Hello all,
We have a connection between an outside router (836) and a router in the HQ (7204VXR) via L2TP using PPPoE.
This is working fine.
Now we would like to configure IPSec between the two routers. We have used the configuration that Cisco provides at:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml
But it seems that it is not working correctly.
We see that the 836 Router has matches in the ACL and we also see that the router encrypts the packets.
836#show crypto ipsec sa
interface: Dialer1
Crypto map tag: test, local addr. 20.20.20.20
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer: 30.30.30.30
PERMIT, flags={origin_is_acl,}
#pkts encaps: 208, #pkts encrypt: 208, #pkts digest 208
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
The remote 7204vxr router decrypts the packets.
But we don't see the remote router encrypting packets, although we see matches in the ACL.
7204vxr#show crypto ipsec sa
interface: FastEthernet 0/0
Crypto map tag: test, local addr. 30.30.30.30
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: 20.20.20.20
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 208, #pkts decrypt: 208, #pkts verify 208
The ISAKMP state is QM_IDLE.
We also receive an error message on the 836 when we ping LAN-LAN:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC : Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= 192.168.100.10/,src_addr= 192.168.200.10, prot= 1
We are not using NAT like in the example.
Does anybody have experience with this issue?
We are thankful for any help.
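
The asymmetry between the two `show crypto ipsec sa` outputs above can be checked mechanically. The following is an added example, not part of the original post: `parse_sa` and `compare` are hypothetical helper names, and the sample strings are constructed from the output quoted in the post.

```python
import re

# Constructed sample input: the relevant lines of the two
# "show crypto ipsec sa" outputs quoted in the post.
SA_836 = """Crypto map tag: test, local addr. 20.20.20.20
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer: 30.30.30.30
#pkts encaps: 208, #pkts encrypt: 208, #pkts digest 208
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""
SA_7204 = """Crypto map tag: test, local addr. 30.30.30.30
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: 20.20.20.20
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 208, #pkts decrypt: 208, #pkts verify 208
"""

def parse_sa(text):
    """Extract addresses, proxy identities and packet counters from one SA."""
    def grab(pattern):
        return re.search(pattern, text).group(1)
    return {
        "local": grab(r"local addr\.\s*(\S+)"),
        "peer": grab(r"current_peer:\s*(\S+)"),
        "local_ident": grab(r"local\s+ident[^:]*:\s*\(([^)]*)\)"),
        "remote_ident": grab(r"remote\s+ident[^:]*:\s*\(([^)]*)\)"),
        "encaps": int(grab(r"#pkts encaps:\s*(\d+)")),
        "decaps": int(grab(r"#pkts decaps:\s*(\d+)")),
    }

def compare(a, b):
    """Return findings for the SAs of the two tunnel endpoints (hypothetical helper)."""
    findings = []
    if (a["local"], a["peer"]) != (b["peer"], b["local"]):
        findings.append("peer addresses do not mirror each other")
    if (a["local_ident"], a["remote_ident"]) != (b["remote_ident"], b["local_ident"]):
        findings.append("proxy identities do not mirror each other")
    for sa in (a, b):  # an endpoint that only decrypts is not sending return traffic into the tunnel
        if sa["decaps"] > 0 and sa["encaps"] == 0:
            findings.append(f"{sa['local']} decrypts {sa['decaps']} packets but encrypts none")
    for tx, rx in ((a, b), (b, a)):  # encrypted packets lost or dropped between the peers
        if tx["encaps"] != rx["decaps"]:
            findings.append(f"{tx['local']} sent {tx['encaps']}, {rx['local']} received {rx['decaps']}")
    return findings

if __name__ == "__main__":
    for finding in compare(parse_sa(SA_836), parse_sa(SA_7204)):
        print(finding)
```

On the quoted output the only finding is that 30.30.30.30 decrypts 208 packets but encrypts none, which is consistent with the `RECVD_PKT_NOT_IPSEC` message: return traffic matching the crypto ACL reaches the 836 unencrypted.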