CVPN-3005 question on making the connection

ForumKid

MIS
Dec 21, 2001
122
US
I have just setup my CVPN-3005.

My public interface is 192.168.3.4. I can ping it, but cannot connect via VPN. The error is:
Reason 412: The remote peer is no longer responding.

I have read that it could be a port blocked. I am going from my PIX inside interface to the DMZ. My syslog is not throwing any errors. Any ideas if it's just a setup mistake on the CVPN 3005? I didn't make too many changes except for local pool, interfaces, and created a user.

I'm lost.
 
Weird thing is that I can VPN into the private network, but not the public network. It is going through a firewall. I can ping the public. My syslog is not throwing any errors and the syslog reads both firewall and concentrator. Any ideas?
 
Probably a waste of time, but will update anyhow.

I found out that I can only connect to the private interface of 192.168.x if my laptop is on the 192.168.1.x network. I can only connect to the public interface of 192.168.3.x if my laptop is on the 192.168.3.x network. I guess my real issue is how to allow other networks such as 192.168.1.x to access the public interface. Has nothing to do with a firewall either.

Still looking for some assistance, but it doesn't appear anyone in this forum knows anything about concentrators. After all, it's a PIX forum.

Thanks
 
If you are able to ping the public interface then you should be able to access the network where the public interface resides. It has nothing to do with VPN, you VPN to access the private network. Once you establish a VPN tunnel then your computer is part of the private network, so if you want to access the network where the public interface lies then you need to configure a proper tunnel default gateway and make sure the routing allows for such access.

Alternatively, you can configure split tunnel on the 3005 so only traffic destined for the private networks is encrypted and everything else is in clear text. That way you should access the public network since you can ping the public interface in the first place. My two cents
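To make the full-tunnel versus split-tunnel distinction above concrete, here is an added Python model of the client's routing decision and where the concentrator then forwards tunneled traffic; it is not code from the thread or from the VPN 3000, and the tunnel default gateway address is an assumed value.

```python
"""Model of a remote-access VPN client's route selection (added example,
not the concentrator's own logic). Private network 192.168.1.0/24 and the
public interface 192.168.3.4 come from the thread; the tunnel default
gateway 192.168.3.1 is an assumed value."""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network("192.168.1.0/24")]
TUNNEL_DEFAULT_GW = ipaddress.ip_address("192.168.3.1")  # assumed value


def build_routes(split_tunnel: bool):
    """Return (prefix, next_hop) pairs as the client installs them.

    Full tunnel: a 0.0.0.0/0 route sends everything into the tunnel, so
    the concentrator must forward non-private traffic via its tunnel
    default gateway. Split tunnel: only the listed private networks go
    into the tunnel; everything else uses the client's local gateway.
    """
    routes = [(net, "tunnel") for net in PRIVATE_NETS]
    default = ipaddress.ip_network("0.0.0.0/0")
    routes.append((default, "local-gateway" if split_tunnel else "tunnel"))
    return routes


def next_hop(dst: str, split_tunnel: bool) -> str:
    """Longest-prefix match over the client's routes for destination dst."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in build_routes(split_tunnel) if ip in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1]


def concentrator_forwards(dst: str, split_tunnel: bool) -> str:
    """Where the concentrator sends a packet that arrived via the tunnel.

    Private destinations are delivered on the private interface; anything
    else (e.g. the public network) is only reachable through the tunnel
    default gateway, which must exist and have a route back.
    """
    if next_hop(dst, split_tunnel) != "tunnel":
        return "not-tunneled"
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in PRIVATE_NETS):
        return "private-interface"
    return f"tunnel-default-gateway {TUNNEL_DEFAULT_GW}"
```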
 
That's what I thought. But when I try to connect from 192.168.1.2 to the public interface of 192.168.3.4, I get:

FYI: 192.168.1.13 is my Private Interface.

2005-04-04 11:43:44 Local4.Notice 192.168.1.13 76 04/04/2005 11:57:00.210 SEV=5 IKEDBG/64 RPT=7 192.168.1.2 IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
 
Are you trying to VPN from 192.168.1.2 to the public interface?
 
Yes. I want to make sure that I can do that before I try to connect from the outside world.
 
You will never be able to accomplish this, it makes no sense. The reason for a VPN concentrator is to establish a VPN to the public interface so you can access the private network. If you are already on the private network then you have no reason to establish a VPN, so the VPN3000 won't allow it; it just was not designed to accomplish this.
If you want to test it, then you need to connect a PC in the same network as the public interface and establish the tunnel.
 
Let me just get this straight.

I should setup so that the outside world can VPN to the public interface. Once VPN'd into the public interface, they will be able to access machines that are connected to the private interface?

Yes. If I connect from a machine on the public interface, I can VPN in.

 
You are correct! The outside world establishes a VPN tunnel to the public interface and if successful then the outside world can access the internal resources.
 