L2L IPsec tunnel between 1800 and ASA failing to decrypt on one side

Apr 10th, 2007

Hello all,


I'm having a little problem getting a site-to-site VPN tunnel working between an 1800 IOS router and a 5520 ASA. The tunnel negotiates and comes up OK; however, the clients at each end are unable to communicate.


Site A shows that it is receiving and transmitting IPsec-encrypted packets across the tunnel; however, site B shows that it is only sending encrypted packets and not receiving or decrypting packets. I've checked the routing time and time again but can't see anything wrong. Perhaps someone could cast an eye over the configs below and spot something obvious that I've missed?


Thanks for any assistance.


(I should mention I don't want to NAT any of these addresses. The sites are part of an internal private network, hence the use of private network 10 subnets, and each client's IP address is routable on this network.)



Site B Router Config:

!
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key somekey address 10.177.8.37
!
!
crypto ipsec transform-set vpntset esp-3des esp-md5-hmac
!
crypto map N3VPNACCESS 11 ipsec-isakmp
 set peer 10.177.8.37
 set transform-set vpntset
 match address 120
!
!
interface FastEthernet0
 description "Outside"
 ip address 10.217.63.130 255.255.255.224
 duplex auto
 speed auto
 crypto map N3VPNACCESS
!
interface FastEthernet1
 description "Inside"
 ip address 10.217.63.190 255.255.255.224
 duplex auto
 speed auto
!

ip route 0.0.0.0 0.0.0.0 10.217.63.129
ip route 10.177.8.37 255.255.255.255 10.217.63.129
ip route 10.177.29.0 255.255.255.0 10.177.8.37

access-list 120 permit ip 10.217.63.160 0.0.0.31 10.177.29.0 0.0.0.255




Site A ASA Config:

access-list NONAT extended permit ip 10.177.29.0 255.255.255.0 10.217.63.160 255.255.255.224

access-list SOME-SITE extended permit ip 10.177.29.0 255.255.255.0 10.217.63.160 255.255.255.224

crypto map N3VPNACCESS 24 match address SOME-SITE
crypto map N3VPNACCESS 24 set peer 10.217.63.130
crypto map N3VPNACCESS 24 set transform-set ESP-3DES-MD5

tunnel-group 10.191.63.4 type ipsec-l2l
tunnel-group 10.191.63.4 general-attributes
 default-group-policy SOME-VPN-GRPPOL
tunnel-group 10.191.63.4 ipsec-attributes
 pre-shared-key *
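Added example (not code from the original post and not Cisco's): a small Python checker that embeds the two config excerpts above as constants and cross-checks them for the mismatches that commonly leave a LAN-to-LAN tunnel up while traffic is one-sided. The check list (crypto ACLs that mirror each other, the ASA's set peer against the router's crypto-map interface address, an ASA tunnel-group named after that peer address, the router's ISAKMP key address against its set peer, and static routes whose next hop is the IPsec peer itself) is this script's own assumption about what is worth verifying, not a statement of what is wrong here. Run on the posted text it reports two things that are visible in the configs: the tunnel-group is named 10.191.63.4 while the ASA peers with 10.217.63.130, and the route to 10.177.29.0 points at the peer rather than the outside gateway.

```python
"""Cross-check a posted IOS crypto config against a posted ASA crypto config.

The two config strings are copied from the thread above (only the lines the
checks read); the checks themselves are this example's own.
"""
import ipaddress
import re

# Site B, Cisco 1800 IOS (copied from the post)
SITE_B_IOS = """\
crypto isakmp key somekey address 10.177.8.37
crypto map N3VPNACCESS 11 ipsec-isakmp
 set peer 10.177.8.37
 set transform-set vpntset
 match address 120
interface FastEthernet0
 description "Outside"
 ip address 10.217.63.130 255.255.255.224
 crypto map N3VPNACCESS
interface FastEthernet1
 description "Inside"
 ip address 10.217.63.190 255.255.255.224
ip route 0.0.0.0 0.0.0.0 10.217.63.129
ip route 10.177.8.37 255.255.255.255 10.217.63.129
ip route 10.177.29.0 255.255.255.0 10.177.8.37
access-list 120 permit ip 10.217.63.160 0.0.0.31 10.177.29.0 0.0.0.255
"""

# Site A, ASA 5520 (copied from the post)
SITE_A_ASA = """\
access-list NONAT extended permit ip 10.177.29.0 255.255.255.0 10.217.63.160 255.255.255.224
access-list SOME-SITE extended permit ip 10.177.29.0 255.255.255.0 10.217.63.160 255.255.255.224
crypto map N3VPNACCESS 24 match address SOME-SITE
crypto map N3VPNACCESS 24 set peer 10.217.63.130
crypto map N3VPNACCESS 24 set transform-set ESP-3DES-MD5
tunnel-group 10.191.63.4 type ipsec-l2l
tunnel-group 10.191.63.4 general-attributes
 default-group-policy SOME-VPN-GRPPOL
tunnel-group 10.191.63.4 ipsec-attributes
 pre-shared-key *
"""


def wildcard_net(addr, wildcard):
    """IOS ACLs use wildcard (inverse) masks; convert addr/wildcard to a network."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)


def parse_ios(cfg):
    acl = re.search(r"match address (\S+)", cfg).group(1)
    flows = [(wildcard_net(s, sw), wildcard_net(d, dw)) for s, sw, d, dw in re.findall(
        rf"access-list {re.escape(acl)} permit ip (\S+) (\S+) (\S+) (\S+)", cfg)]
    # The outside address is the one on the interface that carries the crypto map.
    outside = None
    for block in cfg.split("interface ")[1:]:
        if re.search(r"^\s*crypto map", block, re.M):
            outside = re.search(r"ip address (\S+)", block).group(1)
    return {
        "peer": re.search(r"set peer (\S+)", cfg).group(1),
        "isakmp_key_peer": re.search(r"crypto isakmp key \S+ address (\S+)", cfg).group(1),
        "outside": outside,
        "flows": flows,
        "routes": re.findall(r"ip route (\S+) (\S+) (\S+)", cfg),
    }


def parse_asa(cfg):
    acl = re.search(r"match address (\S+)", cfg).group(1)
    flows = [(ipaddress.ip_network(f"{s}/{sm}", strict=False),
              ipaddress.ip_network(f"{d}/{dm}", strict=False))
             for s, sm, d, dm in re.findall(
                 rf"access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg)]
    return {
        "peer": re.search(r"set peer (\S+)", cfg).group(1),
        "tunnel_groups": set(re.findall(r"tunnel-group (\S+) type ipsec-l2l", cfg)),
        "flows": flows,
    }


def check(ios, asa):
    """Return a list of findings; an empty list means nothing obvious was found."""
    findings = []
    # 1. Crypto ACLs must be exact mirror images (source/destination swapped).
    if set(ios["flows"]) != {(d, s) for s, d in asa["flows"]}:
        findings.append("crypto ACLs are not mirror images")
    # 2. The ASA's peer must be the router's crypto-map interface address.
    if asa["peer"] != ios["outside"]:
        findings.append(f"ASA set peer {asa['peer']} != router outside {ios['outside']}")
    # 3. The ASA binds an L2L pre-shared key to a tunnel-group named after the peer.
    if ios["outside"] not in asa["tunnel_groups"]:
        findings.append(f"no tunnel-group named {ios['outside']} on the ASA; "
                        f"found {sorted(asa['tunnel_groups'])}")
    # 4. The router's ISAKMP key must be bound to the peer it tunnels to.
    if ios["isakmp_key_peer"] != ios["peer"]:
        findings.append("crypto isakmp key address != set peer")
    # 5. A static route whose next hop is the IPsec peer itself, not the gateway.
    for dst, mask, nh in ios["routes"]:
        if nh == ios["peer"] and dst != ios["peer"]:
            findings.append(f"route {dst} {mask} uses the IPsec peer {nh} as next hop")
    return findings


def run():
    return check(parse_ios(SITE_B_IOS), parse_asa(SITE_A_ASA))


if __name__ == "__main__":
    for line in run():
        print("FINDING:", line)
```

On an ASA, an L2L peer with no tunnel-group of its own falls back to DefaultL2LGroup, so the name mismatch does not by itself stop phase 1 from completing, which is consistent with the tunnel coming up; it is still worth confirming which group the peer actually landed in and which pre-shared key it was matched against.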






ggilbert (Cisco Employee) Tue, 04/10/2007 - 15:18

Hello,


The IP route statement given below is not needed, since you have a default route on the router. But if you would like to add it, make sure the next hop is set as the next hop. In your case, I believe 10.217.63.129 and not the peer tunnel IP address.


ip route 10.177.29.0 255.255.255.0 10.177.8.37


Also, if the packets are encrypting and decrypting on the ASA, do you see any packets reaching the router? Have you tried debugging it with an ACL on the router?


Cheers

gilbert
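The reply above asks whether site A's encrypted packets are reaching the router at all. Added example (not code from the thread and not Cisco's): a Python helper that reads the `#pkts encaps` / `#pkts decaps` counters from both ends of the tunnel and reports, per direction, where packets stop. The two counter snippets are constructed samples shaped like the counter lines of `show crypto ipsec sa` on IOS and the ASA; the numbers are invented to reproduce the symptom described in the question (site A encrypting and decrypting, site B encrypting only).

```python
"""Localise one-way IPsec loss from the encaps/decaps counters of both peers.

Constructed sample counters (not real output from the thread's devices).
"""
import re

# Constructed: site A (ASA) counters, encrypting and decrypting
SITE_A_SA = """\
    local ident (addr/mask/prot/port): (10.177.29.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.217.63.160/255.255.255.224/0/0)
    current_peer: 10.217.63.130
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
    #send errors: 0, #recv errors: 0
"""

# Constructed: site B (IOS 1800) counters, encrypting only
SITE_B_SA = """\
   local  ident (addr/mask/prot/port): (10.217.63.160/255.255.255.224/0/0)
   remote ident (addr/mask/prot/port): (10.177.29.0/255.255.255.0/0/0)
   current_peer 10.177.8.37 port 500
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

COUNTER = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt):\s*(\d+)")
# IOS prints "#send errors 0", the ASA prints "#send errors: 0"; accept both.
ERRORS = re.compile(r"#(send|recv) errors:?\s*(\d+)")


def parse_counters(text):
    """Return {'encaps': n, 'decaps': n, ..., 'send_errors': n, 'recv_errors': n}."""
    counters = {name: int(value) for name, value in COUNTER.findall(text)}
    counters.update({f"{name}_errors": int(value) for name, value in ERRORS.findall(text)})
    return counters


def diagnose(a, b, a_name="site A", b_name="site B"):
    """One line per direction: what the sender encrypted vs what the receiver decrypted."""
    findings = []
    for src, src_name, dst, dst_name in ((a, a_name, b, b_name), (b, b_name, a, a_name)):
        sent, received = src["encaps"], dst["decaps"]
        if sent == 0:
            findings.append(
                f"{src_name}->{dst_name}: nothing encrypted at {src_name}; check that "
                f"traffic reaches the crypto-map interface and matches the crypto ACL")
        elif received == 0:
            findings.append(
                f"{src_name}->{dst_name}: {sent} packets encrypted at {src_name}, "
                f"none decrypted at {dst_name}; loss is between {src_name}'s encryption "
                f"and {dst_name}'s decryption (transit path, or dropped before decrypt)")
        elif received < sent:
            findings.append(
                f"{src_name}->{dst_name}: partial loss ({sent} encrypted, {received} decrypted)")
        else:
            findings.append(f"{src_name}->{dst_name}: ok ({sent} encrypted, {received} decrypted)")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_counters(SITE_A_SA), parse_counters(SITE_B_SA)):
        print(line)
```

With the counters as described in the question, the helper narrows the problem to the site A to site B direction: packets leave site A encrypted and never register as decrypted at site B, so the next step is to confirm whether ESP from the ASA arrives on the router's outside interface (an ACL counter or log entry on the router answers that) before looking at the router's decryption side.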



jason.scott Tue, 04/10/2007 - 23:14

Thank you. For the debugging, should I add an ACL with the log option to permit the IPsec traffic from the 10.177.8.37 peer?
