IPsec problem
Hi,
I have an IPsec tunnel. The internal site3 can access remote site1, but remote site1 cannot access site3.
I have found that the virtual-interface-addr 10.15.0.1 -> 10.15.0.254 is wrong; it should be 10.15.0.1 -> 10.15.0.4.
Can anyone help?
[site1]---[10.15.0.1]--vpn--[10.15.0.2]-[site2]
--vpn--[10.15.0.4]-[site3]
Site 1 config:
config vpn ipsec phase1-interface
    edit "vpn01"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256
        set add-route disable
        set dpd on-idle
        set dhgrp 14
        set auto-discovery-sender enable
        set psksecret ENC
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "vpn01"
        set phase1name "vpn01"
        set proposal aes256-sha1 3des-sha1
        set dhgrp 14
    next
end
config system interface
    edit "vpn01"
        set vdom "root"
        set ip 10.15.0.1 255.255.255.255
        set type tunnel
        set remote-ip 10.15.0.254 255.255.255.0
        set interface "port1"
    next
end
Output of diagnose vpn ike gateway list:
vd: root/0
name: vpn01_0
version: 2
interface: port1 3
addr: wanip:500 -> wanip:500
tun_id: 10.15.0.2/::10.0.0.32
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 10.15.0.1 -> 10.15.0.2
created: 5221s ago
peer-id: wanip
peer-id-auth: no
auto-discovery: 1 sender
PPK: no
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 74 2dbf144f21a9b61c/78204501e66dd330
direction: responder
status: established 5221-5221s ago = 10ms
proposal: aes128-sha256
child: no
SK_ei: 8be65bce87fb035d-13616df6bf0b7591
SK_er: 70860c379fdc44ed-b57ffe16eeec3475
SK_ai: 6cbd9af9db567450-90239e485df37e2e-a6ed1ae165035823-ab3c08c8ed725dbb
SK_ar: 4ba3cb8c83eff2de-5ba4903f3e14dfd1-e5c6f21905964cf5-129eaf11d2ba99f1
PPK: no
message-id sent/recv: 0/2
QKD: no
lifetime/rekey: 86400/80908
DPD sent/recv: 00000000/00000000
peer-id: wanip
vd: root/0
name: vpn01_1
version: 2
interface: port1 3
addr: wanip:4500 -> wanip:4500
tun_id: wanip/::10.0.0.36
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 10.15.0.1 -> 10.15.0.254
created: 1740s ago
peer-id: wanip
peer-id-auth: no
PPK: no
IKE SA: created 1/1 established 1/1 time 30/30/30 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 104 7478193671bd48e6/45b5eafcb41b6385
direction: responder
status: established 1740-1740s ago = 30ms
proposal: aes128-sha256
child: no
SK_ei: b737511f8a136fa6-f8cded77588e805d
SK_er: ee44c6b1b334b766-4d94d44e808ee06c
SK_ai: 035ff938712122d1-d736031be553a7d3-0f422a371864b54a-a12bcec5f28edc2b
SK_ar: fefdd43ca39f4d6d-2b1392d86c5b4c77-188390b0911c0099-a0748e0a1f19ba26
PPK: no
message-id sent/recv: 0/175
QKD: no
lifetime/rekey: 86400/84389
DPD sent/recv: 00000000/00000000
peer-id: wanip
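The check the poster did by eye, written up as a script. This is an added example by the editor, not code from the post or from Fortinet: it parses the "diagnose vpn ike gateway list" output above (embedded below, trimmed to the fields it needs, with the SK_* keys and SPIs dropped), splits each gateway's virtual-interface-addr into its local and remote side, and flags any dynamic peer whose remote tunnel address is the 10.15.0.254 placeholder from "set remote-ip" rather than one of the peer addresses in the diagram (10.15.0.2, 10.15.0.4). The expected-address set and the placeholder are assumptions taken from the diagram and config, not from any FortiOS default. It also reports whether a peer ID was checked for each gateway, since the phase1 uses "set peertype any" with a PSK.

```python
"""Parse `diagnose vpn ike gateway list` and flag tunnels whose negotiated
virtual-interface-addr does not point at an expected remote tunnel address."""
import re
from typing import Dict, List

# Constructed sample: the two gateway entries from the post, trimmed to the
# fields this script reads. Key material and SPIs are omitted on purpose.
SAMPLE = """\
vd: root/0
name: vpn01_0
version: 2
interface: port1 3
addr: wanip:500 -> wanip:500
tun_id: 10.15.0.2/::10.0.0.32
virtual-interface-addr: 10.15.0.1 -> 10.15.0.2
created: 5221s ago
peer-id: wanip
peer-id-auth: no
direction: responder
status: established 5221-5221s ago = 10ms
proposal: aes128-sha256
vd: root/0
name: vpn01_1
version: 2
interface: port1 3
addr: wanip:4500 -> wanip:4500
tun_id: wanip/::10.0.0.36
virtual-interface-addr: 10.15.0.1 -> 10.15.0.254
created: 1740s ago
peer-id: wanip
peer-id-auth: no
direction: responder
status: established 1740-1740s ago = 30ms
proposal: aes128-sha256
"""

VIF_RE = re.compile(r"^virtual-interface-addr:\s*(\S+)\s*->\s*(\S+)$")


def parse_gateways(text: str) -> List[Dict[str, str]]:
    """One dict per gateway. A gateway starts at each 'vd:' line; every
    'key: value' line is kept, and virtual-interface-addr is split into
    vif_local / vif_remote."""
    gateways: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("vd:") and current:
            gateways.append(current)
            current = {}
        m = VIF_RE.match(line)
        if m:
            current["vif_local"], current["vif_remote"] = m.group(1), m.group(2)
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        gateways.append(current)
    return gateways


def check_gateways(gateways: List[Dict[str, str]], expected_remotes: set,
                   placeholder: str) -> List[Dict[str, object]]:
    """Return one finding per gateway: the address verdict and whether the
    peer ID was checked (peer-id-auth) when the IKE SA was built."""
    findings = []
    for gw in gateways:
        remote = gw.get("vif_remote")
        if remote is None:
            verdict = "no virtual-interface-addr negotiated"
        elif remote == placeholder:
            # The remote side is the 'set remote-ip' value, not a real peer:
            # traffic for that peer's site has no usable tunnel address.
            verdict = f"remote tunnel address {remote} is the remote-ip placeholder"
        elif remote not in expected_remotes:
            verdict = f"unexpected remote tunnel address {remote}"
        else:
            verdict = "ok"
        findings.append({
            "name": gw.get("name", "?"),
            "proposal": gw.get("proposal", "?"),
            "address": verdict,
            "peer_id_checked": gw.get("peer-id-auth", "no") == "yes",
        })
    return findings


if __name__ == "__main__":
    # Assumed from the diagram and the site 1 config, not FortiOS defaults.
    for f in check_gateways(parse_gateways(SAMPLE), {"10.15.0.2", "10.15.0.4"}, "10.15.0.254"):
        print(f)
```

Run against the post's output, vpn01_0 comes back "ok" and vpn01_1 is flagged because its remote side is 10.15.0.254, which matches what the poster found. Both entries show peer-id-auth: no, which is what "set peertype any" with a PSK gives: any host that knows the PSK can bring up a gateway, so once the routing problem is solved it is worth restricting the peer ID. The phase2 proposal also lists 3des-sha1 as a fallback; nothing in the output shows it being negotiated, but it is a weak fallback to drop from the config.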
