I have set up a site to site VPN between a Cisco 1841 ISR and a Cisco ASA 5520, all appears to be working however I have a couple of questions.
1. I have to explicitly allow all VPN traffic in the ACL on the outside interface of the 1841. Is there a router equivalent of "sysopt connection permit-vpn"?
2. Although the VPN comes up and passes traffic, I occasionally see the following:
*Jun 22 14:11:52.883: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 220.127.116.11
The "outside" interface on the router (I assume we're talking about the one with the crypto map applied) will only see encrypted packets or IKE (ESP, UDP/4500 and UDP/500), unless you're running a VERY old IOS version.
Multiple possibilities. Quick Mode is Phase 2 negotiation. Would need to debug and see the configs.
What is the version of IOS you're using?
Show me the outputs of:
"show crypto map"
"show run interface NAME NUMBER" for interfaces facing LAN and WAN.
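To make the point about the outside ACL concrete, here is an added example (not the thread's own configuration) of what the inbound ACL on the router's crypto-map interface actually has to admit for a site-to-site tunnel to an ASA. The addresses are assumed placeholders (router WAN 198.51.100.1, ASA outside 192.0.2.1); the ACL and interface names follow the ones used in the thread.

```text
! Added example, not from the thread. On a current IOS, the inbound ACL on
! the crypto-map interface only sees the tunnel itself (IKE + ESP), so it
! only needs to admit the peer's IKE and ESP, not the remote LAN subnets.
! Assumed addresses: router WAN 198.51.100.1, ASA outside 192.0.2.1.
ip access-list extended outside_in
 remark --- IKE and IPsec from the ASA peer only ---
 permit udp host 192.0.2.1 host 198.51.100.1 eq isakmp
 permit udp host 192.0.2.1 host 198.51.100.1 eq non500-isakmp
 permit esp host 192.0.2.1 host 198.51.100.1
 remark --- anything else the WAN side legitimately needs ---
 permit icmp any host 198.51.100.1 echo-reply
 deny   ip any any log
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group outside_in in
 crypto map MYMAP
```

The "VERY old IOS" caveat in the reply is real: before the Crypto Access Check on Clear-Text Packets behaviour (12.3(8)T onwards, so well before the 12.4 release quoted in this thread), IOS re-evaluated decrypted packets against the inbound interface ACL, which is why older guides told you to permit the remote LAN there as well. On a 12.4 router, decrypted traffic is checked only against the crypto ACL, so there is nothing to switch on; there is no "sysopt" equivalent because none is needed. To verify, run "show access-lists outside_in" while traffic flows: the hit counters should rise on the udp/esp lines, not on a broad permit for the remote subnet. The "deny ip any any log" entry is an assumed closing line for visibility, not something the thread shows.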
Version: (C1841-ADVSECURITYK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
ROUTER#sh crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
Peer = 18.104.22.168
Extended IP access list VPN2OFFICE
access-list VPN2OFFICE permit ip 10.71.0.0 0.0.3.255 any
Current peer: 22.214.171.124
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Interfaces using crypto map MYMAP:
ip address 126.96.36.199 255.255.255.0
ip access-group outside_in in
crypto map MYMAP
ip address 10.71.3.225 255.255.252.0
And you're saying that if you ping from the other side to 10.71.3.225, the traffic gets denied by the ACL?
Are you sure it's entering the tunnel in the first place?
"show crypto ipsec sa" on both sides will show you.
Maybe phase 2 does not establish?
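For the Quick Mode failure, this added example (not the thread's own config) lays the Phase 2 parameters the two peers must agree on side by side, so each one can be checked against the real configs. Only the router LAN 10.71.0.0/22, the MYMAP / VPN2OFFICE names and the 28800-second lifetime come from the thread; the ASA LAN 10.200.0.0/24, the ASA outside 192.0.2.1, the router WAN 198.51.100.1, the transform-set and the ASA map name are assumed placeholders.

```text
! Added example, not the thread's own config. Phase 2 (Quick Mode) succeeds
! only when both peers agree on: transform set, proxy identities (the two
! crypto ACLs must be mirror images), PFS, and, on IOS, the SA lifetime is
! negotiated down to the smaller value. Addresses other than 10.71.0.0/22
! are assumed placeholders.
!
! ---- Cisco 1841 (IOS) ----
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
ip access-list extended VPN2OFFICE
 permit ip 10.71.0.0 0.0.3.255 10.200.0.0 0.0.0.255
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-AES-SHA
 set security-association lifetime seconds 28800
 match address VPN2OFFICE
 ! no "set pfs": the thread's output shows PFS (Y/N): N
!
! ---- Cisco ASA 5520 (pre-8.4 syntax; 8.4+ uses "crypto ipsec ikev1 transform-set") ----
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
access-list VPN2ROUTER extended permit ip 10.200.0.0 255.255.255.0 10.71.0.0 255.255.252.0
crypto map outside_map 10 match address VPN2ROUTER
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set TS-AES-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map interface outside
! no "set pfs" here either, so it matches the router
!
! Checking the negotiation on the router after a failure:
!   show crypto ipsec sa      (local/remote ident, #pkts encaps / decaps)
!   debug crypto ipsec        (look for "proxy identities not supported"
!                              or "transform proposal not supported")
```

One thing worth ruling out from the output posted above: the router's crypto ACL is "permit ip 10.71.0.0 0.0.3.255 any". Phase 2 proxy identities are compared as mirror images, so if the ASA's crypto ACL names a specific remote subnet while the router says "any", the ASA may accept the SA it initiates but reject the one the router proposes, which shows up exactly as an intermittent Quick Mode failure. Narrowing the router ACL to the ASA's LAN, as in the example, removes that possibility; whether that is the cause here can only be confirmed with the debug output the reply asks for.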