GRE Tunnel over OSPF

ohareka70
Level 3

Hello,

I am trying to set up a GRE tunnel over OSPF. The VPN is up and the GRE tunnel is up, but when I do a debug ip ospf adj all I am seeing is that it is not getting past the exchange/exstart stage. I am not sure why it is not forming an adjacency, and the only suggestions I have so far say to look at the MTU size, but these are all defaults.

4w6d: OSPF: Rcv DBD from 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x7 len 32  mtu 1400 state EXCHANGE
4w6d: OSPF: Nbr 172.18.111.100 has smaller interface MTU
4w6d: OSPF: Send DBD to 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x2 len 1452
4w6d: OSPF: Rcv DBD from 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x7 len 32  mtu 1400 state EXCHANGE
4w6d: OSPF: Nbr 172.18.111.100 has smaller interface MTU
4w6d: OSPF: Send DBD to 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x2 len 1452
4w6d: OSPF: Rcv DBD from 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x7 len 32  mtu 1400 state EXCHANGE
4w6d: OSPF: Nbr 172.18.111.100 has smaller interface MTU
4w6d: OSPF: Send DBD to 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 fla

Regards,

Kevin

21 Replies

Yudong Wu
Level 7

Let's first check if your VPN tunnel comes up without problems.

show crypto isa sa

show crypto ipsec sa

I took a look at your configuration; the ACL used for VPN traffic should be mirrored on the two peers. My understanding is that you only need to encrypt GRE traffic. So you can change your ACL like the following.

1. On TDNVPN01,

change

access-list 160 permit ip host 172.18.47.100 host 172.18.47.1
access-list 160 permit ip host 172.18.47.1 host 172.18.47.100
access-list 160 permit ip host 172.18.46.1 host 172.18.46.2
access-list 160 permit ip host 172.18.46.2 host 172.18.46.1

to

access-list 160 permit gre host 172.18.47.100 host 172.18.47.1

2. On ASA,

change

access-list ACL-VPN600 extended permit ip host 172.18.47.1 host 172.18.47.100
access-list ACL-VPN600 extended permit ip host 172.18.111.1 host 172.18.111.100
access-list ACL-VPN600 extended permit ip host 172.18.46.1 host 172.18.46.2
access-list ACL-VPN600 extended permit ip host 172.18.46.2 host 172.18.46.1
access-list ACL-VPN600 extended permit ip host 172.18.47.100 host 172.18.47.1

to

access-list ACL-VPN600 extended permit gre host 172.18.47.1 host 172.18.47.100

3. On the ASA, you might need to bypass NAT for this traffic. (Maybe not, since I did not see nat-control enabled, but you do have a "nat 0" configured.)

access-list INSIDE_nat0_outbound permit ip host 172.18.47.1 host 172.18.47.100

After you make the above changes, use "show crypto isa sa" and "show crypto ipsec sa" on both sides to check if IPsec is up.

If yes, use "show crypto ipsec sa" to check if both the encrypt and decrypt counts are incrementing.

I have made the recommended changes but still no luck.

TDNVPN01#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src       state          conn-id slot status
217.x.x.x    81.x.x.x  MM_NO_STATE       2082    0 ACTIVE (deleted)
217.x.x.x     81.x.x.x  MM_NO_STATE       2081    0 ACTIVE (deleted)
217.x.x.x     81.x.x.x  MM_NO_STATE       2080    0 ACTIVE (deleted)
217.x.x.x     81.x.x.x  MM_NO_STATE       2079    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

This is the output from a debug. It's saying something about MTU size, but I have just used whatever defaults are on the VPN router and the Layer 3 switch.

4w6d: OSPF: Rcv DBD from 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x7 len 32  mtu 1400 state EXCHANGE
4w6d: OSPF: Nbr 172.18.111.100 has smaller interface MTU
4w6d: OSPF: Send DBD to 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x2 len 1452
4w6d: OSPF: Rcv DBD from 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x7 len 32  mtu 1400 state EXCHANGE
4w6d: OSPF: Nbr 172.18.111.100 has smaller interface MTU
4w6d: OSPF: Send DBD to 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x2 len 1452
4w6d: OSPF: Rcv LS UPD from 172.18.15.152 on Vlan600 length 76 LSA count 1
4w6d: OSPF: Rcv LS UPD from 172.18.15.152 on Vlan600 length 60 LSA count 1
4w6d: OSPF: Rcv LS UPD from 172.18.15.152 on Vlan600 length 60 LSA count 1
4w6d: OSPF: Rcv LS UPD from 172.18.15.152 on Vlan600 length 56 LSA count 1
4w6d: OSPF: Rcv DBD from 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x7 len 32  mtu 1400 state EXCHANGE
4w6d: OSPF: Nbr 172.18.111.100 has smaller interface MTU

One other question. Should I be able to ping from one side of the tunnel to the other? I can't ping from 172.18.46.1 to 172.18.46.2 even though the tunnel is up/up and I have allowed ping through the firewall.

Any advice is welcome.
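As an added illustration (not code from this thread), a small Python parser that reads the debug ip ospf adj lines quoted above and reports, per neighbour, the MTU the neighbour advertised in its DBD, how many times the same DBD sequence number was retransmitted, and whether the adjacency is stuck below FULL; the sample lines are constructed from the post, with the wrapped lines re-joined.

```python
import re
from collections import Counter

# Constructed sample of "debug ip ospf adj" output, modelled on the lines quoted
# in the post above (wrapped lines re-joined); not a live capture.
SAMPLE_DEBUG = """\
4w6d: OSPF: Rcv DBD from 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x7 len 32  mtu 1400 state EXCHANGE
4w6d: OSPF: Nbr 172.18.111.100 has smaller interface MTU
4w6d: OSPF: Send DBD to 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x2 len 1452
4w6d: OSPF: Rcv DBD from 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x7 len 32  mtu 1400 state EXCHANGE
4w6d: OSPF: Nbr 172.18.111.100 has smaller interface MTU
4w6d: OSPF: Send DBD to 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x2 len 1452
4w6d: OSPF: Rcv LS UPD from 172.18.15.152 on Vlan600 length 76 LSA count 1
4w6d: OSPF: Rcv DBD from 172.18.111.100 on Tunnel0 seq 0x1A42 opt 0x52 flag 0x7 len 32  mtu 1400 state EXCHANGE
4w6d: OSPF: Nbr 172.18.111.100 has smaller interface MTU
"""

RCV_DBD = re.compile(r"Rcv DBD from (\S+) on (\S+) seq (0x[0-9A-Fa-f]+) .*?mtu (\d+) state (\w+)")
MTU_MISMATCH = re.compile(r"Nbr (\S+) has smaller interface MTU")


def analyze_ospf_adj(debug_text):
    """Summarise, per neighbour, what the DBD exchange in the debug output shows.

    The same DBD sequence number received again and again, each time followed by
    'has smaller interface MTU', means the local interface MTU is larger than the
    MTU the neighbour advertises, so the adjacency never leaves EXSTART/EXCHANGE.
    The debug does not print the local MTU; only the neighbour's value is captured.
    """
    seen = {}
    for line in debug_text.splitlines():
        m = RCV_DBD.search(line)
        if m:
            nbr, intf, seq, mtu, state = m.groups()
            rec = seen.setdefault(nbr, {"interface": intf, "neighbor_mtu": int(mtu),
                                        "states": set(), "seqs": Counter(), "mismatch": 0})
            rec["states"].add(state)
            rec["seqs"][seq] += 1
            continue
        m = MTU_MISMATCH.search(line)
        if m and m.group(1) in seen:
            seen[m.group(1)]["mismatch"] += 1

    findings = []
    for nbr, rec in seen.items():
        repeats = max(rec["seqs"].values()) - 1  # retransmissions of the same DBD
        findings.append({
            "neighbor": nbr,
            "interface": rec["interface"],
            "neighbor_mtu": rec["neighbor_mtu"],
            "dbd_retransmits": repeats,
            "mtu_mismatch": rec["mismatch"] > 0,
            # stuck: mismatch repeats and no state beyond EXCHANGE was ever seen
            "stuck": rec["mismatch"] > 0 and repeats > 0
                     and rec["states"] <= {"EXSTART", "EXCHANGE"},
        })
    return findings


if __name__ == "__main__":
    for f in analyze_ospf_adj(SAMPLE_DEBUG):
        print(f)
```

To see the local side of the comparison, show ip ospf interface on the tunnel interface at both ends prints the MTU each router uses; the two values have to match for the DBD exchange to complete.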

Based on the "show crypto isa sa" output, the VPN tunnel did not come up at all.

You need to run "debug cry isa" and "debug cry ipsec" to see why the tunnel won't come up.

By the way, you have an ACL "internet-in" applied under the Dialer0 interface, but there are no entries in this ACL. Please check this as well.

interface Dialer0
description $FW_OUTSIDE$
ip address x.x.x.x 255.255.255.254
ip access-group internet-in in

Hello,

I can see the tunnel is up, but no traffic is passing along the tunnel. I can't ping from one side to the other, i.e. from 172.18.46.1 to 172.18.46.2, even though I have a route to it and it is enabled on the firewall.

rtrNewrTDNVPN01#sh ip route 172.18.46.2
Routing entry for 172.18.46.0/30
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Tunnel10
      Route metric is 0, traffic share count is 1

rtrNewrTDNVPN01#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
217.33.137.16   81.x.x.x  QM_IDLE           2278    0 ACTIVE

IPv6 Crypto ISAKMP SA

Q.  Is QM_IDLE good or bad?


rtrNewrTDNVPN01#sh ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.18.47.152     0   FULL/  -        00:00:33    172.18.46.2     Tunnel10

rtrNewrTDNVPN01#show session
% No connections open

Can you set up a tunnel if one end of the tunnel is a Layer 3 switch?

Kevin

Yudong Wu
Level 7

QM_IDLE indicates that Phase 1 is working.

You can use "show crypto ipsec sa" to check if Phase 2 is OK.

If you see the "encrypt/decrypt" counts in "show crypto ipsec sa" incrementing, it indicates that traffic is passing through the VPN tunnel.

From the info you provided, the OSPF neighbor is established on the tunnel interface. I think it is working now. What issue are you still experiencing?

"show session" is not the command to check the VPN/tunnel. Not sure why you used it here.

It looks as if Phase 2 is not working. I did see some encrypt/decrypt but it went back to zero again.

PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9401, #pkts encrypt: 9401, #pkts digest: 9401
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118

PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

What issue are you still experiencing? From the VPN site I should now be able to ping back into our network. But I am unable to ping 172.18.46.2 or the tunnel destination of 172.18.41.1. I have some users who want to connect from this VPN back into our network and then will need to be able to get onto our domain. If I do a show ip route from the VPN I can see routes to everywhere that is needed on the OSPF network, but I can't ping anything.

The VPN router on the outside is a Cisco 1801.

The firewall in between is a Cisco ASA 8.0.

The device on the inside of the firewall is a Layer 3 switch.

Thanks

Kevin

I did not see the configuration files attached any more.

Could you please attach the "complete" configuration files from all 3 devices?

My understanding of your setup is that the GRE tunnel is terminated on two routers, but the IPsec tunnel is terminated on a router at one side and the ASA on the other side. You might still have something misconfigured.

Hello,

I have attached some partial configs.

I have noticed this evening that the tunnel has gone back to this state. Earlier on it was FULL.

TDNVPN01#sh ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.18.47.152     0   EXSTART/  -     00:00:39    172.18.46.2     Tunnel10

Yudong Wu
Level 7

Here is the configuration change which you need.

1800 Router
===============
<<< Remove the extra crypto map entry
no crypto map p21vpn 10

<<< Change ACL 160 to the following by removing the rest ACE.
access-list 160 permit ip host 172.18.47.100 host 172.18.47.1

<<< Remove crypto map from interface tunnel10
no crypto map p21vpn

<<< change ACL Internet-in to the following
ip access-list extended Internet-in
permit icmp any any
permit udp host 217.33.137.16 host 81.x.x.x eq 500
permit udp host 217.33.137.16 host 81.x.x.x eq 4500
permit esp host 217.33.137.16 host 81.x.x.x


ON ASA
===========
<<< change ACL-VPN600 to the following by removing the rest ACE.
access-list ACL-VPN600 extended permit ip host 172.18.47.1 host 172.18.47.100

<<< add the following command
crypto map vpnmap 600 match address ACL-VPN600
crypto isakmp nat-traversal


If it is still not working, please collect

show crypto isa sa

show crypto ipsec sa

and the debug output

debug crypto ipsec

debug crypto isa

Still not working, I'm afraid. I have attached the debugs.

At the moment I am just testing the operation of the VPN incorrectly. I am attempting to ping from the router to the ASA to test the tunnel connectivity. Maybe I need to be onsite to put my laptop behind the router and get routable packets?

Or are there any known issues with Layer 3 devices and GRE tunnels or IPsec?

Regards

Kevin

Let's make sure everything is configured correctly.

Could you please do the following?

1. Enable both debugs on your router.

- debug crypto ipsec

- debug crypto isa

2. Clear the IPsec VPN session

On the ASA

-------------------

clear crypto ipsec sa

clear crypto isa sa

On router

--------------------

clear crypto sa

clear crypto session

3. Provide the following info

- current running configuration from all 3 devices --- I will take a look to see if there is any other misconfiguration

- debug output

- "show crypto isa sa" and "show crypto ipsec sa" from both router and ASA.

I did all the clear commands listed below on all devices.

I have attached the 3 running configs.

"show crypto isa sa" and "show crypto ipsec sa" from the router:

rtrNewrTDNVPN01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
217.33.137.16   x.x.x.x  QM_IDLE           2291    0 ACTIVE

IPv6 Crypto ISAKMP SA

I have attached the show crypto ipsec sa from the router also.

"show crypto isa sa" and "show crypto ipsec sa" from the ASA:

TDNASA# show crypto isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

TDNASA# show crypto ipsec sa
interface: OUTSIDE
    Crypto map tag: vpnmap, seq num: 600, local addr: 192.168.100.254

      access-list ACL-VPN600 permit ip host 172.20.3.1 host 172.20.3.100
      local ident (addr/mask/prot/port): (172.20.3.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.20.3.100/255.255.255.255/0/0)
      current_peer: x.x.x.x
      #pkts encaps: 954, #pkts encrypt: 1132, #pkts digest: 1132
      #pkts decaps: 300, #pkts decrypt: 300, #pkts verify: 300
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 954, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 178, #pre-frag failures: 0, #fragments created: 356
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.100.254/4500, remote crypto endpt.: x.x.x.x/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 58615332

    inbound esp sas:
      spi: 0x303D1094 (809308308)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 22290432, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (4274972/2421)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x58615332 (1482773298)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 22290432, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (4274594/2420)
         IV size: 8 bytes
         replay detection support: Y


Any help is appreciated.

Kevin

Yudong Wu
Level 7

1. Based on your configuration, you did not follow my previous suggestion to make all the configuration changes.

2. It looks like the tunnel is up between 172.20.3.1 and 172.16.3.100.

From the router, both the encrypt and decrypt counts are not zero:

   local  ident (addr/mask/prot/port): (172.20.3.100/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (172.20.3.1/255.255.255.255/0/0)
    current_peer 217.33.137.16 port 4500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 326, #pkts encrypt: 326, #pkts digest: 326  <<<<<
     #pkts decaps: 1256, #pkts decrypt: 1256, #pkts verify: 1256 <<<<

From the ASA, both counts are not zero as well:

     Crypto map tag: vpnmap, seq num: 600, local addr: 192.168.100.254
       access-list ACL-VPN600 permit ip host 172.20.3.1 host 172.20.3.100
       local ident (addr/mask/prot/port): (172.20.3.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (172.20.3.100/255.255.255.255/0/0)
       current_peer: x.x.x.x
       #pkts encaps: 954, #pkts encrypt: 1132, #pkts digest: 1132   <<<<
       #pkts decaps: 300, #pkts decrypt: 300, #pkts verify: 300        <<<<

It indicates that the VPN tunnel was passing traffic.

3. When you test the VPN, make sure the testing traffic will match the ACL which you defined. Actually, any traffic which needs to go through the GRE tunnel will be encrypted. So, you just ping between 172.18.46.2 and 172.18.46.1. If it works, your VPN tunnel works.

4. I suggested previously that you change the ACL which is used by the crypto map. You just need to encrypt the traffic between the tunnel source and destination IP, such as 172.20.3.100 and 172.20.3.1. The ACLs on your router and ASA need to mirror each other. For example,

On the router, you use

permit gre host 172.20.3.100 host 172.20.3.1

On the ASA, you must use

permit gre host 172.20.3.1 host 172.20.3.100

5. Not sure where you saw those multicast error messages. OSPF hello will be sent to a multicast address, but the VPN could not encrypt multicast traffic; that's why you have GRE here, which will encapsulate the OSPF hello into a GRE packet.
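The mirroring requirement in point 4 can be checked mechanically before the crypto maps are applied. The following Python is an added example, not code from the thread or from Cisco: it parses one-line IOS and ASA ACEs (host, any, and address/mask forms; IOS masks are treated as wildcards, ASA masks as subnet masks), reports every permit ACE that the peer does not mirror with source and destination swapped, and checks whether an ACL would select GRE between the tunnel endpoints. The ACLs below are constructed from the addresses used in this reply.

```python
import re
import ipaddress

# Constructed crypto ACLs modelled on this thread (not the poster's actual configs):
# the router side as recommended above, an ASA side that mirrors it, and an ASA
# side in the style of the original posting that does not.
ROUTER_ACL = "access-list 160 permit gre host 172.20.3.100 host 172.20.3.1\n"
ASA_ACL_MIRRORED = "access-list ACL-VPN600 extended permit gre host 172.20.3.1 host 172.20.3.100\n"
ASA_ACL_UNMIRRORED = """\
access-list ACL-VPN600 extended permit ip host 172.20.3.1 host 172.20.3.100
access-list ACL-VPN600 extended permit ip host 172.18.46.1 host 172.18.46.2
access-list ACL-VPN600 extended permit ip host 172.18.46.2 host 172.18.46.1
"""

# Matches IOS numbered ACEs and ASA extended ACEs written in one-line form.
ACE_RE = re.compile(r"^access-list \S+ (?:extended )?(permit|deny) (\S+) (.+)$")


def _addr(tokens, platform):
    """Consume one address spec (any | host A | A mask) and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if platform == "ios":  # IOS ACLs use wildcard masks; the ASA uses subnet masks
        mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask))))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text, platform):
    """Return a list of (action, protocol, src_network, dst_network) tuples."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        src = _addr(tokens, platform)
        dst = _addr(tokens, platform)
        aces.append((action, proto.lower(), src, dst))
    return aces


def _fmt(entry):
    proto, src, dst = entry
    return f"{proto} {src} -> {dst}"


def check_mirror(router_acl, asa_acl):
    """Each permit ACE must appear on the peer with source and destination swapped."""
    router = {(p, s, d) for a, p, s, d in parse_acl(router_acl, "ios") if a == "permit"}
    asa = {(p, d, s) for a, p, s, d in parse_acl(asa_acl, "asa") if a == "permit"}
    return {
        "missing_on_asa": sorted(_fmt(e) for e in router - asa),
        "missing_on_router": sorted(_fmt((p, d, s)) for p, s, d in asa - router),
    }


def covers_gre(acl_text, platform, local_endpoint, remote_endpoint):
    """True if a permit ACE would select GRE from the local to the remote tunnel endpoint."""
    local, remote = ipaddress.ip_address(local_endpoint), ipaddress.ip_address(remote_endpoint)
    return any(a == "permit" and p in ("gre", "ip") and local in s and remote in d
               for a, p, s, d in parse_acl(acl_text, platform))
```

Compare the result with the local ident / remote ident lines of show crypto ipsec sa on each side: they are the negotiated form of exactly these ACEs, so a mismatch reported here shows up there as an SA whose identities do not match the peer's.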