Found a strange issue with a LAN-to-LAN VPN between a Cisco 2821 and an ASA 5500.
On the 2821 we have 4 GRE-over-IPSec tunnels ("tunnel mode ipsec") between IOS boxes, which work fine.
Trying to add another VPN on this router, to the ASA. Doing it the standard way:
- create a crypto map
- assign this crypto map to the Loopback0 interface, and to the external interface too.
- add a static route for this VPN: ip route 172.26.2.0 255.255.255.0 Loopback0
To verify this VPN, I created another interface, Loopback51, with an address from our local LAN.
Pinging the remote side using Loopback51 as the source address works fine: the crypto session on Loopback0 goes to UP-Active, and the SA counters show the same number of encrypted and decrypted packets.
Trying to ping the remote side from inside the local LAN. Result: nothing.
Traceroute shows that packets reach the 2821; the next hops are not resolved.
The SA counters for the crypto session do not increase, and after the timeout period the crypto session goes to DOWN.
Can anyone point me in the right direction?