Cisco Support Community

New Member

IPsec site-to-site tunnel on Cisco router


Hi, I am setting up a site-to-site IPsec tunnel with my client. My client has an ASA and I have a Cisco router. I have done the configuration on my side and phase 1 is up, but when I ping the client end IP I don't get a response; even at my end, packets are not getting encrypted. Please see my config below and suggest where the config issue is.


interface FastEthernet0/0
 description >> connected to Internet
 ip address X.X.X.X.13
 duplex auto
 speed auto
 crypto map Policy_VPN

interface FastEthernet0/1
 description >> connected to LAN<<
 ip address X.X.X.X.251
 duplex auto
 speed auto

crypto ipsec transform-set ESP esp-3des esp-sha-hmac


crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key aya@3 address y.y.y.y


crypto map Policy_VPN 10 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP
 match address 101


access-list 101 permit   ip 0 host

access-list 111 deny ip 0 host

access-list 111 permit ip  any any

ip nat inside source list 111 interface FastEthernet0/0 overload


RTR#sh cry ipse sa pee y.y.y.y de

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0

Hall of Fame Super Silver


I notice that the LAN subnet in this configuration is a /29 and that the access list which identifies traffic to be encrypted in the tunnel has /24. So is the subnet on your FastE0/1 or is it somewhere else?


You show some output from show crypto ipsec sa peer, but I cannot tell if this is the complete output of the command or only the initial part of the output. It suggests that the phase 2 Security Association is not being negotiated. That suggests that there is some mismatch between what you have configured and what is configured on the ASA.
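As an added illustration of the two things the reply asks about (this is example code, not from the thread or from Cisco), the script below parses a constructed IOS config of the same shape and reports a crypto ACL whose local network is not the subnet of a LAN interface, and interesting traffic that the NAT ACL does not exempt from PAT. The addresses, the `take_net`/`parse`/`check` helpers and the contiguous-wildcard assumption are all assumptions made for this example.

```python
import ipaddress
import re
# Constructed sample (made-up addresses) shaped like the thread's config: LAN is a /29, crypto ACL 101 says /24.
SAMPLE_CONFIG = """
interface FastEthernet0/1
 ip address 10.1.1.251 255.255.255.248
crypto map Policy_VPN 10 ipsec-isakmp
 match address 101
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip any any
ip nat inside source list 111 interface FastEthernet0/0 overload
"""

def take_net(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wild = (tokens[1], "0.0.0.0") if tokens[0] == "host" else (tokens[0], tokens[1])
    host_bits = bin(int(ipaddress.IPv4Address(wild))).count("1")  # assumes a contiguous wildcard
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False), tokens[2:]

def parse(config):
    """Collect interface subnets, ACL entries, and which ACLs the crypto map and NAT use."""
    ifaces, acl, cur_if, crypto_acl, nat_acl = {}, {}, None, None, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur_if = m[1]
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            ifaces[cur_if] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"\s+match address (\d+)", line):
            crypto_acl = m[1]
        elif m := re.match(r"ip nat inside source list (\d+)", line):
            nat_acl = m[1]
        elif m := re.match(r"access-list (\d+) (permit|deny) ip (.*)", line):
            src, rest = take_net(m[3].split())
            acl.setdefault(m[1], []).append((m[2], src, take_net(rest)[0]))
    return ifaces, acl, crypto_acl, nat_acl

def check(config):
    """Findings: the crypto ACL's local side must be a LAN subnet, and NAT must exempt it."""
    ifaces, acl, crypto_acl, nat_acl = parse(config)
    findings = []
    for _, src, dst in [e for e in acl.get(crypto_acl, []) if e[0] == "permit"]:
        if src not in ifaces.values():
            findings.append(f"crypto ACL {crypto_acl}: local {src} is not a LAN subnet {[str(n) for n in ifaces.values()]}")
        # Interesting traffic must hit a deny in the NAT ACL, or PAT rewrites the source before the crypto map sees it.
        if not any(a == "deny" and s.supernet_of(src) and d.supernet_of(dst) for a, s, d in acl.get(nat_acl, [])):
            findings.append(f"NAT ACL {nat_acl}: no deny covers {src} -> {dst}, so it will be PATed")
    return findings
```

On the sample, `check(SAMPLE_CONFIG)` reports only the /24-versus-/29 mismatch; changing both ACL 101 and the ACL 111 deny to `10.1.1.248 0.0.0.7` clears it.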