04-30-2009 10:18 AM - edited 02-21-2020 03:26 AM
Hi all,
I have configured a VPN that only works when we initiate the traffic. If the remote side tries to initiate any connection, it is unable to make it.
Do you know why this is happening?
Just this peer is able to initiate the traffic
access-list outside_cryptomap_1 extended permit ip 1.2.3.0 255.255.255.0 4.5.6.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-none
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-3DES
05-02-2009 06:17 AM
Do you have a 'dynamic' crypto map setup at one side? In that case only the side with the static crypto map can initiate the connection.
Regards
Farrukh
05-03-2009 05:54 PM
I haven't. There is no dynamic crypto map at the other side.
05-03-2009 11:37 PM
Please post more details about the setup.
What are the VPN terminating devices, IOS?
Are you using NAT-T?
What is the routing configuration?
Regards
Farrukh
05-04-2009 07:06 AM
The VPN terminating device is IOS.
I don't have information on whether the VPN terminating device is using NAT-T; the only information about the VPN terminating device that I have is this:
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key
crypto ipsec transform-set ZZZZZ esp-3des
crypto map XXX 11 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set ZZZZZ
 match address AAAAA
ip access-list extended AAAAA
About the routing, I have a branch office that arrives via L2L up to the VPN, and the traffic is forwarded to the tunnel. As far as the routing is concerned, it is okay.
Thank you
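Added example (not part of any post in this thread, and not Cisco tooling): a small Python parser that reads the Phase 2 settings from the two snippets posted above, in ASA one-line and IOS nested syntax, and lists where they differ. The sample configs are constructed from the posted lines with IOS sub-command indentation restored; the function names are hypothetical.

```python
import re

# Constructed from the two snippets posted in this thread; peer addresses stay masked.
ASA_CFG = """\
crypto ipsec transform-set ESP-3DES esp-3des esp-none
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-3DES
"""
IOS_CFG = """\
crypto ipsec transform-set ZZZZZ esp-3des
crypto map XXX 11 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set ZZZZZ
"""

def phase2_params(cfg):
    """Parse ASA one-line or IOS nested crypto map syntax into {(map, seq): params}."""
    tsets, entries, cur = {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            # esp-none is the ASA keyword for "no ESP authentication"; IOS just omits it.
            tsets[m.group(1)] = sorted(t for t in m.group(2).split() if t != "esp-none")
            continue
        m = re.match(r"crypto map (\S+) (\d+)\s*(.*)", line)
        if m:
            key = (m.group(1), int(m.group(2)))
            cur = entries.setdefault(key, {"pfs": None, "transform-set": None})
            line = m.group(3)
        elif not raw.startswith(" "):
            cur = None  # left the IOS crypto map sub-mode
        if cur is None:
            continue
        m = re.match(r"set (pfs|transform-set)\s*(\S*)", line)
        if m:
            # A bare "set pfs" uses the platform default group, recorded as "default".
            cur[m.group(1)] = m.group(2) or "default"
    for p in entries.values():
        p["transforms"] = tsets.get(p.pop("transform-set"))
    return entries

def phase2_diff(side_a, side_b):
    """List (parameter, value_a, value_b) for every Phase 2 setting that differs."""
    return [(k, side_a[k], side_b[k]) for k in ("transforms", "pfs") if side_a[k] != side_b[k]]

if __name__ == "__main__":
    asa, ios = phase2_params(ASA_CFG)[("outside_map", 1)], phase2_params(IOS_CFG)[("XXX", 11)]
    print(phase2_diff(asa, ios))
```

On the posted snippets the only reported difference is PFS: `set pfs group1` appears in the ASA crypto map and no `set pfs` line appears in the IOS excerpt, which the poster describes as the only information available for that side.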
05-09-2009 12:49 AM
Sorry I was away, please let me know if this issue is still open.
Regards
Farrukh
05-09-2009 07:19 AM
Yes. It is still open.
05-19-2009 02:51 AM
do a sh crypto isakmp sa
deb isakmp 255 and post the output