873 Views, 0 Helpful, 8 Replies

routing between IPSec tunnels

mwwg (Level 1)

We have a Cisco 1841 HSEC installed in our main office and two IPsec site-to-site tunnels configured to branch offices, and they are working OK. But I discovered that from main to branch it works fine both ways, while from branch to branch there is no traffic, and when there is traffic, traffic to the main office stops. What made it even worse: when remote users using the Cisco VPN client connect, they should be able to access the branch offices, but this fails too.

Any help is appreciated, thanks.

8 Replies

spremkumar (Level 9)

Thanks for your help. I went through it, comparing it to my configuration (I am a newbie with Cisco, so I used SDM to write the configuration), and I found no difference in the IPsec configuration compared to the example. So I wonder if it's possible for you to have a look; you might spot the problem I am missing. If not, could you point me to the SDM version of the above? If neither, then at least how to troubleshoot, as ping is lost and tracert reaches a dead end on the C1841 LAN port.

Looks more like an issue with NAT being enabled on the interface. Would it be possible to remove the NAT and verify whether it is causing the issue?

Also, the output of sh crypto isakmp sa and sh crypto ipsec sa would be useful too.

Thanks for your help. I did try this before, but maybe I didn't do it correctly. I will try again, but I would appreciate it if there is a guide to the steps to follow (disabling NAT and re-enabling it again).

As for the results of the sh crypto commands, they're attached.

Thanks

OK, I guess I missed the problem completely. What are the segments you are using in both locations? I see that there are encrypts and decrypts on the IPsec SAs, so we can rule out the NAT issue.

My network is as follows:

main office (Cisco 1841 + Cisco 1600) - 192.168.100.x
|___ Burg (Cisco 1600 - frame relay) - 192.168.101.x
|___ Cairo (IPsec tunnel - not Cisco) - 192.168.1.x
|___ Mercia (IPsec tunnel - not Cisco) - 192.168.85.x

Main to any of the 3 works fine, but the 3 branches can't communicate, although mysteriously it works for a while and then goes down, and I noticed that main office to branch stops then.

Any logical explanation? Thanks for your help.

Can you try with this crypto ACL and see if it helps:

ip access-list extended Cairo
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.85.0 0.0.0.255 192.168.1.0 0.0.0.255

ip access-list extended Burg
 permit ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.85.0 0.0.0.255 192.168.101.0 0.0.0.255

Let me know if it works after this. Ensure you have symmetric ACLs at the corresponding spokes as well.
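A small checker for the two conditions this reply relies on: the hub's crypto ACL toward each spoke must list the other spokes' LANs as sources (so spoke-to-spoke traffic arriving at the hub is re-encrypted toward the second spoke), and each spoke's crypto ACL must be the mirror image of the hub's. This is an added example, not the thread's configuration: the hub "Cairo" ACL is the one proposed above, while the hub "Mercia" ACL, the spoke-side ACL and the LAN list are constructed assumptions (the spoke ACL deliberately omits the Mercia line so the checker has something to report).

```python
import ipaddress
import re

# Constructed sample configs. The hub-side "Cairo" ACL is the one proposed in the thread;
# the Mercia hub ACL and the spoke-side ACL are assumptions for the demonstration.
HUB_ACLS = {
    "Cairo": """ip access-list extended Cairo
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.85.0 0.0.0.255 192.168.1.0 0.0.0.255""",
    "Mercia": """ip access-list extended Mercia
 permit ip 192.168.100.0 0.0.0.255 192.168.85.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.85.0 0.0.0.255""",
}
# Assumed ACL on the Cairo spoke: it mirrors the main-office and Burg lines but forgot Mercia.
SPOKE_CAIRO = """ip access-list extended ToMain
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255"""
SPOKE_LANS = {"Cairo": "192.168.1.0/24", "Mercia": "192.168.85.0/24"}  # IPsec spokes only

ACE_RE = re.compile(r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)\s*$")

def wc_net(addr, wildcard):
    """IOS address/wildcard pair to a network; the wildcard is the inverted netmask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(mask)))

def parse_acl(text):
    """Return (src_net, dst_net) pairs for every 'permit ip' ACE in an extended ACL."""
    return [(wc_net(m[1], m[2]), wc_net(m[3], m[4]))
            for m in map(ACE_RE.match, text.splitlines()) if m]

def missing_mirrors(hub_pairs, spoke_pairs):
    """Hub ACEs whose mirror image (dst -> src) is absent from the spoke's crypto ACL."""
    spoke_set = set(spoke_pairs)
    return [(s, d) for s, d in hub_pairs if (d, s) not in spoke_set]

def missing_spoke_to_spoke(hub_acls, spoke_lans):
    """Spoke pairs (a, b) where the hub ACL toward b does not list a's LAN as a source."""
    parsed = {name: parse_acl(acl) for name, acl in hub_acls.items()}
    nets = {name: ipaddress.IPv4Network(lan) for name, lan in spoke_lans.items()}
    return [(a, b) for a in nets for b in nets
            if a != b and (nets[a], nets[b]) not in parsed[b]]

if __name__ == "__main__":
    for s, d in missing_mirrors(parse_acl(HUB_ACLS["Cairo"]), parse_acl(SPOKE_CAIRO)):
        print(f"Cairo spoke lacks the mirror of hub ACE {s} -> {d}")
    print("spoke-to-spoke gaps on the hub:", missing_spoke_to_spoke(HUB_ACLS, SPOKE_LANS))
```

Run it against `show run` output from both ends; a reported gap is a flow the hub will encrypt but the spoke will never select for its own tunnel.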

Dear sir, thanks again for your reply. I checked my ACLs against your feedback. I have the following ACLs: 1, 100 (set on the LAN port by the firewall), 101 (on the WAN port by the firewall), 102 (NAT for the Burg site), Alex (NAT for the main site), Cairo (for the Cairo IPsec tunnel; it matches the Cairo ACL above, but I added both ways - am I wrong?), Mercia (for the Mercia IPsec tunnel; I also added both ways, the same as I did in the Cairo ACL).

Here it is:

ip access-list extended Cairo
 remark Cairo IPsec Tunnel
 remark SDM_ACL Category=4
 remark Alex-Cairo
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark Cairo-Alex
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 remark Cairo - Burg
 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
 remark Burg - Cairo
 permit ip 192.168.101.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark Burg - Cairo - WAN
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

As for Burg, it's supplied by the ISP (frame relay) and the ACL I have is permit ip any any on both sides.

Thanks again, I am waiting for your next suggestion.
