Tunnel not working until remote peer initiates some traffic

Unanswered Question
Apr 30th, 2009

Hi all,


I have configured a VPN that only works when we initiate the traffic. If the remote side tries to initiate any connection, it is unable to.


Do you know why this is happening?


Just this peer is able to initiate the traffic


access-list outside_cryptomap_1 extended permit ip 1.2.3.0 255.255.255.0 4.5.6.0 255.255.255.0


crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES esp-3des esp-none

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_cryptomap_1

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer X.X.X.X

crypto map outside_map 1 set transform-set ESP-3DES


Farrukh Haroon Sat, 05/02/2009 - 06:17

Do you have a 'dynamic' crypto map setup at one side? In that case only the side with the static crypto map can initiate the connection.


Regards


Farrukh

Farrukh Haroon Sun, 05/03/2009 - 23:37

Please post more details about the setup.


What are the VPN terminating devices, IOS?


Are you using NAT-T?


What is the routing configuration?


Regards


Farrukh

leandro.candido Mon, 05/04/2009 - 07:06

The vpn terminating device is IOS.


I don't have information on whether the VPN terminating device is using NAT-T; the only information about the VPN terminating device that I have is this:


crypto isakmp policy 4

encr 3des

hash md5

authentication pre-share

group 2


crypto isakmp key


crypto ipsec transform-set ZZZZZ esp-3des



crypto map XXX 11 ipsec-isakmp

set peer Y.Y.Y.Y

set transform-set ZZZZZ

match address AAAAA


ip access-list extended AAAAA


About the routing: I have a branch office that arrives via L2L up to the VPN, and the traffic is forwarded to the tunnel. As far as the routing is concerned, it is okay.


Thank you
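
Added example, not part of the thread and not any poster's code: a small Python check that compares the phase-2 settings of the two excerpts posted above and flags asymmetries that let only one peer bring the tunnel up. It covers the dynamic crypto map case raised earlier in the thread and also a one-sided `set pfs`, since a responder that requires PFS rejects an offer without it while a side with no PFS configured accepts an offer that includes it. It assumes one crypto map entry per excerpt; the function names are hypothetical.

```python
import re

# Excerpts as posted in the thread; peer addresses and names are the posters' placeholders.
LOCAL = """\
crypto ipsec transform-set ESP-3DES esp-3des esp-none
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-3DES
"""
REMOTE = """\
crypto ipsec transform-set ZZZZZ esp-3des
crypto map XXX 11 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set ZZZZZ
 match address AAAAA
"""

def phase2(config):
    """Extract phase-2 settings from one-line or block-style crypto map syntax."""
    out = {"pfs": None, "dynamic": False}
    tsets, used = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            # esp-none only spells out "no ESP authentication", so drop it before comparing
            tsets[m[1]] = frozenset(m[2].split()) - {"esp-none"}
        elif m := re.search(r"set transform-set (\S+)", line):
            used = m[1]
        elif m := re.search(r"set pfs\s*(\S*)", line):
            out["pfs"] = m[1] or "default-group"
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic ", line):
            out["dynamic"] = True
    out["transforms"] = tsets.get(used, frozenset())
    return out

def asymmetries(local, remote):
    """Return human-readable differences between the two peers' phase-2 settings."""
    a, b = phase2(local), phase2(remote)
    found = []
    if a["dynamic"] != b["dynamic"]:
        found.append("dynamic crypto map on one side: only the static side can initiate")
    if a["pfs"] != b["pfs"]:
        found.append(f"PFS differs: local={a['pfs']} remote={b['pfs']}")
    if a["transforms"] != b["transforms"]:
        found.append(f"transforms differ: {sorted(a['transforms'])} vs {sorted(b['transforms'])}")
    return found

if __name__ == "__main__":
    print("\n".join(asymmetries(LOCAL, REMOTE)) or "no asymmetry found")
```

On the excerpts as posted, which may be incomplete, the only difference reported is the `set pfs group1` line with no counterpart on the remote side.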

Farrukh Haroon Sat, 05/09/2009 - 00:49

Sorry I was away, please let me know if this issue is still open.


Regards


Farrukh

hunnetvl01 Tue, 05/19/2009 - 02:51

do a sh crypto isakmp sa

deb isakmp 255 and post the output

