Cisco IPSEC VPN Issue

Posted on 2011-10-24
Last Modified: 2012-05-12
I'm having trouble getting a VPN between a Cisco 1841 (Spoke) router and a Cisco 3825 (Hub) router working correctly. Everything (sh crypto sessions, sh crypto ipsec sa, sh crypto isakmp sa) indicates the VPN tunnel is established, but traffic refuses to pass. This leads me to think it's a routing or a NAT issue.

I'm trying to establish an IPSEC VPN between Site A (Spoke) and Site B (Hub). Site A must also have access to Site C, where the servers are located.

Site A (10.1.20.X) is connected to the Internet via Comcast Broadband (int Fast0/0). Site B (10.1.0.X) is connected to the Internet via AT&T MLPPP T1s (int MULTI1). Site C (10.1.10.X, 10.1.11.X, 10.1.12.X) is connected via AT&T MPLS to Site B (int Gi0/0). Site C uses the MLPPP T1s in Site B for Internet access.

Router configs are attached. Anyone have any ideas what I'm missing here? I'm desperate! The location is completely down - they moved before the MPLS circuits were ready and they still have a few weeks before those will go in.

Attachments: Site-A.txt, Site-B.txt
Question by: Matt Walker

    Expert Comment

    At first glance, you are missing ppp multilink group 1 from the multilink1 interface.

    Expert Comment

    access-list 155 permit ip (in both sites you have subnet ????????)

    Author Comment by: Matt Walker
    PPP Multilink group 1 is there - it might not have come out in the configuration I copied here - Internet access through this Interface works fine.

    In Site A (Spoke Site) the subnet is 10.1.20.X and in Site B (Hub Site) the subnet is 10.1.0.X. Site C (Server Site) has subnets 10.1.10.X, 10.1.11.X, and 10.1.12.X.

    Accepted Solution

    crypto map mymap 10 ipsec-isakmp
     set peer
     set transform-set myset
     match address 155
    access-list 155 permit ip

    This is your config for Site A. For identifying the traffic which must pass through the VPN you use access list 155, but in access list 155 you say that traffic originating from network  and going to network  must pass through the VPN. This statement is not correct.
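The accepted solution points at the crypto ACL as the fault. As an added illustration (not from the original thread and not taken from either attached config, which is not on this page), below is what a crypto ACL covering exactly the subnets named in the question would look like on both routers, plus the NAT exemption that the poster's "routing or NAT issue" suspicion makes relevant. Assumptions: every subnet is a /24 (the question only writes "10.1.20.X"), Site A performs NAT overload on Fast0/0 using a list I am calling 150 (the real list number is unknown), the hub reuses the same crypto map and transform-set names as the spoke, and the peer addresses are placeholders from the documentation ranges.

```ios
! ---- Site A (spoke, Cisco 1841) - added example, not the poster's config ----
! Crypto ACL: each flow that must be encrypted, spoke subnet -> hub and server subnets.
! Masks assumed /24; the question writes the networks as 10.1.20.X etc.
access-list 155 permit ip 10.1.20.0 0.0.0.255 10.1.0.0  0.0.0.255
access-list 155 permit ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 155 permit ip 10.1.20.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 155 permit ip 10.1.20.0 0.0.0.255 10.1.12.0 0.0.0.255
!
! NAT exemption (assumption: Fast0/0 does PAT overload driven by list 150).
! The deny lines must come before the permit: NAT is applied before the
! crypto map is consulted, so a translated packet no longer has a 10.1.20.x
! source and never matches ACL 155 - the tunnel stays up but carries nothing.
access-list 150 deny   ip 10.1.20.0 0.0.0.255 10.1.0.0  0.0.0.255
access-list 150 deny   ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 150 deny   ip 10.1.20.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 150 deny   ip 10.1.20.0 0.0.0.255 10.1.12.0 0.0.0.255
access-list 150 permit ip 10.1.20.0 0.0.0.255 any
ip nat inside source list 150 interface FastEthernet0/0 overload
!
crypto map mymap 10 ipsec-isakmp
 ! 203.0.113.1 is a placeholder for Site B's MULTI1 address
 set peer 203.0.113.1
 set transform-set myset
 match address 155
interface FastEthernet0/0
 crypto map mymap
!
! ---- Site B (hub, Cisco 3825) ----
! The hub's crypto ACL is the exact mirror image of the spoke's. If the two
! ACLs are not mirrors, the proxy identities do not agree: the SA may still
! negotiate, but traffic is dropped in one direction.
access-list 155 permit ip 10.1.0.0  0.0.0.255 10.1.20.0 0.0.0.255
access-list 155 permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 155 permit ip 10.1.11.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 155 permit ip 10.1.12.0 0.0.0.255 10.1.20.0 0.0.0.255
crypto map mymap 10 ipsec-isakmp
 ! 198.51.100.1 is a placeholder for Site A's Fast0/0 address
 set peer 198.51.100.1
 set transform-set myset
 match address 155
interface Multilink1
 crypto map mymap
!
! Site C is reached over MPLS via Gi0/0. The Site C router (not on this page)
! must carry a route for 10.1.20.0/24 back towards Site B, or replies from the
! servers will follow Site C's default route and never reach the tunnel.
```

To tell which half is broken, ping a server from a Site A host and watch `show crypto ipsec sa` on the spoke: if `#pkts encaps` stays at zero, the packets are not being selected for encryption (NAT translating them first, or a crypto ACL that does not match); if encaps climbs on the spoke but `#pkts decaps` on the hub stays at zero, the problem is between the peers; if the hub decapsulates but never encapsulates a reply, look at routing on Site B and Site C. `show ip nat translations` on the spoke will show whether VPN-bound traffic is being translated despite the exemption.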
