Cisco Support Community
Community Member

Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.

I have a Cisco 881 ISR router with a site-to-site IPsec VPN tunnel to a MikroTik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up; however, traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the VLAN1 interface (VLANs are required on the L2 ports) and does not pass to the tunnel.


This is my configuration:


141Kerioth#sh config
Using 3763 out of 262136 bytes
!
! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 141Kerioth
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!

141Kerioth#do wr mem
              ^
% Invalid input detected at '^' marker.

141Kerioth#wr mem
Building configuration...
[OK]
141Kerioth#sh run
Building configuration...

Current configuration : 5053 bytes
!
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 141Kerioth
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-580381394
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-580381394
 revocation-check none
 rsakeypair TP-self-signed-580381394
!
!
crypto pki certificate chain TP-self-signed-580381394
 certificate self-signed 01
        quit
!
!
!
ip dhcp excluded-address 10.0.16.1
!
ip dhcp pool ccp-pool
 import all
 network 10.0.16.0 255.255.255.0
 default-router 10.0.16.1
 dns-server 8.8.8.8
 lease 0 2
!
!
!
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX180483DD
!
!
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
!
!
!
!
!
!
policy-map type inspect outbound-policy
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map mymap 10 ipsec-isakmp
 set peer z.z.z.z
 set transform-set TS
 match address 115
!
!
!
!
!
interface Loopback0
 no ip address
!
interface Tunnel1
 no ip address
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description $FW_OUTSIDE_WAN$
 ip address 50.y.y.y 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map mymap
!
interface Vlan1
 description $ETH_LAN$
 ip address 10.0.16.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
!
access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
!
route-map nonat permit 10
 match ip address 100
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 privilege level 15
 transport preferred ssh
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
!
end
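A quick audit of the NAT and crypto statements in the config above, added here as an example; it is not from the original post or from Cisco. On IOS, inside-to-outside NAT is applied before the crypto map, so the script reports NAT ACLs that permit crypto-interesting traffic without an earlier deny, NAT statements that resolve to an ACL that does not exist, and ACLs nothing references. It assumes numbered extended "ip" entries in any/host/wildcard form; CONFIG is a constructed excerpt of the posted configuration.

```python
from ipaddress import ip_network
# Constructed excerpt of the NAT, ACL, route-map and crypto-map lines of the posted config.
CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 match address 115
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
route-map nonat permit 10
 match ip address 100
"""
def _net(tok):
    # ACL address spec: any | host A | A wildcard; ipaddress reads a leading-0 mask as a wildcard
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ip_network(tok[1] + "/32"), tok[2:]
    # a 0.0.0.0 wildcard means a single host, but ipaddress would read that mask as /0
    return ip_network(f"{tok[0]}/{'32' if tok[1] == '0.0.0.0' else tok[1]}", strict=False), tok[2:]

def parse(cfg):
    acls, nat, rmap, crypto, rm = {}, [], {}, [], None      # numbered 'ip' ACLs and their users
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] == ["access-list"] and t[3] == "ip":
            src, rest = _net(t[4:])
            acls.setdefault(t[1], []).append((t[2], src, _net(rest)[0]))
        elif t[:4] == ["ip", "nat", "inside", "source"]:
            nat.append((t[4], t[5]))                       # ("list" | "route-map", name)
        elif t[:1] == ["route-map"]:
            rm = t[1]
        elif t[:3] == ["match", "ip", "address"]:          # inside route-map rm
            rmap[rm] = t[3]
        elif t[:2] == ["match", "address"]:                # inside a crypto map entry
            crypto.append(t[2])
    return acls, nat, rmap, crypto

def audit(cfg):
    # Inside-to-outside NAT runs before the crypto map, so every NAT ACL must deny crypto traffic
    acls, nat, rmap, crypto = parse(cfg)
    refs = [(k, n, n if k == "list" else rmap.get(n)) for k, n in nat]
    out = [f"NAT {k} {n} resolves to undefined ACL {a}" for k, n, a in refs if a not in acls]
    for kind, name, acl in ((k, n, a) for k, n, a in refs if a in acls):
        for cs, cd in [(s, d) for c in crypto for a, s, d in acls.get(c, []) if a == "permit"]:
            hit = next((e for e in acls[acl] if e[1].overlaps(cs) and e[2].overlaps(cd)), None)
            if hit and hit[0] == "permit":                 # first overlapping entry decides
                out.append(f"ACL {acl} (NAT {kind} {name}) NATs crypto traffic {cs} -> {cd}")
    used = {a for _, _, a in refs} | set(crypto)
    out += [f"ACL {a} is defined but used by neither NAT nor crypto" for a in acls if a not in used]
    return out
```

Run against the full running-config text; for the posted config it flags ACL 115 being NATed, route-map nonat matching the nonexistent ACL 100, and ACL 110 (the only list that denies the VPN traffic) being unused.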
