L3 VPN won't come up

Hello,

I have a problem with a VPN setup between a CVG and a BR200 (branch office).
As you can see, the VPN won't come up.

Both ports 500 and 4500 are open.

If I run a show IKE Event on the CVG I get the following (192.168.1.45 is the WAN IP of the CVG and 80.101.73.208 is the public IP of the branch office):

2013-07-22 14:19:18:Phase 1 deleted(192.168.1.45[500]->80.101.73.208[500])
2013-07-22 14:19:24:Phase 1 started(192.168.1.45[500]->80.101.73.208[500])
2013-07-22 14:19:32:Peer not responding(192.168.1.45[500]->80.101.73.208[500])
2013-07-22 14:19:32:Phase 1 deleted(192.168.1.45[500]->80.101.73.208[500])
2013-07-22 14:19:38:Phase 1 started(192.168.1.45[500]->80.101.73.208[500])

Show IKE Event on the BR200 (194.78.213.250 is a dedicated public IP address and 192.168.178.213 is the eth0 IP address of the BR200, assigned through DHCP):

2013-07-22 14:18:32:Phase 1 started(192.168.178.21[500]->194.78.213.250[500])
2013-07-22 14:18:44:Phase 1 deleted(192.168.178.21[4500]->194.78.213.250[4500])
2013-07-22 14:18:46:Phase 1 started(192.168.178.21[500]->194.78.213.250[500])
2013-07-22 14:18:58:Phase 1 deleted(192.168.178.21[4500]->194.78.213.250[4500])

Should the eth0 IP of the BR200 be in the same subnet as the range of the CVG (192.168.1.x)?

Please, can anyone help me?
Feel free to ask for more logging data or setup parameters.

Thanks!
Seppe

Giuseppe

  • 16 Posts
  • 1 Reply Like


Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Hi Seppe,

From the IKE Event log it looks like the BR200 cannot reach the CVG. Can you confirm that both UDP 500 and UDP 4500 are open inbound and outbound on your firewall on the BR200 side? You mentioned that ports 500 and 4500 were open, but did not specify whether that was TCP or UDP, and did not mention whether those ports were open in both directions for both the CVG and the BR200. If you are just seeing Phase 1 start and get deleted on the BR200, that usually indicates a firewall issue, which is reinforced by the message you are receiving on the CVG: 2013-07-22 14:19:32:Peer not responding(192.168.1.45[500]->80.101.73.208[500]).

Thanks in advance
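As an added illustration of the reasoning in this reply (not code from the thread or from the vendor), a small Python parser that reads "show IKE Event" lines like the ones quoted above and flags the pattern described here: Phase 1 starts that only ever end in deletes, a silent peer, and a switch to port 4500 (NAT-T), which means UDP 4500 must pass the firewall as well as UDP 500. The "Phase 1 established" wording in the constructed healthy sample is an assumption, not taken from the thread.

```python
import re
from datetime import datetime

# Constructed sample input, copied from the "show IKE Event" lines quoted in the thread.
CVG_EVENTS = """\
2013-07-22 14:19:18:Phase 1 deleted(192.168.1.45[500]->80.101.73.208[500])
2013-07-22 14:19:24:Phase 1 started(192.168.1.45[500]->80.101.73.208[500])
2013-07-22 14:19:32:Peer not responding(192.168.1.45[500]->80.101.73.208[500])
2013-07-22 14:19:32:Phase 1 deleted(192.168.1.45[500]->80.101.73.208[500])
2013-07-22 14:19:38:Phase 1 started(192.168.1.45[500]->80.101.73.208[500])
"""
BR200_EVENTS = """\
2013-07-22 14:18:32:Phase 1 started(192.168.178.21[500]->194.78.213.250[500])
2013-07-22 14:18:44:Phase 1 deleted(192.168.178.21[4500]->194.78.213.250[4500])
2013-07-22 14:18:46:Phase 1 started(192.168.178.21[500]->194.78.213.250[500])
2013-07-22 14:18:58:Phase 1 deleted(192.168.178.21[4500]->194.78.213.250[4500])
"""
# Constructed healthy log; the "Phase 1 established" wording is an assumption, not from the thread.
HEALTHY_EVENTS = """\
2013-07-22 15:00:00:Phase 1 started(192.168.1.45[500]->80.101.73.208[500])
2013-07-22 15:00:01:Phase 1 established(192.168.1.45[4500]->80.101.73.208[4500])
"""
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d):([^(]+)\(([\d.]+)\[(\d+)\]->([\d.]+)\[(\d+)\]\)$")

def parse_events(text):
    """Turn 'show IKE Event' lines into (timestamp, event, src, sport, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, event, src, sport, dst, dport = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event.strip(), src, int(sport), dst, int(dport)))
    return events

def diagnose(events):
    """Heuristic from the thread: Phase 1 starts that only end in deletes, with a silent peer, suggest UDP 500/4500 is filtered."""
    names = [e[1] for e in events]
    starts = [e[0] for e in events if e[1] == "Phase 1 started"]
    established = any("established" in n for n in names)   # assumed wording for a completed Phase 1
    silent_peer = "Peer not responding" in names
    nat_t_seen = any(e[5] == 4500 for e in events)          # peer moved to UDP 4500 (NAT-T): 4500 must be open too
    retry_s = [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]  # gap between retries
    suspect_firewall = bool(starts) and not established and (silent_peer or names.count("Phase 1 deleted") >= len(starts))
    return {"phase1_starts": len(starts), "established": established, "silent_peer": silent_peer,
            "nat_t_seen": nat_t_seen, "retry_interval_s": retry_s, "suspect_firewall": suspect_firewall}

if __name__ == "__main__":
    for name, text in (("CVG", CVG_EVENTS), ("BR200", BR200_EVENTS), ("healthy", HEALTHY_EVENTS)):
        print(name, diagnose(parse_events(text)))
```

On the two logs from the thread the verdict is the same on both ends, which is consistent with a filter between the peers rather than a fault on one box; the BR200 log additionally shows the NAT-T switch to 4500 that the CVG side never sees.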

Giuseppe

  • 16 Posts
  • 1 Reply Like
Hello Brian,

I would like to verify whether both ports are open. Is there a way I can test this? The rules on the ISA server look like they are fine. If I run a telnet from outside to the public IP of the HQ, I cannot make a session to the CVG. I guess telnet won't work because the ports are UDP? Maybe there is another way to test if the ports are open?

Thanks,
Seppe

Giuseppe

  • 16 Posts
  • 1 Reply Like
Hello,

The VPN is up!
We found a bug in Forefront Threat Management Gateway 2010.

Thanks,
Seppe

Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Hello Seppe,

I am very happy to hear that your VPN tunnel is now up and running! However, would you be able to enlighten us as to what needed to be adjusted in the firewall to get this up and running? If there is an issue in Microsoft Forefront, other customers may experience this same problem, so it would be helpful to know what needed to be adjusted to be able to interoperate with our product.

Thanks in advance