Cisco 1721 router IPSec Issues

I have a Cisco 1721 router, with current IOS c1700-k9o3sy7-mz.122-11.T.bin

Everything is up and running fine, minus anything IPSec.

When the IPSec is set up, it seems to refuse to pass traffic over the tunnel we create.  Absolutely no debugging information is shown either, even with debug turned on.  Even after trying with multiple devices on the other side, still no luck.

Here is my config (IP and names modified) and what the show crypto ipsec sa produces:

Current configuration : 1719 bytes
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname contoso
boot system flash:c1700-bk9no3r2sy7-mz.122-13.T.bin
enable secret
enable password contoso
ip subnet-zero
ip dhcp excluded-address
ip dhcp pool contoso
   lease 7
ip audit notify log
ip audit po max-events 100
crypto ca trustpoint verisign-ca
 enrollment url http://ciscoca-ultra:80
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key contoso address
crypto ipsec transform-set contoso esp-3des esp-md5-hmac
crypto map contoso 10 ipsec-isakmp
 set peer
 set transform-set contoso
 match address 105
interface FastEthernet0
 description inside
 ip address
 ip nat inside
 speed auto
interface Serial0
 description Gateway
 ip address
 ip nat outside
 crypto map contoso
ip nat inside source route-map contoso interface Serial0 overload
ip classless
ip route Serial0
no ip http server
access-list 105 permit ip
access-list 175 deny   ip
access-list 175 permit ip any
route-map contoso permit 1
 match ip address 175
line con 0
line aux 0
line vty 0 4
 password contoso
no scheduler allocate
contoso#show crypto ipsec sa
interface: Serial0
    Crypto map tag: contoso, local addr.
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.:, remote crypto endpt.:
     path mtu 1500, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:


Can you show the output of a "Show crypto isakmp sa" and "Show ip nat trans"?
Jan Springer Commented:
Is the access-list (105) an exact inverse match of the one listed above?

Do the encryption and hash match?
MainStaySolutions (Author) Commented:
Here is the output of the two commands.

contoso#show crypto isakmp sa
dst             src             state           conn-id    slot
contoso#show ip nat trans


MainStaySolutions (Author) Commented:
You mean for the other side?

The only thing that is slightly different is that instead of it being a class C subnet like the router shows, it's actually a class B subnet.

All the encryption protocols do match.  We even tried instead of 3DES, DES.  And still nothing.
Jan Springer Commented:
The access lists need to be an *exact* inverse match of each other as applied to the crypto peer config.
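
The mirror check described above, as an added example that is not part of the original thread: it parses the `permit ip` entries of each peer's crypto ACL and reports any entry that lacks a source/destination-swapped twin on the other side. The ACL number 110 and all addresses are constructed sample values; the mismatch modelled is the /24 versus /16 difference mentioned earlier in the thread.

```python
import ipaddress
import re

# One ACL endpoint: "any", "host A.B.C.D" or "A.B.C.D <wildcard>".
END = r"(any|host\s+\S+|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
LINE = re.compile(rf"^access-list\s+(\d+)\s+permit\s+ip\s+{END}\s+{END}\s*$")

def to_network(spec):
    """Convert one ACL endpoint to an IPv4Network."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, wildcard = parts
    # IOS wildcards are inverted netmasks; invert explicitly so that
    # 0.0.0.0 means /32. Non-contiguous wildcards raise ValueError.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def crypto_acl(config, number):
    """Return the set of (src, dst) networks permitted by ACL <number>."""
    pairs = set()
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if m and int(m.group(1)) == number:
            pairs.add((to_network(m.group(2)), to_network(m.group(3))))
    return pairs

def mirror_mismatches(local, remote):
    """Entries on either side with no swapped twin on the other."""
    expected_remote = {(dst, src) for src, dst in local}
    return {
        "missing_on_remote": sorted(expected_remote - remote, key=str),
        "unmatched_on_remote": sorted(remote - expected_remote, key=str),
    }

# Constructed sample configs (not taken from the thread).
LOCAL_CFG = "access-list 105 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255"
REMOTE_BAD_CFG = "access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255"
REMOTE_OK_CFG = "access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.10.0 0.0.0.255"

if __name__ == "__main__":
    local = crypto_acl(LOCAL_CFG, 105)
    print(mirror_mismatches(local, crypto_acl(REMOTE_BAD_CFG, 110)))
    print(mirror_mismatches(local, crypto_acl(REMOTE_OK_CFG, 110)))
```

Only `permit ip` lines are compared; `deny` entries and protocol- or port-specific entries are ignored by this sketch.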
MainStaySolutions (Author) Commented:
Everything now matches, and still no luck.
Jan Springer Commented:
term mon
debug crypto isakmp
debug crypto ipsec

sh crypto isakmp sa
        -> show SAs between two peers

sh crypto ipsec sa
        -> show IPsec SAs built between peers

sh crypto engine connection active
        -> show each phase 2 SA built
MainStaySolutions (Author) Commented:
Okay, after much fighting the tunnel is up, however, I can't ping anything on the other side now.
Jan Springer Commented:
What did debug and/or the log data indicate?
MainStaySolutions (Author) Commented:
We got it figured out.  The issue was with the device on the other side.  
