L2L IPsec tunnel between 1800 and ASA failing to decrypt on one side

jason.scott
Level 1

Hello all,

I'm having a little problem getting a site-to-site VPN tunnel working between an 1800 IOS router and a 5520 ASA. The tunnel negotiates and comes up OK; however, the clients at each end are unable to communicate.

Site A shows that it is receiving and transmitting IPsec-encrypted packets across the tunnel; however, site B shows that it is only sending encrypted packets and not receiving or decrypting packets. I've checked the routing time and time again but can't see anything wrong. Perhaps someone could cast an eye over the configs below and spot something obvious that I've missed?

Thanks for any assistance.

(I should mention I don't want to NAT any of these addresses. The sites are part of an internal private network, hence the use of private 10.0.0.0/8 subnets, and each client's IP address is routable on this network.)

Site B Router Config:

!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key somekey address 10.177.8.37
!
crypto ipsec transform-set vpntset esp-3des esp-md5-hmac
!
crypto map N3VPNACCESS 11 ipsec-isakmp
 set peer 10.177.8.37
 set transform-set vpntset
 match address 120
!
interface FastEthernet0
 description "Outside"
 ip address 10.217.63.130 255.255.255.224
 duplex auto
 speed auto
 crypto map N3VPNACCESS
!
interface FastEthernet1
 description "Inside"
 ip address 10.217.63.190 255.255.255.224
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 10.217.63.129
ip route 10.177.8.37 255.255.255.255 10.217.63.129
ip route 10.177.29.0 255.255.255.0 10.177.8.37
access-list 120 permit ip 10.217.63.160 0.0.0.31 10.177.29.0 0.0.0.255

Site A ASA Config:

access-list NONAT extended permit ip 10.177.29.0 255.255.255.0 10.217.63.160 255.255.255.224
access-list SOME-SITE extended permit ip 10.177.29.0 255.255.255.0 10.217.63.160 255.255.255.224
crypto map N3VPNACCESS 24 match address SOME-SITE
crypto map N3VPNACCESS 24 set peer 10.217.63.130
crypto map N3VPNACCESS 24 set transform-set ESP-3DES-MD5
tunnel-group 10.191.63.4 type ipsec-l2l
tunnel-group 10.191.63.4 general-attributes
 default-group-policy SOME-VPN-GRPPOL
tunnel-group 10.191.63.4 ipsec-attributes
 pre-shared-key *
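A small consistency checker for the two configs above, added here as an example and not part of the thread or of any Cisco tool: it normalises the IOS wildcard-mask crypto ACL and the ASA subnet-mask ACL to prefixes and confirms they are mirror images, checks that the ASA L2L tunnel-group name equals its crypto-map peer, and flags any IOS static route whose next hop is the IPsec peer itself (the point the reply below raises). The config excerpts are constructed from the values exactly as posted, so a flagged difference may simply reflect how addresses were redacted; the function names are my own.

```python
import ipaddress
import re
# Constructed excerpts of the two configurations posted above (values as posted).
IOS_CFG = """
crypto map N3VPNACCESS 11 ipsec-isakmp
 set peer 10.177.8.37
 match address 120
ip route 0.0.0.0 0.0.0.0 10.217.63.129
ip route 10.177.8.37 255.255.255.255 10.217.63.129
ip route 10.177.29.0 255.255.255.0 10.177.8.37
access-list 120 permit ip 10.217.63.160 0.0.0.31 10.177.29.0 0.0.0.255
"""
ASA_CFG = """
access-list SOME-SITE extended permit ip 10.177.29.0 255.255.255.0 10.217.63.160 255.255.255.224
crypto map N3VPNACCESS 24 match address SOME-SITE
crypto map N3VPNACCESS 24 set peer 10.217.63.130
tunnel-group 10.191.63.4 type ipsec-l2l
"""

def net(addr, mask):
    # ipaddress accepts both a netmask (ASA style) and a wildcard/hostmask (IOS style).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def ios_proxy_ids(cfg):
    """(src, dst) networks of every IOS crypto ACL entry (wildcard masks)."""
    return {(net(s, sw), net(d, dw)) for s, sw, d, dw in
            re.findall(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)}

def asa_proxy_ids(cfg):
    """(src, dst) networks of every ASA extended ACL entry (subnet masks)."""
    return {(net(s, sm), net(d, dm)) for s, sm, d, dm in
            re.findall(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)}

def check_tunnel(ios_cfg, asa_cfg):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    # 1. The crypto ACLs must be exact mirror images, or phase 2 / forwarding fails.
    if ios_proxy_ids(ios_cfg) != {(d, s) for s, d in asa_proxy_ids(asa_cfg)}:
        findings.append("crypto ACLs are not mirror images")
    # 2. An ASA L2L tunnel-group is selected by name, which must be the crypto-map peer address.
    peer = re.search(r"set peer (\S+)", asa_cfg).group(1)
    tg = re.search(r"tunnel-group (\S+) type ipsec-l2l", asa_cfg).group(1)
    if peer != tg:
        findings.append(f"ASA tunnel-group {tg} does not match crypto map peer {peer}")
    # 3. Per the reply: the route to the remote LAN should use the next-hop gateway, not the peer.
    ios_peer = re.search(r"set peer (\S+)", ios_cfg).group(1)
    for dst, mask, nh in re.findall(r"^ip route (\S+) (\S+) (\S+)", ios_cfg, re.M):
        if nh == ios_peer:
            findings.append(f"ip route {dst} {mask} points at the IPsec peer {nh}")
    return findings
```

Running `check_tunnel(IOS_CFG, ASA_CFG)` reports the tunnel-group/peer difference and the route via 10.177.8.37, while the crypto ACLs check out as mirror images.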

2 Replies

ggilbert
Cisco Employee

Hello,

The IP route statement given below is not needed since you have a default route on the router. But if you would like to add it, make sure the next hop is set to the actual next hop. In your case, I believe that is 10.217.63.129 and not the peer tunnel IP address.

ip route 10.177.29.0 255.255.255.0 10.177.8.37

Also, if the packets are encrypting and decrypting on the ASA, do you see any packets reaching the router? Have you tried debugging it with an ACL on the router?

Cheers

gilbert

Thank you. For the debugging, should I add an ACL with the log option to permit the IPsec traffic from the 10.177.8.37 peer?
