
New Member

IPSec site to site tunnel on cisco router

Hi, I am setting up a site-to-site IPsec tunnel with my client. My client has an ASA and I have a Cisco router. I have done the configuration on my side and phase 1 is up, but when I ping the client-end IP I don't get a response; even at my end the packets are not getting encrypted. Please see my config below and suggest where the config issue is.

interface FastEthernet0/0
 description >> connected to Internet
 ip address X.X.X.X.13 255.255.255.224
 duplex auto
 speed auto
 crypto map Policy_VPN

interface FastEthernet0/1
 description >> connected to LAN<<
 ip address X.X.X.X.251 255.255.255.248
 duplex auto
 speed auto

crypto ipsec transform-set ESP esp-3des esp-sha-hmac

crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key aya@3 address y.y.y.y

crypto map Policy_VPN 10 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP
 match address 101

access-list 101 permit ip 192.168.10.0 0.0.0.255 host 10.110.10.12

access-list 111 deny ip 192.168.10.0 0.0.0.255 host 10.110.10.12

access-list 111 permit ip any any

ip nat inside source list 111 interface FastEthernet0/0 overload

--------------------------------------------------------------------------------------------------------------------

RTR#sh cry ipse sa pee y.y.y.y de

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0

  • WAN Routing and Switching
1 REPLY
Hall of Fame Super Silver

I notice that the LAN subnet

I notice that the LAN subnet in this configuration is a /29 and that the access list which identifies traffic to be encrypted in the tunnel has a /24. So is 192.168.10.0 the subnet on your FastE0/1, or is it somewhere else?

You show some output from show crypto ipsec sa peer, but I cannot tell if this is the complete output of the command or if it is only the initial part of the output. It suggests that the phase 2 Security Association is not being negotiated. That suggests that there is some mismatch between what you have configured and what is configured on the ASA.

HTH

Rick
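As an added example (not code from the thread or from Cisco), the following Python script performs the consistency checks Rick describes offline: it parses a minimal IOS config and reports crypto ACL sources that are not inside any LAN interface subnet, crypto flows that the NAT ACL does not exempt (they would be PATed before the crypto map sees them), and whether the crypto map on the WAN interface actually references a defined ACL. The embedded config is a constructed sample using RFC 5737 documentation addresses in place of the thread's X.X.X.X and y.y.y.y; it deliberately reproduces the /29 LAN versus /24 crypto ACL mismatch from the original post. The parser only understands the handful of statements shown here (interfaces, crypto maps, extended numbered ACLs with ip, and the NAT inside source list).

```python
"""Sanity checks for an IOS site-to-site IPsec config (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample mirroring the thread: LAN is 192.168.20.248/29, crypto ACL names 192.168.10.0/24.
SAMPLE_CONFIG = """
interface FastEthernet0/0
 ip address 203.0.113.13 255.255.255.224
 crypto map Policy_VPN
interface FastEthernet0/1
 ip address 192.168.20.251 255.255.255.248
crypto map Policy_VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP
 match address 101
access-list 101 permit ip 192.168.10.0 0.0.0.255 host 10.110.10.12
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 10.110.10.12
access-list 111 permit ip any any
ip nat inside source list 111 interface FastEthernet0/0 overload
"""
# Constructed variants: crypto/NAT ACLs corrected to the real LAN, and the NAT exemption dropped.
FIXED_CONFIG = SAMPLE_CONFIG.replace("192.168.10.0 0.0.0.255", "192.168.20.248 0.0.0.7")
NO_EXEMPT_CONFIG = "\n".join(l for l in SAMPLE_CONFIG.splitlines()
                             if not l.startswith("access-list 111 deny"))


@dataclass
class IosConfig:
    interfaces: dict = field(default_factory=dict)   # name -> {"network", "crypto_map"}
    crypto_maps: dict = field(default_factory=dict)  # map name -> match-address ACL number
    acls: dict = field(default_factory=dict)         # ACL number -> [(action, src, dst), ...]
    nat_acl: str = ""                                # ACL used by 'ip nat inside source list'


def _acl_target(tokens):
    """Consume one ACL address spec ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # IOS wildcards are host masks; ipaddress accepts a host mask after the slash.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ios(text):
    """Parse the subset of IOS syntax used in the sample into an IosConfig."""
    cfg, current_iface, current_map = IosConfig(), None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        if not line.startswith(" "):                     # top-level statement resets context
            current_iface = current_map = None
            if tokens[0] == "interface":
                current_iface = tokens[1]
                cfg.interfaces[current_iface] = {"network": None, "crypto_map": None}
            elif tokens[:2] == ["crypto", "map"] and len(tokens) >= 4:
                current_map = tokens[2]
                cfg.crypto_maps.setdefault(current_map, None)
            elif tokens[0] == "access-list" and tokens[3] == "ip":
                src, rest = _acl_target(tokens[4:])
                dst, _ = _acl_target(rest)
                cfg.acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
            elif line.startswith("ip nat inside source list"):
                cfg.nat_acl = tokens[5]
        elif current_iface:
            if tokens[:2] == ["ip", "address"]:
                cfg.interfaces[current_iface]["network"] = ipaddress.ip_interface(
                    f"{tokens[2]}/{tokens[3]}").network
            elif tokens[:2] == ["crypto", "map"]:
                cfg.interfaces[current_iface]["crypto_map"] = tokens[2]
        elif current_map and tokens[:2] == ["match", "address"]:
            cfg.crypto_maps[current_map] = tokens[2]
    return cfg


def crypto_map_bound(cfg):
    """True when the crypto map applied to an interface exists and its match ACL is defined."""
    for iface in cfg.interfaces.values():
        if iface["crypto_map"]:
            acl = cfg.crypto_maps.get(iface["crypto_map"])
            return acl in cfg.acls
    return False


def crypto_acl_entries(cfg):
    """(src, dst) pairs the crypto map will try to protect (permit lines of its match ACL)."""
    if not crypto_map_bound(cfg):
        return []
    acl = next(cfg.crypto_maps[i["crypto_map"]] for i in cfg.interfaces.values() if i["crypto_map"])
    return [(s, d) for action, s, d in cfg.acls[acl] if action == "permit"]


def crypto_sources_off_lan(cfg):
    """Crypto ACL sources not contained in any LAN (no crypto map) interface subnet; heuristic,
    since routed subnets behind the LAN are legitimate, but the thread's /29-vs-/24 case is caught."""
    lans = [i["network"] for i in cfg.interfaces.values() if i["network"] and not i["crypto_map"]]
    return [str(s) for s, _ in crypto_acl_entries(cfg) if not any(s.subnet_of(lan) for lan in lans)]


def missing_nat_exemptions(cfg):
    """Crypto flows with no identical 'deny' in the NAT ACL: they would be translated, then never match."""
    denied = {(s, d) for action, s, d in cfg.acls.get(cfg.nat_acl, []) if action == "deny"}
    return [f"{s} -> {d}" for s, d in crypto_acl_entries(cfg) if (s, d) not in denied]


if __name__ == "__main__":
    for name, text in [("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG), ("no-exempt", NO_EXEMPT_CONFIG)]:
        cfg = parse_ios(text)
        print(name, "map bound:", crypto_map_bound(cfg), "| off-LAN sources:", crypto_sources_off_lan(cfg),
              "| NAT exemption missing:", missing_nat_exemptions(cfg))
```

Running it on the sample reports 192.168.10.0/24 as a crypto source that is on no LAN interface, which is exactly the question Rick asks; an empty result for the NAT check confirms that the deny in ACL 111 does cover the crypto flow. The script cannot see the ASA side, so a clean report here only rules out the local causes; a proxy-ID mismatch with the peer still shows up as zero encaps in show crypto ipsec sa.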

37 Views | 0 Helpful | 1 Replies