<div>
Not quite.<br />
Could you post the sanitized configs here so we can have a look?
</div>


<div>
is the 877 connecting to 2 differnet routers ?-sounds like an access list prblem on the 877.which way is the traffic been stopped ?
</div>


<div>
In fact, I just realized that my two routers are NOT connected. A NCP client was running as a service on my PC and was connecting instead of my router. I deactivated it. Sorry.<br />
So I come back with my first question I posted yesterday, why my routers are not connecting.<br />
I post the two configs.<br />
<br />
Sorry for my mistake.<br />
&nbsp;<a href="https://filedb.experts-exchange.com/incoming/2011/08_w33/486736/Cisco-877.txt" target="_blank" class="file-inline" title="Config Cisco 877 (3 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Cisco-877.txt</a><br />
<a href="https://filedb.experts-exchange.com/incoming/2011/08_w33/486737/Cisco-881.txt" target="_blank" class="file-inline" title="Config Cisco 881 (3 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Cisco-881.txt</a>
</div>


Cisco-877.txt

Cisco-881.txt

<div>
I see both routers get an ip dynamically, is that correct?
</div>


<div>
Yes but to simplify my first try with Cisco VPN, I use static IP in my config. When it will work, I'll try to config it with dynamic IP.
</div>


<div>
Well, the thing is that with a site2site vpn you will need atleast one static ip. Otherwise this isn't going to work.<br />
<br />
<i>crypto dynamic-map SDM_DYNMAP_1 1<br />
&nbsp;set transform-set Test<br />
&nbsp;match address 100</i><br />
can only be used for incoming connections.<br />
<br />
You need the static ip so you can tell the router where it must connect to, like:<br />
<i>crypto map map1 5 ipsec-isakmp<br />
&nbsp;set peer a.b.c.d<br />
&nbsp;set transform-set Test<br />
&nbsp;match address 100</i>
</div>


<div>
And of course, when an IP change on one or on the other router, I correct it in my config... (before you ask ;)<br />
I'm aware of the remote IP thanks to dyndns which I managed to make working.<br />

</div>


<div>
But a dynamic IP is static for 36h if I don't reboot the router so it should work.<br />
Here for my test, I don't have static IP. But it will be installed at the end in an environment with one satic IP.<br />

</div>


<div>
And sorry again, my config are not update.<br />
Both sides, there's now :<br />
crypto map SDM_CMAP_1 1 ipsec-isakmp<br />
&nbsp;set peer IP (other side router)<br />
&nbsp;set transform-set ESP-3DES-SHA<br />
&nbsp;match address 100<br />
<br />
and both sides there's :<br />
crypto isakmp policy 2<br />
&nbsp;encr aes<br />
&nbsp;authentication pre-share<br />
&nbsp;group 2<br />
&nbsp;lifetime 28800<br />
crypto isakmp key xxx address IP (other side router)<br />
crypto isakmp keepalive 10 10<br />

</div>


<div>
Ok,<br />
<br />
If you use those address as 'static', you still have to adjust your crypto maps so there is a peer defined.
</div>


<div>
Maybe less confusing, I cleaned configs except what (I think) is related to VPN only.<br />
&nbsp; <br />
<a href="https://filedb.experts-exchange.com/incoming/2011/08_w33/486745/Cisco-877.txt" target="_blank" class="file-inline" title="Cleaned config 877 (899 bytes)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Cisco-877.txt</a><br />
<a href="https://filedb.experts-exchange.com/incoming/2011/08_w33/486747/Cisco-881.txt" target="_blank" class="file-inline" title="Cleaned config 881 (1002 bytes)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Cisco-881.txt</a>
</div>


<div>
Ah, crossposted your comments didn't see them.<br />
<br />
Well this is looking ok.<br />
So what do you see when we throw in some debugging:<br />
<i>debug crypto ipsec<br />
debug crypto isakmp<br />
debug crypt engine</i><br />
?
</div>


<div>
Due to multiple changes, I introduced mismatch between <br />
crypto ipsec transform-set ESP-3DES-SHA <u>esp-3des </u>esp-md5-hmac<br />
and <br />
crypto isakmp policy 2<br />
<u> encr aes</u><br />
I suppose both must match<br />
I correct it, test it and if it fails I post debug logs<br />

</div>


<div>
That shouldn't matter, but it won't hurt if you change it.<br />
Let me know what happens.
</div>


<div>
Each time I ping a remote local IP, I've got only in the log :<br />
000164: *Mar &nbsp;5 22:15:32.186 PCTime: IPSEC(epa_des_crypt): decrypted packet failed SA identity check<br />
nothing in sh cry isa sa both sides<br />

</div>


<div>
Ok now the tunnel seems to be up.<br />
I see both IP in sh crypto isa sa<br />
The two local networks can ping each other...<br />
It's a big step forward thank you.<br />
<br />
But now I've got the same problem than Cisco &lt;-&gt; Linksys RV042, only pings works. I can't browse remote NAS or access this NAS thru HTTP (Linksys &lt;-&gt; Linksys works perfectly)<br />

</div>


<div>
Forgot to mention it : RDP with remote local address works also.
</div>


<div>
Is that the same 877 or another?
</div>


<div>
Yes the same 877. I could try Cisco 881 &lt;-&gt; Linksys RV042 to see if I've still got the problem...
</div>


<div>
To keep it less confusing ;) could you post the relevant parts of the configs for that tunnel?
</div>


<div>
Here's the configs. I didn't remove too much because I don't know what can be relevant or not... since it implies LAN and Wan interfaces...<br />
On the 877, I've got some surfing problemes and had to add some commands :<br />
interface ATM0<br />
&nbsp;atm vc-per-vp 64<br />
&nbsp;interface Dialer0<br />
&nbsp;ip mtu 1492<br />
&nbsp;ip tcp adjust-mss 1452<br />
&nbsp;<br />
<a href="https://filedb.experts-exchange.com/incoming/2011/08_w33/486780/Cisco-877.txt" target="_blank" class="file-inline" title="Cisco 877 config (1 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Cisco-877.txt</a><br />
<a href="https://filedb.experts-exchange.com/incoming/2011/08_w33/486781/Cisco-881.txt" target="_blank" class="file-inline" title="Cisco 881 config (1 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Cisco-881.txt</a>
</div>


<div>
On the 877 side you'll need something like this for the second site2site:<br />
<br />
<i>crypto map SDM_CMAP_1 10 ipsec-isakmp<br />
&nbsp;set peer yyy<br />
&nbsp;set transform-set Test<br />
&nbsp;match address 103</i><br />
<br />
Assuming the Linksys supports the transform set.<br />
<br />
<i>access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255</i><br />
<br />
Here I assumed the network behind the Linksys is 192.168.4.0<br />
<br />
<i>access-list 101 deny &nbsp; ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255<br />
access-list 101 deny &nbsp; ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255<br />
access-list 101 permit ip 192.168.2.0 0.0.0.255 any</i><br />
<br />
You'll also need to insert a line in list 101.
</div>


<div>
I'm confused by your post. We continue with the two Cisco or you want me to replace a Cisco by a Linksys ? &nbsp;I don't need three point tunnels (for the moment).<br />
In the linksys, there's no acl to configure. It's automatic. With two linksys, everything works well without any acl or firewall to config. But I want to test vpn with Cisco only now. Later If I can mix Cisco and Linksys, it would be great.<br />
<br />
I also have access to a cisco 1800 with fixed IP. I could go there and configure it to replace Cisco 877 or install a second tunnel between the 881 and the 1800 to see if the 877 is the problem.
</div>


<div>
Ehr, I was under the impression you also wanted to set up a tunnel from the 877 to a linksys.<br />
<br />
So It's about the two Ciscos And the tunnel is up but you can only ping?
</div>


<div>
Yes that's it. <br />
For now, I try two Cisco with fixed IP.<br />
Other combinations will be for other posts (and other points ;) <br />

</div>


<div>
Other posts are always good :))<br />
<br />
So, does the nas have the Cisco as gateway?
</div>


<div>
Yes and I can ping the NAS.<br />
Here I am on the 192.168.3.3<br />
Nas is remote<br />
IP : 192.168.2.6<br />
Mask /24<br />
Gateway 192.168.2.1<br />
DNS : directly to my ISP DNS server<br />
Besides, (that's why I mentionned the linksys) with two linksys in exactly the same environment, I never been blocked neither sides.<br />
With two Cisco, it seems to block or at least to be extremely slow. It seems to fail due to time out limit.
</div>


<div>
Are you connecting by name or IP? 
</div>


<div>
IP because I suppose ther's a lot to configure to let names to pass from a network to the other...
</div>


<div>
Could'nt it be a mtu problem or something ?<br />
Because when the data to be transfered is very short (like a ping or a <u>nearly-empty folder </u>on the NAS), it works ! But when data are larger, it then hangs.
</div>


<div>
Ok it seems to be a MTU problem.<br />
I fixed mtu on lan/wan interfaces to the same values and it works !<br />
I double check that to be sure and I keep you informed...
</div>


<div>
Good job!<br />
<br />
I'm on the road right now, can't type that much. But do keep me posted.
</div>


<div>
Ok everything works fine now. I'll have to fine tune mtu to get best performance, I guess.<br />
Thanks a lot for your help and patience :)<br />
Stay around I've still lot to learn...<br />

</div>


<div>
I'll be around :)<br />
<br />
Thx for the points.
</div>


<div>
<div class="content wysiwyg-content">
Hello Experts,<br />
<br />
I've setup a site to site vpn tunnel between two Cisco (877 &amp;&nbsp;881) and between a Cisco 877 and a Linksys RV042 issuing the same problem. It works one way perfectly, but not the other way. Except pings. Is it normal ?<br />
<br />
Thanks for your reply.
</div>
</div>


Hello Experts,

I've setup a site to site vpn tunnel between two Cisco (877 & 881) and between a Cisco 877 and a Linksys RV042 issuing the same problem. It works one way perfectly, but not the other way. Except pings. Is it normal ?

Thanks for your reply.

Cisco VPN works only one way

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or travelling users access to a central organizational network securely. VPNs encapsulate data transfers using secure cryptographic methods and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.

Routers

Networking is the process of connecting computing devices, peripherals and terminals together through a system that uses wiring, cabling or radio waves that enable their users to communicate, share information and interact over distances. Often associated are issues regarding operating systems, hardware and equipment, cloud and virtual networking, protocols, architecture, storage and management.