09-25-2009 07:34 AM - edited 02-21-2020 04:20 PM
I'm trying to build a tunnel between an 877 and a VPN 3000. The tunnel appears to come up when I send interesting traffic but I can ping back to HQ.
Attached are the 877 config and debug crypto isakmp.
Any ideas?
09-25-2009 07:51 AM
1. Make sure there is no ACL blocking your ping packets.
2. Check the routing in both directions.
3. Check "show crypto ipsec sa" to see if both the encrypt and decrypt counters are incrementing while you are doing the ping test.
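Step 3 as a repeatable check, added here as an example and not part of the thread: parse two snapshots of "show crypto ipsec sa" output (the sample output below is constructed in the IOS format, with made-up addresses) and report whether the encaps/decaps counters moved between them. Encaps rising while decaps stays flat means the router is encrypting outbound but nothing is coming back, which points at routing or filtering on the far side rather than at the tunnel itself.

```python
import re
from typing import Dict

# Constructed sample output in the format IOS prints for "show crypto ipsec sa".
# Two snapshots: one taken before a ping test, one after. Addresses are made up.
SNAP_BEFORE = """\
interface: Dialer0
    Crypto map tag: VPN, local addr 203.0.113.10
   local  ident (addr/mask/prot/port): (10.73.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SNAP_AFTER = """\
interface: Dialer0
    Crypto map tag: VPN, local addr 203.0.113.10
   local  ident (addr/mask/prot/port): (10.73.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
    #pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Only the four counters that matter for the one-way vs two-way question.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")


def parse_counters(output: str) -> Dict[str, int]:
    """Sum the per-SA packet counters found in a 'show crypto ipsec sa' dump.

    Summing across SAs is deliberate: if several SAs exist, we only care
    whether any traffic is flowing in each direction.
    """
    totals = {"encaps": 0, "decaps": 0, "encrypt": 0, "decrypt": 0}
    for name, value in COUNTER_RE.findall(output):
        totals[name] += int(value)
    return totals


def diagnose(before: str, after: str) -> str:
    """Classify the traffic direction seen between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    d_enc = a["encaps"] - b["encaps"]   # packets we encrypted and sent
    d_dec = a["decaps"] - b["decaps"]   # packets we received and decrypted
    if d_enc > 0 and d_dec > 0:
        return "bidirectional"          # tunnel is passing traffic both ways
    if d_enc > 0:
        return "outbound-only"          # nothing returns: check far-side routing/ACLs
    if d_dec > 0:
        return "inbound-only"           # far side sends, we never match the crypto ACL
    return "no-traffic"                 # pings are not reaching the crypto map at all
```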
09-28-2009 03:00 AM
There are no ACLs on the HQ side besides those on the firewall permitting the tunnel ports:
access-list VPN permit icmp any host 84.203.192.67
access-list VPN permit udp any host 84.203.192.67 eq 10000
access-list VPN permit udp any host 84.203.192.67 eq isakmp
access-list VPN permit esp any host 84.203.192.67
I have static routes (for the 10.73.100.0 remote subnet) on the HQ side: on the core switches pointing at the concentrator, on the VPN concentrator pointing out the public interface, and on the PIX pointing out the public interface.
I'm not sure if the routing around the DMZ/concentrator is set up correctly.
When doing a traceroute from HQ to the remote inside address, the packets get dropped at the concentrator.
The "show crypto ipsec sa" doesn't even seem to show counters for encryption and decryption on the 877.
09-30-2009 08:21 AM
The trouble was the any in my access-list. Either the concentrator or the router didn't like it, so I changed it to 10.0.0.0.
I also changed the static route on the concentrator pointing to the remote inside VLAN to use the next hop rather than the exit interface.
Don't know why it worked, but it did.