L2L VPN problem

kleung0405
Level 1

I have set up a VPN connection between a Cisco 887VA and a Cisco SOHO router.  The connection seems to come up ok, but I cannot ping either network.  From the remote network, I can ping the main office router but nothing else.  I cannot ping anything from the main office to remote.

Here are the ping results:

[image: ping result.jpg]

I can ping the main office router from the remote router.

[image: ping result 2.jpg]

I cannot ping anything else.

[image: remote ISAKMP.jpg]

By doing a show crypto isakmp sa, I can see the tunnel seems to have been established.

[image: Remote IPsec.jpg]

Doing a show crypto ipsec sa, I can see packets being encrypted but nothing is coming back.

I am not sure whether it is an access list problem or a routing problem.

Attached are the configurations of the routers.  Any help would be appreciated.

3 Replies

Jouni Forss
VIP Alumni

Hi,

I am personally not that familiar with all the different router configurations (although they are very basic for someone who uses routers regularly).

What hit my eye in the other configuration was the "set ip next-hop 1.1.1.2". What's its purpose?

route-map nonat permit 10
 match ip address 120
 set ip next-hop 1.1.1.2

- Jouni

Hi,

That was copied from an old working configuration.  It didn't work with or without it. 

The other one would be the ACL that defines the interesting traffic for the L2L VPN:

access-list 115 permit ip 172.16.1.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 115 permit ip 172.16.2.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 115 permit ip 172.16.3.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 115 deny   ip 172.16.3.0 0.0.0.255 any
access-list 115 deny   ip 172.16.2.0 0.0.0.255 any
access-list 115 deny   ip 172.16.1.0 0.0.0.255 any

I don't think you need the "deny" statements in the ACL.

The earlier lines already define the traffic that needs to get to the VPN connection. The rest of the traffic simply won't get matched.

Though I don't know if this has anything to do with the actual problem.

I wonder what the traffic in your above screen capture shows. It shows that there have been 9 packets from the other direction. But naturally most traffic has never gotten any return traffic. I wonder where those 9 packets were sourced from, since there has been some traffic through the tunnel in the other direction too.

- Jouni
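The two points raised in this reply (the trailing deny lines in the crypto ACL are redundant because an IOS ACL ends in an implicit deny, and a crypto ACL only selects traffic in one direction, so the peer needs the mirror image) can be checked mechanically. The following is an added example written for this page, not code from the thread or from Cisco: it parses the ACL 115 lines quoted above (copied here as a constructed string), evaluates them first-match with the implicit deny, shows that dropping the three deny lines changes nothing for a set of constructed sample flows, and generates the mirrored permits a peer crypto ACL would need. The flow addresses, the peer ACL used in the comparison and the function names are assumptions for illustration only.

```python
import ipaddress
import re
from typing import List, Tuple

# Crypto ACL as quoted in the reply above (constructed copy for this example).
ACL_115_WITH_DENY = """
access-list 115 permit ip 172.16.1.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 115 permit ip 172.16.2.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 115 permit ip 172.16.3.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 115 deny   ip 172.16.3.0 0.0.0.255 any
access-list 115 deny   ip 172.16.2.0 0.0.0.255 any
access-list 115 deny   ip 172.16.1.0 0.0.0.255 any
"""
# Same ACL with the three deny lines removed (only the permits).
ACL_115_WITHOUT_DENY = "\n".join(ACL_115_WITH_DENY.strip().splitlines()[:3])

Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# Numbered extended ACL, protocol "ip", source/destination as "any" or "addr wildcard".
ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)\s*$"
)


def _parse_addr(tok: str) -> ipaddress.IPv4Network:
    """Turn 'any' or 'addr wildcard' into a network. IOS wildcard masks are
    inverted subnet masks (0.0.0.255 -> /24); reject non-contiguous ones."""
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, wild = tok.split()
    hostbits = int(ipaddress.IPv4Address(wild))
    prefix = 32 - hostbits.bit_length()
    if hostbits != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wild}")
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def parse_acl(text: str) -> List[Ace]:
    """Parse ACE lines into (action, src_net, dst_net) tuples, in order."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE: {line}")
        _, action, src, dst = m.groups()
        aces.append((action, _parse_addr(src), _parse_addr(dst)))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation, ending in IOS's implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in aces:
        if s in snet and d in dnet:
            return action
    return "deny"


def to_ios(aces: List[Ace], number: int) -> List[str]:
    """Render ACEs back into access-list syntax."""
    def wild(net: ipaddress.IPv4Network) -> str:
        return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"
    return [f"access-list {number} {a} ip {wild(s)} {wild(d)}" for a, s, d in aces]


def mirror(aces: List[Ace]) -> List[Ace]:
    """Crypto ACL the peer must carry: the permits with src/dst swapped."""
    return [("permit", dnet, snet) for action, snet, dnet in aces if action == "permit"]


def missing_on_peer(local: List[Ace], peer: List[Ace]) -> List[Ace]:
    """Mirrored permits the peer's crypto ACL lacks (a classic cause of
    'encaps counting up, decaps staying at zero')."""
    have = {(s, d) for a, s, d in peer if a == "permit"}
    return [ace for ace in mirror(local) if (ace[1], ace[2]) not in have]


# Constructed sample flows: LAN->remote, LAN->Internet, return direction, unrelated.
SAMPLE_FLOWS = [
    ("172.16.1.10", "172.16.12.20"),
    ("172.16.3.5", "172.16.12.1"),
    ("172.16.2.7", "198.51.100.9"),
    ("172.16.12.20", "172.16.1.10"),
    ("10.0.0.1", "172.16.12.1"),
]


def deny_lines_are_redundant(with_deny: str, without_deny: str,
                             flows=SAMPLE_FLOWS) -> bool:
    """True when both ACL versions give the same verdict for every sample flow."""
    a, b = parse_acl(with_deny), parse_acl(without_deny)
    return all(evaluate(a, s, d) == evaluate(b, s, d) for s, d in flows)


if __name__ == "__main__":
    print("deny lines redundant:", deny_lines_are_redundant(ACL_115_WITH_DENY, ACL_115_WITHOUT_DENY))
    for line in to_ios(mirror(parse_acl(ACL_115_WITHOUT_DENY)), 115):
        print("peer needs:", line)
```

The mirror check is the one worth running first when `show crypto ipsec sa` shows encaps climbing and decaps at zero: feed in the remote router's crypto ACL as `peer` and anything `missing_on_peer` returns is traffic the remote side will never select for the tunnel.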