VPN issues...

Hello everyone.

I have set up a site to site VPN with a Cisco ASA. Tunnel is up and I can ping the remote network from my ASG, but not from my local network. I think I am missing something stupid but don't know what. Any ideas?

Thanks in advance.

Richard


  • Here are the lines from the IPsec live log when enabling the connection...

    Thanks,

    2013:11:25-10:33:40 dartmofw01 pluto[29783]: listening for IKE messages
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: forgetting secrets
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loading secrets from "/etc/ipsec.secrets"
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loaded PSK secret for xx.***.***.*** 2xx.***.***.***
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loaded private key from 'dartmofw01.bcso-ma.org.pem'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: added connection description "S_NEW_TRI"
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: initiating Main Mode
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: forgetting secrets
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loading secrets from "/etc/ipsec.secrets"
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loaded PSK secret for xx.***.***.*** xx.***.xx.***
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loaded private key from 'dartmofw01.bcso-ma.org.pem'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: Changing to directory '/etc/ipsec.d/crls'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: ignoring Vendor ID payload [FRAGMENTATION c0000000]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: enabling possible NAT-traversal with method RFC 3947
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: ignoring Vendor ID payload [Cisco-Unity]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: received Vendor ID payload [XAUTH]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: ignoring Vendor ID payload [8296ef3de06aa4bf11b4d422eb0c576f]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: ignoring Vendor ID payload [Cisco VPN 3000 Series]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: received Vendor ID payload [Dead Peer Detection]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: Peer ID is ID_IPV4_ADDR: '***.xx.***.***'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: ISAKMP SA established
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #125: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#124}
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #125: sent QI2, IPsec SA established {ESP=>0x7da72ac7 
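A small triage helper for pluto logs like the one above, added here as an example and not taken from the post or from Sophos: it parses lines in the format shown, records per connection whether the ISAKMP (phase 1) and IPsec (phase 2) SAs came up, the NAT-T result and the outbound ESP SPI, and returns a verdict on where to look next. The sample log is constructed in the same format; the inbound SPI after "<" is made up because the posted line is cut off there.

```python
import re

# Constructed sample in the same pluto format as the posted log; the inbound
# SPI after "<" is made up because the posted line is truncated at that point.
SAMPLE_LOG = """\
2013:11:25-10:33:40 dartmofw01 pluto[29783]: added connection description "S_NEW_TRI"
2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: initiating Main Mode
2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: ISAKMP SA established
2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #125: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#124}
2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #125: sent QI2, IPsec SA established {ESP=>0x7da72ac7 <0x0badc0de}
"""

# timestamp host pluto[pid]: optional "conn" #state: message
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$'
)

def parse_pluto(text):
    """Split pluto log lines into fields; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out

def tunnel_status(text):
    """Per connection: IKE phases completed, NAT-T result, outbound ESP SPI, verdict."""
    status = {}
    for rec in parse_pluto(text):
        if not rec["conn"]:          # daemon-level lines carry no connection name
            continue
        s = status.setdefault(rec["conn"], {"phase1": False, "phase2": False, "nat": None, "esp_out": None})
        msg = rec["msg"]
        if "ISAKMP SA established" in msg:
            s["phase1"] = True
        if "IPsec SA established" in msg:
            s["phase2"] = True
            spi = re.search(r"ESP=>(0x[0-9a-fA-F]+)", msg)
            s["esp_out"] = spi.group(1) if spi else None
        if "NAT-Traversal: Result" in msg:
            s["nat"] = "none" if "no NAT detected" in msg else "detected"
    for s in status.values():
        s["verdict"] = ("tunnel up; look at routing, NAT exemption and firewall rules, not IKE" if s["phase2"] else
                        "phase 1 only; check phase 2 proposals and traffic selectors" if s["phase1"] else
                        "no ISAKMP SA; check phase 1 proposals, PSK and peer ID")
    return status
```

For the posted log, both SAs are established, so the verdict points away from IKE and towards routing and policy on the two firewalls.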