IPSEC VPN
Hi,
Set up a site-to-site VPN to a third party (amazonaws) from our CP R81.20, but the tunnel is not coming up.
Initiating traffic on our back end, I can see in the tcpdump on the external interface that we are sending an ISAKMP packet and receive one back, but that's where it stops. The tunnel does not come up.
Any ideas please?
IP xxxxxxx.co.uk.isakmp > xxxxxxxxxxxx.amazonaws.com.isakmp: isakmp: parent_sa ikev2_init[I]
IP xxxxxxxxxxx.amazonaws.com.isakmp > xxxxxxxxx.co.uk.isakmp: isakmp: parent_sa ikev2_init[R]
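The two tcpdump lines above show an IKE_SA_INIT request and reply and then nothing. As an added illustration (not code from the poster or from Check Point), the script below parses tcpdump's one-line ISAKMP summaries and reports how far an IKEv2 negotiation got, so that "request sent, reply received, no IKE_AUTH" can be spotted mechanically. The capture it runs on is constructed, with hypothetical host names standing in for the redacted ones in the post, and it assumes tcpdump's default (non-verbose) `isakmp:` summary format.

```python
import re
from collections import Counter

# Matches tcpdump's non-verbose IKEv2 summary, e.g. "isakmp: parent_sa ikev2_init[I]".
# Assumption: default tcpdump output; other tools format ISAKMP differently.
IKEV2_RE = re.compile(r"isakmp:\s+\S+\s+(ikev2_\w+)\[([IR])\]")

# Constructed sample capture modelled on the post: two IKE_SA_INIT attempts,
# each answered by the peer, and no IKE_AUTH ever sent. Host names are hypothetical.
SAMPLE_CAPTURE = """\
IP fw.example.co.uk.isakmp > vpn.amazonaws.com.isakmp: isakmp: parent_sa ikev2_init[I]
IP vpn.amazonaws.com.isakmp > fw.example.co.uk.isakmp: isakmp: parent_sa ikev2_init[R]
IP fw.example.co.uk.isakmp > vpn.amazonaws.com.isakmp: isakmp: parent_sa ikev2_init[I]
IP vpn.amazonaws.com.isakmp > fw.example.co.uk.isakmp: isakmp: parent_sa ikev2_init[R]
"""


def parse_exchanges(capture):
    """Return the IKEv2 exchanges seen, in order, as (exchange, role) tuples.

    role is 'I' for a message sent by the initiator, 'R' for the responder.
    """
    exchanges = []
    for line in capture.splitlines():
        match = IKEV2_RE.search(line)
        if match:
            exchanges.append((match.group(1), match.group(2)))
    return exchanges


def diagnose(exchanges):
    """Classify how far the negotiation progressed from the exchanges observed."""
    seen = Counter(exchanges)
    init_i = seen[("ikev2_init", "I")]
    init_r = seen[("ikev2_init", "R")]
    auth_i = seen[("ikev2_auth", "I")]
    auth_r = seen[("ikev2_auth", "R")]

    if init_i == 0:
        # Nothing left the gateway: the traffic did not match the VPN community.
        return "no_ike"
    if init_r == 0:
        # Request sent, never answered: UDP/500 blocked or peer has no matching gateway.
        return "no_response"
    if auth_i == 0:
        # The pattern in the post: the peer answered IKE_SA_INIT but our side never
        # proceeded to IKE_AUTH, so the reply was most likely rejected (for example a
        # proposal mismatch). The notify payload only shows in a verbose capture.
        return "stalled_after_init"
    if auth_r == 0:
        return "auth_unanswered"
    return "ike_sa_established"


def main():
    exchanges = parse_exchanges(SAMPLE_CAPTURE)
    for exchange, role in exchanges:
        print(f"{exchange:12s} {'initiator' if role == 'I' else 'responder'}")
    print("diagnosis:", diagnose(exchanges))


if __name__ == "__main__":
    main()
```

`diagnose` separates the three cases that look alike in a quick glance at a capture: no request at all, a request with no answer, and an answered request with no follow-up. The last is what the post shows, and since the summary line does not reveal why the initiator stopped, the next step is a verbose capture (`tcpdump -v` decodes the ISAKMP payloads) or the gateway's own IKE debug output.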
Hey,
Are you using numbered or unnumbered VTIs? Set as a permanent tunnel? Message me offline, happy to do remote if you allow it. I'm fairly experienced with Azure VPN tunnels, though I have done a couple with AWS as well.
Best,
Andy
Hi,
It is just set up as a site-to-site VPN; we do not use VTIs on our CP.
Thanks
Okay... is it set as a permanent tunnel via the community object's tunnel management, or no? How do you have the below configured?
Andy
Hi,
Set Permanent is not ticked, and VPN tunnel sharing is "one VPN tunnel per subnet pair".
Ok, no problem. All the debug shows is that you guys are I, as in initiator, and AWS is R, as in responder, but clearly the config is not matching somewhere, as even phase 1 does not seem to be working.
Andy
Did you also do a simple vpn debug?
vpn debug trunc
vpn debug ikeon
- try to generate some traffic
vpn debug ikeoff (after 2-3 mins)
Look for the ike and vpnd files in the $FWDIR/log dir.
Get them off the FW and examine them for any relevant IPs, or you can simply grep -i from SSH as well,
i.e. from expert mode -> grep -i 2.3.4.5 vpnd.elg (just replace 2.3.4.5 with the actual peer external IP)
Best,
Andy
And which documentation did you follow when configuring the S2S VPN?
Hi,
I just followed the phase 1 and 2 proposals set by the third party. Sorry, I'm not great on CP.
If the third party uses VTI, I'm guessing that would not be an issue if we don't?
Rgds,
That's fine, don't worry, we are here to help! Put it this way: for route-based VPN, you need VTI. Have a look at my post below; I know it's about Azure, but I explained it the best I could. Happy to do remote if you allow that, not an issue. I really feel I could help you with it.
Best,
Andy
