I'm having difficulty with a site-to-site VPN where it can only be initiated/established from one side of the VPN.
So from one side of the VPN I can ping across with no issues and the VPN tunnel is established successfully; however, when I try this from the other side of the VPN it never establishes and the state is stuck in MM_KEY_EXCH.
I have verified the configurations at both ends and all appears to be fine (please see below). Also, please find a debug crypto isakmp attached from the router that doesn't seem to establish the VPN - any ideas why this is failing?
VPN is being established on a C837 to a C857.
crypto isakmp policy 10
crypto isakmp key secret address 126.96.36.199 no-xauth
crypto ipsec security-association lifetime seconds 3000
crypto ipsec transform-set secure esp-des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 188.8.131.52
 set transform-set secure
 match address VPN-Traffic
That could very well be causing this problem.
If you have static-to-dynamic setup for IPsec between two routers, please make sure you have this configuration:
You see that the dynamic IP site has a normal static crypto map, but the static IP side has a dynamic crypto map.
This example assumes you're doing NAT also.
With this configuration, the tunnel can only be initiated from the dynamic side.
Hope it helps.
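The static-to-dynamic layout described in the reply above, as an added example that is not part of the original thread or the configuration the reply referred to. The addresses (203.0.113.1, 192.168.1.0/24, 192.168.2.0/24), the `Dialer0` interface, and the names `dynmap` and `NAT-Traffic` are assumptions. It uses AES/SHA in place of the DES/MD5 transform set from the question, which assumes an IOS image with AES support.

```cisco
! ---- Static-IP side (assumed public address 203.0.113.1, LAN 192.168.1.0/24) ----
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Peer address is not known in advance, so the key must match any address.
! A wildcard key authenticates every peer that knows it: keep it long and random.
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set secure esp-aes esp-sha-hmac
! No "set peer" here: the dynamic map accepts whichever peer initiates.
crypto dynamic-map dynmap 10
 set transform-set secure
 match address VPN-Traffic
crypto map vpn 10 ipsec-isakmp dynamic dynmap
ip access-list extended VPN-Traffic
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! Exempt tunnel traffic from NAT, translate everything else.
ip access-list extended NAT-Traffic
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-Traffic interface Dialer0 overload
interface Dialer0
 crypto map vpn

! ---- Dynamic-IP side (LAN 192.168.2.0/24) ----
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1 no-xauth
crypto ipsec transform-set secure esp-aes esp-sha-hmac
! Normal static crypto map pointing at the fixed peer.
crypto map vpn 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set secure
 match address VPN-Traffic
! Mirror image of the ACL on the static side.
ip access-list extended VPN-Traffic
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended NAT-Traffic
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list NAT-Traffic interface Dialer0 overload
interface Dialer0
 crypto map vpn
```

Because the static side has no `set peer`, it cannot start the negotiation itself, which is why only the dynamic side can bring the tunnel up.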