Cisco Support Community
New Member

IPSEC Lan2Lan VPN 3000 & 877

I'm trying to build a tunnel between an 877 and VPN 3000. The tunnel appears to come up when I send interesting traffic but I can ping back to HQ.

Attached is 877 config and debug crypto isakmp.

Any ideas ?


Re: IPSEC Lan2Lan VPN 3000 & 877

1. Make sure there is no ACL blocking your ping packets.

2. Check the routing in both directions.

3. Check "show crypto ipsec sa" to see if both the encrypt and decrypt counters are incrementing when you are doing ping testing.
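
As an added example (not part of the thread), step 3 can be done by comparing two snapshots of "show crypto ipsec sa" taken before and after a ping test. The sample output and addresses below are constructed, and the script assumes the usual IOS "#pkts encaps" / "#pkts decaps" counter lines; the verdict strings are rule-of-thumb hints, not Cisco diagnostics.

```python
import re

# Constructed sample: two snapshots of `show crypto ipsec sa` taken before and
# after a ping test. Addresses are documentation ranges, not from the thread.
BEFORE = """\
   local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
AFTER = BEFORE.replace("encaps: 10", "encaps: 15").replace("encrypt: 10", "encrypt: 15")

# One match per SA block: proxy identities followed by their counters.
SA_RE = re.compile(
    r"local\s+ident[^:]*:\s*\((?P<local>[^)]+)\).*?"
    r"remote\s+ident[^:]*:\s*\((?P<remote>[^)]+)\).*?"
    r"#pkts encaps:\s*(?P<encaps>\d+).*?#pkts decaps:\s*(?P<decaps>\d+)",
    re.S,
)

def parse_sas(text):
    """Return {(local, remote): (encaps, decaps)} for each SA block."""
    return {
        (m["local"], m["remote"]): (int(m["encaps"]), int(m["decaps"]))
        for m in SA_RE.finditer(text)
    }

def diagnose(before, after):
    """Compare two snapshots and classify each proxy-identity pair."""
    old, new = parse_sas(before), parse_sas(after)
    result = {}
    for key, (enc, dec) in new.items():
        enc0, dec0 = old.get(key, (0, 0))
        d_enc, d_dec = enc - enc0, dec - dec0
        if d_enc > 0 and d_dec > 0:
            verdict = "both directions passing traffic"
        elif d_enc > 0:
            verdict = "sending only: check far-end routing and ACLs"
        elif d_dec > 0:
            verdict = "receiving only: check local routing and crypto ACL"
        else:
            verdict = "no traffic matched: check crypto ACL and routing"
        result[key] = verdict
    return result

if __name__ == "__main__":
    for pair, verdict in diagnose(BEFORE, AFTER).items():
        print(pair, "->", verdict)
```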

New Member

Re: IPSEC Lan2Lan VPN 3000 & 877

There are no ACLs on HQ side besides those on the firewall permitting the tunnel ports:

access-list VPN permit icmp any host

access-list VPN permit udp any host eq 10000

access-list VPN permit udp any host eq isakmp

access-list VPN permit esp any host

I have static routes (for the remote subnet) on the HQ side on the core switches pointing at the concentrator and on the VPN concentrator pointing out the public interface and on the PIX pointing out the public interface.

I'm not sure if the routing around the DMZ/concentrator is set up correctly.

When doing a trace route from HQ to the remote inside address the packets get dropped at the concentrator.

The "show crypto ipsec sa" doesn't seem to even show counters for encryption & decryption on the 877.

New Member

Re: IPSEC Lan2Lan VPN 3000 & 877

The trouble was the "any" in my access-list. Either the Concentrator or the router didn't like it so I changed it to

Also I changed the static route on the concentrator pointing to remote inside vlan to the next hop rather than the exit interface.

Don't know why it worked but it did.
