
VPN tunnel is up but remote LAN is not reachable

Publication Date:  2014-04-13 Views:  1080 Downloads:  0

Issue Description

The IPsec tunnel is up, but the remote LAN is not reachable.

The scenario is a site-to-site IPsec VPN. Both sites connect over PPPoE with dynamic public addresses and use DynDNS names as the peer addresses.

Site 1 : DXB
Local LAN : 192.168.2.0/24
Remote LAN : 192.168.0.0/24
DynDNS domain : adcdxb.dyndns-home.com

Site 2 : AUH
Local LAN : 192.168.0.0/24
Remote LAN : 192.168.2.0/24
DynDNS domain : adcauh.dyndns.org

Alarm Information

none

Handling Process

Check the configuration of the PPPoE interface (Dialer0) on both firewalls:

interface Dialer0
link-protocol ppp
ppp chap user advdent
ppp chap password cipher %$%$q{I&S1A+xUA0l1Tc~(.NU:1(%$%$
ppp pap local-user advdent password cipher %$%$2xlC1B`zkX-gBBW2Sa:.U0'{%$%$
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer user advdent
dialer-group 10
dialer bundle 1
ipsec policy map1 auto-neg
ddns apply policy abc
service-manage enable
service-manage https permit
service-manage ping permit
service-manage ssh permit
nat enable    // unwanted: this enables interface source NAT on Dialer0. Source NAT belongs in the interzone nat-policy, not under the interface. Delete this command.
detect ftp

Both firewalls (FW-DXB and FW-AUH) have the same incorrect configuration: the command "nat enable" under interface Dialer0.

After the "nat enable" command is deleted from interface Dialer0 on both sides, the two LANs can communicate and IPsec works correctly.

Root Cause

The root cause is interface source NAT, i.e. the "nat enable" command under interface Dialer0. With it configured, traffic leaving Dialer0 is source-translated to the interface's public address before the IPsec policy is evaluated, so the translated packets no longer match the IPsec ACL. Instead of being encrypted into the IPsec tunnel, the LAN-to-LAN traffic is forwarded as ordinary NATed traffic and never reaches the remote LAN.

Suggestions

When IPsec and NAT are both needed on the same interface, do not configure "nat enable" under the interface. Configure source NAT in the interzone nat-policy instead, and make sure traffic destined for the remote LAN is excluded from translation, so that it still matches the IPsec ACL. Otherwise the protected flows enter NAT instead of the IPsec tunnel and cannot be forwarded correctly.
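To make the ordering described in Root Cause and Suggestions concrete, here is an added Python simulation. It is not part of the original case and not Huawei code: it models the two forwarding steps the page describes (interface source NAT first, then the IPsec ACL match) and shows which flows end up in the tunnel with and without "nat enable". The Dialer0 public address 203.0.113.10 and the sample flows are constructed for the example; the page does not state them.

```python
"""
Simulation of why 'nat enable' on Dialer0 breaks the site-to-site tunnel.

Model (as described in the case): when interface source NAT is enabled,
the packet's source is rewritten to the interface's public address BEFORE
the outbound IPsec policy evaluates its ACL, so LAN-to-LAN traffic no
longer matches the ACL and is forwarded as plain NATed traffic.
"""
import ipaddress
from dataclasses import dataclass

# IPsec ACL on site DXB, from the case: protect 192.168.2.0/24 -> 192.168.0.0/24
IPSEC_ACL = [
    (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("192.168.0.0/24")),
]

# Assumed public address negotiated on Dialer0 (not stated in the case).
DIALER0_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def make_packet(src: str, dst: str) -> Packet:
    """Build a packet from dotted-quad strings."""
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))


def apply_interface_nat(pkt: Packet, nat_enable: bool) -> Packet:
    """Interface source NAT ('nat enable'): rewrite the source of every
    packet leaving Dialer0 to the interface's public address."""
    if nat_enable:
        return Packet(DIALER0_PUBLIC_IP, pkt.dst)
    return pkt


def matches_ipsec_acl(pkt: Packet) -> bool:
    """True if the packet matches a source/destination pair in the IPsec ACL."""
    return any(pkt.src in src_net and pkt.dst in dst_net for src_net, dst_net in IPSEC_ACL)


def forward(pkt: Packet, nat_enable: bool) -> str:
    """How the firewall forwards the packet out of Dialer0:
    'ipsec'  - encrypted into the IPsec tunnel
    'plain'  - sent as ordinary (NATed) traffic, not through the tunnel
    Interface NAT is applied before the IPsec ACL is evaluated."""
    after_nat = apply_interface_nat(pkt, nat_enable)
    return "ipsec" if matches_ipsec_acl(after_nat) else "plain"


def classify_flows(nat_enable: bool) -> dict:
    """Run a few constructed flows from site DXB through the model and
    report the forwarding decision for each."""
    flows = {
        "lan-to-remote-lan": make_packet("192.168.2.10", "192.168.0.20"),
        "lan-to-internet": make_packet("192.168.2.10", "198.51.100.5"),
    }
    return {name: forward(pkt, nat_enable) for name, pkt in flows.items()}


if __name__ == "__main__":
    for setting in (True, False):
        print(f"nat enable = {setting}: {classify_flows(setting)}")
```

With "nat enable" present, the LAN-to-remote-LAN flow is classified as "plain": its source has already become 203.0.113.10, which is outside 192.168.2.0/24, so the ACL never matches and nothing enters the tunnel even though the IKE/IPsec SAs are up. Without it, the same flow matches and is encrypted, while Internet-bound traffic is unaffected by the change either way; on the real firewall that traffic is then translated by the interzone nat-policy, which this model does not include.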

END