OK, here's where I stand with this frustrating setup.
Site A: phase2 renegotiation with Site B takes place every few seconds. Can ping router addresses at sites B and C, but can only ping remote host IP addresses at site C.
Site B: phase2 renegotiation with Site A takes place every few seconds. Can ping router addresses at sites A and C, but can't ping remote host IP addresses at sites A or C.
Site C: phase1 and 2 renegotiations occur at scheduled intervals. Can ping router addresses at sites A and B, but can't ping remote host IP addresses at sites A or B.
If anyone can offer insight to what I am doing wrong, I would greatly appreciate it. Mike, I am in dire need of your wisdom.
Here's a recap of the tunnel info, along with my router config dumps:
Site A (207)

IPSec TunnelA-B
Local Subnet: 192.168.0.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.1.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: 71.138.2xx.xx (Site B static ip)

cp 2 tag AtoB
cp 2 enable yes
cp 2 dle ipsec
cp 2 ipsec dead-peer-detection enable yes
cp 2 ipsec dead-peer-detection ping-address 192.168.1.1
cp 2 ipsec dead-peer-detection ping-retry 5
cp 2 ipsec dead-peer-detection ping-reply-timeout 90
cp 2 ipsec idle-timeout 0
cp 2 ipsec ike phase1 2
cp 2 ipsec ip remote members 192.168.1.0/24 sg 71.138.2xx.xx local members 192.168.0.0/24 ;[Net 0]
cp 2 ipsec mtu 1500
cp 2 ipsec pfs yes
cp 2 ipsec key-manager ike
cp 2 ipsec sa lifetime seconds 28800
cp 2 ipsec sa lifetime kbytes none
cp 2 ipsec spi 2 44636 4 9299
cp 2 ipsec suite encapsulation esp encryption 3des authentication esp hmac-md5-96
cp 2 ip enable yes
cp 2 ip address local 0.0.0.0/0
cp 2 ip address remote 192.168.1.0/24
cp 2 ip addressing unnumbered
cp 2 ip dhcp client mode standard
cp 2 ip mask local 0.0.0.0
cp 2 ip mask remote 255.255.255.0
cp 2 ip nat enable no
cp 2 ip nat map-list "Easy-PAT List"
cp 2 ip nat server-list Easy-Servers
cp 2 ip negotiate-lan no
cp 2 ip netbios proxy enable yes
cp 2 ip rip receive no
cp 2 ip rip transmit no
cp 2 ip state-insp enable no
cp 2 interface-group any
cp 2 bridge enable no
IPSec TunnelA-C
Local Subnet: 192.168.0.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.2.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: 66.125.3x.xxx (Site C static ip)

cp 3 yes
cp 3 tag SBCto805
cp 3 enable yes
cp 3 dle ipsec
cp 3 ipsec dead-peer-detection enable yes
cp 3 ipsec dead-peer-detection ping-address 192.168.2.1
cp 3 ipsec dead-peer-detection ping-retry 5
cp 3 ipsec dead-peer-detection ping-reply-timeout 90
cp 3 ipsec idle-timeout 0
cp 3 ipsec ike phase1 2
cp 3 ipsec ip remote members 192.168.2.0/24 sg 66.125.3x.xxx local members 192.168.0.0/24 ;[Net 0]
cp 3 ipsec mtu 1500
cp 3 ipsec pfs yes
cp 3 ipsec key-manager ike
cp 3 ipsec sa lifetime seconds 28800
cp 3 ipsec sa lifetime kbytes none
cp 3 ipsec spi 2 44636 4 9299
cp 3 ipsec suite encapsulation esp encryption 3des authentication esp hmac-md5-96
cp 3 ip enable yes
cp 3 ip address local 0.0.0.0/0
cp 3 ip address remote 192.168.2.0/24
cp 3 ip addressing unnumbered
cp 3 ip dhcp client mode standard
cp 3 ip mask local 0.0.0.0
cp 3 ip mask remote 255.255.255.0
cp 3 ip nat enable no
cp 3 ip nat map-list "Easy-PAT List"
cp 3 ip nat server-list Easy-Servers
cp 3 ip negotiate-lan no
cp 3 ip netbios proxy enable yes
cp 3 ip rip receive no
cp 3 ip rip transmit no
cp 3 ip state-insp enable no
cp 3 interface-group any
cp 3 bridge enable no
Site B (Montebello)

IPSec TunnelB-A
Local Subnet: 192.168.1.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.0.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: 71.138.1xx.xxx (Site A static ip)

cp 4 yes
cp 4 tag BtoA
cp 4 enable yes
cp 4 dle ipsec
cp 4 ipsec dead-peer-detection enable yes
cp 4 ipsec dead-peer-detection ping-address 192.168.0.1
cp 4 ipsec dead-peer-detection ping-retry 5
cp 4 ipsec dead-peer-detection ping-reply-timeout 90
cp 4 ipsec idle-timeout 0
cp 4 ipsec ike phase1 2
cp 4 ipsec ip remote members 192.168.0.0/24 sg 71.138.1xx.xxx local members 192.168.1.0/24 ;[Net 0]
cp 4 ipsec mtu 1500
cp 4 ipsec pfs yes
cp 4 ipsec key-manager ike
cp 4 ipsec sa lifetime seconds 28800
cp 4 ipsec sa lifetime kbytes none
cp 4 ipsec spi 2 44636 4 48675
cp 4 ipsec suite encapsulation esp encryption 3des authentication esp hmac-md5-96
cp 4 ip enable yes
cp 4 ip address local 0.0.0.0/0
cp 4 ip address remote 192.168.0.0/24
cp 4 ip addressing unnumbered
cp 4 ip dhcp client mode standard
cp 4 ip mask local 0.0.0.0
cp 4 ip mask remote 255.255.255.0
cp 4 ip nat enable no
cp 4 ip nat map-list "Easy-PAT List"
cp 4 ip nat server-list Easy-Servers
cp 4 ip negotiate-lan no
cp 4 ip netbios proxy enable yes
cp 4 ip rip receive no
cp 4 ip rip transmit no
cp 4 ip state-insp enable no
cp 4 interface-group any
cp 4 bridge enable no
IPSec TunnelB-C
Local Subnet: 192.168.1.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.2.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: 66.125.3x.xxx (Site C static ip)

cp 3 yes
cp 3 tag BtoC
cp 3 enable yes
cp 3 dle ipsec
cp 3 ipsec dead-peer-detection enable yes
cp 3 ipsec dead-peer-detection ping-address 192.168.2.1
cp 3 ipsec dead-peer-detection ping-retry 5
cp 3 ipsec dead-peer-detection ping-reply-timeout 90
cp 3 ipsec idle-timeout 0
cp 3 ipsec ike phase1 2
cp 3 ipsec ip remote members 192.168.2.0/24 sg 66.125.3x.xxx local members 192.168.1.1/24 ;[Net 0]
cp 3 ipsec mtu 1500
cp 3 ipsec pfs yes
cp 3 ipsec key-manager ike
cp 3 ipsec sa lifetime seconds 28800
cp 3 ipsec sa lifetime kbytes none
cp 3 ipsec spi 2 44636 4 48675
cp 3 ipsec suite encapsulation esp encryption 3des authentication esp hmac-md5-96
cp 3 ip enable yes
cp 3 ip address local 0.0.0.0/0
cp 3 ip address remote 192.168.2.0/24
cp 3 ip addressing unnumbered
cp 3 ip dhcp client mode standard
cp 3 ip mask local 0.0.0.0
cp 3 ip mask remote 255.255.255.0
cp 3 ip nat enable no
cp 3 ip nat map-list "Easy-PAT List"
cp 3 ip nat server-list Easy-Servers
cp 3 ip negotiate-lan no
cp 3 ip netbios proxy enable yes
cp 3 ip rip receive no
cp 3 ip rip transmit no
cp 3 ip state-insp enable no
cp 3 interface-group any
cp 3 bridge enable no
Site C

IPSec TunnelC-A
Local Subnet: 192.168.2.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.0.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: 71.138.1xx.xxx (Site A static ip)

cp 3 yes
cp 3 tag CtoA
cp 3 enable yes
cp 3 dle ipsec
cp 3 ipsec dead-peer-detection enable yes
cp 3 ipsec dead-peer-detection ping-address 192.168.0.1
cp 3 ipsec dead-peer-detection ping-retry 5
cp 3 ipsec dead-peer-detection ping-reply-timeout 90
cp 3 ipsec idle-timeout 0
cp 3 ipsec ike phase1 2
cp 3 ipsec ip remote members 192.168.0.0/24 sg 71.138.1xx.xxx local members 192.168.2.0/24 ;[Net 0]
cp 3 ipsec mtu 1500
cp 3 ipsec pfs yes
cp 3 ipsec key-manager ike
cp 3 ipsec sa lifetime seconds 28800
cp 3 ipsec sa lifetime kbytes none
cp 3 ipsec spi 2 44636 4 18515
cp 3 ipsec suite encapsulation esp encryption 3des authentication esp hmac-md5-96
cp 3 ip enable yes
cp 3 ip address local 0.0.0.0/0
cp 3 ip address remote 192.168.0.0/24
cp 3 ip addressing unnumbered
cp 3 ip dhcp client mode standard
cp 3 ip mask local 0.0.0.0
cp 3 ip mask remote 255.255.255.0
cp 3 ip nat enable no
cp 3 ip nat map-list "Easy-PAT List"
cp 3 ip nat server-list Easy-Servers
cp 3 ip negotiate-lan no
cp 3 ip netbios proxy enable yes
cp 3 ip rip receive no
cp 3 ip rip transmit no
cp 3 ip state-insp enable no
cp 3 interface-group any
cp 3 bridge enable no
IPSec TunnelC-B
Local Subnet: 192.168.2.0
Local SNM: 255.255.255.0
Remote Subnet: 192.168.1.0
Remote SNM: 255.255.255.0
Remote Tunnel Endpoint: 71.138.2xx.xx (Site B static ip)

cp 2 yes
cp 2 tag CtoB
cp 2 enable yes
cp 2 dle ipsec
cp 2 ipsec dead-peer-detection enable yes
cp 2 ipsec dead-peer-detection ping-address 192.168.1.1
cp 2 ipsec dead-peer-detection ping-retry 5
cp 2 ipsec dead-peer-detection ping-reply-timeout 90
cp 2 ipsec idle-timeout 0
cp 2 ipsec ike phase1 2
cp 2 ipsec ip remote members 192.168.1.0/24 sg 71.138.2xx.xx local members 192.168.2.0/24 ;[Net 0]
cp 2 ipsec mtu 1500
cp 2 ipsec pfs yes
cp 2 ipsec key-manager ike
cp 2 ipsec sa lifetime seconds 28800
cp 2 ipsec sa lifetime kbytes none
cp 2 ipsec spi 2 44636 4 18515
cp 2 ipsec suite encapsulation esp encryption 3des authentication esp hmac-md5-96
cp 2 ip enable yes
cp 2 ip address local 0.0.0.0/0
cp 2 ip address remote 192.168.1.0/24
cp 2 ip addressing unnumbered
cp 2 ip dhcp client mode standard
cp 2 ip mask local 0.0.0.0
cp 2 ip mask remote 255.255.255.0
cp 2 ip nat enable no
cp 2 ip nat map-list "Easy-PAT List"
cp 2 ip nat server-list Easy-Servers
cp 2 ip negotiate-lan no
cp 2 ip netbios proxy enable yes
cp 2 ip rip receive no
cp 2 ip rip transmit no
cp 2 ip state-insp enable no
cp 2 interface-group any
cp 2 bridge enable no
The IKE config is identical on all 3 routers, as determined by using Beyond Compare:

ike phase1 2 authentication method shared-secret
ike phase1 2 authentication shared-secret ascii *****
ike phase1 2 dangling-sas no
ike phase1 2 encryption 3des
ike phase1 2 group 2
ike phase1 2 hash md5
ike phase1 2 id 2
ike phase1 2 identity local ipv4-address 0.0.0.0
ike phase1 2 identity remote ipv4-address 0.0.0.0
ike phase1 2 independent rekeys yes
ike phase1 2 initial-contact yes
ike phase1 2 invalid-spi-recovery no
ike phase1 2 mode main
ike phase1 2 negotiation normal
ike phase1 2 port policy permissive
ike phase1 2 sa lifetime seconds 28800
ike phase1 2 sa lifetime kbytes none
ike phase1 2 sa use-policy new-sas-immediately
ike phase1 2 tag "DHC IKE Profile"
ike phase1 2 vendor-id yes
Since this last config dump, I have tried scheduling the phase 2 duration to be half that of phase 1 (4 hours instead of 8), following some recommendations I found elsewhere. No help.
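The following is an added consistency check, not part of the post above or of the router vendor's tooling: it parses a constructed excerpt of the `cp N ipsec ...` dumps (selectors, PFS and SA lifetime only, copied from the post) and reports, for each tunnel pair, whether the two ends' phase-2 selectors mirror each other, whether a selector has host bits set (Site B's B-C tunnel is posted as `192.168.1.1/24`), and whether PFS and lifetime agree. The pair names and the regexes are my own.

```python
import ipaddress
import re

# Constructed excerpt of the "cp N ipsec ..." dumps in the post; Site B's B-C tunnel
# keeps its "local members 192.168.1.1/24" exactly as posted.
DUMPS = {
    "A/AtoB": "cp 2 ipsec ip remote members 192.168.1.0/24 sg 71.138.2xx.xx local members 192.168.0.0/24\n"
              "cp 2 ipsec pfs yes\ncp 2 ipsec sa lifetime seconds 28800",
    "B/BtoA": "cp 4 ipsec ip remote members 192.168.0.0/24 sg 71.138.1xx.xxx local members 192.168.1.0/24\n"
              "cp 4 ipsec pfs yes\ncp 4 ipsec sa lifetime seconds 28800",
    "B/BtoC": "cp 3 ipsec ip remote members 192.168.2.0/24 sg 66.125.3x.xxx local members 192.168.1.1/24\n"
              "cp 3 ipsec pfs yes\ncp 3 ipsec sa lifetime seconds 28800",
    "C/CtoB": "cp 2 ipsec ip remote members 192.168.1.0/24 sg 71.138.2xx.xx local members 192.168.2.0/24\n"
              "cp 2 ipsec pfs yes\ncp 2 ipsec sa lifetime seconds 28800",
}
MEMBERS = re.compile(r"^cp \d+ ipsec ip remote members (\S+) sg \S+ local members (\S+)")
SETTING = re.compile(r"^cp \d+ ipsec (pfs|sa lifetime seconds) (\S+)")

def parse(dump):
    """Pull the phase-2 selectors and the settings both ends must agree on."""
    cfg = {}
    for line in dump.splitlines():
        if m := MEMBERS.match(line):
            cfg["remote"], cfg["local"] = m.group(1), m.group(2)
        elif m := SETTING.match(line):
            cfg[m.group(1)] = m.group(2)
    return cfg

def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Findings for one tunnel pair; an empty list means the two ends mirror each other."""
    findings, nets = [], {}
    for name, cfg in ((name_a, cfg_a), (name_b, cfg_b)):
        for role in ("local", "remote"):
            raw = cfg[role]
            nets[name, role] = net = ipaddress.ip_network(raw, strict=False)  # 192.168.1.1/24 -> 192.168.1.0/24
            if raw != net.with_prefixlen:
                findings.append(f"{name}: {role} members {raw} has host bits set (network is {net})")
    if nets[name_a, "local"] != nets[name_b, "remote"] or nets[name_a, "remote"] != nets[name_b, "local"]:
        findings.append(f"{name_a}/{name_b}: phase-2 selectors do not mirror each other")
    for key in ("pfs", "sa lifetime seconds"):
        if cfg_a.get(key) != cfg_b.get(key):
            findings.append(f"{name_a}/{name_b}: {key} differs ({cfg_a.get(key)} vs {cfg_b.get(key)})")
    return findings

def audit():
    """Check both tunnel pairs from the excerpt: pair name -> list of findings."""
    pairs = (("A/AtoB", "B/BtoA"), ("B/BtoC", "C/CtoB"))
    return {f"{a}<->{b}": check_pair(a, parse(DUMPS[a]), b, parse(DUMPS[b])) for a, b in pairs}
```

On this excerpt `audit()` returns no findings for the A-B pair and a single host-bits finding for Site B's B-C selector; running it over the full dumps of all three routers is the same call with the remaining `cp` lines pasted in.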