Solved

VPN tunnel won't set up from one side?

Posted on 2011-02-16
7
490 Views
Last Modified: 2012-05-11
We had a VPN tunnel from our Cisco firewall going to the firewall of another party, and it's been working fine for quite some time.  However, the other party recently requested that we change the peer address, due to them making some changes with their internet provider.

We changed the address in the config, in all places that the old address existed.  We also adjusted the access lists and any other areas where you'd find the old address.

Now, we are unable to initiate VPN traffic from our side.  The other side can bring the tunnel up, and it stays up for the length of its keepalive, but then it times out, and we're dead again.

Since the tunnel can be brought up from the other side, it stands to reason that the security is still correct, the peer IP address is good, etc.  The other side claims to be configured for bi-directional setup.

Any thoughts as to why we can't bring up the tunnel from our side now, when all that's changed is the peer?
0
Question by:aptnetworks
7 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 34911766
Not being Cisco-savvy, I can not get into the details, but it seems obvious that you have a more generous config than they have. Your device is accepting the negotiated proposals and encryption domain, while that is not the same in reverse. You only know for sure if you compare what they negotiate (with the debug command on connect, and getting the negotiated SA parameters when established). The same should be done on their device.
0
 
LVL 1

Author Comment

by:aptnetworks
ID: 34974294
We're going to try to debug the setup attempt, but honestly, doing so is a bit over my head, as far as reading and interpreting the results.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 34991216
First you need to know if the issue is in Phase 1 or Phase 2. It might be something as simple as the old public IP being expected, but the new one sent, as part of the Local ID negotiation in Phase 1.
I'm (almost) certain that it is a configuration error on the other site. Sadly, only the responder side of an IPSec tunnel will show the necessary details for rejecting a connection.

It might be easier to just look at the negotiated parameters on your site, after the tunnel is established from the other site. The SAs of both phases should show you which parameters were negotiated successfully. Compare those with what you have set up to detect the difference.
0
 
LVL 1

Accepted Solution

by:
aptnetworks earned 0 total points
ID: 35012791
Turns out the other side has PFS turned on, but we didn't.  Since he built a new router and a new config, it's possible that they added that and just didn't tell us.  He disabled PFS, and the tunnel came up.

Thanks!
0
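The following is an added example, not configuration from the original poster or from either party's device. It shows the Phase 2 crypto map entry with and without PFS, as in the mismatch found above, and the exec commands used to compare the negotiated SAs the way the earlier comment recommends. It assumes Cisco ASA syntax, a hypothetical crypto map named `outside_map`, a hypothetical access list `vpn-to-partner` and transform set `ESP-AES-SHA`, and the documentation-range placeholder `203.0.113.10` for the peer address.

```cisco
! --- Phase 2 crypto map entry WITHOUT PFS (as on the poster's side) ---
! No "set pfs" line: this side proposes Quick Mode without a fresh DH exchange.
crypto map outside_map 10 match address vpn-to-partner
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA

! --- Same entry WITH PFS, matching a peer that requires it ---
! Both ends must agree: either both configure PFS with the same DH group, or neither does.
crypto map outside_map 10 match address vpn-to-partner
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set pfs group2

! --- Exec-mode checks once the OTHER side has brought the tunnel up ---
! Phase 1: the IKE SA with this peer should be in state MM_ACTIVE.
show crypto isakmp sa
! Phase 2: read the "PFS (Y/N)" and "DH group" fields for this peer and
! compare them with the crypto map entry above; a "Y" here with no
! "set pfs" locally is the mismatch to look for.
show crypto ipsec sa peer 203.0.113.10

! --- Exec-mode capture when initiating from THIS side ---
! Run both, attempt to bring the tunnel up with interesting traffic, then
! "undebug all". Phase 1 failures appear in the isakmp output, Phase 2
! (proposal/PFS/encryption-domain) failures in the ipsec output.
debug crypto isakmp 127
debug crypto ipsec 127
```

The two `show` commands are the cheapest check: they report what was actually agreed, so running them on both devices after a successful one-way setup reveals any parameter (PFS, DH group, transform set, encryption domain) that the initiator on the failing side is proposing differently.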
 
LVL 69

Expert Comment

by:Qlemo
ID: 35013107
Strange it worked one way then - it should not. Wrong PFS is detected at the latest when payload packets are exchanged.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 35275305
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0