
VPN tunnel not tunneling!


6 replies to this topic

#1 bigstevec87

Posted 14 November 2017 - 06:52 PM

Hello, first post here in years. Let me start by saying I'm what I'd call an 'advanced user' who has been placed into the role of IT guy for my employer. I apologize if I give too much or not enough detail in my descriptions.

My place is a small chain with several locations. Each location has a VPN which is tunneled to our HQ, and the workstations connect via RDP to our server. Also, from any of our locations I can type in 192.168.0.1 and log in directly to the main router at HQ. The Cradlepoint at one of our locations had to be reset and reconfigured, all configurations compared with a working location... but the tunnel will not connect :( I know the pre-shared key matches, and I have the IP addresses right... is there somewhere else I should be looking?

Thanks,

Steve




#2 toofarnorth


Posted 14 November 2017 - 07:26 PM

Hello

 

What kind of VPN are you using?


tfn



#3 bigstevec87


Posted 14 November 2017 - 08:39 PM

IPsec

#4 toofarnorth


Posted 15 November 2017 - 06:09 AM

The things I have struggled with regarding IPsec are:

Protocols are not set up right in both stage 1 and stage 2. They need to be equal on both ends: MD5, SHA, DES, etc.

Also, the local/remote network policy 192.168.0.1/24 isn't the same as 192.168.0.0/24. This is one sneaky little bugger!

HTH

 

tfn

 



#5 bigstevec87


Posted 15 November 2017 - 02:19 PM

So it is working now, simple firmware update on the main router :/ Thanks for the info, tfn; glad you mentioned the .0 vs .1 difference, I wondered about that.

#6 bigstevec87


Posted 18 November 2017 - 05:58 PM

OK, I thought the problem was fixed because the routers say the tunnel is up, but no ping in either direction? Here are the config and SA logs:

 

<Central location>
 
 
Tunnel Waiter10 (00000009-bb2b-3f16-b8bd-c1264651d390)
  enabled: True
  retransmission_timeout: 27
  state: up
  Connection (00000009-bb2b-3f16-b8bd-c1264651d390)
    version: IKEv1
    local: ['108.47.15.110']
    remote: ['166.211.139.243']
    Child Configuration (00000009-bb2b-3f16-b8bd-c1264651d390)
      mode: TUNNEL
      local_ts: ['192.168.0.0/24']
      remote_ts: ['192.169.0.0/24']
    IKE SA (00000009-bb2b-3f16-b8bd-c1264651d390)
      state: ESTABLISHED
      version: IKEv1
      algorithms: AES_CBC, PRF_HMAC_MD5, MODP_768
      local: 108.47.15.110:500
      remote: 166.211.139.243:500
      lifetime_seconds: 4522 of 26676
      Child SA (00000009-bb2b-3f16-b8bd-c1264651d390)
        state: INSTALLED
        algorithms: AES_CBC, HMAC_MD5_96, MODP_768
        local_ts: ['192.168.0.0/24[24]']
        remote_ts: ['192.169.0.0/24']
        lifetime_seconds: 1617 of 3600
        data_in: 0 / 0
        data_out: 89153 / 880
        spi_in: ccc32619
        spi_out: c6136965
 
 
<remote location:>

Waiter10 | up | IKEv1 | IKE SA lifetime 855 of 26956 | 166.211.139.243:500 <-> 108.47.15.110:500 | Child SA lifetime 854 of 3600 | data_in 50226 / 480 | data_out 0 / 0
Tunnel Waiter10 (00000000-bb2b-3f16-b8bd-c1264651d390)
  enabled: True
  retransmission_timeout: 27
  state: up
  Connection (00000000-bb2b-3f16-b8bd-c1264651d390)
    version: IKEv1
    local: ['166.211.139.243']
    remote: ['108.47.15.110']
    Child Configuration (00000000-bb2b-3f16-b8bd-c1264651d390)
      mode: TUNNEL
      local_ts: ['192.169.0.0/24']
      remote_ts: ['192.168.0.0/24[24]']
    IKE SA (00000000-bb2b-3f16-b8bd-c1264651d390)
      state: ESTABLISHED
      version: IKEv1
      algorithms: AES_CBC, PRF_HMAC_MD5, MODP_768
      local: 166.211.139.243:500
      remote: 108.47.15.110:500
      lifetime_seconds: 855 of 26956
      Child SA (00000000-bb2b-3f16-b8bd-c1264651d390)
        state: INSTALLED
        algorithms: AES_CBC, HMAC_MD5_96, MODP_768
        local_ts: ['192.169.0.0/24']
        remote_ts: ['192.168.0.0/24[24]']
        lifetime_seconds: 854 of 3600
        data_in: 50226 / 480
        data_out: 0 / 0
        spi_in: cf36230a
        spi_out: c649bf0a
 
 
<remote SP database>

src 192.168.0.0/24 dst 192.169.0.0/24 sport 24
dir fwd priority 187680
tmpl src 108.47.15.110 dst 166.211.139.243
proto esp reqid 2 mode tunnel
src 192.168.0.0/24 dst 192.169.0.0/24 sport 24
dir in priority 187680
tmpl src 108.47.15.110 dst 166.211.139.243
proto esp reqid 2 mode tunnel
src 192.169.0.0/24 dst 192.168.0.0/24 dport 24
dir out priority 187680
tmpl src 166.211.139.243 dst 108.47.15.110
proto esp reqid 2 mode tunnel

<remote SA database>

src 166.211.139.243 dst 108.47.15.110
proto esp spi 0xc649bf0a reqid 2 mode tunnel
replay-window 0 flag af-unspec
auth-trunc hmac(md5) 0x45c6024f3963db6b042ca78a910e6db1 96
enc cbc(aes) 0x09f2a487bb5476333aa8f1c94c403e2e
src 108.47.15.110 dst 166.211.139.243
proto esp spi 0xcf36230a reqid 2 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(md5) 0xa4b55aba0a109bd55dbf15d7f3787642 96
enc cbc(aes) 0xf67061b5804e48be9e4bb33ef0f5c317
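As an added example, not part of the thread or of Cradlepoint's tooling, the script below parses the kernel policy dump posted above and shows why "tunnel up" and "no ping" are consistent with each other: all three policies carry a port restriction (`sport 24` on fwd/in, `dport 24` on out, matching the `[24]` suffix on the 192.168.0.0/24 selector in the SA output), and an ICMP echo has no port, so it never selects any of them. The `parse_policies`, `matches`, `ping_direction` and `parse_ts` helpers are this example's own; the reading of a bare bracketed number as a port is taken from the correspondence visible in the dump itself. One caveat on the dump as posted: the `auth-trunc` and `enc` lines are the live ESP keys for the tunnel and should be redacted before sharing a capture like this.

```python
import re
import ipaddress

# Kernel policy (SPD) dump as posted in the thread, stray quote marks removed.
POLICY_DUMP = """\
src 192.168.0.0/24 dst 192.169.0.0/24 sport 24
dir fwd priority 187680
tmpl src 108.47.15.110 dst 166.211.139.243
proto esp reqid 2 mode tunnel
src 192.168.0.0/24 dst 192.169.0.0/24 sport 24
dir in priority 187680
tmpl src 108.47.15.110 dst 166.211.139.243
proto esp reqid 2 mode tunnel
src 192.169.0.0/24 dst 192.168.0.0/24 dport 24
dir out priority 187680
tmpl src 166.211.139.243 dst 108.47.15.110
proto esp reqid 2 mode tunnel
"""

# First line of each policy in `ip xfrm policy` output: the selector fields.
SELECTOR = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?\s*$"
)
DIRECTION = re.compile(r"^dir (?P<dir>\w+)")


def parse_policies(dump):
    """Parse an `ip xfrm policy` style dump into a list of selector dicts."""
    policies, current = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        m = SELECTOR.match(line)
        if m:
            current = {
                "src": ipaddress.ip_network(m["src"], strict=False),
                "dst": ipaddress.ip_network(m["dst"], strict=False),
                "proto": m["proto"],
                "sport": int(m["sport"]) if m["sport"] else None,
                "dport": int(m["dport"]) if m["dport"] else None,
                "dir": None,
            }
            policies.append(current)
            continue
        m = DIRECTION.match(line)
        if m and current is not None:
            current["dir"] = m["dir"]
    return policies


def matches(policy, src_ip, dst_ip, proto=None, sport=None, dport=None):
    """Would a packet with these header fields select this policy?
    A policy field of None means 'any'; a set field must match exactly."""
    packet = {"proto": proto, "sport": sport, "dport": dport}
    return (ipaddress.ip_address(src_ip) in policy["src"]
            and ipaddress.ip_address(dst_ip) in policy["dst"]
            and all(policy[k] is None or policy[k] == packet[k] for k in packet))


def port_restricted(policies):
    """Directions whose policy only covers a single port. ICMP carries no
    ports, so a ping can never match such a policy in either direction."""
    return [p["dir"] for p in policies
            if p["sport"] is not None or p["dport"] is not None]


def ping_direction(policies, src_ip, dst_ip):
    """Direction of the policy an ICMP echo would hit, or None if it would
    bypass the tunnel (routed in the clear, or dropped on the inbound side)."""
    for p in policies:
        if matches(p, src_ip, dst_ip, proto="icmp"):
            return p["dir"]
    return None


def parse_ts(text):
    """Split a strongSwan-style traffic selector into (network, proto, ports).

    '192.168.0.0/24[24]' -> ('192.168.0.0/24', None, '24'): a bare number in
    the brackets is a port, which is what produced 'sport 24' / 'dport 24' in
    the kernel policy above. Numeric protocol ids are not handled here.
    """
    m = re.match(r"^(?P<net>[^\[]+)(?:\[(?P<body>[^\]]*)\])?$", text)
    if not m:
        raise ValueError(f"unrecognised traffic selector: {text!r}")
    proto = ports = None
    body = m["body"]
    if body:
        if "/" in body:
            proto, ports = body.split("/", 1)
        elif body[0].isdigit():          # bare port or port range
            ports = body
        else:
            proto = body
    return m["net"], proto, ports


if __name__ == "__main__":
    pols = parse_policies(POLICY_DUMP)
    print("port-restricted policies:", port_restricted(pols))
    print("ping 192.169.0.10 -> 192.168.0.1 selects:",
          ping_direction(pols, "192.169.0.10", "192.168.0.1"))
```

With the posted dump, `ping_direction` returns None for a ping in either direction, while a TCP packet to port 24 would select the out policy; that is the same asymmetry the SA counters show (HQ sends, the branch receives, nothing goes back). The fix is in the selector, not in the keys: the branch's traffic selector for 192.168.0.0/24 should have no port set, after which the policies lose their `sport`/`dport` fields and ICMP matches.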


#7 toofarnorth


Posted 18 November 2017 - 06:57 PM

Hello again :)

I would look at policy rules. Most likely you will have to add some rules to allow traffic to pass through the VPN tunnel.

 

tfn





