Cisco Router problem routing for Remote Client

---

• From: billthegatesingh@xxxxxxxxx
• Date: 17 Nov 2005 22:39:08 -0800

---

Hello,

My company has 2 centers main-Center and an Branch(100Km apart), they
are connect by an VPN service Using Cisco 1841 and Cisco 1761(At
Branch) Routers. All intenet access to the Branch is through the Vpn
from the Main Center. The problem i am facing is that i am trying to
establish an Vpn session through nortel VPn software to an Remote
Client site from the Branch office which i am unable to connect it give
an error message "Secure connection has been lost". When i try doing
the same through the main center it connect without any problem.Also,
at the branch office i am able to acces sites and other servers outside
our network. Things to Note :

1) all traffice between the 2 centers is unrestricted.
2) On MAin router from which internet is being accessed all traffice on
ports ISAKMP ESP AH is open to and from the Remote Clients VPN
Router/firewall.
3) on the Branch router all traffice is open in and out to the Remote
Clients Public Ip.

Now, to analyze the problem i did an ethreal packet sniffing when try
to connect to remote clients VPN. the results are as follows:
1) I see traffice to the renote client site as ISAKMP( Agressive Mode),
A response back from client is recieved.

2) Then there is traffice and response for ISAkMP(transaction (Config
Mode).

3)Then i can see traffic from My machine to the remote site as ESP, I
can see 31 packets sent but no packets recieved.

4) After about 51 seconds of the initiating the process i see
ISAKMP(informational), for which i get an response back as
ISAKMP(informational).

5) Immediately after that ICMP Destination unreachable, form my machine
.. Then i cant ping the remore Nortel fireall for 2-3 Minutes.


I have also checked the NAT translations on the Main Router . It show
the ISAKMP traffice from My machine Ip to the Remote clients Firewall
Ip and the ICMPerr

The problem is that i need to get this up and runningas this is Imp.
Any help is welcome . Plesae let me know if u need details..


Regards,
Bill

.

---

• Prev by Date: Re: Cat 6500 spanning tree - change MAC address?
• Next by Date: Re: Cisco 1751: %Software-forced reload
• Previous by thread: Cisco 2610 BGP
• Next by thread: Do we use the classful address scheme yet?
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: IP routing on VPN ... >my VPN clients can't connect to the VPN server. ... >Frame router that routes to subnets 192.168.30.1 ... >How do the VPN clients know to get to the outside NIC? ... (microsoft.public.windows.server.networking) Re: VPN error with SBS2003 and ISA ... some of the cable/dsl router just don't work with VPN. ... When you switch your clients from the x.x.2.x network to x.x.3.x ... (microsoft.public.isaserver) Re: IP routing on VPN ... > I have a RRAS Server setup as a VPN with two NICs. ... Just use the Internet Router as ... All the clients on ... VPN Clients, when getting the DHCP assignment, must use a Default Gateway ... (microsoft.public.windows.server.networking) Re: authenticate clients over router to router VPN ? ... subnets connected by an IP router. ... Remote access and VPN dialup clients do ... > connection established i.e can ping etc.. ... (microsoft.public.win2000.ras_routing) Re: HIPAA and firewalls ... >compliant manner using VPN. ... this is a bad and expensive method of purchasing a router. ... the VPN is setup in 5 steps. ... network IP block to both sides of the VPN tunnel. ... (comp.security.firewalls)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)