IPSec VPN (Cisco Router to Checkpoint FW)

daniel.tanch
Level 1
Level 1

Hi,

I had created an IPSec VPN between a Cisco Router and a Checkpoint FW. Currently traffic is only going from Site A, Server A to the Site B LAN Seg via the IPSec VPN. But traffic is not going back via the IPSec VPN from the Site B LAN seg to Site A, Server A. Instead it was going directly to the internet when I do a traceroute.

    (                Site A                  )                      (        Site B        )

    Server A --- Cisco Swi --- Checkpoint FW --- Cisco Router --- Cloud --- Cisco Router --- LAN Seg (192.1.1.X)
                                    |                                          |
                                    +------------------ IPSec VPN -------------+

- Server A (66.66.66.66, public Add) --> Nat'd to (66.66.66.99, public Add)

- Site B LAN Seg is not Nat'd

Will there be any problem if the Server A IP address is Nat'd from a public add to another public add which will cause traffic from Site B to go to the internet instead of the IPSec VPN?

6 Replies

You can NAT your VPN traffic any way you want. Just make sure that the crypto ACL specifies exactly the traffic that you need in the tunnel, which are the addresses after NAT.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten,

Below is the config for the Site B Cisco Router. Is this the correct way?

Site B Cisco Router

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 5
     lifetime 7800
    !
    crypto isakmp key 6 password address 66.66.66.122    (Site A Checkpoint FW WAN Int)
    !
    crypto ipsec transform-set rtpset esp-aes 256 esp-sha-hmac
    !
    crypto map rtp 1 ipsec-isakmp
     set peer 66.66.66.122    (Site A Checkpoint FW WAN Int)
     set transform-set rtpset
     match address 120
    !
    interface GigabitEthernet0/0
     description WAN Facing Int
     ip address 99.99.99.94 255.255.255.252
     ip nat outside
     crypto map rtp
    !
    interface GigabitEthernet0/1
     description LAN Facing Int
     ip address 99.99.99.161 255.255.255.240
     ip nat inside
    !
    ip nat inside source list 110 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 99.99.99.93
    ip route 192.1.1.0 255.255.255.0 99.99.99.162
    !
    access-list 110 deny   ip 192.1.1.0 0.0.0.255 host 66.66.66.99 log
    access-list 110 permit ip 192.1.1.0 0.0.0.255 any log
    access-list 120 permit ip 192.1.1.0 0.0.0.255 host 66.66.66.99 log

I followed the example from this link: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Is there any way to check if the crypto is up and traffic is going from Site B to Site A?

The config looks fine assuming the traffic from Server A uses the IP 66.66.66.99.

You can look at the counters with "sh crypto ipsec sa"; there are also some other statistics that can give you a hint. If that command doesn't show any SAs, post the output of "show crypto isakmp sa".

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
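Karsten's rule (the crypto ACL names the post-NAT addresses, and the NAT ACL must exempt exactly that traffic so it is not translated before encryption) can be checked mechanically against a router config. The script below is an added example, not code from this thread or from Cisco. It parses the access-list 110/120 lines posted above (re-typed here as a constructed sample), converts IOS wildcard masks to networks, and reports whether each crypto-ACL permit entry is denied by the NAT ACL before any permit would translate it. Only the "ip <src> <dst>" extended-ACL forms used in the thread are parsed; the function and variable names are the example's own.

```python
"""Check that a Cisco IOS crypto ACL and the NAT source ACL agree with each other.

Added example, not part of the original thread or any Cisco tool. Rule implemented:
every flow the crypto ACL permits must hit a 'deny' in the NAT ACL (NAT exemption),
otherwise the router translates the source before the crypto map sees it and the
packet no longer matches the tunnel.
"""
import ipaddress
import re

# Constructed sample, mirroring the Site B router config posted in the thread.
ACL_TEXT = """
access-list 110 deny   ip 192.1.1.0 0.0.0.255 host 66.66.66.99 log
access-list 110 permit ip 192.1.1.0 0.0.0.255 any log
access-list 120 permit ip 192.1.1.0 0.0.0.255 host 66.66.66.99 log
"""

# Matches the extended-ACL subset used above: action, protocol 'ip', src, dst.
# Address tokens may be 'host A.B.C.D', 'any' or 'A.B.C.D WILDCARD'.
ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+(?P<dst>host\s+\S+|any|\S+\s+\S+)"
)


def _network(token: str) -> ipaddress.IPv4Network:
    """Convert an IOS address token to an IPv4Network.

    IOS wildcard masks are inverted netmasks (0.0.0.255 -> /24). Non-contiguous
    wildcards are not representable as a prefix and raise ValueError.
    """
    parts = token.split()
    if parts[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    addr, wildcard = parts
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_acls(text: str) -> dict:
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and syntax this example does not model
        entry = (m["action"], _network(m["src"]), _network(m["dst"]))
        acls.setdefault(int(m["num"]), []).append(entry)
    return acls


def first_match(aces, src, dst) -> str:
    """Return the action of the first ACE that fully covers the flow.

    A flow only partly covered by an ACE falls through, so a crypto entry that is
    broader than the NAT deny is conservatively reported as translated. The
    implicit deny at the end of every IOS ACL is modelled by the default return.
    """
    for action, s, d in aces:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def check_nat_exemption(acls: dict, crypto_acl: int, nat_acl: int) -> list:
    """For each crypto-ACL permit entry, report whether the NAT ACL exempts it.

    Returns [(src, dst, ok), ...]; ok is False when the NAT ACL would translate
    traffic that the tunnel expects to see with its original addresses.
    """
    results = []
    for action, src, dst in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        nat_action = first_match(acls.get(nat_acl, []), src, dst)
        results.append((str(src), str(dst), nat_action == "deny"))
    return results


if __name__ == "__main__":
    for src, dst, ok in check_nat_exemption(parse_acls(ACL_TEXT), crypto_acl=120, nat_acl=110):
        print(f"{src} -> {dst}: {'exempt from NAT' if ok else 'WOULD BE TRANSLATED'}")
```

Run it against the posted config and the single crypto entry reports as exempt; remove the deny line from ACL 110 and the same entry is flagged, which is the misconfiguration Karsten's remark guards against.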

Sorry for the late reply, I was on leave the past few days.

I had a look at "show crypto ipsec sa" and "show crypto isakmp sa"; below are the statistics:

    show crypto ipsec sa

    #pkts encaps: 90509, #pkts encrypt: 90509, #pkts digest: 90509
    #pkts decaps: 90485, #pkts decrypt: 90485, #pkts verify: 90485
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    sh crypto isakmp sa

    IPv4 Crypto ISAKMP SA
    dst                       src                        state      conn-id  status
    Site A Chkpt FW Ext IP    Site B Cisco Rtr Ext IP    QM_IDLE    1167     ACTIVE

1) Does this mean that the IPSec VPN is up and running?

2) If the IPSec VPN is up, how come when I do a traceroute it still goes via the Internet instead of the IPSec VPN?

3) Is there any way to determine if the encrypted packets in the above statistics are from Site A to Site B or Site B to Site A?

1) Does this mean that the IPSec VPN is up and running?

At least the part you posted looks fine.

3) Is there any way to determine if the encrypted packets in the above statistics are from Site A to Site B or Site B to Site A?

It's for both directions. "pkts encaps/encrypt/digest" is what you send to the other side, "pkts decaps/decrypt/verify" is what you received from the other side.

2) If the IPSec VPN is up, how come when I do a traceroute it still goes via the Internet instead of the IPSec VPN?

There are many possibilities. First, the config could still be wrong, but that is hard to tell as you removed/changed too much in your output. And the Checkpoint on the other side could filter the traceroute. You should inspect the logs on the other side to investigate that.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
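The direction rule Karsten gives (encaps/encrypt/digest is what this router sends, decaps/decrypt/verify is what it receives) is easy to apply by hand for one SA, but a small parser makes the asymmetry behind the original question visible at a glance: return traffic that bypasses the tunnel shows up as encaps climbing while decaps stays near zero. The following is an added example, not part of the thread or of Cisco IOS. It parses the counter lines posted above (re-typed here as a constructed sample) and classifies the SA as idle, balanced or one-sided; the 10:1 ratio threshold and all function names are the example's own assumptions.

```python
"""Summarise direction-specific counters from 'show crypto ipsec sa'.

Added example, not part of the original thread or of Cisco IOS. Outbound counters
(encaps/encrypt/digest) are packets this router put into the tunnel; inbound
counters (decaps/decrypt/verify) are packets received from the peer.
"""
import re

# Constructed sample built from the counters posted in the thread.
SAMPLE_OUTPUT = """
 #pkts encaps: 90509, #pkts encrypt: 90509, #pkts digest: 90509
 #pkts decaps: 90485, #pkts decrypt: 90485, #pkts verify: 90485
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 0, #recv errors 0
"""

# Each counter is '#<name>: <value>' or '#<name> <value>' (the error lines have no colon).
COUNTER_RE = re.compile(r"#(?P<name>[a-z. ]+?):?\s+(?P<value>\d+)")


def parse_counters(text: str) -> dict:
    """Return {counter_name: int} for every counter found in the command output."""
    return {m["name"].strip(): int(m["value"]) for m in COUNTER_RE.finditer(text)}


def direction_summary(counters: dict) -> dict:
    """Group the counters into what this router sent, what it received, and errors."""
    outbound = {k: counters.get(f"pkts {k}", 0) for k in ("encaps", "encrypt", "digest")}
    inbound = {k: counters.get(f"pkts {k}", 0) for k in ("decaps", "decrypt", "verify")}
    errors = {"send": counters.get("send errors", 0), "recv": counters.get("recv errors", 0)}
    return {"outbound": outbound, "inbound": inbound, "errors": errors}


def tunnel_assessment(counters: dict, max_ratio: float = 10.0) -> str:
    """Classify the SA as idle, balanced or one-sided.

    A one-sided SA (many encaps but few decaps, or the reverse) is the pattern you
    see when one direction of traffic takes a path outside the tunnel, as in the
    original question. max_ratio is an assumed threshold, not an IOS value.
    """
    sent = counters.get("pkts encaps", 0)
    received = counters.get("pkts decaps", 0)
    if sent == 0 and received == 0:
        return "idle: no traffic has used this SA"
    if received == 0 or sent / received > max_ratio:
        return "one-sided: we send but receive little or nothing back"
    if sent == 0 or received / sent > max_ratio:
        return "one-sided: we receive but send little or nothing"
    return "balanced: traffic is flowing in both directions"


if __name__ == "__main__":
    counters = parse_counters(SAMPLE_OUTPUT)
    summary = direction_summary(counters)
    print("sent to peer:      ", summary["outbound"])
    print("received from peer:", summary["inbound"])
    print("errors:            ", summary["errors"])
    print(tunnel_assessment(counters))
```

For the posted numbers the SA is balanced, which is consistent with the thread's outcome: the router end was fine and the asymmetric path was introduced on the Checkpoint side.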

Hi Karsten,

The problem has been solved. Thanks for your help these days.

The configuration on the router side was working fine all the while; the problem lay with the Checkpoint FW IPSec VPN. Really appreciate your help!!!
