Solved

Cisco IPSEC LAN-LAN tunnel: I need two IP subnets to be encrypted through one tunnel. Have I missed something?

Posted on 2006-11-03
458 Views
Last Modified: 2008-02-01
Hi Everyone,

I have a really annoying problem... I have two sites:
Site 1 (HQ) = Cisco 2950 (data + voice VLAN) and a 1701 (routes between VLANs using FastEthernet sub-interfaces; also used for ADSL internet access and VPN).
Site 2 (Homeworker) = Cisco 1701 for internet and VPN, connected to an unmanaged switch -> PC & IP phone.

We have an IP-enabled PABX at our HQ and an IP handset for the above homeworker (site 2). I have configured an IPSEC LAN-LAN VPN between the two 1701s and it works perfectly for the data VLAN (196.196.1.0/24 to 192.168.93.0/24). But when I try to add the voice subnet to the crypto map, the traffic doesn't get encrypted! (192.168.92.0/24 to 192.168.93.0/24) Any ideas? Have I missed anything? If I do a sho crypto ipsec sa, I can see the voice subnet (192.168.92.0/24). But the 1701 routers are not encrypting/decrypting anything...

I have removed all security ACLs and IP inspects just in case... But no joy.

The PABX definitely has the correct D/G as I can ping the internet from it... If I check the hits on my access lists I can see matches for 192.168.92.0/24 to 192.168.93.0/24 on ACL 100 (NAT) and ACL 120 (VPN interesting traffic).

I have posted my configs below...

I really need to get this sorted asap... :-S

Thanks in advance for any help

Matt


HQ (Site 1)

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HQ_RTR
!
boot-start-marker
boot-end-marker
!
enable secret *****
!
clock timezone GMT 0
clock summer-time BST recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip inspect name firewall cuseeme
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall icmp
ip inspect name firewall netshow
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall esmtp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall vdolive
ip inspect name firewall http
ip ips notify SDEE
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
class-map match-all voice
 match access-group 150
!
!
policy-map LLQ
 class voice
  priority 80
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key itsasecret address 2.2.2.2 no-xauth
!
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
!
crypto map cavity 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set trans1
 match address 120
 qos pre-classify
!
!
!
interface ATM0
 bandwidth 288
 no ip address
 service-policy output LLQ
 atm ilmi-keepalive
 dsl operating-mode ansi-dmt
 hold-queue 224 in
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface BRI0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0.1
 encapsulation dot1Q 10
 ip address 196.196.1.89 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0.2
 encapsulation dot1Q 20
 ip address 192.168.92.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 bandwidth 256
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 service-policy output LLQ
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ****
 ppp chap password ****
 ppp pap sent-username **** password ****
 crypto map cavity
 hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
!
ip dns server
!
!
access-list 100 deny   ip 192.168.92.0 0.0.0.255 192.168.93.0 0.0.0.255
access-list 100 deny   ip 196.196.1.0 0.0.0.255 192.168.93.0 0.0.0.255
access-list 100 permit ip 196.196.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.92.0 0.0.0.255 any
access-list 120 permit ip 196.196.1.0 0.0.0.255 192.168.93.0 0.0.0.255
access-list 120 permit ip 192.168.92.0 0.0.0.255 192.168.93.0 0.0.0.255
access-list 150 permit ip any any dscp ef
access-list 150 permit ip any any precedence critical
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
 password ****
line aux 0
line vty 0 4
 password ****
 login
!
scheduler max-task-time 5000
ntp clock-period 17179795
ntp server 158.43.128.33 source Dialer1 prefer
ntp server 158.43.128.66 source Dialer1
end

Home Worker (site 2)

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterHome
!
boot-start-marker
boot-end-marker
!
enable secret ******
!
clock timezone GMT 0
clock summer-time BST recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.93.1 192.168.93.10
!
ip dhcp pool home1_DHCP
   network 192.168.93.0 255.255.255.0
   default-router 192.168.93.1
   dns-server 192.168.93.1
!
!
ip name-server 81.17.66.13
ip name-server 81.17.66.14
ip cef
ip inspect name firewall cuseeme
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall icmp
ip inspect name firewall netshow
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall esmtp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall vdolive
ip inspect name firewall http
ip ips notify SDEE
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
class-map match-all voice
 match access-group 150
!
!
policy-map LLQ
 class voice
  priority 80
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key itsasecret address 1.1.1.1 no-xauth
!
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
!
crypto map cavity 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set trans1
 match address 120
 qos pre-classify
!
!
!
interface ATM0
 bandwidth 288
 no ip address
 service-policy output LLQ
 atm ilmi-keepalive
 dsl operating-mode ansi-dmt
 hold-queue 224 in
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface BRI0
 no ip address
 shutdown
!
interface FastEthernet0
 ip address 192.168.93.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface Dialer1
 bandwidth 256
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 service-policy output LLQ
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ****
 ppp chap password ****
 ppp pap sent-username **** password ****
 crypto map cavity
 hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
!
ip dns server
!
!
access-list 100 deny   ip 192.168.93.0 0.0.0.255 196.196.1.0 0.0.0.255
access-list 100 deny   ip 192.168.93.0 0.0.0.255 192.168.92.0 0.0.0.255
access-list 100 permit ip 192.168.93.0 0.0.0.255 any
access-list 120 permit ip 192.168.93.0 0.0.0.255 196.196.1.0 0.0.0.255
access-list 120 permit ip 192.168.93.0 0.0.0.255 192.168.92.0 0.0.0.255
access-list 150 permit ip any any dscp ef
access-list 150 permit ip any any precedence critical
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
 password ****
line aux 0
line vty 0 4
 password ****
 login
!
scheduler max-task-time 5000
ntp clock-period 17179899
ntp server 158.43.128.33 source Dialer1 prefer
ntp server 158.43.128.66 source Dialer1
end

Question by: needsy

8 Comments
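The two configs above can be cross-checked mechanically for the mistakes that most often stop a newly added subnet from being encrypted: a crypto ACL that is not the mirror image of the peer's (so the Quick Mode proxy identities never match) and a crypto-protected pair that the NAT ACL translates before the crypto map sees it. The script below is an added example, not part of the question or of either router's configuration; it parses the `access-list`, `match address` and `ip nat inside source list` lines (the list form only, not the route-map form), and generalises the page's two-subnet case to any number of entries. The `audit` function name, the constructed config excerpts and the deliberately broken variants are assumptions made for the example.

```python
"""Cross-check the crypto and NAT ACLs of two IOS LAN-to-LAN peers (added example)."""
import re
from ipaddress import IPv4Network

# One ACL endpoint: 'any', 'host a.b.c.d' or 'a.b.c.d wildcard'.
TARGET = r"(any|host\s+\d+(?:\.\d+){3}|\d+(?:\.\d+){3}\s+\d+(?:\.\d+){3})"
ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
                    + TARGET + r"\s+" + TARGET + r"(?:\s+.*)?$")
MATCH_RE = re.compile(r"^\s*match address\s+(\d+)\s*$")
NAT_RE = re.compile(r"^\s*ip nat inside source list\s+(\d+)\s+")  # list form only

def parse_target(tok: str) -> IPv4Network:
    """Turn an ACL endpoint into a network; IOS wildcard bits are the inverted mask."""
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    if tok.startswith("host"):
        return IPv4Network(tok.split()[1] + "/32")
    addr, wild = tok.split()
    mask = ".".join(str(255 - int(o)) for o in wild.split("."))
    return IPv4Network(f"{addr}/{mask}", strict=False)

def parse_config(text: str):
    """Return (ACL number -> [(action, (src, dst))] in config order, crypto ACL no., NAT ACL no.)."""
    acls: dict = {}
    crypto_acl = nat_acl = -1
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            pair = (parse_target(m.group(3)), parse_target(m.group(4)))
            acls.setdefault(int(m.group(1)), []).append((m.group(2), pair))
        elif m := MATCH_RE.match(line):
            crypto_acl = int(m.group(1))  # one crypto map entry per side, as in the thread
        elif m := NAT_RE.match(line):
            nat_acl = int(m.group(1))
    return acls, crypto_acl, nat_acl

def nat_leaks(acls: dict, nat_acl: int, pairs: set) -> list:
    """Crypto pairs whose first matching NAT entry is a permit: translated, so never encrypted."""
    leaks = []
    for src, dst in sorted(pairs, key=str):
        for action, (nsrc, ndst) in acls.get(nat_acl, []):
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if action == "permit":
                    leaks.append((src, dst))
                break  # first match decides; no match at all is the implicit deny (not translated)
    return leaks

def audit(cfg_a: str, cfg_b: str) -> list:
    """NAT leaks on each side, then crypto ACL entries that the peer does not mirror."""
    findings, sides = [], []
    for name, cfg in (("A", cfg_a), ("B", cfg_b)):
        acls, crypto_acl, nat_acl = parse_config(cfg)
        # Permitted (src, dst) pairs are the proxy identities offered in Quick Mode.
        pairs = {pair for action, pair in acls.get(crypto_acl, []) if action == "permit"}
        findings += [f"{name}: {s}->{d} is NATed before it reaches the crypto map"
                     for s, d in nat_leaks(acls, nat_acl, pairs)]
        sides.append(pairs)
    for (me, mine), (peer, theirs) in ((("A", sides[0]), ("B", sides[1])),
                                       (("B", sides[1]), ("A", sides[0]))):
        for s, d in sorted(mine, key=str):
            if (d, s) not in theirs:
                findings.append(f"{me} protects {s}->{d} but {peer} has no {d}->{s} entry")
    return findings

# Constructed samples: the relevant lines of the two configs posted above.
HQ_CFG = """\
crypto map cavity 1 ipsec-isakmp
 match address 120
ip nat inside source list 100 interface Dialer1 overload
access-list 100 deny   ip 192.168.92.0 0.0.0.255 192.168.93.0 0.0.0.255
access-list 100 deny   ip 196.196.1.0 0.0.0.255 192.168.93.0 0.0.0.255
access-list 100 permit ip 196.196.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.92.0 0.0.0.255 any
access-list 120 permit ip 196.196.1.0 0.0.0.255 192.168.93.0 0.0.0.255
access-list 120 permit ip 192.168.92.0 0.0.0.255 192.168.93.0 0.0.0.255
"""
REMOTE_CFG = """\
crypto map cavity 1 ipsec-isakmp
 match address 120
ip nat inside source list 100 interface Dialer1 overload
access-list 100 deny   ip 192.168.93.0 0.0.0.255 196.196.1.0 0.0.0.255
access-list 100 deny   ip 192.168.93.0 0.0.0.255 192.168.92.0 0.0.0.255
access-list 100 permit ip 192.168.93.0 0.0.0.255 any
access-list 120 permit ip 192.168.93.0 0.0.0.255 196.196.1.0 0.0.0.255
access-list 120 permit ip 192.168.93.0 0.0.0.255 192.168.92.0 0.0.0.255
"""
# Deliberately broken variants (constructed) to show what each check catches.
HQ_CFG_NO_NAT_EXEMPT = HQ_CFG.replace(
    "access-list 100 deny   ip 192.168.92.0 0.0.0.255 192.168.93.0 0.0.0.255\n", "")
REMOTE_CFG_NO_VOICE = REMOTE_CFG.replace(
    "access-list 120 permit ip 192.168.93.0 0.0.0.255 192.168.92.0 0.0.0.255\n", "")

if __name__ == "__main__":
    for label, a, b in (("as posted", HQ_CFG, REMOTE_CFG),
                        ("HQ without NAT exemption", HQ_CFG_NO_NAT_EXEMPT, REMOTE_CFG),
                        ("remote without voice entry", HQ_CFG, REMOTE_CFG_NO_VOICE)):
        print(label, "->", audit(a, b) or ["no findings"])
```

On the configs as posted the check comes back clean, which is consistent with lrmoore's later remark that the config looks right while the SA output does not; the two broken variants show what a missing NAT deny or an unmirrored crypto ACL entry would have produced.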
 
Author Comment by: needsy
Just did a debug from the HQ router... definitely a problem somewhere :(. Just can't see it in my config!!

I pinged from 192.168.92.253(2950 switch) and got this...

I have replaced the public IPs for security purposes, as in my configs above (1.1.1.1 and 2.2.2.2).

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.93.1, timeout is 2 seconds:

Nov  3 09:50:22.442: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 192.168.92.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.93.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xAA55B2A(178608938), conn_id= 0, keysize= 0, flags= 0x400A
Nov  3 09:50:22.774: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 192.168.92.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.93.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Nov  3 09:50:22.778: IPSEC(validate_transform_proposal): no IPSEC cryptomap exis
ts for local address 1.1.1.1
Nov  3 09:50:22.782: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode faile
d with peer at 2.2.2.2   .....
Success rate is 0 percent (0/5)

Expert Comment by: lrmoore
Let's try changing the NAT to use a route-map
from this:
>ip nat inside source list 100 interface Dialer1 overload

To using a route-map:
 no ip nat inside source list 100 interface Dialer1 overload
 ip nat inside source route-map VPN interface Dialer1 overload

route-map VPN permit 10
 match address 100

Can you post result of 'show cry ip sa' from both sides?
Author Comment by: needsy
Hi lrmoore,

Right, I've changed the configs at both ends to use route-maps... But still no change :-(. I have attached the debugs you needed. I noticed there are some send errors, so hopefully we're closing in on the problem? Any ideas what would cause them?

Cheers

Main Router:

HQ_RTR#sho crypto ip sa

interface: Dialer1
    Crypto map tag: cavity, local addr. 1.1.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (196.196.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.93.0/255.255.255.0/0/0)
   current_peer: 2.2.2.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 93, #pkts encrypt: 93, #pkts digest: 93
    #pkts decaps: 87, #pkts decrypt: 87, #pkts verify: 87
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 6AF2E491

     inbound esp sas:
      spi: 0xEC73F9B1(3967023537)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 7, crypto map: cavity
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4573644/3182)
        ike_cookies: 8E7A4942 0406EC07 816722D2 C5D53BA8
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6AF2E491(1794303121)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 8, crypto map: cavity
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4573645/3181)
        ike_cookies: 8E7A4942 0406EC07 816722D2 C5D53BA8
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.92.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.93.0/255.255.255.0/0/0)
   current_peer: 2.2.2.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 15, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:



interface: Virtual-Access2
    Crypto map tag: cavity, local addr. 1.1.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (196.196.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.93.0/255.255.255.0/0/0)
   current_peer: 2.2.2.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 93, #pkts encrypt: 93, #pkts digest: 93
    #pkts decaps: 87, #pkts decrypt: 87, #pkts verify: 87
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 6AF2E491

     inbound esp sas:
      spi: 0xEC73F9B1(3967023537)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 7, crypto map: cavity
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4573644/3177)
        ike_cookies: 8E7A4942 0406EC07 816722D2 C5D53BA8
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6AF2E491(1794303121)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 8, crypto map: cavity
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4573645/3177)
        ike_cookies: 8E7A4942 0406EC07 816722D2 C5D53BA8
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.92.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.93.0/255.255.255.0/0/0)
   current_peer: 2.2.2.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 15, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


interface: Virtual-Access2
    Crypto map tag: cavity, local addr. 1.1.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (196.196.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.93.0/255.255.255.0/0/0)
   current_peer: 2.2.2.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 93, #pkts encrypt: 93, #pkts digest: 93
    #pkts decaps: 87, #pkts decrypt: 87, #pkts verify: 87
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 6AF2E491

     inbound esp sas:
      spi: 0xEC73F9B1(3967023537)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 7, crypto map: cavity
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4573644/3175)
        ike_cookies: 8E7A4942 0406EC07 816722D2 C5D53BA8
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6AF2E491(1794303121)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 8, crypto map: cavity
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4573645/3174)
        ike_cookies: 8E7A4942 0406EC07 816722D2 C5D53BA8
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.92.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.93.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 15, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Homeworker Router:

Homeworker_RTR#sho crypto ip sa

interface: Dialer1
    Crypto map tag: cavity, local addr. 2.2.2.2

   protected vrf:
   local  ident (addr/mask/prot/port): (196.196.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.93.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.93.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (196.196.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: EC73F9B1

     inbound esp sas:
      spi: 0x6AF2E491(1794303121)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 11, crypto map: cavity
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4606687/3487)
        ike_cookies: 816722D2 C5D53BA8 8E7A4942 0406EC07
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEC73F9B1(3967023537)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 12, crypto map: cavity
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4606688/3487)
        ike_cookies: 816722D2 C5D53BA8 8E7A4942 0406EC07
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.92.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.93.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.93.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.92.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 10, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:



Expert Comment by: lrmoore
The only thing I can think of is what is the default gateway set to on the .92.x hosts?

I don't understand what I'm seeing here. It looks like the routers are confused as to local and remote networks. I can't explain it because it does not match the acl 120's that you've defined for the crypto maps. The config that you posted looks good, the results of the output does not.
I would also suggest a hard reboot of the router. Save the config and do a complete power off shutdown and back on..

 
Author Comment by: needsy
Hi lrmoore,

D/Gs are definitely right... In any case, when testing I'm using the "ping source interface" command from the router itself on either end. I've used it many times.

I see what you mean about the crypto maps though! I reset both ends and it sorted that strange local-remote subnet problem. But it still doesn't work. I'm on the verge of upgrading the IOSes. Getting desperate now... ;).

Remote worker = c1700-k9o3sy7-mz.123-8.T8.bin
Main Site = c1700-k9o3sy7-mz.123-8.T4.bin

Do you think it's worth a bash?

Cheers

Matt

Accepted Solution by: lrmoore (earned 500 total points)
Before you do that, try pinging host to host instead of router to router.
Then post another round of "sho cry ip sa".
Author Comment by: needsy
Hi lrmoore,

Sorry to jump the gun but I had a chance to try upgrading each end so I did... And thankfully it resolved the problem! :). I upgraded to 12.4-10a in the end.

Thanks very much for your continued assistance. Your help really did assist with this so you have deserved the points mate.

Regards

Matt
Expert Comment by: lrmoore
Glad you're working!