no tunnel possible to subnetted networks with concentrator

d.thelen · ‎12-17-2002

I have an problem with the 3005 VPN concentrator when I try to establish a tunnel to an subneted network. When I choose the complete networks everything works fine, but when I do subnetting the tunnel doesn't start establishing.

e.g.:

This works:

permit ip 194.69.39.39 0.0.0.255 194.117.106.128 0.0.0.255

That doesn't work:

permit ip host 194.69.39.39 194.117.106.128 0.0.0.3

I want to connect to an IOS router and need to use subnetting.

Does anyone got an idea?

jfrahim · ‎12-17-2002

Hi there,

It sounds like you have mis-matched encryption ACLs between your concentrator and your IOS router when you use the subnetted networks

If you think your ACLs are configured properly, then enable:

debug cry isa & debug cry ip on the IOS router, and

IKE,IKEDBG,IPSEC,IPSECDBG, severity to log 1-9 on the concentrator to find out why the tunnel is not coming up

Jazib

d.thelen · ‎12-18-2002

Hello.

The router is configured to work with dyn-map. I know that is not the standard but the customer of the router just want to work with dyn-maps.

Dirk

jfrahim · ‎12-18-2002

Dirk,

so what u r saying is, your 3005s are going to a router which has dynamic crypto configured?

Can you enable debug cry isa and debug cry ip and send me me the debugs when ur 3005 tries to bring up the tunnel

Jazib

d.thelen · ‎12-19-2002

Hello Jazib.

I try to get this outputs.

Dirk