Site-Site VPN - 2921 IOS 15 -> 2811 IOS 12.4

Unanswered Question
Jul 8th, 2010

I just got a new 2921 router with IOS 15.0. When configuring IPsec I'm able to get the session up and running between the routers.

I'm able to connect to the router from the "home" network using local IP addresses, but not to anything behind the local interface on the remote router.

I'm connecting from the 2921 router to the 2811 router.

The configuration on the 2921 router is as follows (modified with regard to IP addresses and key):

! Phase 1 (ISAKMP/IKE) policy: AES (128-bit default), pre-shared key, DH group 2, 8-hour lifetime
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
! Pre-shared key for the peer (peer address removed in the post)
crypto isakmp key MyKey address
!
! Phase 2 (IPsec) transform set, plus clearing the DF bit on encapsulated packets
crypto ipsec transform-set mets esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
! Crypto map: ACL 120 selects the traffic to be encrypted ("interesting traffic")
crypto map ipsec-vpn 10 ipsec-isakmp
 set peer
 set transform-set mets
 set pfs group2
 match address 120
!
! ACL 120: crypto ACL referenced by the map (source/destination removed in the post)
access-list 120 permit ip
!
! ACL 130: filter applied inbound on the LAN interface (addresses removed in the post)
access-list 130 permit ip
access-list 130 permit ip any
!
! LAN ("home") side
interface GigabitEthernet0/0
 ip address
 ip access-group 130 in
 duplex auto
 speed auto
!
! WAN ("internet") side: DHCP-assigned address, crypto map applied here
interface GigabitEthernet0/1
 ip address dhcp
 duplex auto
 speed auto
 crypto map ipsec-vpn

When doing a "ping" from I get a match in access-list 130, but not in access-list 120.

And no result is returned from the "home" network.

I have also replaced the 2921 router with a 3845 running 12.4 and entered the same configuration. This is working as it's supposed to.

Are there any changes regarding the configuration of this in IOS 15.0?
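One thing to rule out before suspecting the IOS release, as an added example that is not part of the original post: a ping that increments ACL 130 but never ACL 120 is exactly what happens when the source/destination pair falls outside the crypto map's "match address" ACL, or when the peer's crypto ACL does not cover the reversed flow (IOS then rejects the proxy identities in phase 2, and the second site never gets an SA for that traffic). The Python script below parses "access-list N permit|deny ip ..." lines, tests a flow against them with IOS first-match semantics, and checks that every local permit entry is covered by the peer's ACL. The addresses, ACL numbers and hostnames are constructed for the example, since the posted configuration had them removed; they are not the thread's.

```python
"""Sanity-check IOS crypto-map 'match address' ACLs.

Added example for the thread above; not code from the original post.
All addresses and ACL numbers below are constructed, because the posted
configuration had them removed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair to a network.

    Wildcard bits are the inverse of a netmask (0.0.0.255 -> /24). Host bits in
    'addr' are masked off; non-contiguous wildcards are rejected.
    """
    hostbits = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - hostbits.bit_length()
    if hostbits != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    netmask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(addr)) & netmask, prefix))


def _take_operand(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address operand ('any', 'host A', or 'A WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(config: str, number: int) -> List[AclEntry]:
    """Collect the 'access-list <number> permit|deny ip <src> <dst>' lines, in order.

    Only protocol 'ip' is handled, which is what crypto-map ACLs normally use;
    'remark' lines and other ACL numbers are skipped.
    """
    entries: List[AclEntry] = []
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny"):
            continue
        if proto != "ip":
            raise ValueError(f"unsupported protocol in: {raw.strip()}")
        src, i = _take_operand(tokens, 4)
        dst, _ = _take_operand(tokens, i)
        entries.append(AclEntry(action, src, dst))
    return entries


def first_match(entries: List[AclEntry], src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """IOS evaluates entries top-down and stops at the first match.

    None stands for the implicit deny at the end of the list, which is also why
    no hit counter moves on 'show access-lists' for such a flow.
    """
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e
    return None


def is_protected(entries: List[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """True if the flow is 'interesting traffic' and will be handed to the crypto map."""
    hit = first_match(entries, src_ip, dst_ip)
    return hit is not None and hit.action == "permit"


def uncovered(local: List[AclEntry], remote: List[AclEntry]) -> List[AclEntry]:
    """Local permit entries whose reversed flow no peer permit entry covers.

    Cisco's guidance is that the two crypto ACLs are mirror images; a peer entry
    that is a superset of the reversed flow is also accepted. Anything returned
    here will fail phase 2 (proxy identities rejected) when the local side initiates.
    """
    remote_permits = [r for r in remote if r.action == "permit"]
    return [
        e for e in local
        if e.action == "permit"
        and not any(e.dst.subnet_of(r.src) and e.src.subnet_of(r.dst) for r in remote_permits)
    ]


# Constructed sample: LAN 192.168.10.0/24 behind the local router, 10.20.0.0/16
# behind the peer. The second local entry has no counterpart on the peer.
LOCAL_CONFIG = """
access-list 120 remark crypto ACL towards branch
access-list 120 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 host 10.30.0.5
"""
REMOTE_CONFIG = """
access-list 110 permit ip 10.20.0.0 0.0.255.255 192.168.10.0 0.0.0.255
"""

if __name__ == "__main__":
    local = parse_acl(LOCAL_CONFIG, 120)
    remote = parse_acl(REMOTE_CONFIG, 110)
    print("192.168.10.5 -> 10.20.1.1 encrypted:", is_protected(local, "192.168.10.5", "10.20.1.1"))
    print("192.168.11.5 -> 10.20.1.1 encrypted:", is_protected(local, "192.168.11.5", "10.20.1.1"))
    for e in uncovered(local, remote):
        print("not covered by peer ACL:", e.src, "->", e.dst)
```

Paste both routers' "show running-config | include access-list" output into the two strings and test the exact source and destination you are pinging from; if the first call returns False, the traffic is never offered to the crypto map regardless of IOS version, and if the last function returns entries, the peer will refuse the proposal for those networks.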

budmiller Fri, 11/05/2010 - 06:39


Have you found any resolution for this? I am running into the same issue. In our case we had to upgrade a 2811 from 12.4 to 15 code to support a new card, and we are running into the same issue trying to get an IPsec tunnel to work between the 2811 running version 15 code and a 2821 running 12.4. The config was not changed at all, and if we backrev the code on the 2811 to 12.4 the tunnel comes right back up and passes traffic.

I have a TAC case open on it so when I get a resolution I will let you know.



pthuland Fri, 11/12/2010 - 02:41

No, I have not been able to resolve this. I had to use a 3845 instead of the 2900.

If I configure IPsec with known IP addresses on both sides (not DHCP on the "internet" side, and not using reverse route), everything is OK.

budmiller Mon, 11/29/2010 - 16:34

Well, I've found that if I upgrade the code to the newest version, 15.1.3.T, the tunnels work fine on the 2811. I'm not sure what changed in the releases, as I have still not changed the config at all, but I have it working now on that version of code. I'm not sure if that will fix it for the 2921 as well or not.


Bud Miller