Mike Drechsler - SPAM PROTECTED EMAIL 2005-09-26, 7:46 am
Vince wrote:
> I am having a serious problem with my 3-site VPN configuration. For
> some reason, even though the IPSec tunnels are created, I can't ping
> addresses on the remote subnets.
>
> All sites are using ADSL, w/fixed IP addresses, although 2 sites have
> underlying PPPOE encapsulation.
>
> Each site is using a Netopia 3386-ENT router w/latest Firmware (8.5).
> No firewall filter sets (perhaps this is an issue?). 3DES IPSec IKE
> tunnels config'd in mesh between sites.
>
> The computers at each site connect fine to the Internet; the routers
> are using the first fixed IP of the ISP-provided address range, NAT'ing
> for all hosts behind the router. It _appears_ that the IPSec tunnels
> pass IKE Phase 2 negotiation, as indicated by my "WAN Event History"
> log, but for some reason, I cannot ping the remote routers' IP
> addresses or any other active IP hosts on the remote subnets. The
> bizarre thing is, when I set up sites A and B with the IPSec tunnels, I
> experienced the same symptoms (no IP pingability across the tunnel) for
> about 3 hours, then all of a sudden, traffic was moving fine (hosts
> were pingable between the 2 sites, rdp session established across the
> VPN). Great! Or so I thought. It remained fine overnight. The next
> day, when I attempted to create the mesh tunnelling to site C, IP
> traffic stopped passing through the tunnels between sites A and B. Now
> I have all 3 sites telling me that the IPSec tunnels are created, but I
> can't get any traffic to travel across them. I've got the tunnels
> "nailed" w/Timeouts of 0 and 24-hour "scheduled" connections.
>
> Here is the router status info from site B (actual fixed IPs masked for
> my protection):
>
> Quick View
>
> Default IP Gateway: 71.138.2xx.xx
> Primary DNS Server: 206.13.29.12 Gateway installed -- Primary
> Secondary DNS Server: 206.13.30.12 Domain Name: sbcglobal.net
>
> ----------------MAC Address--------IP Address-------Status--------------------
> Ethernet LAN:   00-0f-cc-20-6b-f4  192.168.1.1
> Ethernet WAN1:  00-0f-cc-20-6b-f6  71.138.2xx.xx  100Mbps Full Duplex
>
>
> Current WAN Connection Status
> Profile Name--------Rate------%Use--Remote Address-----Est-More Info----------
> Easy Setup Profile  IP  127.0.0.2  Lsd  NAT  71.138.2xx.xx
>
>
>
> VPN QuickView
> LED Status
> -PWR---------WAN Link---------------ETHERNET-----------+--------LEDS---------
>                                     1 2 3 4            | '-'= Off  'G'= Green
>  G           G                      G G G G            | 'R'= Red  'F'= Flash
>
>
>
>
> VPN Quick View
>
> Profile Name----------Type----Rx Pckts---Tx Pckts--RxDiscard--Remote Address--
> Easy Setup Profile    PPPoE   2029       1782      347        127.0.0.2
> BtoA                  IPsec   26         451       0          71.138.1xx.xx
> BtoC                  IPsec   61         0         0          66.125.3x.xx
>
>
> WAN Event History
> Current Date -- 9/25/05
> 04:56:35 PM
>
> -Date-----Time-----Event------------------------------------------------------
> ----------------------------------SCROLL UP-----------------------------------
> 09/25/05 16:56:32 IKE: phase 2 complete sg 66.125.3x,xx
> 09/25/05 16:55:30 IKE: phase 2 complete sg 71.138.1xx.xx
> 09/25/05 16:54:25 IKE: phase 2 complete sg 66.125.3x.xx
> 09/25/05 16:53:59 IKE: phase 2 complete sg 71.138.1xx.xx
> 09/25/05 16:53:32 IKE: phase 2 complete sg 66.125.3x,xx
> 09/25/05 16:53:26 IKE: phase 2 complete sg 66.125.3x.xx
> 09/25/05 16:52:49 IKE: phase 2 complete sg 71.138.1xx.xx
> 09/25/05 16:52:46 IKE: phase 2 complete sg 66.125.3x.xx
> 09/25/05 16:52:32 IKE: phase 2 complete sg 66.125.3x.xx
> 09/25/05 16:52:30 IKE: phase 2 complete sg 71.138.1xx.xx
> 09/25/05 16:52:25 IKE: phase 2 complete sg 66.125.3x.xx
> 09/25/05 16:52:23 IKE: phase 2 complete sg 66.125.3x.xx
> 09/25/05 16:52:20 IKE: phase 2 complete sg 66.125.3x.xx
> 09/25/05 16:52:19 IKE: phase 2 complete sg 66.125.3x.xx
> ---------------------------------SCROLL DOWN----------------------------------
> Clear History...
>
> (Should the phase 2 re-negotiation take place so frequently?)
>
>
> Here's the IPSec tunnel info:
>
> Site A
> IPSec TunnelA-B
> Local Subnet: 192.168.0.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.1.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: xxx.xxx.xxx.xxx (Site B static ip)
>
> IPSec TunnelA-C
> Local Subnet: 192.168.0.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.2.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: xxx.xxx.xxx.xxx (Site C static ip)
>
> Site B
> IPSec TunnelB-A
> Local Subnet: 192.168.1.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.0.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: xxx.xxx.xxx.xxx (Site A static ip)
>
> IPSec TunnelB-C
> Local Subnet: 192.168.1.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.2.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: xxx.xxx.xxx.xxx (Site C static ip)
>
> Site C
> IPSec TunnelC-A
> Local Subnet: 192.168.2.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.0.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: xxx.xxx.xxx.xxx (Site A static ip)
>
> IPSec TunnelC-B
> Local Subnet: 192.168.2.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.1.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: xxx.xxx.xxx.xxx (Site B static ip)
>
> If anyone can offer insight to my dilemma (paging Mike Drechsler....),
> I would greatly appreciate any help you can provide.
>
> Please let me know if I need to post more info about my configs.
>
> Thanks in advance,
>
> Vince
>
On the surface things look ok except that the Phase 2 connections are
renegotiating constantly. Go into the WAN connection profiles and take
a look at things like Emulation options->Advanced IPsec options to make
sure the lifetime values look sane. You can either set them to 0 on
both sides to make the Phase 2 connections last until the Phase 1 level
connection expires or pick something rational like 8 hours (28800
seconds).
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
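One way to confirm what the reply points out (phase 2 completing every minute or so instead of living out its lifetime) is to measure the gaps between "phase 2 complete" events per gateway in the WAN Event History. This is an added example, not part of the thread or of the Netopia firmware; the log lines are constructed in the format quoted above with placeholder addresses, and the 28800-second lifetime is the value suggested in the reply.

```python
"""Flag IPsec peers whose IKE phase 2 SAs complete far more often than the
configured lifetime explains, from Netopia-style "WAN Event History" lines."""
from collections import defaultdict
from datetime import datetime
from statistics import median
import re

# Line shape quoted in the thread: "MM/DD/YY HH:MM:SS IKE: phase 2 complete sg <gw>"
EVENT_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}) IKE: phase 2 complete sg (\S+)$"
)

# Constructed sample (placeholder addresses): two flapping peers plus one
# healthy peer that rekeys on an 8-hour lifetime.
SAMPLE_LOG = """\
09/25/05 16:56:32 IKE: phase 2 complete sg 66.125.30.10
09/25/05 16:55:30 IKE: phase 2 complete sg 71.138.100.20
09/25/05 16:54:25 IKE: phase 2 complete sg 66.125.30.10
09/25/05 16:53:59 IKE: phase 2 complete sg 71.138.100.20
09/25/05 16:53:32 IKE: phase 2 complete sg 66.125.30.10
09/25/05 16:52:49 IKE: phase 2 complete sg 71.138.100.20
09/25/05 16:52:46 IKE: phase 2 complete sg 66.125.30.10
09/25/05 16:52:46 IKE: phase 2 complete sg 10.9.8.7
09/25/05 08:52:46 IKE: phase 2 complete sg 10.9.8.7
09/25/05 00:52:46 IKE: phase 2 complete sg 10.9.8.7
---------------------------------SCROLL DOWN----------------------------------
"""

def parse_events(text):
    """Return {gateway: [timestamps, ascending]} for phase 2 completions."""
    by_gw = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip scroll markers, headers, and unrelated events
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%y %H:%M:%S")
        by_gw[m.group(3)].append(ts)
    return {gw: sorted(stamps) for gw, stamps in by_gw.items()}

def flag_flapping(text, lifetime_s=28800, min_events=3, ratio=0.1):
    """Return {gateway: median_gap_s} for peers whose typical gap between
    phase 2 completions is below ratio * lifetime (SA not living out its life)."""
    flagged = {}
    for gw, stamps in parse_events(text).items():
        if len(stamps) < min_events:
            continue  # too few samples to call it flapping
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        typical = median(gaps)
        if typical < ratio * lifetime_s:
            flagged[gw] = typical
    return flagged
```

Peers flagged this way are candidates for the lifetime check described in the reply; a peer that rekeys on schedule (the 10.9.8.7 placeholder above) is left alone.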