09-30-2015 04:02 PM
Hi.
I have a Cisco 2851 router establishing an IPSEC site-to-site VPN with a RV130W. Both ISAKMP and IPsec SAs are formed, but I only get one-way traffic. When I ping from the remote site (the RV130W) I see the decrypted packets, but the response doesn't go through the tunnel. Here you can see the current status and configuration. Please note that the incoming traffic weirdly matches the crypto ACL for outgoing traffic (those 3 matches are the same 3 packets from the incoming traffic), and when I try outgoing traffic, I don't see any matches on ACL 150.
Crypto Map "MYMAP" 3 ipsec-isakmp
Description: X
Peer = 10.116.2.6
Extended IP access list 150
access-list 150 permit ip 10.241.0.0 0.0.255.255 10.111.0.0 0.0.255.255
Current peer: 10.116.2.6
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
MYTSET: { esp-3des esp-md5-hmac } ,
}
CSC2851#show access-lists 150
Extended IP access list 150
10 permit ip 10.241.0.0 0.0.255.255 10.111.0.0 0.0.255.255 (3 matches)
CSC2851#show crypto ipsec sa peer 10.116.2.6
interface: GigabitEthernet0/0.701
Crypto map tag: MYMAP, local addr 192.168.100.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.241.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.111.0.0/255.255.0.0/0/0)
current_peer 10.116.2.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.100.2, remote crypto endpt.: 10.116.2.6
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.701
current outbound spi: 0x2EC9471D(784942877)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x67DF1852(1742674002)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2103, flow_id: Onboard VPN:103, sibling_flags 80000046, crypto map: SERVICIOS_ADMINISTRADOS
sa timing: remaining key lifetime (k/sec): (4573605/3492)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2EC9471D(784942877)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2104, flow_id: Onboard VPN:104, sibling_flags 80000046, crypto map: SERVICIOS_ADMINISTRADOS
sa timing: remaining key lifetime (k/sec): (4573606/3492)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
09-30-2015 09:35 PM
Hi lpavon0312,
Make sure the router has applied a NO-NAT policy for that VPN traffic. If NAT is not configured on the router, check that the interface ACLs are not blocking this traffic.
If there is no ACL applied, it could mean the devices behind the router are not replying back.
Hope it helps
-Randy-
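The NO-NAT policy Randy recommends, written out as an added IOS configuration example for the 2851 side; this is not configuration from the thread. The networks, ACL 150, the peer and the crypto map name MYMAP come from the question; the NAT ACL number 110, the role of GigabitEthernet0/1 as the LAN interface, and the use of GigabitEthernet0/0.701 as the NAT outside interface are assumptions.

```cisco
! Added example, not configuration posted in the thread.
! Assumed: GigabitEthernet0/0.701 is the outside/crypto-map interface and
! GigabitEthernet0/1 carries the 10.241.0.0/16 LAN; ACL 110 is an arbitrary number.
!
! Crypto ACL from the thread: interesting traffic is 10.241/16 -> 10.111/16.
access-list 150 permit ip 10.241.0.0 0.0.255.255 10.111.0.0 0.0.255.255
!
! NAT ACL: the deny line must come first so VPN-bound traffic is never translated.
! IOS translates an inside-to-outside packet before checking it against the crypto
! ACL, so a translated reply no longer matches ACL 150 and leaves untunnelled,
! which is consistent with "decaps 3, encaps 0" and no outbound matches on 150.
access-list 110 deny   ip 10.241.0.0 0.0.255.255 10.111.0.0 0.0.255.255
access-list 110 permit ip 10.241.0.0 0.0.255.255 any
!
ip nat inside source list 110 interface GigabitEthernet0/0.701 overload
!
interface GigabitEthernet0/1
 ip nat inside
!
interface GigabitEthernet0/0.701
 ip nat outside
 crypto map MYMAP
!
! Verification after pinging a 10.111.x.x host from the 10.241/16 LAN:
!   show access-lists 150
!       -> matches should now increment for outbound traffic
!   show crypto ipsec sa peer 10.116.2.6 | include encaps|decaps
!       -> #pkts encaps must rise, not only #pkts decaps
!   show ip nat translations | include 10.111
!       -> should return nothing; an entry here means the deny line is missing
```

The three matches on ACL 150 in the question do not prove outbound traffic is being selected: IOS also checks decrypted inbound packets against the crypto ACL, so inbound pings alone will increment that counter while #pkts encaps stays at 0.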