Cisco Support Community
New Member

Manual IPSEC over a 831 router


I've been working to replace our 806 router with an 831. I took the configuration from the 806 without modifying it and copied it to the 831. This router is configured to connect to 3 peers, 2 of which use ISAKMP, and 1 uses manual IPsec, due to the peer being a SonicWall.

The manual IPSEC tunnel seems to be up, data is encrypted, but no reply is received.

If I put the configuration back in the 806 and put it online, all 3 tunnels go back up and connectivity is reached via all 3 of them.

Here's the config:

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******* address
crypto isakmp key ******* address
crypto isakmp identity hostname
crypto isakmp keepalive 10

crypto ipsec transform-set vpn-des esp-des esp-md5-hmac
crypto ipsec transform-set vpn-3des esp-3des esp-md5-hmac

crypto map vpn-client 10 ipsec-isakmp
 set peer
 set transform-set vpn-des
 set pfs group2
 match address 120
crypto map vpn-client 12 ipsec-isakmp
 set peer
 set transform-set vpn-des
 set pfs group2
 match address 140
crypto map vpn-client 15 ipsec-manual
 set peer
 set session-key inbound esp 2135 cipher *********** authenticator **********
 set session-key outbound esp 2135 cipher *********** authenticator **********
 set transform-set vpn-3des
 match address 130

interface Ethernet1
 ip address
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map vpn-client

ip nat inside source route-map nonat interface Ethernet1 overload
ip route

access-list 110 deny ip
access-list 110 permit ip any
access-list 120 permit ip
access-list 130 permit ip
access-list 140 permit ip

route-map nonat permit 10
 match ip address 110




Cisco Employee

Re: Manual IPSEC over a 831 router

Are you running the same IOS version on both routers?

When using manual keys the tunnel will appear to be up, since there's no negotiation that needs to take place; the router builds the SAs as soon as you enter the config commands.

Can you check the SonicWall's logs and see if it's receiving the packets that the router is sending? Did you clear the SAs on the SonicWall after putting the 831 in place? If not, try that.
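
As an added illustration of the reply above (not part of the original thread and not Cisco tooling): a small Python audit that lists the `ipsec-manual` crypto map entries in a saved IOS config, that is, the tunnels whose SAs exist from configuration alone, together with the SPI values that have to be compared by hand with the peer. It assumes standard running-config indentation; the function names and the sample's peer addresses and keys are constructed.

```python
import re

# Constructed sample shaped like the posted config; peers and keys are placeholders.
SAMPLE = """\
crypto ipsec transform-set vpn-3des esp-3des esp-md5-hmac
crypto map vpn-client 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set vpn-des
 match address 120
crypto map vpn-client 15 ipsec-manual
 set peer 192.0.2.30
 set session-key inbound esp 2135 cipher 0011 authenticator 2233
 set session-key outbound esp 2135 cipher 0011 authenticator 2233
 set transform-set vpn-3des
 match address 130
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (ipsec-isakmp|ipsec-manual)\s*$")
KEY_RE = re.compile(r"^set session-key (inbound|outbound) (esp|ah) (\d+)\b")

def parse_crypto_maps(text):
    """Return one dict per crypto map entry, with its keying mode and settings."""
    entries, cur = [], None
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        line = raw.strip()
        m = MAP_RE.match(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "mode": m.group(3),
                   "peer": None, "transform": None, "spi": {}}
            entries.append(cur)
        elif cur is not None and raw[0].isspace():
            k = KEY_RE.match(line)
            if k:
                cur["spi"][k.group(1)] = int(k.group(3))
            elif line.startswith("set peer "):
                cur["peer"] = line.split()[2]
            elif line.startswith("set transform-set "):
                cur["transform"] = line.split()[2]
        else:
            cur = None  # unindented line: left the crypto map sub-mode
    return entries

def manual_entries(text):
    """Entries keyed by hand: their SAs are built without any negotiation."""
    return [e for e in parse_crypto_maps(text) if e["mode"] == "ipsec-manual"]

def missing_directions(entry):
    """Directions (inbound/outbound) that have no session-key line configured."""
    return [d for d in ("inbound", "outbound") if d not in entry["spi"]]
```

For each entry returned by `manual_entries`, an "up" SA on the router says nothing about the far end, so the peer's logs or counters are the only confirmation that packets arrive and decrypt.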

New Member

Re: Manual IPSEC over a 831 router

Since the 831 is a new router using hardware encryption, there are only 2 versions available for this router. Both use one of the latest 12.2 ED IOS.

For the SonicWall, I don't have access to this router since it's owned by another company. But I know that they have multiple VPNs up in a hub and spoke configuration, having the SonicWall as a hub.

When I put the 831 in place, I used another configuration that is similar to the other peers. Nothing was reachable. I took this config and put it in the 806, and everything worked. So if I needed to clear the SA on the SonicWall, the 831 would have worked and the 806 may not have.
