Site to Site VPN Problems

Unanswered Question
Jan 2nd, 2008

I have established a site-to-site tunnel between our two office buildings, but I'm unable to ping between the two. Both IPSec and IKE negotiate and show active connections, but if I check the IPSec tunnels in the VPN status monitor, there are no decapsulated packets. There are plenty of encapsulated packets (21296), but 0 decapsulated packets, along with 155 Send Error packets. The hardware used is a 2811 Integrated Services Router and an ASA 5505. Any ideas as to why this connection would be performing this way?

Danilo Dy Sat, 01/05/2008 - 20:08

Hi,

Check if there's an ACL on the interface and make sure you include the hosts/networks passing through the VPN.

For example, if Fa0/1 is used for the VPN tunnel, check the "access-group acl_number in_or_out" ACL. Try removing it first and test.

Regards,

Dandy

westernmotor Mon, 01/07/2008 - 08:51

I checked the ACL on both routers and the ACL_INT_IN (outside interface) is set to permit traffic from the remote network and the source network. Still no luck.

2811 settings: ip access-list extended sdm_fastethernet0/1_in permit ip 192.168.1.0 0.0.0.255 10.4.167.0 0.0.0.255

ASA Settings: access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.4.167.0 255.255.255.0

mnorwood Tue, 01/08/2008 - 05:47

Check your routing for the destination network on the opposite side of the end not getting decapsulated packets. If you are seeing encapsulated packets, it has a route out. If you don't see any decaps, there is no route in from the other side. That might not be true 100% of the time, but in my experience, it's usually a route that's either incorrect or missing.

Hope this helps.

mbroberson1 Tue, 01/15/2008 - 06:04

Check your crypto ACLs; each router's ACL should be a mirror of the other. Also check to make sure PFS is turned off on each end. From my experience, if you are seeing the tunnel come up but no encaps or decaps, it is usually either the crypto ACLs, PFS, or in some cases, depending on your topology, a missing static route pointing to the destination network specified in the crypto ACL.
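The mirror property described in this reply can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses `permit` entries from an IOS crypto ACL (wildcard masks) and an ASA crypto ACL (subnet masks), normalises both to networks, and reports entries that have no reversed counterpart on the other side. The sample ACL lines are constructed for the example and only reuse the two subnets mentioned in the thread; the ACL names are assumptions.

```python
import ipaddress

# Constructed sample crypto ACLs (not from the thread) reusing the two subnets
# the thread mentions. Site A is an IOS router (wildcard masks); site B is an
# ASA (subnet masks). Only "permit" entries define interesting traffic.
SITE_A_IOS = [
    "ip access-list extended crypto_to_siteB",   # assumed ACL name
    "permit ip 192.168.1.0 0.0.0.255 10.4.167.0 0.0.0.255",
]
SITE_B_ASA_MIRRORED = [
    "access-list outside_cryptomap extended permit ip 10.4.167.0 255.255.255.0 192.168.1.0 255.255.255.0",
]
SITE_B_ASA_COPIED = [  # the same line pasted on the far end instead of reversed
    "access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.4.167.0 255.255.255.0",
]


def _endpoint(tokens, i, platform):
    """Parse one ACE endpoint starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if platform == "ios":
        # IOS ACLs use wildcard masks: invert to get the subnet mask.
        wild = int(ipaddress.IPv4Address(mask))
        mask = str(ipaddress.IPv4Address((~wild) & 0xFFFFFFFF))
    # The default strict=True rejects entries whose address has host bits set.
    return ipaddress.IPv4Network((addr, mask)), i + 2


def parse_ace(line, platform):
    """Return (protocol, src, dst) for a permit ACE, or None for any other line."""
    tokens = line.split()
    if "permit" not in tokens:
        return None
    i = tokens.index("permit")
    proto = tokens[i + 1]
    src, i = _endpoint(tokens, i + 2, platform)
    dst, _ = _endpoint(tokens, i, platform)
    return proto, src, dst


def _fmt(entry):
    return f"{entry[0]} {entry[1]} -> {entry[2]}"


def mirror_mismatches(local_lines, local_platform, remote_lines, remote_platform):
    """Compare two crypto ACLs. Returns (local entries with no mirror on the
    remote side, remote entries (shown reversed) with no mirror locally).
    Two empty lists mean the ACLs are exact mirrors of each other."""
    local = {a for a in (parse_ace(l, local_platform) for l in local_lines) if a}
    remote = {a for a in (parse_ace(l, remote_platform) for l in remote_lines) if a}
    remote_reversed = {(p, d, s) for p, s, d in remote}
    return (sorted(_fmt(e) for e in local - remote_reversed),
            sorted(_fmt(e) for e in remote_reversed - local))


if __name__ == "__main__":
    for name, remote in (("mirrored", SITE_B_ASA_MIRRORED), ("copied", SITE_B_ASA_COPIED)):
        print(name, mirror_mismatches(SITE_A_IOS, "ios", remote, "asa"))
```

Feed it the output of `show access-list` from each peer; a non-empty result on either side names the exact source/destination pair that will not match the far end's proxy identities.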

ivan.garrido Thu, 01/17/2008 - 13:50

Hi,

I have a 2801 router with one site-to-site VPN (static entry) and also configured a dynamic entry in the crypto map to support VPN client access to the LAN. But when I configure it, the site-to-site VPN fails and the remote VPN does not work.

This is the actual configuration, but without dynamic entry in crypto map.

Thanks for your help!!!!

Ivan.

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key xxx address 190.3.112.34
!
crypto isakmp client configuration group clientes-vpn.cl
key prueba-vpn-dic-2007
dns 10.1.0.110 10.1.0.120
pool VPN-Clients
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto dynamic-map vpn-client-map 1
set transform-set myset
reverse-route
!
!
crypto map argentina 10 ipsec-isakmp
set peer 190.3.112.34
set transform-set myset
set pfs group2
match address 102
!
crypto map vpn-client-map isakmp authorization list clientes-vpn.cl
crypto map vpn-client-map client configuration address respond
!
!
!
!
interface FastEthernet0/0
description Enlace Trunk Local
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.10
description Gateway Datos
encapsulation dot1Q 10
ip address 10.56.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.20
description Gateway Voz
encapsulation dot1Q 20
ip address 10.56.1.1 255.255.255.0
h323-gateway voip bind srcaddr 10.56.1.1
!
interface FastEthernet0/0.30
description Gateway Wireless
encapsulation dot1Q 30
ip address 10.56.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.40
description Management
encapsulation dot1Q 40
ip address 10.60.3.1 255.255.255.0
!
interface FastEthernet0/0.100
description Acceso_Publico_a_Inet
encapsulation dot1Q 100
ip address 190.54.46.50 255.255.255.248
ip nat outside
ip virtual-reassembly
crypto map argentina
!

mbroberson1 Thu, 01/17/2008 - 13:56

Ivan,

Your configurations are all good. The issue is that even with the latest IOS release, static and dynamic VPNs are not supported on the Cisco router. You will need a separate router for this scenario. I ran into this issue way back while trying to set up site-to-site VPNs and also DMVPN on the same router. Hope this helps!

Good luck,

Brandon

ajagadee Sat, 01/19/2008 - 23:27

Can you change this configuration line "crypto dynamic-map vpn-client-map 1" to "crypto dynamic-map vpn-client-map 999", then configure the dynamic crypto map and bring up the tunnel between the LAN-to-LAN peers as well as the remote clients?

Also, I see that you have NAT configured on the router. Have you bypassed NAT for the VPN traffic?

Please refer to the URL below for details on configuring L2L as well as remote access IPSec tunnels.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml

Regards,

Arul
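Three of the replies above name the same pair of prerequisites: the far-end LAN must route out the interface that carries the crypto map (mnorwood's and mbroberson1's routing point), and the NAT ACL must exempt the VPN traffic before the `permit` that translates everything else (the NAT-bypass question just asked). The script below is an added example, not code from the thread or from Cisco. It does a longest-prefix lookup of the remote LAN against a routing table and a first-match simulation of a NAT ACL against the crypto ACL's source/destination pairs. The routing table, NAT ACL and remote LAN are constructed for the example; the interface names and the 10.56.0.0/24 inside network are borrowed from the configuration posted earlier in the thread.

```python
import ipaddress

# Constructed sample data (not from the thread). Interface names follow the
# router config posted above; the remote LAN and the NAT ACL are assumptions.
CRYPTO_MAP_IFACE = "FastEthernet0/0.100"   # interface carrying "crypto map argentina"
LOCAL_LAN = "10.56.0.0/24"
REMOTE_LAN = "192.168.1.0/24"              # assumed far-end LAN

# (prefix, exit interface) as the connected/static routing table would list them.
ROUTES_OK = [
    ("0.0.0.0/0", "FastEthernet0/0.100"),
    ("10.56.0.0/24", "FastEthernet0/0.10"),
    ("10.56.1.0/24", "FastEthernet0/0.20"),
]
# A stale static route sends the remote LAN to an inside VLAN instead.
ROUTES_WRONG = ROUTES_OK + [("192.168.1.0/24", "FastEthernet0/0.10")]
# No default route and nothing specific for the remote LAN.
ROUTES_MISSING = ROUTES_OK[1:]

# NAT ACL as (action, src, dst) in order: first match wins, implicit deny at the end.
NAT_ACL_TRANSLATES_VPN = [("permit", "10.56.0.0/24", "0.0.0.0/0")]
NAT_ACL_EXEMPTS_VPN = [("deny", "10.56.0.0/24", "192.168.1.0/24"),
                       ("permit", "10.56.0.0/24", "0.0.0.0/0")]


def best_route(routes, dest):
    """Longest-prefix match for a route that covers the whole destination network."""
    dest = ipaddress.IPv4Network(dest)
    best = None
    for prefix, iface in routes:
        p = ipaddress.IPv4Network(prefix)
        if dest.subnet_of(p) and (best is None or p.prefixlen > best[0].prefixlen):
            best = (p, iface)
    return best


def route_problems(routes, crypto_iface, remote_nets):
    """Flag remote networks that do not leave through the crypto-map interface."""
    problems = []
    for net in remote_nets:
        dest = ipaddress.IPv4Network(net)
        match = best_route(routes, net)
        if match is None:
            problems.append(f"{net}: no route at all")
        elif match[1] != crypto_iface:
            problems.append(f"{net}: routed via {match[1]} ({match[0]}), not {crypto_iface}")
        # A more specific route inside the remote LAN would pull part of it away.
        for prefix, iface in routes:
            p = ipaddress.IPv4Network(prefix)
            if p != dest and p.subnet_of(dest) and iface != crypto_iface:
                problems.append(f"{net}: more-specific {p} via {iface} bypasses the tunnel")
    return problems


def nat_problems(nat_acl, crypto_entries):
    """Simulate first-match NAT ACL evaluation for each crypto ACL entry and
    flag entries whose traffic would be translated before it is encrypted."""
    problems = []
    for src, dst in crypto_entries:
        s, d = ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst)
        verdict = "deny"  # implicit deny: not translated
        for action, asrc, adst in nat_acl:
            a_s, a_d = ipaddress.IPv4Network(asrc), ipaddress.IPv4Network(adst)
            if s.subnet_of(a_s) and d.subnet_of(a_d):
                verdict = action
                break
            if s.overlaps(a_s) and d.overlaps(a_d):
                verdict = "partial"   # some hosts match this ACE, others fall through
                break
        if verdict == "permit":
            problems.append(f"{src} -> {dst}: translated; add a deny for it ahead of the permit")
        elif verdict == "partial":
            problems.append(f"{src} -> {dst}: only partly covered by the NAT ACL; check by hand")
    return problems


if __name__ == "__main__":
    for label, routes in (("ok", ROUTES_OK), ("wrong", ROUTES_WRONG), ("missing", ROUTES_MISSING)):
        print("routes", label, route_problems(routes, CRYPTO_MAP_IFACE, [REMOTE_LAN]))
    for label, acl in (("translates", NAT_ACL_TRANSLATES_VPN), ("exempts", NAT_ACL_EXEMPTS_VPN)):
        print("nat", label, nat_problems(acl, [(LOCAL_LAN, REMOTE_LAN)]))
```

The routing check needs to be run on the side that shows zero decaps' peer, since that is the router whose route for the far LAN decides whether return traffic ever reaches the crypto map; the NAT check reproduces what the router does per packet, so a `deny` that appears after the broad `permit` is correctly reported as useless.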

c-injapuram Thu, 01/24/2008 - 08:04

Have you tested the site-to-site VPN alone, without configuring the dynamic VPN client?

This is just for process of elimination.

Also, can you provide the full configuration?
