IPsec VPN branches cannot access each other

Publication Date:  2012-12-14 Views:  81 Downloads:  0
Issue Description
An HQ site uses an SRG20-20, and two branch sites each use a USG2139, to build IPsec VPN tunnels to HQ. Both branches can access the HQ internal network, but the two branches cannot access each other through the VPN tunnels.
Alarm Information
None.
Handling Process
1. Because both branches can access the HQ internal network, the basic IPsec configuration (IKE/IPsec proposals, peers, policies) is working; the problem must be in which traffic is selected for the tunnel.
2. Checked the ACLs that define the IPsec data flow on the two branches and found that they were incomplete:
       Branch ACL on the first USG2139:
              acl number 3000
                 description FOR_VPN
                 rule 0 permit ip source 172.70.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
       Branch ACL on the second USG2139:
              acl number 3002
                  description FOR_VPN
                  rule 0 permit ip source 172.17.112.0 0.0.3.255 destination 172.17.0.0 0.0.255.255
   Comparing the two: the destination range of the second ACL (172.17.0.0/16) does not contain the source network of the branch that uses the first ACL (172.70.0.0/16). Traffic from the second branch to the first therefore never matches the IPsec data flow and is not sent into the tunnel, so the two branches cannot communicate. To allow mutual access, the destination range of both ACLs was widened to cover HQ and all branch networks. The first ACL was changed to:
        rule 0 permit ip source 172.70.0.0 0.0.255.255 destination 172.0.0.0 0.255.255.255
   The second ACL was changed to:
        rule 0 permit ip source 172.17.112.0 0.0.3.255 destination 172.0.0.0 0.255.255.255
3. Testing confirmed that the branches can now reach each other through the VPN.
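The check performed by hand above, as an added example that is not part of the original case: the script below parses the four ACL rules (the original pair and the corrected pair) in their VRP "address wildcard" form, converts each wildcard to a prefix, and tests whether each branch's ACL covers traffic from its own LAN to the other branch's LAN. The branch LAN is assumed to be the source range of that branch's own ACL; the rule syntax accepted is limited to the "permit ip source ... destination ..." shape that appears on this page.

```python
import ipaddress

# Constructed sample input: the two branch IPsec ACLs from the case, before and after the fix.
# Syntax is Huawei VRP: "source ADDR WILDCARD destination ADDR WILDCARD" (wildcard = inverted mask).
ORIGINAL_ACLS = {
    "branch_A": "rule 0 permit ip source 172.70.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255",
    "branch_B": "rule 0 permit ip source 172.17.112.0 0.0.3.255 destination 172.17.0.0 0.0.255.255",
}
FIXED_ACLS = {
    "branch_A": "rule 0 permit ip source 172.70.0.0 0.0.255.255 destination 172.0.0.0 0.255.255.255",
    "branch_B": "rule 0 permit ip source 172.17.112.0 0.0.3.255 destination 172.0.0.0 0.255.255.255",
}


def wildcard_to_network(addr, wildcard):
    """Convert an address/wildcard pair to an IPv4Network.

    A VRP wildcard is the bitwise inverse of a subnet mask (0.0.3.255 -> 255.255.252.0 -> /22).
    Non-contiguous wildcards cannot be expressed as a prefix and make IPv4Network raise.
    """
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_rule(rule):
    """Parse 'rule N permit|deny ip source A W destination A W' into (action, src_net, dst_net)."""
    t = rule.split()
    if (len(t) != 10 or t[0] != "rule" or t[3] != "ip"
            or t[4] != "source" or t[7] != "destination"):
        raise ValueError(f"unsupported rule syntax: {rule}")
    return t[2], wildcard_to_network(t[5], t[6]), wildcard_to_network(t[8], t[9])


def flow_is_protected(rule, src_net, dst_net):
    """True if every packet from src_net to dst_net matches the permit rule,
    i.e. the rule's source range contains src_net and its destination range contains dst_net."""
    action, rule_src, rule_dst = parse_rule(rule)
    return action == "permit" and src_net.subnet_of(rule_src) and dst_net.subnet_of(rule_dst)


def branch_to_branch_report(acls):
    """For every ordered pair of branches, check whether the sending branch's own ACL
    selects traffic from its LAN to the other branch's LAN for IPsec.
    Assumption: each branch's LAN is the source range of its own ACL."""
    lans = {name: parse_rule(rule)[1] for name, rule in acls.items()}
    report = {}
    for src_name, src_lan in lans.items():
        for dst_name, dst_lan in lans.items():
            if src_name != dst_name:
                report[(src_name, dst_name)] = flow_is_protected(acls[src_name], src_lan, dst_lan)
    return report


def mutual_access(acls, a, b):
    """Mutual access needs both directions covered: the initiator's ACL must select the
    outbound flow and the peer's ACL must select the return flow."""
    r = branch_to_branch_report(acls)
    return r[(a, b)] and r[(b, a)]


if __name__ == "__main__":
    for label, acls in (("original", ORIGINAL_ACLS), ("fixed", FIXED_ACLS)):
        print(label)
        for (src, dst), ok in branch_to_branch_report(acls).items():
            print(f"  {src} -> {dst}: {'in tunnel' if ok else 'NOT selected by IPsec ACL'}")
```

Run against the original ACLs, the report shows branch_A -> branch_B selected (172.17.112.0/22 lies inside 172.17.0.0/16) but branch_B -> branch_A not selected, which is exactly the one-way gap found above; with the corrected ACLs both directions are selected. The same checker can be pointed at the HQ-side ACLs to confirm they are mirror images of the branch rules.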
Root Cause
The ACL that defines the IPsec data flow on each branch only covered traffic to the HQ network segment; it did not include traffic destined for the other branch, so branch-to-branch packets were never selected for the tunnel.
Suggestions
When deploying an IPsec VPN in which HQ and the branches must all communicate, define the source of each branch's IPsec ACL as that branch's own network segment, and define the destination as all network segments of HQ and of the other branches. The ACLs on the HQ side must be the mirror image of these rules (source and destination swapped), or the IPsec SA for the branch-to-branch flow will not be negotiated. Note that the 172.0.0.0/8 destination used here is broader than strictly required; listing the exact HQ and branch segments as separate rules keeps unrelated 172.x.x.x traffic out of the tunnel.

END