andrewprouse

asked on

Site-to-Site VPN - Cisco 1801 to Draytek Vigor 2850

Hi there,

I'm having issues trying to set a site-to-site (LAN to LAN) VPN up between two sites.  Site 1 has a Cisco 1801 and site 2 has a Draytek Vigor 2850.  I'm more familiar with the Cisco side so I'm guessing I'm doing something wrong with the Draytek.  The end result is that I can't seem to bring the tunnel UP.

For the purpose of this doc the IPs are as follows:

           WAN        LOCAL
SITE 1     1.1.1.1    172.16.16.254    255.255.240.0
SITE 2     2.2.2.2    192.168.1.1      255.255.255.0

SITE 1 Cisco config below (& SITE 2 Draytek config attached):

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cslcsl01 address 2.2.2.2
!
!
crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac
crypto ipsec transform-set TSET2 esp-des esp-md5-hmac
crypto ipsec transform-set TSET3 esp-aes 256 esp-sha-hmac
!
crypto map CRMAP local-address Dialer0
crypto map CRMAP 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TSET3
 match address 198
!
interface Dialer0
 mtu 1483
 bandwidth 350
 ip address negotiated
 ip access-group 199 in
 ip access-group 150 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname Cxxxxxx@hg43.btclick.com
 ppp chap password 0 xxxxxxxxx
 crypto map CRMAP
 max-reserved-bandwidth 100
 service-policy output QOS-OUT
!
access-list 198 permit ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 198 permit ip 192.168.1.0 0.0.0.255 172.16.16.0 0.0.15.255
access-list 198 permit tcp any any eq 500
access-list 198 permit esp any any
andrewprouse

ASKER

Amendment:   If I issue the following commands on the Cisco router:

clear cry ses
clear cry sa
clear cry isa

I get the following debug message:

*Aug 14 08:05:53.967: No peer struct to get peer description
Qlemo
We are missing the Draytek config ;-)

If you are more familiar with the Cisco part, I recommend trying to initiate traffic from the Draytek and debugging on the Cisco. That should show what the Draytek expects, and will most likely reveal the culprit.
Sorry...Draytek config attached.

The only option to initiate traffic on the Draytek is to hit the DIAL button on the VPN Connection Manager.  When I press this literally nothing happens.  No error messages & no debug info on the Cisco.
Draytek-Config.docx
Can we see ip access lists 199 and 150?
I'm no expert on either Draytek or Cisco, and have only configured a Draytek once a long time ago, but there are some points which puzzle me:
In the Cisco config there is PPP authentication information for Dialer0. IPsec does not use that.
The Draytek has a general section for entering the PSK, and a specific section. The PSK is entered in the specific section only. Maybe you should also set it in the general one.
Anyway, as long as the remote gateway address and generic protocol (PPTP, IPsec, ...) are correct, you should see at least the connection attempt.
There are some old rules within these ACLs from a previous site-to-site VPN to the network 172.16.0.0   255.255.240.0.

ip access-list logging interval 10
no logging trap
access-list 1 permit 172.16.16.0 0.0.15.255
access-list 101 deny   ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
access-list 101 deny   ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 172.16.16.0 0.0.15.255 any
access-list 101 deny   ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny   ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 110 permit tcp any any range 50000 59999
access-list 110 permit udp any any range 50000 59999
access-list 120 permit ip host 172.16.30.1 host 172.16.14.1
access-list 125 permit ip any any dscp ef
access-list 125 permit ip any any
access-list 150 permit udp any any eq 50561 log-input
access-list 150 permit udp any any
access-list 150 permit tcp any any
access-list 150 permit ip any any
access-list 155 permit ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
access-list 180 permit ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 180 permit ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
access-list 180 permit ip 172.16.0.0 0.0.15.255 192.168.200.0 0.0.0.255
access-list 180 permit ip 172.16.0.0 0.0.15.255 172.16.16.0 0.0.15.255
access-list 198 permit ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 198 permit ip 192.168.1.0 0.0.0.255 172.16.16.0 0.0.15.255
access-list 198 permit tcp any any eq 500
access-list 198 permit esp any any
access-list 199 permit tcp any any established
access-list 199 permit udp any eq domain any
access-list 199 permit udp host 217.36.231.143 any eq non500-isakmp
access-list 199 permit udp host 217.36.231.143 any eq isakmp
access-list 199 permit esp host 217.36.231.143 any
access-list 199 permit ahp host 217.36.231.143 any
access-list 199 deny   ip host 255.255.255.255 any
access-list 199 deny   ip 127.0.0.0 0.255.255.255 any
access-list 199 permit tcp any any eq 5801
access-list 199 permit tcp any any eq 1723
access-list 199 permit tcp any any eq 143
access-list 199 permit tcp any any eq smtp
access-list 199 permit tcp any any eq 3389
access-list 199 permit tcp any any eq 5903
access-list 199 permit tcp any any eq 81
access-list 199 permit tcp any any eq 443
access-list 199 permit tcp any any eq 993
access-list 199 permit gre any any
access-list 199 permit tcp any any eq telnet
access-list 199 permit icmp any any
access-list 199 permit tcp any any eq 8081
access-list 199 permit tcp any any eq 52222
access-list 199 permit udp any any eq 50561
access-list 199 permit tcp any any eq 123
access-list 199 permit tcp any any eq 1234
access-list 199 permit udp any any eq 50562
access-list 199 permit udp any any eq 50563
access-list 199 permit tcp any any eq 22315
access-list 199 permit udp any any eq 22315
access-list 199 permit tcp any any eq ftp
access-list 199 permit tcp any any range 65500 65510
access-list 199 permit ip 172.16.0.0 0.0.15.255 any
access-list 199 permit udp any any eq ntp
access-list 199 permit tcp any any eq 22
access-list 199 permit udp any any eq 22
access-list 199 permit tcp any any eq 5900
access-list 199 permit tcp any any eq 5901
access-list 199 permit tcp any any eq 5902
access-list 199 permit tcp any any eq 5800
access-list 199 permit tcp any any eq 50561
access-list 199 permit udp any any eq 389
access-list 199 permit tcp any any eq 445
access-list 199 permit tcp any any eq 444
access-list 199 permit tcp any any eq 5061
access-list 199 permit udp any any eq 3478
access-list 199 permit udp any any range 50000 59999
access-list 199 permit tcp any any range 50000 59999
access-list 199 permit tcp any any eq 446
access-list 199 permit ip 192.168.100.0 0.0.0.255 any
access-list 199 permit tcp any any eq 4443
access-list 199 permit tcp any any eq www
access-list 199 permit udp any any eq 3389
access-list 199 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.240.0
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit tcp any any eq 500
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
dialer-list 1 protocol ip permit
Ok, the VPN now seems to be up.  I had to change the 'WAN IP' & 'Remote Gateway IP' to 0.0.0.0 on the LAN-to-LAN setup page (must be a Draytek thing).

My issue now is that I can't seem to ping across the VPN.  Would this be an ACL thing?
DEBUG shows

*Aug 14 09:16:33.171: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
No, you have already permitted everything you need in the access lists:

access-list 199 permit ip 192.168.1.0 0.0.0.255 any

access-list 150 permit ip any any

Make sure you have routing properly configured
You would also need to configure NAT exempt on the router

Can you post your NAT config?
I have a static route of:   S    192.168.1.0/24 [1/0] via 2.2.2.2

If I do a sh cry ipsec sa I've noticed the following:

protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 273


NAT config is as follows:

ip nat pool AV_Edge 192.168.200.20 192.168.200.20 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 172.16.17.33 443 interface Dialer0 443
ip nat inside source static udp 172.16.20.18 22315 interface Dialer0 22315
ip nat inside source static tcp 172.16.20.18 22315 interface Dialer0 22315
ip nat inside source static udp 172.16.16.120 50561 interface Dialer0 50561
ip nat inside source static tcp 172.16.17.33 80 interface Dialer0 80
ip nat inside source static tcp 172.16.17.33 25 interface Dialer0 25
ip nat inside source static tcp 172.16.17.32 1723 interface Dialer0 1723
ip nat inside source static tcp 172.16.17.33 143 interface Dialer0 143
ip nat inside source static tcp 172.16.17.33 993 interface Dialer0 993
ip nat inside source static tcp 172.16.17.33 21 interface Dialer0 21
ip nat inside source static tcp 172.16.17.33 65500 interface Dialer0 65500
ip nat inside source static tcp 172.16.17.33 65501 interface Dialer0 65501
ip nat inside source static tcp 172.16.17.33 65502 interface Dialer0 65502
ip nat inside source static tcp 172.16.17.33 65503 interface Dialer0 65503
ip nat inside source static tcp 172.16.17.33 65504 interface Dialer0 65504
ip nat inside source static tcp 172.16.17.33 65505 interface Dialer0 65505
ip nat inside source static tcp 172.16.17.33 65506 interface Dialer0 65506
ip nat inside source static tcp 172.16.17.33 65507 interface Dialer0 65507
ip nat inside source static tcp 172.16.17.33 65508 interface Dialer0 65508
ip nat inside source static tcp 172.16.17.33 65509 interface Dialer0 65509
ip nat inside source static tcp 172.16.17.33 65510 interface Dialer0 65510
ip nat inside source static udp 172.16.17.31 123 interface Dialer0 123
ip nat inside source static udp 172.16.30.1 22 interface Dialer0 22
ip nat inside source static tcp 172.16.30.1 22 interface Dialer0 22
ip nat inside source static tcp 172.16.20.16 5900 interface Dialer0 5900
ip nat inside source static tcp 172.16.20.16 5901 interface Dialer0 5901
ip nat inside source static tcp 172.16.20.16 5902 interface Dialer0 5902
ip nat inside source static tcp 172.16.20.16 5903 interface Dialer0 5903
ip nat inside source static tcp 172.16.20.16 5800 interface Dialer0 5800
ip nat inside source static tcp 172.16.16.120 50561 interface Dialer0 50561
ip nat inside source static tcp 172.16.17.33 444 interface Dialer0 444
ip nat inside source static tcp 192.168.200.20 5061 interface Dialer0 5061
ip nat inside source static udp 192.168.200.20 3478 interface Dialer0 3478
ip nat inside source static tcp 192.168.200.20 4443 interface Dialer0 4443
ip nat inside source static tcp 192.168.200.20 8080 interface Dialer0 8080
ip nat inside source static tcp 192.168.200.20 446 interface Dialer0 446
ip nat inside source static tcp 172.16.17.10 3389 interface Dialer0 3389
ip nat inside source static tcp 172.16.16.10 52222 interface Dialer0 52222
ip nat inside source route-map RMAP-1 interface Dialer0 overload
ip nat inside destination list 110 pool AV_Edge
!
!
route-map RMAP-1 permit 1
 match ip address 101
!
interface Dialer0
 ip nat outside
!
interface Vlan1
 ip nat inside
!
What is your default gateway on Cisco network?
the Router's VLAN1 IP Address:  172.16.16.254
Add this to your config

access-list 101 deny   ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255

I suggest adding it after access-list 101 deny   ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
Sorry, didn't notice your post...   I've just added your command to ACL 101 but I don't seem to be any further forward.

The VPN appears UP if I use Draytek's aggressive mode, but as soon as I put it back to 'main mode' the VPN never starts.  In both modes however the Cisco debug is plagued with messages about 'purging nodes':


BRISTOL-RTR#
*Aug 14 11:49:17.990: ISAKMP:(2014):purging node -615247504
BRISTOL-RTR#
*Aug 14 11:49:28.326: ISAKMP (0:2014): received packet from 87.194.205.145 dport 500 sport 500 Global (R) QM_IDLE
*Aug 14 11:49:28.326: ISAKMP: set new node -1337222847 to QM_IDLE
*Aug 14 11:49:28.330: ISAKMP:(2014): processing HASH payload. message ID = -1337222847
*Aug 14 11:49:28.330: ISAKMP:(2014): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = -1337222847, sa = 851CD7B4
*Aug 14 11:49:28.330: ISAKMP:(2014):deleting node -1337222847 error FALSE reason "Informational (in) state 1"
*Aug 14 11:49:28.330: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug 14 11:49:28.330: ISAKMP:(2014):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Aug 14 11:49:28.330: ISAKMP:(2014):DPD/R_U_THERE received from peer 87.194.205.145, sequence 0xB60
*Aug 14 11:49:28.330: ISAKMP: set new node 1339048727 to QM_IDLE
*Aug 14 11:49:28.330: ISAKMP:(2014):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 2219908288, message ID = 1339048727
*Aug 14 11:49:28.330: ISAKMP:(2014): seq. no 0xB60
*Aug 14 11:49:28.330: ISAKMP:(2014): sending packet to 87.194.205.145 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 14 11:49:28.330: ISAKMP:(2014):Sending an IKE IPv4 Packet.
*Aug 14 11:49:28.330: ISAKMP:(2014):purging node 1339048727
BRISTOL-RTR#
*Aug 14 11:49:28.330: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Aug 14 11:49:28.330: ISAKMP:(2014):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

BRISTOL-RTR#
*Aug 14 11:49:33.074: ISAKMP:(2014):purging node 1343386404
BRISTOL-RTR#
*Aug 14 11:49:43.414: ISAKMP (0:2014): received packet from 87.194.205.145 dport 500 sport 500 Global (R) QM_IDLE
*Aug 14 11:49:43.414: ISAKMP: set new node 621411317 to QM_IDLE
*Aug 14 11:49:43.414: ISAKMP:(2014): processing HASH payload. message ID = 621411317
*Aug 14 11:49:43.414: ISAKMP:(2014): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 621411317, sa = 851CD7B4
*Aug 14 11:49:43.414: ISAKMP:(2014):deleting node 621411317 error FALSE reason "Informational (in) state 1"
*Aug 14 11:49:43.414: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Aug 14 11:49:43.414: ISAKMP:(2014):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Aug 14 11:49:43.414: ISAKMP:(2014):DPD/R_U_THERE received from peer 87.194.205.145, sequence 0xB61
*Aug 14 11:49:43.414: ISAKMP: set new node -737335812 to QM_IDLE
*Aug 14 11:49:43.414: ISAKMP:(2014):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 2219908288, message ID = -737335812
*Aug 14 11:49:43.414: ISAKMP:(2014): seq. no 0xB61
*Aug 14 11:49:43.414: ISAKMP:(2014): sending packet to 87.194.205.145 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 14 11:49:43.414: ISAKMP:(2014):Sending an IKE IPv4 Packet.
*Aug 14 11:49:43.414: ISAKMP:(2014):purging node -737335812
I'm also getting a lot of these messages:

*Aug 14 11:53:48.754: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Can you do show crypto ipsec again please?
BRISTOL-RTR#sh cry ipsec sa

interface: Dialer0
    Crypto map tag: CRMAP, local addr 81.149.56.229

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/500)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 93

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x8BB6CCE6(2344013030)

     inbound esp sas:
      spi: 0x7D58F445(2102981701)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 23, flow_id: Motorola SEC 2.0:23, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4554930/1549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8BB6CCE6(2344013030)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 24, flow_id: Motorola SEC 2.0:24, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4554950/1549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access3
    Crypto map tag: CRMAP, local addr 81.149.56.229

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/500)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 93

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x8BB6CCE6(2344013030)

     inbound esp sas:
      spi: 0x7D58F445(2102981701)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 23, flow_id: Motorola SEC 2.0:23, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4554930/1549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8BB6CCE6(2344013030)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 24, flow_id: Motorola SEC 2.0:24, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4554950/1549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
BRISTOL-RTR#
Can you post sh ip access-list 101?
BRISTOL-RTR#sh ip access 101
Extended IP access list 101
    10 deny ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255 (3826 matches)
    20 deny ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
    30 permit ip 172.16.16.0 0.0.15.255 any (350164 matches)
    40 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    50 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
    60 permit ip 192.168.200.0 0.0.0.255 any (5228 matches)
    70 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
ASKER CERTIFIED SOLUTION
fgasimzade
Changed to 102:


route-map RMAP-1 permit 1
 match ip address 102
!

BRISTOL-RTR#sh ip access 102
Extended IP access list 102
    10 deny ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
    20 deny ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
    30 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
    40 permit ip 172.16.16.0 0.0.15.255 any
    50 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    60 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
    70 permit ip 192.168.200.0 0.0.0.255 any
BRISTOL-RTR#
BRISTOL-RTR#sh ip access 102
Extended IP access list 102
    10 deny ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255 (6 matches)
    20 deny ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
    30 deny ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
    40 permit ip 172.16.16.0 0.0.15.255 any (28 matches)
    50 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    60 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
    70 permit ip 192.168.200.0 0.0.0.255 any (4 matches)
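The difference between ACL 101 (the VPN deny landed at sequence 70, after the blanket `permit ip 172.16.16.0 0.0.15.255 any` at 30) and ACL 102 (the deny at 30, ahead of the permit) comes down to first-match evaluation of the route-map ACL. The checker below is an added example, not code from the thread: it replays that evaluation over both ACLs as posted, and also lists the non-`ip` entries of crypto ACL 198, which are what appear in the `show crypto ipsec sa` output above as the extra `0.0.0.0/0.0.0.0/6/500` and `/50/0` identities. Function and constant names are the example's own; the two sample hosts are constructed.

```python
"""First-match evaluation of Cisco numbered extended ACLs (added example, not from the thread).

Two checks drawn from the discussion: whether the route-map ACL behind
'ip nat inside source route-map RMAP-1 ... overload' exempts the LAN-to-LAN
traffic from NAT (its first match must be a deny), and whether the crypto ACL
holds entries other than 'permit ip net net' (each one becomes its own proxy
identity in 'show crypto ipsec sa')."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Spec = Tuple[int, int]        # (network as int, wildcard mask as int)
ANY: Spec = (0, 0xFFFFFFFF)   # the keyword 'any'

@dataclass
class Ace:
    action: str   # 'permit' or 'deny'
    proto: str    # 'ip', 'tcp', 'udp', 'esp', ...
    src: Spec
    dst: Spec

def _addr_spec(tok: List[str], i: int) -> Tuple[Spec, int]:
    """Consume one address spec ('any', 'host A.B.C.D' or 'net wildcard')."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    net, wc = (int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2])
    return (net, wc), i + 2

def parse_acl(config: str, number: int) -> List[Ace]:
    """Collect the ACEs of one numbered extended ACL in configuration order."""
    aces: List[Ace] = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        src, i = _addr_spec(tok, 4)
        dst, _ = _addr_spec(tok, i)   # trailing 'eq 500', 'log-input', ... are ignored
        aces.append(Ace(tok[2], tok[3], src, dst))
    return aces

def _matches(spec: Spec, addr: str) -> bool:
    """Cisco wildcard semantics: every 0 bit in the wildcard must equal the network."""
    net, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def first_match(aces: List[Ace], src: str, dst: str, proto: str = "ip") -> Optional[Ace]:
    """First ACE matching the packet, or None for the implicit deny at the end."""
    for ace in aces:
        if ace.proto in ("ip", proto) and _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace
    return None

def natted_by_route_map(config: str, number: int, src: str, dst: str) -> bool:
    """In a route-map 'match ip address' ACL a permit means 'translate this flow';
    a deny (or no match) leaves it alone, which is what the VPN traffic needs."""
    ace = first_match(parse_acl(config, number), src, dst)
    return ace is not None and ace.action == "permit"

def non_ip_crypto_aces(config: str, number: int) -> List[str]:
    """Protocols of crypto-ACL entries that are not plain 'ip' network-to-network lines."""
    return [a.proto for a in parse_acl(config, number) if a.proto != "ip"]

# Sample input, taken from the thread: ACL 101 with the VPN deny appended at
# the end (sequence 70), ACL 102 rebuilt with that deny ahead of the blanket permit.
ACL_101_AS_POSTED = """
access-list 101 deny   ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
access-list 101 deny   ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 172.16.16.0 0.0.15.255 any
access-list 101 deny   ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny   ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 deny   ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
"""
ACL_102_REORDERED = """
access-list 102 deny   ip 172.16.16.0 0.0.15.255 172.16.0.0 0.0.15.255
access-list 102 deny   ip 172.16.16.0 0.0.15.255 192.168.100.0 0.0.0.255
access-list 102 deny   ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 172.16.16.0 0.0.15.255 any
access-list 102 deny   ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 deny   ip 192.168.200.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
"""
CRYPTO_ACL_198 = """
access-list 198 permit ip 172.16.16.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 198 permit ip 192.168.1.0 0.0.0.255 172.16.16.0 0.0.15.255
access-list 198 permit tcp any any eq 500
access-list 198 permit esp any any
"""

if __name__ == "__main__":
    host_a, host_b = "172.16.16.10", "192.168.1.5"   # constructed hosts, one per site
    print("ACL 101 NATs the VPN flow:", natted_by_route_map(ACL_101_AS_POSTED, 101, host_a, host_b))
    print("ACL 102 NATs the VPN flow:", natted_by_route_map(ACL_102_REORDERED, 102, host_a, host_b))
    print("non-ip entries in crypto ACL 198:", non_ip_crypto_aces(CRYPTO_ACL_198, 198))
```

With ACL 101 the site-1 to site-2 flow is translated to the Dialer0 address before it reaches the crypto map, so it never matches ACL 198 (hence `#pkts encaps: 0`); with ACL 102 the same flow is left untranslated while Internet-bound traffic is still NATted.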
Ok, now see if you can ping the other side. If no, post the show crypto ipsec again
Still no reply from the other side.

BRISTOL-RTR#sh cry ipsec sa

interface: Dialer0
    Crypto map tag: CRMAP, local addr 81.149.56.229

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/500)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 115

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x8BB6CCE7(2344013031)

     inbound esp sas:
      spi: 0xF1C686AE(4056319662)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 25, flow_id: Motorola SEC 2.0:25, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4497036/3247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8BB6CCE7(2344013031)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 26, flow_id: Motorola SEC 2.0:26, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4497038/3247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access3
    Crypto map tag: CRMAP, local addr 81.149.56.229

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/500)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 115

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x8BB6CCE7(2344013031)

     inbound esp sas:
      spi: 0xF1C686AE(4056319662)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 25, flow_id: Motorola SEC 2.0:25, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4497036/3247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8BB6CCE7(2344013031)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 26, flow_id: Motorola SEC 2.0:26, crypto map: CRMAP
        sa timing: remaining key lifetime (k/sec): (4497038/3247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.149.56.229, remote crypto endpt.: 87.194.205.145
     path mtu 1483, ip mtu 1483, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
BRISTOL-RTR#
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 87.194.205.145 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 115


0 here means that packets do not reach the router (a routing problem) or that there is a NAT problem.

From where are you pinging?
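One way to automate the counter check applied above (packets decapsulated from the peer but none encapsulated back, plus receive errors), as an added example that is not part of this thread: a small Python parser for the `show crypto ipsec sa` output format. The sample text is constructed in that format with the thread's subnets; the finding wording is my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the "show crypto ipsec sa" output quoted in this
# thread (subnets as on the page; counters chosen to show a one-way SA and a protocol-only SA).
SAMPLE = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #send errors 0, #recv errors 115

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/50/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

@dataclass
class SaStats:
    local_ident: str    # addr/mask/prot/port, e.g. 172.16.16.0/255.255.240.0/0/0
    remote_ident: str
    encaps: int         # packets this router encrypted into the tunnel
    decaps: int         # packets received from the peer and decrypted
    recv_errors: int

def parse_ipsec_sa(text: str) -> list[SaStats]:
    """One SaStats per 'protected vrf' block of the show output."""
    sas = []
    for block in re.split(r"\n\s*protected vrf:", "\n" + text)[1:]:
        ident = dict(re.findall(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)", block))
        nums = {k: int(v) for k, v in re.findall(r"#(pkts encaps|pkts decaps|recv errors):? (\d+)", block)}
        sas.append(SaStats(ident["local"], ident["remote"], nums["pkts encaps"],
                           nums["pkts decaps"], nums["recv errors"]))
    return sas

def triage(sa: SaStats) -> list[str]:
    """Findings for one SA, following the counter reasoning used in the thread."""
    findings = []
    proto = sa.local_ident.split("/")[2]
    if sa.local_ident.startswith("0.0.0.0/0.0.0.0/") and proto in ("6", "50"):
        findings.append("protocol-only proxy ID: this crypto ACL line is not a LAN-to-LAN entry")
    if sa.decaps > 0 and sa.encaps == 0:
        findings.append("one-way: peer traffic is decrypted but nothing is sent back (routing or NAT)")
    if sa.recv_errors > 0:
        findings.append(f"{sa.recv_errors} recv errors: decrypted packets did not match this SA's identities")
    return findings
```

Feed it the full output of the command and look at the SA whose identities are the two LAN subnets; the protocol-only entries show which crypto ACL lines describe something other than LAN-to-LAN traffic.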
Although the VPN comes UP, I'm still getting the following:

*Aug 14 13:05:48.794: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:05:48.794: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:05:48.794: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:07:27.058: ISAKMP:(2017):purging node 2002373508
Where are you pinging from?

How do you see that the VPN is up?
Ah, we may have just got somewhere.

After your change to ACL 102 I cleared all tunnels and sessions, then re-initiated the VPN from the Draytek side.  I can now ping from the Cisco router's VLAN1 interface to the Draytek router and beyond to LAN devices.

I am now just trying to get the ping working the other way.
For testing, you need to ping from PC to PC, not from the VPN devices.
I can ping from SITE 1 PC to SITE 2 LAN DEVICE

I'm just trying to arrange access to a PC on site 2 to try pinging the other way.

SITE 2 router cannot ping SITE 1 router or LAN, but you could be right, so I'll keep trying to get access to a PC on SITE 2.
fgasimzade...I think we've done it :)

It must have been the NAT rule that you suggested I add to the NAT ACL.

Strange though that I'm still getting these debug messages:

*Aug 14 13:38:11.482: No peer struct to get peer description
*Aug 14 13:38:11.482: No peer struct to get peer description
*Aug 14 13:38:11.482: No peer struct to get peer description
*Aug 14 13:38:55.750: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:38:56.514: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
*Aug 14 13:38:57.274: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

However, I don't really mind, the main thing is that it is up and working....thank you :)
have a good day!