I have established a site-to-site tunnel between our two office buildings, but I'm unable to ping between the two. Both IPSec and IKE negotiate and show active connections, but if I check the IPSec tunnels in the VPN status monitor, there are no decapsulated packets. There are plenty of encapsulated packets (21296), but 0 decapsulated packets, along with 155 Send Error Packets. The hardware used is a 2811 Integrated Services Router and an ASA 5505. Any ideas as to why this connection would be performing this way?
Check if there's an ACL on the interface and make sure you include the host/network that is passing through the VPN.
For example, if Fa0/1 is used for the VPN tunnel, check the "access-group acl_number in_or_out" ACL. Try removing it first and testing.
I checked ACL on both routers and the ACL_INT_IN (outside interface) is set to permit traffic from remote network and source network. Still no luck.
2811 settings: ip access-list extended sdm_fastethernet0/1_in permit ip 192.168.1.0 0.0.0.255 10.4.167.0 0.0.0.255
ASA Settings: access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.4.167.0 255.255.255.0
Check your routing for the destination network on the opposite side of the end not getting decapsulated packets. If you are seeing encapsulated packets, it has a route out. If you don't see any decaps, there is no route in from the other side. That might not be true 100% of the time, but in my experience, it's usually a route that's either incorrect or missing.
Hope this helps.
Check your crypto ACLs; each router's ACL should be a mirror of the other. Also check to make sure PFS is turned off on each end. From my experience, if you are seeing the tunnel come up but no encaps or decaps, it is usually either the crypto ACLs, PFS, or in some cases, depending on your topology, a missing static route pointing to the destination network specified in the crypto ACL.
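To make the "mirror" check above concrete, here is an added example (not code from the thread or from Cisco) that parses the crypto ACL from each side, IOS wildcard-mask syntax on one end and ASA subnet-mask syntax on the other, and reports every entry the peer does not mirror. The ACL text and addresses are constructed sample data; the second entry is deliberately mismatched (a /32 host on one side, a /24 on the other).

```python
import ipaddress

# Constructed crypto ACLs for a two-site tunnel (sample data, not from the thread).
# Site A is IOS syntax (wildcard masks); site B is ASA syntax (subnet masks).
SITE_A_IOS = """
ip access-list extended VPN_TO_B
 permit ip 192.168.1.0 0.0.0.255 10.4.167.0 0.0.0.255
 permit ip host 192.168.1.10 10.4.168.0 0.0.0.255
"""
SITE_B_ASA = """
access-list outside_20_cryptomap extended permit ip 10.4.167.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.4.168.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

def _take_net(tok):
    """Consume one address spec (host X | any | addr mask) and return (network, rest)."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    # ipaddress accepts either a subnet mask (ASA) or a wildcard/host mask (IOS) here
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_aces(text):
    """Return the set of (src_net, dst_net) pairs from every 'permit ip' ACE."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if "permit" not in tok:
            continue                      # ACL header, blank, comment or deny line
        tok = tok[tok.index("permit") + 1:]
        if tok[0] != "ip":
            continue                      # crypto ACLs should match whole subnets, not ports
        src, tok = _take_net(tok[1:])
        dst, _ = _take_net(tok)
        pairs.add((src, dst))
    return pairs

def mirror_mismatch(local_text, remote_text):
    """Entries each side has that the peer does not mirror (src/dst swapped)."""
    local = parse_aces(local_text)
    remote = {(d, s) for (s, d) in parse_aces(remote_text)}   # peer's view, flipped
    def fmt(pairs):
        return sorted(f"{s} -> {d}" for s, d in pairs)
    return fmt(local - remote), fmt(remote - local)

if __name__ == "__main__":
    only_local, only_remote = mirror_mismatch(SITE_A_IOS, SITE_B_ASA)
    print("in local crypto ACL but not mirrored by peer:", only_local)
    print("in peer crypto ACL but missing locally:", only_remote)
```

Run it against the real `show run | section access-list` output from both ends; an empty pair of lists means the crypto ACLs are true mirrors and the routing or PFS settings are the next thing to check.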
I have a 2801 router with one site-to-site VPN (static entry) and also configured a dynamic entry in the crypto map to support VPN client access to the LAN. But when I configure it, the site-to-site VPN fails and the remote VPN does not work.
This is the actual configuration, but without dynamic entry in crypto map.
Thanks for your help!
crypto isakmp policy 10
encr aes 256
crypto isakmp key xxx
crypto isakmp client configuration group clientes-vpn.cl
dns 10.1.0.110 10.1.0.120
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
crypto dynamic-map vpn-client-map 1
set transform-set myset
crypto map argentina 10 ipsec-isakmp
set peer 188.8.131.52
set transform-set myset
set pfs group2
match address 102
crypto map vpn-client-map isakmp authorization list clientes-vpn.cl
crypto map vpn-client-map client configuration address respond
description Enlace Trunk Local
no ip address
description Gateway Datos
encapsulation dot1Q 10
ip address 10.56.0.1 255.255.255.0
ip nat inside
description Gateway Voz
encapsulation dot1Q 20
ip address 10.56.1.1 255.255.255.0
h323-gateway voip bind srcaddr 10.56.1.1
description Gateway Wireless
encapsulation dot1Q 30
ip address 10.56.2.1 255.255.255.0
ip nat inside
encapsulation dot1Q 40
ip address 10.60.3.1 255.255.255.0
encapsulation dot1Q 100
ip address 184.108.40.206 255.255.255.248
ip nat outside
crypto map argentina
Your configurations are all good. The issue is that even with the latest IOS release, static and dynamic VPNs are not supported on the Cisco router. You will need a separate router for this scenario. I ran into this issue a while back while trying to set up site-to-site VPNs and also DMVPN on the same router. Hope this helps!
Can you change this configuration line "crypto dynamic-map vpn-client-map 1" to "crypto dynamic-map vpn-client-map 999", then configure the dynamic crypto map and bring up the tunnel between the LAN-to-LAN peers as well as the remote clients?
Also, I see that you have NAT configured on the router. Have you bypassed NAT for the VPN traffic?
Please refer to the URL below for details on configuring L2L as well as remote access IPSec tunnels.
Have you tested the site-to-site VPN alone, without configuring the dynamic VPN client?
This is just for the process of elimination.
Also, can you provide the full configuration?
This is part of the configuration that I have on an ASA 5505, and the VPN tunnel connects. I don't see the first line in your configuration?
crypto map VPN_map 3 match address VPN-acl
crypto map VPN_map 3 set peer 220.127.116.11
crypto map VPN_map 3 set transform-set CCS_VPN