New Contributor

how to debug Site-to-Site VPN?

Hi, 
I have configured a site-to-site IPSec VPN with the following commands:

 

Topology:
(controller-Initiator)--(NAT Gateway)--[emulate internet]--((Nat Static 500,4500) NAT Gateway)--(controller-Responder)
172.16.1.254---------------1.1.1.2--------------------------------------------1.1.1.1--------------------------------------172.16.0.254
The connection is OK; I have tested it. I can ping the responder from the initiator.
 
configuration(controller-Initiator)

(Responder) #show switch ip

Switch IP Address: 172.16.1.254

!

crypto-local ipsec-map s2s 1
peer-ip 1.1.1.1
local-fqdn initiator.xxx.com
vlan 1
src-net 172.16.1.0 255.255.255.0
dst-net 172.16.0.0 255.255.255.0
set transform-set default-transform
pre-connect enable
trusted enable
force-natt enable

crypto-local isakmp key "******" address 1.1.1.1 netmask 255.255.255.255

 
=======================================
configuration(controller-responder)

(Responder) #show switch ip

Switch IP Address: 172.16.0.254

!

crypto-local ipsec-map responder 1
peer-ip 0.0.0.0
peer-fqdn any-fqdn
vlan 1
src-net 172.16.0.0 255.255.255.0
dst-net 0.0.0.0 0.0.0.0
set transform-set default-transform
pre-connect enable
trusted enable
force-natt enable
!

crypto-local isakmp key "******" fqdn-any

 

I used Wireshark to monitor the SPAN port to debug this issue, and Wireshark shows that they cycle through the first two steps of aggressive mode.

 

I have also logged security messages, but they didn't show any anomalous messages. Are there other commands for debugging this issue? Can anyone help me? Thanks in advance!

 

Guru Elite

Re: how to debug Site-to-Site VPN?

Can you ping any of the private addresses to/from?

 

Change your dst-net to 172.16.1.0 255.255.255.0, instead of 0.0.0.0 0.0.0.0

 

Type "show datapath tunnel table" to see the encaps (sent traffic) and decaps (received traffic)



Colin Joseph
Aruba Customer Engineering
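
The selector change suggested in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Aruba tooling: a Python script that parses the src-net/dst-net lines of the two posted maps and reports where they fail to mirror each other. The function names are hypothetical, and exact mirroring of the selectors is the assumption taken from the reply.

```python
import ipaddress

# Constructed sample input: the selector lines of the two maps as posted in the thread.
INITIATOR = """\
crypto-local ipsec-map s2s 1
peer-ip 1.1.1.1
src-net 172.16.1.0 255.255.255.0
dst-net 172.16.0.0 255.255.255.0
"""
RESPONDER = """\
crypto-local ipsec-map responder 1
peer-ip 0.0.0.0
src-net 172.16.0.0 255.255.255.0
dst-net 0.0.0.0 0.0.0.0
"""

def parse_selectors(config):
    """Return {'src-net': IPv4Network, 'dst-net': IPv4Network} for one map block."""
    nets = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("src-net", "dst-net"):
            # "network netmask" pair -> network object (0.0.0.0 0.0.0.0 becomes 0.0.0.0/0)
            nets[parts[0]] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
    missing = {"src-net", "dst-net"} - nets.keys()
    if missing:
        raise ValueError(f"missing selector(s): {sorted(missing)}")
    return nets

def selector_mismatches(local_cfg, remote_cfg):
    """List the ways the two maps fail to mirror each other (empty list = mirrored)."""
    local, remote = parse_selectors(local_cfg), parse_selectors(remote_cfg)
    problems = []
    for mine, theirs in (("src-net", "dst-net"), ("dst-net", "src-net")):
        if local[mine] != remote[theirs]:
            problems.append(
                f"local {mine} {local[mine]} != remote {theirs} {remote[theirs]}")
    return problems

if __name__ == "__main__":
    for problem in selector_mismatches(INITIATOR, RESPONDER):
        print("MISMATCH:", problem)
    # Apply the dst-net change suggested in the reply and re-check.
    fixed = RESPONDER.replace("dst-net 0.0.0.0 0.0.0.0",
                              "dst-net 172.16.1.0 255.255.255.0")
    print("after suggested change:", selector_mismatches(INITIATOR, fixed) or "mirrored")
```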
