04-04-2016 12:31 PM
Hi,
I've got 2 sites. One has a Cisco 881 and the other has a Sophos UTM.
I configured a site-to-site IPsec tunnel between the two devices; the tunnel is up, but there's no traffic flowing from the Cisco to the Sophos. When I ping from the Sophos to the Cisco I see my decap packet count increasing. When pinging from the Cisco to the Sophos, nothing increases.
The Cisco is connected directly to the internet and receives a DHCP address from my provider. Its sole purpose is to VPN with the Sophos so that I can offsite my backup.
All other internet is being provided by a different device (192.168.1.1/24) on a different WAN IP.
Router config
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rtr
!
boot-start-marker
boot system flash:c880data-universalk9-mz.154-3.M4.bin
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2120420913
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2120420913
revocation-check none
rsakeypair TP-self-signed-2120420913
!
ip name-server 192.168.1.1
ip cef
no ipv6 cef
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key key address 1.2.3.4
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to1.2.3.4
set peer 1.2.3.4
set transform-set ESP-3DES-SHA
match address 100
!
interface FastEthernet0
switchport access vlan 46
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address dhcp
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
no ip address
shutdown
!
interface Vlan46
ip address 192.168.1.254 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
ntp update-calendar
ntp server 2.be.pool.ntp.org source FastEthernet0
!
end
IPsec info
rtr#show cry ipsec sa
interface: FastEthernet4
Crypto map tag: SDM_CMAP_1, local addr 5.6.7.8
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer 1.2.3.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 5.6.7.8, remote crypto endpt.: 1.2.3.4
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0xB154E54B(2975130955)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB2FD9732(3002963762)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4154462/2709)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB154E54B(2975130955)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4154462/2709)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
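Added example (not part of the original post, and not Cisco or Sophos code): a small Python script that applies the two checks a practitioner would run against the configuration and output quoted above. It parses the crypto map's match ACL (access-list 100) from its IOS wildcard masks, tells whether a given source/destination pair is "interesting" (would be encapsulated), and reads the encaps/decaps counters out of `show crypto ipsec sa`. The ACL line and counter lines are copied from the post; the addresses 5.6.7.8 and 1.2.3.4 are the post's own placeholders. A ping originated on the router without a `source` keyword is sent from the egress interface address (here FastEthernet4's DHCP address), which is outside 192.168.1.0/24 and so never matches the ACL; the suggested `ping <dst> source Vlan46` uses real IOS syntax, but choosing Vlan46 as the source is this example's assumption.

```python
import ipaddress
import re

# Constructed sample input, copied from the config quoted in the post above.
ACL_LINE = "access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255"

# Constructed sample input, copied from the 'show crypto ipsec sa' output above.
SA_OUTPUT = """\
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
"""

# Assumed for the illustration: the router's WAN (DHCP) address placeholder
# from the post, and the LAN SVI address/name from the posted config.
WAN_ADDR = "5.6.7.8"
LAN_ADDR = "192.168.1.254"
LAN_IFACE = "Vlan46"


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard (inverse) masks: 0.0.0.255 means /24."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        # set bits are not one contiguous low-order run; not expressible as a prefix
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefix = 32 - bin(wc).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_crypto_acl(line):
    """Parse 'access-list N permit ip <src> <wc> <dst> <wc>' into two networks."""
    m = re.fullmatch(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line.strip())
    if not m:
        raise ValueError("unsupported ACL syntax: " + line)
    return wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])


def is_interesting(acl, src, dst):
    """True when src->dst matches the crypto ACL and would be encapsulated."""
    local, remote = acl
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


def parse_counters(text):
    """Pull the encaps/decaps packet counts out of 'show crypto ipsec sa' output."""
    counts = {}
    for name in ("encaps", "decaps"):
        m = re.search(rf"#pkts {name}: (\d+)", text)
        counts[name] = int(m[1]) if m else None
    return counts


def diagnose(acl, counts, test_src, test_dst):
    """Explain a tunnel that decapsulates but never encapsulates."""
    if counts["encaps"] == 0 and counts["decaps"] > 0:
        if not is_interesting(acl, test_src, test_dst):
            return (f"no encaps: {test_src} -> {test_dst} does not match the crypto ACL "
                    f"({acl[0]} -> {acl[1]}); a router-originated ping is sourced from the "
                    f"egress interface, so test with 'ping {test_dst} source {LAN_IFACE}'")
        return ("no encaps although the traffic is interesting: make sure LAN hosts (or "
                "their default gateway) route the remote subnet to the router's LAN address")
    return "traffic is being encapsulated; look at the far side for the drop"


if __name__ == "__main__":
    acl = parse_crypto_acl(ACL_LINE)
    counts = parse_counters(SA_OUTPUT)
    print("router-sourced ping:", diagnose(acl, counts, WAN_ADDR, "172.16.1.1"))
    print("LAN-sourced ping:   ", diagnose(acl, counts, LAN_ADDR, "172.16.1.1"))
```

The second branch matters here because, as the post says, the LAN's default gateway is a different device (192.168.1.1): traffic from hosts only reaches the 881 if that gateway or the hosts route 172.16.1.0/24 to 192.168.1.254. Unrelated to the one-way symptom, but visible in the posted config: the ISAKMP policy uses 3DES, DH group 2 and no PFS, all of which newer IOS releases let you replace with AES and a stronger DH group.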
02-08-2021 10:12 PM
I have a similar issue but with Sophos XG.