
Site-to-Site VPN

ciscothejam00
Level 1

Hello there,

I'm trying to set up a site-to-site VPN between two routers (3825 and 1751), connected through a point-to-point Frame Relay.

I've tried to set it up through CLI and SDM and the VPN is not working.

Do you have a configuration example to set up a Site-to-Site VPN using SDM and CLI?

regards

Fady


a.hajhamad
Level 4

Hi Fadi,

I think the following document will help you, and I prefer to work using CLI. Anyway, if you have any questions please ask!

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml

Please rate if it does.

Thanks

Abd Alqader

Dear Abd Alqader,

Actually I'm facing difficulty in bringing the VPN up.

It is supposed to be straightforward. I have a point-to-point Frame Relay that links the Head Office to the branches (hub and spoke).

I'm trying to set up the VPN between the Accra Office and the Head Office and it's not working.

Everything looks fine in the config, but no SAs are formed, especially the ISAKMP.

I've attached the config for both routers and the diagram. Please take a quick look and advise.

thanks

Fady

Hi,

Is it a cut-and-paste problem, or are you missing ACL 110?

This is on your FR interface but I can't see this ACL in your config.

ip access-group 110 in

Hi,

Actually it's there in the configuration and it's attached to the interface s0/0.4 and s0/0/0.4 on the Branch and the Head Office respectively.

Do you mean that this ACL should be attached to the physical interface (S0/0; S0/0/0)? Because I don't think so.

Please advise.

regards

Fady

Hi,

I see that ACL 110 is applied to the subinterface. I just don't see the implementation of the ACL in your config.

There is no "access-list 110 permit *****" in there. If it's not defined, it's like a deny any any.

I don't agree with this statement: "There is no 'access-list 110 permit *****' in there. If it's not defined, it's like a deny any any."

If there is "ip access-group 110 in" on an interface and there is no ACL 110, then all traffic will be permitted.

Can you please paste the following debug info:

debug cry isa

debug cry ipsec

as you initiate VPN traffic.

Hi Abdl Kader,

Thank you for your help. I've created access-list 110 but I'm seeing a weird thing.

The VPN will only work if I put permit any any on access-list 140 and 110, which is not supposed to work this way, especially if I want to plan for split tunneling in the branches.

Can you please take a look at my config?

Thank you

Fady