New Member

Cisco 891 VPN Connection issue with OpenSwan


I have a small issue with VPN between my Linux server (Ubuntu with Openswan) and Cisco 891.

The tunnel is up and running, but I can access devices only from the Cisco side; if I try to ping any device on the Cisco side, I cannot connect to anything.

crypto isakmp sa

dst             src             state          conn-id status
                                QM_IDLE           2001 ACTIVE

In this example is a Cisco and is a Linux server, both with external IPs.

LAN side is for Cisco and for Linux.

With that tunnel running I can ping from any device in network, but if I try to do the reverse, I mean from Cisco to ping any device in the 2.0 network, I have no reply from any device.

Any ideas?

Config below:

no ip domain lookup
ip domain name
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef

object-group network GAMESERVERS
object-group network MONITORING
object-group network WEBSERVERS
object-group network PERSONAL

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key secretpassword address
crypto isakmp keepalive 10 periodic

crypto ipsec transform-set cm-transformset-1 esp-aes esp-sha-hmac

crypto map cm-cryptomap local-address GigabitEthernet0
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer
 set security-association lifetime kilobytes 46080000
 set transform-set cm-transformset-1
 match address 110

interface GigabitEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address
 ip access-group MAIN_IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map cm-cryptomap

interface Vlan1
 ip address
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452

ip nat inside source route-map ISP interface GigabitEthernet0 overload
ip nat inside source static tcp 22 65022 route-map ISP extendable
ip nat inside source static tcp 5555 65101 route-map ISP extendable
ip nat inside source static tcp 5555 65102 route-map ISP extendable
ip route GigabitEthernet0 10

ip access-list extended NAT
 deny   ip any
 deny   ip any
 deny   ip any
 permit ip any
ip access-list extended MAIN_IN
 permit ip object-group GAMESERVERS any
 permit ip object-group WEBSERVERS any
 permit ip object-group PERSONAL any
 permit ip object-group MONITORING any
 permit icmp any any
 deny   ip any any log

access-list 100 deny   ip host any
access-list 100 deny   ip any
access-list 100 permit ip any any

route-map ISP permit 10
 match ip address NAT
 match interface GigabitEthernet0

New Member

Re: Cisco 891 VPN Connection issue with OpenSwan

Normally it's caused by interesting cal mismatch. Have you checked that on both sides?

Sent from Cisco Technical Support iPhone App

New Member

Cisco 891 VPN Connection issue with OpenSwan

I'm sorry, but I don't quite understand what you are asking here.

What sort of call mismatch are you talking about here?

I had a very similar setup working with CentOS with the same Openswan configuration, which I can post here if required, but for some reason in this setup I can only achieve one-way communication, strangely...

New Member

Cisco 891 VPN Connection issue with OpenSwan

Nobody can help me with that?