Forums before death by AOL, social media and spammers... "We can't have nice things"
comp.dcom.vpn - VPN protocols, clients, awesomeness - 2,349 messages
Message 1,756 of 2,349
From: Mike Drechsler - SPAM PROTECTED EMA
To: Vince
Subject: Re: 3-site VPN implementation w/Terminal
Date: 01 Oct 05 05:44:39
XPost: microsoft.public.windows.terminal_services
From: mike-newsgroup@-DELETETHISPART-.upcraft.com

Vince wrote:
> OK, here's where I stand with this frustrating setup.
>
> Site A: phase2 renegotiation with Site B takes place every few seconds. Can ping router addresses at sites B and C, but can only ping remote host IP addresses at site C.
> Site B: phase2 renegotiation with Site A takes place every few seconds. Can ping router addresses at sites A and C, but can't ping remote host IP addresses at sites A or C.
> Site C: phase1 and 2 renegotiations occur at scheduled intervals. Can ping router addresses at sites A and B, but can't ping remote host IP addresses at sites A or B.
>
> If anyone can offer insight into what I am doing wrong, I would greatly appreciate it. Mike, I am in dire need of your wisdom.
>
> Here's a recap of the tunnel info, along with my router config dumps:
>
> Site A (207)
> IPSec TunnelA-B
> Local Subnet: 192.168.0.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.1.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: 71.138.2xx.xx (Site B static ip)
> cp 2 tag AtoB
SNIP
> cp 2 ipsec ike phase1 2
> cp 2 ipsec ip remote members 192.168.1.0/24 sg 71.138.2xx.xx local members 192.168.0.0/24 ;[Net 0]
SNIP
>
> IPSec TunnelA-C
> Local Subnet: 192.168.0.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.2.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: 66.125.3x.xxx (Site C static ip)
> cp 3 tag SBCto805
SNIP
> cp 3 ipsec ike phase1 2
> cp 3 ipsec ip remote members 192.168.2.0/24 sg 66.125.3x.xxx local members 192.168.0.0/24 ;[Net 0]
SNIP
>
> Site B (Montebello)
> IPSec TunnelB-A
> Local Subnet: 192.168.1.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.0.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: 71.138.1xx.xxx (Site A static ip)
> cp 4 tag BtoA
SNIP
> cp 4 ipsec ike phase1 2
> cp 4 ipsec ip remote members 192.168.0.0/24 sg 71.138.1xx.xxx local members 192.168.1.0/24 ;[Net 0]
SNIP
>
> IPSec TunnelB-C
> Local Subnet: 192.168.1.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.2.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: 66.125.3x.xxx (Site C static ip)
> cp 3 tag BtoC
SNIP
> cp 3 ipsec ike phase1 2
> cp 3 ipsec ip remote members 192.168.2.0/24 sg 66.125.3x.xxx local members 192.168.1.1/24 ;[Net 0]
SNIP
>
>
> Site C
> IPSec TunnelC-A
> Local Subnet: 192.168.2.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.0.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: 71.138.1xx.xxx (Site A static ip)
> cp 3 tag CtoA
SNIP
> cp 3 ipsec ike phase1 2
> cp 3 ipsec ip remote members 192.168.0.0/24 sg 71.138.1xx.xxx local members 192.168.2.0/24 ;[Net 0]
SNIP
>
>
> IPSec TunnelC-B
> Local Subnet: 192.168.2.0
> Local SNM: 255.255.255.0
> Remote Subnet: 192.168.1.0
> Remote SNM: 255.255.255.0
> Remote Tunnel Endpoint: 71.138.2xx.xx (Site B static ip)
> cp 2 tag CtoB
SNIP
> cp 2 ipsec ike phase1 2
> cp 2 ipsec ip remote members 192.168.1.0/24 sg 71.138.2xx.xx local members 192.168.2.0/24 ;[Net 0]
SNIP
>
> The IKE config is identical on all 3 routers, as determined by using Beyond Compare:
> ike phase1 2 authentication method shared-secret
> ike phase1 2 authentication shared-secret ascii *****
> ike phase1 2 dangling-sas no
> ike phase1 2 encryption 3des
> ike phase1 2 group 2
> ike phase1 2 hash md5
> ike phase1 2 id 2
> ike phase1 2 identity local ipv4-address 0.0.0.0
> ike phase1 2 identity remote ipv4-address 0.0.0.0
> ike phase1 2 independent rekeys yes
> ike phase1 2 initial-contact yes
> ike phase1 2 invalid-spi-recovery no
> ike phase1 2 mode main
> ike phase1 2 negotiation normal
> ike phase1 2 port policy permissive
> ike phase1 2 sa lifetime seconds 28800
> ike phase1 2 sa lifetime kbytes none
> ike phase1 2 sa use-policy new-sas-immediately
> ike phase1 2 tag "DHC IKE Profile"
> ike phase1 2 vendor-id yes
>
>
> Since this last config dump, I have tried scheduling the phase 2 duration to be half that of phase 1 (4 hours instead of 8), following some recommendations I found elsewhere. No help.
>

Ok, I think I know what you have going on. You are using the same IKE phase 1 session for 2 different endpoints. You should set up a separate phase 1 IKE connection for each router pair with its own password. I personally like randomly generated passwords for these. I don't even bother to remember the password, I just generate a new one if I ever need to change it.

So on each site, you should have 2 connection profiles and 2 IKE profiles, one for each remote router that will be connecting to that router. They should not share an IKE configuration even though the router lets you do this.

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)
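A check for the condition Mike describes, added here as an example that is not part of the original post or of the router vendor's tooling: it parses a connection-profile dump in the syntax quoted above, flags every IKE phase1 profile that is bound to more than one connection profile, and writes a per-peer replacement profile with a freshly generated random pre-shared key. The sample dump is constructed for the example (the peer addresses are RFC 5737 documentation addresses, the profile numbers mirror site A in the post), and the emitted lines copy the command forms visible in the quoted config; whether a given router accepts a new `ike phase1 N` profile entered this way, and the `identity remote ipv4-address <peer>` pinning, are assumptions to check against the device's own documentation.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample (not from the post): site A with two connection
# profiles, cp 2 to site B and cp 3 to site C, both bound to IKE phase1
# profile 2.  Peer addresses are RFC 5737 documentation addresses.
SAMPLE_CONFIG = """\
cp 2 tag AtoB
cp 2 ipsec ike phase1 2
cp 2 ipsec ip remote members 192.168.1.0/24 sg 192.0.2.10 local members 192.168.0.0/24
cp 3 tag AtoC
cp 3 ipsec ike phase1 2
cp 3 ipsec ip remote members 192.168.2.0/24 sg 198.51.100.20 local members 192.168.0.0/24
ike phase1 2 authentication method shared-secret
ike phase1 2 authentication shared-secret ascii *****
ike phase1 2 identity local ipv4-address 0.0.0.0
ike phase1 2 identity remote ipv4-address 0.0.0.0
ike phase1 2 mode main
"""

CP_TAG = re.compile(r"^cp (\d+) tag (\S+)")
CP_PHASE1 = re.compile(r"^cp (\d+) ipsec ike phase1 (\d+)")
CP_PEER = re.compile(r"^cp (\d+) ipsec ip remote members \S+ sg (\S+)")


def parse_connection_profiles(config):
    """Return {cp_id: {"tag": ..., "phase1": ..., "peer": ...}} from a dump."""
    profiles = defaultdict(dict)
    for line in config.splitlines():
        line = line.strip()
        if m := CP_TAG.match(line):
            profiles[int(m[1])]["tag"] = m[2]
        elif m := CP_PHASE1.match(line):
            profiles[int(m[1])]["phase1"] = int(m[2])
        elif m := CP_PEER.match(line):
            profiles[int(m[1])]["peer"] = m[2]
    return dict(profiles)


def shared_phase1_profiles(profiles):
    """IKE phase1 profiles referenced by more than one connection profile."""
    users = defaultdict(list)
    for cp_id, cp in sorted(profiles.items()):
        if "phase1" in cp:
            users[cp["phase1"]].append(cp_id)
    return {p1: cps for p1, cps in users.items() if len(cps) > 1}


def generate_psk(nbytes=24):
    """Random pre-shared key: 24 bytes from the OS CSPRNG, URL-safe so it pastes cleanly."""
    return secrets.token_urlsafe(nbytes)


def remediation_plan(config):
    """Give every connection profile that shares a phase1 profile its own copy.

    The first user keeps the existing profile number, the others get unused
    numbers; every one of them receives a new PSK, because the old secret was
    shared with the other peer and must be rotated too.  Output lines follow
    the command forms visible in the post (assumed, not vendor-verified).
    """
    profiles = parse_connection_profiles(config)
    shared = shared_phase1_profiles(profiles)
    used_ids = {cp["phase1"] for cp in profiles.values() if "phase1" in cp}
    next_id = max(used_ids, default=0) + 1
    plan = []
    for p1, cp_ids in sorted(shared.items()):
        for cp_id in cp_ids:
            if cp_id == cp_ids[0]:
                new_p1 = p1
            else:
                new_p1 = next_id
                next_id += 1
            cp = profiles[cp_id]
            peer = cp.get("peer", "0.0.0.0")
            plan.append(f"# {cp.get('tag', cp_id)} -> peer {peer}")
            plan.append(f"ike phase1 {new_p1} authentication method shared-secret")
            plan.append(f"ike phase1 {new_p1} authentication shared-secret ascii {generate_psk()}")
            # Pin the remote identity to this peer instead of the 0.0.0.0 wildcard.
            plan.append(f"ike phase1 {new_p1} identity remote ipv4-address {peer}")
            plan.append(f"cp {cp_id} ipsec ike phase1 {new_p1}")
    return plan


if __name__ == "__main__":
    found = shared_phase1_profiles(parse_connection_profiles(SAMPLE_CONFIG))
    for p1, cps in found.items():
        print(f"IKE phase1 profile {p1} is shared by connection profiles {cps}")
    print("\n".join(remediation_plan(SAMPLE_CONFIG)))
```

Run the script against each site's dump in turn and apply the matching profile pair on both ends of each tunnel: the PSK generated for the A-B profile must be entered on A and on B, and the A-C secret on A and on C, so that no two router pairs share a secret. The plan also replaces the 0.0.0.0 remote identity with the peer's static address, which is the other half of keeping the two phase 1 negotiations from being matched against the same profile.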
(c) 1994, bbs@darkrealms.ca