02-28-2012 05:59 AM - edited 02-21-2020 05:54 PM
Hello, I have problems with a network that I added to our Router 800: show ipsec sa shows send errors to the 172.17.0.0 network, which I cannot get to connect. Here is my configuration:
ip nat pool branch 200.89.177.111 200.89.177.111 netmask 255.255.255.248
ip nat inside source route-map nonat pool branch overload
!
access-list 120 remark SDM_ACL Category=20
access-list 120 permit ip 172.30.19.192 0.0.0.63 200.49.83.0 0.0.0.255
access-list 120 permit ip 172.30.19.192 0.0.0.63 172.17.0.0 0.0.255.255
access-list 130 deny ip 172.30.19.192 0.0.0.63 200.49.83.0 0.0.0.255
access-list 130 deny ip 172.30.19.192 0.0.0.63 172.17.0.0 0.0.255.255
access-list 130 permit ip 172.30.19.192 0.0.0.63 any
and the show crypto ipsec sa:
SOAPL-VPN#show crypto ipsec sa
interface: FastEthernet4
Crypto map tag: nolan, local addr 200.89.177.211
protected vrf: (none)
local ident (addr/mask/prot/port): (172.30.19.192/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
current_peer 200.71.232.2 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 391, #recv errors 0
local crypto endpt.: 200.89.177.211, remote crypto endpt.: 200.71.232.2
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.30.19.192/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (200.49.83.0/255.255.255.0/0/0)
current_peer 200.71.232.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15475, #pkts encrypt: 15475, #pkts digest: 15475
#pkts decaps: 15734, #pkts decrypt: 15734, #pkts verify: 15734
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.89.177.211, remote crypto endpt.: 200.71.232.2
path mtu 1500, ip mtu 1500
current outbound spi: 0xE21A0585(3793356165)
inbound esp sas:
spi: 0xE7E8C6A7(3890792103)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: C87X_MBRD:3, crypto map: nolan
sa timing: remaining key lifetime (k/sec): (4386876/86369)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE21A0585(3793356165)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: C87X_MBRD:4, crypto map: nolan
sa timing: remaining key lifetime (k/sec): (4386876/86369)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Hopefully they can help me.
Thank you very much
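Added example, not part of the original post: a small parser for `show crypto ipsec sa` output that splits it into one record per local/remote proxy-identity pair and flags pairs for which SAs were requested but none is installed. The function names `parse_flows` and `diagnose` are hypothetical, and the sample is trimmed from the output posted above.

```python
import ipaddress
import re
# Trimmed from the output posted above: six lines per protected flow.
SAMPLE = """\
local ident (addr/mask/prot/port): (172.30.19.192/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#send errors 391, #recv errors 0
current outbound spi: 0x0(0)
local ident (addr/mask/prot/port): (172.30.19.192/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (200.49.83.0/255.255.255.0/0/0)
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15475, #pkts encrypt: 15475, #pkts digest: 15475
#send errors 0, #recv errors 0
current outbound spi: 0xE21A0585(3793356165)
"""

IDENT = re.compile(r"(local|remote)\s+ident .*?\(([\d.]+/[\d.]+)/")
COUNTER = re.compile(r"#(pkts encaps|send errors):? (\d+)")

def parse_flows(text):
    """Return one dict per proxy-identity pair (selectors as CIDR)."""
    flows = []
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local" or not flows:  # a local ident opens a flow
                flows.append({"flags": set(), "spi": 0})
            flows[-1][m.group(1)] = str(ipaddress.ip_network(m.group(2)))
            continue
        if not flows:  # header lines before the first flow
            continue
        flow = flows[-1]
        if (m := re.search(r"flags=\{(.*?)\}", line)):
            flow["flags"] = {f for f in m.group(1).split(",") if f}
        if (m := re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", line)):
            flow["spi"] = int(m.group(1), 16)
        for m in COUNTER.finditer(line):  # keys: pkts_encaps, send_errors
            flow[m.group(1).replace(" ", "_")] = int(m.group(2))
    return flows

def diagnose(flow):
    """'up' = outbound SA installed; 'no-sa' = requested, none installed."""
    if flow["spi"]:
        return "up"
    if "ipsec_sa_request_sent" in flow["flags"] or flow.get("send_errors"):
        return "no-sa"
    return "idle"  # no SA and nothing has triggered negotiation yet
```

On the posted output this marks 172.30.19.192/26 to 172.17.0.0/16 as `no-sa` and 172.30.19.192/26 to 200.49.83.0/24 as `up`. A common next comparison for a `no-sa` pair is whether the remote peer's crypto ACL mirrors that selector pair.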