04-08-2013 09:03 PM
I met a strange problem.
The topology is below:
I have set up two IPsec VPNs; "106.0" to "53.0" is strange:
I can't ping 172.29.53.13 from "106.0", but can ping other IPs. Meantime, 172.29.53.13 can't ping any IPs in "106.0".
"21.0" to "53.0" is ok
Here is the configuration:
"106.0"
access-list vpnnonat extended permit ip 172.29.106.0 255.255.255.0 172.29.53.0 255.255.255.0
access-list vpnhkpolylite extended permit ip 172.29.106.0 255.255.255.0 172.29.53.0 255.255.255.0
nat (inside) 0 access-list vpnnonat
crypto ipsec transform-set myvpn2 esp-3des esp-md5-hmac
crypto ipsec transform-set remvpn esp-3des esp-md5-hmac
crypto ipsec transform-set myvpn esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 2000 set transform-set remvpn
crypto map vpnmap 200 match address vpnhkpolylite
crypto map vpnmap 200 set peer 202.64.111.3
crypto map vpnmap 200 set transform-set myvpn2
crypto map vpnmap 2000 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
tunnel-group 202.64.111.3 type ipsec-l2l
tunnel-group 202.64.111.3 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 300 retry 2
----------------------------------------------------------------------------------
"53.0"
access-list vpnnonat extended permit ip 172.29.53.0 255.255.255.0 172.29.106.0 255.255.255.0
access-list vpnmaxdo extended permit ip 172.29.53.0 255.255.255.0 172.29.106.0 255.255.255.0
nat (inside) 0 access-list vpnnonat
crypto ipsec transform-set myvpn2 esp-3des esp-md5-hmac
crypto ipsec transform-set myvpn esp-3des esp-sha-hmac
crypto ipsec transform-set remvpn esp-3des esp-md5-hmac
crypto dynamic-map dynmap 65535 set transform-set remvpn
crypto map outside_map1 100 match address vpnmaxdo
crypto map outside_map1 100 set peer 116.247.86.170
crypto map outside_map1 100 set transform-set myvpn2
crypto map outside_map1 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group 116.247.86.170 type ipsec-l2l
tunnel-group 116.247.86.170 ipsec-attributes
 pre-shared-key *
--------------------------------------------------------------------------------------------
Is there anything else I need to check?
Kindly wait for the solution.
04-13-2013 08:33 PM
Take a capture on "53.0" for the network 172.29.53.13 on the interface on which this network resides and paste the results.
04-14-2013 01:32 AM
What is 172.29.53.13 assigned to?
------------------
Mashal Alshboul
04-22-2013 03:38 AM
It is a server, with Server 2003.