VPN - Re: 3-site VPN implementation w/Terminal Server - Netopia update


Author Re: 3-site VPN implementation w/Terminal Server - Netopia update
Mike Drechsler - SPAM PROTECTED EMAIL

2005-10-01, 2:46 am

Vince wrote:
> OK, here's where I stand with this frustrating setup.
>
> Site A: phase2 renegotiation with Site B takes place every few
> seconds. Can ping router addresses at sites B and C, but can only
> ping remote host IP addresses at site C.
> Site B: phase2 renegotiation with Site A takes place every few
> seconds. Can ping router addresses at sites A and C, but can't ping
> remote host IP addresses at sites A or C.
> Site C: phase1 and 2 renegotiations occur at scheduled intervals. Can
> ping router addresses at sites A and B, but can't ping remote host IP
> addresses at sites A or B.
>
> If anyone can offer insight to what I am doing wrong, I would greatly
> appreciate it. Mike, I am in
> dire need of your wisdom.
>
> Here's a recap of the tunnel info, along with my router config dumps:
>
> Site A (207)
> IPSec TunnelA-B
> Local Subnet: 192.168.0.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.1.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: 71.138.2xx.xx (Site B static ip)
> cp 2 tag AtoB

SNIP
> cp 2 ipsec ike phase1 2
> cp 2 ipsec ip remote members 192.168.1.0/24 sg 71.138.2xx.xx local members 192.168.0.0/24 ;[Net 0]

SNIP
>
> IPSec TunnelA-C
> Local Subnet: 192.168.0.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.2.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: 66.125.3x.xxx (Site C static ip)
> cp 3 tag SBCto805

SNIP
> cp 3 ipsec ike phase1 2
> cp 3 ipsec ip remote members 192.168.2.0/24 sg 66.125.3x.xxx local members 192.168.0.0/24 ;[Net 0]

SNIP
> Site B (Montebello)
> IPSec TunnelB-A
> Local Subnet: 192.168.1.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.0.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: 71.138.1xx.xxx (Site A static ip)
> cp 4 tag BtoA

SNIP
> cp 4 ipsec ike phase1 2
> cp 4 ipsec ip remote members 192.168.0.0/24 sg 71.138.1xx.xxx local members 192.168.1.0/24 ;[Net 0]

SNIP
>
> IPSec TunnelB-C
> Local Subnet: 192.168.1.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.2.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: 66.125.3x.xxx (Site C static ip)
> cp 3 tag BtoC

SNIP
> cp 3 ipsec ike phase1 2
> cp 3 ipsec ip remote members 192.168.2.0/24 sg 66.125.3x.xxx local members 192.168.1.1/24 ;[Net 0]

SNIP
>
>
> Site C
> IPSec TunnelC-A
> Local Subnet: 192.168.2.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.0.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: 71.138.1xx.xxx (Site A static ip)
> cp 3 tag CtoA

SNIP
> cp 3 ipsec ike phase1 2
> cp 3 ipsec ip remote members 192.168.0.0/24 sg 71.138.1xx.xxx local members 192.168.2.0/24 ;[Net 0]

SNIP
>
>
> IPSec TunnelC-B
> Local Subnet: 192.168.2.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.1.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: 71.138.2xx.xx (Site B static ip)
> cp 2 tag CtoB

SNIP
> cp 2 ipsec ike phase1 2
> cp 2 ipsec ip remote members 192.168.1.0/24 sg 71.138.2xx.xx local members 192.168.2.0/24 ;[Net 0]

SNIP
>
> The IKE config is identical on all 3 routers, as determined by using
> Beyond Compare:
> ike phase1 2 authentication method shared-secret
> ike phase1 2 authentication shared-secret ascii *****
> ike phase1 2 dangling-sas no
> ike phase1 2 encryption 3des
> ike phase1 2 group 2
> ike phase1 2 hash md5
> ike phase1 2 id 2
> ike phase1 2 identity local ipv4-address 0.0.0.0
> ike phase1 2 identity remote ipv4-address 0.0.0.0
> ike phase1 2 independent rekeys yes
> ike phase1 2 initial-contact yes
> ike phase1 2 invalid-spi-recovery no
> ike phase1 2 mode main
> ike phase1 2 negotiation normal
> ike phase1 2 port policy permissive
> ike phase1 2 sa lifetime seconds 28800
> ike phase1 2 sa lifetime kbytes none
> ike phase1 2 sa use-policy new-sas-immediately
> ike phase1 2 tag "DHC IKE Profile"
> ike phase1 2 vendor-id yes
>
>
> Since this last config dump, I have tried scheduling the phase 2
> duration to be half that of phase 1 (4 hours instead of 8), following
> some recommendations I found elsewhere. No help.
>


Ok, I think I know what you have going on. You are using the same IKE
phase 1 session for 2 different endpoints. You should set up a separate
phase 1 IKE connection for each router pair with its own password. I
personally like randomly generated passwords for these. I don't even
bother to remember the password, I just generate a new one if I ever
need to change it.

So on each site, you should have 2 connection profiles and 2 IKE
profiles. One for each remote router that will be connecting to that
router. They should not share an IKE configuration even though the
router lets you do this.


--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
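Added check, not from the thread or from Netopia's own tooling: this Python script parses a dump in the line format quoted above (a constructed sample mirroring Site A's two tunnels) and flags connection profiles that point at one IKE phase 1 profile towards different gateways, which is the sharing Mike identifies; the regexes assume the `cp N ...` and `ike phase1 N ...` line shapes exactly as quoted.

```python
import re
from collections import defaultdict

# Constructed sample mirroring Site A: both tunnels use "ike phase1 2",
# whose remote identity is the 0.0.0.0 wildcard, so either peer matches it.
SAMPLE_CONFIG = """
cp 2 ipsec ike phase1 2
cp 2 ipsec ip remote members 192.168.1.0/24 sg 71.138.2xx.xx local members 192.168.0.0/24
cp 3 ipsec ike phase1 2
cp 3 ipsec ip remote members 192.168.2.0/24 sg 66.125.3x.xxx local members 192.168.0.0/24
ike phase1 2 authentication method shared-secret
ike phase1 2 identity local ipv4-address 0.0.0.0
ike phase1 2 identity remote ipv4-address 0.0.0.0
"""

CP_IKE = re.compile(r"^cp (\d+) ipsec ike phase1 (\d+)$")
CP_SG = re.compile(r"^cp (\d+) ipsec ip remote members \S+ sg (\S+) ")
IKE_REMOTE_ID = re.compile(r"^ike phase1 (\d+) identity remote ipv4-address (\S+)$")


def audit_ike_sharing(config_text):
    """Return a list of finding strings; an empty list means no sharing found."""
    profile_to_cps = defaultdict(list)   # ike phase1 id -> connection profile ids
    cp_to_peer = {}                      # cp id -> remote gateway ("sg" value)
    remote_ids = {}                      # ike phase1 id -> remote identity
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := CP_IKE.match(line):
            profile_to_cps[m.group(2)].append(m.group(1))
        elif m := CP_SG.match(line):
            cp_to_peer[m.group(1)] = m.group(2)
        elif m := IKE_REMOTE_ID.match(line):
            remote_ids[m.group(1)] = m.group(2)

    findings = []
    for ike_id, cps in profile_to_cps.items():
        peers = {cp_to_peer.get(cp, "?") for cp in cps}
        if len(peers) > 1:
            findings.append(f"ike phase1 {ike_id} shared by cp {', '.join(cps)} "
                            f"towards {len(peers)} gateways: {', '.join(sorted(peers))}")
        # A wildcard remote identity lets any peer claim the shared profile.
        if len(cps) > 1 and remote_ids.get(ike_id) == "0.0.0.0":
            findings.append(f"ike phase1 {ike_id} uses wildcard remote identity "
                            f"0.0.0.0 while serving {len(cps)} profiles")
    return findings


if __name__ == "__main__":
    for finding in audit_ike_sharing(SAMPLE_CONFIG):
        print(finding)
```

Run it against each router's full dump; a clean three-site setup reports nothing because every `cp` references its own `ike phase1` profile.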
Copyright 2003 - 2008 webservertalk.com