New Member
Posts: 1
Registered: 10-23-2018

Packets not routed via IPSec tunnels

I'm running Brocade vRouter 5600.

I've got 2 gateways running in high availability, and they've been running fine for a couple of years.

I'm trying to set up a VPN/IPsec on one of my gateways and have packets routed via the 4 tunnels created.

These are my configuration commands:

set security vpn ipsec esp-group MY-ESP compression 'disable'
set security vpn ipsec esp-group MY-ESP lifetime '3600'
set security vpn ipsec esp-group MY-ESP mode 'tunnel'
set security vpn ipsec esp-group MY-ESP pfs 'dh-group5'
set security vpn ipsec esp-group MY-ESP proposal 1 encryption 'aes256'
set security vpn ipsec esp-group MY-ESP proposal 1 hash 'sha1'

set security vpn ipsec ike-group MY-IKEV1 dead-peer-detection action 'restart'
set security vpn ipsec ike-group MY-IKEV1 dead-peer-detection interval '20'
set security vpn ipsec ike-group MY-IKEV1 dead-peer-detection timeout '90'
set security vpn ipsec ike-group MY-IKEV1 ike-version '1'
set security vpn ipsec ike-group MY-IKEV1 lifetime '86400'
set security vpn ipsec ike-group MY-IKEV1 proposal 1 dh-group '5'
set security vpn ipsec ike-group MY-IKEV1 proposal 1 encryption 'aes256'
set security vpn ipsec ike-group MY-IKEV1 proposal 1 hash 'sha1'

set security vpn ipsec site-to-site peer 70.21.22.99 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 70.21.22.99 authentication pre-shared-secret 'PSK'
set security vpn ipsec site-to-site peer 70.21.22.99 connection-type 'initiate'
set security vpn ipsec site-to-site peer 70.21.22.99 default-esp-group 'MY-ESP'
set security vpn ipsec site-to-site peer 70.21.22.99 description 'MY VPN GW1'
set security vpn ipsec site-to-site peer 70.21.22.99 ike-group 'MY-IKEV1'
set security vpn ipsec site-to-site peer 70.21.22.99 local-address '5.67.88.253'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 local prefix '201.199.10.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 remote prefix '70.99.100.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 local prefix '211.198.11.22/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 remote prefix '70.99.100.9032'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 local prefix '211.198.11.90/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 remote prefix '70.101.100.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 local prefix '201.199.11.66/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 remote prefix '5.100.90.21/32'

This results in the following output from show vpn ipsec sa peer 70.21.22.99:

Peer ID / IP     Local ID / IP
------------     -------------
70.21.22.99      5.67.88.253

    Description: MY VPN GW1

    Tunnel  Id  State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
    ------  --  -----  ------------  -------  ----  --  ------  ------
    0       7   up     0.0/0.0       aes256   sha1  5   93      3600
    1       8   up     0.0/0.0       aes256   sha1  5   93      3600
    2       9   up     0.0/0.0       aes256   sha1  5   93      3600
    3       10  up     0.0/0.0       aes256   sha1  5   93      3600

But when I, for example, try to ping 70.99.100.11, the "Bytes Out/In" doesn't change, and my remote peer cannot see any packets entering their gateway.

How can I make sure packets for the remote IP addresses are routed via my VPN/IPsec tunnels?
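Added example, not part of the post above and not Brocade/Vyatta code: a small Python check that parses the `tunnel N local prefix` / `tunnel N remote prefix` lines from a configuration like the one posted and reports whether a given source/destination pair falls inside any tunnel's traffic selector. With policy-based site-to-site IPsec of this kind, a packet is only handed to an SA when its source address is inside the tunnel's local prefix and its destination is inside the remote prefix; a packet that matches no selector is forwarded in the clear by the normal routing table, and the SA's Bytes Out/In counters stay at zero even though the SA shows `up`. The sample configuration embedded in the script is the selector-related subset of the post's own lines, copied as posted (note that the `tunnel 1 remote prefix` value as posted has no `/` and is not a valid CIDR prefix, which the parser reports rather than silently dropping). The test addresses used at the bottom are taken from the post; the function names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the selector-related lines from the configuration in the
# post above, copied as posted (the tunnel 1 remote prefix is reproduced verbatim).
SAMPLE_CONFIG = """
set security vpn ipsec site-to-site peer 70.21.22.99 local-address '5.67.88.253'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 local prefix '201.199.10.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 remote prefix '70.99.100.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 local prefix '211.198.11.22/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 remote prefix '70.99.100.9032'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 local prefix '211.198.11.90/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 remote prefix '70.101.100.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 local prefix '201.199.11.66/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 remote prefix '5.100.90.21/32'
"""

TUNNEL_RE = re.compile(
    r"set security vpn ipsec site-to-site peer (?P<peer>\S+) "
    r"tunnel (?P<tid>\d+) (?P<side>local|remote) prefix '(?P<prefix>[^']+)'$"
)
LOCAL_ADDR_RE = re.compile(
    r"set security vpn ipsec site-to-site peer (?P<peer>\S+) local-address '(?P<addr>[^']+)'$"
)

TunnelKey = Tuple[str, int]  # (peer address, tunnel id)


def parse_tunnels(config: str) -> Dict[TunnelKey, dict]:
    """Collect each tunnel's local/remote prefix as ip_network objects.

    A prefix that does not parse is recorded under 'errors' instead of being
    silently dropped, so a typo in a selector shows up in the diagnosis.
    """
    tunnels: Dict[TunnelKey, dict] = {}
    for raw in config.splitlines():
        m = TUNNEL_RE.match(raw.strip())
        if not m:
            continue
        key = (m["peer"], int(m["tid"]))
        entry = tunnels.setdefault(key, {"local": None, "remote": None, "errors": []})
        try:
            entry[m["side"]] = ipaddress.ip_network(m["prefix"], strict=False)
        except ValueError:  # AddressValueError / NetmaskValueError both derive from it
            entry["errors"].append(f"{m['side']} prefix {m['prefix']!r} is not a valid CIDR prefix")
    return tunnels


def parse_local_addresses(config: str) -> Dict[str, str]:
    """Map peer address -> the gateway's own local-address configured for that peer."""
    matches = (LOCAL_ADDR_RE.match(line.strip()) for line in config.splitlines())
    return {m["peer"]: m["addr"] for m in matches if m}


def matching_tunnel(tunnels: Dict[TunnelKey, dict], src: str, dst: str) -> Optional[TunnelKey]:
    """Return the first tunnel whose local prefix contains src AND whose remote prefix
    contains dst. None means the flow matches no selector and will not be encrypted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for key in sorted(tunnels):
        t = tunnels[key]
        if t["local"] is not None and t["remote"] is not None and s in t["local"] and d in t["remote"]:
            return key
    return None


def diagnose(config: str, src: str, dst: str) -> List[str]:
    """Human-readable findings for one src -> dst flow checked against the parsed config."""
    tunnels = parse_tunnels(config)
    findings: List[str] = []
    for key, t in sorted(tunnels.items()):
        for err in t["errors"]:
            findings.append(f"peer {key[0]} tunnel {key[1]}: {err}")
    hit = matching_tunnel(tunnels, src, dst)
    if hit is not None:
        findings.append(f"{src} -> {dst} matches peer {hit[0]} tunnel {hit[1]}: sent through that SA")
    else:
        findings.append(f"{src} -> {dst} matches no tunnel selector: forwarded in the clear by the routing table")
        for peer, addr in parse_local_addresses(config).items():
            if src == addr:
                findings.append(f"source {src} is the gateway's local-address for peer {peer}, not an address "
                                "inside any tunnel's local prefix; source the test traffic from a local-prefix address")
    return findings


if __name__ == "__main__":
    # A ping sourced from the gateway's local-address (the default for a ping run on the
    # gateway itself) versus one sourced from the tunnel 0 local prefix, both to 70.99.100.11.
    for flow in (("5.67.88.253", "70.99.100.11"), ("201.199.10.11", "70.99.100.11")):
        for line in diagnose(SAMPLE_CONFIG, *flow):
            print(line)
        print()
```

The check is deliberately independent of the SA state: an SA can be up (phase 1 and phase 2 negotiated) while no traffic ever matches its selectors, which is exactly the "up, 0.0/0.0" picture in the output above. Comparing the selector the remote peer has configured against the local/remote prefixes parsed here is the same exercise from the other side.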
