Setting up VPN 3002 Hardware Client to VPN 3005

[mspindler]

I am trying to setup a VPN 3002 hardware client to a VPN 3005 in network extension mode. My problem is that I am unable to reach (ping) anything on the LAN on the 3005 side from the VPN 3002 and vice versa. The VPN establishes the tunnel and the statistics show that it is connected, but on the 3005 side the statistics show that it is receiving packets but not transmitting anything to the 3002. The networks on the 3005 side are all 10.20.*.* networks and the 3002 also has a 10.20.*.* network (10.20.46.0), but these are not overlapping. Would anyone have any ideas for me?
Thanks in advance!

 

[eumeri]

I am having exactly the same problem. I have tried static routes and NOTHING is working. I have followed the ONE document TAC has on this to the letter and no dice.

 

[eumeri]

I got this working but it is a bit screwy. In order for traffic to flow you have to create static routes on both the 3005 and the 3002. The route for the remote network must point to the peer's external interface on the remote end of the link. The problem I see here is for clients using DHCP or PPPOE based clients where that may change frequently. If you have static addresses no problems but that can severely limit the number of setups this can be used in. TAC really needs to document this better.

P.S. Updating both units to the latest build of the sofwtare helped with performance as well. New versions for both were released just 3 days ago.

 

[eumeri]

HEY! I got this working. You have to have a static route on the 3002 pointing to the concentrators external interface. you then enable RRi on the 3005 for both client and network extension and manually enter a hold-down route. now you can use DHCP clients and when the address changes in a few minutes the tunnels pop back up.

Email me at pdj@pdjnet.com if you would like screen shots on this.

I will give this to TAC as well since there is a dearth of info on the Cisco web site on this.