Please 100% Match the Internal IP Address

This topic popped into my mind while I was writing the article ‘A Good Document Helps You Build Site2Site VPN’. Looking back at my own VPN troubleshooting history, the case I am going to talk about sits at the top of the list of reasons a site-to-site VPN fails to work.

The most common scenario is that the phase 1 (IKE) negotiation succeeds, but phase 2 (IPsec) simply refuses to come up even though you are 100% sure you are using the right encryption method and hash algorithm.

If that is the case, you should confirm whether the internal IP addresses in your settings match 100%. Let me take the following as an example:

Company A and Company B are going to build a site-to-site VPN that allows the following subnets to reach each other.

A side internal IP address:
B side internal IP address:

Here is a piece of the configuration the network admin did on each side.

The VPN interesting-traffic ACL settings on the A firewall:
access-list A2B extended permit ip

The VPN interesting-traffic ACL settings on the B firewall:
access-list B2A extended permit ip

Did you find any problems above?

The problem is that Company A’s network admin configured ‘access-list A2B extended permit ip’. He used the whole class C subnet. Even if you say that it covers the B side’s definition, this should not be allowed: the interesting-traffic ACLs (the phase 2 proxy IDs) have to be exact mirror images of each other on both sides. I have seen many, many times that this stops phase 2 from being built.
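As an added illustration (not code from the original article), here is a small Python check that parses ASA-style crypto ACL lines and reports every entry the peer does not mirror exactly. The subnets are constructed from RFC 5737 documentation ranges, since the article’s own addresses are not shown above; the superset case is the one described in the article.

```python
import ipaddress


def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC SRCMASK DST DSTMASK' into
    (src_network, dst_network): the proxy IDs this side will offer in phase 2."""
    f = line.split()
    i = f.index("permit")
    if f[i + 1] != "ip" or len(f) < i + 6:
        raise ValueError(f"unsupported ACE: {line}")
    src = ipaddress.IPv4Network((f[i + 2], f[i + 3]), strict=False)
    dst = ipaddress.IPv4Network((f[i + 4], f[i + 5]), strict=False)
    return src, dst


def unmirrored(local_aces, peer_aces):
    """Return (src, dst, reason) for each local ACE the peer does not mirror
    exactly, i.e. no peer ACE with src == local dst and dst == local src."""
    mirrors = {(pdst, psrc) for psrc, pdst in (parse_ace(a) for a in peer_aces)}
    findings = []
    for src, dst in (parse_ace(a) for a in local_aces):
        if (src, dst) in mirrors:
            continue  # exact match: phase 2 will accept this proxy ID pair
        near = [m for m in mirrors if m[0].overlaps(src) and m[1].overlaps(dst)]
        if near:  # a "covering" or partial entry is still a mismatch for IPsec
            m = min(near)
            reason = f"overlaps peer proxy ID {m[0]} -> {m[1]} but is not identical"
        else:
            reason = "no corresponding ACE on the peer"
        findings.append((src, dst, reason))
    return findings


def check_tunnel(a_aces, b_aces):
    """Check both directions; an empty list means the ACLs mirror each other."""
    return [("A", *f) for f in unmirrored(a_aces, b_aces)] + \
           [("B", *f) for f in unmirrored(b_aces, a_aces)]


# Constructed sample ACLs (RFC 5737 ranges, not the article's real addresses).
# Side A wrote the whole /24 ("class C"); side B only mirrors a /25 of it.
A_SIDE_BAD = ["access-list A2B extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.128"]
A_SIDE_FIXED = ["access-list A2B extended permit ip 192.0.2.0 255.255.255.128 198.51.100.0 255.255.255.128"]
B_SIDE = ["access-list B2A extended permit ip 198.51.100.0 255.255.255.128 192.0.2.0 255.255.255.128"]

if __name__ == "__main__":
    for label, a in (("before", A_SIDE_BAD), ("after", A_SIDE_FIXED)):
        print(label, check_tunnel(a, B_SIDE) or "proxy IDs match exactly")
```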
