Why site-to-site VPN is working but ezvpn is not?

hy123
Level 1

I am using an 831 as an ezvpn server. It tested ok in my office. But when it's running in a remote site, the vpn client cannot get any ISAKMP packet from the router and no connection can be made, while site-to-site vpn is working fine on the same router. I think there should be something blocking the ezvpn ISAKMP packets. But the packets in ezvpn and site-to-site vpn should be the same. Why is one working and the other not?

Here I attached my router configuration and the 'deb cry isa' result. Please take a look. Thanks a lot.

8 Replies

jackko
Level 7

those two could be using different ports.

for site-to-site,

udp 500

for remote/ezvpn,

udp 4500

just wondering if there is an inbound acl blocking the port 4500. perhaps post the entire config with public ip masked.

Thanks, Jack,

Your info is very important to me.

Do you know if there's any command to change the ISAKMP port to UDP 500 or another port? I am sure there's no blocking on my vpn client side because I can make a connection to other vpn servers. On this vpn server side, the ISP is a cable company. Do you have any experience of the ISP blocking outbound UDP ports? What other reason do you think could be possible?

Thanks again.

according to the posted config, there is an inbound acl named "access-list 111".

access-list 111 permit udp any any eq 4500

further, i believe the acl below is required as well:

access-list 111 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255

Thanks, Jack,

Thank you very much for the reminder.

But even after I removed the entire acl on e1, it's still not working. It really confused me. The VPN client keeps saying the peer is not responding, and in the log window, no received message shows up.

cbac (i.e. ip inspect) has been applied on the e1 interface, so even the acl is removed, the router will not permit the packet.
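As an added example (not part of this thread and not Cisco tooling), the check below reads an IOS-style config, finds the ACL and CBAC `ip inspect` rule applied inbound on the outside interface, and reports whether UDP 500 (ISAKMP), UDP 4500 (NAT-T) and ESP are permitted, which covers both of Jack's points above. The config it parses is a constructed sample, not the original poster's attachment; addresses in ACL entries are not evaluated.

```python
# Constructed sample IOS config (not the poster's attachment), shaped like the thread:
# an inbound ACL on the outside interface plus CBAC (ip inspect).
SAMPLE_CONFIG = """\
interface Ethernet1
 ip address 203.0.113.10 255.255.255.0
 ip access-group 111 in
 ip inspect FW in
!
access-list 111 permit udp any any eq 4500
access-list 111 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny ip any any
"""

PORT_KEYWORDS = {500: "isakmp", 4500: "non500-isakmp"}  # IOS names for these UDP ports

def interface_lines(config, interface):
    """Return the stripped sub-commands of one interface stanza."""
    body, inside = [], False
    for line in config.splitlines():
        if line.startswith("interface "):
            inside = line.split(None, 1)[1].strip() == interface
        elif inside and line.startswith(" "):
            body.append(line.strip())
        else:
            inside = False
    return body

def acl_permits(config, acl, proto, port=None):
    """True if the numbered ACL has a permit entry for proto (and UDP port, if given).
    Addresses are ignored; only 'permit ip any any' is treated as permitting everything."""
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[:3] != ["access-list", acl, "permit"]:
            continue
        if parts[3] == "ip" and parts[4:6] == ["any", "any"]:
            return True
        if parts[3] != proto:
            continue
        if port is None:
            return True
        if "eq" in parts and parts[parts.index("eq") + 1] in (str(port), PORT_KEYWORDS.get(port)):
            return True
    return False

def check_vpn_ingress(config, interface):
    """Report the inbound ACL, whether it lets ISAKMP/NAT-T/ESP in, and any inbound CBAC rule."""
    body = interface_lines(config, interface)
    acl = next((l.split()[2] for l in body if l.startswith("ip access-group ") and l.endswith(" in")), None)
    cbac = next((l.split()[2] for l in body if l.startswith("ip inspect ") and l.endswith(" in")), None)
    report = {"acl": acl, "cbac_inbound": cbac}
    for name, proto, port in (("isakmp_500", "udp", 500), ("nat_t_4500", "udp", 4500), ("esp", "esp", None)):
        report[name] = True if acl is None else acl_permits(config, acl, proto, port)  # no ACL: nothing filtered
    return report

if __name__ == "__main__":
    print(check_vpn_ingress(SAMPLE_CONFIG, "Ethernet1"))
```

With the sample config the report shows UDP 4500 permitted but UDP 500 and ESP not, and CBAC policy "FW" applied inbound, which is the combination the thread ends up discussing.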

Thanks, Jack,

You are right. I had tried to remove the acl and ip inspect before, but it didn't work, so I neglected this possibility. Do you know how to flush cbac without rebooting? I don't have the opportunity to try now. I will let you know the result.

Thanks a lot.

Hi, Jack,

The problem is solved.

Thanks,

Henry

it's good to learn that your issue has been resolved. would you mind sharing the resolution?

according to cisco:
