08-28-2019 07:39 PM
Hey guys,
I've set up a single P2P IPsec tunnel between two 880 series routers. The tunnel appears to be UP/IDLE from both ends and encryption looks fine; however, when I traceroute an IP, I see the route go through the NAT overload out to the Internet. Thought I had this figured out, see my attached run-configs. Can anyone help point me in the right direction?
Thanks!
08-29-2019 12:07 AM
Hello,
add the PFS group to your policies and crypto maps on BOTH sides:
Office_G1
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key KEY address 65.175.135.XX
!
crypto map CMAP 10 ipsec-isakmp
set peer 65.175.135.XX
set transform-set TS
set pfs group2
match address 115
----------------
Office_A2
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key KEY address 72.73.127.XXX
!
crypto map CMAP 10 ipsec-isakmp
set peer 72.73.127.XXX
set transform-set TS
set pfs group2
match address 115
08-29-2019 04:57 AM
Thank you, but how does that fix my routing issue?
Without it, my encryption is already working fine; I'm just trying to understand why you're suggesting I do this.
Thanks for helping.
JH
08-29-2019 05:38 AM
Hello,
where do you originate the traceroute from, the router or a PC? The PFS group setting was suggested because I had encountered an almost identical problem a while ago on the 880...
It might be worthwhile trying to use an SVTI instead of the crypto map. Do you know how to configure this? Otherwise I'll send over the configs...
08-29-2019 06:51 AM
Hello,
in the meantime, try to change the default routes so they point to the outgoing interface:
ip route 0.0.0.0 0.0.0.0 FastEthernet4
08-29-2019 07:14 AM
Traceroute from a PC on the LAN side of router G1.
Yes, please send me configs for using SVTI. Never tried that before and might give it a shot.
Thanks!
08-29-2019 10:30 AM
Hello,
here are the configs (changes and additions marked in bold). Basically, you create two tunnel interfaces and get rid of the crypto map. You then just route traffic that you want to be encrypted over the tunnel.
OFFICE_G1
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname OFFICE_G1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
aaa new-model
!
aaa authentication login default line local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone EST -5 0
!
no ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
ip ssh authentication-retries 5
ip ssh version 2
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key KEY address 65.175.135.XX
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_PROFILE
set transform-set TS
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 72.73.127.XXX 255.255.255.XXX
no ip redirects
no ip unreachables
ip mtu 1454
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1414
duplex auto
speed auto
no cdp enable
!
interface Tunnel 0
ip address 172.16.0.1 255.255.255.0
tunnel source 72.73.127.xx
tunnel destination 65.175.135.xx
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Vlan1
ip address 172.250.254.250 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1450
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 65.175.135.xx
ip route 172.250.1.0 255.255.255.0 Tunnel 0
!
access-list 23 permit any
access-list 1 permit 172.250.254.0 0.0.0.255
OFFICE_A2
Current configuration : 4035 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname OFFICE_A2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default line local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
memory-size iomem 10
!
no ip subnet-zero
no ip source-route
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.250.1.205
ip dhcp excluded-address 172.250.1.254
ip dhcp excluded-address 172.250.1.10
ip dhcp excluded-address 172.250.1.11
ip dhcp excluded-address 172.250.1.12
ip dhcp excluded-address 172.250.1.13
ip dhcp excluded-address 172.250.1.14
ip dhcp excluded-address 172.250.1.15
ip dhcp excluded-address 172.250.1.50
ip dhcp excluded-address 172.250.1.51
ip dhcp excluded-address 172.250.1.52
ip dhcp excluded-address 172.250.1.53
ip dhcp excluded-address 172.250.1.54
ip dhcp excluded-address 172.250.1.55
!
ip dhcp pool sdm-pool
import all
network 172.250.1.0 255.255.255.192
default-router 172.250.1.254
lease 0 2
!
ip cef
ip cef accounting per-prefix
no ip bootp server
ip inspect one-minute low 500
ip inspect one-minute high 600
ip inspect dns-timeout 10
ip inspect tcp idle-time 3650
ip inspect tcp max-incomplete host 49 block-time 19
ip inspect name watchdog1 tcp audit-trail on
no ipv6 cef
!
multilink bundle-name authenticated
!
ip ssh authentication-retries 5
ip ssh version 2
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key KEY address 72.73.127.XXX
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_PROFILE
set transform-set TS
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description INTERNET_INTERFACE
ip address 65.175.135.XX 255.255.255.0
no ip redirects
no ip unreachables
ip nat outside
ip inspect watchdog1 in
ip virtual-reassembly
ip tcp adjust-mss 1450
duplex auto
speed auto
no cdp enable
!
interface Tunnel 0
ip address 172.16.0.2 255.255.255.0
tunnel source 65.175.135.xx
tunnel destination 72.73.127.xx
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Vlan1
description OFFICE_A2_LAN
ip address 172.250.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
hold-queue 32 in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 72.73.127.xx
ip route 172.250.254.0 255.255.255.0 Tunnel 0
!
access-list 23 permit any
access-list 1 permit 172.250.1.0 0.0.0.255
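Added example (not from the thread and not Cisco's code): a small Python model of the IOS inside-to-outside order of operations (route lookup, then NAT, then crypto map) that shows why LAN-to-LAN traffic took the NAT overload with the crypto-map design and why the SVTI route into Tunnel0 keeps it off the NAT; it also models NAT exemption, which the thread does not discuss. The public address 72.73.127.1 and the body of access-list 115 are assumptions, since both are redacted or absent above.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: the thread's public IPs are redacted, so 72.73.127.1
# stands in for the OFFICE_G1 FastEthernet4 address used by the NAT overload.
LAN_G1 = ip_network("172.250.254.0/24")   # OFFICE_G1 Vlan1 (from the thread)
LAN_A2 = ip_network("172.250.1.0/24")     # OFFICE_A2 Vlan1 (from the thread)
ANY = ip_network("0.0.0.0/0")
PUBLIC_G1 = ip_address("72.73.127.1")
NAT_OUTSIDE = {"FastEthernet4"}           # interfaces carrying 'ip nat outside'

def route(dst, routes):
    """Longest-prefix match over (network, egress_interface) pairs."""
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def acl_permits(src, dst, acl):
    """First-match evaluation of an extended ACL given as (action, src_net, dst_net)."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def forward(src, dst, routes, nat_acl, crypto_acl):
    """Model IOS inside-to-outside handling: route lookup, then NAT, then crypto map.
    Returns (treatment, source_address_on_the_wire, egress_interface)."""
    src, dst = ip_address(src), ip_address(dst)
    egress = route(dst, routes)
    # NAT is applied before the crypto map sees the packet, but only when the
    # egress interface is 'ip nat outside' and the NAT ACL permits the flow.
    if egress in NAT_OUTSIDE and acl_permits(src, dst, nat_acl):
        src = PUBLIC_G1
    if egress == "Tunnel0":                 # SVTI: anything routed here is encrypted
        return ("ipsec", str(src), egress)
    if acl_permits(src, dst, crypto_acl):    # crypto map: post-NAT packet must match ACL 115
        return ("ipsec", str(src), egress)
    return ("nat", str(src), egress)        # leaves in the clear via the overload

# Thread's original design: crypto map on FastEthernet4, NAT ACL 1 permits the whole LAN.
CRYPTO_MAP_ROUTES = [(ANY, "FastEthernet4")]
NAT_ACL_1 = [("permit", LAN_G1, ANY)]
ACL_115 = [("permit", LAN_G1, LAN_A2)]    # assumed body of 'match address 115' (not shown)
# Fix the thread suggests: SVTI plus 'ip route 172.250.1.0 255.255.255.0 Tunnel 0'.
SVTI_ROUTES = CRYPTO_MAP_ROUTES + [(LAN_A2, "Tunnel0")]
# Alternative for keeping the crypto map (not discussed in the thread): NAT exemption,
# i.e. a deny line for LAN-to-LAN traffic ahead of the permit in the NAT ACL.
NAT_ACL_EXEMPT = [("deny", LAN_G1, LAN_A2)] + NAT_ACL_1

if __name__ == "__main__":
    print(forward("172.250.254.10", "172.250.1.20", CRYPTO_MAP_ROUTES, NAT_ACL_1, ACL_115))
    print(forward("172.250.254.10", "172.250.1.20", SVTI_ROUTES, NAT_ACL_1, ACL_115))
```

With the crypto map the LAN packet is translated to the public address first, so it no longer matches ACL 115 and exits through the overload; with the SVTI route it never touches a NAT-outside interface.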