[Cialug] IPSec VPN not passing traffic

Jonathan C. Bailey jbailey at co.marshall.ia.us
Wed Sep 8 09:55:19 CDT 2010


Hmmm... I'd have to go digging through my IOS collection, it seems. I believe I have one of the "security" lines loaded on it at the moment...

Jonathan Bailey
Marshall County, Iowa
1 E Main St, Marshalltown, IA 50158
P: 641-844-2804 / C: 641-351-9631

----- Original Message -----
From: "Dave Weis" <djweis at internetsolver.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Wednesday, September 8, 2010 9:49:47 AM
Subject: Re: [Cialug] IPSec VPN not passing traffic


That's a wonderful question :-)

Not sure though. 

> -----Original Message-----
> From: cialug-bounces at cialug.org 
> [mailto:cialug-bounces at cialug.org] On Behalf Of Jonathan C. Bailey
> Sent: Wednesday, September 08, 2010 9:37 AM
> To: Central Iowa Linux Users Group
> Subject: Re: [Cialug] IPSec VPN not passing traffic
> 
> What IOS line would that be?
> 
> 
> ----- Original Message -----
> From: "Dave Weis" <djweis at internetsolver.com>
> To: "cialug at cialug.org" <cialug at cialug.org>
> Sent: Wednesday, September 8, 2010 9:21:57 AM
> Subject: Re: [Cialug] IPSec VPN not passing traffic
> 
> The arp entry should be on the vpn server. A 3745 with the 
> right ios should be capable also. 
> 
> 
> ----- Original Message -----
> From: cialug-bounces at cialug.org <cialug-bounces at cialug.org>
> To: Central Iowa Linux Users Group <cialug at cialug.org>
> Sent: Wed Sep 08 09:20:58 2010
> Subject: Re: [Cialug] IPSec VPN not passing traffic
> 
> I never saw anything in the racoon configuration for proxy arp.. Hmm..
> 
> BTW, the ARP entry you mention - should it be on the VPN 
> server with a client IP/VPN server MAC? That would seem to 
> make sense (maybe).
> 
> Also, what about a 3745 instead of the ASA? Or a 1700 series 
> router? We've got some extra Cisco stuff at the moment...
> 
> 
> -Jon
> 
> ----- Original Message -----
> From: "Dave Weis" <djweis at internetsolver.com>
> To: "Central Iowa Linux Users Group" <cialug at cialug.org>
> Sent: Wednesday, September 8, 2010 9:12:17 AM
> Subject: Re: [Cialug] IPSec VPN not passing traffic
> 
> 
> Around this point is where I break out the ASA and implement 
> it in 10 minutes... :-)
> 
> From my brief looking this can be caused by either missing 
> the proxyarp keyword somewhere or having an incorrect left or 
> right side statement.
> 
> Can you try to add the arp entry manually?
> 
> /sbin/arp -s 192.168.x.x c0:0f:fe:ba:be pub
> 
> Replace IP and mac address as appropriate
> 
> dave
> 
> --
> Dave Weis
> 515-224-9229
> djweis at internetsolver.com
> http://www.internetsolver.com/
> Please check out our Complete Support Service 
> http://www.internetsolver.com/completesupport/ 
> 
>  
> 
> > -----Original Message-----
> > From: cialug-bounces at cialug.org
> > [mailto:cialug-bounces at cialug.org] On Behalf Of Jonathan C. Bailey
> > Sent: Wednesday, September 08, 2010 9:07 AM
> > To: Central Iowa Linux Users Group
> > Subject: Re: [Cialug] IPSec VPN not passing traffic
> > 
> > Yes, our core router has a route for 192.168.22.0/24 via 10.81.10.60.
> > Forwarding is also enabled on 10.81.10.60.
> > 
> > Whenever 10.81.10.60 gets traffic for a connected VPN user, it sends
> > out ARP requests like it doesn't know about that user.
> > 
> > Jonathan Bailey
> > Marshall County, Iowa
> > 1 E Main St, Marshalltown, IA 50158
> > P: 641-844-2804 / C: 641-351-9631
> > 
> > ----- Original Message -----
> > From: "Dave Weis" <djweis at internetsolver.com>
> > To: "Central Iowa Linux Users Group" <cialug at cialug.org>
> > Sent: Wednesday, September 8, 2010 8:29:52 AM
> > Subject: Re: [Cialug] IPSec VPN not passing traffic
> > 
> > 
> > > 
> > > Also, the traffic *is* getting from client to VPN server and being
> > > decrypted, just not going anywhere on the internal network.
> > > 
> > 
> > I missed part of this but does everything on the network know the
> > routing to get to the vpn clients? If you traceroute from an unrelated
> > machine to a VPN client, where does it stop?
> > 
> > Dave
> > 
> > 
> > --
> > Dave Weis
> > 515-224-9229
> > djweis at internetsolver.com
> > http://www.internetsolver.com/
> > Please check out our Complete Support Service 
> > http://www.internetsolver.com/completesupport/
> > 
> >  
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug