LANCOM Support Knowledgebase Document No. 1803.2616.1904.RHOO - V2.20

Troubleshooting guide: An additional local network cannot be accessed via VPN



Description:

This troubleshooting guide demonstrates the available options when an additional local network cannot be reached over an established VPN connection.



Scenario:
  • In addition to the local network 192.168.66.0/24, another local network with the address range 192.168.67.0/24 is to be accessible at the remote site.
  • However, after configuring the VPN connection, this fails. Only the network 192.168.66.0/24 can be reached via the VPN connection.




Procedures:

1) “Ping” and “Tracert” in the local network of the initiator router:

1.1) From the local network, a ping to an IP address in the network at the remote site will check whether it can be reached.

In this example, a PING cannot reach the LANCOM router at the remote site in the network 192.168.67.0/24 at the address 192.168.67.1.

1.2) A “Tracert” to the address 192.168.67.1 is only able to trace the route to the initiator router itself.




2) Perform an IP router trace on the initiator router:

2.1) Performing an IP router trace to the address 192.168.67.1 on the initiator router shows that IP packets are being sent out over the WAN.

However, the echo requests sent to the remote site go unanswered: there is no “echo reply”.






3) Perform a VPN packet trace on the initiator router:

3.1) In a VPN packet trace to the address 192.168.67.1, you can see that there is something wrong with the SAs of the VPN connection (message “no sa available”).





4) Perform “show vpn” on the initiator router and on the responder router:
  Note:
  This procedure is also recommended if there is only one local network at each end and the networks cannot be reached.

4.1) A “show vpn” on the command line of the initiator router clearly shows that there are 2 SAs for this VPN connection:
  • SA 1: 192.168.50.0/24 <-> 192.168.67.0/24
  • SA 2: 192.168.50.0/24 <-> 192.168.66.0/24
  Note:
  The command “show vpn” displays all of the established SAs. You can also filter to a specific remote site (VPN connection) by entering the command “show vpn @ <name of VPN connection>”.



4.2) However, a “show vpn” on the command line of the responder router shows that there is just 1 SA for this VPN connection:
  • SA 1: 192.168.50.0/24 <-> 192.168.66.0/24





5) How can the problem be solved?
  • Set rule creation for the VPN connection on the responder router to “automatic”, or
  • In the case of manual rule creation on the responder router, create a firewall VPN rule for the second network (192.168.67.0/24) or, depending on the configuration, modify the network rule in the configuration of the VPN connection.
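As an added example (not part of the LANCOM document), the following Python script automates the comparison from step 4: it parses the “show vpn” output copied from both routers, reports SAs that exist on only one side, and checks whether any SA on a given router covers the destination address that failed in step 3. The “SA n: A <-> B” line format and the sample output are constructed from the lines quoted above; real LANCOM output may differ, so the regular expression is an assumption.

```python
import ipaddress
import re

# Constructed sample output, modelled on the SA lines shown in this guide.
INITIATOR_SHOW_VPN = """\
SA 1: 192.168.50.0/24 <-> 192.168.67.0/24
SA 2: 192.168.50.0/24 <-> 192.168.66.0/24
"""
RESPONDER_SHOW_VPN = """\
SA 1: 192.168.50.0/24 <-> 192.168.66.0/24
"""

# Assumed line format "SA <n>: <net> <-> <net>"; adjust if your firmware prints differently.
SA_LINE = re.compile(r"SA\s+\d+:\s*(\S+)\s*<->\s*(\S+)")


def parse_sas(text):
    """Return the SAs as a set of unordered network pairs, so that
    'A <-> B' on one router matches 'B <-> A' on the other."""
    sas = set()
    for line in text.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue
        left, right = (ipaddress.ip_network(s, strict=False) for s in m.groups())
        sas.add(frozenset({left, right}))
    return sas


def fmt_sa(sa):
    """Render a pair as 'A <-> B' with the networks in a stable order."""
    return " <-> ".join(sorted(str(net) for net in sa))


def compare_sas(initiator_text, responder_text):
    """Return (only_on_initiator, only_on_responder): the asymmetric SAs,
    i.e. the networks for which one side never negotiated a selector."""
    init_sas = parse_sas(initiator_text)
    resp_sas = parse_sas(responder_text)
    return (sorted(fmt_sa(sa) for sa in init_sas - resp_sas),
            sorted(fmt_sa(sa) for sa in resp_sas - init_sas))


def sa_covers(sas, dest_ip):
    """True if some SA contains dest_ip; False reproduces the 'no sa available'
    condition seen in the VPN packet trace for that destination."""
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net for sa in sas for net in sa)


if __name__ == "__main__":
    only_init, only_resp = compare_sas(INITIATOR_SHOW_VPN, RESPONDER_SHOW_VPN)
    print("SAs missing on responder:", only_init)
    print("SAs missing on initiator:", only_resp)
    print("192.168.67.1 covered on responder:",
          sa_covers(parse_sas(RESPONDER_SHOW_VPN), "192.168.67.1"))
```

An SA listed under “missing on responder” points at the rule creation or network rule on the responder router described in step 5.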


Catchwords: vpn; troubleshooting; error; search; debugging; SA