IPSec/ISAKMP Branch to branch (w/ NAT)

Unanswered Question
Feb 11th, 2010

Hi guys,

Just need assistance troubleshooting a connection from one site to another; the only problem is that I have no idea what the peer device is.

I have set Phase 1 (ISAKMP) and Phase 2 (IPsec), and when I type "sh cryp isakmp sa" there is no output.

The device we manage is a Cisco 1811.

This is my P1 and P2 config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key xxxx address x.x.x.x no-xauth

crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac

crypto map SITE2SITE 2 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime kilobytes 1382400
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA-HMAC
 set pfs group2
 match address 131

access-list 131 remark ## SITE TO SITE VPN ##
access-list 131 permit ip

interface FastEthernet0.1
 crypto map SITE2SITE

Attached is a screenshot of "sh crypto isakmp sa" and "sh crypto engi connec active".

Really needed this done ASAP, any input would be appreciated!


johnd2310 Thu, 02/11/2010 - 17:00


Turn on debug crypto isakmp and then generate some traffic to the peer. The debug output should give an idea as to why the SA is not up.



hitechdirect Thu, 02/11/2010 - 17:18

Hi John,

Thanks for the prompt response.

I turned on "debug crypto isakmp" and "terminal monitor". I did a ping from SiteA to a SiteB private IP address.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

There is no debug output.

Leo Laohoo Thu, 02/11/2010 - 17:21

Shouldn't one of the sides ( /24) be "access-list 131 permit ip"?

hitechdirect Thu, 02/11/2010 - 17:23

The other peer device is not a Cisco device (not entirely sure; not enough details from the peer network admin).

johnd2310 Thu, 02/11/2010 - 17:52


Make sure when doing a ping that your source IP is on the network. Use an extended ping and specify the source as an interface.


johnd2310 Thu, 02/11/2010 - 19:30


Since you have NAT on that router, have you excluded VPN traffic from NAT? What is your nat 0 command? Post a scrubbed config.



hitechdirect Sun, 02/14/2010 - 12:24

Hi John,

Isn't that a PIX command? I'm currently using an IOS Cisco 1811, or am I missing something?

hitechdirect Sun, 02/14/2010 - 13:24

Just an additional follow-up:

route-map VPNNONAT permit 10
 match ip address 130

ip nat inside source route-map VPNNONAT interface FastEthernet0.1 overload

ip route x.x.x.x

And re-enabled "crypto map SITE2SITE" on the outside interface.

Also take note that the external interface has secondary IP addresses.
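The NAT exemption John asked about, and the route-map VPNNONAT / access-list 130 setup posted above, can be sanity-checked offline. The checker below is an added example written for this thread, not code from the original posts or from Cisco: it parses simple IOS "permit/deny ip" ACL entries, walks the NAT ACL (130) with first-match semantics for every flow the crypto map ACL (131) permits, and flags any flow that would still be translated. On IOS the inside-to-outside translation happens before the crypto map is evaluated, so a translated source never matches the crypto ACL and ISAKMP is never triggered, which is consistent with seeing no "debug crypto isakmp" output at all. The 192.168.10.0/24 and 192.168.20.0/24 networks in the two sample configs are assumptions; the real ones were scrubbed from the post.

```python
"""Check that an IOS NAT ACL exempts the flows a crypto map ACL selects.

Added example for the forum thread, not the poster's own config or Cisco
code.  Only 'permit|deny ip <src> <dst>' entries are understood, where an
address is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress

# Constructed sample configs.  The thread's post scrubbed the real networks,
# so 192.168.10.0/24 (local) and 192.168.20.0/24 (remote) are assumptions.
# ACL 130 is the route-map VPNNONAT match list, ACL 131 the crypto map list,
# following the numbering in the thread.
NAT_NOT_EXEMPT = """
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
access-list 131 remark ## SITE TO SITE VPN ##
access-list 131 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""

NAT_EXEMPT = """
access-list 130 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
access-list 131 remark ## SITE TO SITE VPN ##
access-list 131 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""


def _take_addr(tokens):
    """Consume one address spec from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks; non-contiguous masks raise.
    wild = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(wild ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue  # remarks, blank lines and non-ACL config lines
        if tok[3] != "ip":
            raise ValueError(f"only 'ip' ACEs are supported: {line}")
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls


def nat_verdict(nat_aces, src, dst):
    """First-match walk over the NAT ACL for the flow src -> dst.

    'deny'          the flow is exempt from translation (what we want)
    'permit'        the flow is translated before the crypto map sees it
    'partial'       an ACE overlaps the flow without covering it (split behaviour)
    'implicit-deny' nothing matched, so NAT leaves the flow alone
    """
    for action, a_src, a_dst in nat_aces:
        if src.subnet_of(a_src) and dst.subnet_of(a_dst):
            return action
        if src.overlaps(a_src) and dst.overlaps(a_dst):
            return "partial"
    return "implicit-deny"


def check_vpn_nat_exemption(config, nat_acl="130", crypto_acl="131"):
    """Return [(src, dst, verdict)] for each permit ACE of the crypto ACL."""
    acls = parse_acls(config)
    nat_aces = acls.get(nat_acl, [])
    return [
        (str(src), str(dst), nat_verdict(nat_aces, src, dst))
        for action, src, dst in acls.get(crypto_acl, [])
        if action == "permit"
    ]


def translated_vpn_flows(config, nat_acl="130", crypto_acl="131"):
    """Crypto-ACL flows that NAT would still translate (verdict permit/partial)."""
    return [f for f in check_vpn_nat_exemption(config, nat_acl, crypto_acl)
            if f[2] in ("permit", "partial")]


if __name__ == "__main__":
    for name, cfg in (("NAT_NOT_EXEMPT", NAT_NOT_EXEMPT), ("NAT_EXEMPT", NAT_EXEMPT)):
        bad = translated_vpn_flows(cfg)
        print(f"{name}: {'OK' if not bad else 'still translated: ' + str(bad)}")
```

Paste your own scrubbed ACL 130 and 131 lines into the config string to run it against the real router; the deny for the VPN pair must sit above the permit in ACL 130, because IOS stops at the first matching entry.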

