Cisco 1721 router IPSec Issues

Posted on 2009-07-14
Last Modified: 2012-05-07
I have a Cisco 1721 router, with current IOS c1700-k9o3sy7-mz.122-11.T.bin

Everything is up and running fine, minus anything IPSec.

When the IPSec is set up it seems to refuse to pass traffic over the tunnel we create.  Absolutely no debugging information is shown either, with the debug turned on.  Even after trying with multiple devices on the other side, still, no luck.

Here is my config (IPs and names modified) and what show crypto ipsec sa produces:

Current configuration : 1719 bytes

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption

hostname contoso

boot system flash:c1700-bk9no3r2sy7-mz.122-13.T.bin
enable secret
enable password contoso

ip subnet-zero

ip dhcp excluded-address

ip dhcp pool contoso

   lease 7

ip audit notify log
ip audit po max-events 100

crypto ca trustpoint verisign-ca
 enrollment url http://ciscoca-ultra:80

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key contoso address

crypto ipsec transform-set contoso esp-3des esp-md5-hmac

crypto map contoso 10 ipsec-isakmp
 set peer
 set transform-set contoso
 match address 105

interface FastEthernet0
 description inside
 ip address
 ip nat inside
 speed auto

interface Serial0
 description Gateway
 ip address
 ip nat outside
 crypto map contoso

ip nat inside source route-map contoso interface Serial0 overload
ip classless
ip route Serial0
no ip http server

access-list 105 permit ip
access-list 175 deny   ip
access-list 175 permit ip any

route-map contoso permit 1
 match ip address 175

line con 0
line aux 0
line vty 0 4
 password contoso

no scheduler allocate


contoso#show crypto ipsec sa

interface: Serial0
    Crypto map tag: contoso, local addr.

   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.:, remote crypto endpt.:
     path mtu 1500, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:


Question by:MainStaySolutions

Expert Comment

ID: 24849928
Can you show the output of a "Show crypto isakmp sa" and "Show ip nat trans"
LVL 28

Expert Comment

by:Jan Springer
ID: 24849941
Is the access-list (105) an exact inverse match of the one listed above?

Do the encryption and hash match?

Author Comment

ID: 24850049
Here is the output of the two commands.

contoso#show crypto isakmp sa
dst             src             state           conn-id    slot

contoso#show ip nat trans



Author Comment

ID: 24850494
You mean for the other side?

The only thing that is slightly different is that instead of it being a class C subnet like the router shows, it's actually a class B subnet.

All the encryption protocols do match.  We even tried instead of 3DES, DES.  And still nothing.
LVL 28

Expert Comment

by:Jan Springer
ID: 24850744
The access lists need to be an *exact* inverse match of each other as applied to the crypto peer config.
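An added example, not something posted in the thread, of checking the two points that come up here: the crypto ACL on each peer has to be the exact mirror of the other's, and the NAT ACL has to deny (exempt) the protected flows before any permit that would translate them. The script is mine; the ACL numbers 105 and 175 follow the question's config, the addresses are made up, and the NAT check assumes the route-map's ACL is evaluated top-down with the first covering entry deciding, as IOS does.

```python
"""Added example (not from the thread): mirror-check two peers' crypto ACLs and
check the local NAT ACL exempts the protected flows. ACL numbers follow the
question's config (105 = crypto, 175 = NAT route-map); addresses are made up.

Handles numbered extended entries of the form
    access-list N permit|deny ip SRC [WILDCARD] DST [WILDCARD]
where SRC/DST may also be 'any' or 'host A.B.C.D'. Other entry types are skipped.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    number: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_prefix(wildcard):
    """IOS wildcard (inverse) mask -> prefix length. Inverted by hand because
    0.0.0.0 means a single host here, while ipaddress would read it as /0.
    Non-contiguous masks are rejected."""
    bits = int(ipaddress.IPv4Address(wildcard))
    host_bits = bits.bit_length()
    if bits != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - host_bits


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    prefix = _wildcard_to_prefix(tokens[i + 1])
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False), i + 2


def parse_acls(config_text):
    """Return the 'access-list N permit|deny ip ...' entries of a config, in order."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if (len(tokens) < 6 or tokens[0] != "access-list"
                or tokens[2] not in ("permit", "deny") or tokens[3] != "ip"):
            continue
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(tokens[1], tokens[2], src, dst))
    return entries


def crypto_acl_mismatches(local, remote):
    """Permit flows on each side whose exact mirror (dst -> src) is absent on the other."""
    local_flows = {(e.src, e.dst) for e in local if e.action == "permit"}
    remote_flows = {(e.src, e.dst) for e in remote if e.action == "permit"}
    unmirrored_local = sorted(f"{s} -> {d}" for s, d in local_flows if (d, s) not in remote_flows)
    unmirrored_remote = sorted(f"{s} -> {d}" for s, d in remote_flows if (d, s) not in local_flows)
    return unmirrored_local, unmirrored_remote


def nat_exemption_gaps(crypto, nat):
    """Protected flows the NAT ACL would still translate. The ACL is read top-down,
    the first entry covering the flow decides, and no match means the route-map
    does not apply (no translation). Entries that only partly overlap are ignored."""
    gaps = []
    for c in crypto:
        if c.action != "permit":
            continue
        first = next((n for n in nat if c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst)), None)
        if first is not None and first.action == "permit":
            gaps.append(f"{c.src} -> {c.dst}")
    return gaps


def check_site(local_cfg, remote_cfg, crypto_acl="105", nat_acl="175"):
    """Run both checks; both peers are assumed to use the same crypto ACL number."""
    local, remote = parse_acls(local_cfg), parse_acls(remote_cfg)
    local_crypto = [e for e in local if e.number == crypto_acl]
    remote_crypto = [e for e in remote if e.number == crypto_acl]
    local_nat = [e for e in local if e.number == nat_acl]
    unmirrored_local, unmirrored_remote = crypto_acl_mismatches(local_crypto, remote_crypto)
    return {"unmirrored_local": unmirrored_local,
            "unmirrored_remote": unmirrored_remote,
            "nat_gaps": nat_exemption_gaps(local_crypto, local_nat)}


# Constructed sample configs (private/documentation addresses, not from the thread).
LOCAL_CFG = """\
access-list 105 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 175 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
"""
# Peer written with a /24 where the local side says /16: the class B vs class C slip.
REMOTE_CFG_BAD = "access-list 105 permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255\n"
REMOTE_CFG_GOOD = "access-list 105 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255\n"
# NAT ACL with the deny below the permit-any, so the exemption never fires.
LOCAL_CFG_NAT_WRONG = """\
access-list 105 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
access-list 175 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
"""

if __name__ == "__main__":
    for name, loc, rem in (("bad mirror", LOCAL_CFG, REMOTE_CFG_BAD),
                           ("good", LOCAL_CFG, REMOTE_CFG_GOOD),
                           ("nat order", LOCAL_CFG_NAT_WRONG, REMOTE_CFG_GOOD)):
        print(name, check_site(loc, rem))
```

Run as-is, the first case reports the kind of slip the question describes (a /24 on one side where the other has a /16), and the third shows a NAT ACL whose entries are right but ordered wrong: with the permit-any above the deny, the inside addresses get translated before the crypto map ever sees them, which is enough for a tunnel to come up and then pass nothing.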


Author Comment

ID: 24851979
Everything now matches, and still no luck.
LVL 28

Expert Comment

by:Jan Springer
ID: 24852158
term mon
debug crypto isakmp
debug crypto ipsec

sh crypto isakmp sa
        -> show SAs between two peers

sh crypto ipsec sa
        -> show IPsec SAs built between peers

sh crypto engine connection active
        -> show each phase 2 SA built
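As an added example (mine, not from the thread), here is a small parser for the show crypto ipsec sa output listed above, with a rule of thumb for reading its counters: outbound SPI 0 and empty SA lists, as in the question's output, means phase 2 never completed; an SA whose encaps counter climbs while decaps stays at zero means packets leave encrypted and nothing comes back, which is what a tunnel that is "up" but cannot ping anything usually looks like. The sample outputs are constructed in the shape of the question's output with documentation addresses filled in; the status codes and hints are my own heuristics, not anything IOS prints.

```python
"""Added example (not from the thread): parse 'show crypto ipsec sa' and classify
each crypto-map entry from its counters. Sample outputs are constructed; the
status codes in HINTS are my own rule of thumb, not IOS semantics."""
import re

_COUNTERS = {
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors\s*(\d+)"),
    "recv_errors": re.compile(r"#recv errors\s*(\d+)"),
}
_IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
_OUT_SPI = re.compile(r"current outbound spi:\s*(\S+)")
_SECTION = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
_SA_LINE = re.compile(r"^\s*spi:\s*0x[0-9A-Fa-f]+")   # one line per negotiated SA


def parse_ipsec_sa(text):
    """One dict per crypto-map entry; each entry starts at its 'local ident' line."""
    entries, cur, section = [], None, None
    for line in text.splitlines():
        m = _IDENT.search(line)
        if m and m.group(1) == "local":
            cur = {"local": m.group(2), "remote": None, "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0, "outbound_spi": "0",
                   "inbound_esp": 0, "outbound_esp": 0}
            entries.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if m:                                   # the matching 'remote ident' line
            cur["remote"] = m.group(2)
            continue
        for key, rx in _COUNTERS.items():
            c = rx.search(line)
            if c:
                cur[key] = int(c.group(1))
        s = _OUT_SPI.search(line)
        if s:
            cur["outbound_spi"] = s.group(1)
        sec = _SECTION.match(line)
        if sec:
            section = f"{sec.group(1)}_{sec.group(2)}"
        elif section in ("inbound_esp", "outbound_esp") and _SA_LINE.match(line):
            cur[section] += 1                   # count ESP SAs in this direction
    return entries


HINTS = {
    "no-sa": "no phase-2 SA: check phase 1 (show crypto isakmp sa), peer address, crypto ACL mirror",
    "idle": "SA up but nothing encrypted: interesting traffic never reaches the crypto map (NAT order, routing)",
    "one-way-out": "packets leave encrypted, nothing returns: remote side routing, NAT exemption or crypto ACL",
    "one-way-in": "peer sends, local side never encrypts: local routing or NAT exemption",
    "errors": "traffic flows but with send/recv errors: MTU and fragmentation, replay",
    "healthy": "traffic in both directions",
}


def diagnose(entry):
    """Map one entry's counters to a status code (a key of HINTS)."""
    if (entry["outbound_spi"].lower() in ("0", "0x0")
            and not entry["inbound_esp"] and not entry["outbound_esp"]):
        return "no-sa"
    if entry["encaps"] == 0 and entry["decaps"] == 0:
        return "idle"
    if entry["decaps"] == 0:
        return "one-way-out"
    if entry["encaps"] == 0:
        return "one-way-in"
    if entry["send_errors"] or entry["recv_errors"]:
        return "errors"
    return "healthy"


def summarize(text):
    return [(e["local"], e["remote"], diagnose(e)) for e in parse_ipsec_sa(text)]


# Constructed samples in the shape of the question's output (documentation addresses).
SA_DOWN = """\
interface: Serial0
    Crypto map tag: contoso, local addr. 203.0.113.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     current outbound spi: 0
     inbound esp sas:
     outbound esp sas:
"""
SA_ONE_WAY = """\
interface: Serial0
    Crypto map tag: contoso, local addr. 203.0.113.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     current outbound spi: 5E6F7A8B
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
     inbound ah sas:
     outbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
     outbound ah sas:
"""

if __name__ == "__main__":
    for local, remote, code in summarize(SA_DOWN) + summarize(SA_ONE_WAY):
        print(f"{local} -> {remote}: {code}: {HINTS[code]}")
```

Paste the real output into parse_ipsec_sa and read the code per entry; the hints deliberately point at the boring causes first (routing and NAT exemption on whichever side stops counting), because on a site-to-site tunnel those account for far more "up but no traffic" cases than anything in the crypto configuration itself.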

Author Comment

ID: 24853627
Okay, after much fighting the tunnel is up, however, I can't ping anything on the other side now.
LVL 28

Expert Comment

by:Jan Springer
ID: 24853724
What did debug and/or the log data indicate?

Accepted Solution

MainStaySolutions earned 0 total points
ID: 24935141
We got it figured out.  The issue was with the device on the other side.  
