04-10-2007 04:59 AM - edited 02-21-2020 01:28 AM
Hello all,
I'm having a little problem getting a site-to-site VPN tunnel working between an 1800 IOS router and a 5520 ASA. The tunnel negotiates and comes up OK; however, the clients at each end are unable to communicate.
Site A shows that it is receiving and transmitting IPsec-encrypted packets across the tunnel; however, site B shows that it is only sending encrypted packets and not receiving or decrypting packets. I've checked the routing time and time again but can't see anything wrong. Perhaps someone could cast an eye over the configs below and spot something obvious that I've missed?
Thanks for any assistance.
(I should mention I don't want to NAT any of these addresses. The sites are part of an internal private network, hence the use of private 10.x subnets, and each client's IP address is routable on this network.)
Site B Router Config:
!
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
crypto isakmp key somekey address 10.177.8.37
!
!
crypto ipsec transform-set vpntset esp-3des esp-md5-hmac
!
crypto map N3VPNACCESS 11 ipsec-isakmp
set peer 10.177.8.37
set transform-set vpntset
match address 120
!
!
interface FastEthernet0
description "Outside"
ip address 10.217.63.130 255.255.255.224
duplex auto
speed auto
crypto map N3VPNACCESS
!
interface FastEthernet1
description "Inside"
ip address 10.217.63.190 255.255.255.224
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.217.63.129
ip route 10.177.8.37 255.255.255.255 10.217.63.129
ip route 10.177.29.0 255.255.255.0 10.177.8.37
access-list 120 permit ip 10.217.63.160 0.0.0.31 10.177.29.0 0.0.0.255
Site A ASA Config:
access-list NONAT extended permit ip 10.177.29.0 255.255.255.0 10.217.63.160 255.255.255.224
access-list SOME-SITE extended permit ip 10.177.29.0 255.255.255.0 10.217.63.160 255.255.255.224
crypto map N3VPNACCESS 24 match address SOME-SITE
crypto map N3VPNACCESS 24 set peer 10.217.63.130
crypto map N3VPNACCESS 24 set transform-set ESP-3DES-MD5
tunnel-group 10.191.63.4 type ipsec-l2l
tunnel-group 10.191.63.4 general-attributes
default-group-policy SOME-VPN-GRPPOL
tunnel-group 10.191.63.4 ipsec-attributes
pre-shared-key *
04-10-2007 03:18 PM
Hello,
The IP route statement given below is not needed, since you have a default route on the router. But if you would like to add it, make sure the next hop is set to the actual next hop: in your case, I believe 10.217.63.129 and not the peer tunnel IP address.
ip route 10.177.29.0 255.255.255.0 10.177.8.37
Also, if the packets are being encrypted and decrypted on the ASA, do you see any packets reaching the router? Have you tried debugging it with an ACL on the router?
Cheers
gilbert
04-10-2007 11:14 PM
Thank you. For the debugging, should I add an ACL with the log option to permit the IPsec traffic from the 10.177.8.37 peer?
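Added example, not code from anyone in the thread: a small Python script that applies the three consistency checks a practitioner runs over a router/ASA pair when the tunnel comes up but traffic only flows one way. It checks that the two crypto ACLs are exact mirror images, that the ASA has an ipsec-l2l tunnel-group named after the crypto-map peer (an ASA selects the L2L tunnel-group by the peer's IP address), and that the router's route to the remote subnet points at the outside gateway rather than at the VPN peer (Gilbert's point above). The two config strings are constructed copies of the fragments posted in the thread, and the ACL/map names passed to `check_pair` are taken from them. Run against those fragments the script reports two findings: the tunnel-group name 10.191.63.4 differs from the crypto-map peer 10.217.63.130, and the route to 10.177.29.0/24 uses the VPN peer as next hop; the script only flags these, it does not claim either is the cause.

```python
"""Consistency checks for an IOS-router / ASA site-to-site IPsec pair.

Added example, not from the thread. The two config strings are constructed
copies of the lines posted above; the checks cover the three things to verify
when the tunnel is up but traffic flows one way only:
  1. the crypto ACLs on both sides are exact mirror images,
  2. the ASA has an ipsec-l2l tunnel-group named after the crypto-map peer,
  3. the router's route to the remote subnet goes via the outside gateway,
     not via the VPN peer.
"""
import ipaddress
import re

# Constructed from the Site B router fragment posted above.
ROUTER_CFG = """\
crypto isakmp key somekey address 10.177.8.37
crypto map N3VPNACCESS 11 ipsec-isakmp
 set peer 10.177.8.37
 match address 120
ip route 0.0.0.0 0.0.0.0 10.217.63.129
ip route 10.177.8.37 255.255.255.255 10.217.63.129
ip route 10.177.29.0 255.255.255.0 10.177.8.37
access-list 120 permit ip 10.217.63.160 0.0.0.31 10.177.29.0 0.0.0.255
"""

# Constructed from the Site A ASA fragment posted above.
ASA_CFG = """\
access-list SOME-SITE extended permit ip 10.177.29.0 255.255.255.0 10.217.63.160 255.255.255.224
crypto map N3VPNACCESS 24 match address SOME-SITE
crypto map N3VPNACCESS 24 set peer 10.217.63.130
tunnel-group 10.191.63.4 type ipsec-l2l
"""


def _net(addr, mask):
    """ipaddress accepts both ASA netmasks and IOS wildcard (host) masks."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def ios_crypto_acl(cfg, acl_id):
    """'permit ip' entries of a numbered IOS extended ACL -> {(src, dst)}."""
    pat = re.compile(rf"^access-list {acl_id} permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return {(_net(s, sw), _net(d, dw)) for s, sw, d, dw in pat.findall(cfg)}


def asa_crypto_acl(cfg, name):
    """'permit ip' entries of a named ASA extended ACL -> {(src, dst)}."""
    pat = re.compile(rf"^access-list {name} extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return {(_net(s, sm), _net(d, dm)) for s, sm, d, dm in pat.findall(cfg)}


def mirror_mismatches(local, remote):
    """Entries on either side whose (dst, src) mirror is missing on the other."""
    only_local = {e for e in local if (e[1], e[0]) not in remote}
    only_remote = {e for e in remote if (e[1], e[0]) not in local}
    return only_local, only_remote


def asa_map_peer(cfg, map_name):
    m = re.search(rf"^crypto map {map_name} \d+ set peer (\S+)$", cfg, re.M)
    return m.group(1) if m else None


def asa_l2l_groups(cfg):
    return set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", cfg, re.M))


def ios_map_peer(cfg):
    m = re.search(r"^\s*set peer (\S+)$", cfg, re.M)
    return m.group(1) if m else None


def ios_static_routes(cfg):
    pat = re.compile(r"^ip route (\S+) (\S+) (\S+)$", re.M)
    return [(_net(a, m), nh) for a, m, nh in pat.findall(cfg)]


def next_hop(routes, dst):
    """Longest-prefix match over the static routes for network `dst`."""
    cands = [(n, nh) for n, nh in routes if dst.subnet_of(n)]
    return max(cands, key=lambda r: r[0].prefixlen)[1] if cands else None


def check_pair(router_cfg, asa_cfg, ios_acl_id, asa_acl_name, asa_map):
    """Return a list of human-readable findings; an empty list means all checks pass."""
    findings = []
    r_acl = ios_crypto_acl(router_cfg, ios_acl_id)
    a_acl = asa_crypto_acl(asa_cfg, asa_acl_name)
    only_r, only_a = mirror_mismatches(r_acl, a_acl)
    findings += [f"router ACL entry {s} -> {d} has no mirror on the ASA" for s, d in only_r]
    findings += [f"ASA ACL entry {s} -> {d} has no mirror on the router" for s, d in only_a]

    peer = asa_map_peer(asa_cfg, asa_map)
    groups = asa_l2l_groups(asa_cfg)
    if peer not in groups:
        findings.append(f"ASA crypto map peer {peer} has no ipsec-l2l tunnel-group of that name "
                        f"(tunnel-groups present: {sorted(groups)})")

    routes = ios_static_routes(router_cfg)
    gateway = next_hop(routes, ipaddress.ip_network("0.0.0.0/0"))
    vpn_peer = ios_map_peer(router_cfg)
    for _, remote in r_acl:
        if next_hop(routes, remote) == vpn_peer:
            findings.append(f"router route to {remote} points at VPN peer {vpn_peer}; "
                            f"next hop should be the outside gateway {gateway}")
    return findings


if __name__ == "__main__":
    for line in check_pair(ROUTER_CFG, ASA_CFG, "120", "SOME-SITE", "N3VPNACCESS") or ["all checks pass"]:
        print(line)
```

The mirror check is deliberately strict (exact network-for-network reversal) because a crypto ACL that is a superset on one side negotiates fine in phase 1 and then fails at the proxy-ID stage for the traffic the narrower side does not cover; if you use object-groups or multiple entries, expand them before comparing.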