IPSEC configuration failed to work

Latest reply: Dec 8, 2015 09:54:52

Hi,

We are doing some IPSec VPN testing with the AR1220-S. A number of IPSec policies were set with nearly the same configurations. For details, please refer to the attached configuration file.

acl name GigaEthernet0/0/0 2998
rule 5 permit
acl name GigabitEthernet0/0/1 2999
rule 5 deny source 192.168.190.0 0.0.0.255
rule 10 deny source 192.168.192.0 0.0.0.255
rule 15 deny source 192.168.193.0 0.0.0.255
rule 20 deny source 192.168.194.0 0.0.0.255
#
acl name center_all 3000
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.190.0 0.0.0.255
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.192.0 0.0.0.255
rule 15 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.193.0 0.0.0.255
rule 20 permit ip source 0.0.0.0 255.255.255.0 destination 0.0.0.0 255.255.255.0
acl name subnet_192 3002
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.190.0 0.0.0.255
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.192.0 0.0.0.255
rule 15 permit ip source 0.0.0.0 255.255.255.0 destination 0.0.0.0 255.255.255.0
acl name subnet_193 3003
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.190.0 0.0.0.255
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.193.0 0.0.0.255
rule 15 permit ip source 0.0.0.0 255.255.255.0 destination 0.0.0.0 255.255.255.0
acl name b_Cellular0/0/0_1 3994
rule 5 permit ip source 0.0.0.0 255.255.255.0 destination 0.0.0.0 255.255.255.0
acl name c_GigabitEthernet0/0/1_2 3995
rule 5 permit ip source 0.0.0.0 255.255.255.0 destination 0.0.0.0 255.255.255.0
acl name p_GigabitEthernet0/0/1_1 3996
rule 5 permit ip source 0.0.0.0 255.255.255.0 destination 0.0.0.0 255.255.255.0
acl name b_GigabitEthernet0/0/1_1 3997
rule 5 permit ip source 0.0.0.0 255.255.255.0 destination 0.0.0.0 255.255.255.0
acl name subnet_194 3998
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.190.0 0.0.0.255
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.194.0 0.0.0.255
acl name c_GigabitEthernet0/0/1_1 3999
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.190.0 0.0.0.255
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.192.0 0.0.0.255
rule 15 permit ip source 0.0.0.0 255.255.255.0 destination 0.0.0.0 255.255.255.0
#
ipsec proposal sj_vpn
esp authentication-algorithm md5
esp encryption-algorithm 3des
ipsec proposal center_vpn_1
esp authentication-algorithm md5
esp encryption-algorithm 3des
ipsec proposal branch_vpn_11
esp authentication-algorithm md5
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
prf hmac-sha2-256
#
ike proposal 2
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
prf hmac-sha2-256
#
ike proposal 3
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
prf hmac-sha2-256
#
ike proposal 4
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
prf hmac-sha2-256
#
ike peer center_vpn_1 v1
pre-shared-key cipher IKEpeerkey0
ike-proposal 2
ike peer center_vpn_all v1
pre-shared-key cipher IKEpeerkey4
ike-proposal 1
local-address 123.123.123.9
remote-address 59.59.59.5
ike peer center_vpn_192 v1
pre-shared-key cipher IKEpeerkey3
ike-proposal 1
local-address 123.123.123.9
remote-address 124.21.219.33
ike peer center_vpn_193 v1
pre-shared-key cipher IKEpeerkey2
ike-proposal 1
local-address 123.123.123.9
remote-address 223.232.9.35
ike peer branch_vpn_11 v1
pre-shared-key cipher IKEpeerkey1
ike-proposal 4
remote-address 223.232.9.35
#
ipsec policy-template center_vpn_1_PT 1
security acl 3999
ike-peer center_vpn_1
proposal center_vpn_1
#
ipsec policy center_vpn_1 1 isakmp template center_vpn_1_PT
ipsec policy center_VPN_1 190 isakmp
security acl 3000
ike-peer center_vpn_all
proposal sj_vpn
ipsec policy center_VPN_1 192 isakmp
security acl 3002
ike-peer center_vpn_all
proposal sj_vpn
ipsec policy center_VPN_1 193 isakmp
security acl 3003
ike-peer center_vpn_all
proposal sj_vpn

The "center_vpn_1_PT" was generated from the configuration wizard; the others were manually added by duplicating the parameters. However, only the "center_vpn_1_PT" can be successfully connected when we tested the deployment with a Dlink RV420 router at the branch side. Is anything wrong with our configurations?

Thanks.

Davis
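
Added example, not part of the original post and not Huawei tooling: a small Python check that cross-references the "ike peer" definitions with the "ipsec policy" entries in the configuration above. The function name lint and the trimmed sample are assumptions made for illustration; the output is a list of items to review, not a confirmed cause of the failure.

```python
import re
from collections import defaultdict

# Constructed excerpt: peer and policy lines taken from the configuration above.
SAMPLE = """\
ike peer center_vpn_1 v1
ike peer center_vpn_all v1
ike peer center_vpn_192 v1
ike peer center_vpn_193 v1
ipsec policy-template center_vpn_1_PT 1
ike-peer center_vpn_1
ipsec policy center_vpn_1 1 isakmp template center_vpn_1_PT
ipsec policy center_VPN_1 190 isakmp
ike-peer center_vpn_all
ipsec policy center_VPN_1 192 isakmp
ike-peer center_vpn_all
ipsec policy center_VPN_1 193 isakmp
ike-peer center_vpn_all
"""

def lint(config):
    """Cross-check 'ike peer' definitions against the policies that use them."""
    peers, groups, used = [], [], defaultdict(list)
    section = None  # "<policy name> <sequence>" currently being parsed
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ike peer (\S+)", line):
            peers.append(m.group(1))
            section = None
        elif m := re.match(r"ipsec policy(-template)? (\S+) (\d+)", line):
            section = f"{m.group(2)} {m.group(3)}"
            if not m.group(1) and m.group(2) not in groups:
                groups.append(m.group(2))
        elif (m := re.match(r"ike-peer (\S+)", line)) and section:
            used[m.group(1)].append(section)
    findings = [f"ike peer {p} is defined but no policy references it"
                for p in peers if p not in used]
    for peer, sections in used.items():
        if len(sections) > 1:
            findings.append(f"ike peer {peer} is shared by: {', '.join(sections)}")
    by_case = defaultdict(list)
    for name in groups:
        by_case[name.lower()].append(name)
    findings += [f"policy names differ only by case: {', '.join(names)}"
                 for names in by_case.values() if len(names) > 1]
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

On this excerpt it reports that center_vpn_192 and center_vpn_193 are never referenced, that sequences 190, 192 and 193 all use center_vpn_all, and that the policy names center_vpn_1 and center_VPN_1 differ only in letter case.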

user_2790689
Created Dec 8, 2015 09:54:52

Wait for an expert to solve this problem.