Hello, I have a brand new pair of 851w's with IOS version 12.4(15)T7. I cannot seem to get a site-to-site VPN established; I have been able to use these 800 series successfully in the past. I have stripped the configs down to the bare essentials and still cannot get it established.
When I do a show crypto session it all looks correct but the connection is "down"
I am not 100% sure about my crypto transform
"crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs" I am not sure the 800 series will support the encryption or if I should use something else.
I have attached the configs.
You are missing your no-nat. Currently both routers are natting the traffic, so it will not match your crypto access-list.
Define your no-nat.
Hello, thanks for the response.
"route-map nonat permit 10
match ip address Crypto-list"
to each side and that did not seem to help. One thing that is odd: from the Bangor side I can ping 192.168.0.1 and 192.168.1.1, but the crypto session says down. The pings respond very quickly to 192.168.0.1, so it is strange.
Can you post the latest configs from both sides?
Also try not using the Crypto ACL in the route-map. Make a new ACL for denying IPsec traffic and permitting the rest of the traffic.
OK firstly - your config is not complete, you have not applied it to the nat statement for the FastEthernet - it will not work until you apply it.
The "permit 10" - is just a sequence number, you can have multiple matches in a route-map.
Loopback is not required.
I am confused about applying the nat?
I have "ip nat outside" on the FE4
I have "ip nat inside" on VLan1, bvi1
and the "ip nat inside source list 1 interface FE4 overload"
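The NAT exemption discussed in this thread, written out for one router as an added example (it is not taken from the attached configs or from any poster). It assumes the local LAN is 192.168.0.0/24 and the remote LAN is 192.168.1.0/24, and the ACL name NAT-ACL is hypothetical; the other router needs the mirror image.

```cisco
! Added example: the subnets and the ACL name NAT-ACL are assumptions.
!
! Before: every inside source is translated, so LAN-to-LAN packets leave
! with the outside address and never match the crypto access-list.
!   ip nat inside source list 1 interface FastEthernet4 overload
!
! A separate ACL for NAT (not the crypto ACL). In a NAT route-map,
! "deny" means "do not translate", "permit" means "translate".
ip access-list extended NAT-ACL
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
! "permit 10" is only the sequence number of this route-map entry.
route-map nonat permit 10
 match ip address NAT-ACL
!
! The route-map does nothing until the NAT statement references it,
! so replace the list-based statement with the route-map-based one.
no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
!
! Interface roles stay as they are:
!   FastEthernet4 : ip nat outside
!   Vlan1, BVI1   : ip nat inside
```

After the change, run `clear ip nat translation *`, send traffic between the two LANs, and check that `show ip nat translations` has no entries for the remote subnet and that the encaps/decaps counters in `show crypto ipsec sa` increase.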