IPSEC VPN Tunnel

hassanjavaid
Level 1

We have created a site-to-site VPN tunnel between our main office and one of our partner offices. On our end the device is a Cisco 2811 router. At the partner's end there is a Cisco router as well. The problem is that the tunnel can only be created when the VPN session is initiated from our end and not from the partner's end.

How do I allow VPN sessions from the remote end?

Thank You.

Router configuration at our end is as follows:


version 12.4

hostname Router

 


dot11 syslog
ip source-route


voice-card 0


archive
 log config
  hidekeys

crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key abhdsd address 1.2.3.4

crypto ipsec transform-set Office-Partner esp-aes 192 esp-sha-hmac 
!
crypto map OfficePartner 10 ipsec-isakmp 
 set peer 1.2.3.4
 set transform-set Office-Partner 
 set pfs group2
 match address 101


interface GigabitEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no mop enabled

interface GigabitEthernet0/1
 ip address 20.21.22.23 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no mop enabled
 crypto map OfficePartner


ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 20.21.22.24
ip http server
no ip http secure-server

access-list 101 permit ip host 192.168.2.100 host 192.168.10.30
access-list 101 permit ip host 192.168.2.100 host 192.168.10.31

control-plane

 

9 Replies

rahgovin
Level 4

Your crypto map looks to be configured to initiate and respond, so no problems there. For IKE to trigger, there needs to be interesting traffic that hits the interface that has the crypto map applied [GigabitEthernet0/1 in your case]. One possible reason that could be the cause is that you have a dynamic NAT enabled for 192.168.2.100 to go out to the internet, so when traffic is initiated from that host towards 192.168.10.30, dynamic NAT takes over and you no longer match interesting traffic. Can you check if you have a dynamic NAT in place?

Also any reason you have "ip source-route" in place on this router?

"ip source-route" was from an earlier configuration, and no, I don't have dynamic NAT enabled on the router.

Do I need to have any other configuration to allow VPN sessions from "192.168.10.30" to "192.168.2.100"?

Thanks

Hi Javaid,

Can you send the NAT configuration at your end as well as on the remote end?

Also, what output are you getting from show crypto isakmp sa and sh crypto ipsec sa when the remote peer tries to establish the tunnel?

Your interesting traffic must be exempted from NAT.
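To show why the advice above matters, here is an added example (not from the thread or from either poster) that models the IOS inside-to-outside order of operations: NAT is applied before the crypto map is consulted, so a source address that gets translated no longer matches the crypto ACL and IKE is never triggered. Crypto ACL 101, the NAT exemption ACL 110 and route-map nonat used later in the thread, and the Gi0/1 address are taken from the thread; the Ace class, acl_lookup(), egress() and OUTSIDE_ADDR are this example's own names, and the ACL matcher also handles IOS wildcard masks, which the thread's host-only entries do not need.

```python
# Added example, not from the thread: a minimal model of the IOS inside-to-outside
# order of operations. NAT runs before the crypto map is consulted, so a translated
# source no longer matches the crypto ACL. ACL 101 and the NAT exemption ACL 110 are
# taken from the thread; Ace, acl_lookup(), egress() and OUTSIDE_ADDR are this
# example's own names.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "host a.b.c.d", "a.b.c.d w.x.y.z" (IOS wildcard), or "any"
    dst: str


def _matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec.split()[1]) == ip_address(addr)
    base, wildcard = spec.split()
    # IOS wildcard mask: 0 bits must match, 1 bits are "don't care".
    care = 0xFFFFFFFF ^ int(ip_address(wildcard))
    return (int(ip_address(base)) & care) == (int(ip_address(addr)) & care)


def acl_lookup(acl: List[Ace], src: str, dst: str) -> Optional[str]:
    """First-match ACL semantics; the implicit deny at the end returns None."""
    for ace in acl:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action
    return None


# Crypto ACL from the thread (crypto map OfficePartner, match address 101).
CRYPTO_ACL_101 = [Ace("permit", "host 192.168.2.100", "host 192.168.10.30"),
                  Ace("permit", "host 192.168.2.100", "host 192.168.10.31")]
# NAT exemption ACL from the thread: the deny entries keep VPN traffic out of the
# route-map, so it is never translated.
NONAT_ACL_110 = [Ace("deny", "host 192.168.2.100", "host 192.168.10.30"),
                 Ace("deny", "host 192.168.2.100", "host 192.168.10.31"),
                 Ace("permit", "host 192.168.2.100", "any")]
# Gi0/1 address from the thread, used as the PAT address by "interface ... overload".
OUTSIDE_ADDR = "20.21.22.23"


def egress(src: str, dst: str, nat_acl: Optional[List[Ace]]) -> Tuple[str, bool]:
    """Return (source address after NAT, whether the crypto map claims the packet).

    nat_acl is the ACL referenced by the route-map in 'ip nat inside source';
    None models a router with no NAT configured at all."""
    translated = src
    if nat_acl is not None and acl_lookup(nat_acl, src, dst) == "permit":
        translated = OUTSIDE_ADDR  # PAT to the outside interface address
    # The crypto map only sees the post-NAT packet.
    encrypted = acl_lookup(CRYPTO_ACL_101, translated, dst) == "permit"
    return translated, encrypted


if __name__ == "__main__":
    nat_all = [Ace("permit", "host 192.168.2.100", "any")]
    for label, acl in (("no NAT", None), ("NAT, no exemption", nat_all),
                       ("NAT with ACL 110 exemption", NONAT_ACL_110)):
        print(label, egress("192.168.2.100", "192.168.10.30", acl))
```

With no NAT at all the packet reaches the crypto map untouched and matches ACL 101; with a plain "permit host 192.168.2.100 any" NAT ACL it leaves as 20.21.22.23 and never matches; with the deny entries of ACL 110 in front, VPN traffic bypasses the translation while other traffic from the host is still translated.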

Hi,

I do not have NAT enabled on my router since the internal server "192.168.2.100" doesn't need to access the internet.

"show crypto isakmp sa" remains empty unless I initiate the tunnel, in which case the following output is received.

"

Router#show  crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.2.3.4  20.21.22.23  QM_IDLE           1004 ACTIVE

"

I did try the following NAT settings without any luck.

 

version 12.4

hostname Router

 


dot11 syslog
ip source-route


voice-card 0


archive
 log config
  hidekeys

crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key abhdsd address 1.2.3.4

crypto ipsec transform-set Office-Partner esp-aes 192 esp-sha-hmac 
!
crypto map OfficePartner 10 ipsec-isakmp 
 set peer 1.2.3.4
 set transform-set Office-Partner 
 set pfs group2
 match address 101


interface GigabitEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip flow ingress
 duplex auto
 speed auto
 no mop enabled

interface GigabitEthernet0/1
 ip address 20.21.22.23 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 duplex auto
 speed auto
 no mop enabled
 crypto map OfficePartner


ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 20.21.22.24
ip http server
no ip http secure-server

 

//acl for interesting ipsec traffic
access-list 101 permit ip host 192.168.2.100 host 192.168.10.30
access-list 101 permit ip host 192.168.2.100 host 192.168.10.31

//acl for nat exemption
access-list 110 deny   ip host 192.168.2.100 host 192.168.10.30
access-list 110 deny   ip host 192.168.2.100 host 192.168.10.31
access-list 110 permit ip host 192.168.2.100 any

route-map nonat permit 10
 match ip address 110

ip nat inside source route-map nonat interface  GigabitEthernet0/1 overload

control-plane

 

Thank You

Hi,

Your isakmp sa output shows that the tunnel is up and active. What about the sh crypto ipsec sa? Are you able to see the encrypted and decrypted packet counts? They should increase when traffic passes through the tunnel.

Again, if you clear the isakmp sa and ipsec sa at your end and ask the partner to initiate the tunnel by sending interesting traffic, what output are you getting for the isakmp sa and ipsec sa?

Thanks for the suggestions; however, the status is the same.

 

//phase 1 tunnel status

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
20.21.22.23  1.2.3.4  QM_IDLE           1019 ACTIVE

 

//Show crypto ipsec sa output when the interesting traffic is sent from the partner's end (192.168.10.30).


Router#show  crypto ipsec sa
     PFS (Y/N): N, DH group: none
     PFS (Y/N): N, DH group: none

interface: GigabitEthernet0/1
    Crypto map tag: APLHBL, local addr 20.21.22.23

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.100/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.31/255.255.255.255/0/0)
   current_peer 1.2.3.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 20.21.22.23, remote crypto endpt.: 1.2.3.4
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.100/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.30/255.255.255.255/0/0)
   current_peer 1.2.3.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 134600, #pkts encrypt: 134600, #pkts digest: 134600
    #pkts decaps: 85293, #pkts decrypt: 85293, #pkts verify: 85293
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 20.21.22.23, remote crypto endpt.: 1.2.3.4
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

//Tunnel status when I ping 192.168.10.30 from 192.168.2.100

Router#show  crypto ipsec sa
     PFS (Y/N): Y, DH group: group2
     PFS (Y/N): Y, DH group: group2

interface: GigabitEthernet0/1
    Crypto map tag: APLHBL, local addr 20.21.22.23

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.100/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.31/255.255.255.255/0/0)
   current_peer 1.2.3.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 30, #pkts encrypt: 30, #pkts digest: 30
    #pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 115.186.178.13, remote crypto endpt.: 1.2.3.4
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x3989FB49(965344073)

     inbound esp sas:
      spi: 0xCC79AF61(3430526817)
        transform: esp-192-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2113, flow_id: NETGX:113, sibling_flags 80000046, crypto map: officepartner
        sa timing: remaining key lifetime (k/sec): (4553977/3575)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3989FB49(965344073)
        transform: esp-192-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2114, flow_id: NETGX:114, sibling_flags 80000046, crypto map: officepartner
        sa timing: remaining key lifetime (k/sec): (4553975/3575)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.100/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.30/255.255.255.255/0/0)
   current_peer 1.2.3.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 136096, #pkts encrypt: 136096, #pkts digest: 136096
    #pkts decaps: 86360, #pkts decrypt: 86360, #pkts verify: 86360
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 20.21.22.23, remote crypto endpt.: 1.2.3.4
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x62E2A681(1659020929)

     inbound esp sas:
      spi: 0x330834A(53510986)
        transform: esp-192-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2111, flow_id: NETGX:111, sibling_flags 80000046, crypto map: officepartner
        sa timing: remaining key lifetime (k/sec): (4428148/3568)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x62E2A681(1659020929)
        transform: esp-192-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2112, flow_id: NETGX:112, sibling_flags 80000046, crypto map: officepartner
        sa timing: remaining key lifetime (k/sec): (4428190/3568)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Do I need to enable NAT and then put NAT exemptions in place for the interesting traffic?
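The two captures above differ in one important way: when the partner initiates, every proxy identity shows packet counters but "current outbound spi: 0x0(0)" and empty esp sas sections, while after the local ping both identities have SPIs installed in each direction. As an added example (not from the thread or either poster), here is a small parser that reads show crypto ipsec sa output and reports proxy identities with no ESP SA installed, so this can be spotted in a long capture without reading it by hand. The two embedded captures are condensed from the ones posted above, reduced to one crypto ACL entry each; FlowSA, parse_ipsec_sa() and flows_without_sa() are this example's own names.

```python
# Added example, not from the thread: parse "show crypto ipsec sa" output and
# report proxy identities that carry traffic counters but have no ESP SPI
# installed, i.e. Phase 2 never completed for that flow. Captures are condensed
# from the thread; FlowSA, parse_ipsec_sa() and flows_without_sa() are ours.
import re
from dataclasses import dataclass

# Capture taken while the partner was initiating: counters but no SPIs.
PARTNER_INITIATED = """\
Router#show  crypto ipsec sa
     PFS (Y/N): N, DH group: none
interface: GigabitEthernet0/1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.100/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.30/255.255.255.255/0/0)
    #pkts encaps: 134600, #pkts encrypt: 134600, #pkts digest: 134600
    #pkts decaps: 85293, #pkts decrypt: 85293, #pkts verify: 85293
    #send errors 5, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
"""

# Capture taken after pinging from 192.168.2.100: SPIs installed both ways.
LOCAL_INITIATED = """\
Router#show  crypto ipsec sa
     PFS (Y/N): Y, DH group: group2
interface: GigabitEthernet0/1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.100/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.30/255.255.255.255/0/0)
    #pkts encaps: 136096, #pkts encrypt: 136096, #pkts digest: 136096
    #pkts decaps: 86360, #pkts decrypt: 86360, #pkts verify: 86360
    #send errors 6, #recv errors 0
     current outbound spi: 0x62E2A681(1659020929)
     inbound esp sas:
      spi: 0x330834A(53510986)
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x62E2A681(1659020929)
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
"""


@dataclass
class FlowSA:
    local_ident: str
    remote_ident: str
    pkts_encaps: int
    pkts_decaps: int
    send_errors: int
    inbound_spis: list
    outbound_spis: list

    @property
    def established(self) -> bool:
        # A usable Phase 2 SA has an SPI installed in both directions.
        return bool(self.inbound_spis and self.outbound_spis)


def _field(pattern: str, block: str, default: str = "", flags: int = 0) -> str:
    m = re.search(pattern, block, flags)
    return m.group(1) if m else default


def _spis(block: str, direction: str) -> list:
    # SPIs listed between "<dir> esp sas:" and the next "<dir> ah sas:" header.
    section = _field(rf"{direction} esp sas:(.*?)(?=\n\s*{direction} ah sas:)", block, "", re.S)
    return [int(h, 16) for h in re.findall(r"spi: 0x([0-9A-Fa-f]+)", section)]


def parse_ipsec_sa(text: str):
    """Return the PFS flags printed at the head of the output and one FlowSA
    per 'protected vrf:' block (one block per crypto ACL entry)."""
    pfs_flags = re.findall(r"PFS \(Y/N\): ([YN])", text)
    flows = []
    for block in re.split(r"\n\s*protected vrf:", text)[1:]:
        flows.append(FlowSA(
            _field(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)", block),
            _field(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)", block),
            int(_field(r"#pkts encaps: (\d+)", block, "0")),
            int(_field(r"#pkts decaps: (\d+)", block, "0")),
            int(_field(r"#send errors (\d+)", block, "0")),
            _spis(block, "inbound"), _spis(block, "outbound")))
    return pfs_flags, flows


def flows_without_sa(text: str) -> list:
    """Proxy identities with no ESP SA installed: the flows to chase first."""
    _, flows = parse_ipsec_sa(text)
    return [(f.local_ident, f.remote_ident) for f in flows if not f.established]
```

The parser also returns the PFS flag at the head of the output, which reads N/none in the partner-initiated capture and Y/group2 in the local one; compare that with the set pfs group2 in the crypto map on both peers before reading anything into it, since with no SA installed the N may simply mean nothing was negotiated.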

Interesting. So traffic flows both ways after the tunnel is established from the other end?

Can you check the cef route for this source and destination:

show ip cef exact-route 192.168.2.100 192.168.10.30

One suggestion I have is to create two new ACLs like this:

access-list 150 permit ip host 192.168.2.100 host 192.168.10.30 log

access-list 150 permit ip any any

and 

access-list 189 permit ip host 192.168.2.100 host 192.168.10.30

Apply the ACL 150 on the LAN interface:

interface GigabitEthernet0/0

ip access-group 150 in

and then do a "debug ip packet detail 189" for this traffic alone. Send one ICMP echo request matching the traffic defined in ACL 189.

Logs should show you process-switched packets which match this 189 ACL and what features they go through on the router.

"undebug all" after this step.