20338 Views · 25 Helpful · 13 Replies

IPSec VPN Setup in Packet Tracer 7.1

AshleyUnwin
Level 1

I'm trying to set up an IPSec VPN on 2 x 2901 routers in Packet Tracer (save file attached; you have to change the file extension back to .pkt to open it in Packet Tracer 7.1).

I'm doing this as a test for a real 2901 that needs a site-to-site VPN.

I've run through the setup as per https://www.youtube.com/watch?v=rUns1Jbve0w

and produced the relevant config:


---------ROUTER 1-----------
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key 4NlzqTMXEax8ap address 10.1.1.2
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set vpnset
 match address 100
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map vpnset
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
------------ ROUTER 1 END------------

---------------ROUTER 2--------------
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key 4NlzqTMXEax8ap address 10.1.1.1
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set vpnset
 match address 100
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map vpnset
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.0.0.0
 duplex auto
 speed auto
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
--------------------------------

 

 

The result is no ISAKMP link:

Router(config)#do show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status


Both routers were upgraded to 15.5 (my live router is 15.6)

Any thoughts?

 

 

 

 

 

 

13 Replies

Hello @AshleyUnwin

Find attached your working network. Let me point out to you where you failed:

- Server 3 had no default gateway
- R1 should have a static route like this: ip route 192.168.2.0 255.255.255.0 10.1.1.2
- R2 should have a static route like this: ip route 192.168.1.0 255.255.255.0 10.1.1.1
- On R1 you applied the crypto map on the wrong interface:

Before:

interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map vpnset
!

After:

!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map vpnset
!

Please run the file again and you'll be able to ping server to server. After the ping, issue the commands show crypto isakmp sa and show crypto ipsec sa and you'll see the VPN working.

 

Router#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: vpnset, local addr 10.1.1.2

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0


-If I helped you somehow, please, rate it as useful.-
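As an added example (this is not code from the thread or from either poster), the following Python check applies the points in the reply above to the two configs from the original post. It parses the crypto-relevant IOS commands, then verifies that each crypto map is applied on the interface that faces its peer, that the pre-shared keys agree in both directions, that at least one ISAKMP policy is identical on both routers, and that the crypto ACLs are mirror images of each other. The sample configs are the posted ones without the duplex/speed lines; the posted excerpt contains no routes, so routing and the missing default gateway are outside what this check can see. It additionally flags DH group 2, which is a 1024-bit MODP group: that does not stop the tunnel from coming up, but a practitioner would want it noted. The function names and the `R1`/`R2` labels are this example's own assumptions.

```python
import re

# Constructed sample: the Router 1 / Router 2 configs posted above, minus duplex/speed lines.
R1_CFG = """crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 4NlzqTMXEax8ap address 10.1.1.2
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set vpnset
 match address 100
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map vpnset
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"""
R2_CFG = """crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 4NlzqTMXEax8ap address 10.1.1.1
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set vpnset
 match address 100
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 crypto map vpnset
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.0.0.0
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"""

def parse_ios(name, text):
    """Collect the crypto-relevant commands of an IOS config into nested dicts."""
    cfg = {"name": name, "policy": {}, "keys": {}, "transforms": {}, "cmap": {}, "iface": {}, "acl": {}}
    sect = None  # (table, key) of the sub-command block currently being read
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"crypto isakmp policy (\d+)|crypto map (\S+) \d+ ipsec-isakmp|interface (\S+)", line):
            sect = (("policy", "cmap", "iface")[m.lastindex - 1], m.group(m.lastindex))
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["keys"][m[2]] = m[1]; sect = None
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transforms"][m[1]] = m[2].split(); sect = None
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acl"].setdefault(m[1], []).append(m.groups()[1:]); sect = None
        elif not line or line == "!":
            sect = None
        elif sect:
            d = cfg[sect[0]].setdefault(sect[1], {})
            if sect[0] == "policy":                      # encr / hash / authentication / group ...
                k, _, v = line.partition(" "); d[k] = v
            elif m := re.match(r"(?:set|match) (peer|transform-set|address) (\S+)", line):
                d[m[1]] = m[2]
            elif m := re.match(r"ip address (\S+) (\S+)", line):
                d["ip"], d["mask"] = m[1], m[2]
            elif m := re.match(r"crypto map (\S+)", line):
                d["map"] = m[1]
    return cfg

def ip_int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")
def connected(iface, addr):  # True if addr lies in the subnet configured on this interface
    return "ip" in iface and ip_int(iface["ip"]) & ip_int(iface["mask"]) == ip_int(addr) & ip_int(iface["mask"])

def check_pair(a, b):
    """Return the mismatches that would keep the a<->b tunnel from negotiating."""
    out = []
    for me, them in ((a, b), (b, a)):
        their_ips = {i.get("ip") for i in them["iface"].values()}
        for name, cm in me["cmap"].items():
            peer = cm.get("peer")
            if peer not in their_ips:
                out.append(f"{me['name']}: map {name} peer {peer} is not an address on {them['name']}")
            applied = [n for n, i in me["iface"].items() if i.get("map") == name]
            facing = [n for n, i in me["iface"].items() if connected(i, peer)]
            if facing and applied != facing:  # a directly connected peer pins down the right interface
                out.append(f"{me['name']}: map {name} applied on {applied}, but the interface facing {peer} is {facing}")
            my_ip = me["iface"][(facing or applied)[0]]["ip"] if facing or applied else None
            if me["keys"].get(peer) is None or me["keys"][peer] != them["keys"].get(my_ip):
                out.append(f"{me['name']}: pre-shared key for {peer} missing or differs from {them['name']}'s key for {my_ip}")
            mine = set(me["acl"].get(cm.get("address"), []))
            theirs = {(d, dw, s, sw) for r in them["cmap"].values()
                      for s, sw, d, dw in them["acl"].get(r.get("address"), [])}
            if mine != theirs:
                out.append(f"{me['name']}: crypto ACL {cm.get('address')} is not the mirror image of the peer's crypto ACL")
    if not [p for p in a["policy"].values() if p in b["policy"].values()]:
        out.append("no ISAKMP policy has the same encr/hash/authentication/group on both routers")
    for cfg in (a, b):
        for num, p in cfg["policy"].items():
            if p.get("group") in ("1", "2", "5"):   # 768 / 1024 / 1536-bit MODP groups
                out.append(f"{cfg['name']}: isakmp policy {num} uses DH group {p['group']}, below 2048 bits")
    return out

def thread_findings():
    return check_pair(parse_ios("R1", R1_CFG), parse_ios("R2", R2_CFG))

if __name__ == "__main__":
    for finding in thread_findings():
        print("-", finding)
```

Run as a script it prints one finding per line; on the posted configs that is the crypto map sitting on GigabitEthernet0/0 while the peer is reachable through GigabitEthernet0/1, plus the DH group note for each router. Moving the `crypto map vpnset` line to GigabitEthernet0/1, as the reply says, clears the first finding.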

 

OK, I'm attaching a v2 config for my issue.

From what I could see, although your config looked right for the IPsec tunnel, the additional routes you added meant that data destined for the other side did not actually use the VPN, which is why the ISAKMP table never listed the connection and the IPsec tunnel packet count didn't leave 0.

I have set up a more complex network structure, likely more representative of the real world: the internet requires multiple hops, and the addition of NAT at both ends means you can't naturally route into the opposing network.

Both servers and all routers are able to ping ALL internet (10.x.x.x) based IPs.
But the VPN is not establishing to link the LAN (192.168.x.x) networks.

Any further help would be great!!!

Please see v2 attached (again requires changing the file extension).

Thanks for all your help so far!!!

Hi @AshleyUnwin

The tunnel is OK already. I'll just verify why the servers do not ping each other and we are done!


Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.3.3.2        10.1.1.1        QM_IDLE           1046    0 ACTIVE

IPv6 Crypto ISAKMP SA

Router#sh crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: vpnset, local addr 10.1.1.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   current_peer 10.3.3.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 0
    #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.3.3.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x481F3A46(1210006086)

     inbound esp sas:
      spi: 0x08E346E1(149112545)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: FPGA:1, crypto map: vpnset
        sa timing: remaining key lifetime (k/sec): (4525504/3417)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x481F3A46(1210006086)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: FPGA:1, crypto map: vpnset
        sa timing: remaining key lifetime (k/sec): (4525504/3417)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.3.3.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.3.3.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


-If I helped you somehow, please, rate it as useful.-
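As an added example (not from the thread or from the replier), here is a small Python parser for the two outputs shown in this reply that turns them into a verdict: whether phase 1 has reached QM_IDLE, and for each crypto-ACL flow in `show crypto ipsec sa` whether an IPsec SA exists (outbound SPI non-zero) and is actually carrying traffic (encaps and decaps counters). It goes a little beyond this reply by also classifying the two shapes seen later in the thread: an empty ISAKMP table and an `MM_NO_STATE ... ACTIVE (deleted)` row. The sample outputs are copied from the thread, trimmed to the lines the parser reads; the status labels, hint texts and function names are this example's own.

```python
import re

# Constructed samples: the outputs posted in this thread, trimmed to the lines the parser reads.
ISAKMP_UP = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.3.3.2        10.1.1.1        QM_IDLE           1046    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""
ISAKMP_DELETED = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.1        10.3.3.2        MM_NO_STATE          0    0 ACTIVE (deleted)
"""
ISAKMP_EMPTY = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
"""
IPSEC_UP = """interface: GigabitEthernet0/1
    Crypto map tag: vpnset, local addr 10.1.1.1
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   current_peer 10.3.3.2 port 500
    #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 0
    #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 0
     current outbound spi: 0x481F3A46(1210006086)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.3.3.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
"""
IPSEC_DOWN = """interface: GigabitEthernet0/1
    Crypto map tag: vpnset, local addr 10.1.1.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 10.3.3.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
"""

SA_ROW = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
IDENT = r"ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)"

def parse_isakmp(text):
    """One dict per row of the IPv4 table in 'show crypto isakmp sa'."""
    return [{"dst": m[1], "src": m[2], "state": m[3], "conn_id": int(m[4]), "status": m[6]}
            for line in text.splitlines() if (m := SA_ROW.match(line))]

def parse_ipsec(text):
    """One dict per local/remote identity pair (one crypto-ACL line) in 'show crypto ipsec sa'."""
    flows = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"local\s+" + IDENT, line):
            flows.append({"local": f"{m[1]}/{m[2]}"})
        elif not flows:
            continue                                   # header lines before the first flow
        elif m := re.match(r"remote " + IDENT, line):
            flows[-1]["remote"] = f"{m[1]}/{m[2]}"
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            flows[-1][m[1]] = int(m[2])
        elif m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", line):
            flows[-1]["out_spi"] = int(m[1], 16)       # 0x0 means no phase 2 SA was built
    return flows

HINTS = {
    "none": "no IKE SA: nothing matching the crypto ACL reached an interface carrying the crypto map, or UDP/500 never reached the peer",
    "failed": "main mode never reached QM_IDLE: compare ISAKMP policy and pre-shared key on both peers, and confirm the peer replies",
    "up": "phase 1 is up (QM_IDLE/ACTIVE)",
}

def diagnose(isakmp_text, ipsec_text):
    """Classify phase 1 from the ISAKMP table and each flow from the IPsec SA counters."""
    ike = parse_isakmp(isakmp_text)
    if not ike:
        phase1 = "none"
    elif any(s["state"] == "QM_IDLE" and s["status"] == "ACTIVE" for s in ike):
        phase1 = "up"
    else:
        phase1 = "failed"                              # MM_*/AG_* rows, often marked "(deleted)"
    flows = []
    for f in parse_ipsec(ipsec_text):
        if not f.get("out_spi"):
            status = "no-sa"                           # phase 2 never negotiated for this ACL line
        elif f.get("encaps", 0) and f.get("decaps", 0):
            status = "passing"
        elif f.get("encaps", 0):
            status = "one-way"                         # we encrypt, nothing comes back: check the return path
        else:
            status = "idle"
        flows.append((f["local"], f.get("remote"), status))
    return {"phase1": phase1, "hint": HINTS[phase1], "flows": flows}

if __name__ == "__main__":
    for label, (ike, ipsec) in {"this reply": (ISAKMP_UP, IPSEC_UP), "later post": (ISAKMP_EMPTY, IPSEC_DOWN)}.items():
        print(label, diagnose(ike, ipsec))
```

On the outputs in this reply the verdict is phase 1 up, the 10.1.1.0/24 to 10.3.3.0/24 flow passing traffic, and the second identity pair (192.168.0.0/16 to any) with no SA at all, which is consistent with the counters shown. The "one-way" status is the case to watch for in the later posts: encaps climbing with decaps stuck at 0 means the local side is encrypting but the far side's return path (routing or its own crypto ACL) is not bringing traffic back.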

Tunnel still not dialling for me :-s

When I run that v2 file I get the following:

———————————

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

Router#show crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: vpnset, local addr 10.1.1.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 10.3.3.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.3.3.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


Hello my friend, it is ready!

A lot of changes were performed. I recommend you save your config to a txt file, then save my config the same way and use Comparit software to highlight all the differences.
Good luck!


-If I helped you somehow, please, rate it as useful.-

 

Sorry to be a pain, the VPN is now up from the look of it, however I'm not able to ping server to server... any thoughts?

 

That's OK. We are here to learn. I was able to ping. Did you change your setup?
If the VPN is up, you need to permit both 192 networks on both sides:

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Then the same thing the other way around.


-If I helped you somehow, please, rate it as useful.-

I didn't change the config; I have even just re-downloaded the file you sent to check.

My two configs are https://www.diffchecker.com/e9s5mHFX

However, I'm seeing:

Router2 -
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.1        10.3.3.2        MM_NO_STATE          0    0 ACTIVE (deleted)

But Router1 -
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

NOTHING!!!

It's very odd!!!


Save the config, reload both routers and try to ping from the server. But do not ping the 192 network from the server; try to ping the 10. network on the opposite side. This should bring the VPN up.
If you prefer, I can post my routers' config here.


-If I helped you somehow, please, rate it as useful.-

OK, I did as you said: I re-downloaded and opened the file, saved both routers and rebooted both, ran a ping to the outsides both ways, and then the VPN established and pings worked.

If I repeat the exact same process again, it doesn't work, no ISAKMP connection!
It seems to work when it feels like it and drop!

I literally just re-downloaded the file again from here and tried again and nothing!!!

It feels like it only wants to work occasionally.
Does the ISAKMP keep retrying itself or can I manually trigger a retry?

Usually you need to force it the first time and then there must be some keepalive.
Bear in mind that this is a simulator and may be tricking you. But most important is to understand the concepts.
You can also try GNS3 or EVE. They are also free, and they are not simulators but emulators, and you can run a real OS.


-If I helped you somehow, please, rate it as useful.-

 

How do I force it the first time? Is there a command to just dial the ISAKMP?

Nope. There's no command as far as I know. Only a ping is necessary.

Find attached my two router configs for your reference.

 

 

 

 

 

 

-If I helped you somehow, please, rate it as useful.-
