L2L Ipsec tunnel between 1800 and ASA failing to decrypt on one side

Apr 10th, 2007

Hello all,

I'm having a little problem getting a site-to-site VPN tunnel working between an 1800 IOS router and a 5520 ASA. The tunnel negotiates and comes up OK; however, the clients at each end are unable to communicate.

Site A shows that it is receiving and transmitting IPsec-encrypted packets across the tunnel; however, site B shows that it is only sending encrypted packets and not receiving or decrypting packets. I've checked the routing time and time again but can't see anything wrong. Perhaps someone could cast an eye over the configs below and spot something obvious that I've missed?

Thanks for any assistance.

(I should mention I don't want to NAT any of these addresses. The sites are part of an internal private network, hence the use of private network 10 subnets, and each client's IP address is routable on this network.)

Site B Router Config:

crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key somekey address

crypto ipsec transform-set vpntset esp-3des esp-md5-hmac

crypto map N3VPNACCESS 11 ipsec-isakmp
 set peer
 set transform-set vpntset
 match address 120

interface FastEthernet0
 description "Outside"
 ip address
 duplex auto
 speed auto
 crypto map N3VPNACCESS

interface FastEthernet1
 description "Inside"
 ip address
 duplex auto
 speed auto

ip route
ip route
ip route

access-list 120 permit ip

Site A ASA Config:

access-list NONAT extended permit ip
access-list SOME-SITE extended permit ip

crypto map N3VPNACCESS 24 match address SOME-SITE
crypto map N3VPNACCESS 24 set peer
crypto map N3VPNACCESS 24 set transform-set ESP-3DES-MD5

tunnel-group type ipsec-l2l
tunnel-group general-attributes
 default-group-policy SOME-VPN-GRPPOL
tunnel-group ipsec-attributes
 pre-shared-key *

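The symptom in the post (site A encrypts and decrypts, site B only encrypts) can be read directly from the per-SA counters that `show crypto ipsec sa` prints on both IOS and the ASA. The script below is an added example, not part of this thread and not a Cisco tool: it parses the `#pkts encaps/decaps` and `#send/#recv errors` lines from both peers, works out which direction is lost, and separates "no ESP arrived at all" (a path question) from "ESP arrived but was dropped" (an SA question). The counter text is constructed to reproduce the post's situation; the peer labels A and B and the hint strings are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample output: the "#pkts ..." counter lines that
# `show crypto ipsec sa` prints for one SA on IOS and on the ASA.
# The numbers are invented to reproduce the symptom in the post:
# site A both encrypts and decrypts, site B only encrypts.
SITE_A_SA = """\
    #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
    #pkts decaps: 1490, #pkts decrypt: 1490, #pkts verify: 1490
    #send errors 0, #recv errors 0
"""

SITE_B_SA = """\
    #pkts encaps: 1490, #pkts encrypt: 1490, #pkts digest: 1490
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

# The error line is printed with or without a colon depending on platform;
# accept both forms.
PKTS_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify):\s*(\d+)")
ERRS_RE = re.compile(r"#(send|recv) errors:?\s*(\d+)")


@dataclass
class SaCounters:
    encaps: int = 0
    encrypt: int = 0
    digest: int = 0
    decaps: int = 0
    decrypt: int = 0
    verify: int = 0
    send_errors: int = 0
    recv_errors: int = 0


def parse_sa_counters(text: str) -> SaCounters:
    """Pull the per-SA packet and error counters out of show-command output."""
    c = SaCounters()
    for name, value in PKTS_RE.findall(text):
        setattr(c, name, int(value))
    for name, value in ERRS_RE.findall(text):
        setattr(c, f"{name}_errors", int(value))
    return c


def _receiver_hint(label: str, c: SaCounters) -> str:
    # Distinguish "ESP never arrived" from "ESP arrived but was dropped":
    # the first is a path/routing question, the second an SA question.
    if c.recv_errors > 0:
        return (f"ESP reaches {label} but is dropped on receive "
                f"(recv errors={c.recv_errors}); compare SA parameters on both peers")
    return (f"{label} sees no ESP from its peer at all; confirm that ESP from the peer "
            f"actually arrives on {label}'s outside interface before looking at IPsec")


def diagnose(a: SaCounters, b: SaCounters) -> tuple:
    """Compare the two peers' counters and classify the traffic loss.

    Returns (verdict, hint). A peer that decaps nothing while the other
    peer encaps towards it means that direction is lost somewhere between
    the two crypto engines.
    """
    if a.decaps > 0 and b.decaps > 0:
        return ("bidirectional",
                "both peers decrypt; look at routing and filtering inside each site")
    if a.decaps > 0 and b.decaps == 0:
        return ("a_to_b_lost", _receiver_hint("B", b))
    if b.decaps > 0 and a.decaps == 0:
        return ("b_to_a_lost", _receiver_hint("A", a))
    return ("no_traffic",
            "neither peer decrypts; check that interesting traffic matches the crypto ACLs")


if __name__ == "__main__":
    site_a = parse_sa_counters(SITE_A_SA)
    site_b = parse_sa_counters(SITE_B_SA)
    verdict, hint = diagnose(site_a, site_b)
    print(f"A: encaps={site_a.encaps} decaps={site_a.decaps}")
    print(f"B: encaps={site_b.encaps} decaps={site_b.decaps}")
    print(f"{verdict}: {hint}")
```

With the constructed counters the script reports `a_to_b_lost` and, because site B shows zero receive errors, points at the path into B's outside interface rather than at the SA itself; that is the same question the reply below asks, whether any packets from the ASA reach the router at all.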
ggilbert (Cisco Employee) Tue, 04/10/2007 - 15:18


The IP route statement given below is not needed since you have a default route on the router. But if you would like to add it, make sure the next hop is set as the next hop. In your case, I believe and not the peer tunnel IP address.

ip route

Also, if the packets are encrypting and decrypting on the ASA, do you see any packets reaching the router? Have you tried debugging it with an ACL on the router?



jason.scott Tue, 04/10/2007 - 23:14

Thank you. For the debugging, should I add an ACL with the log option to permit the IPsec traffic from the peer?

