09-23-2011 06:05 AM
Morning Guys,
I'm working on establishing an IPSec VPN tunnel between an RV082 and a Cisco 2801. I've managed to have the tunnel connected successfully; however, I'm unable to pass data across the tunnel. Extended pings from 172.17.10.254 fail, and if I do a traceroute it goes through the old gateway. I even went so far as to redefine a route such as 192.168.129.0 255.255.255.0 fa0/1, but still no traffic crosses this link. Once again, pings and traceroute fail.
Does anyone have a suggestion where I may be able to look to address this issue?
Below is a snapshot of some of the show commands on the Cisco 2801 side.
-- Show Crypto Map
Crypto Map "CAL-VIC" 10 ipsec-isakmp
Description: *** CONNECTION TO xxxx ***
Peer = x.11.76.x
Extended IP access list CAL-VIC
access-list CAL-VIC permit ip 172.17.10.0 0.0.0.255 192.168.129.0 0.0.0.255
Current peer: x.11.76.x
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
CAL-VIC,
}
Reverse Route Injection Enabled
Translation Enabled
Interfaces using crypto map CAL-VIC:
FastEthernet0/1
-- Show crypto sessions
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: x.11.76.x port 500
IKE SA: local x.68.32.x/500 remote x.11.76.x/500 Active
IKE SA: local x.68.32.x/500 remote x.11.76.x/500 Active
IPSEC FLOW: permit ip 172.17.10.0/255.255.255.0 192.168.129.0/255.255.255.0
Active SAs: 2, origin: crypto map
-- show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: CAL-VIC, local addr x.68.32.x
protected vrf: ISP2
local ident (addr/mask/prot/port): (172.17.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.129.0/255.255.255.0/0/0)
current_peer x.11.76.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 936, #pkts encrypt: 936, #pkts digest: 936
#pkts decaps: 54, #pkts decrypt: 54, #pkts verify: 54
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 0
local crypto endpt.: x.68.32.x, remote crypto endpt.: x.11.76.x
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xAAD8CC1E(2866334750)
inbound esp sas:
spi: 0xCB7FA30C(3414139660)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3006, flow_id: FPGA:6, crypto map: CAL-VIC
sa timing: remaining key lifetime (k/sec): (4523364/139)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAAD8CC1E(2866334750)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: CAL-VIC
sa timing: remaining key lifetime (k/sec): (4523364/138)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
09-24-2011 04:31 AM
From the output of show cry ipsec sa, the encrypts are a lot more than the decrypts, which means traffic is actually getting encrypted and sent through the VPN tunnel, and the reply is probably not getting back towards the 2801 router.
Can you check the output on the Linksys as well? And also make sure that the Linksys end knows how to route back towards the 2800 router.
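A small checker for the reasoning in this reply, added here as an example and not taken from the thread: it parses the counter lines of `show crypto ipsec sa` and flags the encaps/decaps imbalance described above. The sample text is constructed from the counters posted earlier, and the function names and the 5:1 threshold are the example's own choices.

```python
import re

# Constructed sample: the counter lines from the 2801 output posted above (crypto map CAL-VIC)
SAMPLE_SA = """\
interface: FastEthernet0/1
Crypto map tag: CAL-VIC, local addr x.68.32.x
local ident (addr/mask/prot/port): (172.17.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.129.0/255.255.255.0/0/0)
#pkts encaps: 936, #pkts encrypt: 936, #pkts digest: 936
#pkts decaps: 54, #pkts decrypt: 54, #pkts verify: 54
#send errors 3, #recv errors 0
"""


def parse_ipsec_sa(text):
    """Pull the fields needed for a one-way-traffic check out of one SA block."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None

    return {
        "local_net": grab(r"local ident \(addr/mask/prot/port\): \((\S+?)/"),
        "remote_net": grab(r"remote ident \(addr/mask/prot/port\): \((\S+?)/"),
        "encaps": grab(r"#pkts encaps: (\d+)", int) or 0,
        "decaps": grab(r"#pkts decaps: (\d+)", int) or 0,
        "send_errors": grab(r"#send errors (\d+)", int) or 0,
        "recv_errors": grab(r"#recv errors (\d+)", int) or 0,
    }


def diagnose(sa, ratio=5):
    """Classify the SA: 'no-traffic', 'asymmetric' (replies not returning) or 'healthy'."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        # Nothing matched the crypto ACL: local traffic is not being routed into the tunnel
        return "no-traffic"
    if sa["decaps"] == 0 or sa["encaps"] >= ratio * sa["decaps"]:
        # We encrypt far more than we decrypt: the far side is not routing back to us
        return "asymmetric"
    return "healthy"


def report(text):
    """Human-readable one-liner for an SA block, e.g. for a quick CLI check."""
    sa = parse_ipsec_sa(text)
    verdict = diagnose(sa)
    return (f"{sa['local_net']} -> {sa['remote_net']}: encaps={sa['encaps']} "
            f"decaps={sa['decaps']} send_err={sa['send_errors']} => {verdict}")


if __name__ == "__main__":
    print(report(SAMPLE_SA))
```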