VPN Frame Relay interoperability with Linksys VPN 1


topoh

IS-IT--Management
Nov 23, 2002
Hi,

I have long used a Frame Relay VPN that has many remote subnets and a concentrator subnet, as described below. Recently, I installed cable internet access at the Central Office (Frame Relay concentrator) and cable internet access at another remote office, to begin migrating the whole Frame Relay network to a Linksys VPN network. I configured one Linksys BEFSX41 at each cable internet connection; the VPN is connected and I can ping and connect from the concentrator to the new remote office over the Linksys VPN. My problem is that I can't ping or connect from the remote Frame Relay VPN offices to the new remote Linksys VPN office (interoperability between the Frame Relay network and the Linksys IPSec VPN network). I can ping from the Frame Relay concentrator Cisco router to the new remote Linksys VPN network. But I can't ping or connect from the remote Frame Relay VPN offices to the new Linksys IPSec VPN router. I ran a traceroute from a remote Frame Relay Cisco router and it stops at the Linksys router at the Central Office (concentrator).

Remote Frame Relay offices subnets

192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
.
.
.
192.168.31.0/24
192.168.32.0/24

Concentrator Frame Relay subnet

192.168.50.0 255.255.255.0

Concentrator IP Address

192.168.50.254

Route Table at Cisco Frame Relay concentrator router

ip route 192.168.0.0 255.255.224.0 10.254.0.1
ip route 192.168.50.0 255.255.255.0 Ethernet0
ip route 192.168.51.0 255.255.255.0 10.254.50.2
ip route 192.168.52.0 255.255.255.0 10.254.50.6
ip route 192.168.53.0 255.255.255.0 10.254.50.10
ip route 192.168.54.0 255.255.255.0 10.254.50.14
ip route 192.168.55.0 255.255.255.0 10.254.50.18
ip route 192.168.56.0 255.255.255.0 10.254.50.22
ip route 192.168.57.0 255.255.255.0 10.254.50.26
ip route 192.168.58.0 255.255.255.0 10.254.50.30
ip route 192.168.59.0 255.255.255.0 10.254.50.34
ip route 192.168.60.0 255.255.255.0 10.254.50.38
ip route 192.168.62.0 255.255.255.0 192.168.50.250 (new remote Linksys VPN office route)


Linksys BEFSX41 configuration installed at the concentrator to interoperate with the Frame Relay VPN

LAN IP Address

192.168.50.250

VPN Tunnel: Enabled
Tunnel Name: Teste

------------------------------------------------------------
Local Secure Group:
IP Addr. / Subnet / IP Range
IP: 192.168.0.0
Mask: 255.255.0.0

------------------------------------------------------------

Remote Secure Group:
IP Addr. / Subnet / IP Range / Host / Any
IP: 192.168.62.0
Mask: 255.255.255.0

------------------------------------------------------------
Remote Security Gateway:
IP Addr. / FQDN
Fully-Qualified Domain: teste.dyndns.org

------------------------------------------------------------
Encryption: 3DES
Authentication: SHA

------------------------------------------------------------
Key Management: Auto. (IKE)
PFS: Enabled
Pre-shared Key: 1234
Key Lifetime: 3600 Sec.

------------------------------------------------------------

Status Connected


Sorry for my English! And help me... PLEASE!

Topoh
 
Talk to Cisco.
The concentrator will not encrypt ICMP traffic.
 
bcastner,

but I can ping from the concentrator Cisco router to the remote Linksys VPN office. So ICMP traffic is being encrypted by the Linksys and transmitted to the remote Linksys office. I disabled all kinds of pass-through and it doesn't work. But I will talk to Cisco.

Tk's,

Topoh
 
I'd say it is probably a route. I have a similar setup, except we use the VPN as a backup to our Frame instead of a replacement.

You say you can ping from a remote Cisco to the Linksys but not beyond? Who is the gateway at the Central Office? If he does not know a route over the VPN, your ICMP will not find his way back. And also, if the Frame is up at the time, your gateway is probably trying to send the traffic back across the Frame instead of the VPN.

Try changing one of your client gateways to the Linksys. Then from your remote Cisco Frame router, try to ping that one client and see if it replies...

Thanks,

Matt Wray

GFH

 
Matt Wray is closer to the issue than I am, so I defer to him on the issue. From your description, the traceping dies at the first endpoint of the VPN connection, and never reaches the remote endpoint. So the routes are fine, but there is no encryption over the Linksys VPN, and as Matt noted, no return.

As a good guess, an ICMP ping test is not going to make you happy in this instance unless you make special provisions in the Cisco firmware/setup. It might not be the concentrator blocking the ICMP traffic, but the end point switch.

If Matt says a route addition will solve this, I believe him. But ask Cisco, as many of the recent firmwares were designed to prevent the relay of ICMP packets.










 
Matt Wray,

responding to your questions...

1) You say you can ping from a remote Cisco to the Linksys but not beyond?

R- Yes, I can ping from a remote office on the Frame Relay network to the Central Office Linksys. But the ping doesn't reach the remote Linksys through the IPSec VPN.

2) Who is the gateway at the Central Office?

R- The gateway on the Central Office network is the Frame Relay Cisco router.

About routes, I already did what you suggested. I ran a tracert from a DOS command session on a remote PC on the Frame Relay network to the remote VPN Linksys. It dies at the Linksys in the Central Office. From the same PC, I pinged the Linksys at the Central Office and it passed. But across the IPSec VPN it did not pass. So I rule out the possibility of wrong routes.

 
Folks,

I updated the firmware on both Linksys BEFSX41 endpoints and now the VPN doesn't work. We had firmware release 1.45 and were updated to 1.50.9. All configurations are OK. I am beginning to believe that at the Central Office we have to put a BEFVP41. I will test!

regards,

Topoh
 
I'm getting lost reading this. Let's clarify...

"Yes, I can ping from a remote office on the Frame Relay network to the Central Office Linksys. But the ping doesn't reach the remote Linksys through the IPSec VPN."
Q1. You mean, when the Frame is up, you can ping the Linksys. When you drop the Frame you cannot ping the Linksys. True?

Q2. Your Linksys's are connected to a Cisco router? What type?

You are losing me with this, Frame Relay VPN
One or the other please.

This is how I would test:

HQ
Router has route to Remote over Frame. It also has a route to Remote over VPN with a higher metric. I will give examples,
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 10.10.10.0 255.255.255.0 192.168.77.4 <Frame Relay>
ip route 10.10.10.0 255.255.255.0 192.168.77.252 10 <VPN thru PIX>
On the Ethernet interface of the HQ router, No IP Redirect.

Remote
Linksys shows connected to VPN.
Change client settings to have Linksys as Gateway.
Try and ping. Do a tracert to verify that the ping is going to the Linksys then the HQ router.

I don't believe you need all Linksys, as I have Linksys connected to PIX as we speak. And I have read the configs on Linksys KB of connecting them to Cisco product.

I had problems setting this up myself. It is very tricky when you start getting into the thick of the routing, give what I said a shot and post back...

Thoughts?





Thanks,

Matt Wray

GFH

 
Hi,
I got it! After the firmware update and adjustments to the configuration, the Frame Relay VPN is interoperating with the IPSec VPN (Linksys). I had to put a route on the Central Office Linksys router, as below.

192.168.0.0 255.255.224.0 192.168.50.254

192.168.50.254 (Cisco router - Frame Relay Concentrator)

regards and tks,

Sergio Brito
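
The route fix above, worked through as an added example that is not part of the original posts: a longest-prefix-match lookup on the Central Office Linksys before and after the static route, using the thread's addresses. The baseline Linksys table (connected LAN plus a WAN default) and the sample host addresses are assumptions, since the thread never shows that table.

```python
import ipaddress as ip

# Values taken from the thread
LOCAL_GROUP = ip.ip_network("192.168.0.0/255.255.0.0")      # Linksys Local Secure Group
REMOTE_GROUP = ip.ip_network("192.168.62.0/255.255.255.0")  # Linksys Remote Secure Group
CISCO = "192.168.50.254"                                    # Frame Relay concentrator
FIX = (ip.ip_network("192.168.0.0/255.255.224.0"), CISCO)   # static route from the final post

# Assumed baseline table for the Central Office Linksys (not shown in the thread):
# its connected LAN plus a default route out the cable WAN.
BASELINE = [
    (ip.ip_network("192.168.50.0/24"), "connected-LAN"),
    (ip.ip_network("0.0.0.0/0"), "WAN-default"),
]


def next_hop(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ip.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def in_tunnel(src, dst):
    """True when a packet leaving the Central Office matches both secure groups."""
    return ip.ip_address(src) in LOCAL_GROUP and ip.ip_address(dst) in REMOTE_GROUP


if __name__ == "__main__":
    host, target = "192.168.1.10", "192.168.62.10"  # constructed sample hosts
    fixed = BASELINE + [FIX]
    # Outbound: the secure groups already cover Frame Relay sources.
    print("selected for tunnel:", in_tunnel(host, target))
    # Return: where the Linksys sends the decrypted reply for the Frame Relay host.
    print("reply before fix ->", next_hop(BASELINE, host))
    print("reply after fix  ->", next_hop(fixed, host))
    # The /19 mask stops at 192.168.31.255, so check both edges of the range.
    for third in (31, 32):
        dst = f"192.168.{third}.10"
        print(dst, "after fix ->", next_hop(fixed, dst))
```

Under these assumptions the outbound packet is always selected for the tunnel, but the reply only reaches the Cisco concentrator once the static route exists. Destinations in 192.168.32.0/24 fall outside the 255.255.224.0 mask and still follow the default route.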
 
topoh,

Congratulations.

This was not an easy one to figure out.
I am giving Matt Wray a star for focusing on route issues. This was part and parcel of the need to do firmware changes to permit the ICMP traffic.

Bill Castner
 