IPSec tunnel up no traffic

avwoudenberg
Level 1

I have an IPSec tunnel configured on my Cisco 1941. The other device is a ZyXEL router.

I can see the tunnel is up but there is no traffic.

This is the output of show crypto ipsec sa:

interface: Dialer1
    Crypto map tag: CMAP_AVW, local addr 10.10.10.89

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.150.0/255.255.255.0/0/0)
   current_peer 20.20.20.161 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 708, #pkts encrypt: 708, #pkts digest: 708
    #pkts decaps: 1167, #pkts decrypt: 1167, #pkts verify: 1167
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 9, #recv errors 0

     local crypto endpt.: 10.10.10.89, remote crypto endpt.: 20.20.20.161
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0xB40221B0(3020038576)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8F853118(2407870744)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2017, flow_id: Onboard VPN:17, sibling_flags 80000046, crypto map: CMAP_AVW
        sa timing: remaining key lifetime (k/sec): (4497592/2744)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB40221B0(3020038576)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2018, flow_id: Onboard VPN:18, sibling_flags 80000046, crypto map: CMAP_AVW
        sa timing: remaining key lifetime (k/sec): (4497592/2744)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: CMAP_AVW, local addr 10.10.10.89

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.150.0/255.255.255.0/0/0)
   current_peer 20.20.20.161 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 708, #pkts encrypt: 708, #pkts digest: 708
    #pkts decaps: 1167, #pkts decrypt: 1167, #pkts verify: 1167
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 9, #recv errors 0

     local crypto endpt.: 10.10.10.89, remote crypto endpt.: 20.20.20.161
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0xB40221B0(3020038576)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8F853118(2407870744)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2017, flow_id: Onboard VPN:17, sibling_flags 80000046, crypto map: CMAP_AVW
        sa timing: remaining key lifetime (k/sec): (4497592/2744)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB40221B0(3020038576)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2018, flow_id: Onboard VPN:18, sibling_flags 80000046, crypto map: CMAP_AVW
        sa timing: remaining key lifetime (k/sec): (4497592/2744)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

I have also added the config.

Can someone help me with this?

Thanks a lot.

3 Replies

Tagir Temirgaliyev
Spotlight

This is traffic:

#pkts encaps: 708, #pkts encrypt: 708, #pkts digest: 708

    #pkts decaps: 1167, #pkts decrypt: 1167, #pkts verify: 1167

Run this several times:

show crypto ipsec sa

If the bold digits grow, IPsec works.

Don't forget to rate the post.
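Added example, not from the thread or from any Cisco tool: a Python snippet that compares two snapshots of the counter lines quoted above the way the reply suggests, treating growing encaps/decaps counters as evidence of traffic in each direction. The first snapshot is taken from the thread; the second is constructed.

```python
import re

# Two snapshots of the counter lines from "show crypto ipsec sa".
# SNAP_1 is copied from the thread; SNAP_2 is constructed to look like the
# same SA a few seconds later.
SNAP_1 = """\
    #pkts encaps: 708, #pkts encrypt: 708, #pkts digest: 708
    #pkts decaps: 1167, #pkts decrypt: 1167, #pkts verify: 1167
    #send errors 9, #recv errors 0
"""
SNAP_2 = """\
    #pkts encaps: 742, #pkts encrypt: 742, #pkts digest: 742
    #pkts decaps: 1203, #pkts decrypt: 1203, #pkts verify: 1203
    #send errors 9, #recv errors 0
"""

# Matches "#pkts encaps: 708" as well as "#send errors 9" (no colon).
COUNTER_RE = re.compile(r"#(pkts|send|recv)\s+([a-z.]+?):?\s+(\d+)")


def parse_counters(text):
    """Map a counter name ('encaps', 'send errors', ...) to its integer value."""
    out = {}
    for kind, name, value in COUNTER_RE.findall(text):
        key = name if kind == "pkts" else f"{kind} {name}"
        out[key] = int(value)
    return out


def tunnel_health(before, after):
    """Compare two snapshots: a counter that grew means packets were
    processed in that direction between the two commands."""
    b, a = parse_counters(before), parse_counters(after)
    return {
        "encrypting": a["encaps"] > b["encaps"],      # our traffic enters the tunnel
        "decrypting": a["decaps"] > b["decaps"],      # peer traffic is arriving
        "new_send_errors": a["send errors"] - b["send errors"],
    }
```

A tunnel where only one of the two flags is true points at a one-way problem (routing or NAT on the side whose counter stays flat) rather than at the SA itself.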

access-list 23 permit 192.168.200.0 0.0.0.255

access-list 23 permit 192.168.150.0 0.0.0.255

Please remove these statements and then check.

Also check on both sides:

Client A must have the gateway of Router A's inside LAN.

Client B must have the gateway of Router B's inside LAN.

*** Do rate helpful posts ***

Hi ttemirgaliyev,

Yes, you're right. This is traffic. I found out what the problem is.

I can ping all network devices in the 192.168.200.0 subnet, except the 2 servers 192.168.200.2 and 192.168.200.242.

These 2 servers connect to the internet through 2 IP addresses from the subnet other than the one on Dialer1.

ip nat inside source static 192.168.200.2 10.10.10.90

ip nat inside source static 192.168.200.242 10.10.10.91

The IP address on Dialer1 is 10.10.10.89.

10.10.10.89 is also the IP address which is used by the 192.168.200.0 subnet.

So I think I know where the problem comes from, but I don't know how to fix it.

I hope you can help me with it.

Thanks a lot again.

Kind regards,

Albert
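Added example, not from the thread: a Python model of why the two statically translated servers miss the tunnel. It assumes the IOS inside-to-outside order of operations (NAT runs before the crypto map check) and that the overload translation to 10.10.10.89 already exempts VPN-bound traffic, since the other hosts work; the route-map exemption in the trailing comment is my suggestion, with placeholder ACL number and route-map name.

```python
import ipaddress

# Constructed model of the IOS inside-to-outside order of operations on the
# 1941: NAT inside->outside runs BEFORE the crypto map check, so a source
# rewritten by a static NAT entry no longer matches the crypto ACL
# 192.168.200.0/24 -> 192.168.150.0/24 and leaves Dialer1 unencrypted.
VPN_LOCAL = ipaddress.ip_network("192.168.200.0/24")
VPN_REMOTE = ipaddress.ip_network("192.168.150.0/24")
DIALER1_IP = "10.10.10.89"          # overload address from the thread
STATIC_NAT = {                       # the two static entries from the thread
    "192.168.200.2": "10.10.10.90",
    "192.168.200.242": "10.10.10.91",
}


def vpn_bound(src, dst):
    """True when a packet matches the crypto ACL (local -> remote subnet)."""
    return (ipaddress.ip_address(src) in VPN_LOCAL
            and ipaddress.ip_address(dst) in VPN_REMOTE)


def nat_inside_to_outside(src, dst, static_exempt):
    """Pick the post-NAT source. The overload rule is assumed to already deny
    VPN-bound traffic (the other hosts work); static_exempt models attaching
    a route-map with the same deny to the two static entries."""
    if src in STATIC_NAT:
        if static_exempt and vpn_bound(src, dst):
            return src               # exempted: address kept for the tunnel
        return STATIC_NAT[src]       # translated: crypto ACL will not match
    if vpn_bound(src, dst):
        return src
    return DIALER1_IP


def forward(src, dst, static_exempt=False):
    """Return ('encrypted' | 'cleartext', post-NAT source) for one packet."""
    new_src = nat_inside_to_outside(src, dst, static_exempt)
    # The crypto map is evaluated on the packet as it exists AFTER NAT.
    verdict = "encrypted" if vpn_bound(new_src, dst) else "cleartext"
    return verdict, new_src


# Suggested fix (an assumption, not from the thread; ACL number and route-map
# name are placeholders): exempt VPN-bound traffic per static entry, e.g.
#   access-list 101 deny   ip host 192.168.200.2 192.168.150.0 0.0.0.255
#   access-list 101 permit ip host 192.168.200.2 any
#   route-map NONAT_SRV permit 10
#    match ip address 101
#   ip nat inside source static 192.168.200.2 10.10.10.90 route-map NONAT_SRV
```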