VPN tunnel troubleshooting questions

Jun 15th, 2008

If I have a L2L VPN tunnel configured and it is not coming up,

What is the sequence of the tunnel coming up?

For example, at what point should I see the access-lists for interesting traffic getting hits in the process?

If the tunnel does not successfully come up, should I expect to see no hits on the access-list even though the routing is ok?

My understanding is that the interesting traffic access-lists are part of phase 2, but it seems that these access-lists would have to be the first thing in the process to initiate phase 1.

Doesn't there have to be traffic destined for the remote tunnel LAN in order for phase 1 to start?

Also, I have seen several posts indicating to check the SA lifetimes on both ends; my understanding is that these do not have to match, and that the end with the shortest time will cause a rekey.

Is that not correct?

Jon Marshall Sun, 06/15/2008 - 13:19


You are correct in what you say. The crypto access-list defines the interesting traffic, so as soon as the VPN device sees traffic that matches its access-list it initiates phase 1, which is all about setting up a secure channel between the 2 devices. Note this is a secure channel for further communication - it is not a secure channel to transfer the actual data.

The crypto access-list is also used in phase 2, where the local and remote networks are compared, i.e. VPN device 1 checks that VPN device 2 agrees on what the local and remote networks are.

So yes the crypto map access-list is used in both phases.

As for SAs, one of the pains with IPSEC is that, although it is a standard, different vendors sometimes seem to do different things. Yes, they should not have to match, at least on phase 2, but I have set up L2L VPNs between Cisco and other vendors where the only way to get the tunnel up was by matching them.

If you are trying to set up a L2L tunnel it is always best to make sure both ends agree on everything.
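The bring-up sequence Jon describes above, as an added example that is not part of the original thread and not Cisco code: a small Python model in which a packet is first checked against the crypto ACL (the interesting-traffic match that initiates phase 1), phase 1 then succeeds only if the ISAKMP attributes and pre-shared key agree, and phase 2 succeeds only if each end's crypto ACL is the mirror image of the other's (the proxy-ID comparison). It also applies the lifetime rule stated in the thread, that the shorter of the two lifetimes drives the rekey. The site configurations, peer addresses, key string and the `tunnel_bringup` function are all constructed for this example; the only real syntax modelled is the `permit ip <src> <wildcard> <dst> <wildcard>` form of a crypto ACL entry.

```python
"""Model of the L2L IPsec tunnel bring-up sequence (added example, not Cisco code)."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (local network, remote network) as one crypto ACL entry


def _wildcard_to_network(addr: str, wildcard: str) -> Net:
    """Cisco wildcard masks are the bitwise inverse of a subnet mask."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_crypto_acl(lines: List[str]) -> List[Pair]:
    """Parse 'permit ip <src> <wc> <dst> <wc>' entries into (src_net, dst_net) pairs."""
    pairs: List[Pair] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
            raise ValueError(f"this example only handles 'permit ip' entries: {line!r}")
        pairs.append((_wildcard_to_network(parts[2], parts[3]),
                      _wildcard_to_network(parts[4], parts[5])))
    return pairs


def matches_interesting_traffic(src_ip: str, dst_ip: str, acl: List[Pair]) -> bool:
    """The crypto ACL hit: this is what causes the device to start phase 1 at all."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


def phase1_mismatches(local: Dict[str, object], remote: Dict[str, object]) -> List[str]:
    """Phase 1 (ISAKMP): policy attributes and the pre-shared key must agree."""
    must_match = ["encryption", "hash", "authentication", "dh_group", "psk"]
    return [k for k in must_match if local.get(k) != remote.get(k)]


def phase2_proxy_id_mismatches(local_acl: List[Pair], remote_acl: List[Pair]) -> List[Pair]:
    """Phase 2 (IPsec): every (local, remote) pair must appear as (remote, local) on the peer."""
    mirrored = {(d, s) for s, d in remote_acl}
    return [p for p in local_acl if p not in mirrored]


def negotiated_lifetime(local_seconds: int, remote_seconds: int) -> int:
    """Lifetimes need not match; the shorter one is what triggers the rekey (as stated above)."""
    return min(local_seconds, remote_seconds)


def tunnel_bringup(src_ip: str, dst_ip: str, local: dict, remote: dict) -> List[str]:
    """Return the stages reached, in order; the last entry says why it stopped, or that it is up."""
    local_acl = parse_crypto_acl(local["crypto_acl"])
    remote_acl = parse_crypto_acl(remote["crypto_acl"])
    if not matches_interesting_traffic(src_ip, dst_ip, local_acl):
        return ["no crypto ACL hit: phase 1 never initiated"]
    stages = ["crypto ACL hit: phase 1 initiated"]
    bad1 = phase1_mismatches(local["isakmp"], remote["isakmp"])
    if bad1:
        stages.append("phase 1 failed: mismatch on " + ", ".join(bad1))
        return stages
    stages.append("phase 1 up: ISAKMP SA established")
    bad2 = phase2_proxy_id_mismatches(local_acl, remote_acl)
    if bad2:
        stages.append(f"phase 2 failed: proxy ID mismatch for {bad2[0][0]} -> {bad2[0][1]}")
        return stages
    life = negotiated_lifetime(local["ipsec_lifetime"], remote["ipsec_lifetime"])
    stages.append(f"phase 2 up: IPsec SA established, rekey every {life}s")
    return stages


# Constructed sample configurations for two hypothetical sites (not from the thread).
ISAKMP_POLICY = {"encryption": "aes", "hash": "sha", "authentication": "pre-share",
                 "dh_group": 2, "psk": "example-psk"}
SITE_A = {"crypto_acl": ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"],
          "isakmp": dict(ISAKMP_POLICY), "ipsec_lifetime": 3600}
SITE_B = {"crypto_acl": ["permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"],
          "isakmp": dict(ISAKMP_POLICY), "ipsec_lifetime": 28800}
# Same peer, but its crypto ACL only covers half of site A's LAN: a classic phase 2 failure.
SITE_B_BAD_ACL = {"crypto_acl": ["permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.127"],
                  "isakmp": dict(ISAKMP_POLICY), "ipsec_lifetime": 28800}

if __name__ == "__main__":
    for peer in (SITE_B, SITE_B_BAD_ACL):
        for stage in tunnel_bringup("192.168.1.10", "192.168.2.20", SITE_A, peer):
            print(stage)
        print()
```

Run against `SITE_B_BAD_ACL`, the model reports the crypto ACL hit and a completed phase 1 before stopping at the proxy-ID comparison, which is exactly the situation the original question asks about: traffic can match the crypto ACL and start phase 1 even when phase 2 never completes, so a hit on the access-list alone does not mean the tunnel is up.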


wilson_1234_2 Sun, 06/15/2008 - 15:31

Thanks Jon.


Phase 1 sets up a secure channel to the peer and the negotiation of phase 2 is encrypted in the phase 1 tunnel?

As far as the access-list goes, if I have traffic that matches the list and initiates phase one, but phase 2 is not successful, would I expect to see hits on the access-list?

Or are the packets just dropped if phase 2 never comes up?

michael.leblanc Mon, 06/16/2008 - 08:01


Perhaps you could refrain from posting the same question in multiple forums.

I responded to this same question in VPN | Security.

If I had seen that your question was adequately answered here by another respondent, I would have refrained from wasting my time.

