Balance 380 to Cisco VPN


#1

I’m trying to set up a VPN between a 380 and a Cisco router and having an issue. The VPN is up and established, but I’m unable to access devices across the tunnel. There is an inbound access rule in place that defines the 2 networks that are sitting across the VPN. On the Peplink side there is an allow any any rule for outbound access.

I’ve tried this on both an ASA as well as a router running IOS on the Cisco side w/ similar results. If I check the tunnel on the Cisco device I see encaps but no decaps, which suggests the Cisco side is forwarding traffic to the tunnel but I’m not seeing any return traffic.

Wondering if there might be something I’m missing or need to confirm is working.


#2

Hello,

I would check Inbound FW rules as well on the Balance. Set Inbound FW to Any/Any Allow on the Balance to see if this resolves the issue (will at least let us know if Balance fw is blocking things).


#3

Thanks. I actually just checked the Peplink and see that there already is an inbound rule in place to allow Any Any traffic. Is there any way to try to initiate traffic from the PepLink across the tunnel or set up a capture or something?


#4

Hi mumbles,

Please ensure the subnet mask of Local and Remote Networks (Network > IPsec VPN > Select IPSec profile > Local Networks and Remote Networks) between Balance 380 and Cisco ASA are matched.


#5

Thanks. The masks are the same for both networks. Initially the tunnel established partially due to a mismatch in one of the 2 networks, but after fixing that it established successfully. And I can see traffic being sent from the Cisco side, just don’t know how one would troubleshoot it on the PepLink side.


#6

Hi,

Do you mind sharing the config for both Balance 380 and Cisco ASA? Please open a ticket if these are sensitive.

Thank you.


#7

Thanks for responding. Here’s the relevant section of the config from the Cisco router:

crypto isakmp policy 15
encr 3des
authentication pre-share
group 2

crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2

crypto isakmp key myvpnkey address AA.BB.CC.225
crypto isakmp key myvpnkey address AA.BB.CC.226

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

crypto map VPN_Tunnel 2 ipsec-isakmp
description Union Square
set peer AA.BB.CC.225
set peer AA.BB.CC.226
set transform-set ESP-AES256-SHA
match address 102

interface GigabitEthernet0/0/0
crypto map VPN_Tunnel

access-list 100 deny ip 192.168.8.0 0.0.3.255 192.168.0.0 0.0.3.255
access-list 100 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.3.255
access-list 100 permit ip 192.168.8.0 0.0.3.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 172.16.8.0 0.0.3.255 any

access-list 102 remark Union Tunnel
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.3.255
access-list 102 permit ip 192.168.8.0 0.0.3.255 192.168.0.0 0.0.3.255
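The two lists above are easier to reason about with a small checker, and the same check covers the subnet-mask question from #4: for a route-based-looking policy VPN like this one, the Balance's Local/Remote networks have to be an exact mirror (masks included) of the Cisco crypto ACL, and every LAN-to-LAN packet should be selected by that ACL before anything else gets a say. The Python below is an added example, not code from this thread, Peplink or Cisco. The Balance Local/Remote values are constructed assumptions (the real ones were posted as a screenshot), and the role of access-list 100 is deliberately left as "the other list" because the posted excerpt does not show where it is applied. It converts Cisco wildcard masks to CIDR, evaluates each list first-match against a flow, and reports whether the Balance side mirrors the crypto ACL.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product

# Constructed input: the two access lists copied from the Cisco router config in #7.
CISCO_ACLS = """
access-list 100 deny ip 192.168.8.0 0.0.3.255 192.168.0.0 0.0.3.255
access-list 100 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.3.255
access-list 100 permit ip 192.168.8.0 0.0.3.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 172.16.8.0 0.0.3.255 any
access-list 102 remark Union Tunnel
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.3.255
access-list 102 permit ip 192.168.8.0 0.0.3.255 192.168.0.0 0.0.3.255
"""

# Hypothetical Balance 380 IPsec profile values (the thread only shows a screenshot).
BALANCE_LOCAL = ["192.168.0.0/22"]
BALANCE_REMOTE = ["192.168.5.0/24", "192.168.8.0/22"]


@dataclass
class AclEntry:
    acl: str      # access-list number, e.g. "102"
    action: str   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    """Convert Cisco 'address wildcard' notation to CIDR.

    A wildcard is the bitwise inverse of a netmask, so 0.0.3.255 -> 255.255.252.0 (/22).
    A non-contiguous wildcard has no single CIDR equivalent and raises ValueError,
    which is itself worth knowing when auditing a crypto ACL.
    """
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(inverted)}", strict=False)


def _parse_target(tokens, i):
    """Consume one address term starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acls(text):
    """Parse numbered extended ACL lines of the form shown in the config; skip remarks."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        acl, action = tokens[1], tokens[2]
        src, i = _parse_target(tokens, 4)   # tokens[3] is the protocol ("ip")
        dst, _ = _parse_target(tokens, i)
        entries.append(AclEntry(acl, action, src, dst))
    return entries


def lookup(entries, acl, src_ip, dst_ip):
    """First-match evaluation of one ACL; returns 'permit', 'deny' or 'implicit-deny'."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.acl == acl and src in e.src and dst in e.dst:
            return e.action
    return "implicit-deny"


def balance_proxy_ids(entries, crypto_acl):
    """(local, remote) pairs the Balance must carry to mirror the Cisco crypto ACL.

    Each permit line is (cisco_local, cisco_remote); the Balance sees it the other
    way round, so the pair is swapped.
    """
    return {(str(e.dst), str(e.src))
            for e in entries if e.acl == crypto_acl and e.action == "permit"}


def balance_pairs(local_nets, remote_nets):
    """Expand the Balance's Local/Remote lists into the pairs it will negotiate."""
    return {(str(ipaddress.IPv4Network(l)), str(ipaddress.IPv4Network(r)))
            for l, r in product(local_nets, remote_nets)}


def proxy_ids_match(entries, crypto_acl, local_nets, remote_nets):
    """True when both sides' traffic selectors are exact mirrors, masks included."""
    return balance_proxy_ids(entries, crypto_acl) == balance_pairs(local_nets, remote_nets)


def trace_flow(entries, src_ip, dst_ip, crypto_acl="102", other_acl="100"):
    """How one LAN-to-LAN packet is classified by each list on the Cisco side."""
    return {
        "selected_by_crypto_acl": lookup(entries, crypto_acl, src_ip, dst_ip) == "permit",
        "other_acl_result": lookup(entries, other_acl, src_ip, dst_ip),
    }


if __name__ == "__main__":
    acls = parse_acls(CISCO_ACLS)
    print("Balance pairs expected:", sorted(balance_proxy_ids(acls, "102")))
    print("Balance mirrors crypto ACL:", proxy_ids_match(acls, "102", BALANCE_LOCAL, BALANCE_REMOTE))
    print("With a /24 typo on the remote:", proxy_ids_match(acls, "102", BALANCE_LOCAL, ["192.168.5.0/24", "192.168.8.0/24"]))
    for src, dst in [("192.168.5.10", "192.168.1.10"), ("192.168.30.5", "192.168.1.10")]:
        print(src, "->", dst, trace_flow(acls, src, dst))
```

Running it shows that a 192.168.5.x to 192.168.1.x packet is selected by ACL 102 (so the Cisco side encrypts it, matching the encaps counter in #1) while ACL 100 returns deny for the same flow, and that a 192.168.30.x host is not covered by the crypto ACL at all. The mirror check is the quickest way to catch the kind of mask mismatch that first kept the tunnel from fully establishing in #5: a single /24 versus /22 difference flips it to False.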


#8

Hi,

Thanks. Can I have the screenshot for Balance 380’s IPSec settings?


#9

Here is the Balance side


#10

Hi,

Looks like the settings are correct. Can you share the settings of Internal Firewall (Network > Access Rules > Internal Network Firewall Rules)?


#11

Hi,

Just want to check you have access list 100 defined for the Cisco site. I notice this access list is denying the traffic. Possible to let me know where you associate the access list?

Thank You