VPN tunnel won't set up from one side?

Posted on 2011-02-16
Last Modified: 2012-05-11
We had a VPN tunnel from our Cisco firewall going to the firewall of another party, and it's been working fine for quite some time.  However, the other party recently requested that we change the peer address, due to them making some changes with their internet provider.

We changed the address in the config, in all places that the old address existed.  We also adjusted the access lists and any other areas where you'd find the old address.

Now, we are unable to initiate VPN traffic from our side.  The other side can bring the tunnel up, and it stays up for the length of its keepalive, but then it times out, and we're dead again.

Since the tunnel can be brought up from the other side, it stands to reason that the security is still correct, the peer IP address is good, etc.  The other side claims to be configured for bi-directional setup.

Any thoughts as to why we can't bring up the tunnel from our side now, when all that's changed is the peer?
Question by:aptnetworks
Expert Comment

by:Qlemo
Author Comment

by:aptnetworks
We're going to try to debug the setup attempt, but honestly, doing so is a bit over my head, as far as reading and interpreting the results.
Expert Comment

by:Qlemo
First you need to know if the issue is in Phase 1 or Phase 2. It might be something simple as the old public IP expected, but the new sent, as part of the Local ID negotiation in Phase 1.
I'm (almost) certain that it is a configuration error on the other side. Sadly, only the responder side of an IPSec tunnel will show the necessary details for rejecting a connection.

It might be easier to just look at the negotiated parameters on your side, after the tunnel is established from the other side. The SAs of both phases should show you which parameters were negotiated successfully. Compare those with what you have set up to detect the difference.
Accepted Solution

by: aptnetworks
Turns out the other side has PFS turned on, but we didn't.  Since he built a new router and a new config, it's possible that they added that and just didn't tell us.  He disabled PFS, and the tunnel came up.

Thanks!
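The mismatch described in this answer, together with the Phase 1 / Phase 2 check Qlemo suggested above, as an added example that is not the poster's or the other party's configuration. It assumes Cisco IOS IKEv1 crypto-map syntax (the question says only "Cisco firewall"; an ASA uses slightly different commands, see the note below). All addresses, names and the pre-shared key are made up for the example:

```cisco
! Added example, not the poster's config. IKEv1 site-to-site crypto map on
! two Cisco IOS routers, written to show where a PFS mismatch lives and
! how to spot it. Addresses, names and key are invented.
!
! ---- Peer A (the side that could NOT initiate) ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key ExampleKey123 address 203.0.113.20
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! No "set pfs" in this map entry, so Peer A proposes Phase 2 without PFS.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 198.51.100.10 255.255.255.0
 crypto map VPNMAP
!
! ---- Peer B (the other party's rebuilt router), differing in one line ----
! "set pfs group2" makes Peer B require a DH exchange in Phase 2 (quick mode).
! Phase 1 still completes with Peer A, so the pre-shared key, peer address
! and ISAKMP policy all look fine; only the Phase 2 proposal disagrees.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 set pfs group2
 match address VPN-TRAFFIC-B
!
! ---- Fix: make both ends agree. Either add PFS on Peer A ... ----
crypto map VPNMAP 10 ipsec-isakmp
 set pfs group2
! ---- ... or remove it on Peer B (what the other party did in the thread) ----
crypto map VPNMAP 10 ipsec-isakmp
 no set pfs
!
! ---- Checks: Phase 1 vs Phase 2 ----
! QM_IDLE in this output means Phase 1 (ISAKMP SA) is up.
show crypto isakmp sa
! Per-SA lines include "PFS (Y/N): N, DH group: none" (or Y and the group);
! compare this on both ends after the other side has brought the tunnel up.
show crypto ipsec sa
! Shows the configured PFS setting of each map entry without any traffic.
show crypto map
! Run these on the responder while the other end initiates; the responder
! is the side that logs why a proposal was rejected.
debug crypto isakmp
debug crypto ipsec
```

The point to take from the block is the split between the two phases: a bad key or peer address breaks Phase 1 and the tunnel never comes up in either direction, whereas PFS is negotiated in Phase 2, so Phase 1 can succeed and `show crypto isakmp sa` can look healthy while the IPsec SAs never form. On an ASA the same setting is a single global line of the form `crypto map <name> <seq> set pfs group2` rather than a sub-command of the map entry (assumed here from ASA syntax, not shown in the thread), and `show crypto ipsec sa` is the place to compare the negotiated PFS group on both ends.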
Expert Comment

by:Qlemo
Strange it worked one way then - it should not. Wrong PFS is detected at the latest when payload packets are exchanged.
Expert Comment

by:Qlemo
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.