Hello, I am seeing some issues with a VPN setup wherein I cannot ping the other end of the VPN tunnel.
The status of the tunnel is as below:
Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: yyy.yyy.yyy.yyy port 4500
IKEv1 SA: local xxx.xxx.xxx.xxx/4500 remote yyy.yyy.yyy.yyy/4500 Active
Our end is configured as follows:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key ABCD address yyy.yyy.yyy.yyy no-xauth
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
crypto map VPN 20 ipsec-isakmp
set peer yyy.yyy.yyy.yyy
set transform-set ESP-AES-256-SHA
set pfs group2
match address 170
!
The remote end is configured as follows:
crypto map networks-cryptomap 225 ipsec-isakmp
description *** To B2B Connection ***
set peer xxx.xxx.xxx.xxx
set transform-set abc
match address VPN
!
crypto ipsec transform-set abc esp-aes 256 esp-sha-hmac
!
crypto isakmp policy 195
encr aes 256
authentication pre-share
hash sha
group 2
lifetime 86400
I see that there are some differences in the config at each end, like aes only on our end while aes 256 on the other end, and also the set pfs group. Also, hash sha is configured on the remote end only.
As the tunnel is up:
met-wh-gw01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx QM_IDLE 1471 ACTIVE
Also in the show crypto session.
I wanted to confirm whether the differences mentioned above can create issues with tunnel reachability end to end, or should not matter as long as the tunnel is up? Or should those credentials match exactly for the pings to be possible?
I would be grateful for any advice on this.
Please let me know if any more information is required on this.
Many Thanks
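An added check, not part of the post or of any Cisco tool: a script that reads the two config excerpts above, fills in the values IOS uses for omitted policy lines, and reports per phase which settings differ between the sides. It assumes the IOS defaults `encr des`, `hash sha`, `authentication rsa-sig` and `group 1` for omitted policy lines, and that `encr aes` without a size means 128-bit.

```python
import re
# Constructed excerpts of both sides as shown in the post (peers, key and ACLs omitted).
LOCAL_CFG = """crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
crypto map VPN 20 ipsec-isakmp
 set transform-set ESP-AES-256-SHA
 set pfs group2"""
REMOTE_CFG = """crypto map networks-cryptomap 225 ipsec-isakmp
 set transform-set abc
crypto ipsec transform-set abc esp-aes 256 esp-sha-hmac
crypto isakmp policy 195
 encr aes 256
 authentication pre-share
 hash sha
 group 2"""
# Values IOS applies when a policy line is omitted (assumed IOS defaults).
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
P1_KEYS = ("encr", "hash", "authentication", "group")

def parse(cfg):
    """Return (isakmp policies, transform sets, crypto-map entry settings)."""
    policies, tsets, cmap, block = {}, {}, {}, None
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            block = policies[m.group(1)] = dict(DEFAULTS)  # start from IOS defaults
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            block, tsets[m.group(1)] = None, m.group(2)
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line):
            block = cmap
        elif block is not None:  # "encr aes" without a size is 128-bit on IOS
            key, _, val = line.replace("set ", "", 1).partition(" ")
            block[key] = "aes 128" if (key, val) == ("encr", "aes") else val
    return policies, tsets, cmap

def compare(local_cfg, remote_cfg):
    """List the phase 1 and phase 2 settings on which the two sides disagree."""
    (lp, lts, lm), (rp, rts, rm) = parse(local_cfg), parse(remote_cfg)
    pairs = [(a, b, [f"{k} {pa[k]} vs {pb[k]}" for k in P1_KEYS if pa[k] != pb[k]])
             for a, pa in lp.items() for b, pb in rp.items()]
    findings = []
    if not any(d == [] for _, _, d in pairs):  # phase 1 needs one fully matching pair
        findings += [f"phase1 policy {a} vs {b}: " + ", ".join(d) for a, b, d in pairs]
    lt, rt = lts.get(lm.get("transform-set")), rts.get(rm.get("transform-set"))
    if lt != rt:  # phase 2 proposals must carry the same ESP transforms
        findings.append(f"phase2 transform-set: {lt} vs {rt}")
    if lm.get("pfs") != rm.get("pfs"):
        findings.append(f"phase2 pfs: {lm.get('pfs')} vs {rm.get('pfs')}")
    return findings
```

Phase 1 needs at least one policy pair agreeing on all four fields, so if `show crypto isakmp sa` reports ACTIVE a matching policy not shown in the excerpts must exist on one side. On IOS a PFS mismatch is direction-dependent: the side without `set pfs` accepts a peer's PFS offer, while the side with it rejects a quick-mode proposal that lacks PFS.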