01-11-2008 09:35 AM - edited 02-21-2020 01:51 AM
I am trying to bring up a tunnel between my older 2811 and my new ISR 2811. The tunnel shows QM_IDLE with a sho cry isa sa on both devices but I can't ping across the /30 that I assigned to the tunnel interface and sho ip eigrp neigh doesn't show them as neighbors. I have 10 or so tunnels just like this on the older 2811 but this is the first attempt using the newer ISR 2811. I am using firmware version 12.4(15)T1 (C2800NM-ADVIPSERVICESK9-M). When I do a sho cry eng conn active I see decrypts but 0 encrypts. Help..
01-11-2008 09:37 PM
Hi,
Make sure that the VPN ACL is symmetric.
Router-A VPN ACL
Source: Network-A
Destination: Network-B
Router-B ACL
Source: Network-B
Destination: Network-A
Enable these debugs on both routers and post the output here (check that the clock is correct before turning debug on).
Router# debug crypto isakmp
Router# debug crypto isakmp error
Router# debug crypto ipsec
Router# debug crypto pki
Do you have an ACL on the interface of the VPN gateway, i.e. "ip access-group ACL# in/out"? This ACL should include not only the VPN gateways but also the networks permitted to travel through the VPN tunnel.
Regards,
Dandy
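The mirror-image check described in the reply above, as an added example that is not part of the original thread: it parses numbered extended ACL permit lines from two routers and reports entries that have no swapped source/destination counterpart on the peer. The function names and the sample configs are assumptions made for illustration; ACL number 180 is used because the thread uses it.

```python
import ipaddress

def _endpoint(tokens):
    """Consume one source or destination from tokens; return it as a CIDR string."""
    first = tokens.pop(0)
    if first == "any":
        return "0.0.0.0/0"
    if first == "host":
        return tokens.pop(0) + "/32"
    # IOS writes wildcard (inverse) masks; flip the bits to get a netmask.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return str(ipaddress.ip_network(f"{first}/{netmask}", strict=False))

def parse_permits(config, acl_number):
    """Return the set of (protocol, source, destination) permits of one numbered ACL."""
    entries = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] != ["access-list", str(acl_number), "permit"]:
            continue
        rest = tokens[4:]
        src = _endpoint(rest)
        dst = _endpoint(rest)
        entries.add((tokens[3], src, dst))
    return entries

def _mirror(entries):
    """Swap source and destination, as the peer's ACL is expected to."""
    return {(proto, dst, src) for proto, src, dst in entries}

def asymmetric_entries(cfg_a, cfg_b, acl_a=180, acl_b=180):
    """Return (only_a, only_b): permits on each router with no mirror on its peer."""
    a, b = parse_permits(cfg_a, acl_a), parse_permits(cfg_b, acl_b)
    return a - _mirror(b), b - _mirror(a)

# Constructed sample configs (documentation addresses, not the thread's).
ROUTER_A = """
access-list 180 permit gre host 192.0.2.1 host 198.51.100.1
access-list 180 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
"""
ROUTER_B = """
access-list 180 permit gre host 198.51.100.1 host 192.0.2.1
access-list 180 permit ip 10.2.0.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

if __name__ == "__main__":
    only_a, only_b = asymmetric_entries(ROUTER_A, ROUTER_B)
    for side, entries in (("A", only_a), ("B", only_b)):
        for proto, src, dst in sorted(entries):
            print(f"Router-{side}: permit {proto} {src} -> {dst} has no mirror on the peer")
```

In the constructed sample the GRE entries mirror each other, while the `ip` entries differ in one subnet and are reported on both sides.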
01-14-2008 08:43 AM
from the vpn gateway
access-list 180 permit gre host xxx.xxx.3.70 host 64.209.111.130
from the 2811 ISR
access-list 180 permit gre host 64.209.111.130 host xxx.xxx.3.70
I have a blanket statement to let all VPN related traffic through on my outside facing interface on the vpn gateway both ways. I don't have an ACL yet on the interface on the 2811ISR. This is all I get from the debugs, on the 2811
Jan 14 10:40:32: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /141.131.3.70, src_addr= 64.209.111.130, prot= 47
on the 2811ISR
Jan 14 16:40:48.231: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440
Jan 14 16:40:48.231: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440
Jan 14 16:40:58.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440
Jan 14 16:40:58.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440
Jan 14 16:41:08.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440
Jan 14 16:41:08.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440
Jan 14 16:41:18.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440
Jan 14 16:41:18.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440
Jan 14 16:41:28.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440
Jan 14 16:41:28.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440
Jan 14 16:41:38.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440
Jan 14 16:41:38.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440