Thanks Mr. Elton for your response. I did make the changes but is not working at all. I really don't know what to do anymore. Here is the new configurations:

CCME1

hostname CCME1

!

!

!

!

ip dhcp excluded-address 10.10.0.1 10.10.0.10

ip dhcp excluded-address 10.15.0.1 10.15.0.10

!

ip dhcp pool Date_pool

network 10.10.0.0 255.255.255.0

default-router 10.10.0.1

ip dhcp pool Voce_pool

network 10.15.0.0 255.255.255.0

default-router 10.15.0.1

option 150 ip 10.15.0.1

!

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp key CRIPTARE address 172.1.2.2

!

!

crypto ipsec transform-set R1R2 esp-3des esp-sha-hmac

!

crypto map R1R2 1 ipsec-isakmp

description TUNELR1R2

set peer 172.1.2.2

set transform-set R1R2

match address 100

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

interface Loopback0

ip address 99.99.99.99 255.255.255.255

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.1

description MNG

encapsulation dot1Q 1

ip address 10.1.0.1 255.255.255.0

!

interface FastEthernet0/0.10

description LAN_DATE

encapsulation dot1Q 10 native

ip address 10.10.0.1 255.255.255.0

!

interface FastEthernet0/0.15

description LAN_VOCE

encapsulation dot1Q 15

ip address 10.15.0.1 255.255.255.0

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

!

interface FastEthernet1/0

description SPRE_MIHAILESTI

ip address 172.1.2.1 255.255.255.252

duplex auto

speed auto

crypto map R1R2

!

interface FastEthernet1/1

description SPRE_R3

ip address 172.1.3.1 255.255.255.252

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

router ospf 1

log-adjacency-changes

network 10.1.0.0 0.0.0.255 area 10

network 10.10.0.0 0.0.0.255 area 10

network 10.15.0.0 0.0.0.255 area 10

network 172.1.2.0 0.0.0.3 area 10

network 172.1.3.0 0.0.0.3 area 10

!

ip classless

!

!

access-list 100 permit ip 10.1.0.0 0.0.0.255 20.1.0.0 0.0.0.255

access-list 100 permit ip 10.10.0.0 0.0.0.255 20.10.0.0 0.0.0.255

access-list 100 permit ip 10.15.0.0 0.0.0.255 20.15.0.0 0.0.0.255

!

no cdp run

!

!

!

!

!

dial-peer voice 6 voip

destination-pattern 200.

session target ipv4:172.1.2.2

!

dial-peer voice 7 voip

destination-pattern 300.

session target ipv4:172.1.3.2

!

telephony-service

max-ephones 10

max-dn 20

ip source-address 10.15.0.1 port 2000

!

ephone-dn 1

number 1000

!

ephone-dn 2

number 1001

!

ephone-dn 3

number 1002

!

ephone-dn 4

number 1003

!

ephone-dn 5

number 1004

!

ephone-dn 6

number 1005

!

ephone 1

device-security-mode none

mac-address 00D0.FF2B.27D0

type 7960

button 1:1

!

ephone 2

device-security-mode none

mac-address 0090.21D4.9973

type 7960

button 1:2

!

ephone 3

device-security-mode none

mac-address 0030.F2D9.A344

type 7960

button 1:3

!

ephone 4

device-security-mode none

mac-address 0004.9A90.47E2

type 7960

button 1:4

!

ephone 5

device-security-mode none

mac-address 0004.9A1A.E70E

type 7960

button 1:5

!

ephone 6

device-security-mode none

mac-address 0010.118B.34B6

type 7960

button 1:6

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end

CCME2

hostname CCME2

!

!

!

!

ip dhcp excluded-address 20.10.0.1 20.10.0.10

ip dhcp excluded-address 20.15.0.1 20.15.0.10

!

ip dhcp pool Date_pool

network 20.10.0.0 255.255.255.0

default-router 20.10.0.1

ip dhcp pool Voce_pool

network 20.15.0.0 255.255.255.0

default-router 20.15.0.1

option 150 ip 20.15.0.1

!

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp key R1R2 address 172.1.2.1

!

!

crypto ipsec transform-set R1R2 esp-3des esp-sha-hmac

!

crypto map R1R2 1 ipsec-isakmp

description TUNELR1R2

set peer 172.1.2.1

set transform-set R1R2

match address 100

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

interface Loopback0

ip address 99.99.99.98 255.255.255.255

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.1

description MNG_R2

encapsulation dot1Q 1

ip address 20.1.0.1 255.255.255.0

!

interface FastEthernet0/0.10

description LAN_DATE_R2

encapsulation dot1Q 10 native

ip address 20.10.0.1 255.255.255.0

!

interface FastEthernet0/0.15

description LAN_VOCE_R2

encapsulation dot1Q 15

ip address 20.15.0.1 255.255.255.0

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

!

interface FastEthernet1/0

description WAN_R2

ip address 172.1.2.2 255.255.255.252

duplex auto

speed auto

crypto map R1R2

!

interface Vlan1

no ip address

shutdown

!

router ospf 1

log-adjacency-changes

network 20.1.0.0 0.0.0.255 area 10

network 20.10.0.0 0.0.0.255 area 10

network 20.15.0.0 0.0.0.255 area 10

network 172.1.2.0 0.0.0.3 area 10

!

ip classless

!

!

access-list 100 permit ip 20.1.0.0 0.0.0.255 10.1.0.0 0.0.0.255

access-list 100 permit ip 20.10.0.0 0.0.0.255 10.10.0.0 0.0.0.255

access-list 100 permit ip 20.15.0.0 0.0.0.255 10.15.0.0 0.0.0.255

!

no cdp run

!

!

!

!

!

dial-peer voice 6 voip

destination-pattern 100.

session target ipv4:172.1.2.1

!

dial-peer voice 7 voip

session target ipv4:172.1.3.2

!

dial-peer voice 23 voip

destination-pattern 300.

session target ipv4:172.20.3.1

!

telephony-service

max-ephones 10

max-dn 20

ip source-address 20.15.0.1 port 2000

!

ephone-dn 1

number 2000

!

ephone-dn 2

number 2001

!

ephone-dn 3

number 2002

!

ephone 1

device-security-mode none

mac-address 0030.F296.69A0

type 7960

button 1:1

!

ephone 2

device-security-mode none

mac-address 000A.F399.C70B

type 7960

button 1:2

!

ephone 3

device-security-mode none

mac-address 00D0.FF0D.31CC

type 7960

button 1:3

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end

Thanks!

Regarding the above configuration. The tunnel is up. But it seems it's something wrong.

CCME1#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

172.1.2.2       172.1.2.1       QM_IDLE           1065    0 ACTIVE

IPv6 Crypto ISAKMP SA

CCME1#

So... the tunnel is up. But when i want to see the ipsec sa the results are like this:

CCME1#show crypto ipsec sa

interface: FastEthernet1/0

    Crypto map tag: r1r2, local addr 172.1.2.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)

   remote  ident (addr/mask/prot/port): (20.1.0.0/255.255.255.0/0/0)

   current_peer 172.1.2.2 port 500

    PERMIT, flags={origin_is_acl,}

   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

   #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 0

   #pkts compressed: 0, #pkts decompressed: 0

   #pkts not compressed: 0, #pkts compr. failed: 0

   #pkts not decompressed: 0, #pkts decompress failed: 0

   #send errors 0, #recv errors 0

     local crypto endpt.: 172.1.2.1, remote crypto endpt.:172.1.2.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0

     current outbound spi: 0x5FDC20C7(1608261831)

     inbound esp sas:

      spi: 0x72D901C5(1926824389)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2009, flow_id: FPGA:1, crypto map: r1r2

        sa timing: remaining key lifetime (k/sec): (4525504/942)

        IV size: 16 bytes

        replay detection support: N

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x5FDC20C7(1608261831)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2010, flow_id: FPGA:1, crypto map: r1r2

        sa timing: remaining key lifetime (k/sec): (4525504/942)

        IV size: 16 bytes

        replay detection support: N

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)

   remote  ident (addr/mask/prot/port): (20.10.0.0/255.255.255.0/0/0)

   current_peer 172.1.2.2 port 500

    PERMIT, flags={origin_is_acl,}

   #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 0

   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

   #pkts compressed: 0, #pkts decompressed: 0

   #pkts not compressed: 0, #pkts compr. failed: 0

   #pkts not decompressed: 0, #pkts decompress failed: 0

   #send errors 0, #recv errors 0

     local crypto endpt.: 172.1.2.1, remote crypto endpt.:172.1.2.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0

     current outbound spi: 0x5FDC20C7(1608261831)

     inbound esp sas:

      spi: 0x72D901C5(1926824389)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2009, flow_id: FPGA:1, crypto map: r1r2

        sa timing: remaining key lifetime (k/sec): (4525504/942)

        IV size: 16 bytes

        replay detection support: N

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x5FDC20C7(1608261831)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2010, flow_id: FPGA:1, crypto map: r1r2

        sa timing: remaining key lifetime (k/sec): (4525504/942)

        IV size: 16 bytes

        replay detection support: N

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (10.15.0.0/255.255.255.0/0/0)

   remote  ident (addr/mask/prot/port): (20.15.0.0/255.255.255.0/0/0)

   current_peer 172.1.2.2 port 500

    PERMIT, flags={origin_is_acl,}

   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

   #pkts compressed: 0, #pkts decompressed: 0

   #pkts not compressed: 0, #pkts compr. failed: 0

   #pkts not decompressed: 0, #pkts decompress failed: 0

   #send errors 0, #recv errors 0

     local crypto endpt.: 172.1.2.1, remote crypto endpt.:172.1.2.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0

     current outbound spi: 0x5FDC20C7(1608261831)

     inbound esp sas:

      spi: 0x72D901C5(1926824389)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2009, flow_id: FPGA:1, crypto map: r1r2

        sa timing: remaining key lifetime (k/sec): (4525504/942)

        IV size: 16 bytes

        replay detection support: N

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x5FDC20C7(1608261831)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2010, flow_id: FPGA:1, crypto map: r1r2

        sa timing: remaining key lifetime (k/sec): (4525504/942)

        IV size: 16 bytes

        replay detection support: N

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

CCME1#

It's that normal?

Or this one is normal?

Router A#sho crypto isakmp sa

dst             src             state          conn-id slot

30.0.0.1        20.0.0.1        QM_IDLE              2    0

Router A#sho crypto ipsec sa

interface: FastEthernet0/1

    Crypto map tag: branch-map, local addr. 20.0.0.1

   protected vrf:

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)

   current_peer: 30.0.0.1:500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 1059, #pkts encrypt: 1059, #pkts digest 1059

    #pkts decaps: 1059, #pkts decrypt: 1059, #pkts verify 1059

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0

Hi Cosmin!

I have faced such problem before on 2 occassions.

The first one was my Nat statment on ASA.  I had it reversed. after changing it packets starte encaps and decaping both sides.

The second time was both on a Router and ASA, the issue was routing related. If packets gets to one destination and doesn't know how to return the packet to the source...you'll have such problems.

So my little suggestion would be please check that you routing is fine on both ends.

Cheers

Teddy

Thanks Teddy,

I sorted it out but now i have a new  challenge. I have a project in packet tracer to create 2 vpn tunnels  from 2 sites to a headquarter office. I made the first tunnel between  the head and the 1'st remote site. Now i cant create the 2'nd tunnel  from head to remote site 2. I must simulate over intranet not over  internet so i have some switches. On the head router i have 2 fast  ethernet adapters. So...the first tunnel is created on fa1/0. I cant  create a tunnel from fa1/1 to remote site 2. When i apply the crypto map  to the interface fa1/1 on the head router i'm not getting the message  that the isakmp is ON. Any advice?

Hi Cosmin,

Glad you sorted out the first! Fair enough about that! Please pray tell what you did to resolve the issue.

For the second tunnel you are building, do you have any previous crypto map applied to the interface before? From what I know you can only have one crypto map applied to an interface per time.

So the best thing to do is, use the same crypto map but with different sequence numbers.

say you have something like this:

crypto ipsec transform-set TSVPN esp-aes esp-sha-hmac

crypto map CMAP 10 ipsec-isakmp

set peer 192.168.1.100

set transform-set TSVPN

match address VPN-TRAFFIC

interface FastEthernet0/0

crypto map CMAP

Your next crypto map statement should be the same but will sequence number 11 or something.

                                                                            BUT

In the case where by you don't have any msg saying that the crypto isakmp is on, on the interface...my guess would be that that the IOS doesn't support ISAKMP. You might need to check that to make sure its an IOS that support such functionality! I might be wrong.

Ok just do sh version on your router and paste the outcome lets see. 

I hope this helps only If i'm not understanding your question correctly. Please let me know either ways.

Cheers

Teddy