Hi guys. I'm trying to set up a site-to-site IPSEC tunnel between an ISA500 and Cisco 887. I've configured the tunnel at each end, and it seems to be up. Running "show crypto engine connections active" on the 800 and the decrypt count goes up when I try and ping from the ISA500 side, but the encrypt count never increases.
The ISA500 LAN is on 22.214.171.124/24 (which I cannot change for political or technical reasons easily) and the Cisco 800 LAN is on 10.10.1.0/24. Would the ISA's side's LAN range be causing an issue?
I'm happy to provide a sanitized copy of the 800's config if it would help.
If the decrypt counter goes up it does sound like they are sending through the tunnel to you. And if the encrypt counter does not go up then you are not sending response to them. My first suggestion would be to check your configuration and to make sure that the access list that you use to identify traffic for encryption does match the access list used on the other side. My second suggestion would be to check your routing logic and to make sure that you are routing to the source address of the ping in a way that will take the traffic through the tunnel.
Thanks Richard, it's encouraging that I'm not completely losing my mind.
Unfortunately I must be missing something silly because I'm just not seeing the problem :( If someone could take a quick look at the config below (I've removed a lot of it and only left what might be relevant) and give me a pointer in the right direction - I feel like I'm going a bit googly eyed trying to find the issue :(
```
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
!
ip dhcp excluded-address 10.10.1.1 10.10.1.50
!
ip dhcp pool data
 import all
 network 10.10.1.0 255.255.255.0
 dns-server 10.10.1.1
 default-router 10.10.1.1
!
controller VDSL 0
!
ip ssh version 2
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key REDACTED address REDACTED no-xauth
!
crypto ipsec transform-set tr-aes256-sha esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map cm01 100 ipsec-isakmp
 set peer REDACTED
 set transform-set tr-aes256-sha
 match address 101
 reverse-route
!
interface Loopback0
 ip address REDACTED 255.255.255.255
 crypto map cm01
!
interface ATM0
 no ip address
 ip mtu 1500
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/38
  pppoe-client dial-pool-number 1
!
interface Vlan1
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip unnumbered Loopback0
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname REDACTED
 ppp chap password 0 REDACTED
 ppp pap sent-username REDACTED password 0 REDACTED
 ppp ipcp dns request
 no cdp enable
!
ip nat inside source route-map nonat interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 101 remark VPN
access-list 101 permit ip 10.10.1.0 0.0.0.255 126.96.36.199 0.0.0.255
access-list 105 remark Traffic to NAT
access-list 105 deny   ip 10.10.1.0 0.0.0.255 188.8.131.52 0.0.0.255
access-list 105 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
 match ip address 105
!
end
```
The first things that I notice are that you have the crypto map applied to the loopback interface and I believe it should be on the outbound interface. So I would move crypto map cm01 from the loopback interface to the dialer interface.
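The two checks raised in this thread (is the crypto map on the interface the traffic actually leaves by, and does every crypto ACL entry have a matching NAT-exemption deny) can be scripted against a saved config. This is an added example, not code from the thread: it runs over a constructed IOS fragment modelled on the posted config with RFC 5737 documentation addresses standing in for the real ones, and the helpers `blocks`, `acl_entries` and `audit` are my own names.

```python
import re

# Constructed IOS fragment with the same shape as the posted config (not the poster's real
# config): crypto map on Loopback0, default route out Dialer0, NAT exemption via route-map.
SAMPLE_CONFIG = """interface Loopback0
 ip address 198.51.100.1 255.255.255.255
 crypto map cm01
interface Dialer0
 ip unnumbered Loopback0
 ip nat outside
crypto map cm01 100 ipsec-isakmp
 set peer 203.0.113.1
 match address 101
ip nat inside source route-map nonat interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 101 permit ip 10.10.1.0 0.0.0.255 192.0.2.0 0.0.0.255
access-list 105 deny   ip 10.10.1.0 0.0.0.255 192.0.2.0 0.0.0.255
access-list 105 permit ip any any
route-map nonat permit 10
 match ip address 105
"""

def blocks(config, header):
    """(name, indented body) pairs for every top-level block starting with `header`."""
    return re.findall(rf"^{header} (\S+)[^\n]*\n((?: .*\n)*)", config, re.M)

def acl_entries(config, number):
    """(action, 'src wc dst wc') pairs of a numbered extended ACL, whitespace-normalised."""
    pat = re.compile(rf"^access-list {number} (permit|deny)\s+ip\s+(.*)$", re.M)
    return [(m.group(1), " ".join(m.group(2).split())) for m in pat.finditer(config)]

def audit(config):
    """Return findings for the two checks; an empty list means both pass."""
    findings = []
    (name, body), = blocks(config, "crypto map")
    crypto_acl = re.search(r"match address (\S+)", body).group(1)
    egress = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M).group(1)
    applied = [i for i, sub in blocks(config, "interface") if f" crypto map {name}\n" in sub]
    if egress not in applied:  # packets leave via egress, so the map must sit there
        findings.append(f"crypto map {name} is on {applied}, not on default-route egress {egress}")
    route_map = re.search(r"^ip nat inside source route-map (\S+)", config, re.M).group(1)
    (_, rm_body), = blocks(config, f"route-map {route_map}")
    nat_acl = re.search(r"match ip address (\S+)", rm_body).group(1)
    nat_denies = [rest for act, rest in acl_entries(config, nat_acl) if act == "deny"]
    for act, rest in acl_entries(config, crypto_acl):
        if act == "permit" and rest not in nat_denies:  # would be NATted before encryption
            findings.append(f"crypto ACL {crypto_acl} entry '{rest}' has no matching deny in NAT ACL {nat_acl}")
    return findings
```

On the constructed fragment `audit(SAMPLE_CONFIG)` reports only the crypto-map placement; moving `crypto map cm01` under `interface Dialer0` clears it, and deleting the ACL 105 deny line produces the NAT-exemption finding as well.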