You need to generate traffic requiring crypto protection (defined by your crypto ACL) in order to initiate the negotiation of an ISAKMP SA, which will establish a secure channel through which IPSec SAs will be negotiated.
Don't have access to a 3030 Concentrator, but on an IOS system you'd check status with:
show crypto isakmp sa detail
show crypto ipsec sa detail
Perhaps, log crypto sessions in syslog with:
crypto logging session
... and perhaps:
deny ip any any log
... as the last ACE in interface ACLs to identify configuration errors, and the presence of traffic that violates security policy.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...