IPSec

How to create vpn ipsec tunnel from another site with dynamic ip?

Reply to
Buddy Rich

DT

Reply to
dt1649651

Hi All

I have set up a tunnel between 2 IOS Routers A and B (1760 and 1841).

A has a single FastEth interface, and B 2 of them, FE0/0 with the crypto map, and FE0/1 connected to my LAN.

While logged on A, I ping from A router the LAN interface of B router, the ISAKMP/IPSec negotiation establishes the tunnel.

With sh crypto ipsec sa I see that the datagrams (pings) are encrypted on A: #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4

but on B router, the sh crypto ipsec sa shows no data decrypted: #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

Why isn't B router showing that he is receiving the datagrams sent through the tunnel?

Regards

Jaime

Reply to
TERRA

In article , TERRA wrote:
:I have set up a tunnel between 2 IOS Routers A and B (1760 and 1841).

:A has a single FastEth interface, and B 2 of them, FE0/0 with the crypto
:map, and FE0/1 connected to my LAN.

:While logged on A, I ping from A router the LAN interface of B router, the
:ISAKMP/IPSec negotiation establishes the tunnel.

:With sh crypto ipsec sa I see that the datagrams (pings) are encrypted on A
:#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4

:but on B router, the sh crypto ipsec sa shows no data decrypted
: #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

:Why isn't B router showing that he is receiving the datagrams sent
:through the tunnel?

As a guess: you might have a mismatch in the crypto ACLs used to define the tunnels. If you aren't careful, you can end up in situations where B expects the traffic to have been on a different SA than A thinks.

This can occur especially if you have overlapping ranges, such as "all of A to host B1" and "host A2 to all of B" -- e.g., which SA do you use to communicate from host A2 to B1?

Reply to
Walter Roberson
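
The crypto ACL mismatch and overlapping-range cases raised in the reply above, as an added example that is not part of the original thread: a Python check that reads the `permit ip` lines of both routers' crypto ACLs, reports entries on one peer with no mirrored (source and destination swapped) entry on the other, and flags entries within one ACL that can match the same flow. The ACL contents and addresses are constructed, and the parser assumes only `any`, `host X` and contiguous wildcard masks.

```python
import ipaddress
from itertools import combinations

# Constructed sample crypto ACLs (addresses are placeholders, not from the thread).
ACL_A = """\
permit ip 10.1.0.0 0.0.0.255 host 10.2.0.1
permit ip host 10.1.0.2 10.2.0.0 0.0.0.255
"""
ACL_B = """\
permit ip host 10.2.0.1 10.1.0.0 0.0.0.255
permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
"""

def parse_addr(tok):
    """Consume one address spec from tok: 'any', 'host X' or 'X wildcard'."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tok.pop(0)))
    # Assumption: contiguous wildcard masks; anything else raises ValueError.
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{netmask}")

def parse_acl(text):
    """Return [(src_net, dst_net)] for every 'permit ip' line."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["permit", "ip"]:
            tok = tok[2:]
            entries.append((parse_addr(tok), parse_addr(tok)))
    return entries

def unmirrored(local, remote):
    """Local entries whose swapped (dst, src) form is missing on the peer."""
    peer = set(remote)
    return [(s, d) for s, d in local if (d, s) not in peer]

def overlapping(acl):
    """Pairs of entries in one ACL that can both match the same flow."""
    return [(a, b) for a, b in combinations(acl, 2)
            if a[0].overlaps(b[0]) and a[1].overlaps(b[1])]

if __name__ == "__main__":
    a, b = parse_acl(ACL_A), parse_acl(ACL_B)
    for s, d in unmirrored(a, b):
        print(f"A: {s} -> {d} has no mirrored entry on B")
    for x, y in overlapping(a):
        print(f"A: {x[0]} -> {x[1]} overlaps {y[0]} -> {y[1]}")
```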
