VPN between Linksys RV082 and Cisco 2801

nikalleyne
Level 1

Morning Guys,

I'm working on establishing an IPSec VPN tunnel between an RV082 and a Cisco 2801. I've managed to have the tunnel connected successfully; however, I'm unable to pass data across the tunnel. Extended pings from 172.17.10.254 fail, and if I do a traceroute it goes through the old gateway. I even went so far as to redefine a route such as 192.168.129.0 255.255.255.0 fa0/1, but still no traffic crosses this link. Once again, pings and traceroute fail.

Does anyone have a suggestion where I may be able to look to address this issue?

Below is a snapshot of some of the show commands on the Cisco 2801 side.

-- Show Crypto Map

Crypto Map "CAL-VIC" 10 ipsec-isakmp
        Description: *** CONNECTION TO xxxx ***
        Peer = x.11.76.x
        Extended IP access list CAL-VIC
            access-list CAL-VIC permit ip 172.17.10.0 0.0.0.255 192.168.129.0 0.0.0.255
        Current peer: x.11.76.x
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                CAL-VIC,
        }
        Reverse Route Injection Enabled
        Translation Enabled
        Interfaces using crypto map CAL-VIC:
                FastEthernet0/1

--- Show crypto sessions

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: x.11.76.x port 500
  IKE SA: local x.68.32.x/500 remote x.11.76.x/500 Active
  IKE SA: local x.68.32.x/500 remote x.11.76.x/500 Active
  IPSEC FLOW: permit ip 172.17.10.0/255.255.255.0 192.168.129.0/255.255.255.0
        Active SAs: 2, origin: crypto map

-- show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: CAL-VIC, local addr x.68.32.x

   protected vrf: ISP2
   local  ident (addr/mask/prot/port): (172.17.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.129.0/255.255.255.0/0/0)
   current_peer x.11.76.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 936, #pkts encrypt: 936, #pkts digest: 936
    #pkts decaps: 54, #pkts decrypt: 54, #pkts verify: 54
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: x.68.32.x, remote crypto endpt.: x.11.76.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xAAD8CC1E(2866334750)

     inbound esp sas:
      spi: 0xCB7FA30C(3414139660)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3006, flow_id: FPGA:6, crypto map: CAL-VIC
        sa timing: remaining key lifetime (k/sec): (4523364/139)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAAD8CC1E(2866334750)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: FPGA:3, crypto map: CAL-VIC
        sa timing: remaining key lifetime (k/sec): (4523364/138)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

1 Reply

Jennifer Halim
Cisco Employee

From the output of show cry ipsec sa, the encrypts are a lot more than decrypts, which means traffic is actually getting encrypted and getting sent through the VPN tunnel, and reply is probably not getting back towards the 2801 router.

Can you check the output on the Linksys as well? And also make sure that the Linksys end knows how to route back towards the 2800 router.
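The encaps/decaps comparison used in the reply above, as an added example that is not part of the original thread: a Python sketch that parses `show crypto ipsec sa` text and classifies each flow by counter asymmetry. The function names and the `ratio` threshold are assumptions; the sample is an excerpt of the output quoted in the post.

```python
import re

# Excerpt of the `show crypto ipsec sa` output quoted in the post above.
SAMPLE = """\
interface: FastEthernet0/1
   local  ident (addr/mask/prot/port): (172.17.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.129.0/255.255.255.0/0/0)
    #pkts encaps: 936, #pkts encrypt: 936, #pkts digest: 936
    #pkts decaps: 54, #pkts decrypt: 54, #pkts verify: 54
    #send errors 3, #recv errors 0
"""

IDENT = re.compile(r"(local|remote)\s+ident .*?:\s*\(([\d.]+)/([\d.]+)/")
COUNTER = re.compile(r"#(?:pkts )?(encaps|decaps|send errors|recv errors):? (\d+)")

def parse_flows(text):
    """Return one dict per local/remote ident pair with its packet counters."""
    flows, cur = [], None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m and m.group(1) == "local":   # each "local ident" starts a new flow
            cur = dict.fromkeys(("encaps", "decaps", "send errors", "recv errors"), 0)
            flows.append(cur)
        if cur is None:                   # skip anything before the first flow
            continue
        if m:
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        for name, value in COUNTER.findall(line):
            cur[name] = int(value)
    return flows

def diagnose(flow, ratio=5):
    """Classify a flow; `ratio` is an assumed threshold, not a Cisco value."""
    enc, dec = flow["encaps"], flow["decaps"]
    if enc == 0 and dec == 0:
        return "idle: no packets encapsulated or decapsulated"
    if dec == 0:
        return "one-way: traffic is sent but nothing returns from the peer"
    if enc == 0:
        return "one-way: traffic arrives but local replies are not encrypted"
    if enc >= ratio * dec:
        return "asymmetric: most replies are not returning from the peer"
    if dec >= ratio * enc:
        return "asymmetric: most local replies are not entering the tunnel"
    return "balanced"

if __name__ == "__main__":
    for f in parse_flows(SAMPLE):
        print(f["local"], "->", f["remote"], f["encaps"], f["decaps"], diagnose(f))
```

Running the same check against counters taken a minute apart shows whether decaps is still increasing at all, which a single snapshot cannot.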
