Cisco Support Community
Community Member

isakmp won't initiate a connection w/o a default route?

I'm starting to do some testing to get a simple IPSEC tunnel between a Cisco 891 router and a SonicWall device controlled by a 3rd party. I've got a couple hundred 891 routers doing IPSEC to ASAs already with no problems using certificate authentication. This particular one will be doing pre-shared keys with the SW.

Here's the entire (addresses changed to protect the guilty) 891 config:

hostname test
logging buffered 16000
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ReallyGoodKeyHere address
!
crypto ipsec transform-set transetA esp-aes 192 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map cm1 10 ipsec-isakmp
 set peer
 set transform-set transetA
 match address HEQ
!
interface GigabitEthernet0
 description Public Internet WAN interface
 ip address
 ip access-group pubint in
 ip mtu 1452
 crypto map cm1
 no shut
!
interface Vlan1
 description remote LAN
 ip address
!
ip route
!
ip access-list extended HEQ
 permit ip
ip access-list extended pubint
 permit esp host any
 permit udp host any eq isakmp
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any echo-reply

I have a laptop connected via VLAN1 that I ping from to initiate the tunnel, but the 891 doesn't even try to set up the tunnel. I have "debug crypto isakmp" running and there's no output. I do a "debug ip packet detail" and it says there's not enough information to route the pings.

I can ping and traceroute the VPN peer from the router so I know the static route to is there.

When I add a default static route to the 891, isakmp fires right up as soon as I send a ping from the laptop. The tunnel setup fails because the guy on the other end hasn't done his bit yet, but that's tomorrow's issue.

What's going on that makes my "host" route not good enough for isakmp? I don't have default routes on any of the 200+ 891 routers that I already have in the field connecting to ASAs. I also tried a static route to the /24 subnet that the remote peer is on, but that didn't work either.

I tried this on two different 891 routers with IOS 15.1.1 and 12.4.22.


Re: isakmp won't initiate a connection w/o a default route?


There's no need for a default route if you have both a route to the other peer's public IP and also for the internal LAN you want to reach through the tunnel.

Can you try the following:

No default route

ip route x.x.x.x next-hop (x.x.x.x is the remote public IP to terminate the tunnel).

ip route REMOTE_LAN next-hop
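As an added illustration (not from the thread or from Cisco), here is a small Python model of the forwarding decision the reply describes: a crypto map is only consulted once the packet has a route out of the interface the map is bound to, and the ISAKMP exchange itself needs a route to the peer. All addresses are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (placeholders, not taken from the thread).
WAN_IF = "GigabitEthernet0"             # interface carrying "crypto map cm1"
WAN_NEXT_HOP = "198.51.100.1"           # ISP gateway
PEER = "203.0.113.10"                   # SonicWall public IP (the "set peer" address)
LOCAL_LAN = "10.10.0.0/24"              # Vlan1 behind the 891
REMOTE_LAN = "10.20.0.0/24"             # LAN behind the SonicWall
CRYPTO_ACL = [(LOCAL_LAN, REMOTE_LAN)]  # stands in for "ip access-list extended HEQ"

def lookup(rib, dst):
    """Longest-prefix match. rib is a list of (prefix, next_hop, egress_interface)."""
    best = None
    for prefix, nh, ifc in rib:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifc)
    return best

def forward(rib, src, dst):
    """Model what the 891 does with a LAN packet: route first, crypto map second."""
    route = lookup(rib, dst)
    if route is None:
        return "unroutable"          # debug ip packet: "not enough information to route"
    if route[2] != WAN_IF:
        return "clear"               # crypto map cm1 is bound to the WAN interface only
    interesting = any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
                      for s, d in CRYPTO_ACL)
    if not interesting:
        return "clear"               # not matched by HEQ, sent unencrypted
    if lookup(rib, PEER) is None:
        return "peer-unroutable"     # ISAKMP (UDP/500) to the peer cannot be sent either
    return "isakmp"                  # ISAKMP is initiated towards PEER

# 1) the original config: only a host route towards the peer's public IP
RIB_HOST_ONLY = [(PEER + "/32", WAN_NEXT_HOP, WAN_IF)]
# 2) the workaround that "fires right up": a default route
RIB_DEFAULT = [("0.0.0.0/0", WAN_NEXT_HOP, WAN_IF)]
# 3) the reply's suggestion: host route to the peer plus a route for the remote LAN
RIB_FIXED = [(PEER + "/32", WAN_NEXT_HOP, WAN_IF), (REMOTE_LAN, WAN_NEXT_HOP, WAN_IF)]

if __name__ == "__main__":
    for name, rib in [("host route only", RIB_HOST_ONLY), ("default route", RIB_DEFAULT),
                      ("peer + remote LAN", RIB_FIXED)]:
        print(f"{name:18}: {forward(rib, '10.10.0.50', '10.20.0.50')}")
```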


Community Member

Re: isakmp won't initiate a connection w/o a default route?


That'll probably do it. All my other VPNs use GRE which also requires a placeholder route through the public interface to the GRE destination. I didn't think of doing the same thing here for the simple tunnel.

