It's not a bug, it looks like your ACL 121 would be blocking the traffic coming in. If you remove that off the interface, does it work then?
If so, it's probably this line:
> access-list 121 deny ip 192.168.0.0 0.0.255.255 any
that's causing the problem. When you have an inbound ACL on a crypto interface, you have to allow both the encrypted AND the unencrypted form of the traffic in. This is because the packet is run through the interface twice: once as an encrypted packet on its way in; it's then decrypted and put back on the interface, where it runs through the same ACL as an unencrypted packet. You'll need to add:
access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
to your ACL; make sure you put it BEFORE the "deny 192.168.0.0" line though.
And to answer your next question, no, this is not a security/spoofing risk, since the first thing the router does when it receives an inbound unencrypted packet on a crypto interface is to check and see if it should be encrypted. If it should be, the packet will be dropped. So, if someone tries to spoof this network and sends unencrypted packets, the router will drop them because they weren't encrypted as they should have been.
I have removed this access-list from my serial 0/1 but no changes. The same problem. Incoming packets on the padlock (client VPN) always 0. Still no communication. I have removed all the NAT configuration and still the same.
OK, if you do a "sho cry ipsec sa" on the router after the tunnel is built and you've sent a few packets, what are the counters showing for "packets encaps" and "packets decaps" for this tunnel? If the "packets decaps" is >0, then that indicates the packets from your client are getting to the router and being decrypted. If the "packets encaps" are >0, then that indicates the router has seen the return packets from whatever you pinged, and has encrypted them and sent them on back to your PC. From all these counters, you should be able to figure out where the problem lies.
You could also try:
no ip route-cache
but I doubt that'll work; switching problems should have been fixed up ages ago.
As I said, try and determine where the problem lies. You say the "packets encrypted" counter is going up on your VPN client, so we can assume it's sending them out. The counters on the router will tell you if it's receiving them and replying to them. Look for access-lists or firewalls after you determine where the problem lies.
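The counter check described in the reply above, as an added example that is not part of the original thread: a small parser for the per-SA block of "show crypto ipsec sa" that reads the encaps/decaps counters and maps them to the failing direction. The router output, interface name, subnets and peer address are constructed for the example.

```python
import re

# Constructed sample, not real router output: the shape of the per-SA block
# printed by IOS "show crypto ipsec sa" after the tunnel is up and a few
# pings have been sent from the VPN client.
SAMPLE_SA_OUTPUT = """\
interface: Serial0/1
    Crypto map tag: mymap, local addr 203.0.113.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.7 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident .*?: \(([\d.]+)/([\d.]+)/")


def parse_sa(text):
    """Pull the encaps/decaps counters and the protected subnets out of one SA block."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    idents = {side: f"{net}/{mask}" for side, net, mask in IDENT_RE.findall(text)}
    return {"encaps": counters.get("encaps", 0),
            "decaps": counters.get("decaps", 0),
            "local": idents.get("local"),
            "remote": idents.get("remote")}


def diagnose(sa):
    """Map the two counters to the direction in which the tunnel is failing."""
    if sa["decaps"] == 0:
        return "no-inbound"      # client packets never reached the router or failed decryption
    if sa["encaps"] == 0:
        return "no-return"       # decrypted traffic got in, but nothing came back to be encrypted
    return "both-directions"     # tunnel carries traffic both ways; look beyond the crypto config


if __name__ == "__main__":
    sa = parse_sa(SAMPLE_SA_OUTPUT)
    print(sa, diagnose(sa))
```

With the sample counters (decaps 42, encaps 0) the result is "no-return", which points at the inbound ACL, NAT or routing on the return path rather than at the client.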