Solved

Remote end of ipsec tunnel not responding

Posted on 2014-10-29
422 Views
Last Modified: 2014-10-30
Hi

I have just set up an IPsec tunnel between a MikroTik RB951G and a Cisco ASA 5505,
using the SHA hash algorithm and 3DES encryption.

I followed the following presentation: http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC

The tunnel seems to be up: I have SAs for both directions, though only one has current bytes (RB => Cisco), and the info appearing in the IPsec log seems pretty positive.

I have pinged a host that is present on the remote LAN, but I get no response; it just times out.

What I can't figure out is how my packets know how to get to the remote LAN.
I haven't created an explicit route; only the IPsec policy knows of the association between our two LANs.
I don't know how I would create such a route because I don't have an 'ipsec' interface to point to.

Any ideas?
Thanks,
Yann
Question by:Yann Shukor
6 Comments
 

Expert Comment

by:Akinsd
ID: 40412592
I think you just answered your own question.

Check your routes, NAT and ACL settings.
Usually, traffic destined for the VPN needs to be excluded from NAT.
A traceroute or packet-tracer on the ASA will show you the path the traffic is taking.

Author Comment

by:Yann Shukor
ID: 40412594
I indeed have a rule which excludes traffic between the two LANs from being NATed.
Traceroute from my end (MikroTik) doesn't get any further than the router.

Assisted Solution

by:Akinsd
Akinsd earned 250 total points
ID: 40412607
"Traceroute from my end (Mikrotik) doesn't get any further than the router"

A set of asterisks (***********) would mean the traffic is blocked (ACL issue).
A "destination unreachable" would indicate the router doesn't know where to send the traffic (route issue).
ICMP traffic (especially a traceroute - type 8) through a VPN would not display past the VPN entry point (meaning your setup is correct, but the ASA is not responding).

If MikroTiks have a packet-trace feature, then try that, or have the engineer on the other end run a detailed packet-tracer from the ASA.

Author Comment

by:Yann Shukor
ID: 40412635
I'll have to wait till my customer is present to check whether his LAN knows how to reach my LAN.

The question remains though: how do I create a route to my client's LAN?
I can't point it at an IPsec interface, because there isn't one.
I tried to point it at my router's WAN IP address, but that didn't work (unreachable), then at my router's WAN interface, but the pings still don't get any responses.

Accepted Solution

by: Pete Long
Pete Long earned 250 total points
ID: 40412727
As pointed out, this sounds more like a phase 2 problem. If you have an established SA and can see bytes moving, then usually one of the sections (bytes encaps or decaps) will be at zero. This points you to the physical location of the problem; see "Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels".

P
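Added example (not part of the thread, and not the configuration from the MikroTik wiki page the question links): a RouterOS v6 configuration in the form the thread discusses, covering the three points raised above: why a policy-based tunnel needs no route or tunnel interface (the author's question), the srcnat bypass Akinsd pointed at, and the counter checks that Pete Long's encaps/decaps advice relies on. The subnets, addresses, interface name and pre-shared key are assumed placeholders constructed for illustration, not values from the thread.

```routeros
# Added example; not from the thread or from MikroTik. Assumed placeholder values:
#   local LAN  192.168.88.0/24 behind the RB951G, WAN ether1 address 198.51.100.10
#   remote LAN 10.10.0.0/24    behind the ASA,   ASA outside address 203.0.113.2
# RouterOS v6 syntax of the period (2014).

# 1. Phase 1 / phase 2 parameters matching what the thread uses (SHA1 + 3DES).
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=none
/ip ipsec peer add address=203.0.113.2/32 exchange-mode=main \
    auth-method=pre-shared-key secret="ChangeMe-PSK" \
    hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 nat-traversal=yes

# 2. The policy is the "route". A packet from the local LAN to the remote LAN is
#    forwarded via the ordinary default route, the selector below matches it, and
#    the router wraps it in ESP to sa-dst-address. No tunnel interface and no
#    static route for 10.10.0.0/24 are required; a default route toward the
#    peer is enough. Pointing a static route at the WAN address, as tried in the
#    thread, adds nothing and can only get in the way.
/ip ipsec policy add src-address=192.168.88.0/24 dst-address=10.10.0.0/24 \
    sa-src-address=198.51.100.10 sa-dst-address=203.0.113.2 \
    tunnel=yes action=encrypt proposal=default

# 3. NAT bypass. In the RouterOS packet flow srcnat is applied before the IPsec
#    policy is consulted, so masquerade would rewrite the source to
#    198.51.100.10 and the selector above would never match. place-before=0
#    puts the accept rule ahead of the masquerade rule.
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.88.0/24 dst-address=10.10.0.0/24 \
    comment="bypass srcnat for traffic to the ASA LAN"
# (Later v6 builds can match on the policy instead of on the subnets:
#   /ip firewall nat add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0)

# 4. The checks. While a ping to a remote host is running:
#    - remote-peers shows the phase 1 state;
#    - installed-sa shows both SAs with current-bytes. Bytes growing only on
#      the outbound SA (RB => ASA) with the inbound SA stuck at zero means the
#      local side is encrypting and sending, but nothing comes back: either
#      the ASA is not decrypting/replying, or the ESP / UDP 4500 packets are
#      being lost in between;
#    - nat print stats shows whether the bypass rule, not masquerade, is
#      counting the packets.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip firewall nat print stats

# 5. Confirm that IKE (UDP 500) and NAT-T (UDP 4500) actually leave and return
#    on the WAN interface. An upstream CPE that mangles or drops them (the
#    Livebox in this thread) looks exactly like a broken phase 2 from the
#    router's point of view, even when the SAs appear to be installed.
/tool sniffer quick interface=ether1 port=500,4500
```

On the ASA side the matching view is `show crypto ipsec sa`, where `#pkts encaps` and `#pkts decaps` are the counters Pete Long refers to; whichever side shows decaps at zero is the side that never receives the other end's traffic, which narrows the fault to the path in that direction.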

Author Closing Comment

by:Yann Shukor
ID: 40412868
In fact it was my Orange Livebox which was preventing the VPN from functioning correctly (even with a rule allowing ports 500 and 4500).
I used my other WAN uplink (which uses another router) and the VPN hooked up straight away, allowing my pings through.