Cisco Support Community

Cisco IPSEC LAN-LAN tunnel.. I need two IP subnets to be encrypted through

Hi Everyone,

I have a really annoying problem... I have two sites,

Site 1 (HQ) = Cisco 2950 (data + voice VLAN) and a 1701 (routes between VLANs using FastEthernet sub-interfaces. Also for ADSL internet access, VPN)

Site 2 (Homeworker) = Cisco 1701 for internet, VPN connected to unmanaged switch -> PC & IP phone.

We have an IP-enabled PABX at our HQ and an IP handset for the above homeworker (site 2). I have configured an IPSEC LAN-LAN VPN between the two 1701s and it works perfectly for the data vlan( to But when I try to add the voice subnet to the cryptomap the traffic doesn't get encrypted!!( to Any ideas? Have I missed anything?? If I do a sho crypto ipsec sa, I can see the voice subnet( But the 1701 routers are not encrypting/decrypting anything...

I have removed all security ACLs and IP inspects just in case... But no joy...

The PABX definitely has the correct D/G as I can ping the internet from it... If I check my hits on my access lists I can see matches for to on ACL100 (NAT) and ACL120 (VPN interesting traffic)

I have posted my configs...

I really need to get this sorted asap... :-S

Thanks in advance for any help


Just did a debug from the HQ router... definitely a problem somewhere... :(. Just can't see it in my config!!

I pinged from switch) and got this...

I have replaced the public IPs for security purposes as in my configs above( ans

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

Nov 3 09:50:22.442: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local=, remote=,

local_proxy= (type=4),

remote_proxy= (type=4),

protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0xAA55B2A(178608938), conn_id= 0, keysize= 0, flags= 0x400A

Nov 3 09:50:22.774: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local=, remote=,

local_proxy= (type=4),

remote_proxy= (type=4),

protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

Nov 3 09:50:22.778: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address

Nov 3 09:50:22.782: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at .....

Success rate is 0 percent (0/5)
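For reading a debug like the one posted above, here is an added example (not part of the original post) that groups `debug crypto ipsec` output into events and pulls out the proposed proxy pair and the lines that report failure. The function names are hypothetical and every address in the sample is a constructed placeholder, since the post's own addresses were removed.

```python
import re

# Constructed sample in the shape of the debug above. All addresses are
# placeholders (RFC 5737 / RFC 1918), not values from the original post.
SAMPLE = """\
Nov 3 09:50:22.442: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.0.2.1, remote= 198.51.100.1,
    local_proxy= 10.0.20.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.0.30.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xAA55B2A(178608938), conn_id= 0, keysize= 0, flags= 0x400A
Nov 3 09:50:22.774: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.0.2.1, remote= 198.51.100.1,
    local_proxy= 10.0.20.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.0.30.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Nov 3 09:50:22.778: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 192.0.2.1
Nov 3 09:50:22.782: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 198.51.100.1
"""

STAMP = re.compile(r"^(\w{3} +\d+ [\d:.]+): (.*)$")
EVENT = re.compile(r"^IPSEC\((\w+)\): ?(.*)$")
FIELD = re.compile(r"(local_proxy|remote_proxy|local|remote|transform)= ([^,]*)")

def parse_debug(text):
    """Group each timestamped line with its continuation lines into one event."""
    events = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            ev = EVENT.match(m.group(2))
            name, body = ev.groups() if ev else (m.group(2).split(":")[0], m.group(2))
            events.append({"time": m.group(1), "name": name, "text": body})
        elif events and line.strip():   # continuation of the previous event
            events[-1]["text"] += " " + line.strip()
    for e in events:
        e["fields"] = {k: v.split(" (")[0].strip() for k, v in FIELD.findall(e["text"])}
    return events

def summarize(events):
    """Return the proxy pairs that were proposed and the events reporting failure."""
    pairs = {(e["fields"]["local_proxy"], e["fields"]["remote_proxy"])
             for e in events if "local_proxy" in e["fields"]}
    failures = [e["name"] for e in events
                if "FAILURE" in e["name"] or e["text"].startswith("no IPSEC cryptomap")]
    return pairs, failures
```

Running `summarize(parse_debug(...))` on a capture from each router puts the proposed proxy pairs side by side with the crypto ACL entries configured on each peer.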
