Solved

VPN tunnel won't set up from one side?

Posted on 2011-02-16
Last Modified: 2012-05-11
We had a VPN tunnel from our Cisco firewall going to the firewall of another party, and it's been working fine for quite some time.  However, the other party recently requested that we change the peer address, due to them making some changes with their internet provider.

We changed the address in the config, in all places that the old address existed.  We also adjusted the access lists and any other areas where you'd find the old address.

Now, we are unable to initiate VPN traffic from our side.  The other side can bring the tunnel up, and it stays up for the length of its keepalive, but then it times out, and we're dead again.

Since the tunnel can be brought up from the other side, it stands to reason that the security is still correct, the peer IP address is good, etc.  The other side claims to be configured for bi-directional setup.

Any thoughts as to why we can't bring up the tunnel from our side now, when all that's changed is the peer?
Question by:aptnetworks
7 Comments
 
LVL 71

Expert Comment

by:Qlemo
ID: 34911766
Being non-Cisco'ish, I can not get into the details, but it seems obvious that you have a more generous config than they have. Your device is accepting the negotiated proposals and encryption domain, while that is not the same in reverse. You only know for sure if you compare what they negotiate (with the debug command on connect, and getting the negotiated SA parameters when established). The same should be done on their device.
0
 
LVL 1

Author Comment

by:aptnetworks
ID: 34974294
We're going to try to debug the setup attempt, but honestly, doing so is a bit over my head, as far as reading and interpreting the results.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 34991216
First you need to know if the issue is in Phase 1 or Phase 2. It might be something as simple as the old public IP expected, but the new one sent, as part of the Local ID negotiation in Phase 1.
I'm (almost) certain that it is a configuration error on the other site. Sadly, only the responder side of an IPSec tunnel will show the necessary details for rejecting a connection.

It might be easier to just look at the negotiated parameters on your site, after the tunnel is established from the other site. The SAs of both phases should show you which parameters were negotiated successfully. Compare those with what you have set up to detect the difference.
0
 
LVL 1

Accepted Solution

by:aptnetworks (earned 0 total points)
ID: 35012791
Turns out the other side has PFS turned on, but we didn't.  Since he built a new router and a new config, it's possible that they added that and just didn't tell us.  He disabled PFS, and the tunnel came up.

Thanks!
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 35013107
Strange it worked one way then - it should not. Wrong PFS is detected at latest when payload packets are exchanged.
0
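The one-way behaviour described in the accepted solution, as an added example that is not part of this thread: a small Python model of the IKEv1 Quick Mode PFS rule plus a check for the negotiated PFS setting that the earlier comment suggests comparing. It assumes Cisco's documented behaviour for `set pfs` (a responder with no PFS configured accepts a PFS offer; a responder with PFS configured requires the initiator to perform the PFS exchange) and an IOS-style `PFS (Y/N)` line in `show crypto ipsec sa`; the SA dump and SPI value are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Phase2Config:
    """Phase 2 (Quick Mode) settings of one peer; pfs_group is None when PFS is off."""
    name: str
    pfs_group: Optional[str] = None


def responder_accepts(initiator: Phase2Config, responder: Phase2Config) -> bool:
    """Assumed rule (Cisco `set pfs` documentation): a responder without PFS takes
    whatever the initiator offers; a responder with PFS needs the initiator to do the
    PFS exchange with the same DH group, otherwise Quick Mode fails."""
    if responder.pfs_group is None:
        return True
    return initiator.pfs_group == responder.pfs_group


def tunnel_matrix(a: Phase2Config, b: Phase2Config) -> Dict[str, bool]:
    """Try bringing the tunnel up from each side and report the outcome per direction."""
    return {
        f"{a.name} initiates": responder_accepts(a, b),
        f"{b.name} initiates": responder_accepts(b, a),
    }


# IOS-style line from `show crypto ipsec sa`, e.g. "PFS (Y/N): Y, DH group: group2"
PFS_LINE = re.compile(r"PFS \(Y/N\): ([YN])(?:, DH group: (\S+))?")


def negotiated_pfs(show_crypto_ipsec_sa: str) -> Optional[str]:
    """Return the negotiated PFS group from a `show crypto ipsec sa` dump, None if PFS is off."""
    m = PFS_LINE.search(show_crypto_ipsec_sa)
    if m is None or m.group(1) == "N":
        return None
    return m.group(2)


if __name__ == "__main__":
    ours = Phase2Config("ours")                           # no `set pfs` on our crypto map
    theirs = Phase2Config("theirs", pfs_group="group2")   # PFS enabled on their new router
    print(tunnel_matrix(ours, theirs))        # only "theirs initiates" is True
    # Constructed sample of the SA seen on our side after they brought the tunnel up:
    sample = "     current outbound spi: 0x1A2B3C4D\n     PFS (Y/N): Y, DH group: group2\n"
    print(negotiated_pfs(sample))             # group2, which our own config does not set
    print(tunnel_matrix(ours, Phase2Config("theirs")))  # both True once PFS matches
```

The mismatch shows up in the SA that the working direction establishes, so comparing that SA's PFS field with the local crypto map finds the problem without reading debug output.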
 
LVL 71

Expert Comment

by:Qlemo
ID: 35275305
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
