06-25-2014 06:17 AM - edited 03-04-2019 11:13 PM
Hi. I am setting up a site-to-site IPsec tunnel with my client. My client has an ASA and I have a Cisco router. I have done the configuration on my side and phase 1 is up, but when I ping the client-end IP I don't get a response; even at my end the packets are not getting encrypted. Please see my config below and suggest where the config issue is.
interface FastEthernet0/0
 description >> connected to Internet <<
 ip address X.X.X.X.13 255.255.255.224
 duplex auto
 speed auto
 crypto map Policy_VPN
interface FastEthernet0/1
 description >> connected to LAN <<
 ip address X.X.X.X.251 255.255.255.248
 duplex auto
 speed auto
crypto ipsec transform-set ESP esp-3des esp-sha-hmac
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key aya@3 address y.y.y.y
crypto map Policy_VPN 10 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP
 match address 101
access-list 101 permit ip 192.168.10.0 0.0.0.255 host 10.110.10.12
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 10.110.10.12
access-list 111 permit ip any any
ip nat inside source list 111 interface FastEthernet0/0 overload
--------------------------------------------------------------------------------------------------------------------
RTR#sh cry ipse sa pee y.y.y.y de
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
06-25-2014 11:40 AM
I notice that the LAN subnet in this configuration is a /29 and that the access list which identifies traffic to be encrypted in the tunnel has /24. So is 192.168.10.0 the subnet on your FastE0/1 or is it somewhere else?
You show some output from show crypto ipsec sa peer, but I cannot tell if this is the complete output of the command or only the initial part of it. It suggests that the phase 2 Security Association is not being negotiated. That suggests that there is some mismatch between what you have configured and what is configured on the ASA.
HTH
Rick
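The two checks Rick describes (does the crypto ACL's source subnet actually exist on a LAN interface, and does the NAT ACL deny the same flow before PAT translates it) can be run mechanically over a config. The script below is an added example, not code from the original post or from Cisco; the sample config is constructed with placeholder addresses in the same shape as the one posted, and the parser handles only the `access-list`, `ip address`, `match address` and `ip nat inside source list` lines it needs.

```python
import ipaddress

# Constructed sample config modelled on the post (placeholder addresses, not the poster's real ones)
CONFIG = """
interface FastEthernet0/1
 ip address 192.168.1.251 255.255.255.248
crypto map Policy_VPN 10 ipsec-isakmp
 match address 101
access-list 101 permit ip 192.168.10.0 0.0.0.255 host 10.110.10.12
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 10.110.10.12
access-list 111 permit ip any any
ip nat inside source list 111 interface FastEthernet0/0 overload
"""

def wildcard_net(addr, wildcard):
    # IOS ACLs use wildcard (inverse) masks; invert to a netmask for the ipaddress module
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)

def parse_target(tokens):
    # Consume one ACL address term: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return wildcard_net(t, tokens.pop(0))

def audit(config):
    acls, ifaces, crypto_acl, nat_acl, cur = {}, {}, None, None, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = line.split()[1]
        elif line.startswith("ip address ") and cur:
            _, _, addr, mask = line.split()
            ifaces[cur] = ipaddress.ip_interface(f"{addr}/{mask}").network
        elif line.startswith("access-list "):
            tok = line.split()            # access-list <id> <action> ip <src> <dst>
            rest = tok[4:]
            acls.setdefault(tok[1], []).append((tok[2], parse_target(rest), parse_target(rest)))
        elif line.startswith("match address "):
            crypto_acl = line.split()[2]
        elif line.startswith("ip nat inside source list "):
            nat_acl = line.split()[5]
    findings = []
    for _, src, dst in (e for e in acls.get(crypto_acl, []) if e[0] == "permit"):
        # Interesting traffic must originate from a subnet the router actually has
        if not any(src.subnet_of(n) for n in ifaces.values()):
            findings.append(f"crypto ACL {crypto_acl}: {src} is not within any interface subnet")
        # The PAT ACL must deny the same flow, or it is translated before the crypto map sees it
        if not any(a == "deny" and src.subnet_of(s) and dst.subnet_of(d)
                   for a, s, d in acls.get(nat_acl, [])):
            findings.append(f"NAT ACL {nat_acl}: no deny exempting {src} -> {dst}")
    return findings
```

Run against the sample it reports the /24 versus /29 mismatch Rick points out; correcting both ACLs to the interface's /29 clears it, and dropping the NAT deny produces the second finding.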