Site-to-Site VPN Issue (newbie)

bighiller
Level 1

Hi,

Trying to sort out a configuration issue, but don't have boatloads of experience to sort it out.

The tunnel seems to come up, but I get "output crypto map check failed" when trying to ping a remote host.

Pretty simple site-to-site, here is a scrubbed configuration:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable password Password1
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-565821720
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-565821720
 revocation-check none
 rsakeypair TP-self-signed-565541720
!
!
crypto pki certificate chain TP-self-signed-565541720
 certificate self-signed 01
  quit
!
!
class-map match-all SiteA-2_OUT
 match access-group name SiteA-2_OUT
class-map match-all SiteA-2_IN
 match access-group name SiteA-2_IN
!
!
crypto keyring SiteA-2
  pre-shared-key address 123.123.123.123 key 9P5q9154&ES485Rrq9154&E
crypto logging session
!
crypto isakmp policy 40
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile SiteA-2
   keyring SiteA-2
   match identity address 123.123.123.123 255.255.255.255
   keepalive 10 retry 2
!
!
crypto ipsec transform-set SiteA-2 esp-aes 256 esp-sha-hmac
!
crypto map VPN 160 ipsec-isakmp
 set peer 123.123.123.123
 set security-association lifetime kilobytes 1280000
 set security-association lifetime seconds 86400
 set transform-set SiteA-2
 set isakmp-profile SiteA-2
 match address SiteA-2_ACCESSLIST
 reverse-route static
!
!
!
interface FastEthernet0/0
 description LAN_AMI_PLL
 ip address 111.222.111.222 255.255.252.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description OUTSIDE_INTERNET1
 ip address 222.222.222.222 255.255.255.240
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
ip default-gateway 222.222.222.129
ip route 0.0.0.0 0.0.0.0 222.222.222.129
ip route 172.29.10.0 255.255.255.0 172.29.0.1
!
no ip http server
ip http secure-server
!
ip access-list extended SiteA-2_ACCESSLIST
 permit ip any host 10.140.0.20
 permit ip any host 10.140.0.21
ip access-list extended SiteA-2_IN
 permit ip host 123.123.123.123 any
ip access-list extended SiteA-2_OUT
ip access-list extended VPN_IN
 permit udp any any
 permit ahp any any
 permit esp any any
 permit icmp any any
 permit ip any any
ip access-list extended VPN_OUT
 permit udp any any
 permit ahp any any
 permit esp any any
 permit icmp any any
 permit ip any any
!
access-list 1 permit 172.29.0.0 0.0.3.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password SiteA2
 login
!
end

18 Replies

Aditya Ganjoo
Cisco Employee

Hi,

The config looks fine.

Can you check the routing for the VPN hosts?

It seems a routing issue.

Regards,

Aditya

Please rate helpful posts.

Aditya,

Can you tell me what the "output crypto map check failed" refers to? I'm able to ping hosts on the internet, but not on the other side of the VPN link.

Thanks,

Hi,

That means the traffic is not able to hit the crypto engine and that can be due to the following reasons:

1. Route issue.

2. NAT issue.

Since I do not see any NAT, we do not need to worry about it.

Normally we need to deny the VPN traffic so that it does not get NATTed.

Regards,

Aditya

Please rate helpful posts.

Updated config as I believe we actually need to use NAT.

fa0/0 is our inside interface and fa0/1 is the outside interface. fa0/1 has a public IP.

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable password Password1
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-565821720
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-565821720
 revocation-check none
 rsakeypair TP-self-signed-565541720
!
!
crypto pki certificate chain TP-self-signed-565541720
 certificate self-signed 01
  quit
!
!
class-map match-all SiteA-2_OUT
 match access-group name SiteA-2_OUT
class-map match-all SiteA-2_IN
 match access-group name SiteA-2_IN
!
!
crypto keyring SiteA-2
  pre-shared-key address 123.123.123.123 key 9P5q9154&ES485Rrq9154&E
crypto logging session
!
crypto isakmp policy 40
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile SiteA-2
   keyring SiteA-2
   match identity address 123.123.123.123 255.255.255.255
   keepalive 10 retry 2
!
!
crypto ipsec transform-set SiteA-2 esp-aes 256 esp-sha-hmac
!
crypto map VPN 160 ipsec-isakmp
 set peer 123.123.123.123
 set security-association lifetime kilobytes 1280000
 set security-association lifetime seconds 86400
 set transform-set SiteA-2
 set isakmp-profile SiteA-2
 match address SiteA-2_ACCESSLIST
 reverse-route static
!
!
!
interface FastEthernet0/0
 description LAN_AMI_PLL
 ip address 111.222.111.222 255.255.252.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description OUTSIDE_INTERNET1
 ip address 222.222.222.222 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
ip default-gateway 222.222.222.129
ip route 0.0.0.0 0.0.0.0 222.222.222.129
ip route 172.29.10.0 255.255.255.0 172.29.0.1
!
no ip http server
ip http secure-server
!
ip access-list extended SiteA-2_ACCESSLIST
 permit ip any host 10.140.0.20
 permit ip any host 10.140.0.21
ip access-list extended SiteA-2_IN
 permit ip host 123.123.123.123 any
ip access-list extended SiteA-2_OUT
ip access-list extended VPN_IN
 permit udp any any
 permit ahp any any
 permit esp any any
 permit icmp any any
 permit ip any any
ip access-list extended VPN_OUT
 permit udp any any
 permit ahp any any
 permit esp any any
 permit icmp any any
 permit ip any any
!
access-list 1 permit 172.29.0.0 0.0.3.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password SiteA2
 login
!
end

Hi,

Since we are using NAT statements you need to deny the VPN traffic so that it is exempted from NAT.

Sample config:

ip nat inside source route-map nonat interface FastEthernet0/0 overload

!

!--- Exclude the private network and VPN Client traffic from the NAT process.

access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any

route-map nonat permit 10
match ip address 110

In your case it would be:

access-list 110 deny ip any host 10.140.0.20
access-list 110 deny ip any host 10.140.0.21
access-list 110 permit ip any any

For further info check this link:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14132-ios-D.html

Regards,

Aditya

Please rate helpful posts.

My new config is below. I have now lost access to Internet hosts.

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable password Password1
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-565821720
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-565821720
 revocation-check none
 rsakeypair TP-self-signed-565541720
!
!
crypto pki certificate chain TP-self-signed-565541720
 certificate self-signed 01
  quit
!
!
class-map match-all SiteA-2_OUT
 match access-group name SiteA-2_OUT
class-map match-all SiteA-2_IN
 match access-group name SiteA-2_IN
!
!
crypto keyring SiteA-2
  pre-shared-key address 123.123.123.123 key 9P5q9154&ES485Rrq9154&E
crypto logging session
!
crypto isakmp policy 40
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile SiteA-2
   keyring SiteA-2
   match identity address 123.123.123.123 255.255.255.255
   keepalive 10 retry 2
!
!
crypto ipsec transform-set SiteA-2 esp-aes 256 esp-sha-hmac
!
crypto map VPN 160 ipsec-isakmp
 set peer 123.123.123.123
 set security-association lifetime kilobytes 1280000
 set security-association lifetime seconds 86400
 set transform-set SiteA-2
 set isakmp-profile SiteA-2
 match address SiteA-2_ACCESSLIST
 reverse-route static
!
!
!
interface FastEthernet0/0
 description LAN_AMI_PLL
 ip address 111.222.111.222 255.255.252.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description OUTSIDE_INTERNET1
 ip address 222.222.222.222 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
ip default-gateway 222.222.222.129
ip route 0.0.0.0 0.0.0.0 222.222.222.129
ip route 172.29.10.0 255.255.255.0 172.29.0.1
!
no ip http server
ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
ip access-list extended SiteA-2_ACCESSLIST
 permit ip any host 10.140.0.20
 permit ip any host 10.140.0.21
ip access-list extended SiteA-2_IN
 permit ip host 123.123.123.123 any
ip access-list extended SiteA-2_OUT
ip access-list extended VPN_IN
 permit udp any any
 permit ahp any any
 permit esp any any
 permit icmp any any
 permit ip any any
ip access-list extended VPN_OUT
 permit udp any any
 permit ahp any any
 permit esp any any
 permit icmp any any
 permit ip any any
!
access-list 1 permit 172.29.0.0 0.0.3.255
access-list 110 deny   ip any host 10.140.0.21
access-list 110 permit ip any any
route-map nonat permit 10
 match ip address 110
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password SiteA2
 login
!
end

Hi,

Try changing it to the other interface:

ip nat inside source route-map nonat interface FastEthernet0/1 overload

Regards,

Aditya

Can access the Internet now, but still get the "output crypto map check failed" error.

Hi,

I hope you are pinging only 10.140.0.21 as you are only denying this.

Regards,

Aditya
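As an added example (not from the thread), a small Python model of IOS wildcard-mask ACL evaluation, applied to the NAT-exemption ACL 110 from the two configs posted above and to the crypto map's match ACL. The inside source address and the Internet destination used in the checks are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse one 'permit|deny ip <src> <dst>' entry (with or without the 'access-list 110'
    prefix); addresses are 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    action, tok = tok[0], tok[2:]          # skip the protocol keyword 'ip'
    addrs = []
    while tok:
        if tok[0] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255")); tok = tok[1:]
        elif tok[0] == "host":
            addrs.append((tok[1], "0.0.0.0")); tok = tok[2:]
        else:
            addrs.append((tok[0], tok[1])); tok = tok[2:]
    return action, addrs[0], addrs[1]

def acl_action(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny, as on IOS."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# ACL 110 as posted in the config that lost Internet access: only .21 is exempted.
NONAT_V1 = ["access-list 110 deny   ip any host 10.140.0.21",
            "access-list 110 permit ip any any"]
# ACL 110 as posted in the final running config: both VPN hosts are exempted.
NONAT_V2 = ["access-list 110 deny   ip any host 10.140.0.20",
            "access-list 110 deny   ip any host 10.140.0.21",
            "access-list 110 permit ip any any"]
# The crypto map's 'match address' ACL from the same configs.
CRYPTO_ACL = ["permit ip any host 10.140.0.20", "permit ip any host 10.140.0.21"]

def natted(nonat_acl, src, dst):
    """route-map nonat matches what ACL 110 permits (NATed); a 'deny' entry exempts the flow."""
    return acl_action(nonat_acl, src, dst) == "permit"

def interesting(src, dst):
    """Crypto map 'match address': only permitted flows are handed to IPsec."""
    return acl_action(CRYPTO_ACL, src, dst) == "permit"
```

With the first ACL 110, traffic to 10.140.0.20 is still NATed while 10.140.0.21 is exempted, which is the asymmetry the reply above points at; the second ACL exempts both hosts and NATs only Internet-bound traffic.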

*Mar 10 12:57:38.049: IP: s=222.222.222.222 (local), d=10.140.0.20 (FastEthernet0/1), len 100, output crypto map check failed.

The same occurs with 10.140.0.21; these are the two hosts we need to access on the other side of the VPN tunnel.

Hi,

May I know how you are trying to ping the remote host?

Regards,

Aditya

ping 10.140.0.20 source 172.29.0.51

and

ping 10.140.0.20

both give the "crypto map check failed".

I really appreciate your help!

Hi Aditya,

Was away for a few days vacation, but I am back at it. Still having issues and here is my running config:

Current configuration : 4154 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable password password
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-565541111
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-565541111
 revocation-check none
 rsakeypair TP-self-signed-565541111
!
!
crypto pki certificate chain TP-self-signed-565541111
 certificate self-signed 01
  quit
!
!
class-map match-all Site-1_OUT
 match access-group name Site-1_OUT
class-map match-all Site-1_IN
 match access-group name Site-1_IN
!
!
crypto keyring Site-1
  pre-shared-key address 12.12.12.12 key 5S485Rr9Pq9154&E
crypto logging session
!
crypto isakmp policy 40
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile Site-1
   keyring Site-1
   match identity address 12.12.12.12 255.255.255.255
   keepalive 10 retry 2
!
!
crypto ipsec transform-set Site-1 esp-aes 256 esp-sha-hmac
!
crypto map VPN 160 ipsec-isakmp
 set peer 12.12.12.12
 set security-association lifetime kilobytes 1280000
 set security-association lifetime seconds 86400
 set transform-set Site-1
 set isakmp-profile Site-1
 match address Site-1_ACCESSLIST
 reverse-route static
!
!
!
interface FastEthernet0/0
 description LAN_PLL
 ip address 13.13.13.13 255.255.252.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description OUTSIDE_INTERNET1
 ip address 14.14.14.14 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
ip default-gateway 14.14.14.129
ip route 0.0.0.0 0.0.0.0 14.14.14.129
ip route 13.13.13.0 255.255.255.0 13.13.13.1
!
no ip http server
ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
ip access-list extended Site-1_ACCESSLIST
 permit ip any host 10.140.0.20
 permit ip any host 10.140.0.21
ip access-list extended Site-1_IN
 permit ip host 12.12.12.12 any
ip access-list extended Site-1_OUT
ip access-list extended VPN_IN
 permit udp any any
 permit ahp any any
 permit esp any any
 permit icmp any any
 permit ip any any
ip access-list extended VPN_OUT
 permit udp any any
 permit ahp any any
 permit esp any any
 permit icmp any any
 permit ip any any
!
access-list 1 permit 13.13.0.0 0.0.3.255
access-list 110 deny   ip any host 10.140.0.20
access-list 110 deny   ip any host 10.140.0.21
access-list 110 permit ip any any
route-map nonat permit 10
 match ip address 110
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password password
 login
!
end

Hi,

Do you still have this problem?
Can you send us the updated config from each of the routers?

Thanks