748 Views | 0 Helpful | 5 Replies

IPSEC Tunnel

jeniferdcosta1
Level 1

Dears

It might be a stupid question, but I want to clarify: I am creating an IPsec tunnel between a voice router and CUCM to secure it from internal LAN users, but they are both on the same premises and in the same subnet. 10.10.10.1 is the voice gateway and 10.10.10.2 is the CUCM. Is it possible to build an IPsec tunnel within the subnet between the two devices?

I understand that I can keep them in different subnets, but is it possible within the same subnet?

Also, I tried building the tunnel, but when I execute the command show crypto ipsec sa I didn't see any encrypted voice-signalling packets, although the ISAKMP tunnel was showing as active.

Thanks

5 Replies

As long as you have IP connectivity between the devices you can build an IPsec VPN tunnel between them.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Dear Marius,

Attached is the snapshot of the configuration on CUCM.

Also, I tried building the tunnel, but when I execute the command show crypto ipsec sa I didn't see any encrypted voice-signalling packets, although the ISAKMP tunnel was showing as active.

#sh run | b crypto
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 10.10.4.2 no-xauth
!
!
crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
!
crypto map MGCP-MAP 10 ipsec-isakmp
 set peer 10.10.4.2
 set transform-set IPSEC-SET
 set pfs group2
 match address 110


sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: MGCP-MAP, local addr 10.229.4.8

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.4.8/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.4.2/255.255.255.255/0/0)
   current_peer 10.10.4.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.229.4.8, remote crypto endpt.: 10.229.4.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.4.8      10.10.4.2      MM_NO_STATE          0 ACTIVE (deleted)

I am no expert on CUCM, but it looks like you are missing the hash in your crypto isakmp policy:

hash sha256

Also, you have it set to transport mode on the CUCM, so you need transport on the router side as well; the default on the router is tunnel mode.

crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
  mode transport

Try adding that and see if the tunnel comes up.

But to be perfectly honest, you should set this up on its own VLAN. Doing this via a VPN on the same network is a bit messy and unneeded.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Dear Marius, thanks for the reply.

Now the status is not steady: it stays as below for some time and then goes back to MM_NO_STATE.


sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.4.8      10.10.4.2      QM_IDLE           1016 ACTIVE


I don't get any option for hash sha256, only the below:


VG_01(config)#crypto isakmp policy 10

_VG_01(config-isakmp)#hash sha ?
  <cr>

001332: Nov 13 08:10:48.287: ISAKMP:(1014):beginning Quick Mode exchange, M-ID of 2237452007
001333: Nov 13 08:10:48.287: ISAKMP:(1014):QM Initiator gets spi
001334: Nov 13 08:10:48.287: ISAKMP:(1014): sending packet to 10.10.4.2 my_port 500 peer_port 500 (I) QM_IDLE
001335: Nov 13 08:10:48.287: ISAKMP:(1014):Sending an IKE IPv4 Packet.
001336: Nov 13 08:10:48.287: ISAKMP:(1014):Node 2237452007, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
001337: Nov 13 08:10:48.287: ISAKMP:(1014):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
001338: Nov 13 08:10:48.287: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001339: Nov 13 08:10:48.287: ISAKMP:(1014):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

001340: Nov 13 08:10:48.287: ISAKMP (1014): received packet from 10.10.4.2 dport 500 sport 500 Global (I) QM_IDLE
001341: Nov 13 08:10:48.287: ISAKMP: set new node -1502355529 to QM_IDLE
001342: Nov 13 08:10:48.287: ISAKMP:(1014): processing HASH payload. message ID = 2792611767
001343: Nov 13 08:10:48.287: ISAKMP:(1014): processing NOTIFY INVALID_ID_INFO protocol 1
        spi 0, message ID = 2792611767, sa = 0x31B85428
001344: Nov 13 08:10:48.287: ISAKMP:(1014):peer does not do paranoid keepalives.

001345: Nov 13 08:10:48.287: ISAKMP:(1014):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 10.10.4.2)
001346: Nov 13 08:10:48.287: ISAKMP:(1014):deleting node -1502355529 error FALSE reason "Informational (in) state 1"
001347: Nov 13 08:10:48.287: ISAKMP:(1014):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
001348: Nov 13 08:10:48.287: ISAKMP:(1014):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

001349: Nov 13 08:10:48.287: ISAKMP: set new node 1147210847 to QM_IDLE
001350: Nov 13 08:10:48.291: ISAKMP:(1014): sending packet to 10.10.4.2 my_port 500 peer_port 500 (I) QM_IDLE
001351: Nov 13 08:10:48.291: ISAKMP:(1014):Sending an IKE IPv4 Packet.
001352: Nov 13 08:10:48.291: ISAKMP:(1014):purging node 1147210847
001353: Nov 13 08:10:48.291: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001354: Nov 13 08:10:48.291: ISAKMP:(1014):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

001355: Nov 13 08:10:48.291: ISAKMP:(1014):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 10.10.4.2)
001356: Nov 13 08:10:48.291: ISAKMP: Unlocking peer struct 0x3230D2F8 for isadb_mark_sa_deleted(), count 0
001357: Nov 13 08:10:48.291: ISAKMP: Deleting peer node by peer_reap for 10.10.4.2: 3230D2F8
001358: Nov 13 08:10:48.291: ISAKMP:(1014):deleting node -2057515289 error FALSE reason "IKE deleted"
001359: Nov 13 08:10:48.291: ISAKMP:(1014):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001360: Nov 13 08:10:48.291: ISAKMP:(1014):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

001361: Nov 13 08:10:48.291: ISAKMP (1014): received packet from 10.10.4.2 dport 500 sport 500 Global (I) MM_NO_STATE
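The two replies above amount to a checklist: review the posted crypto configuration for what is missing (an explicit hash in the ISAKMP policy, `mode transport` on the transform set, the crypto ACL), confirm from `show crypto isakmp sa` and `show crypto ipsec sa` that phase 1 is up while no packets were ever encapsulated, and read the `NOTIFY INVALID_ID_INFO` in the debug as the peer rejecting the phase-2 identities. The following script is an added example, not code from the thread or from Cisco; it automates that triage over constructed samples that mirror the output posted above. The sample config, counters, SA table and debug lines are constructed, and the notify-to-hint mapping is general IKEv1 knowledge rather than anything the router emits.

```python
"""Triage helper for a Cisco IOS IPsec tunnel whose ISAKMP SA is ACTIVE but whose
IPsec SA never carries traffic.  Added example; all sample data is constructed."""
import re

# Constructed to mirror the 'sh run | b crypto' output posted in the thread.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 10.10.4.2 no-xauth
crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
crypto map MGCP-MAP 10 ipsec-isakmp
 set peer 10.10.4.2
 set transform-set IPSEC-SET
 set pfs group2
 match address 110
"""

# Constructed excerpts of 'sh crypto ipsec sa', 'sh crypto isakmp sa' and the debug.
SAMPLE_IPSEC_SA = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SAMPLE_ISAKMP_SA = """\
dst             src             state          conn-id status
10.10.4.8      10.10.4.2      QM_IDLE           1016 ACTIVE
"""
SAMPLE_DEBUG = """\
001343: Nov 13 08:10:48.287: ISAKMP:(1014): processing NOTIFY INVALID_ID_INFO protocol 1
001345: Nov 13 08:10:48.287: ISAKMP:(1014):deleting SA reason "Recevied fatal informational"
"""

# IKEv1 notify types and what a defender should check when they appear.
NOTIFY_HINTS = {
    "INVALID_ID_INFO": "peer rejected the phase-2 identities (proxy IDs): "
                       "check the crypto ACL and tunnel vs transport mode on both sides",
    "NO_PROPOSAL_CHOSEN": "no ISAKMP policy or transform set matched the peer's proposal",
}


def parse_config(text):
    """Split IOS crypto config into policies, transform sets, crypto maps and ACL numbers."""
    cfg = {"isakmp_policies": {}, "transform_sets": {}, "crypto_maps": {}, "access_lists": set()}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):              # indented line belongs to the open section
            if current is not None:
                current.append(line.strip())
            continue
        tokens = line.split()
        current = None
        if tokens[:3] == ["crypto", "isakmp", "policy"]:
            current = cfg["isakmp_policies"].setdefault(tokens[3], [])
        elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
            current = cfg["transform_sets"].setdefault(tokens[3], [])
            current.append(" ".join(tokens[4:]))   # the ESP/AH algorithm list
        elif tokens[:2] == ["crypto", "map"] and "ipsec-isakmp" in tokens:
            current = cfg["crypto_maps"].setdefault((tokens[2], tokens[3]), [])
        elif tokens[:1] == ["access-list"]:
            cfg["access_lists"].add(tokens[1])
    return cfg


def review_config(cfg):
    """Flag the omissions the replies in the thread point at."""
    findings = []
    for num, lines in cfg["isakmp_policies"].items():
        if not any(l.startswith("hash ") for l in lines):
            findings.append(f"isakmp policy {num}: no explicit 'hash' (IOS default is SHA-1); "
                            "confirm it matches the peer's policy")
    for name, lines in cfg["transform_sets"].items():
        if "mode transport" not in lines:
            findings.append(f"transform-set {name}: no 'mode transport'; IOS defaults to tunnel "
                            "mode, so a peer configured for transport rejects phase 2")
    for (name, seq), lines in cfg["crypto_maps"].items():
        for l in lines:
            if l.startswith("match address"):
                acl = l.split()[2]
                if acl not in cfg["access_lists"]:
                    findings.append(f"crypto map {name} {seq}: match address {acl} but "
                                    f"access-list {acl} is not in the configuration shown")
    return findings


def parse_counters(text):
    """Return the '#pkts <name>: <n>' counters of 'show crypto ipsec sa' as a dict."""
    return {k: int(v) for k, v in re.findall(r"#pkts (\w+): (\d+)", text)}


def parse_isakmp_sa(text):
    """Parse the rows of 'show crypto isakmp sa' (header and banner lines are skipped)."""
    sas = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.+)$", line)
        if m and m.group(1)[0].isdigit():
            sas.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                        "conn_id": int(m.group(4)), "status": m.group(5).strip()})
    return sas


def scan_debug(text):
    """Map NOTIFY payloads seen in 'debug crypto isakmp' output to a hint."""
    return [(m.group(1), NOTIFY_HINTS.get(m.group(1), "see the IKEv1 notify type list"))
            for m in re.finditer(r"processing NOTIFY (\w+)", text)]


def triage(config, ipsec_sa, isakmp_sa, debug):
    """Combine the config review, SA state and debug hints into one report."""
    report = review_config(parse_config(config))
    counters = parse_counters(ipsec_sa)
    phase1_up = any(s["state"] == "QM_IDLE" and s["status"] == "ACTIVE"
                    for s in parse_isakmp_sa(isakmp_sa))
    if phase1_up and counters.get("encaps", 0) == 0 and counters.get("decaps", 0) == 0:
        report.append("phase 1 is up (QM_IDLE/ACTIVE) but no packets were ever encapsulated: "
                      "phase 2 never completed or the crypto ACL matches no traffic")
    for name, hint in scan_debug(debug):
        report.append(f"debug NOTIFY {name}: {hint}")
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_CONFIG, SAMPLE_IPSEC_SA, SAMPLE_ISAKMP_SA, SAMPLE_DEBUG):
        print("-", finding)
```

Run as-is it prints five findings for the constructed samples: the missing hash, the missing transport mode, the crypto ACL that is not shown, phase 1 up with zero encapsulated packets, and the INVALID_ID_INFO hint. To use it on real output, paste the three command outputs and the debug excerpt into the sample strings; the parsers only rely on the line shapes visible in the thread.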

Ah, OK. I believe the issue is that some of the management/keepalive packets are going through the VPN tunnel... so in hindsight, I do not think this is going to work after all.

You would need to have a different IP to source packets from than the interface on which you are terminating the VPN.

--

Please remember to select a correct answer and rate helpful posts