VPN - Re: 3-site VPN implementation w/Terminal Server - Netopia update


Author: Vince

2005-09-26, 2:46 am

I am having a serious problem with my 3-site VPN configuration. For
some reason, even though the IPSec tunnels are created, I can't ping
addresses on the remote subnets.

All sites are using ADSL, w/fixed IP addresses, although 2 sites have
underlying PPPOE encapsulation.

Each site is using a Netopia 3386-ENT router w/latest Firmware (8.5).
No firewall filter sets (perhaps this is an issue?). 3DES IPSec IKE
tunnels config'd in mesh between sites.

The computers at each site connect fine to the Internet; the routers
are using the first fixed IP of the ISP-provided address range, NAT'ing
for all hosts behind the router. It _appears_ that the IPSec tunnels
pass IKE Phase 2 negotiation, as indicated by my "WAN Event History"
log, but for some reason, I cannot ping the remote routers' IP
addresses or any other active IP hosts on the remote subnets. The
bizarre thing is, when I setup sites A and B with the IPSec tunnels, I
experienced the same symptoms (no IP pingability across the tunnel) for
about 3 hours, then all of a sudden, traffic was moving fine (hosts
were pingable between the 2 sites, rdp session established across the
VPN). Great! Or so I thought. It remained fine overnight. The next
day, when I attempted to create the mesh tunnelling to site C, IP
traffic stopped passing through the tunnels between sites A and B. Now
I have all 3 sites telling me that the IPSec tunnels are created, but I
can't get any traffic to travel across them. I've got the tunnels
"nailed" w/Timeouts of 0 and 24-hour "scheduled" connections.

Here is the router status info from site B (actual fixed IPs masked for
my protection):

Quick View

Default IP Gateway: 71.138.2xx.xx
Primary DNS Server: 206.13.29.12
Secondary DNS Server: 206.13.30.12
Gateway installed -- Primary
Domain Name: sbcglobal.net

                 MAC Address        IP Address      Status
Ethernet LAN:    00-0f-cc-20-6b-f4  192.168.1.1
Ethernet WAN1:   00-0f-cc-20-6b-f6  71.138.2xx.xx   100Mbps Full Duplex


Current WAN Connection Status
Profile Name          Rate   %Use   Remote Address   Est   More Info
Easy Setup Profile    IP     127.0.0.2   Lsd   NAT   71.138.2xx.xx


LED Status
  PWR   WAN Link   ETHERNET 1 2 3 4      LEDS: '-' = Off, 'G' = Green, 'R' = Red, 'F' = Flash
  G     G          G G G G

VPN Quick View

Profile Name          Type    Rx Pckts   Tx Pckts   RxDiscard   Remote Address
Easy Setup Profile    PPPoE   2029       1782       347         127.0.0.2
BtoA                  IPsec   26         451        0           71.138.1xx.xx
BtoC                  IPsec   61         0          0           66.125.3x.xx


WAN Event History
Current Date -- 9/25/05 04:56:35 PM

Date      Time      Event
09/25/05 16:56:32 IKE: phase 2 complete sg 66.125.3x,xx
09/25/05 16:55:30 IKE: phase 2 complete sg 71.138.1xx.xx
09/25/05 16:54:25 IKE: phase 2 complete sg 66.125.3x.xx
09/25/05 16:53:59 IKE: phase 2 complete sg 71.138.1xx.xx
09/25/05 16:53:32 IKE: phase 2 complete sg 66.125.3x,xx
09/25/05 16:53:26 IKE: phase 2 complete sg 66.125.3x.xx
09/25/05 16:52:49 IKE: phase 2 complete sg 71.138.1xx.xx
09/25/05 16:52:46 IKE: phase 2 complete sg 66.125.3x.xx
09/25/05 16:52:32 IKE: phase 2 complete sg 66.125.3x.xx
09/25/05 16:52:30 IKE: phase 2 complete sg 71.138.1xx.xx
09/25/05 16:52:25 IKE: phase 2 complete sg 66.125.3x.xx
09/25/05 16:52:23 IKE: phase 2 complete sg 66.125.3x.xx
09/25/05 16:52:20 IKE: phase 2 complete sg 66.125.3x.xx
09/25/05 16:52:19 IKE: phase 2 complete sg 66.125.3x.xx

(Should the phase 2 re-negotiation take place so frequently?)


Here's the IPSec tunnel info:

Site A
IPSec TunnelA-B
Local Subnet: 192.168.0.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.1.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: xxx.xxx.xxx.xxx (Site B static ip)

IPSec TunnelA-C
Local Subnet: 192.168.0.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.2.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: xxx.xxx.xxx.xxx (Site C static ip)

Site B
IPSec TunnelB-A
Local Subnet: 192.168.1.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.0.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: xxx.xxx.xxx.xxx (Site A static ip)

IPSec TunnelB-C
Local Subnet: 192.168.1.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.2.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: xxx.xxx.xxx.xxx (Site C static ip)

Site C
IPSec TunnelC-A
Local Subnet: 192.168.2.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.0.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: xxx.xxx.xxx.xxx (Site A static ip)

IPSec TunnelC-B
Local Subnet: 192.168.2.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.1.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: xxx.xxx.xxx.xxx (Site B static ip)

If anyone can offer insight to my dilemma (paging Mike Dreschler....),
I would greatly appreciate any help you can provide.

Please let me know if I need to post more info about my configs.

Thanks in advance,

Vince
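Two things in the post above can be checked mechanically: whether "phase 2 complete" showing up every minute or so for the same peer is out of the ordinary, and whether the six tunnel definitions really mirror each other (local/remote selectors swapped, endpoints pointing at the right site, no overlapping LANs). The following Python script is an added example written for this thread; it is not code from the post or from Netopia. The log lines in it are constructed to match the shape of the poster's "WAN Event History", the WAN endpoints are documentation-range placeholders standing in for the masked static IPs (203.0.113.10 for site A, 192.0.2.10 for site B, 198.51.100.20 for site C), and the LAN subnets are the ones the post lists. A phase 2 SA is normally rebuilt only when its configured lifetime expires, which is typically on the order of an hour, so the script flags any peer whose completions arrive closer together than that (the threshold is an assumption, adjustable via the parameter).

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a Netopia "WAN Event History", shaped like the poster's log.
# The masked peer addresses are replaced with documentation-range placeholders
# (203.0.113.10 = hypothetical site A, 198.51.100.20 = hypothetical site C).
SAMPLE_EVENTS = """\
09/25/05 16:56:32 IKE: phase 2 complete sg 198.51.100.20
09/25/05 16:55:30 IKE: phase 2 complete sg 203.0.113.10
09/25/05 16:54:25 IKE: phase 2 complete sg 198.51.100.20
09/25/05 16:53:59 IKE: phase 2 complete sg 203.0.113.10
09/25/05 16:53:32 IKE: phase 2 complete sg 198.51.100.20
09/25/05 16:53:26 IKE: phase 2 complete sg 198.51.100.20
09/25/05 16:52:49 IKE: phase 2 complete sg 203.0.113.10
09/25/05 16:52:46 IKE: phase 2 complete sg 198.51.100.20
"""

# One "phase 2 complete" line: date, time, and the security-gateway (sg) peer address.
EVENT_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}) IKE: phase 2 complete sg (\S+)$")


def phase2_intervals(log_text):
    """Map each peer to the seconds between its consecutive phase 2 completions."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%y %H:%M:%S")
            stamps[m.group(3)].append(when)
    intervals = {}
    for peer, times in stamps.items():
        times.sort()  # the router lists newest first
        intervals[peer] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return intervals


def flapping_peers(log_text, min_expected_lifetime=3600):
    """Peers whose phase 2 SA was rebuilt sooner than a plausible SA lifetime (assumed 1 h)."""
    return sorted(peer for peer, gaps in phase2_intervals(log_text).items()
                  if gaps and min(gaps) < min_expected_lifetime)


# Constructed transcription of the poster's three sites. LAN subnets are the ones
# listed in the post; the WAN endpoints are placeholders for the masked static IPs.
SITES = {
    "A": {"wan": "203.0.113.10", "lan": "192.168.0.0/24"},
    "B": {"wan": "192.0.2.10", "lan": "192.168.1.0/24"},
    "C": {"wan": "198.51.100.20", "lan": "192.168.2.0/24"},
}

# The six tunnel definitions as listed in the post (endpoints are the placeholders above).
TUNNELS = [
    {"site": "A", "name": "TunnelA-B", "local": "192.168.0.0/24", "remote": "192.168.1.0/24", "endpoint": "192.0.2.10"},
    {"site": "A", "name": "TunnelA-C", "local": "192.168.0.0/24", "remote": "192.168.2.0/24", "endpoint": "198.51.100.20"},
    {"site": "B", "name": "TunnelB-A", "local": "192.168.1.0/24", "remote": "192.168.0.0/24", "endpoint": "203.0.113.10"},
    {"site": "B", "name": "TunnelB-C", "local": "192.168.1.0/24", "remote": "192.168.2.0/24", "endpoint": "198.51.100.20"},
    {"site": "C", "name": "TunnelC-A", "local": "192.168.2.0/24", "remote": "192.168.0.0/24", "endpoint": "203.0.113.10"},
    {"site": "C", "name": "TunnelC-B", "local": "192.168.2.0/24", "remote": "192.168.1.0/24", "endpoint": "192.0.2.10"},
]


def check_mesh(sites, tunnels):
    """Return a list of findings; an empty list means every tunnel has a consistent mirror."""
    findings = []
    lans = {name: ipaddress.ip_network(s["lan"]) for name, s in sites.items()}
    wan_to_site = {s["wan"]: name for name, s in sites.items()}
    names = sorted(lans)
    # 1. LAN subnets must be disjoint, or the router cannot pick one tunnel per destination.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if lans[a].overlaps(lans[b]):
                findings.append(f"LAN overlap between {a} ({lans[a]}) and {b} ({lans[b]})")
    pairs = set()
    for t in tunnels:
        # 2. The local selector must be the site's own LAN.
        if ipaddress.ip_network(t["local"]) != lans[t["site"]]:
            findings.append(f"{t['name']}: local {t['local']} is not {t['site']}'s LAN")
        # 3. The endpoint must be a known site, and the remote selector must be that site's LAN.
        peer = wan_to_site.get(t["endpoint"])
        if peer is None:
            findings.append(f"{t['name']}: endpoint {t['endpoint']} is not a known site")
            continue
        if ipaddress.ip_network(t["remote"]) != lans[peer]:
            findings.append(f"{t['name']}: remote {t['remote']} is not {peer}'s LAN")
        pairs.add((t["site"], peer))
    # 4. Every tunnel needs a mirror defined on the far side.
    for site, peer in sorted(pairs):
        if (peer, site) not in pairs:
            findings.append(f"{peer} has no tunnel back to {site}")
    return findings


if __name__ == "__main__":
    for peer, gaps in phase2_intervals(SAMPLE_EVENTS).items():
        print(f"{peer}: seconds between phase 2 completions = {gaps}")
    print("peers rekeying far too often:", flapping_peers(SAMPLE_EVENTS))
    print("mesh findings:", check_mesh(SITES, TUNNELS) or "none")
```

Run against the constructed log, both peers come out with gaps of seconds to a couple of minutes, far below any SA lifetime a router would be configured with, which is the signal worth chasing in the far-end logs: something on one side is dropping the SA and negotiating a fresh one rather than the tunnel simply idling. The mesh check returns no findings for the tunnel table as posted, which is useful in itself: the selectors and endpoints are mutually consistent, so the cause has to be in something the table does not show (proposal settings, NAT handling of the tunnelled subnets, or filter sets, for example) rather than in a mistyped subnet. Editing one entry, say pointing TunnelB-C at 192.168.3.0/24, produces exactly one finding naming the tunnel and the LAN it should have used.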
