Problem with IPSEC tunnel between two Cisco Router 2811

Unanswered Question
Jan 26th, 2009
I'm trying to set up a site-to-site VPN from a remote office to a central office with two Cisco 2811 routers. In the remote office there is a non-Cisco cable modem and router (owned by an ISP - public IP, not real).

The central router is working perfectly and has other VPN tunnels active.

The router owned by the ISP has the ports redirected to Cisco 2811 router (UDP 500, TCP 1723, TCP 47, TCP 50, TCP 51).

Configurations are attached.

Thanks for any help.

Ivan Martinon (Cisco Employee) Mon, 01/26/2009 - 12:39

What is the issue with this tunnel? Is it not completing the negotiation? Can you pass traffic? FYI, IPsec uses UDP 500, UDP 4500 (when behind NAT) and ESP (protocol 50); this is a portless protocol and cannot be forwarded by TCP/UDP.

Richard Burts Mon, 01/26/2009 - 13:42
I see several issues with the configs that you have posted:

- in both routers there is an access group on the tunnel interface. The access list is permit any, so the access group is doing no good and I would suggest that it be removed.

- in both routers the crypto map is assigned on the tunnel interface as well as being assigned on the FastEthernet or VLAN interface. In old versions of code you did put the crypto map on both the tunnel interface and the outbound interface. But you are running 12.4 code and in these releases the crypto map should be only on the outbound interface. I suggest that you remove the crypto map from the tunnel interface.

- on the remote router you have configured NAT and the NAT configuration will translate everything originating from the local LAN and overloading on the FastEthernet interface. You do not want to translate the traffic going out the tunnel to the remote.

- on the central router you have configured nat inside and nat outside but there is no NAT configured.

- another issue is that the key configured on the remote for ISAKMP authentication does not match the key configured on the central router.

- and there is a major problem in that the addresses configured on the remote router do not match up at all with the addresses configured on the central router.
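
The remote-side corrections listed above, pulled together into one IOS configuration fragment. This is an added example, not the poster's attached config: it uses a plain IPsec site-to-site policy rather than the Tunnel interface, and every address, key and interface name is a constructed placeholder (remote LAN 192.168.10.0/24, central LAN 192.168.20.0/24, central public IP 203.0.113.1, remote 2811 at 10.0.0.2 behind the ISP device).

```ios
! Added example with constructed placeholder values; not the poster's config.
! Central side needs the mirror image: same key, same transform set,
! crypto ACL with the subnets reversed, peer = the ISP device's public IP.
!
! ISAKMP policy. The pre-shared key string must be identical on both ends
! and is tied to the central router's public IP.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-KEY-CHANGE-ME address 203.0.113.1
! NAT-T is on by default in 12.4: the ISP device must forward UDP 500 and
! UDP 4500 to the 2811. ESP (protocol 50) itself cannot be port-forwarded.
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Crypto ACL: the traffic that must be encrypted (LAN to LAN).
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
!
! NAT exemption: deny the tunnel traffic first so it is never translated,
! then overload everything else on the outside interface.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! The crypto map goes only on the outbound interface, not on any Tunnel
! interface, and no access-group is needed for a permit-any ACL.
interface FastEthernet0/0
 description Outside, private address behind the ISP router
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
 crypto map VPN
!
interface FastEthernet0/1
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
```

After applying both sides, `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` should show encaps/decaps counters rising for the VPN-TRAFFIC subnets.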



marianares0001 Fri, 01/30/2009 - 03:42
I'm changing all the things you've written, but what you comment on in the last paragraph is because in the remote office there is a non-Cisco cable modem and router owned by an ISP, and it has a public IP, and the Cisco router is in a subnet connected to the other router. I think this must be the biggest problem, because the Cisco router doesn't have a public IP.

Do you know how I can fix this?

Thanks a lot.
