Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
349
Views
0
Helpful
5
Replies

LAN to LAN VPN Help

PeterHaase
Level 1
Level 1

‎05-04-2015 07:05 AM

Hi,

 

I'm new to VPN's and I am trying to configure a VPN from our company to another company. I have configure the VPN and it shows as being up. When I am logged into our router I am able to ping a remote address but when I try and ping from my workstation it times out. The VPN is setup from our external IP to the other companies IPsec gateway address. I am using an access list on the VPN as their are 10 encryption domains we need to contact. Internally we use NAT for all our internet traffic. I think I am meant to configure the internal traffic not to use NAT but am unsure if this is correct or how I should be configuring it.

Any help is appreciated.

Thanks

Peter Haase

Labels:
0 Helpful
5 Replies 5

rizwanr74
Level 7
Level 7

‎05-04-2015 10:23 AM

Please post your running config for the tunnel piece, for easier trouble shooting purpose.

 

thanks

 

0 Helpful

PeterHaase
Level 1
Level 1
In response to rizwanr74

‎05-04-2015 11:55 AM

Here is the config for the tunnel

 

crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
lifetime 28800

crypto isakmp key xxxxxxxxxx address 198.208.254.1 no-xauth
crypto ipsec transform-set GM esp-aes 256 esp-sha-hmac

crypto map VPNMAP 1 ipsec-isakmp
description Tunnel to198.208.254.1
set peer 198.208.254.1
set transform-set GM
match address GMTeam

crypto map VPNMAP 65535 ipsec-isakmp dynamic DMAP

 

The GMTeam ACL includes the 10 encryption domains we were given. The crypto map is included on our external interface.

 

Peter

0 Helpful

rizwanr74
Level 7
Level 7
In response to PeterHaase

‎05-05-2015 11:09 AM

Check what are permitted in the ACL: GMTeam includes your work-station subnet is included in ACL and be sure to nat-exempt all tunnel-bound traffic from natting.

 

Let me know, if this helps.

 

thanks

 

0 Helpful

PeterHaase
Level 1
Level 1
In response to rizwanr74

‎05-06-2015 01:26 PM

Thanks for your help, we have the VPN up and running now.

I had a deny entry in the wrong place in one ACL and I needed to nat my workstation IP tomy routers external IP for the ping test to work.

 

Peter

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to PeterHaase

‎05-06-2015 02:55 PM

Peter

 

It is good to know that you solved your own problem. Thanks for posting back to the forum to tell us that is it fixed and how you fixed it. That may help some other reader of the forum to figure out their own problem.

 

HTH

 

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents