posted on 2011-02-16
489 Views
Last Modified: 2012-05-11
We had a VPN tunnel from our Cisco firewall going to the firewall of another party, and it's been working fine for quite some time.  However, the other party recently requested that we change the peer address, due to them making some changes with their internet provider.

We changed the address in the config, in all places that the old address existed.  We also adjusted the access lists and any other areas where you'd find the old address.

Now, we are unable to initiate VPN traffic from our side.  The other side can bring the tunnel up, and it stays up for the length of its keepalive, but then it times out, and we're dead again.

Since the tunnel can be brought up from the other side, it stands to reason that the security is still correct, the peer IP address is good, etc.  The other side claims to be configured for bi-directional setup.

Any thoughts as to why we can't bring up the tunnel from our side now, when all that's changed is the peer?
Question by:aptnetworks
7 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 34911766
Being non-Cisco'ish, I cannot get into the details, but it seems obvious that you have a more generous config than they have. Your device is accepting the negotiated proposals and encryption domain, while that is not the same in reverse. You only know for sure if you compare what they negotiate (with the debug command on connect, and getting the negotiated SA parameters when established). The same should be done on their device.
 
LVL 1

Author Comment

by:aptnetworks
ID: 34974294
We're going to try to debug the setup attempt, but honestly, doing so is a bit over my head, as far as reading and interpreting the results.
 
LVL 69

Expert Comment

by:Qlemo
ID: 34991216
First you need to know if the issue is in Phase 1 or Phase 2. It might be something as simple as the old public IP being expected, but the new one sent, as part of the Local ID negotiation in Phase 1.
I'm (almost) certain that it is a configuration error on the other site. Sadly, only the responder side of an IPSec tunnel will show the necessary details for rejecting a connection.

It might be easier to just look at the negotiated parameters on your site, after the tunnel is established from the other site. The SAs of both phases should show you which parameters were negotiated successfully. Compare those with what you have set up to detect the difference.
LVL 1

Accepted Solution

by:aptnetworks (earned 0 total points)
ID: 35012791
Turns out the other side has PFS turned on, but we didn't.  Since he built a new router and a new config, it's possible that they added that and just didn't tell us.  He disabled PFS, and the tunnel came up.

Thanks!
 
LVL 69

Expert Comment

by:Qlemo
ID: 35013107
Strange it worked one way then - it should not. Wrong PFS is detected at latest when payload packets are exchanged.
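Added example, not part of the thread: a small Python model of the mismatch described in the accepted solution and the comment above, comparing two peers' Phase 1 and Phase 2 settings and trying the tunnel in both directions. The PFS rule it encodes is an assumption modelled on Cisco IOS `set pfs` behaviour (a responder without PFS accepts a PFS offer, a responder with PFS requires it), and all peer names and parameter values are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Phase1:  # ISAKMP (Phase 1) policy
    encryption: str
    hash: str
    dh_group: int

@dataclass(frozen=True)
class Phase2:  # IPsec (Phase 2) transform set plus optional PFS group
    transform: str
    pfs_group: Optional[int]  # None means PFS is not configured

@dataclass(frozen=True)
class Peer:
    name: str
    phase1: Phase1
    phase2: Phase2

def phase1_mismatches(a: Peer, b: Peer) -> list:
    """ISAKMP policy attributes that differ between the two peers."""
    return [f for f in ("encryption", "hash", "dh_group")
            if getattr(a.phase1, f) != getattr(b.phase1, f)]

def quick_mode_result(initiator: Peer, responder: Peer) -> tuple:
    """Assumed PFS rule (modelled on Cisco IOS 'set pfs'): a responder without
    PFS accepts any offer; a responder with PFS requires the same group."""
    if initiator.phase2.transform != responder.phase2.transform:
        return False, "transform set mismatch"
    offered, required = initiator.phase2.pfs_group, responder.phase2.pfs_group
    if required is None:
        return True, f"{responder.name} has no PFS requirement"
    if offered is None:
        return False, f"{responder.name} requires PFS group {required}, none offered"
    if offered != required:
        return False, f"PFS group mismatch ({offered} offered, {required} required)"
    return True, f"PFS group {offered} agreed"

def diagnose(ours: Peer, theirs: Peer) -> dict:
    """Try the tunnel in both directions and say why each succeeds or fails."""
    return {"phase1_mismatches": phase1_mismatches(ours, theirs),
            "we_initiate": quick_mode_result(ours, theirs),
            "they_initiate": quick_mode_result(theirs, ours)}

# Constructed sample configs mirroring the thread: identical Phase 1, but
# only the remote peer has PFS enabled (group 2); the fix removes it.
OURS = Peer("ours", Phase1("aes", "sha", 2), Phase2("esp-aes esp-sha-hmac", None))
THEIRS = Peer("theirs", Phase1("aes", "sha", 2), Phase2("esp-aes esp-sha-hmac", 2))
THEIRS_FIXED = replace(THEIRS, phase2=replace(THEIRS.phase2, pfs_group=None))
```

`diagnose(OURS, THEIRS)` reports the one-way behaviour from the thread (their initiation succeeds, ours is refused for lack of PFS), and `diagnose(OURS, THEIRS_FIXED)` succeeds in both directions.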
 
LVL 69

Expert Comment

by:Qlemo
ID: 35275305
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.