Site-to-site VPN problem

piotrsz90
Level 1

Hello

[u]I'm facing a problem when I try to establish an IPsec site-to-site VPN tunnel.
I can ping router Bydgoszcz from router Torun and vice versa, but only with a standard ping (WAN interfaces); I can't ping from LAN to LAN.[/u]
Here is the configuration of the routers. IOS: C3745-ADVENTERPRISEK9-M

Topology is in the attachment.

Config of router Bydgoszcz:
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key kluczVPN123 address 192.168.11.1
crypto isakmp key kluczVPN123 address 192.168.21.3
!
!
crypto ipsec transform-set MYTRANSFORM esp-aes 256 esp-sha-hmac
!
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.21.3
 set transform-set MYTRANSFORM
 set pfs group5
 match address 100
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.11.1 255.255.255.0
 ip ospf network broadcast
 duplex auto
 speed auto
 crypto map CMAP
!
interface FastEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 ip ospf network broadcast
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.11.0 0.0.0.255 area 0
 network 192.168.21.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.22.0 0.0.0.255

Config of router Torun:
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key kluczVPN123 address 192.168.11.1
!
!
crypto ipsec transform-set MYTRANSFORM esp-aes 256 esp-sha-hmac
!
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.11.1
 set transform-set MYTRANSFORM
 set pfs group5
 match address 100
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.21.3 255.255.255.0
 ip ospf network broadcast
 duplex auto
 speed auto
 crypto map CMAP
!
interface FastEthernet0/1
 ip address 192.168.22.3 255.255.255.0
 ip ospf network broadcast
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 3.3.3.0 0.0.0.255 area 0
 network 192.168.21.0 0.0.0.255 area 0
 network 192.168.22.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.22.0 0.0.0.255 192.168.12.0 0.0.0.255
!
[u]ACLs look fine to me.[/u]


Torun#sh crypto isakmp sa
dst             src             state          conn-id slot status
192.168.21.3    192.168.11.1    QM_IDLE              1    0 ACTIVE
--
Bydgoszcz#sh crypto isakmp sa
dst             src             state          conn-id slot status
192.168.21.3    192.168.11.1    QM_IDLE              1    0 ACTIVE

[u]ISAKMP status on both sides is correct.[/u]

Transform sets, crypto maps, etc. seem to be correct.

[u]When I ping LAN Torun from LAN Bydgoszcz and vice versa, when the SA is not established yet (or its lifetime has expired),
there is output like this on both sides:[/u]

Bydgoszcz#ping 192.168.22.3 source 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.22.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1

*Mar  1 22:35:27.006: ISAKMP: received ke message (1/1)
*Mar  1 22:35:27.006: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar  1 22:35:27.010: ISAKMP: Found a peer struct for 192.168.21.3, peer port 500
*Mar  1 22:35:27.010: ISAKMP: Locking peer struct 0x64F2568C, IKE refcount 1 for isakmp_initiator
*Mar  1 22:35:27.014: ISAKMP: local port 500, remote port 500
*Mar  1 22:35:27.014: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 22:35:27.018: insert sa successfully sa = 655BB69C
*Mar  1 22:35:27.018: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar  1 22:35:27.022: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.168.21.3
*Mar  1 22:35:27.026: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar  1 22:35:27.030: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar  1 22:35:27.030: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar  1 22:35:27.034: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 22:35:27.038: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 22:35:27.038: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar  1 22:35:27.042: ISAKMP:(0:0:N/A:0): sending packet to 192.168.21.3 my_port 500 peer_port 500 (TATE
*Mar  1 22:35:27.370: ISAKMP (0:0): received packet from 192.168.21.3 dport 500 sport 500 Global (I)TE
*Mar  1 22:35:27.374: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 22:35:27.378: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  Ne.w State = IKE_I_MM2

*Mar  1 22:35:27.382: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar  1 22:35:27.386: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 22:35:27.390: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 22:35:27.390: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 22:35:27.390: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.168.21.3
*Mar  1 22:35:27.390: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar  1 22:35:27.390: ISAKMP : Scanning profiles for xauth ...
*Mar  1 22:35:27.390: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
*Mar  1 22:35:27.390: ISAKMP:      encryption AES-CBC
*Mar  1 22:35:27.390: ISAKMP:      keylength of 256
*Mar  1 22:35:27.390: ISAKMP:      hash SHA
*Mar  1 22:35:27.390: ISAKMP:      default group 5
*Mar  1 22:35:27.390: ISAKMP:      auth pre-share
*Mar  1 22:35:27.390: ISAKMP:      life type in seconds
*Mar  1 22:35:27.390: ISAKMP:      life duration (basic) of 3600
*Mar  1 22:35.:27.390: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar  1 22:35:27.426: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 22:35:27.430: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 22:35:27.430: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Mar  1 22:35:27.434: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 22:35:27.438: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  1 22:35:27.438: ISAKMP:(0:1:SW:1): sending packet to 192.168.21.3 my_port 500 peer_port 500 (ITUP
*Mar  1 22:35:27.438: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 22:35:27.438: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  1 22:35:27.570: ISAKMP (0:134217729): received packet from 192.168.21.3 dport 500 sport 500 GlM_SA_SETUP
*Mar  1 22:35:27.578: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 22:35:27.578: ISAKMP:(0:1:SW:1):Old State =. IKE_I_MM3  New State = IKE_I_MM4

*Mar  1 22:35:27.586: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 192.168.21.3
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1):SKEYID state generated
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1):Send initial contact
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1):.SA is doing pre-shared key authentication using id type ID_
*Mar  1 22:35:27.670: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.11.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1):Total payload length: 12
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1): sending packet to 192.168.21.3 my_port 500 peer_port 500 (IXCH
*Mar  1 22:35:27.670: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 22:35:27.674: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar  1 22:35:27.726: ISAKMP (0:134217729): received packet from 192.168.21.3 dport 500 sport 500 GlM_KEY_EXCH
*Mar  1 22:35:27.734: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Mar  1 22:35:27.738: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.21.3
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 22:35:27.742: ISAKMP.
Success rate is 0 percent (0/5)
Bydgoszcz#:(0:1:SW:1):: peer matches *none* of the profiles
*Mar  1 22:35:27.746: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
*Mar  1 22:35:27.750: ISAKMP:(0:1:SW:1):SA authentication status:
        authenticated
*Mar  1 22:35:27.754: ISAKMP:(0:1:SW:1):SA has been authenticated with 192.168.21.3
*Mar  1 22:35:27.754: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 22:35:27.758: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar  1 22:35:27.766: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 22:35:27.770: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar  1 22:35:27.778: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 22:35:27.782: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar  1 22:35:27.782: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 1246707369
*Mar  1 22:35:27.826: ISAKMP:(0:1:SW:1): sending packet to 192.168.21.3 my_port 500 peer_port 500 (I
*Mar  1 22:35:27.826: ISAKMP:(0:1:SW:1):Node 1246707369, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 22:35:27.826: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 22:35:27.826: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 22:35:27.826: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 22:35:28.038: ISAKMP (0:134217729): received packet from 192.168.21.3 dport 500 sport 500 GlM_IDLE
*Mar  1 22:35:28.050: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1246707369
*Mar  1 22:35:28.054: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1246707369
*Mar  1 22:35:28.054: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar  1 22:35:28.058: ISAKMP: transform 1, ESP_AES
*Mar  1 22:35:28.058: ISAKMP:   attributes in transform:
*Mar  1 22:35:28.058: ISAKMP:      encaps is 1 (Tunnel)
*Mar  1 22:35:28.062: ISAKMP:      SA life type in seconds
*Mar  1 22:35:28.062: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 22:35:28.062: ISAKMP:      SA life type in kilobytes
*Mar  1 22:35:28.066: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  1 22:35:28.070: ISAKMP:      authenticator is HMAC-SHA
*Mar  1 22:35:28.070: ISAKMP:      key length is 256
*Mar  1 22:35:28.074: ISAKMP:      group is 5
*Mar  1 22:35:28.074: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar  1 22:35:28.078: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 1246707369
*Mar  1 22:35:28.078: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 1246707369
*Mar  1 22:35:28.138: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1246707369
*Mar  1 22:35:28.138: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1246707369
*Mar  1 22:35:28.138: ISAKMP: Locking peer struct 0x64F2568C, IPSEC refcount 4 for for stuff_ke
*Mar  1 22:35:28.138: ISAKMP:(0:1:SW:1): Creating IPSec SAs
*Mar  1 22:35:28.138:         inbound SA from 192.168.21.3 to 192.168.11.1 (f/i)  0/ 0
        (proxy 192.168.22.0 to 192.168.12.0)
*Mar  1 22:35:28.138:         has spi 0xC9CF8BFA and conn_id 0 and flags 43
*Mar  1 22:35:28.138:         lifetime of 3600 seconds
*Mar  1 22:35:28.138:         lifetime of 4608000 kilobytes
*Mar  1 22:35:28.138:         has client flags 0x0
*Mar  1 22:35:28.138:         outbound SA from 192.168.11.1 to 192.168.21.3 (f/i) 0/0
        (proxy 192.168.12.0 to 192.168.22.0)
*Mar  1 22:35:28.138:         has spi 2023156237 and conn_id 0 and flags 4B
*Mar  1 22:35:28.138:         lifetime of 3600 seconds
*Mar  1 22:35:28.138:         lifetime of 4608000 kilobytes
*Mar  1 22:35:28.138:         has client flags 0x0
*Mar  1 22:35:28.138: ISAKMP:(0:1:SW:1): sending packet to 192.168.21.3 my_port 500 peer_port 500 (I
*Mar  1 22:35:28.138: ISAKMP:(0:1:SW:1):deleting node 1246707369 error FALSE reason "No Error"
*Mar  1 22:35:28.138: ISAKMP:(0:1:SW:1):Node 1246707369, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 22:35:28.138: ISAKMP:(0:1:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Mar  1 22:35:28.142: ISAKMP: Locking peer struct 0x64F2568C, IPSEC refcount 5 for from create_trans
*Mar  1 22:35:28.146: ISAKMP: Unlocking IPSEC struct 0x64F2568C from create_transforms, count 4
Bydgoszcz#
Bydgoszcz#

And when I ping again, nothing:

Bydgoszcz#ping 192.168.22.3 source 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.22.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
.....
Success rate is 0 percent (0/5)
----------
PINGS
[u]From Bydgoszcz side:
Standard[/u]
Bydgoszcz#ping 192.168.22.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.22.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/49/92 ms
[u]From LAN of Bydgoszcz to LAN of Torun[/u]
Bydgoszcz#ping 192.168.22.3 source 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.22.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
.....
Success rate is 0 percent (0/5)
[u]To LAN of Torun from WAN of Bydgoszcz[/u]
Bydgoszcz#ping 192.168.22.3 source 192.168.11.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.22.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/49/72 ms

***************************************************************
[u]From Torun side:
Standard ping[/u]
Torun#ping 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Torun#ping 192.168.11.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/49/92 ms
[u]To LAN of Bydgoszcz from LAN of Torun[/u]
Torun#ping 192.168.12.1 source 192.168.22.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.22.3
.....
Success rate is 0 percent (0/5)
[u]Ping to WAN of Bydgoszcz from LAN Torun[/u]
Torun#ping 192.168.11.1 source 192.168.22.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.22.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/72 ms
And this output appears on Torun:
Torun#
*Mar  6 12:41:30.583: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=192.168.21.3 remote=192.168.11.1 spi=8F58DC99 seqno=00000009

Any suggestions would be much appreciated. I don't know what went wrong.
Thanks in advance.


12 Replies

Vishnu Sharma
Level 1

Please share output of this command from both the VPN routers:


show crypto ipsec sa


Vishnu

Bydgoszcz#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 192.168.11.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
   current_peer 192.168.21.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 68, #pkts encrypt: 68, #pkts digest: 68
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 192.168.11.1, remote crypto endpt.: 192.168.21.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Torun#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 192.168.21.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
   current_peer 192.168.11.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.21.3, remote crypto endpt.: 192.168.11.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Actually it shows that the tunnel is established; however, I can't ping from LAN to LAN.

First of all, I do not see any active SAs formed in phase 2, i.e. the tunnel is not up. Please bring the tunnel up first and then try. Also, I see that the tunnel was up in the past and 68 packets were encrypted from the site where the local network is 192.168.12.0, and the same number of packets were decrypted on the other side of the VPN where the local network is 192.168.22.0, but I do not see any encrypts from this side going back. The problem lies on the site with local address 192.168.12.0.


Please check NAT setting on this router (192.168.21.3)


Vishnu
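The reasoning in the reply above (encaps on one side, decaps but zero encaps on the other, outbound SPI 0x0 on both) can be mechanised. The following is an added example, not code from the thread or from Cisco: it parses the relevant lines of `show crypto ipsec sa` from both peers and reports one-way traffic, unmirrored proxy identities, mismatched peers and a missing phase 2 SA. The two output strings are constructed to match the counters posted above and are not captures from the routers.

```python
"""Spot a one-way IPsec tunnel from `show crypto ipsec sa` counters (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output, trimmed to the lines the parser reads.
BYDGOSZCZ_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 192.168.11.1
   local  ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
   current_peer 192.168.21.3 port 500
    #pkts encaps: 68, #pkts encrypt: 68, #pkts digest: 68
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 6, #recv errors 0
     current outbound spi: 0x0(0)
"""
TORUN_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 192.168.21.3
   local  ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
   current_peer 192.168.11.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""


@dataclass
class SaStats:
    local_addr: str
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int
    outbound_spi: str


_FIELDS = {
    "local_addr": r"local addr (\S+)",
    "peer": r"current_peer (\S+)",
    "local_ident": r"local\s+ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "outbound_spi": r"current outbound spi: (\S+)",
}
_INTS = {"encaps", "decaps", "send_errors"}


def parse_ipsec_sa(text: str) -> SaStats:
    """Extract one crypto-map entry's identities and counters from IOS output."""
    values = {}
    for name, pattern in _FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field {name!r} not found in output")
        values[name] = int(match.group(1)) if name in _INTS else match.group(1)
    return SaStats(**values)


def diagnose(a: SaStats, b: SaStats) -> list[str]:
    """Compare both ends of one tunnel; an empty list means they look consistent."""
    findings = []
    # Each router's configured peer must be the other's crypto endpoint.
    if a.peer != b.local_addr or b.peer != a.local_addr:
        findings.append("peer addresses do not point at each other's crypto endpoint")
    # The proxy identities come from the crypto ACLs and must be exact mirrors.
    if a.local_ident != b.remote_ident or a.remote_ident != b.local_ident:
        findings.append("proxy identities (crypto ACLs) are not mirrored")
    # Encaps on one side, decaps but zero encaps on the other: the far side
    # receives the traffic but never sends a reply into the tunnel, so look at
    # routing or NAT on that side rather than at the crypto settings.
    for near, far in ((a, b), (b, a)):
        if near.encaps > 0 and far.decaps > 0 and far.encaps == 0:
            findings.append(f"one-way traffic: {near.local_addr} encrypts, "
                            f"{far.local_addr} decrypts but never encrypts a reply")
    # Outbound SPI 0x0 on both ends: no phase 2 SA is active right now.
    if a.outbound_spi == "0x0(0)" and b.outbound_spi == "0x0(0)":
        findings.append("no active phase 2 SA on either side (outbound SPI is 0x0)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ipsec_sa(BYDGOSZCZ_OUTPUT), parse_ipsec_sa(TORUN_OUTPUT)):
        print(finding)
```

Run against the two constructed outputs it reports the one-way traffic (192.168.11.1 encrypts, 192.168.21.3 never encrypts a reply) and the absent phase 2 SA, while the peers and proxy identities pass, which matches the conclusion drawn in the reply.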

There is no NAT deployed on any of the routers.

WILLIAM STEGMAN
Level 4

From Bydgoszcz, the isakmp and ipsec peer should be 192.168.23.1, the outside interface of the peer.  And for Torun, the peer should be 192.168.12.1.  I don't see the inside LAN addresses in your diagram.  Is it 192.168.12.0/24 for Bydgoszcz and 192.168.22.0/24 for Torun?  In short, make sure your inside addresses are referenced in the ACL for IPSec protection and the outside addresses are used as the peers in the configs.

Sorry about the topology, the previous one was out of date.

Now I attached the actual one.

WILLIAM STEGMAN
Level 4

It looks like you're trying to use OSPF to communicate the routes between networks.  I don't think that will work without using GRE or VTI.  Try adding a static route on each router.  Also, I don't see any NAT config, but make sure you're not NATing clients when they are trying to reach the remote LAN.
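The two replies from William Stegman above boil down to three checks on a pair of crypto-map configs: the peer must be the far router's outside (crypto-map) interface address, the crypto ACLs must mirror each other, and a plain crypto-map tunnel carries no OSPF adjacency, so each router needs its own route for the remote LAN. The checker below is an added example, not code from the thread; it parses the statements it needs from two IOS configs and reports what fails. The configs are constructed from the ones posted earlier in the thread, trimmed to the relevant lines; the `ip route` next hops (192.168.11.254, 192.168.21.254) are placeholders, since the thread does not show the WAN path.

```python
"""Consistency checks for a pair of IOS crypto-map site-to-site configs (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network

# Constructed from the posted configs, trimmed to what the checks read.
BYDGOSZCZ_AS_POSTED = """\
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.21.3
 match address 100
!
interface FastEthernet0/0
 ip address 192.168.11.1 255.255.255.0
 crypto map CMAP
!
interface FastEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.22.0 0.0.0.255
"""
TORUN_AS_POSTED = """\
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.11.1
 match address 100
!
interface FastEthernet0/0
 ip address 192.168.21.3 255.255.255.0
 crypto map CMAP
!
interface FastEthernet0/1
 ip address 192.168.22.3 255.255.255.0
!
access-list 100 permit ip 192.168.22.0 0.0.0.255 192.168.12.0 0.0.0.255
"""
# Next hops are placeholders (assumption): the thread never shows the WAN path.
BYDGOSZCZ_WITH_STATIC = BYDGOSZCZ_AS_POSTED + "ip route 192.168.22.0 255.255.255.0 192.168.11.254\n"
TORUN_WITH_STATIC = TORUN_AS_POSTED + "ip route 192.168.12.0 255.255.255.0 192.168.21.254\n"


@dataclass
class Site:
    name: str
    interfaces: dict[str, str] = field(default_factory=dict)  # ifname -> address
    crypto_if: str | None = None      # interface the crypto map is applied to
    peer: str | None = None
    match_acl: str | None = None
    acls: dict[str, list[tuple[Net, Net]]] = field(default_factory=dict)
    static_routes: list[Net] = field(default_factory=list)


def _wildcard(addr: str, wildcard: str) -> Net:
    """Turn an IOS address + wildcard mask (e.g. 0.0.0.255) into a network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_site(name: str, config: str) -> Site:
    """Line-oriented parser for just the statements the checks depend on."""
    site, section = Site(name), None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):                      # global statement
            section = None
            if m := re.match(r"interface (\S+)", raw):
                section = ("interface", m.group(1))
            elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", raw):
                section = ("cmap", None)
            elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", raw):
                site.acls.setdefault(m.group(1), []).append(
                    (_wildcard(m.group(2), m.group(3)), _wildcard(m.group(4), m.group(5))))
            elif m := re.match(r"ip route (\S+) (\S+) \S+", raw):
                site.static_routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        body = raw.strip()                               # indented sub-command
        if section is None:
            continue
        if section[0] == "interface":
            if m := re.match(r"ip address (\S+) \S+", body):
                site.interfaces[section[1]] = m.group(1)
            elif body.startswith("crypto map "):
                site.crypto_if = section[1]
        elif section[0] == "cmap":
            if m := re.match(r"set peer (\S+)", body):
                site.peer = m.group(1)
            elif m := re.match(r"match address (\S+)", body):
                site.match_acl = m.group(1)
    return site


def check_pair(a: Site, b: Site) -> list[str]:
    """Return problems between two sites; an empty list means the pair is consistent."""
    problems = []
    for local, remote in ((a, b), (b, a)):
        outside = remote.interfaces.get(remote.crypto_if)   # far router's outside address
        if local.peer != outside:
            problems.append(f"{local.name}: set peer {local.peer}, but {remote.name}'s "
                            f"crypto interface address is {outside}")
        entries = local.acls.get(local.match_acl, [])
        mirrored = {(dst, src) for src, dst in remote.acls.get(remote.match_acl, [])}
        if not entries or set(entries) != mirrored:
            problems.append(f"{local.name}: crypto ACL {local.match_acl} does not mirror {remote.name}'s")
        for _, dst in entries:                                # every protected destination needs a route
            if not any(dst.subnet_of(route) for route in local.static_routes):
                problems.append(f"{local.name}: no static route covers {dst}; a crypto-map "
                                "tunnel carries no OSPF, so add one (or move to GRE/VTI)")
    return problems
```

On the configs as posted the only findings are the two missing routes; once the static routes are added the pair passes, and swapping Torun's peer for Bydgoszcz's LAN address instead of its outside address is flagged by the first check.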

Yes, I wanted the routers to connect with OSPF, so you say I have to deploy GRE over IPsec or VTIs? I don't want to change the routes to static, but if I have to, I will.

Thanks for help William Stegman!

I need to learn more to deploy VPN with dynamic routing. For now I needed only a basic solution.

Hi, piotrsz90

Here is the solution without OSPF, only IPsec; see the attached file.

If you want your loopbacks to also ping each other, then also add to the ACL on the Bydgoszcz router:

access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

access-list 100 permit ip 1.1.1.0 0.0.0.255 192.168.22.0  0.0.0.255

access-list 100 permit ip 1.1.1.0 0.0.0.255 192.168.21.0  0.0.0.255

Likewise, add the ACL on the Torun router as well.


HTH

"Don't forget to rate me"

If you want to run OSPF, then see this configuration.


HTH

"Please rate me if helpful" 

Hello skmkazim552

I switched off the OSPF process and deployed static routing; everything works fine.

I need to consider a VPN implementation with dynamic routing. I need to learn more before I try that. Thanks for the help!
