Solved

Remote end of ipsec tunnel not responding

Posted on 2014-10-29
6
470 Views
Last Modified: 2014-10-30
Hi

I have just set up an ipsec tunnel between a Mikrotik RB951G and a Cisco ASA 5505
using SHA hash algo and 3DES encryption

I followed the following presentation: http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC

The tunnel seems to be up, I have SAs for both directions, though only one has current bytes (RB => Cisco) and the info appearing in the ipsec log seems pretty positive

I have pinged a host that is present on the remote LAN, but I get no response, it just times out

What I can't figure out is how do my packets know how to get to the remote LAN ?
I haven't created an explicit route; only the ipsec policy knows of the association between our two LANs
I don't know how I would create such a route because I don't have an 'ipsec' interface to point to

any ideas
thanks
yann
0
Question by:Yann Shukor
6 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 40412592
I think you just answered your own question.

Check your routes, NAT and ACL settings.
Usually, traffic destined for VPN needs to be excluded from NAT
A traceroute or packet-trace on the ASA will show you the path the traffic is taking
0
 

Author Comment

by:Yann Shukor
ID: 40412594
I indeed have a rule which excludes traffic between the two LANs from being NATed
Traceroute from my end (Mikrotik) doesn't get any further than the router
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 250 total points
ID: 40412607
Traceroute from my end (Mikrotik) doesn't get any further than the router
A set of asterisks (***********) would mean the traffic is blocked (ACL issue)
A destination unreachable would indicate the router doesn't know where to send the traffic (Route issue)
ICMP Traffic (especially a traceroute - type 8) through VPN would not display past the VPN entry point (meaning your setup is correct, but the ASA is not responding).

If Mikrotiks have a packet-trace feature, then try that or have the engineer on the other end run a detailed packet-trace from the ASA
0

Author Comment

by:Yann Shukor
ID: 40412635
I'll have to wait till my customer is present to check whether his LAN knows how to reach my LAN

The question remains though: how do I create a route to my client's LAN ?
I can't point it at an IPSEC interface, because there isn't one
I tried to point it at my router's WAN IP address but that didn't work: unreachable; then at my router's WAN interface, but the pings still don't get any responses
0
 
LVL 57

Accepted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 40412727
As pointed out, sounds more like a phase 2 problem. If you have established SA, and can see bytes moving, then usually one of the sections (bytes encaps or decaps) will be at zero. This points you to the physical location of the problem, see Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

P
0
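Pete Long's check above (one of the encaps/decaps counters sitting at zero tells you which side to look at) as a small added Python script; this is not code from the thread or from Cisco. It parses counters in the style of the ASA `show crypto ipsec sa` output and names the side worth investigating. The sample text is constructed in that style, with documentation-range peer addresses.

```python
import re

# Constructed sample in the style of ASA "show crypto ipsec sa" output (not real
# output from the thread). The first SA shows the one-sided pattern from the answer:
# packets are being encapsulated and sent, nothing is coming back to be decapsulated.
SAMPLE = """
peer address: 203.0.113.10
  #pkts encaps: 154, #pkts encrypt: 154, #pkts digest: 154
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
peer address: 198.51.100.7
  #pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
  #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
"""

PEER_RE = re.compile(r"peer address:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sa_counters(text):
    """Return {peer: {"encaps": n, "decaps": n}} from show-crypto-ipsec-sa style text."""
    result = {}
    current = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:  # a new SA block starts at each "peer address:" line
            current = m.group(1)
            result[current] = {"encaps": 0, "decaps": 0}
            continue
        if current is None:
            continue
        m = ENCAPS_RE.search(line)
        if m:
            result[current]["encaps"] = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            result[current]["decaps"] = int(m.group(1))
    return result


def diagnose(counters):
    """Map the encaps/decaps pattern to the side of the tunnel to examine first."""
    e, d = counters["encaps"], counters["decaps"]
    if e == 0 and d == 0:
        return "no traffic selected: check the interesting-traffic ACL/policy and NAT exemption"
    if d == 0:
        return "sending but nothing returns: check the peer's policy, NAT exemption and return route"
    if e == 0:
        return "receiving but not sending: check the local crypto ACL and NAT exemption"
    return "both directions carry traffic: phase 2 is healthy"


def diagnose_all(text):
    """Run the diagnosis for every SA found in the text."""
    return {peer: diagnose(c) for peer, c in parse_sa_counters(text).items()}
```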
 

Author Closing Comment

by:Yann Shukor
ID: 40412868
In fact it was my Orange Livebox which was preventing the VPN from functioning correctly (even with a rule allowing port 500 and 4500).
I used my other WAN uplink (which uses another router) and the VPN hooked up straight away, allowing my pings through
0
