Saturday, July 7, 2012

VPN Troubleshooting Tip: I Can't Get Traffic Across The Site-To-Site VPN

There are really only four things you need to set up a site-to-site VPN: phase I, phase II, the interesting traffic (crypto) ACL, and the nonat (NAT exemption) ACL. Yes, there is more detail embedded in each of these, but for the concept I'm trying to get across today, that's all we will say about that.

So, if phase I and phase II look good but you still can't get traffic across the VPN, and you can't see a problem with the interesting traffic ACL or the nonat ACL, here is a simple test. Just do a traceroute from your PC to a device across the VPN and watch the second hop and what it reports back. The first hop should always be your default gateway. The next hop should be across the VPN, which means it should report a private address on the far side (the remote firewall's inside interface or a router on the remote LAN). Encrypted traffic never shows the Internet routers in between, because the inner packet's TTL is not decremented while it rides inside ESP.

Look at the one below. Notice the second hop. It shows a public IP address. Because it shows this, I know the firewall is NATing the traffic and routing it out to the ISP in the clear instead of into the tunnel. Meaning, I need to go check both my interesting traffic ACL and my nonat ACL, because on the ASA the NAT decision is made before the crypto ACL is checked: if the flow is not exempted from NAT, the translated source address no longer matches the crypto ACL, and the packet is sent to the Internet instead of being encrypted.

One caveat: this test assumes your default gateway decrements TTL and therefore shows up as hop 1. An ASA does not decrement TTL by default, so if the ASA is your gateway it will be invisible and the ISP's router can appear as the first hop rather than the second. Also, if hops come back as stars, ICMP is being filtered somewhere and the test is inconclusive rather than proof of a NAT problem.
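The following is an added example, not code from the original post, that turns the two checks above into something you can run: it parses traceroute output (both the Windows and Unix layouts) and flags the path as leaking to the ISP if any answered hop is a public address, which generalizes the post's "second hop" rule to cover a gateway that does not decrement TTL; and it models the ASA's NAT-before-crypto ordering so you can see why a nonat ACL that does not cover the same networks as the crypto ACL sends the flow to the Internet. The traceroute samples, subnets (10.10.0.0/24 local, 10.20.0.0/24 remote) and ACL entries are constructed for illustration and assume both LANs use RFC 1918 addressing; none of them come from the post.

```python
import ipaddress
import re

# Constructed sample 1: Windows tracert from a PC on 10.10.0.0/24 to a host on
# the remote site's 10.20.0.0/24. The second hop is a public address, which
# means the packet went to the ISP in the clear. (Invented test data.)
SAMPLE_LEAKING = """\
Tracing route to 10.20.0.25 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.10.0.1
  2     9 ms     8 ms     9 ms  203.0.113.1
  3    14 ms    13 ms    14 ms  198.51.100.7
  4     *        *        *     Request timed out.
"""

# Constructed sample 2: Unix traceroute over a working tunnel. Every hop is
# private because the Internet routers never see the inner packet's TTL.
SAMPLE_WORKING = """\
traceroute to 10.20.0.25 (10.20.0.25), 30 hops max, 60 byte packets
 1  10.10.0.1 (10.10.0.1)  0.412 ms  0.388 ms  0.371 ms
 2  10.20.0.1 (10.20.0.1)  21.604 ms  21.580 ms  21.551 ms
 3  10.20.0.25 (10.20.0.25)  22.010 ms  21.990 ms  21.970 ms
"""

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(text):
    """Return [(hop_number, IPv4Address or None), ...]. Both tracert and
    traceroute start each hop line with the hop number, so one regex covers
    both; a hop with no address (all stars) is recorded as None."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*)$", line)
        if not m:
            continue
        ip_m = IPV4_RE.search(m.group(2))
        addr = ipaddress.ip_address(ip_m.group(1)) if ip_m else None
        hops.append((int(m.group(1)), addr))
    return hops


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def diagnose(hops):
    """The post's rule, generalized: a tunnel path between two RFC 1918 LANs
    never shows a public hop. If one appears (hop 2 normally; hop 1 when the
    gateway does not decrement TTL) the packet was NATed and routed to the
    ISP, so the crypto ACL and nonat ACL need checking. Fewer than two
    answered hops means ICMP is filtered and the test is inconclusive."""
    answered = [a for _, a in hops if a is not None]
    if len(answered) < 2:
        return "inconclusive"
    if any(not is_rfc1918(a) for a in answered):
        return "natted"
    return "tunnel"


# Constructed ACL entries as (source network, destination network) pairs.
LOCAL_LAN = ipaddress.ip_network("10.10.0.0/24")
REMOTE_LAN = ipaddress.ip_network("10.20.0.0/24")
CRYPTO_ACL = [(LOCAL_LAN, REMOTE_LAN)]                          # interesting traffic
NONAT_ACL_BROKEN = [(LOCAL_LAN, ipaddress.ip_network("10.20.1.0/24"))]  # wrong remote subnet
NONAT_ACL_FIXED = [(LOCAL_LAN, REMOTE_LAN)]


def matches(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)


def classify_flow(src, dst, crypto_acl, nonat_acl):
    """Outbound order on an ASA: NAT is decided first, then the crypto ACL is
    matched against the translated addresses. A flow the nonat ACL does not
    exempt is PATed to the public outside address, which no longer matches
    the crypto ACL, so it is routed to the ISP unencrypted."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not matches(nonat_acl, src, dst):
        return "natted"
    if not matches(crypto_acl, src, dst):
        return "not interesting"
    return "tunnel"


def uncovered_crypto_entries(crypto_acl, nonat_acl):
    """Every interesting-traffic entry needs a nonat entry that covers it."""
    return [(s, d) for s, d in crypto_acl
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat_acl)]


if __name__ == "__main__":
    print("leaking sample:", diagnose(parse_hops(SAMPLE_LEAKING)))
    print("working sample:", diagnose(parse_hops(SAMPLE_WORKING)))
    print("broken nonat:", classify_flow("10.10.0.50", "10.20.0.25", CRYPTO_ACL, NONAT_ACL_BROKEN))
    print("fixed nonat:", classify_flow("10.10.0.50", "10.20.0.25", CRYPTO_ACL, NONAT_ACL_FIXED))
    print("crypto entries without nonat cover:", uncovered_crypto_entries(CRYPTO_ACL, NONAT_ACL_BROKEN))
```

Paste your own traceroute output into `parse_hops` to get the same verdict for your site; `uncovered_crypto_entries` is the check to run when the traceroute says "natted", since a nonat ACL that is narrower than, or simply different from, the crypto ACL is the usual culprit.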