Dynamic VTI VPN

Ashley Sahonta
Level 1

Hi,

I am currently trying to set up DVTI VPN in GNS3. I am using loopback interfaces for the LAN interface. I can get the tunnel and virtual access interfaces to come up and can ping from the outside address but not from the LAN address on the spoke router. If I try and issue a ping from the hub router to the spoke's internal address, then I get U.U.U.U - as there is no route it can't reach the remote network.

I have done this following the guidance of Michael Shannon (CBT) and have found limited documentation on Cisco for the setup I am trying to accomplish.

Hub (R1) and Spoke (R2) config attached.

21 Replies

Julio Carvajal
VIP Alumni

Hello Ashley,

The whole point of the dynamic VTI is for connections initiated only on the spoke side, just like a dynamic to static crypto map VPN.

So the connection from the spoke to the hub should be up.

Can you share the:

On spoke:

show crypto isakmp sa

show crypto ipsec sa

sh interface tunnel #

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

See below:

R4#sho cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         4.4.4.1         QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R4#sho cry ips sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 4.4.4.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 4.4.4.1, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xAFA1518A(2946584970)

     inbound esp sas:
      spi: 0xB59A027A(3046769274)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4556522/3239)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAFA1518A(2946584970)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4556518/3239)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R4#

R4#sho int tun0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Interface is unnumbered. Using address of Serial0/0 (4.4.4.1)
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 4.4.4.1 (Serial0/0), destination 1.1.1.1
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "PRO1")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
R4#
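
The spoke output above is healthy at both phases (ISAKMP in QM_IDLE/ACTIVE, inbound and outbound ESP SAs ACTIVE), yet the counters are one-sided: 19 packets encapsulated, 0 decapsulated. The spoke is encrypting and sending, but nothing ever comes back through the tunnel, which is exactly how a hub with no route to the spoke's LAN (the U.U.U.U in the original question) looks from the spoke side. The script below is an added example, not part of this thread and not a Cisco tool; it parses `show crypto isakmp sa` and `show crypto ipsec sa` text and turns that counter pattern into a finding. The embedded sample is the posted R4 output trimmed to the lines the parser reads; the rule names and messages are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the spoke (R4) output posted in this thread, trimmed
# to the lines the parser reads. Peer 1.1.1.1 is the hub.
SPOKE_ISAKMP = """\
dst             src             state          conn-id slot status
1.1.1.1         4.4.4.1         QM_IDLE           1001    0 ACTIVE
"""
SPOKE_IPSEC = """\
interface: Tunnel0
   current_peer 1.1.1.1 port 500
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0xB59A027A(3046769274)
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xAFA1518A(2946584970)
        Status: ACTIVE
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ISAKMP_ROW = re.compile(rf"^\s*({IP})\s+({IP})\s+(\S+)\s+\d+\s+\d+\s+(\S+)")


@dataclass
class IpsecSa:
    interface: str
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    inbound: str = "NONE"    # Status of the inbound ESP SA, NONE if absent
    outbound: str = "NONE"   # Status of the outbound ESP SA, NONE if absent


def parse_isakmp(text):
    """Return one dict per SA row of 'show crypto isakmp sa'."""
    rows = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m:
            rows.append({"dst": m[1], "src": m[2], "state": m[3], "status": m[4]})
    return rows


def parse_ipsec(text):
    """Return one IpsecSa per 'interface:' block of 'show crypto ipsec sa'."""
    sas, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            cur = IpsecSa(interface=line.split(":", 1)[1].strip())
            sas.append(cur)
            section = None
        elif cur is None:
            continue
        elif (m := re.match(rf"current_peer\s+({IP})", line)):
            cur.peer = m[1]
        elif (m := re.match(r"#pkts encaps:\s*(\d+)", line)):
            cur.encaps = int(m[1])
        elif (m := re.match(r"#pkts decaps:\s*(\d+)", line)):
            cur.decaps = int(m[1])
        elif line.startswith("inbound esp sas"):
            section = "in"
        elif line.startswith("outbound esp sas"):
            section = "out"
        elif line.startswith(("inbound ", "outbound ")):
            section = None           # ah / pcp sections are not ESP
        elif (m := re.match(r"Status:\s*(\w+)", line)) and section:
            setattr(cur, "inbound" if section == "in" else "outbound", m[1])
    return sas


def diagnose(isakmp_text, ipsec_text):
    """Classify tunnel health from the two show commands."""
    findings = []
    if not any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"
               for r in parse_isakmp(isakmp_text)):
        findings.append("phase 1 down: no ISAKMP SA in QM_IDLE/ACTIVE")
    for sa in parse_ipsec(ipsec_text):
        tag = f"{sa.interface} -> {sa.peer}"
        if sa.inbound != "ACTIVE" or sa.outbound != "ACTIVE":
            findings.append(f"{tag}: phase 2 incomplete (in={sa.inbound}, out={sa.outbound})")
        elif sa.encaps == 0 and sa.decaps == 0:
            findings.append(f"{tag}: SAs up but idle, nothing is routed into the tunnel")
        elif sa.decaps == 0:
            # We encrypt and send, the peer never answers through the tunnel:
            # the classic sign that the far side has no route back to our LAN.
            findings.append(f"{tag}: one-way, encaps={sa.encaps} decaps=0; "
                            "peer has no return route into the tunnel")
        elif sa.encaps == 0:
            findings.append(f"{tag}: one-way, decaps={sa.decaps} encaps=0; "
                            "our replies are not routed into the tunnel")
        else:
            findings.append(f"{tag}: bidirectional, encaps={sa.encaps} decaps={sa.decaps}")
    return findings


if __name__ == "__main__":
    for f in diagnose(SPOKE_ISAKMP, SPOKE_IPSEC):
        print(f)
```

Run the same check on the hub: the mirror image (decaps greater than zero, encaps zero on the Virtual-Access interface) confirms the spoke's pings are decrypted there and the replies leave by some other path. On a DVTI hub the Virtual-Access interface only exists once the spoke has connected, so a static route to the spoke's LAN cannot be pointed at it in advance; hub-side routing to spoke LANs normally comes from a routing protocol run over the virtual-template or from reverse-route injection in the IPsec profile.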

Hello Ashley,

And from the spoke you are not able to ping the host on the 192.168.1.1 right?

Can you attempt to ping 192.168.1.1 from the Loopback0 on the spoke and provide us the output you get?

Regards,

Julio Carvajal

I can ping 192.168.1.1 from the spokes, but only if it is sourced from the outside. If I source a ping from the loopback interface then the ping does not go through. The response just times out.

Hello Ashley,

I have the same configuration on a GNS lab and it works perfectly. Here is my config example for you:

Spoke:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.10.10.1
!
crypto ipsec transform-set cisco esp-aes esp-sha-hmac
!
crypto ipsec profile cisco
 set transform-set cisco
!
! Static VTI on the spoke: the tunnel is a routable interface, so traffic
! is encrypted by routing it into Tunnel10 rather than by a crypto-map ACL
interface Tunnel10
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel destination 10.10.10.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
! The hub LAN is reached by pointing its route at the tunnel interface
ip route 192.168.10.0 255.255.255.0 Tunnel10
!
ip nat inside source list VPN interface FastEthernet0/0 overload
!
ip access-list extended VPN
 permit ip 192.168.12.0 0.0.0.255 any
!

Now on the Hub:

crypto keyring cisco
  pre-shared-key address 10.10.10.2 key cisco
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! The ISAKMP profile binds the matching peer to the virtual-template;
! a Virtual-Access interface is cloned from it when that spoke connects
crypto isakmp profile teta
   keyring cisco
   match identity address 10.10.10.2 255.255.255.255
   virtual-template 10
!
crypto ipsec transform-set cisco esp-aes esp-sha-hmac
!
crypto ipsec profile cisco
 set transform-set cisco
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Dynamic VTI: no tunnel destination here, the spoke's address is learned
! at connection time
interface Virtual-Template10 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel source FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile cisco
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
ip nat inside source list VPN interface FastEthernet0/1 overload
!
ip access-list extended VPN
 permit ip 192.168.10.0 0.0.0.255 any
!

From the spoke router:

#ping 192.168.10.1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/80/112 ms

sh crypto isakmp sa
dst             src             state          conn-id slot status
10.10.10.1      10.10.10.2      QM_IDLE              1    0 ACTIVE

interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 10.10.10.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.10.10.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

Our five packets, and I can see them decrypted on the other side.

Regards,

Julio

Hi,

Thanks for that. I will try again and see if there is anything that I missed. Will update you once I have tried.

Sure,

Please do,

Regards,

Julio

Still no good. I have done the same config. I noticed the only difference was that your outside interfaces are on the same subnet so I changed the IP address of the tunnel and virtual-template to the 192.168.10.0/24 subnet and still no joy.

I know that the virtual-access1 interface remains in the down/down state, but I noticed that the virtual-template interface was in a down/down state also. Is this normal behaviour?

Hello Ashley,

As soon as phase 1 and phase 2 go up you will see the virtual access in the up/up state, so it is definitely not expected...

Can you share the topology and configuration one more time. I will copy and paste it to see the behavior on my lab.

Julio

See attached zip file

Hello Ashley,

That is the same as before, correct?

Regards

Julio Carvajal

Yeah, that's right

Hello Ashley,

What is in between those 2 routers?

Julio Carvajal

It's another router terminating all the serial connections. It's basically acting as an ISP router