Hi, I have a simple config which I move from one production router to another.
It works fine on the ISR 3945:
crypto isakmp policy 15
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key XXX address 15x.65.x.23 no-xauth
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set vpn_trans esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
!
!
crypto map D_CrMap 10 ipsec-isakmp
 set peer 15x.65.x.23
 set security-association lifetime kilobytes 4000000
 set security-association lifetime seconds 28800
 set transform-set vpn_trans
 set pfs group5
 match address 101
!
!
!
!
!
!
!
!
interface Loopback0
 description -=IPSEC-VPN=-
 ip address 46.2x.x.99 255.255.255.255
 crypto map D_CrMap
interface TenGigabitEthernet0/2/0.301
 description -=ISP=-
 encapsulation dot1Q 301
 ip address 46.2x.x.66 255.255.255.248
 ip nat outside
 ip flow ingress
 ip flow egress
But it does not work on the ASR1002. In fact I see the tunnel, but nothing in the counters of traffic inside the tunnel:
sh crypto ipsec sa
interface: Loopback0
Crypto map tag: D_CrMap, local addr 46.2x.x.99
protected vrf: (none)
local ident (addr/mask/prot/port): (10.x.5x.6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (153.y.y.20/255.255.255.255/0/0)
current_peer 15x.65.x.23 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 46.2x.x.99, remote crypto endpt.: 15x.65.x.23
plaintext mtu 1454, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x9822B722(2562897698)
PFS (Y/N): Y, DH group: group5
inbound esp sas:
spi: 0x23423423E(2234234234)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2009, flow_id: HW:9, sibling_flags 80000048, crypto map: D_CrMap
sa timing: remaining key lifetime (k/sec): (4000000/2895)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x92342342(2234234498)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2010, flow_id: HW:10, sibling_flags 80000048, crypto map: D_CrMap
sa timing: remaining key lifetime (k/sec): (4000000/2895)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
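
A triage helper for the symptom shown above (ESP SAs ACTIVE, all packet counters at zero), as an added example that is not part of the original post: it parses `show crypto ipsec sa` text and labels each protected flow from its encaps/decaps counters. The function names, the labels and the second sample flow are assumptions made for illustration.

```python
import re

# Constructed sample: flow 1 reuses the post's masked values, flow 2 is made up.
SAMPLE = """\
local ident (addr/mask/prot/port): (10.x.5x.6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (153.y.y.20/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
Status: ACTIVE(ACTIVE)
outbound esp sas:
Status: ACTIVE(ACTIVE)
local ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/0/0)
#pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
#pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
inbound esp sas:
Status: ACTIVE(ACTIVE)
outbound esp sas:
Status: ACTIVE(ACTIVE)
"""

def parse_flows(text):
    """Return one dict per protected flow in 'show crypto ipsec sa' text."""
    flows, direction = [], None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(local|remote)\s+ident\s+\S+:\s+\((.*)\)", line):
            if m.group(1) == "local":  # a 'local ident' line opens a new flow
                flows.append({"encaps": 0, "decaps": 0, "active": set()})
                direction = None
            if flows:
                flows[-1][m.group(1)] = m.group(2)
        elif not flows:
            continue
        elif m := re.match(r"#pkts (encaps|decaps):\s*(\d+)", line):
            flows[-1][m.group(1)] = int(m.group(2))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction = m.group(1) if m.group(2) == "esp" else None
        elif line.startswith("Status: ACTIVE") and direction:
            flows[-1]["active"].add(direction)  # only ESP SAs are counted
    return flows

def classify(flow):
    """Label a flow by ESP SA state and its encaps/decaps counters."""
    if flow["active"] != {"inbound", "outbound"}:
        return "no-active-esp-pair"
    sent, received = flow["encaps"] > 0, flow["decaps"] > 0
    if sent and received:
        return "passing-traffic"
    return "outbound-only" if sent else "inbound-only" if received else "up-but-idle"
```

An `up-but-idle` result means the negotiation completed but no packet has been encapsulated or decapsulated for that flow since the SAs came up.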