Tue Apr 09, 2013 6:59 am
I'd like to get this method functional. I'm actually working on documentation for each scenario. Here is the problem.
Router-A
ether1 = 65.55.45.34/29 default route = 65.55.45.33
ether2 = 10.10.1.1/24
Laptop = 10.10.1.254/24
Router-B
ether1 = 66.56.46.34/29 default route = 66.56.46.33
ether2 = 10.10.2.1/24
Laptop = 10.10.2.254/24
Peer on Router-A
Peer = 66.56.46.34
defaults for the rest
Peer on Router-B
Peer = 65.55.45.34
defaults for the rest
Policy on Router-A
src. address 10.10.1.0/24
dst. address 10.10.2.0/24
then the publics for the SAs as usual.
Policy on Router-B
src. address 10.10.2.0/24
dst. address 10.10.1.0/24
then the publics for the SAs as usual.
NAT on Router-A
chain=srcnat, src. address=10.10.1.0/24, dst. address=10.10.2.0/24, action=accept
NAT on Router-B
chain=srcnat, src. address=10.10.2.0/24, dst. address=10.10.1.0/24, action=accept
As I stated, the IPsec tunnel comes up fine in one scenario and then works 100%. Scenario 4 is the only way to bring up the tunnel and get everything to work. I thought at first it had something to do with the peer setting for "Send Initial Contact", but no matter how I configure that setting on either end, nothing changes. The reboot stated below is simply to clear connections, flush SAs, and kill the peer connection. I am trying to recreate a clean boot, that's all.
Scenario 1: Reboot both units. On Router-A, from the laptop ping 10.10.1.1: works. Ping 10.10.2.1: IPsec doesn't come up and does not set "SA Installed".
Scenario 2: Reboot both units. On Router-B, from the laptop ping 10.10.2.1: works. Ping 10.10.1.1: IPsec doesn't come up and does not set "SA Installed".
Scenario 3: Reboot both units. On Router-A, from the Ping Tool ping 10.10.2.1 from the ether2 interface: the tunnel does not come up either.
Scenario 4: Reboot both units. On Router-B, from the Ping Tool ping 10.10.1.1 from the ether2 interface: the tunnel comes up.
In all of these scenarios I am sending interesting traffic. I have checked and checked my configurations with no luck thus far. All firmware is on the latest version.
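For reference, here is the layout described above written out as a complete RouterOS console configuration for both routers, followed by the commands I would use to inspect IKE/SA state instead of rebooting. This is an added example, not the poster's actual export: the addresses, interface names and subnets are the ones given in the post; the pre-shared key, the use of the default proposal, the input-chain filter rules and the masquerade rule (which the srcnat accept rule only makes sense in front of) are assumptions.

```routeros
# ---------- Router-A (addresses from the post; PSK/proposal/masquerade assumed) ----------
/ip address add address=65.55.45.34/29 interface=ether1
/ip address add address=10.10.1.1/24 interface=ether2
/ip route add dst-address=0.0.0.0/0 gateway=65.55.45.33

# Let IKE (UDP/500), NAT-T (UDP/4500) and ESP from the peer reach the router itself.
/ip firewall filter add chain=input src-address=66.56.46.34 protocol=udp dst-port=500,4500 action=accept
/ip firewall filter add chain=input src-address=66.56.46.34 protocol=ipsec-esp action=accept

# The accept rule must sit ABOVE masquerade: if the packet is rewritten to 65.55.45.34
# first, its source no longer matches 10.10.1.0/24 and the IPsec policy never fires.
/ip firewall nat add chain=srcnat src-address=10.10.1.0/24 dst-address=10.10.2.0/24 action=accept place-before=0
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Peer and policy; secret is a placeholder, proposal=default is assumed.
/ip ipsec peer add address=66.56.46.34/32 exchange-mode=main auth-method=pre-shared-key \
    secret="CHANGE-ME" send-initial-contact=yes
/ip ipsec policy add src-address=10.10.1.0/24 dst-address=10.10.2.0/24 \
    sa-src-address=65.55.45.34 sa-dst-address=66.56.46.34 tunnel=yes action=encrypt proposal=default

# ---------- Router-B (mirror image) ----------
/ip address add address=66.56.46.34/29 interface=ether1
/ip address add address=10.10.2.1/24 interface=ether2
/ip route add dst-address=0.0.0.0/0 gateway=66.56.46.33
/ip firewall filter add chain=input src-address=65.55.45.34 protocol=udp dst-port=500,4500 action=accept
/ip firewall filter add chain=input src-address=65.55.45.34 protocol=ipsec-esp action=accept
/ip firewall nat add chain=srcnat src-address=10.10.2.0/24 dst-address=10.10.1.0/24 action=accept place-before=0
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip ipsec peer add address=65.55.45.34/32 exchange-mode=main auth-method=pre-shared-key \
    secret="CHANGE-ME" send-initial-contact=yes
/ip ipsec policy add src-address=10.10.2.0/24 dst-address=10.10.1.0/24 \
    sa-src-address=66.56.46.34 sa-dst-address=65.55.45.34 tunnel=yes action=encrypt proposal=default

# ---------- Checking state on either router (instead of a reboot) ----------
# Drop all phase-2 SAs, then generate interesting traffic from the LAN side.
/ip ipsec installed-sa flush
# Ping tool: a source address inside the policy's src-address is what makes the packet
# "interesting"; with no src-address the router would use ether1's public address.
/ping 10.10.2.1 src-address=10.10.1.1 count=4
# Phase 1 (IKE) state, phase 2 (ESP) SAs, and the policy's ph2-state column.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec policy print detail
# Capture IKE negotiation in the log to see which side proposes and where it stalls.
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"
```

The order check is the one worth doing first: `/ip firewall nat print` must show the `action=accept` rule for the LAN-to-LAN pair at a lower number than `masquerade`, on both routers. Run the same `/ping ... src-address=` from each side and compare the `ipsec` log lines; a proposal or lifetime mismatch will appear there long before anything shows up in `installed-sa`.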