Cisco Support Community

New Member

1 way traffic between Router to VPN Concentrator 3K

1) private network on VPN Concentrator : 10.0.5.96/27

2) router private network : 192.168.1.0/24

I have network list define on VPN Concentrator:

10.0.5.96/0.0.0.31 under local network

192.168.1.0/0.0.0.255 under remote network

I did define the crypto access list on router:

access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.5.96 0.0.0.31

From the router debug, I can see the IPSec SA is being created. When I show crypto engine connection active, there are encrypted packets being sent but no packets being decrypted. What would be wrong with my configuration?
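The crypto ACL on the router and the local/remote network lists on the concentrator are the IPsec proxy identities, and they have to be exact mirror images of each other or one side will build an SA that the other never matches. The script below is an added example (not posted in the thread and not Cisco code): it converts the address/wildcard pairs quoted above into networks and checks that the router's source/destination pair equals the concentrator's remote/local pair. The rejection of non-contiguous wildcard masks is my own design choice, since such masks cannot be expressed as a subnet proxy ID.

```python
"""Check that a Cisco IOS crypto ACL mirrors the VPN 3000 network lists.

Added example. The ACL line and the two network-list entries are the ones
quoted in the question; the mismatching entry in main() is constructed.
"""
import ipaddress
import re

# Values taken from the question
ROUTER_ACL = "access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.5.96 0.0.0.31"
CONCENTRATOR_LOCAL = "10.0.5.96/0.0.0.31"
CONCENTRATOR_REMOTE = "192.168.1.0/0.0.0.255"

ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco address/wildcard pair (e.g. 10.0.5.96 0.0.0.31) into a network.

    A wildcard mask has 1 bits for the host part; 0.0.0.31 therefore means /27.
    Non-contiguous masks are legal in IOS ACLs but cannot be a proxy ID, so
    they are rejected here (design choice of this example).
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefix_len = 32 - wc.bit_length()
    # strict=True: the address must be the network base, not a host inside it
    return ipaddress.IPv4Network((addr, prefix_len), strict=True)


def parse_crypto_acl(line: str):
    """Return (source network, destination network) from a 'permit ip' ACE."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 'permit ip src wc dst wc' entry: {line!r}")
    _acl_no, src, src_wc, dst, dst_wc = m.groups()
    return wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)


def parse_network_list(entry: str) -> ipaddress.IPv4Network:
    """Parse a VPN 3000 network-list entry written as address/wildcard."""
    addr, wildcard = entry.split("/", 1)
    return wildcard_to_network(addr, wildcard)


def proxy_ids_mirror(acl_line: str, local_entry: str, remote_entry: str) -> list:
    """Return a list of mismatches; an empty list means the proxy IDs mirror.

    Router source must equal the concentrator's remote network, and router
    destination must equal the concentrator's local network.
    """
    router_src, router_dst = parse_crypto_acl(acl_line)
    conc_local = parse_network_list(local_entry)
    conc_remote = parse_network_list(remote_entry)
    problems = []
    if router_src != conc_remote:
        problems.append(f"router source {router_src} != concentrator remote {conc_remote}")
    if router_dst != conc_local:
        problems.append(f"router destination {router_dst} != concentrator local {conc_local}")
    return problems


if __name__ == "__main__":
    print("thread config:", proxy_ids_mirror(ROUTER_ACL, CONCENTRATOR_LOCAL, CONCENTRATOR_REMOTE) or "mirrored")
    # Constructed mismatch: concentrator local list widened to a /26
    print("widened local:", proxy_ids_mirror(ROUTER_ACL, "10.0.5.64/0.0.0.63", CONCENTRATOR_REMOTE))
```

For the addresses in the question the check comes back clean, so the proxy IDs are not the cause here and the next step is the counter check the accepted answer describes.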

1 ACCEPTED SOLUTION
Cisco Employee

Re: 1 way traffic between Router to VPN Concentrator 3K

Hi,

Once the tunnel is established, try sending some traffic across the tunnel and look at the monitor sessions on the VPN3000 to see if the packets Rx counter is increasing or not.

If yes, then make sure that the host that you are trying to access is live and knows that it has to send the packets back to the VPN3000 for 192.168.1.x/24.

If no, then see if the VPN3000 is sitting behind a firewall that is blocking Protocol 50 (ESP).

And what happens if you generate traffic from behind the VPN3000?

Regards,

Arul
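The accepted answer is a small decision tree: encrypt counters rising on the router, decrypt counters at zero, then branch on whether the concentrator's Rx counter moves. The script below is an added example (not from the thread and not Cisco code) that encodes that triage. It pulls the `#pkts encaps` / `#pkts decaps` counters out of a `show crypto ipsec sa` fragment; the counter names are the ones IOS prints, but the sample text and its values are constructed to reproduce the poster's symptom.

```python
"""Triage one-way IPsec traffic the way the accepted answer describes.

Added example. SAMPLE_SA_OUTPUT is constructed (IOS counter names, made-up
values); the peer Rx observation comes from the VPN3000 monitor session
and is passed in as a boolean.
"""
import re

# Constructed to mirror the symptom in the question: encrypting, never decrypting
SAMPLE_SA_OUTPUT = """\
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.5.96/255.255.255.224/0/0)
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa_counters(text: str) -> dict:
    """Return {'encaps': n, 'decaps': n} from show crypto ipsec sa output."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = {"encaps", "decaps"} - counters.keys()
    if missing:
        raise ValueError(f"counters not found in output: {sorted(missing)}")
    return counters


def triage(encaps: int, decaps: int, peer_rx_increasing: bool) -> tuple:
    """Classify the symptom; returns (verdict, what to check next)."""
    if encaps == 0:
        return ("no-interesting-traffic",
                "nothing matched the crypto ACL, so no packets were sent into the tunnel")
    if decaps > 0:
        return ("bidirectional", "the SA is carrying traffic both ways; look elsewhere")
    if peer_rx_increasing:
        # ESP arrives at the VPN3000, so the problem is on the return path
        return ("return-path",
                "peer Rx rises: check the target host is up and routes "
                "192.168.1.0/24 back via the VPN3000")
    # Nothing arrives at the peer at all
    return ("esp-blocked",
            "peer Rx does not move: check for a firewall dropping IP protocol 50 (ESP)")


def triage_from_output(text: str, peer_rx_increasing: bool) -> tuple:
    """Convenience wrapper: parse the counters, then classify."""
    c = parse_sa_counters(text)
    return triage(c["encaps"], c["decaps"], peer_rx_increasing)


if __name__ == "__main__":
    for rx in (True, False):
        verdict, advice = triage_from_output(SAMPLE_SA_OUTPUT, rx)
        print(f"peer Rx increasing={rx}: {verdict}: {advice}")
```

Run against the constructed sample, the script reports `return-path` when the concentrator's Rx counter moves and `esp-blocked` when it does not, which is exactly the two branches Arul lists.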

4 REPLIES
New Member

Re: 1 way traffic between Router to VPN Concentrator 3K

First check to see if the concentrator is getting these packets and if it is sending them back.

New Member

Re: 1 way traffic between Router to VPN Concentrator 3K

Hi,

Here is the scenario I have :

VPN3K--->Firewall---->Router

The ESP protocol is blocked by the firewall. Now I managed to establish the tunnel from Router to VPN3K.

My problem now is, when I try to initiate the tunnel from VPN3K to Router, the VPN3K will non-stop negotiate IKE parameters with the router and display MM mode failed.

I thought the firewall was blocking packets again, so I changed the VPN3K to a router: Router---->Firewall------>Router. I can initiate the tunnel from any router.

Does this mean that the site-to-site for the VPN3K can only be initiated between VPN3Ks and is only a responder to a Cisco router?

regards,

Sam

New Member

Re: 1 way traffic between Router to VPN Concentrator 3K

Hi,

I managed to figure out why I can't initiate the tunnel from my concentrator to the Cisco router. The Concentrator knows how to negotiate and use the smallest lifetime even when the IKE policy's lifetime does not match between the Concentrator and the router.

Every single parameter used in IKE and IPSec matches now.

102 Views, 0 Helpful, 4 Replies