(originally I had it as any network as I wanted to get all traffic outbound from the remote site to come through the vpn, I have now changed this to the below but I would like to put it back to 'any')
Phase 1 up
Phase 2 up
I can ping from a host at the headend to the remote site SVIs no problem, but can't ping from the headend to any device attached to the switch. The devices attached to the switch currently are phones and wireless APs, but I have had the same result using a Windows laptop.
I have checked all the configuration 100 times and just can't understand it. Has anyone seen this issue before?
Important bit of configs below:
tunnel-group 188.8.131.52 type ipsec-l2l
tunnel-group 184.108.40.206 general-attributes
tunnel-group 220.127.116.11 ipsec-attributes
group-policy LDN-GP internal
group-policy LDN-GP attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
crypto map outside_map 50 match address LDN-CRYPTO-ACL
crypto map outside_map 50 set peer 18.104.22.168
crypto map outside_map 50 set transform-set ESP-AES-256-SHA
access-list LDN-CRYPTO-ACL extended permit ip 10.0.0.0 255.0.0.0 172.21.160.0 255.255.255.0
access-list LDN-CRYPTO-ACL extended permit ip 10.0.0.0 255.0.0.0 172.21.161.0 255.255.255.0
access-list LDN-CRYPTO-ACL extended permit ip 10.0.0.0 255.0.0.0 172.21.190.0 255.255.255.0
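An added example, not part of the original post or Cisco's tooling: a small Python checker that parses ASA-style crypto ACL lines like the LDN-CRYPTO-ACL entries above and reports whether a given source/destination pair counts as "interesting traffic" for the crypto map. With phase 2 up and encaps/decaps visible on both ends, a flow that falls outside the crypto ACL (or is not mirrored on the peer) is one of the first things to rule out, and this makes that check mechanical. The ACL lines are copied from the post; the host addresses used in the usage section are constructed, and the mirrored IOS ACL it prints is what the 3560 side would need to carry, which is an assumption about the remote platform's syntax.

```python
"""Check whether a flow is 'interesting traffic' for an ASA crypto map ACL.

Added example (not from the original post). Handles ASA extended 'ip' ACEs
of the form:  access-list NAME extended permit|deny ip SRC DST
where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D MASK' (subnet mask,
not wildcard). Other protocols/ports are ignored on purpose.
"""
import ipaddress
from typing import List, Optional, Tuple

# Crypto ACL lines copied from the post.
SAMPLE_CONFIG = """
access-list LDN-CRYPTO-ACL extended permit ip 10.0.0.0 255.0.0.0 172.21.160.0 255.255.255.0
access-list LDN-CRYPTO-ACL extended permit ip 10.0.0.0 255.0.0.0 172.21.161.0 255.255.255.0
access-list LDN-CRYPTO-ACL extended permit ip 10.0.0.0 255.0.0.0 172.21.190.0 255.255.255.0
"""

# (action, source network, destination network, original ACE text)
Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network, str]


def _parse_spec(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA syntax: address followed by a dotted subnet mask.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(config: str, name: str) -> List[Entry]:
    """Extract the 'ip' ACEs of access-list NAME, in configured order."""
    entries: List[Entry] = []
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        if tokens[2] != "extended" or tokens[4] != "ip":
            continue  # only plain 'ip' ACEs are handled by this checker
        src, i = _parse_spec(tokens, 5)
        dst, _ = _parse_spec(tokens, i)
        entries.append((tokens[3], src, dst, line))
    return entries


def match_flow(entries: List[Entry], src_ip: str, dst_ip: str) -> Optional[Entry]:
    """First ACE matching the flow, or None (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in entries:
        if s in entry[1] and d in entry[2]:
            return entry
    return None


def is_interesting(entries: List[Entry], src_ip: str, dst_ip: str) -> bool:
    """True only when the first matching ACE is a permit."""
    entry = match_flow(entries, src_ip, dst_ip)
    return entry is not None and entry[0] == "permit"


def mirrored_ios_acl(entries: List[Entry]) -> List[str]:
    """ACEs the IOS peer must carry: src/dst swapped, wildcard (inverse) masks."""
    def ios(net: ipaddress.IPv4Network) -> str:
        return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"
    return [f"{action} ip {ios(dst)} {ios(src)}" for action, src, dst, _ in entries]


if __name__ == "__main__":
    acl = parse_crypto_acl(SAMPLE_CONFIG, "LDN-CRYPTO-ACL")
    # Constructed sample hosts: a headend host and two remote-site devices.
    for src, dst in [("10.1.2.3", "172.21.160.20"), ("10.1.2.3", "172.21.170.5")]:
        hit = match_flow(acl, src, dst)
        print(f"{src} -> {dst}: {'encrypted' if is_interesting(acl, src, dst) else 'NOT in crypto ACL'}"
              f"{' via ' + hit[3] if hit else ''}")
    print("Peer (IOS) crypto ACL should contain:")
    for ace in mirrored_ios_acl(acl):
        print(" ", ace)
```

Run it against the real configuration by pasting the ASA's crypto ACL into SAMPLE_CONFIG and the failing host pair (headend source, phone or AP address behind the switch) into the loop; a "NOT in crypto ACL" result means the traffic is never offered to the tunnel, regardless of phase 2 status, while a hit on both the ASA ACL and the mirrored peer ACL points the investigation at NAT exemption or the remote platform instead.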
Thanks a lot for your reply. Unfortunately I don't have access to the kit right now, but as I said phase 1 is up so that's what sh crypto isakmp will show, and phase 2 is up for each subnet; I can see decaps and encaps on both ends.
In regards to NAT - I have NONAT's configured on the ASA and do not have NAT configured on the 3560 at all.
A colleague has mentioned that it could be a platform limitation, which is what I suspected. I think the reason that I can configure the tunnel and it comes up is because the platform does support IPsec for management-plane traffic - this would explain why I can get to the switch's SVIs and nothing else.
I will update the post once I have tested using something else.