[Cialug] IPSec VPN not passing traffic
Jonathan C. Bailey
jbailey at co.marshall.ia.us
Wed Sep 8 09:55:19 CDT 2010
Hmmm... I'd have to go digging through my IOS collection, it seems. I believe I have one of the "security" lines loaded on it at the moment...
Jonathan Bailey
Marshall County, Iowa
1 E Main St, Marshalltown, IA 50158
P: 641-844-2804 / C: 641-351-9631
----- Original Message -----
From: "Dave Weis" <djweis at internetsolver.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Wednesday, September 8, 2010 9:49:47 AM
Subject: Re: [Cialug] IPSec VPN not passing traffic
That's a wonderful question :-)
Not sure though.
> -----Original Message-----
> From: cialug-bounces at cialug.org
> [mailto:cialug-bounces at cialug.org] On Behalf Of Jonathan C. Bailey
> Sent: Wednesday, September 08, 2010 9:37 AM
> To: Central Iowa Linux Users Group
> Subject: Re: [Cialug] IPSec VPN not passing traffic
>
> What IOS line would that be?
>
>
> ----- Original Message -----
> From: "Dave Weis" <djweis at internetsolver.com>
> To: "cialug at cialug.org" <cialug at cialug.org>
> Sent: Wednesday, September 8, 2010 9:21:57 AM
> Subject: Re: [Cialug] IPSec VPN not passing traffic
>
> The ARP entry should be on the VPN server. A 3745 with the
> right IOS should be capable also.
>
>
> ----- Original Message -----
> From: cialug-bounces at cialug.org <cialug-bounces at cialug.org>
> To: Central Iowa Linux Users Group <cialug at cialug.org>
> Sent: Wed Sep 08 09:20:58 2010
> Subject: Re: [Cialug] IPSec VPN not passing traffic
>
> I never saw anything in the racoon configuration for proxy arp.. Hmm..
>
> BTW, the ARP entry you mention - should it be on the VPN
> server with a client IP/VPN server MAC? That would seem to
> make sense (maybe).
>
> Also, what about a 3745 instead of the ASA? Or a 1700 series
> router? We've got some extra Cisco stuff at the moment...
>
>
> -Jon
>
> ----- Original Message -----
> From: "Dave Weis" <djweis at internetsolver.com>
> To: "Central Iowa Linux Users Group" <cialug at cialug.org>
> Sent: Wednesday, September 8, 2010 9:12:17 AM
> Subject: Re: [Cialug] IPSec VPN not passing traffic
>
>
> Around this point is where I break out the ASA and implement
> it in 10 minutes... :-)
>
> From my brief looking this can be caused by either missing
> the proxyarp keyword somewhere or having an incorrect left or
> right side statement.
>
> Can you try to add the arp entry manually?
>
> /sbin/arp -s 192.168.x.x c0:0f:fe:ba:be pub
>
> Replace IP and MAC address as appropriate.
>
> dave
>
> --
> Dave Weis
> 515-224-9229
> djweis at internetsolver.com
> http://www.internetsolver.com/
> Please check out our Complete Support Service
> http://www.internetsolver.com/completesupport/
>
>
>
> > -----Original Message-----
> > From: cialug-bounces at cialug.org
> > [mailto:cialug-bounces at cialug.org] On Behalf Of Jonathan C. Bailey
> > Sent: Wednesday, September 08, 2010 9:07 AM
> > To: Central Iowa Linux Users Group
> > Subject: Re: [Cialug] IPSec VPN not passing traffic
> >
> > Yes, our core router has a route for 192.168.22.0/24 via 10.81.10.60.
> > Forwarding is also enabled on 10.81.10.60.
> >
> > Whenever 10.81.10.60 gets traffic for a connected VPN user, it sends
> > out ARP requests like it doesn't know about that user.
> >
> > Jonathan Bailey
> > Marshall County, Iowa
> > 1 E Main St, Marshalltown, IA 50158
> > P: 641-844-2804 / C: 641-351-9631
> >
> > ----- Original Message -----
> > From: "Dave Weis" <djweis at internetsolver.com>
> > To: "Central Iowa Linux Users Group" <cialug at cialug.org>
> > Sent: Wednesday, September 8, 2010 8:29:52 AM
> > Subject: Re: [Cialug] IPSec VPN not passing traffic
> >
> >
> > >
> > > Also, the traffic *is* getting from client to VPN server and being
> > > decrypted, just not going anywhere on the internal network.
> > >
> >
> > I missed part of this but does everything on the network know the
> > routing to get to the VPN clients? If you traceroute from an unrelated
> > machine to a VPN client, where does it stop?
> >
> > Dave
> >
> >
> > --
> > Dave Weis
> > 515-224-9229
> > djweis at internetsolver.com
> > http://www.internetsolver.com/
> > Please check out our Complete Support Service
> > http://www.internetsolver.com/completesupport/
> >
> >
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug