Site to Site VPN between Router and VPN Concentrator

Alphonso7
Level 1

Hi Everyone,

I'd appreciate it if someone could help me with this.

We have a Cisco VPN concentrator 3030 in the datacenter connecting to a remote site. The VPN was working fine and then we moved datacenters, and the public IP address of the VPN concentrator changed. I updated the peer IP address on the remote site's router (Cisco 2811), but for some reason we still cannot pass traffic between the sites. I can see, under "sessions", that the session is established and the VPN concentrator is receiving traffic from the remote site but is unable to transmit back.

What could be causing this issue? Even though no configuration has changed other than the public IP on the VPN concentrator, do I need to erase the VPN configuration on the remote router and redo it?

PLEASE help.

thanks

7 Replies

Alphonso7
Level 1

Here is the configuration from the router:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key KEY123 address 128.100.101.12
!
crypto ipsec transform-set VPN2DC esp-3des esp-md5-hmac
!
crypto map VPN2DC 10 ipsec-isakmp
 description to DataCenter
 set peer 128.100.101.12
 set transform-set VPN2DC
 match address 185
!
int f0/1 (public interface)
 crypto map VPN2DC
!
access-list 185 remark VPN2DC TRAFFIC_START
access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 185 remark VPN2DC TRAFFIC END
!
access-list 199 remark LOCAL_NAT_TRAFFIC_START
access-list 199 deny ip 192.168.66.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 192.168.66.0 0.0.0.255 any
access-list 199 remark LOCAL_NAT_TRAFFIC_END

Hello,

I had a similar issue back in the day.

If traffic is decapsulated on the concentrator but is not encapsulated when sending traffic back to the remote site, it can be a routing issue in the outbound direction towards the remote site (as it was in my case as well).

Additionally, it's also possible that there is a firewall in the DC that this traffic traverses, and the ports on which the remote site wants to communicate are not allowed, so traffic on those ports can't be sent back towards the remote site because the FW denies it.

Otherwise, it would be useful to run debug crypto ipsec on it to see the details.

Hope it helps.

Hi,

Thank you for the reply. There is no firewall between either of the sites; it's a direct connection to the internet and I can reach external networks.

Attaching a screenshot from the concentrator.

I have not looked at it for a couple of days; I will go back and recheck the configuration again... the static routes were already in place before at both sites, and also for the datacenter network to reach the remote network....

I think it is still a routing issue since the connection is being established.

Can you share both phase (isakmp & ipsec) states and details?

Additionally, share the running config of the 2811.

Thanks,

Manj

Here is the more detailed config running on the 2811:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key KEY123 address 128.100.101.12
!
crypto ipsec transform-set VPN2DC esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
 description to DataCenter
 set peer 128.100.101.12
 set transform-set VPN2DC
 match address 185
!
interface FastEthernet0/0
 description Connected to the INTERNAL LAN
 ip address 192.168.66.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 service-policy input P2P
!
interface FastEthernet0/1
 description Connected to the INTERNET
 ip address 107.1.2.3 255.255.255.240
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map to_vpn
!
ip route profile
ip route 0.0.0.0 0.0.0.0 107.1.56.45
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
!
ip http server
no ip http secure-server
ip nat pool mypool 107.1.2.3 107.1.2.6 netmask 255.255.255.240
ip nat inside source route-map NoNat pool mypool overload
!
access-list 185 remark VPN2DC TRAFFIC_START
access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 185 remark VPN2DC TRAFFIC END
!
access-list 199 remark LOCAL_NAT_TRAFFIC_START
access-list 199 deny ip 192.168.66.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 192.168.66.0 0.0.0.255 any
access-list 199 remark LOCAL_NAT_TRAFFIC_END
!
route-map NoNat permit 10
 match ip address 199

2811-Router#show crypto ipsec sa detail

interface: FastEthernet0/1
    Crypto map tag: VPN2DC, local addr 107.1.2.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.66.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 128.100.101.12 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 195056, #pkts encrypt: 195056, #pkts digest: 195056
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 1, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 107.1.2.3, remote crypto endpt.: 128.100.101.12
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x6E4FF7B5(1850734517)

     inbound esp sas:
      spi: 0xDA4473DC(3661919196)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2321, flow_id: NETGX:321, crypto map: to_vpn
        sa timing: remaining key lifetime (k/sec): (4408428/2956)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6E4FF7B5(1850734517)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2322, flow_id: NETGX:322, crypto map: to_vpn
        sa timing: remaining key lifetime (k/sec): (4408380/2956)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

2811-Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
107.1.2.3       128.100.101.12  QM_IDLE           1014    0 ACTIVE

Hi,

Please check the procedures below.

The problem shows that Phase 1 of the tunnel is establishing successfully but Phase 2 has problems. Specifically, the firewall is encrypting packets but not decrypting them.

If an ASA or router is getting encaps but not decaps, this means it is encrypting the data and sending it but has not received anything to decrypt in return.

  • Verify the other end has a route outside for the interesting traffic.
  • Check that both VPN ACLs are not mismatched.
  • Double check NATs to make sure the traffic is not NAT'ing correctly.
  • Is what you are trying to ping even responding back? Often what you're sending traffic to is not able to accept or is not responding to this traffic. I prefer to put a packet capture on the remote end firewall to see if the traffic is coming back into that firewall.

Please rate if this helps you.

Thanks,

Mani
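As an added example (not code from this thread or from Cisco), a short Python helper that reads the encaps/decaps counters from the show crypto ipsec sa output posted above and classifies the SA the way Mani's checklist does, then checks that the crypto ACL (185) and the NAT-exemption deny in ACL 199 mirror each other. The sample output and ACL lines are constructed from the values in the thread.

```python
import re

# Constructed samples modelled on the output and ACLs posted in this thread (not a live capture)
SAMPLE_SA = """\
interface: FastEthernet0/1
   Crypto map tag: VPN2DC, local addr 107.1.2.3
   current_peer 128.100.101.12 port 500
    #pkts encaps: 195056, #pkts encrypt: 195056, #pkts digest: 195056
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SAMPLE_ACL = """\
access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 deny ip 192.168.66.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 192.168.66.0 0.0.0.255 any
"""

def parse_ipsec_sa(text):
    """Extract the peer and the encaps/decaps counters from 'show crypto ipsec sa'."""
    sa = {}
    m = re.search(r"current_peer (\S+)", text)
    sa["peer"] = m.group(1) if m else None
    for name in ("encaps", "decaps"):
        m = re.search(rf"#pkts {name}: (\d+)", text)
        sa[name] = int(m.group(1)) if m else 0
    return sa

def diagnose(sa):
    """Classify the SA by counter direction, as the checklist above does."""
    if sa["encaps"] and not sa["decaps"]:
        return "one-way: this side encrypts but nothing comes back; check the far end's route, crypto ACL and NAT"
    if sa["decaps"] and not sa["encaps"]:
        return "one-way: this side decrypts but sends nothing; check this side's route, crypto ACL and NAT"
    if not sa["encaps"] and not sa["decaps"]:
        return "idle: no traffic has matched the crypto ACL on either side"
    return "bidirectional: counters increase both ways, tunnel forwarding looks healthy"

ACL_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")

def nat_exempt_matches(config, crypto_acl, nat_acl):
    """True when every permit in the crypto ACL has an identical deny in the NAT ACL,
    i.e. interesting traffic is exempt from NAT before it reaches the crypto map."""
    permits, denies = set(), set()
    for num, action, src, sm, dst, dm in ACL_RE.findall(config):
        if (num, action) == (crypto_acl, "permit"):
            permits.add((src, sm, dst, dm))
        elif (num, action) == (nat_acl, "deny"):
            denies.add((src, sm, dst, dm))
    return permits <= denies
```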

Alphonso7
Level 1

I deleted the route to the remote network on the VPN concentrator and I was able to connect to the servers. It doesn't make sense at all; that route has been there for the last 6 years and it worked then...
