Site2Site VPN between Cisco850 and Linksys RV042 is up but no data pass

nunziofalcone
Level 1

Hi

My scenario is as follows:

HEADQUARTER (192.168.1.0/24)
|
|
CISCO-850 (Priv IP 192.168.1.1; Pub Fake IP 11.11.11.11)
|        |
|        |
INTERNET    |VPN Site2Site
|        |
|        |
LINKSYS RV041 (Priv IP 192.168.3.10; Pub Fake IP 22.22.22.22)
|
|
BRANCH (192.168.3.0/24)

My problem is the Site2Site VPN between the Cisco and Linksys routers: after some troubles the VPN tunnel now seems up, but no data is passed across the tunnel.

-------------

This is the configuration of the Linksys RV042 (Firmware Version: 1.3.12.6-tm, which seems to be the latest for this hardware)

-------------

Tunnel No.            1   

Interface            WAN1

***Local Group Setup***

Local Security Gateway Type    IP Only

IP address            22.22.22.22     

Local Security Group Type    subnet   

IP address            192.168.3.0

Subnet Mask            255.255.255.0

***Remote Group Setup***   

Remote Security Gateway Type    11.11.11.11

Remote Security Group Type    subnet

IP address            192.168.1.0

Subnet Mask            255.255.255.0

***IPSec Setup***

Keying Mode            IKE with preshared

Phase1 DH Group            group2

Phase1 Encryption        3des

Phase1 Authentication        md5

Phase1 SA Life Time        28800

Perfect Forward Secrecy        disabled

Phase2 Encryption        3des

Phase2 Authentication        md5

Phase2 SA Life Time        3600

Preshared Key            presharedkey

***Advanced***

Aggressive Mode            not enabled

Compress             not enabled

Keep-Alive            not enabled

AH Hash Algorithm        not enabled

NetBIOS broadcast        not enabled

NAT Traversal            not enabled

Dead Peer Detection (DPD)       not enabled   

---------------

The config of the Cisco 850 follows (note that on the Cisco there are other tunnels (Tunnel0 and Tunnel1, not encrypted) that work well)

---------------

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

no service dhcp

!

hostname nolan

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

enable secret 5 *********************

!

no aaa new-model

clock timezone PCTime 1

clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00

!

crypto pki trustpoint TP-self-signed-3988726210

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3988726210

revocation-check none

rsakeypair TP-self-signed-3988726210

!

!

crypto pki certificate chain TP-self-signed-3988726210

certificate self-signed 01

  ***** ******* ***** *******

  ***** ******* ***** *******

      quit

dot11 syslog

no ip source-route

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1

ip dhcp excluded-address 192.168.1.2 192.168.1.199

!

ip dhcp pool sdm-pool1

   import all

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 151.99.125.1 151.99.0.100

   class CLASSE_100

      address range 192.168.1.201 192.168.1.240

!

!

ip dhcp class CLASSE_100

!

ip cef

no ip bootp server

ip domain name interbusiness.it

ip name-server 8.8.8.8

ip name-server 208.67.222.222

!

!

!

username supervisor privilege 15 secret 5 ********************

username admin privilege 15 secret 5 ************************

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

lifetime 28800

crypto isakmp key <presharedkey> address 22.22.22.22 no-xauth

!

!

crypto ipsec transform-set mydesmd5 esp-des esp-md5-hmac

mode transport

crypto ipsec transform-set my3desmd5 esp-3des esp-md5-hmac

!

crypto ipsec profile CRYPTOTUNNEL

set transform-set mydesmd5

!

!

crypto map CRYMAP1 1 ipsec-isakmp

description Tunnel toBRANCH

set peer 22.22.22.22

set security-association lifetime seconds 28800

set transform-set my3desmd5

match address 120

reverse-route static

!

!

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!        

interface Tunnel2

description ***tunnel to BRANCH***

ip unnumbered FastEthernet2

ip virtual-reassembly

shutdown

keepalive 10 3

tunnel source 11.11.11.11

tunnel destination 22.22.22.22

tunnel checksum

tunnel path-mtu-discovery

crypto map CRYMAP1

!

interface Tunnel0

description Tunnel to Tunisia

ip address 192.168.254.0 255.255.255.254

ip nat inside

ip virtual-reassembly

keepalive 10 3

tunnel source 11.11.11.11

tunnel destination zz.zz.zz.zz

tunnel key 2008

tunnel checksum

tunnel path-mtu-discovery

!

interface Tunnel1

description napoli-milano

ip address 10.1.1.2 255.255.255.252

ip nat inside

ip virtual-reassembly

keepalive 10 3

tunnel source 11.11.11.11

tunnel destination zz.zz.zz.zz

tunnel checksum

tunnel path-mtu-discovery

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

ip address 11.11.11.11 255.255.255.0

ip nat outside

ip virtual-reassembly

pvc 8/35

  encapsulation aal5snap

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

ip address 192.168.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 ATM0.1

ip route 192.168.0.0 255.255.255.0 Tunnel0

ip route 192.168.2.0 255.255.255.0 Tunnel1

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip dns server

ip nat inside source list 1 interface ATM0.1 overload

ip nat inside source route-map NAT_ROUTEMAP interface Tunnel2 overload

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 102 remark Innanzitutto esclude il tunnel ipsec dal nat

access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 102 remark Poi definisce il traffico da nattare

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 deny   ip any any

access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

no cdp run

route-map NAT_ROUTEMAP permit 1

match ip address 102

!

!

!

control-plane

!

!

line con 0

login local

no modem enable

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

privilege level 15

login local

transport input ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

On the Linksys side the log says:

Initiating Main Mode

[Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet

[Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet

[Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet

Ignoring Vendor ID payload Type = [Cisco-Unity]

Received Vendor ID payload Type = [Dead Peer Detection]

Ignoring Vendor ID payload [8a737dcb5be08cdf...]

Ignoring Vendor ID payload Type = [XAUTH]

[Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet

[Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet

Discarding duplicate packet; already STATE_MAIN_I3

[Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet

Main mode peer ID is ID_IPV4_ADDR: '11.11.11.11'

[Tunnel Negotiation Info] Main Mode Phase 1 SA Established

[Tunnel Negotiation Info] Initiator Cookies = fec8 d09f 5c23 e38c

[Tunnel Negotiation Info] Responder Cookies = 7fb4 dad6 5be1 8cdf

initiating Quick Mode PSK+TUNNEL

[Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet

Received informational payload, type IPSEC_RESPONDER_LIFETIME

[Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet

[Tunnel Negotiation Info] Inbound SPI value = 2971bb8f

[Tunnel Negotiation Info] Outbound SPI value = fc4aade

[Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet

[Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected

On the Cisco side the logs say:

cisco#sh crypto isakmp sa detail

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

2659  11.11.11.11    22.22.22.22             ACTIVE 3des md5  psk  2  07:47:00    

       Engine-id:Conn-id =  SW:659

cisco#sh crypt ipsec sa

interface: Tunnel2

    Crypto map tag: CRYMAP1, local addr 11.11.11.11

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

   current_peer 22.22.22.22 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 160, #pkts decrypt: 160, #pkts verify: 160

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 11.11.11.11, remote crypto endpt.: 22.22.22.22

     path mtu 4442, ip mtu 4442, ip mtu idb Tunnel2

     current outbound spi: 0x2971BB8F(695319439)

     inbound esp sas:

      spi: 0xFC4AADE(264547038)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 933, flow_id: Motorola SEC 1.0:933, crypto map: CRYMAP1

        sa timing: remaining key lifetime (k/sec): (4562385/2647)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x2971BB8F(695319439)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 934, flow_id: Motorola SEC 1.0:934, crypto map: CRYMAP1

        sa timing: remaining key lifetime (k/sec): (4562386/2647)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

cisco#sh crypto map

Crypto Map "CRYMAP1" 1 ipsec-isakmp

    Description: Tunnel toBranch

    Peer = 22.22.22.22

    Extended IP access list 120

        access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

    Current peer: 22.22.22.22

    Security association lifetime: 4608000 kilobytes/28800 seconds

    PFS (Y/N): N

    Transform sets={

        my3desmd5,

    }

    Reverse Route Injection Enabled

    Interfaces using crypto map CRYMAP1:

        Tunnel2

    Interfaces using crypto map CRYTTOMAP:

    Interfaces using crypto map vpn:

My problem, as mentioned, is that if I perform:

ping 192.168.1.1 (or another internal node in the Headquarter) from the Linksys: no response

ping 192.168.3.10 (or another internal node in the Branch) from the Cisco: no response

Another secondary issue is that if I shut down Tunnel2 the tunnel stays up!!!

Thanx
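The `show crypto ipsec sa` counters quoted above (`#pkts encaps: 0` against `#pkts decaps: 160`) and the SPIs in the Linksys log are the pieces of evidence worth reading together in a "tunnel up, no traffic" case. As an added example, not code from the original post or from Cisco or Linksys, here is a small Python script that pulls those values out of the posted output, checks that both ends hold the same SA pair (each side's inbound SPI must be the other side's outbound SPI), classifies the traffic direction from the counters, and verifies that the NAT-exemption access list denies exactly the src/dst pair that the crypto access list permits. The sample strings are copied from the post; the function names and the ACL regex are my own.

```python
import re

# Constructed sample: lines copied from the post's Linksys log.
LINKSYS_LOG = """\
[Tunnel Negotiation Info] Main Mode Phase 1 SA Established
[Tunnel Negotiation Info] Inbound SPI value = 2971bb8f
[Tunnel Negotiation Info] Outbound SPI value = fc4aade
[Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
"""

# Constructed sample: the relevant lines of the post's "sh crypt ipsec sa" output.
CISCO_SA = """\
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 160, #pkts decrypt: 160, #pkts verify: 160
    #send errors 0, #recv errors 0
     current outbound spi: 0x2971BB8F(695319439)
     inbound esp sas:
      spi: 0xFC4AADE(264547038)
"""

# Constructed sample: NAT-exemption ACL 102 and crypto ACL 120 from the post's config.
CISCO_ACLS = """\
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""


def parse_cisco_counters(text):
    """Packet counters from 'show crypto ipsec sa'; a missing counter reads as 0."""
    out = {}
    for name in ("encaps", "decaps"):
        m = re.search(r"#pkts %s: (\d+)" % name, text)
        out[name] = int(m.group(1)) if m else 0
    return out


def classify_traffic(counters):
    """What the encaps/decaps pair says about the direction of protected traffic."""
    enc, dec = counters["encaps"], counters["decaps"]
    if enc == 0 and dec == 0:
        return "no traffic matched the crypto ACL in either direction"
    if enc == 0:
        return "receive-only: peer traffic is decrypted, local side never encrypts"
    if dec == 0:
        return "send-only: local traffic is encrypted, nothing comes back"
    return "bidirectional"


def parse_linksys_spis(log):
    """Inbound/outbound SPIs as the Linksys logs them (hex without 0x prefix)."""
    m_in = re.search(r"Inbound SPI value = ([0-9a-fA-F]+)", log)
    m_out = re.search(r"Outbound SPI value = ([0-9a-fA-F]+)", log)
    return {"inbound": int(m_in.group(1), 16), "outbound": int(m_out.group(1), 16)}


def parse_cisco_spis(text):
    """Current outbound SPI and first inbound ESP SPI from 'show crypto ipsec sa'."""
    m_out = re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", text)
    m_in = re.search(r"inbound esp sas:\s*spi: 0x([0-9A-Fa-f]+)", text)
    return {"inbound": int(m_in.group(1), 16), "outbound": int(m_out.group(1), 16)}


def same_sa_pair(linksys, cisco):
    """True when each side's inbound SPI is the other side's outbound SPI."""
    return linksys["inbound"] == cisco["outbound"] and linksys["outbound"] == cisco["inbound"]


# Numbered extended ACL entry: "access-list N permit|deny ip <src> <dst>" (hypothetical regex).
ACL_RE = re.compile(r"^access-list (\d+)\s+(permit|deny)\s+ip\s+(any|\S+ \S+)\s+(any|\S+ \S+)\s*$")


def parse_acl(config, number):
    """(action, src, dst) entries of one numbered ACL, in config order."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and int(m.group(1)) == number:
            entries.append((m.group(2), m.group(3), m.group(4)))
    return entries


def nat_exemption_covers_crypto_acl(config, crypto_acl, nat_acl):
    """Each src/dst pair the crypto ACL permits must hit a deny in the NAT ACL before
    any permit that would match it; otherwise that traffic is NATed and no longer
    matches the crypto ACL on the way out."""
    nat = parse_acl(config, nat_acl)
    for action, src, dst in parse_acl(config, crypto_acl):
        if action != "permit":
            continue
        exempted = False
        for n_action, n_src, n_dst in nat:
            if (n_src, n_dst) == (src, dst):
                exempted = n_action == "deny"
                break
            if n_action == "permit" and n_src in (src, "any") and n_dst in (dst, "any"):
                break  # a broader permit is reached first
        if not exempted:
            return False
    return True
```

Run against the posted samples, `same_sa_pair(parse_linksys_spis(LINKSYS_LOG), parse_cisco_spis(CISCO_SA))` is true and `nat_exemption_covers_crypto_acl(CISCO_ACLS, 120, 102)` is true, so the SA negotiation and the NAT exemption are consistent; what `classify_traffic(parse_cisco_counters(CISCO_SA))` reports is "receive-only", which narrows the search to why the Cisco never encrypts anything toward the branch (where the crypto map is applied and how return traffic is routed) rather than to the IKE or ACL configuration.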

1 Reply

nunziofalcone
Level 1

SOLVED

with a little issue (from the Cisco I cannot ping the 192.168.3.0 subnet!!!)

This is the new config (only VPN commands):

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

lifetime 28800

crypto isakmp key ********* address 22.22.22.22 no-xauth

crypto ipsec transform-set my3desmd5 esp-3des esp-md5-hmac

crypto map CRYMAP1 1 ipsec-isakmp

description Tunnel to22.22.22.22

set peer 22.22.22.22

set transform-set my3desmd5

match address 120

interface ATM0.1 point-to-point

crypto map CRYMAP1

ip nat inside source route-map NAT_ROUTEMAP interface ATM0.1 overload

access-list 102 remark Innanzitutto esclude il tunnel ipsec dal nat

access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 102 remark Poi definisce il traffico da nattare

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 deny   ip any any

access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

route-map NAT_ROUTEMAP permit 1

match ip address 102

Some little questions:

How do I modify the config so that I can ping 192.168.3.0 also from the Cisco?

With this config, is the VPN always UP, or is it brought up when traffic is sent over it?

Thanks