No end-to-end connectivity through the IPSEC tunnel

sfanayei
Level 1

I have an IPsec tunnel between site A (4331 router) and site B (C800 router), and a Win10 machine is connected to the LAN behind each router. A ping from site A to the machine behind router B brings the tunnel up, and debug for isakmp and ipsec shows that both phase 1 and phase 2 complete. The ipsec #pkts encaps: and #pkts decaps: counters increase on the site A router, but only #pkts decaps: increases on the site B router. No end-to-end connectivity. What is wrong? Please help, and thanks in advance.

/SF

16 Replies

Hi SF,

Do you apply any filter on the C800 router outside interface? Could you share your config for C800 router?
HTH,
Meheretab

Hi

No, there is no filter, but here is the C800 config:

crypto keyring ATEA-AU
  pre-shared-key address 185.x.x.x key ******
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp profile ATEA-AU
   keyring ATEA-AU
   match identity address 185.x.x.x 255.255.255.255
   no keepalive
!
!
crypto ipsec transform-set ATEA-AU esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ATEA-AU
 set transform-set ATEA-AU
 set isakmp-profile ATEA-AU
!
!
!
crypto map S2S 5 ipsec-isakmp
 set peer 185.x.x.x
 set transform-set ATEA-AU
 set isakmp-profile ATEA-AU
 match address ATEA-TO-AU-FOR-SCCM
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 2
 no ip address
 spanning-tree portfast
!
!
!
interface GigabitEthernet8
 ip address 37.x.x.x 255.255.255.224
 duplex auto
 speed auto
 crypto map S2S
!
interface GigabitEthernet9
 no ip address
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 10.68.2.1 255.255.255.0
!
ip default-gateway 37.x.x.x
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 37.x.x.x
ip route 10.88.0.0 255.255.0.0 GigabitEthernet8
ip route 10.245.0.0 255.255.0.0 GigabitEthernet8
ip ssh version 2
!
ip access-list extended ATEA-TO-AU-FOR-SCCM
 permit ip 10.68.2.0 0.0.0.255 10.245.0.0 0.0.255.255
!

SF

It appears that you are experiencing one way traffic. I have seen several things that might cause this symptom. One potential cause is an issue with NAT. I do not see any NAT in the partial config that you posted. Is it that there is no NAT or is there NAT but you excluded it from the posted config?

I wonder about this static route

ip route 10.245.0.0 255.255.0.0 GigabitEthernet8

It seems to be redundant with the configured static default route. Is there a reason why this static route is in the config? A static route specifying only the outbound interface can be problematic when that outbound interface is Ethernet. Could you remove this static route and let us know if the behavior changes?

HTH

Rick

Hi 

There is no NAT. I assumed that when there is no NAT at all then I do not need NAT0 either. Is that correct? Can you please show how to configure NAT0 for my config if it is required? I have no experience with IPsec and routers.

Hi,

Did you try removing the static route:
ip route 10.245.0.0 255.255.0.0 GigabitEthernet8 ?

You do not need that statement for sure. Since you have access-list to select the interesting traffic for the Tunnel, please remove the static route and let us know.

HTH,
Meheretab

Sorry, I forgot, but I had removed that.

nat0 was used in pretty old versions of ASA but is not used in IOS routers. You are correct, especially with IOS routers, that if there is no NAT activity desired then you do not need to configure anything about NAT. So that aspect of your config appears to be correct.


Can you do a show on the IPsec SA on the 800 router? Also can you go to one of the hosts connected to the 800 router and do a traceroute to a host in the LAN of the other peer?

HTH

Rick

Traceroute on the host behind the C800 shows that packets are going to its gateway, which is the C800 router LAN interface, and sh crypto ipsec sa on the C800 shows that no encap or decap pkts are increasing at all and no ISAKMP SA is coming up.

I have seen situations where issues with NAT would produce the symptom of one way traffic. But we seem to have established that NAT is not an issue in this case.

I have seen situations where routing issues would produce the symptom of one way traffic. But we seem to have established that routing is working as expected.

I have seen situations where a mismatch in negotiating the security association would produce the symptom of one way traffic. That is why I asked for the output of show crypto ipsec sa. I still hope that if you post that output that it might give us some insight into the issue.

Perhaps posting a new copy of the current config from the 800 router might give us something helpful.


HTH

Rick

Hi

Here is the config and the output of show crypto ipsec sa on the C800:

Atea_AU_DPatTDSE#sh cryp isak sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

Atea_AU_DPatTDSE#sh cryp ipsec sa

interface: GigabitEthernet8
    Crypto map tag: S2S, local addr 3.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.68.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.88.0.0/255.255.0.0/0/0)
   current_peer 185.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 3.x.x.x, remote crypto endpt.: 185.x.x.x
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet8
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.68.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.245.0.0/255.255.0.0/0/0)
   current_peer 185.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

-------------------

!
enable secret 5 $1$OkJr$lHuFcDj5VXSdZZeK7ca2v/
!
no aaa new-model
!
ip domain name TD-DP.com
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C892FSP-K9 sn FCZ194091T8
!
!
username admin secret 5 $1$7eXh$kGzS7Lwd4pQrHafookLM50
!
!
crypto keyring ATEA-AU
  pre-shared-key address 185.x.x.x key ********
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp profile ATEA-AU
   keyring ATEA-AU
   match identity address 185.x.x.x 255.255.255.255
   no keepalive
!
!
crypto ipsec transform-set ATEA-AU esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ATEA-AU
 set transform-set ATEA-AU
 set isakmp-profile ATEA-AU
!
!
!
crypto map S2S 5 ipsec-isakmp
 set peer 185.x.x.x
 set transform-set ATEA-AU
 set isakmp-profile ATEA-AU
 match address ATEA-TO-AU-FOR-SCCM
!
!
interface Loopback0
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 2
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address 3.x.x.x 255.255.255.224
 duplex auto
 speed auto
 crypto map S2S
!
interface GigabitEthernet9
 no ip address
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 10.68.2.1 255.255.255.0
!
ip default-gateway 37.x.x.x
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 3.x.x.x
ip route 10.88.0.0 255.255.0.0 GigabitEthernet8
ip route 10.245.0.0 255.255.0.0 GigabitEthernet8
ip ssh version 2
!
ip access-list extended ATEA-TO-AU-FOR-SCCM
 deny   ip 10.68.2.0 0.0.0.255 host 10.68.2.1
 permit ip 10.68.2.0 0.0.0.255 10.88.0.0 0.0.255.255
 permit ip 10.68.2.0 0.0.0.255 10.245.0.0 0.0.255.255
!
control-plane
!
!
mgcp profile default
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input ssh
line vty 5 189
 login local
 transport input ssh


Hi,

Please run the following lines and test:
no ip route 10.88.0.0 255.255.0.0 GigabitEthernet8
no ip route 10.245.0.0 255.255.0.0 GigabitEthernet8
no ip default-gateway 37.x.x.x

HTH,
Meheretab

Hi Meheretab

Thanks a lot, that was it. After I removed those ip routes I got end-to-end connectivity.

I am glad it works.
By the way, I asked you to remove the "ip default-gateway" command because it is not needed in routers. It basically provides default-gateway for switches which are not running "ip routing".

Do not forget to rate if it was Helpful : )

HTH,
Meheretab

Thanks for letting us know that your issue is now solved. I had commented that one thing that could cause the symptom of one way connectivity was an issue with routing. It is interesting to have confirmation that this issue was indeed caused by a routing issue. And it confirms the point that sometimes a static route which uses only the outbound interface (when that interface is Ethernet) can be problematic.

HTH

Rick
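The two things this thread ended up removing can be checked for before a tunnel is brought up. The Python below is an added example, not code from the thread or from Cisco: it parses a constructed config modelled on the C800 one (public addresses replaced with an RFC 5737 documentation range), flags static routes whose only next hop is an Ethernet interface together with the crypto-map ACL destinations they cover, and reports any ip default-gateway left on the router.

```python
import ipaddress
# Constructed sample modelled on the C800 config in the thread (public addresses use RFC 5737 ranges).
SAMPLE_CONFIG = """
crypto map S2S 5 ipsec-isakmp
 match address ATEA-TO-AU-FOR-SCCM
ip default-gateway 192.0.2.1
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 10.88.0.0 255.255.0.0 GigabitEthernet8
ip route 10.245.0.0 255.255.0.0 GigabitEthernet8
ip access-list extended ATEA-TO-AU-FOR-SCCM
 permit ip 10.68.2.0 0.0.0.255 10.88.0.0 0.0.255.255
 permit ip 10.68.2.0 0.0.0.255 10.245.0.0 0.0.255.255
"""

def take_addr(tokens):
    """Consume one ACL address spec (host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress tries the mask as a netmask before a wildcard: fix the two ambiguous ones
    wc = {"0.0.0.0": "32", "255.255.255.255": "0"}.get(tokens[1], tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{wc}", strict=False), tokens[2:]

def parse_config(text):
    routes, acls, crypto_acls, default_gw, acl = [], {}, set(), None, None
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if not line.startswith(" "):
            acl = None                      # an unindented line ends the ACL block
        if p[:2] == ["ip", "route"] and len(p) >= 5:   # p[4:] = next hop / interface / keywords
            routes.append((ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False), p[4:]))
        elif p[:3] == ["ip", "access-list", "extended"]:
            acl, acls[p[3]] = p[3], []
        elif acl and p[:2] == ["permit", "ip"]:
            acls[acl].append(take_addr(take_addr(p[2:])[1])[0])  # skip source, keep dest
        elif p[:2] == ["match", "address"]:
            crypto_acls.add(p[2])
        elif p[:2] == ["ip", "default-gateway"]:
            default_gw = p[2]
    return routes, acls, crypto_acls, default_gw

def find_problem_routes(text):
    """Static routes whose only next hop is an Ethernet interface (a real next-hop IP
    would start with a digit), each with the crypto-ACL destinations it overlaps."""
    routes, acls, crypto_acls, default_gw = parse_config(text)
    protected = [n for name in crypto_acls for n in acls.get(name, [])]
    findings = []
    for net, hops in routes:
        if "Ethernet" in hops[0] and not (len(hops) > 1 and hops[1][0].isdigit()):
            findings.append((str(net), hops[0], [str(n) for n in protected if n.overlaps(net)]))
    return findings, default_gw
```

Run against the sample it flags both /16 routes out of GigabitEthernet8, each covering one of the crypto-map destinations, while the default route with a next-hop IP is left alone.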