IPSec site to site tunnel on cisco router

Anukalp S
Level 1

Hi.. I am setting up a site-to-site IPsec tunnel with my client. My client has an ASA and I have a Cisco router. I have done the configuration on my side and phase 1 is up, but when I ping the client end IP I don't get a response; even at my end packets are not getting encrypted. Please see my config below and suggest where the config issue is.

 

interface FastEthernet0/0
 description >> connected to Internet
 ip address X.X.X.X.13 255.255.255.224
 duplex auto
 speed auto
 crypto map Policy_VPN

interface FastEthernet0/1
 description >> connected to LAN<<
 ip address X.X.X.X.251 255.255.255.248
 duplex auto
 speed auto

crypto ipsec transform-set ESP esp-3des esp-sha-hmac

crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key aya@3 address y.y.y.y

crypto map Policy_VPN 10 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP
 match address 101

access-list 101 permit ip 192.168.10.0 0.0.0.255 host 10.110.10.12
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 10.110.10.12
access-list 111 permit ip any any

ip nat inside source list 111 interface FastEthernet0/0 overload

--------------------------------------------------------------------------------------------------------------------

RTR#sh cry ipse sa pee y.y.y.y de

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0

Richard Burts
Hall of Fame

I notice that the LAN subnet in this configuration is a /29 and that the access list which identifies traffic to be encrypted in the tunnel has /24. So is 192.168.10.0 the subnet on your FastE0/1 or is it somewhere else?
You show some output from show crypto ipsec sa peer but I cannot tell if this is the complete output of the command or if it is only the initial part of the output. It suggests that the phase 2 Security Association is not being negotiated. That suggests that there is some mismatch between what you have configured and what is configured on the ASA.

HTH

Rick
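Added example, not from this thread: a small Python check for the two things raised above, whether the crypto ACL source agrees with the LAN interface subnet (the /29 vs. /24 question) and whether the NAT ACL exempts the tunnel traffic before a permit would translate it (the access-list 111 pattern in the posted config). The config excerpt is constructed from the post with an assumed LAN address of 192.168.10.251/29 in place of the anonymised one; the interface name and ACL numbers are the post's.

```python
import ipaddress

# Constructed excerpt modelled on the post's configuration; the LAN address is an assumption.
SAMPLE_CONFIG = """
interface FastEthernet0/1
 ip address 192.168.10.251 255.255.255.248
access-list 101 permit ip 192.168.10.0 0.0.0.255 host 10.110.10.12
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 10.110.10.12
access-list 111 permit ip any any
ip nat inside source list 111 interface FastEthernet0/0 overload
"""

def take_endpoint(tokens):
    """Consume one 'any' | 'host A' | 'A WILDCARD' endpoint; ipaddress accepts IOS wildcard masks."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(config):
    """Return ({interface: subnet}, {ACL number: [(action, src, dst), ...]}) from IOS text."""
    subnets, acls, current_if = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"]:
            current_if = tok[1]
        elif tok[:2] == ["ip", "address"] and current_if and len(tok) == 4:
            subnets[current_if] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[:1] == ["access-list"] and tok[3:4] == ["ip"]:
            src, rest = take_endpoint(tok[4:])
            dst, _ = take_endpoint(rest)
            acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return subnets, acls

def check_vpn_acls(config, lan_if, crypto_acl, nat_acl):
    """Findings for crypto-ACL vs. LAN-subnet agreement and NAT exemption; [] means clean."""
    subnets, acls = parse_config(config)
    lan, findings = subnets.get(lan_if), []
    for _, src, dst in [e for e in acls.get(crypto_acl, []) if e[0] == "permit"]:
        if lan is not None and src != lan:
            findings.append(f"crypto ACL {crypto_acl} source {src} != {lan_if} subnet {lan}")
        for nat_action, nsrc, ndst in acls.get(nat_acl, []):
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                # IOS takes the first matching entry: a permit here means tunnel traffic is NATed
                if nat_action == "permit":
                    findings.append(f"NAT ACL {nat_acl} translates {src} -> {dst}: no deny before the permit")
                break
    return findings
```

Running check_vpn_acls(SAMPLE_CONFIG, "FastEthernet0/1", "101", "111") on the constructed excerpt reports only the /24-vs-/29 disagreement, which is the question to settle before comparing phase 2 proposals with the ASA side.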