Hi All,
I've got IKE and IPSec up and running between a Cisco850 and an ASG220.
I can see data from the ASG side being decrypted on the Cisco end:
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
But data originating from the Cisco side is never encapsulated and returned down the tunnel:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
My default route on the Cisco is the Dialer0 interface (since it's DSL).
Here are the relevant parts of the Cisco config:
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 7800
crypto isakmp key ***** address a.b.c.d
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer a.b.c.d
 set security-association lifetime seconds 3600
 set transform-set AES-SHA
 set pfs group5
 match address Crypto-list
interface Dialer0
 crypto map VPN-Map-1
ip access-list extended Crypto-list
 permit ip 192.168.1.0 0.0.0.255 10.19.0.0 0.0.15.255
Here's the Astaro side:
2008:05:12-18:59:52 (none) pluto[19718]: "S_KMM-VPN_0" #1: initiating Main Mode
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: enabling possible NAT-traversal with method RFC 3947
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: ignoring Vendor ID payload [Cisco-Unity]
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: received Vendor ID payload [Dead Peer Detection]
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: ignoring Vendor ID payload [839fac53cce86946798e0e003a916cee]
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: ignoring Vendor ID payload [XAUTH]
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: Peer ID is ID_IPV4_ADDR: 'a.b.c.d'
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #1: ISAKMP SA established
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2008:05:12-19:00:02 (none) pluto[19718]: "S_KMM-VPN_0" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
2008:05:12-19:00:03 (none) pluto[19718]: "S_KMM-VPN_0" #2: Dead Peer Detection (RFC 3706) enabled
2008:05:12-19:00:03 (none) pluto[19718]: "S_KMM-VPN_0" #2: sent QI2, IPsec SA established {ESP=>0xc64bc472