IPSec VPN issues with MAX 700


#1

Hi. I recently started working with the Pepwave MAX 700 playing around with it’s IPSec VPN capability. I am succesful in getting the 700 to establish a VPN with a neighboring Cisco 2811. The protected subnet behind the 700 is the default 192.168.50.0/24 with the default DHCP range. The subnet on the 2811 belongs to a loopback and is a /32 of 10.10.10.1. The crypto map on the 2811 matches traffic from the loopback to the remote protected subnet.

What I’m observing is traffic that I send sourced from the loopback on the 2811 to the 700’s protected subnet is rejected at the WAN interface on the 700. I see the following message in the device event log on the 700[280423.456000]Denied CONN=WAN1 SRC=10.10.10.1 DST=192.168.50.2 LEN=100 PROTO=ICMP TYPE=8 CODE=0

Now, I know the VPN is up, and I am matching traffic against the ACL for my crypto map on the 2811. I can see that the 2811 is encrypting the traffic by viewing the IPSec SA that is established on the 2811. I’ve tried adding a rule [above the existing deny rule] to the “Inbound Firewall Rules” permitting the ICMP traffic that I am testing with. I assume that rule set applies inbound on the WAN interface? But I still am not getting traffic to pass that is initially sourced from the 2811 to the host behind the 700.

I am able to receive traffic if it is sourced from the 700’s host. i.e. - ping from the 192.168.50.2 --> 10.10.10.1. In this scenario I am able to receive my ICMP reply.

NAT is enabled on the WAN interface

Hardware rev. 2
Firmware 5.4.6 build 1801

Any feedback would be appreciated.

r/Andrew


#2

This sounds like something to do with the firewall rule. Please open up a support ticket with us here so we can take a closer look at this.