This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cisco 850 <-> ASG220: No data from Cisco

Hi All,

I've got IKE and IPSec up and running between a Cisco850 and an ASG220.

I can see data from the ASG side being decrypted on the Cisco end:

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

But data originating from the Cisco side is never encapsulated and returned down the tunnel:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

My default route on the Cisco is the Dialer0 interface (since it's DSL).

Here's the relevant parts of the Cisco config:

crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 7800
crypto isakmp key ***** address a.b.c.d

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto map VPN-Map-1 10 ipsec-isakmp
set peer a.b.c.d
set security-association lifetime seconds 3600
set transform-set AES-SHA
set pfs group5
match address Crypto-list

interface Dialer0
crypto map VPN-Map-1

ip access-list extended Crypto-list
permit ip 192.168.1.0 0.0.0.255 10.19.0.0 0.0.15.255

Here's the Astaro side:

2008:05:12-18:59:52 (none) pluto[19718]: "S_KMM-VPN_0" #1: initiating Main Mode
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: enabling possible NAT-traversal with method RFC 3947
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: ignoring Vendor ID payload [Cisco-Unity]
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: received Vendor ID payload [Dead Peer Detection]
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: ignoring Vendor ID payload [839fac53cce86946798e0e003a916cee]
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: ignoring Vendor ID payload [XAUTH]
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: Peer ID is ID_IPV4_ADDR: 'a.b.c.d'
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: ISAKMP SA established
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
2008:05:12-19:00:03 (none) pluto[19718]: "S_KMM-VPN_0" #2: Dead Peer Detection (RFC 3706) enabled
2008:05:12-19:00:03 (none) pluto[19718]: "S_KMM-VPN_0" #2: sent QI2, IPsec SA established {ESP=>0xc64bc472

This thread was automatically locked due to age.

Parents

0 ClausP over 17 years ago

... static route missing for your remote network (10.19.0.0) with ipsec-peer a.b.c.d as next hop ?
Cancel
Vote Up 0 Vote Down

Cancel
0 James Bourne over 17 years ago in reply to ClausP

I tried that. I also tried routing via Dialer0 ... no joy [:)]
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 James Bourne over 17 years ago in reply to ClausP

I tried that. I also tried routing via Dialer0 ... no joy [:)]
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 James Bourne over 17 years ago in reply to James Bourne

Fixed it ...

I need to add an exclusion to the route map so traffic destined to the remote VPN network is not NAT'd viz:

route-map NONAT permit 10
match ip address 100

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.19.0.0 0.0.15.255
Cancel
Vote Up 0 Vote Down

Cancel