01-03-2005 05:28 AM
We're attempting to set up a tunnel to allow http traffic between two LANs via an IPSEC tunnel. Unfortunately, the tunnel only comes up when I select "network autodiscovery" routing under the lan-to-lan connection. I would prefer to simply use network lists for the local and remote sites, but as soon as I select the lists I've set up, the tunnel goes down and stays down.
In addition, when the tunnel comes up (with network autodiscovery selected), I can ping the peer on the other side from the VPN concentrator but cannot ping any hosts on networks behind that router. My traceroute to those hosts goes to the public interface and then to the Internet, instead of heading to the peer IP address on the other end of the tunnel.
Any thoughts?
01-04-2005 05:20 AM
Have you run any debugs?
debug crypto isakmp/ipsec?
debugging the src IP ??
01-04-2005 07:08 AM
Since I only have access to the VPN concentrator, here are the results of the debug I was able to run.
8801 01/04/2005 08:03:40.270 SEV=7 IPSECDBG/1 RPT=2712
Could not find assigned address for tunnel!
8802 01/04/2005 08:03:43.250 SEV=7 IPSECDBG/10 RPT=191
IPSEC ipsec_output() can call key_acquire() because 3 seconds have elapsed since
last IKE negotiation began (src 0xc0a83787, dst 0x023aa0c4)
8804 01/04/2005 08:03:43.260 SEV=7 IPSECDBG/14 RPT=193
Sending KEY_ACQUIRE to IKE for src 192.168.55.135, dst 166.89.199.178
8805 01/04/2005 08:03:43.260 SEV=4 IKE/41 RPT=163
IKE Initiator: New Phase 2, Intf 2, IKE Peer 166.89.101.254
local Proxy Address 192.168.55.0, remote Proxy Address 166.89.192.0,
SA (L2L: TPD.)
8809 01/04/2005 08:03:43.260 SEV=9 IPSECDBG/6 RPT=744
IPSEC key message parse - msgtype 6, len 208, vers 1, pid 00000000, seq 172, err
0, type 2, mode 0, state 32, label 0, pad 0, spi 0x00000000, encrKeyLen 0, hash
KeyLen 0, ivlen 0, alg 0, hmacAlg 0, lifetype 0, lifetime1 1118540, lifetime2 0,
dsId 300
8813 01/04/2005 08:03:43.260 SEV=9 IPSECDBG/1 RPT=2713
Processing KEY_GETSPI msg!
8814 01/04/2005 08:03:43.270 SEV=7 IPSECDBG/13 RPT=165
Reserved SPI 0x54b45ce7
8815 01/04/2005 08:03:46.750 SEV=7 IPSECDBG/10 RPT=192
IPSEC ipsec_output() can call key_acquire() because 3 seconds have elapsed since
last IKE negotiation began (src 0xc0a83787, dst 0x023aa0c4)
8817 01/04/2005 08:03:46.760 SEV=7 IPSECDBG/14 RPT=194
Sending KEY_ACQUIRE to IKE for src 192.168.55.135, dst 166.89.199.178
8818 01/04/2005 08:03:50.250 SEV=7 IPSECDBG/10 RPT=193
IPSEC ipsec_output() can call key_acquire() because 3 seconds have elapsed since
last IKE negotiation began (src 0xc0a83787, dst 0x023aa0c4)
8820 01/04/2005 08:03:50.260 SEV=7 IPSECDBG/14 RPT=195
Sending KEY_ACQUIRE to IKE for src 192.168.55.135, dst 166.89.199.178
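Added example, not part of the original thread: a small Python parser for event output in the shape posted above. It counts repeated KEY_ACQUIRE requests per src/dst pair, the pattern visible in this debug. The header layout (sequence, date, time, SEV, class/number, RPT) is inferred from these lines only, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines copied in shape from the debug output in the post above.
SAMPLE = """\
8802 01/04/2005 08:03:43.250 SEV=7 IPSECDBG/10 RPT=191
IPSEC ipsec_output() can call key_acquire() because 3 seconds have elapsed since
last IKE negotiation began (src 0xc0a83787, dst 0x023aa0c4)
8804 01/04/2005 08:03:43.260 SEV=7 IPSECDBG/14 RPT=193
Sending KEY_ACQUIRE to IKE for src 192.168.55.135, dst 166.89.199.178
8805 01/04/2005 08:03:43.260 SEV=4 IKE/41 RPT=163
IKE Initiator: New Phase 2, Intf 2, IKE Peer 166.89.101.254
8817 01/04/2005 08:03:46.760 SEV=7 IPSECDBG/14 RPT=194
Sending KEY_ACQUIRE to IKE for src 192.168.55.135, dst 166.89.199.178
8820 01/04/2005 08:03:50.260 SEV=7 IPSECDBG/14 RPT=195
Sending KEY_ACQUIRE to IKE for src 192.168.55.135, dst 166.89.199.178
"""

# Header layout is an assumption inferred from the posted lines.
HEADER = re.compile(r"^(\d+) (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) SEV=(\d+) (\w+)/(\d+) RPT=\d+$")
ACQUIRE = re.compile(r"Sending KEY_ACQUIRE to IKE for src (\S+), dst (\S+)")

def parse_events(text):
    """Split the log into events: one header line plus its joined message lines."""
    events = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            seq, ts, sev, cls, num = m.groups()
            events.append({"seq": int(seq), "sev": int(sev), "id": f"{cls}/{num}", "msg": "",
                           "time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f")})
        elif events and line:  # continuation of the previous event's message
            events[-1]["msg"] = (events[-1]["msg"] + " " + line).strip()
    return events

def acquire_retries(events, min_count=3):
    """Return {(src, dst): (count, seconds_spanned)} for repeated KEY_ACQUIRE requests."""
    seen = defaultdict(list)
    for ev in events:
        m = ACQUIRE.search(ev["msg"])
        if m:
            seen[m.groups()].append(ev["time"])
    return {pair: (len(t), (max(t) - min(t)).total_seconds())
            for pair, t in seen.items() if len(t) >= min_count}

if __name__ == "__main__":
    for (src, dst), (n, span) in acquire_retries(parse_events(SAMPLE)).items():
        print(f"{src} -> {dst}: {n} KEY_ACQUIRE requests in {span:.1f}s")
```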
01-04-2005 10:48 AM
Although my tunnel is showing as "up", I'm getting this debug result when I tracert to the peer at the other end:
(Note that the source interface for the traceroute and ping is showing as my "private" interface.)
10395 01/04/2005 11:44:52.480 SEV=7 IPSECDBG/1 RPT=2906
Could not find assigned address for tunnel!
What exactly does this mean?