Hi all,

I am configuring a Cisco 2801 running IOS 12.4(8a) for a client to be a host for a series of IPSec tunnels running over a Private WAN, with the remote clients connecting being embedded Linux routers running Openswan 2.6.22.

The tunnel establishes, but traffic only flows one way; into the Cisco side of the tunnel, but not out of it. The tunnel is between the 2801 (10.70.0.1/24 and 10.0.0.3 external interface) and a Linux router running Openswan 2.6.22 (192.168.7.1/24 and 10.0.16.6 external interface).

The devices negotiate a tunnel successfully and establish the appropriate SAs, but traffic can only flow from the Openswan device to the 2801. The Cisco decapsulates and appropriately forwards the traffic to the intended 'inside' interface client address, but replies and generated traffic from clients or the 2801's inside interface are not encapsulated, despite the existing IPSec ACL matching the traffic destination.

I have looked up this one way traffic issue, but most people with the issue end up resolving it with a NAT exclusion rule for the IPSec traffic. However, there is no need for NAT on this connection as the only traffic expected to route through the 2801 is tunnel traffic. I have tried implementing a NAT with an IPSec exclusion with the same results.

IDs and matching configurations have been checked and double checked. Other available crypto transforms and settings have been tried. Configuration was initially done with CLI, but eventually I began using Cisco Configuration Professional to see if it would catch something I didn't.

Any help would be hugely appreciated. Full config is attached (sensitive lines modified) and crypto details on CLI look like this while tunnel is running:

rk9c#show crypto isakmp sa
dst             src             state          conn-id slot status
10.0.0.3        10.0.16.6       QM_IDLE              9    0 ACTIVE

rk9c#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 10.0.0.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.70.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.7.0/255.255.255.0/0/0)
   current_peer 10.0.16.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.3, remote crypto endpt.: 10.0.16.6
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xAC9CBC1D(2895952925)

     inbound esp sas:
      spi: 0xC403794(205535124)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: FPGA:2, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4434924/603)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAC9CBC1D(2895952925)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: FPGA:1, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4434924/603)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

rk9c#show crypt map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
        Description: Tunnel to10.0.16.6
        Peer = 10.0.16.6
        Extended IP access list 100
            access-list 100 permit ip 10.70.0.0 0.0.0.255 192.168.7.0 0.0.0.255
        Current peer: 10.0.16.6
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                TEST,
        }
        Interfaces using crypto map SDM_CMAP_1:
                FastEthernet0/0