Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
942
Views
0
Helpful
6
Replies

Can't ping across IPsec VPN from 867VAE-K9 to Cradlepoint IBR650

kernel269
Level 1
Level 1

‎09-16-2019 05:13 PM

I'm building multiple IPSec VPNs over cellular networks using a Cradlepoint IBR650 on either end.  On the head end is the 867VAE-K9 behind one of these Cradlepoints terminating one end of every tunnel and each other end is another Cradlepoint terminating the other end.  Currently, I'm trying to get one of these tunnels up and so far it has been a challenge.  I've managed to get what looks like to be IKE Phase 1 and 2 both at the complete stage and my show commands are showing UP-ACTIVE for Crypto Session and QM IDLE ACTIVE for Crypto ISAKMP SA yet I can't seem to ping the machine on the other end.  Can anyone give me their thoughts or requests?

Labels:
0 Helpful
6 Replies 6

Mohammed al Baqari
Level 11
Level 11

‎09-16-2019 07:33 PM

Start with checking IPSec SA using show crypto ipsec SA command to see if
the encrypt or decrypt counters are increasing. This will show you whether
the traffic is leaving your router and not coming back or not leaving at
all. This way you know where you need to look.

***** Please remember to rate useful posts.
0 Helpful

kernel269
Level 1
Level 1
In response to Mohammed al Baqari

‎09-22-2019 06:26 PM

Sorry for not getting back to you earlier.  I had this set up to email me when I had a reply, but that didn't seem to work.  All counters stay at 0.  Looks as though it's not leaving the Cisco router.

0 Helpful

kernel269
Level 1
Level 1
In response to Mohammed al Baqari

‎09-24-2019 04:49 AM - edited ‎09-25-2019 08:37 AM

I've included my run output and ipsec sa output for inspection.  Is there anything else you or anyone else would like to see?

 

(Attachments removed as new attachments provided in later post.)

0 Helpful

kernel269
Level 1
Level 1
In response to kernel269

‎09-25-2019 08:25 AM - edited ‎09-26-2019 07:54 AM

Accidentally repeated message removed.

0 Helpful

kernel269
Level 1
Level 1
In response to Mohammed al Baqari

‎09-25-2019 04:43 PM

Update...  (Rev 2)

From the machine hooked up to the Cisco router, I can ping the LAN gateway address across the VPN on the Cradlepoint, but cannot ping the machine address inside the Cradlepoint LAN.  When pinging the Cradlepoint LAN gateway, the ipsec sa output shows all the "encap", "encrypt", "digest", "decap", "decrypt", and "verify" counters counting up, but only "encap", "encrypt", and "digest" continue counting when I ping the machine inside the Cradlepoint LAN.

 

From the machine hooked up to the Cradlepoint,  I can ping the LAN gateway address across the VPN on the Cisco router, but cannot ping the machine address inside the Cisco router LAN.  When pinging the Cisco router LAN gateway, the ipsec sa output shows all the counters counting, but only the "decap", "decrypt", and "verify" continue counting when pinging into machine inside the Cisco router LAN.

 

Do you have any suggestions?

 

Included are my new run and ipsec sa outputs as I have been changing things and trying to look at things at a different angle if you would like to look.

Preview file
3 KB
Preview file
7 KB
0 Helpful

kernel269
Level 1
Level 1
In response to Mohammed al Baqari

‎09-27-2019 11:09 AM

Looks like my issue was simply the Windows firewall as it put the network I was connected to into the "Public" domain.  Shut down the firewall and pings all around.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents