7298 Views, 0 Helpful, 10 Replies

ipsec vpn between two cisco routers

engreda22
Level 1

 

I am trying to configure an IPsec VPN between two sites using Cisco routers,

but the session is still not established and I am getting this error message:

IPSEC: Expand action denied, notify RP
 UTC: IPSEC: Expand action denied, notify RP
 UTC: IPSEC: Expand action denied, discard or forward packet.

The configuration of both routers is shown below.

router A

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2  
crypto isakmp key tvtckey address x.x.x.x  no-xauth
     
crypto ipsec transform-set MYSET esp-aes 192 esp-sha-hmac
 mode tunnel 
crypto map x 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set MYSET
 match address VPN-IPSEC

interface GigabitEthernet0/0
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map x
ip access-list extended VPN-IPSEC
 permit ip source dest

 

router b

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key tvtckey address y.y.y.y   no-xauth

crypto ipsec transform-set MYSET esp-aes 192 esp-sha-hmac
 mode tunnel
crypto map y 10 ipsec-isakmp
 set peer y.y.y.y
 set transform-set MYSET
 match address VPN-IPSEC

interface GigabitEthernet0/1
 ip address y.y.y.y 255.255.255.252
 media-type sfp
 crypto map y
 

 

10 Replies

yogeshbb11
Level 1

Hello,

I need the access list information.

Thanks & regards,

Yogesh Bhavsar

Spooster IT Services

router a

Extended IP access list VPN-IPSEC
    10 permit ip 172.22.0.0 0.0.255.255 172.17.140.0 0.0.0.255
    20 permit ip 10.0.0.0 0.255.255.255 172.17.140.0 0.0.0.255

router b

Extended IP access list VPN-IPSEC
    10 permit ip 172.17.140.0 0.0.0.255 172.22.0.0 0.0.255.255
    20 permit ip 172.17.140.0 0.0.0.255 10.0.0.0 0.255.255.255

Could you provide the output of the following command:

show cry isa sa

Also do the following debug and then try to initiate traffic between the two sites and post the debug output here please.

on router A:

debug crypto condition peer x.x.x.x

debug crypto isa sa 127

debug crypto ipsec 127

--

Please remember to select a correct answer and rate helpful posts


Another question would be to verify that both routers have IP connectivity between their peering addresses. Can router A and router B ping each other using the peering addresses as source and destination?

HTH

Rick


Yes, pingable from both sides.

Dears,

I removed all my configuration, did it again, and the tunnel came up.

There was an issue behind one router: the ISA server is doing the NATing and routing, and it was blocking the traffic from passing through.

Thanks for posting back to the forum and letting us know that you started over again and now it works. It is helpful to know that the ISA server was impacting traffic between the routers.

HTH

Rick


attached

You seem to have attached the same file twice. Was there supposed to be a second file that was different?

The output in the file shows that at least some IPsec SAs have been negotiated, but only one has had any traffic, and that one has received a single packet and has sent no packets:

  local  ident (addr/mask/prot/port): (172.22.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.17.140.0/255.255.255.0/0/0)
   current_peer 172.25.16.126 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1

I do see error messages in the file about expand action denied and am not clear what that is about.

HTH

Rick


First thought is that there is a mismatch between the crypto ACLs.

--

Please remember to select a correct answer and rate helpful posts

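Rick's first thought is a crypto ACL mismatch, which is the usual reason Phase 2 proxy identities fail to agree. As an added example (not posted by anyone in this thread), this Python script parses the two `show ip access-lists` outputs engreda22 posted and reports every entry that has no mirror image (source and destination swapped) on the other router; the ACL text is copied from the thread, while the handling of `host`, `any` and match counters is my own generalisation.

```python
import ipaddress
import re

# Constructed sample input: the two crypto ACLs posted earlier in this thread.
ACL_ROUTER_A = """\
Extended IP access list VPN-IPSEC
    10 permit ip 172.22.0.0 0.0.255.255 172.17.140.0 0.0.0.255
    20 permit ip 10.0.0.0 0.255.255.255 172.17.140.0 0.0.0.255
"""
ACL_ROUTER_B = """\
Extended IP access list VPN-IPSEC
    10 permit ip 172.17.140.0 0.0.0.255 172.22.0.0 0.0.255.255
    20 permit ip 172.17.140.0 0.0.0.255 10.0.0.0 0.255.255.255
"""
# One ACE line of 'show ip access-lists' output; a trailing "(N matches)" counter is tolerated.
ACE_RE = re.compile(r"^\s*\d+\s+(permit|deny)\s+(\S+)\s+(.*?)\s*(?:\(\d+ matches\))?$")


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks; invert explicitly so 0.0.0.0 is not misread."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _take_network(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_crypto_acl(text):
    """Return a set of (action, protocol, src_net, dst_net); port qualifiers are ignored."""
    entries = set()
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            action, proto, rest = m.groups()
            tokens = rest.split()
            src = _take_network(tokens)
            entries.add((action, proto, src, _take_network(tokens)))
    return entries


def unmirrored_entries(acl_a, acl_b):
    """Entries on each side with no exact mirror (src/dst swapped) on the other side."""
    # Crypto ACLs must be mirror images; anything returned here is a proxy-identity mismatch.
    mirror = lambda acl: {(act, proto, dst, src) for act, proto, src, dst in acl}
    return sorted(acl_a - mirror(acl_b), key=str), sorted(acl_b - mirror(acl_a), key=str)
```

With the ACLs from this thread both result lists are empty, which supports the OP's later finding that the fault was NAT on the ISA server rather than the crypto ACLs.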