Ipsec tunnel up no transmitted packets

Alekin
Beginner

Hi Folks,

I need some help please, it seems I'm missing something but can't figure it out at the moment. I have identical sites using this setup and they are functioning fine.

My setup is a small branch with a cable modem. I have a Cisco 881 router connected and have configured an IPsec VPN to my HQ. The tunnel is up, both phase 1 and phase 2, but traffic is not going over the tunnel.

The access list for the crypto map is being hit, as I turned on logging, but if I do an extended ping or trace using the SVI on the router I get nothing. I have added the router config below.

!
crypto ikev2 proposal MyProposal
encryption aes-cbc-256
integrity sha256
group 19
!
crypto ikev2 policy My-policy
match fvrf any
proposal MyProposal
!
crypto ikev2 keyring My-keyring
peer peer1
address 37.32.117.31
pre-shared-key local XXXXXX
pre-shared-key remote XXXXXX
!
crypto ikev2 profile My-profile
match identity remote address 172.20.65.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local My-keyring
!
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set My-transform-set esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map AllowToHOBranch 1 ipsec-isakmp
set peer 37.32.117.31
set security-association lifetime seconds 28800
set transform-set My-transform-set
set pfs group19
set ikev2-profile My-profile
match address 99
!
interface FastEthernet0
no ip address
!
interface FastEthernet4
ip address 58.44.101.117 255.255.255.240
ip tcp adjust-mss 1232
crypto map AllowToHOBranch
!
interface Vlan1
ip address 172.21.17.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 58.44.101.117
!
access-list 99 permit ip 172.21.17.0 0.0.0.255 any


Output of show crypto
sh crypto ikev2 sa


IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 58.44.101.116/4500 37.32.117.31/4500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4187 sec

No packets seen on the sh crypto ipsec sa peer command

Any help will be greatly appreciated.

Thanks

Accepted Solution

No difference in hardware, only IOS image was different!!

And that was the issue as the upgrade resolved the connectivity.


20 Replies

Rob Ingram
VIP Expert

@Alekin do you have NAT configured? This could cause traffic to be unintentionally translated and therefore not match the crypto ACL.

Please provide the full output of "show crypto ipsec sa" for this specific tunnel.
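To make the NAT point above concrete, here is an added example (not from the thread or from any Cisco tool) that models the IOS order of operations that bites in this situation: inside-to-outside NAT runs before the crypto map's match ACL is evaluated, so a LAN source that gets translated to the outside address no longer matches an ACL written for 172.21.17.0/24, the packet leaves in clear text, and the IPsec SA counters stay at zero. The LAN subnet and outside address are taken from the post; the HQ LAN 10.10.0.0/16 and the NAT ACLs are assumptions, since the original post shows no NAT configuration at all.

```python
"""Model of IOS outbound processing relevant to this thread:
NAT inside-to-outside is applied BEFORE the crypto map match ACL.

Constructed example, not code from the thread. Addresses reused from the
post: LAN 172.21.17.0/24, outside 58.44.101.117 (FastEthernet4). The HQ
LAN 10.10.0.0/16 and both NAT ACLs are assumptions for illustration.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("172.21.17.0/24")
HQ_LAN = ip_network("10.10.0.0/16")        # assumed remote subnet, not in the post
OUTSIDE_IP = ip_address("58.44.101.117")   # FastEthernet4 address from the post
ANY = ip_network("0.0.0.0/0")

# An ACE is (action, source network, destination network). The first
# matching entry wins; an ACL with no matching entry implicitly denies.
def first_match(acl, src, dst):
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

# Crypto ACL 99 from the post: permit ip 172.21.17.0 0.0.0.255 any
CRYPTO_ACL = [("permit", LAN, ANY)]

# NAT ACL as a branch router is often left: translate everything from the LAN.
# (Assumed configuration; the post does not show its NAT statements.)
NAT_ACL_WEAK = [("permit", LAN, ANY)]

# Corrected NAT ACL: exempt LAN-to-HQ traffic from translation first, so it
# still carries its private source address when the crypto map looks at it.
NAT_ACL_FIXED = [("deny", LAN, HQ_LAN), ("permit", LAN, ANY)]

def outbound(src, dst, nat_acl):
    """Return (post-NAT source address, encrypted?) for one inside->outside packet."""
    src, dst = ip_address(src), ip_address(dst)
    # Step 1: inside-to-outside NAT (ip nat inside source list ... interface ... overload)
    if first_match(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP
    # Step 2: the crypto map match ACL is checked against the translated packet
    encrypted = first_match(CRYPTO_ACL, src, dst) == "permit"
    return str(src), encrypted

if __name__ == "__main__":
    for name, acl in (("weak NAT ACL ", NAT_ACL_WEAK), ("fixed NAT ACL", NAT_ACL_FIXED)):
        print(name, "LAN -> HQ      :", outbound("172.21.17.50", "10.10.1.1", acl))
        print(name, "LAN -> Internet:", outbound("172.21.17.50", "8.8.8.8", acl))
```

Running it shows the weak NAT ACL translating the HQ-bound packet to 58.44.101.117 and the crypto ACL then failing to match, while the fixed ACL leaves the source untouched and the packet is encrypted. It also shows why `show crypto ipsec sa` reports zero encaps even though the crypto ACL logging appears to fire: the log hit and the post-NAT crypto decision are made on different versions of the packet. A side effect worth checking on the real router is the `any` destination in ACL 99: without NAT, Internet-bound traffic from the LAN also matches it and would be sent into the tunnel.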