Ajoy Rajan (Australia) asked:
VPN issue

Hi Guys,

We have recently set up a 3-way VPN: one HQ and 2 branches. Two sites are configured with NBN and Fibre 400; one site is on ADSL2+. The IPsec VPN between the NBN site and the Fibre 400 site is working fine, but the ADSL2+ site shows that the VPN is configured and online, yet it is not able to ping any IP either way. Any idea why?

Regards,

Ajoy
noci:

Any logging available?
(IPsec is two parts: 1 = IKE Main phase (key setup); 2 = the tunnel: Quick Mode (the real tunnel).)

You probably also need to set up routes to the tunnels (depends on the hardware in use, though).
For the non-working tunnel, are the subnets different? You need to do this.

For site-to-site, make sure MAIN mode is ON (not Aggressive).
Look at NAT Traversal; it may need to be ON for the non-working tunnel. Try this both ways.
Not being able to ping first suggests a routing problem and, perhaps, a Windows firewall problem:

If the VPN devices are separate from the gateway device at each site:
The remote gateway must direct traffic back to its own local VPN device IP.
If the gateway and the VPN device are the same, then this is generally not necessary as the device "knows" how to route packets internal to itself.
(Not a problem for incoming traffic).

If the gateway and the VPN device are separate and the gateway has something like stateful packet inspection on the LAN side, then this may have to be changed because return packets only go through the gateway and there will be no known "state".

Windows firewall can block PING except on the local subnet. So the scope for PING or ECHO has to include the remote subnet, or at least the pinging computer on that subnet.
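As an added illustration (not part of the thread above), the following PowerShell checks the two host-side causes named in the answer on a Windows machine at one site: whether a packet for the remote branch is actually routed toward the VPN device, and whether the inbound ICMPv4 echo rule's scope is limited to the local subnet. The subnet and gateway addresses are assumed placeholders, not values from the question.

```powershell
# Added example, not from the thread. Assumed addresses (substitute your own):
# the remote branch behind the non-working tunnel is 192.168.20.0/24 and its
# gateway is 192.168.20.1. Run from an elevated PowerShell session.
$RemoteSubnet  = "192.168.20.0/24"
$RemoteGateway = "192.168.20.1"

# 1. Routing check: which interface and next hop would carry a packet to the
#    remote site? If NextHop is the ordinary default gateway rather than the
#    VPN device, the route to the tunnel described above is missing.
Find-NetRoute -RemoteIPAddress $RemoteGateway |
    Select-Object InterfaceAlias, NextHop, DestinationPrefix

# 2. Firewall scope check: show the built-in ICMPv4 echo rule(s) and their
#    remote address scope. "LocalSubnet" here means pings from the remote
#    branch are dropped even though the tunnel is up.
$echoRules = Get-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)" `
    -ErrorAction SilentlyContinue
foreach ($r in $echoRules) {
    $scope = $r | Get-NetFirewallAddressFilter
    "{0}: Enabled={1} Profile={2} RemoteAddress={3}" -f `
        $r.DisplayName, $r.Enabled, $r.Profile, ($scope.RemoteAddress -join ",")
}

# 3. Allow echo requests only from the remote VPN subnet. A dedicated,
#    narrowly scoped rule is preferable to widening the built-in rule to "Any".
$ruleName = "Allow ICMPv4 Echo from VPN branch"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $RemoteSubnet -Action Allow -Profile Domain,Private | Out-Null
}

# 4. Re-test the ping across the tunnel; the detailed output also shows the
#    source address and interface that were selected.
Test-NetConnection -ComputerName $RemoteGateway -InformationLevel Detailed
```

If step 1 already points at the VPN device and step 4 still fails, the problem is on the tunnel or gateway side (Main/Aggressive mode, NAT Traversal, or the return route at the remote gateway) rather than on the Windows host.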
ASKER CERTIFIED SOLUTION
Ajoy Rajan (Australia):
This solution is only available to members of Experts Exchange.