I am new to this forum, and hope to get some answers here. I currently have a site-to-site VPN set up with two 3120s, and I am trying to add another 3120 to the VPN so that I will have three locations. I need sites A, B, and C to all communicate with each other. I cannot figure out how to connect the third 3120 to the VPN; it will not connect. If I disconnect one of the other sites I can get it to work. Can someone post how this should be set up? I use the GUI to set this up. Thank you.
Hi wtcguy:
Thank you for submitting your question in the Support Community, and welcome!
The guide Configuring a VPN for Multiple Subnets in AOS - Quick Configuration Guide explains some important concepts and includes both GUI and CLI configuration examples. Additional explanation and guidance may be needed, but it's a great place to start.
Are you trying to set up a mesh so that all three sites have a VPN tunnel to each other (a triangle shape), or will two remote sites connect to a main site (a V shape) and possibly reach from one remote to the other through the main site? Also, do all sites have a static public IP address?
Chris
I am trying to set up a mesh with a VPN tunnel from each site to each other site. I have Sites A and B connected but cannot get Site C connected to either A or B. I looked at the document you suggested; it discusses setting up multiple subnets, but I need to set up multiple sites. I have been looking for a guide that describes the process, but have been unlucky so far. Any help would be greatly appreciated.
Thank you
Got it. Do all three sites have static public IP addresses? A related question: are you configuring main mode tunnels or aggressive mode? Aggressive mode is typically used when one side always initiates the tunnel and the initiator can use a dynamic IP. One side must have a static IP (not the initiator).
You need to have a separate VPN tunnel (crypto map) for each connection; two in each 3120 connecting to the other sites.
We can try to provide guidance using the GUI but it may be faster to post your configs to this thread (remove passwords, pre-shared keys, etc. using a text editor first).
Chris
Yes, each site has a static IP and they are using main mode.
Okay, for each 3120, you need to configure two VPN tunnels. Both should be static/main mode and use IP addresses for the local and remote IDs. The local ID will be the same for both tunnels (the unit's own public IP address). The remote ID on each tunnel should match the static IP of the respective site's far end. Select the Internet interface to use for both tunnels.
Make sure the initiate and respond options and pre-shared key (PSK) are the same for both 3120s terminating a given tunnel, as well as Phase 1 IKE and Phase 2 IPsec encryption attributes and lifetimes.
The local network(s) should be the same for both tunnels. The remote network(s) for a given tunnel should reflect the LAN subnet(s) at the far end. The local/remote networks setup in 3120s at each end of a tunnel should mirror each other (with local and remote networks flipped).
I recommend going over these parameters and being careful that your attributes match properly for each end of the same tunnel. Also be careful not to copy parameters between two tunnels that should be unique (such as remote network, remote ID/peer, and possibly PSK).
Let us know how it goes or if you have additional questions!
Chris
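The two-tunnels-per-router layout Chris describes can be generated rather than typed, which makes the "mirror image" property (local/remote IDs, PSK, and selector networks flipped at the far end) hold by construction. The following is an added example, not code from the thread or from ADTRAN; it emits the same AOS statements the posted configs use (crypto ike policy, crypto ike remote-id, ip crypto map, selector ACL and policy-class allow lines) for a full mesh of three sites. Site names, public addresses (RFC 5737 documentation ranges) and LAN subnets are constructed sample data, and the phase 1/phase 2 attributes are copied from the thread (3DES/MD5 are legacy; prefer AES/SHA where both ends support it, but whatever you pick must be identical at both ends of a tunnel).

```python
"""Full-mesh IKEv1/IPsec config generator for three AOS routers (added example)."""
from dataclasses import dataclass
from itertools import combinations
import secrets


@dataclass(frozen=True)
class Site:
    name: str
    public_ip: str   # static address on eth 0/1: our local-id, the far end's peer
    lan: str         # LAN network in AOS wildcard form, e.g. "192.168.30.0 0.0.0.255"


# Constructed sample sites; the thread's real addresses are redacted.
SITES = [
    Site("A", "192.0.2.138", "192.168.30.0 0.0.0.255"),
    Site("B", "198.51.100.201", "192.168.1.0 0.0.0.255"),
    Site("C", "203.0.113.29", "192.168.20.0 0.0.0.255"),
]

# Attributes as used in the thread; legacy, but they must match at both ends.
PHASE1 = ("encryption 3des", "hash md5", "authentication pre-share")
TRANSFORM = "esp-3des-esp-md5-hmac esp-3des esp-md5-hmac"


def pair_psks(sites):
    """One random PSK per site pair; both ends of a tunnel get the same key."""
    return {frozenset((a.name, b.name)): secrets.token_hex(16)
            for a, b in combinations(sites, 2)}


def tunnels_for(site, sites):
    """(peer, ike policy number, crypto map sequence, selector ACL name) per far end."""
    peers = [s for s in sites if s.name != site.name]
    return [(p, 100 + i, 10 * (i + 1), f"VPN-{10 * (i + 1)}-to-{p.name}")
            for i, p in enumerate(peers)]


def render_site(site, sites, psks):
    """Render the VPN-relevant part of one router's config as AOS CLI text."""
    tunnels = tunnels_for(site, sites)
    out = ["ip crypto", "!"]
    for peer, pol, seq, acl in tunnels:
        out += [f"crypto ike policy {pol}", " initiate main", " respond anymode",
                f" local-id address {site.public_ip}", f" peer {peer.public_ip}",
                " attribute 1", *(f"  {a}" for a in PHASE1), "!"]
    for peer, pol, seq, acl in tunnels:
        key = psks[frozenset((site.name, peer.name))]
        out.append(f"crypto ike remote-id address {peer.public_ip} preshared-key {key} "
                   f"ike-policy {pol} crypto map VPN {seq} no-mode-config no-xauth")
    out += ["!", f"ip crypto ipsec transform-set {TRANSFORM}", " mode tunnel", "!"]
    for peer, pol, seq, acl in tunnels:
        out += [f"ip crypto map VPN {seq} ipsec-ike", f" description to-{peer.name}",
                f" match address ip {acl}", f" set peer {peer.public_ip}",
                f" set transform-set {TRANSFORM.split()[0]}", f" ike-policy {pol}"]
    out.append("!")
    for peer, pol, seq, acl in tunnels:
        # our LAN first, the far LAN second; the far end's ACL is the exact reverse
        out += [f"ip access-list extended {acl}", f" permit ip {site.lan} {peer.lan}", "!"]
    out.append("ip policy-class Private")
    out += [f" allow list {acl} stateless" for _, _, _, acl in tunnels]
    out.append("ip policy-class Public")
    out += [f" allow reverse list {acl} stateless" for _, _, _, acl in tunnels]
    return "\n".join(out)


def render_mesh(sites):
    """Config text for every site, keyed by site name, sharing one PSK per pair."""
    psks = pair_psks(sites)
    return {s.name: render_site(s, sites, psks) for s in sites}


if __name__ == "__main__":
    for name, cfg in render_mesh(SITES).items():
        print(f"! ===== site {name} =====\n{cfg}\n")
```

The generated text still has to be applied on top of each router's existing config (the crypto map `VPN` must already be bound to eth 0/1 with `ip crypto map VPN`, as in the posted configs), and the random PSKs should be stored somewhere other than the running config.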
Here are the config files. The first one does not connect to the second; the second connects to the third but will not connect to the first.
FIRST CONFIG FILE
!
!
! ADTRAN OS version R10.9.6.E
! Boot ROM version 17.01.01.00
! Platform: NetVanta 3120, part number 1700601G2
! Serial number LBADTN1204AG137
!
!
hostname "NetVanta3120"
enable password XXXXXXXX
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip default-gateway 192.168.20.26
ip routing
host "XXXXXX.XXXXX.XXX" 192.168.1.10
host "XXXXXX.XXXXX.XXX" 192.168.20.10
domain-proxy
name-server 192.168.30.26 8.8.8.8
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "admin" password "XXXXXXX"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
ip dhcp excluded-address 192.168.20.1 192.168.20.199
!
ip dhcp pool "Private"
network 192.168.30.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
netbios-node-type h-node
default-router 192.168.30.26
!
!
!
ip crypto
!
crypto ike policy 100
initiate main
respond anymode
local-id address XXX.199.182.138
peer XXX.13.33.201
attribute 1
encryption 3des
hash md5
authentication pre-share
!
crypto ike remote-id address XXX.13.33.201 preshared-key XXXXXXXX ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
ip crypto map VPN 10 ipsec-ike
description Pitt
match address ip VPN-10-vpn-selectors8
set peer XXX.13.33.201
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
!
!
!
!
vlan 1
name "Default"
!
!
interface eth 0/1
ip address XX.199.182.138 255.255.255.0
ip access-policy Public
ip crypto map VPN
no shutdown
no lldp send-and-receive
!
!
interface switchport 0/1
no shutdown
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
!
!
interface vlan 1
ip address 192.168.30.26 255.255.255.0
ip access-policy Private
no shutdown
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to UNIT
permit ip any any log
!
ip access-list extended VPN-10-vpn-selectors8
permit ip 192.168.30.0 0.0.0.255 192.168.1.0 0.0.0.255
!
ip access-list extended web-acl-10
remark IPEDGE Net Request
permit tcp any host XX.199.182.138 eq 4029 log
!
ip access-list extended web-acl-11
remark LAN BLF
permit tcp any host XX.199.182.138 eq 6000 log
!
ip access-list extended web-acl-12
remark EM HTTP
permit tcp any host XX.199.182.138 eq 8080 log
!
ip access-list extended web-acl-13
remark EM HTTPS 2
permit tcp any host XX.199.182.138 eq 9443 log
!
ip access-list extended web-acl-14
remark Webmin
permit tcp any host XX.199.182.138 eq 10000 log
!
ip access-list extended web-acl-15
remark IPEDGE Net Connection
permit tcp any host XX.199.182.138 range 12000 13791 log
!
ip access-list extended web-acl-16
remark IPEDGE Net Node to Node
permit tcp any host XX.199.182.138 range 16000 19999 log
!
ip access-list extended web-acl-17
remark Remote APP
permit tcp any host XX.199.182.138 eq 90 log
!
ip access-list extended web-acl-18
remark Message Access
permit tcp any host XX.199.182.138 eq 42507 log
!
ip access-list extended web-acl-19
remark SIP
permit udp any host XX.199.182.138 eq 5060 log
!
ip access-list extended web-acl-20
remark HTTPS
permit tcp any host XX.199.182.138 eq https log
!
ip access-list extended web-acl-21
remark XMPP Client 1
permit tcp any host XX.199.182.138 eq 5222 log
!
ip access-list extended web-acl-22
remark XMPP Server
permit tcp any host XX.199.182.138 eq 5269 log
!
ip access-list extended web-acl-23
remark XMPP Client 2
permit tcp any host XX.199.182.138 eq 5280 log
!
ip access-list extended web-acl-24
remark Net Server
permit tcp any host XX.199.182.138 range 8767 8768 log
!
ip access-list extended web-acl-25
remark SNMP
permit udp any host XX.199.182.138 eq snmp log
!
ip access-list extended web-acl-4
remark Remote IPT Registration
permit udp any host XX.199.182.138 range 1718 1719 log
!
ip access-list extended web-acl-5
remark Remtoe IPT Megaco
permit tcp any host XX.199.182.138 eq 2944 log
!
ip access-list extended web-acl-6
remark Remote IP Audio
permit udp any host XX.199.182.138 range 21000 26999 log
!
ip access-list extended web-acl-7
remark Redirects to 8080
permit tcp any host XX.199.182.138 eq www log
!
ip access-list extended web-acl-8
remark SMDI
permit tcp any host XX.199.182.138 eq 1000 log
!
ip access-list extended web-acl-9
remark LAN DSS Survive
permit tcp any host XX.199.182.138 range 3000 3001 log
!
!
!
ip policy-class Private
allow list VPN-10-vpn-selectors8 stateless
allow list self self
nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
allow reverse list VPN-10-vpn-selectors8 stateless
nat destination list web-acl-4 address 192.168.20.10
nat destination list web-acl-5 address 192.168.20.10
nat destination list web-acl-6 address 192.168.20.10
nat destination list web-acl-7 address 192.168.20.10
nat destination list web-acl-8 address 192.168.20.10
nat destination list web-acl-9 address 192.168.20.10
nat destination list web-acl-10 address 192.168.20.10
nat destination list web-acl-11 address 192.168.20.10
nat destination list web-acl-12 address 192.168.20.10
nat destination list web-acl-13 address 192.168.20.10
nat destination list web-acl-14 address 192.168.20.10
nat destination list web-acl-15 address 192.168.20.10
nat destination list web-acl-16 address 192.168.20.10
nat destination list web-acl-17 address 192.168.20.10
nat destination list web-acl-18 address 192.168.20.10
nat destination list web-acl-19 address 192.168.20.10
nat destination list web-acl-20 address 192.168.20.10
nat destination list web-acl-21 address 192.168.20.10
nat destination list web-acl-22 address 192.168.20.10
nat destination list web-acl-23 address 192.168.20.10
nat destination list web-acl-24 address 192.168.20.10
nat destination list web-acl-25 address 192.168.20.10
!
!
ip route 0.0.0.0 0.0.0.0 XX.199.182.142
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
no login
!
line telnet 0 4
login local-userlist
password password
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
ntp source ethernet 0/1
ntp server 0.pool.ntp.org source ethernet 0/1
ntp server 1.pool.ntp.org source ethernet 0/1
ntp server 2.pool.ntp.org
!
!
!
!
!
end
SECOND CONFIG FILE
!
!
! ADTRAN OS version R10.9.6.E
! Boot ROM version 17.01.01.00
! Platform: NetVanta 3120, part number 1700601G2
! Serial number LBADTN1204AG320
!
!
hostname "NetVanta3120"
enable password encrypted 151e9429764620329e6863024e9ed77e8626
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip routing
host "XXX.XXXXXXX.XXX" 192.168.1.10
host "xxx.xxxxxx.xxx" 192.168.20.10
domain-proxy
name-server 208.67.220.220 208.67.221.221
!
!
no auto-config
!
no event-history
no logging forwarding
no logging console
logging forwarding priority-level info
no logging email
!
service password-encryption
!
username "XXXXX" password encrypted "XXXXXX"
username "XXXXX" password encrypted "XXXXXX"
username "XXXXX" password encrypted "XXXXXX"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
no ip firewall alg sip
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool "Private"
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
netbios-node-type h-node
default-router 192.168.1.26
!
!
!
ip crypto
!
crypto ike policy 100
initiate main
respond anymode
local-id address XXX.13.33.201
peer XX.176.216.29
attribute 1
encryption 3des
hash md5
authentication pre-share
!
crypto ike policy 101
initiate main
respond anymode
local-id address XXX.13.33.201
peer XX.199.182.138
attribute 1
encryption 3des
hash md5
authentication pre-share
!
crypto ike remote-id address XXX.199.182.138 preshared-key XXXXXXX ike-policy 101 crypto map VPN 20 no-mode-config no-xauth
crypto ike remote-id address XXX.176.216.29 preshared-key XXXXXXX ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
ip crypto map VPN 10 ipsec-ike
description NetVanta3120
match address ip VPN-10-vpn-selectors2
set peer XXX.176.216.29
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
ip crypto map VPN 20 ipsec-ike
description Pitt
match address ip VPN-20-vpn-selectors
set peer XXX.199.182.138
set transform-set esp-3des-esp-md5-hmac
ike-policy 101
!
!
!
!
vlan 1
name "Default"
!
!
interface eth 0/1
speed 100
ip address XXX.13.33.201 255.255.255.248
ip access-policy Public
ip crypto map VPN
no rtp quality-monitoring
no awcp
no shutdown
no lldp send-and-receive
!
!
interface switchport 0/1
no shutdown
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
!
!
interface vlan 1
ip address 192.168.1.26 255.255.255.0
ip access-policy Private
no rtp quality-monitoring
no awcp
no shutdown
!
interface ppp 1
no shutdown
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended VPN-10-vpn-selectors2
permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
!
ip access-list extended VPN-20-vpn-selectors
permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
!
ip access-list extended web-acl-10
remark Remote IPT Audio-21000-26999
permit udp any host XXX.13.33.201 range 21000 26999 log
!
ip access-list extended web-acl-12
remark SMDI-1000
permit tcp any host XXX.13.33.201 eq 1000 log
!
ip access-list extended web-acl-13
remark LAN DSS and Survive-3000-3001
permit udp any host XXX.13.33.201 range 3000 3001 log
!
ip access-list extended web-acl-14
remark IPEDGE Net Request-4029
permit tcp any host XXX.13.33.201 eq 4029 log
!
ip access-list extended web-acl-15
remark LAN BLF-6000
permit tcp any host XXX.13.33.201 eq 6000 log
!
ip access-list extended web-acl-16
remark EM HTTPS-8080
permit tcp any host XXX.13.33.201 eq 8080 log
!
ip access-list extended web-acl-17
remark EM HTTPS-9443
permit tcp any host XXX.13.33.201 eq 9443 log
!
ip access-list extended web-acl-18
remark Webmin-10000
permit tcp any host XXX.13.33.201 eq 10000 log
!
ip access-list extended web-acl-19
remark IPedge Net Node to Node-16000-19999
permit tcp any host XXX.13.33.201 range 16000 19999 log
!
ip access-list extended web-acl-20
remark Mobile App-90
permit tcp any host XXX.13.33.201 eq 90 log
!
ip access-list extended web-acl-21
remark Messaging access UCEdge-42507
permit tcp any host XXX.13.33.201 eq 42507 log
!
ip access-list extended web-acl-23
remark HTTPS-443
permit tcp any host XXX.13.33.201 eq https log
!
ip access-list extended web-acl-24
remark XMPP Client 1-5222
deny tcp any host XXX.13.33.201 eq 5222 log
!
ip access-list extended web-acl-25
remark XMPP Server-5269
deny tcp any host XXX.13.33.201 eq 5269 log
!
ip access-list extended web-acl-26
remark XMPP Client 2-5280
permit tcp any host XXX.13.33.201 eq 5280 log
!
ip access-list extended web-acl-27
remark Net Server-8767-8768
permit tcp any host XXX.13.33.201 range 8767 8768 log
!
ip access-list extended web-acl-28
remark SNMP-161
permit udp any host XXX.13.33.201 eq snmp log
!
ip access-list extended web-acl-29
remark Meeting-8444
permit tcp any host XXX.13.33.201 eq 8444 log
!
ip access-list extended web-acl-30
remark 1. FonLinkHUD-5269
permit tcp any any eq 5269 log
!
ip access-list extended web-acl-31
remark 1. FonHUD3-5222
permit tcp any any eq 5222 log
!
ip access-list extended web-acl-32
remark 1. FonLink-4569
permit udp any any eq 4569 log
!
ip access-list extended web-acl-37
remark 1. FonCall Setup-UDP-5060
permit udp any any eq 5060 log
!
ip access-list extended web-acl-38
remark Redirects to 8080
permit tcp any host XXX.13.33.201 eq www log
!
ip access-list extended web-acl-39
remark Remote IPT Registration-1718-1719
permit udp any any range 1718 1719 log
!
ip access-list extended web-acl-40
remark 1. Fon RTP Voice Traffice 10000-15999
permit udp any any range 10000 15999 log
!
ip access-list extended web-acl-9
remark Remote IPT Megaco-2944
permit tcp any host XXX.13.33.201 eq 2944 log
!
!
!
ip policy-class Private
allow list VPN-20-vpn-selectors stateless
allow list VPN-10-vpn-selectors2 stateless
allow list self self
nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
allow reverse list VPN-20-vpn-selectors stateless
allow reverse list VPN-10-vpn-selectors2 stateless
nat destination list web-acl-40 address 192.168.1.23
nat destination list web-acl-37 address 192.168.1.10
nat destination list web-acl-32 address 192.168.1.23
nat destination list web-acl-30 address 192.168.1.23
nat destination list web-acl-25 address 192.168.1.10
nat destination list web-acl-31 address 192.168.1.23
nat destination list web-acl-24 address 192.168.1.10
nat destination list web-acl-26 address 192.168.1.10
nat destination list web-acl-9 address 192.168.1.10
nat destination list web-acl-10 address 192.168.1.10
nat destination list web-acl-39 address 192.168.1.10
nat destination list web-acl-12 address 192.168.1.10
nat destination list web-acl-13 address 192.168.1.10
nat destination list web-acl-14 address 192.168.1.10
nat destination list web-acl-15 address 192.168.1.10
nat destination list web-acl-38 address 192.168.1.10
nat destination list web-acl-16 address 192.168.1.10
nat destination list web-acl-17 address 192.168.1.10
nat destination list web-acl-23 address 192.168.1.10
nat destination list web-acl-18 address 192.168.1.10
nat destination list web-acl-19 address 192.168.1.10
nat destination list web-acl-28 address 192.168.1.10
nat destination list web-acl-20 address 192.168.1.10
nat destination list web-acl-21 address 192.168.1.10
nat destination list web-acl-27 address 192.168.1.10
nat destination list web-acl-29 address 192.168.1.10
!
!
ip route 0.0.0.0 0.0.0.0 XXX.13.33.206
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
login
!
line telnet 0 4
login local-userlist
password encrypted 1810d9a74d50ae8ffc59b58965b5818d829a
no shutdown
line ssh 0 4
login local-userlist
shutdown
!
!
ntp source ethernet 0/1
ntp server 0.pool.ntp.org source ethernet 0/1
ntp server 1.pool.ntp.org source ethernet 0/1
ntp server 2.pool.ntp.org
ntp server 3.pool.ntp.org
!
!
!
!
!
end
THIRD CONFIG FILE
!
!
! ADTRAN OS version R10.9.6.E
! Boot ROM version 17.01.01.00
! Platform: NetVanta 3120, part number 1700601G2
! Serial number LBADTN1223AK109
!
!
hostname "NetVanta3120"
enable password XXXXX
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip default-gateway 192.168.20.26
ip routing
host "XXXXXX.XXXXX.XXX" 192.168.1.10
host "XXXXXX.XXXXX.XXX" 192.168.20.10
domain-proxy
name-server 208.67.220.220 208.67.221.221
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "XXXX" password "XXXXXX"
username "XXXX" password "XXXXXXX"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
ip dhcp excluded-address 192.168.20.1 192.168.20.199
!
ip dhcp pool "Private"
network 192.168.20.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
netbios-node-type h-node
default-router 192.168.20.26
!
!
!
ip crypto
!
crypto ike policy 100
initiate main
respond anymode
local-id address XXX.176.216.29
peer XXX.13.33.201
attribute 1
encryption 3des
hash md5
authentication pre-share
!
crypto ike remote-id address XXX.13.33.201 preshared-key XXXXXXXXX ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
ip crypto map VPN 10 ipsec-ike
description NetVanta3120
match address ip VPN-10-vpn-selectors1
set peer XXX.13.33.201
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
!
!
!
!
vlan 1
name "Default"
!
!
interface eth 0/1
ip address XXX.176.216.29 255.255.255.0
ip access-policy Public
ip crypto map VPN
no shutdown
no lldp send-and-receive
!
!
interface switchport 0/1
no shutdown
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
!
!
interface vlan 1
ip address 192.168.20.26 255.255.255.0
ip access-policy Private
no shutdown
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to UNIT
permit ip any any log
!
ip access-list extended VPN-10-vpn-selectors1
permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
!
ip access-list extended web-acl-10
remark IPEDGE Net Request-4029
permit tcp any host XXX.176.216.29 eq 4029 log
!
ip access-list extended web-acl-11
remark LAN BLF-6000
permit tcp any host XXX.176.216.29 eq 6000 log
!
ip access-list extended web-acl-12
remark EM HTTPS-8080
permit tcp any host XXX.176.216.29 eq 8080 log
!
ip access-list extended web-acl-13
remark EM HTTPS-9443
permit tcp any host XXX.176.216.29 eq 9443 log
!
ip access-list extended web-acl-14
remark Webmin-10000
permit tcp any host XXX.176.216.29 eq 10000 log
!
ip access-list extended web-acl-17
remark Remote APP
permit tcp any host XXX.176.216.29 eq 90 log
!
ip access-list extended web-acl-18
remark Messaging access UCEdge-42507
permit tcp any host XXX.176.216.29 eq 42507 log
!
ip access-list extended web-acl-20
remark HTTPS-443
permit tcp any host XXX.176.216.29 eq https log
!
ip access-list extended web-acl-23
remark XMPP Client 2-5280
permit tcp any host XXX.176.216.29 eq 5280 log
!
ip access-list extended web-acl-24
remark Net Server-8767-8768
permit tcp any host XXX.176.216.29 range 8767 8768 log
!
ip access-list extended web-acl-25
remark SNMP-161
permit udp any host XXX.176.216.29 eq snmp log
!
ip access-list extended web-acl-26
remark 1. Fon RTP Voice Traffice 10000-20000
permit udp any host XXX.176.216.29 range 10000 20000 log
!
ip access-list extended web-acl-27
remark 1. FonCall Setup-UDP-5060
permit udp any host XXX.176.216.29 eq 5060 log
!
ip access-list extended web-acl-28
remark 1. FonLinkHUD-5269
permit tcp any any eq 5269 log
!
ip access-list extended web-acl-29
remark 1. FonHUD3-5222
permit tcp any any eq 5222 log
!
ip access-list extended web-acl-30
remark 1. FonLink-4569
permit tcp any any eq 4569 log
!
ip access-list extended web-acl-4
remark Remote IPT Registration-1718-1719
permit udp any host XXX.176.216.29 range 1718 1719 log
!
ip access-list extended web-acl-5
remark Remtoe IPT Megaco-2944
permit tcp any host XXX.176.216.29 eq 2944 log
!
ip access-list extended web-acl-6
remark Remote IP Audio-21000-26999
permit udp any host XXX.176.216.29 range 21000 26999 log
!
ip access-list extended web-acl-7
remark Redirects to 8080
permit tcp any host XXX.176.216.29 eq www log
!
ip access-list extended web-acl-8
remark SMDI-1000
permit tcp any host XXX.176.216.29 eq 1000 log
!
ip access-list extended web-acl-9
remark LAN DSS and Survive-3000-3001
permit tcp any host XXX.176.216.29 range 3000 3001 log
!
!
!
ip policy-class Private
allow list VPN-10-vpn-selectors1 stateless
allow list self self
nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
allow reverse list VPN-10-vpn-selectors1 stateless
nat destination list web-acl-26 address 192.168.20.7
nat destination list web-acl-27 address 192.168.20.7
nat destination list web-acl-30 address 192.168.20.7
nat destination list web-acl-28 address 192.168.20.7
nat destination list web-acl-29 address 192.168.20.7
nat destination list web-acl-23 address 192.168.20.10
nat destination list web-acl-5 address 192.168.20.10
nat destination list web-acl-6 address 192.168.20.10
nat destination list web-acl-4 address 192.168.20.10
nat destination list web-acl-8 address 192.168.20.10
nat destination list web-acl-9 address 192.168.20.10
nat destination list web-acl-10 address 192.168.20.10
nat destination list web-acl-11 address 192.168.20.10
nat destination list web-acl-7 address 192.168.20.10
nat destination list web-acl-12 address 192.168.20.10
nat destination list web-acl-13 address 192.168.20.10
nat destination list web-acl-20 address 192.168.20.10
nat destination list web-acl-14 address 192.168.20.10
nat destination list web-acl-17 address 192.168.20.10
nat destination list web-acl-25 address 192.168.20.10
nat destination list web-acl-18 address 192.168.20.10
nat destination list web-acl-24 address 192.168.20.10
!
!
ip route 0.0.0.0 0.0.0.0 XXX.176.216.1
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
no login
!
line telnet 0 4
login local-userlist
password password
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
ntp source ethernet 0/1
ntp server 0.pool.ntp.org source ethernet 0/1
ntp server 1.pool.ntp.org source ethernet 0/1
ntp server 2.pool.ntp.org
!
!
!
!
!
end
Only to add that if you are using SSL certificates instead of PSK, you will have to use the same CA certificate for all peers.
PS. Our posts crossed over. Only the second configuration has entries for both of the other two peers. You need to repeat the same for configuration one and configuration three.
PPS. You probably want to edit your post and remove the passwords and user names.
--
Regards,
Mick
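Mick's observation (only the second configuration has crypto maps for both of the other peers) is the kind of asymmetry that is easy to miss by eye across three long configs. The following is an added example, not from the thread and not an ADTRAN tool: it parses the AOS statements the posted configs use (the `ip address` under `interface eth 0/1`, each `ip crypto map VPN N` with its `set peer` and `match address ip`, and the `permit ip` lines of the selector ACLs) and then checks, for every crypto map on every site, whether the far end has a crypto map back whose selector ACL is the exact reverse. The three configs embedded below are constructed to follow the structure of the posted ones, with the redacted public addresses replaced by RFC 5737 documentation addresses and everything unrelated to the VPN omitted.

```python
"""Cross-check AOS site configs for tunnels that exist on one end only (added example)."""
from collections import defaultdict

# Constructed configs that mirror the shape of the three posted ones.
SITE_A = """\
interface eth 0/1
 ip address 192.0.2.138 255.255.255.0
ip crypto map VPN 10 ipsec-ike
 match address ip VPN-10-vpn-selectors8
 set peer 198.51.100.201
ip access-list extended VPN-10-vpn-selectors8
 permit ip 192.168.30.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
SITE_B = """\
interface eth 0/1
 ip address 198.51.100.201 255.255.255.248
ip crypto map VPN 10 ipsec-ike
 match address ip VPN-10-vpn-selectors2
 set peer 203.0.113.29
ip crypto map VPN 20 ipsec-ike
 match address ip VPN-20-vpn-selectors
 set peer 192.0.2.138
ip access-list extended VPN-10-vpn-selectors2
 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended VPN-20-vpn-selectors
 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
"""
SITE_C = """\
interface eth 0/1
 ip address 203.0.113.29 255.255.255.0
ip crypto map VPN 10 ipsec-ike
 match address ip VPN-10-vpn-selectors1
 set peer 198.51.100.201
ip access-list extended VPN-10-vpn-selectors1
 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
"""


def parse(cfg):
    """Return (public_ip, {peer_ip: {(local_net, remote_net), ...}}) for one config.

    Relies on the one-space indentation AOS prints under a top-level statement.
    """
    public_ip, acls, maps = None, defaultdict(set), []
    section, current = None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():                 # a new top-level statement
            section, current = None, None
            if line == "interface eth 0/1":
                section = "eth"
            elif line.startswith("ip crypto map VPN "):
                section, current = "map", {}
                maps.append(current)
            elif line.startswith("ip access-list extended "):
                section, current = "acl", line.split()[-1]
            continue
        f = line.split()
        if section == "eth" and line.startswith("ip address "):
            public_ip = f[2]
        elif section == "map" and line.startswith("set peer "):
            current["peer"] = f[2]
        elif section == "map" and line.startswith("match address ip "):
            current["acl"] = f[3]
        elif section == "acl" and line.startswith("permit ip "):
            acls[current].add((f"{f[2]} {f[3]}", f"{f[4]} {f[5]}"))
    tunnels = {m["peer"]: acls.get(m["acl"], set())
               for m in maps if "peer" in m and "acl" in m}
    return public_ip, tunnels


def check_mesh(configs):
    """Return a list of findings; an empty list means every tunnel is mirrored."""
    sites = {name: parse(cfg) for name, cfg in configs.items()}
    by_ip = {ip: name for name, (ip, _) in sites.items()}
    findings = []
    for name, (ip, tunnels) in sites.items():
        for peer_ip, selectors in tunnels.items():
            peer = by_ip.get(peer_ip)
            if peer is None:
                findings.append(f"{name}: peer {peer_ip} is not one of the given sites")
                continue
            back = sites[peer][1].get(ip)
            if back is None:
                findings.append(f"{name} -> {peer}: {peer} has no crypto map with peer {ip}")
                continue
            for local, remote in selectors:
                if (remote, local) not in back:
                    findings.append(f"{name} -> {peer}: selector {local} -> {remote} "
                                    f"is not mirrored in {peer}'s ACL")
    names = sorted(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if sites[b][0] not in sites[a][1] and sites[a][0] not in sites[b][1]:
                findings.append(f"{a} <-> {b}: no crypto map on either side, mesh incomplete")
    return findings


if __name__ == "__main__":
    for finding in check_mesh({"A": SITE_A, "B": SITE_B, "C": SITE_C}):
        print(finding)
```

On the constructed sample the check reports two things: there is no tunnel at all between A and C (the missing third side of the triangle), and C's selector `192.168.20.0 -> 192.168.30.0` toward B has no reverse entry in B's ACL toward C, so that traffic would never match a phase 2 SA even though the B-C tunnel comes up.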
Yes, I understand that. I am currently only trying to connect config 1 to config 2 and config 2 to config 3, so config 2 would have both in it, correct? And only config 1 and config 3 would have tunnels to config 2. Once I have that working I will then build 1 to 3 as well. I am stuck on getting 2 to communicate with both 1 and 3. I appreciate any help.
Thank you
Yes, this is correct, config 2 should have a tunnel configured for each of the other peers.
I had a quick look at your config files and can't see anything amiss. How far is the connection attempt getting? Do you at least get IKE SAs created (phase 1) when you ping the private subnet of the remote peer to start a tunnel going? Can you run a debugging session on both A and B and see what each reports? Then repeat between B and C.
--
Regards,
Mick
You mentioned using the GUI, so if you need a hand capturing debug:
enable
debug crypto ike
Now you can ping a host on the remote end and see what the debug looks like when the tunnel tries to build. Deciphering the output can be challenging. You can attach the text log files, but some info could be visible that may be sensitive to you, such as public IP addresses and so forth. I might suggest calling ADTRAN and opening a ticket (or open a case here).
Some things to look for are obvious errors, as well as how many messages of quick mode and main mode you see in the sequence. The pattern will repeat, so you should be able to see after a few cycles how far it gets. For example, "Sent first message of quick mode," or "received second message of main mode." Determining how far it gets into these message sequences can itself reveal the source of the problem, since each message relates to a specific aspect of the IKE and IPsec attributes.
Best,
Chris
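Chris's triage method (find the furthest main mode or quick mode message the cycle reaches, then map that to an attribute) can be scripted against a saved debug log. The following is an added example and not ADTRAN tooling: the regular expression matches the message shape Chris quotes ("Sent first message of quick mode", "received second message of main mode"); the real `debug crypto ike` text may differ, so adjust `PATTERN` to what your unit prints. The log lines are constructed for the example, not a capture. The diagnosis table follows the IKEv1 protocol itself: main mode messages 1 and 2 carry the phase 1 proposals, 3 and 4 the key exchange and nonces, 5 and 6 the identities and pre-shared-key authentication, and quick mode messages 1 to 3 negotiate the phase 2 transform and selectors.

```python
"""Triage `debug crypto ike` output by how far the IKEv1 exchange gets (added example)."""
import re

# Assumed message shape, based on the phrases quoted in the thread.
PATTERN = re.compile(
    r"(?P<dir>sent|received)\s+(?P<ord>first|second|third|fourth|fifth|sixth)"
    r"\s+message of (?P<mode>main|quick) mode", re.IGNORECASE)
ORDINAL = {"first": 1, "second": 2, "third": 3, "fourth": 4, "fifth": 5, "sixth": 6}

# Likely cause when the cycle never gets past the given message.
DIAGNOSIS = {
    ("main", 1): "no MM2 back: peer unreachable or UDP/500 filtered, peer has no "
                 "remote-id/peer entry for our address, or it rejected the phase 1 proposal",
    ("main", 2): "MM2 arrived (proposal accepted) but MM3 never sent: local failure "
                 "building the key exchange; collect more debug",
    ("main", 3): "no MM4 back: key-exchange message lost; suspect path MTU or NAT, "
                 "not the crypto attributes",
    ("main", 4): "MM4 arrived but MM5 never sent: local failure after key exchange; "
                 "check the local-id setting",
    ("main", 5): "no MM6 back after MM5: authentication failed; check the pre-shared key "
                 "and the local-id/remote-id addresses on both ends",
    ("main", 6): "phase 1 complete but quick mode never started: no traffic matched the "
                 "crypto map selector ACL",
    ("quick", 1): "no QM2 back: phase 2 mismatch; compare transform-set, tunnel mode, PFS, "
                  "lifetimes, and that the selector ACLs are exact mirrors",
    ("quick", 2): "QM2 arrived but QM3 never sent: local phase 2 verification failed; "
                  "recheck selector networks and transform",
    ("quick", 3): "both phases complete: if traffic still fails, look at policy-class "
                  "allow lines, NAT ordering and routing rather than IKE",
}


def rank(mode, n):
    """Order messages along the exchange: MM1..MM6 then QM1..QM3."""
    return n if mode == "main" else 6 + n


def triage(lines):
    """Return the furthest message seen, per-message counts, and a diagnosis."""
    counts, best = {}, None
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        key = (m["mode"].lower(), ORDINAL[m["ord"].lower()])
        counts[key] = counts.get(key, 0) + 1
        if best is None or rank(*key) > rank(*best[0]):
            best = (key, m["dir"].lower())
    if best is None:
        return {"stage": None, "counts": counts,
                "diagnosis": "no IKE messages at all: is the crypto map applied to the "
                             "Internet interface, and did the test traffic match a selector ACL?"}
    (mode, n), direction = best
    return {"stage": f"{direction} message {n} of {mode} mode",
            "counts": counts, "diagnosis": DIAGNOSIS[(mode, n)]}


# Constructed debug lines: a cycle that stalls after MM5 and then restarts.
SAMPLE = """\
10:15:01 Sent first message of main mode to 198.51.100.201
10:15:01 Received second message of main mode from 198.51.100.201
10:15:01 Sent third message of main mode to 198.51.100.201
10:15:02 Received fourth message of main mode from 198.51.100.201
10:15:02 Sent fifth message of main mode to 198.51.100.201
10:15:12 Sent fifth message of main mode to 198.51.100.201
10:15:22 Sent first message of main mode to 198.51.100.201
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["stage"], "->", result["diagnosis"])
```

The counts are worth printing alongside the stage: a message that repeats (as MM5 does in the sample) is a retransmission waiting for a reply that never comes, which is a stronger signal than a single occurrence. Run the same script on both ends of a tunnel; the responder's log shows which message it received last and whether it silently dropped the next one.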
Are you having better luck with your VPN? Keep us posted when you have a minute.
Apparently I did set it up correctly; it turns out that to activate the connection I needed to ping the remote. If the connection goes down, the only way to re-activate it is either to ping or to have a device try to connect to the other side. Is there a keep-alive setting?
Yep, the simplest way to take care of this is to create a ping probe. The document Configuring Network Monitor in AOS is a great resource and includes a configuration example. You can make the period 30 seconds or something like that to keep ping traffic low, and that should be perfect to keep your tunnels up. The source and destination will need to be IP addresses that will be sent over the VPN, such as the LAN interfaces of your routers. To keep it simple, maybe you could set up the main site router with probes to the other two.
Chris
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor