Balance Router as a VPN Concentrator

Hi, I’m working on a project to replace our Cisco ASAs in my remote offices. I’d like to use a Balance router as a concentrator, hanging off a separate zone on my firewall, and have it act as a concentrator for all my remote sites. I already have this working with our existing Cisco ASAs, so I know my internal configuration is working. I’m running into an issue where a remote site, running on a Balance 20, can successfully build an IPsec VPN tunnel to my Cisco ASA at my HQ, but it will not build a PepVPN tunnel back to the Balance router I have at my HQ. Has anyone here tried to do this before? I’ve included a simple graphic that hopefully explains what I’m trying to accomplish. Thanks!

Hi and welcome.

What’s HQ NGFW? Is that the Cisco that you can build the IPsec to?
So long as the Balance 20s can route to ports 32015 and 4500 on the HQ Peplink concentrator, then they should be able to build a PepVPN. At what point in the PepVPN build process is it failing?

In this role you can use either the Balance or the Fusionhub


Hi,

Yes, we’ve deployed this scenario many times. As Martin mentioned, you need to have those specific ports open for SpeedFusion/PepVPN, so it could be that you need those specific ports set up and your ASA is only allowing traditional IPsec.
If you keep an eye on the debug/syslog view on the ASA using ASDM, you should be able to see the ‘deny’ lines in the log; you can filter this down to help narrow it to the public IP you’ve used to NAT to the Balance device.

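As an added illustration of the log-filtering step described in the reply above (this is example code, not anything from the thread participants or from Peplink or Cisco): the script below parses ASA `%ASA-4-106023` deny messages, keeps only those whose destination is the public IP NATed to the Balance, and flags the PepVPN ports named earlier in the thread (TCP 32015 and UDP 4500). The syslog lines embedded in it are constructed samples in the standard ASA 106023 format, and the NAT address 203.0.113.10 is an assumption chosen from documentation ranges.

```python
import re
from dataclasses import dataclass

# Protocol/port pairs the thread says PepVPN/SpeedFusion needs reachable.
PEPVPN_PORTS = {("tcp", 32015), ("udp", 4500)}

# Constructed sample ASA syslog output (not captured from a real device).
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.20/51234 dst dmz:203.0.113.10/32015 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.20/4500 dst dmz:203.0.113.10/4500 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.20/51235 (198.51.100.20/51235) to dmz:203.0.113.10/443 (203.0.113.10/443)
%ASA-4-106023: Deny tcp src outside:198.51.100.20/51236 dst dmz:203.0.113.11/32015 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:192.0.2.7/500 dst dmz:203.0.113.10/500 by access-group "outside_access_in" [0x0, 0x0]
"""

# Matches the fields of an ASA-106023 access-group deny message.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Deny:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_denies(text):
    """Extract every 106023 deny event from a block of syslog text."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append(Deny(m["proto"], m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"])))
    return events


def pepvpn_denies(text, nat_public_ip):
    """Denies aimed at the Balance's NAT address on a port PepVPN requires.

    This is the narrowed-down view the reply suggests: filter on the public
    IP used for the NAT, then look only at the tunnel ports.
    """
    return [d for d in parse_denies(text)
            if d.dst == nat_public_ip and (d.proto, d.dport) in PEPVPN_PORTS]


def blocked_ports(text, nat_public_ip):
    """Which of the required PepVPN ports the ASA is currently dropping."""
    return sorted({(d.proto, d.dport) for d in pepvpn_denies(text, nat_public_ip)})


if __name__ == "__main__":
    for d in pepvpn_denies(SAMPLE_LOG, "203.0.113.10"):
        print(f"{d.proto} {d.src}:{d.sport} -> {d.dst}:{d.dport} denied")
    print("ports still blocked:", blocked_ports(SAMPLE_LOG, "203.0.113.10"))
```

Running it against the sample text reports the two denies that matter (TCP 32015 and UDP 4500 toward 203.0.113.10) and ignores the unrelated IKE/500 drop and the deny toward a different host, which is exactly the subset an administrator would use to decide which access-list entries are missing.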

Hey guys, thanks for the responses. I should have included more detail in the OP. The Balance router has its own WAN connections separate from my Palo Alto NGFW, sitting adjacent to it. My plan is to use a 305/380 at my HQ, and have it terminate PepVPN/SpeedFusion VPN, then hand it off to my FW so that any interesting traffic passes through for inspection.

*Long-term goal being to move away from Cisco for site-to-site IPsec VPNs

*Update

Without changing any configurations, the tunnel just fired up between my test concentrator and my test branch location. It’s making me wonder if this was an issue caused by the ISP. More info to follow.
