Hi,
I've two sites (SG & KL) running with Cisco router and connected with an ipsec tunnel. Recently, there's a new subnet created in 'KL'. I've modified the crypto acl, include the new subnet in both router setting. Unfortunately, SG's workstation failed to connect to the new subnet of 'KL'. Then I checked both router crypto map status, it said isakmp SA is failed to established.
Under existing tunnel setting, both subnets are under the same isakmp & ipsec profile, as well as same secret key. Why does the new subnet SA can't be established but the old subnet does work without any problem ? Any thought ?
For my understanding, both routers will negotiate and exchanged local network parameters, if both parameters & profile are matched, the SA will be established. Will these routers attempt to connect to the new subnet during SA negotiation ? As the new subnet is connected to another router device behind the lan, the router may not have the access during negotiation stage. would it be the cause ? I only want to ensure the SA will be established and I'll troubleshoot the connectivity issue later.
Below are 'sh cry isakmp output' & two routers configuration for your reference :
SGoff1#sh cry isa sa dst src state conn-id slot
190.22.13.129 218.101.136.5 MM_NO_STATE 155 0 (deleted) 218.101.136.5 190.22.13.129 QM_IDLE 156 0SG router:- crypto isakmp key xxxxx address 200.75.1.254
crypto map KLoff1 1 ipsec-isakmp set peer 200.75.1.254 set transform-set esp-3des-sha match address KL-SG
interface FastEthernet0/0 description Outside ip address 218.101.136.5 255.255.255.128 crypto map YNRVPN28501 ! interface FastEthernet0/1 description Outside ip address 192.168.146.1 255.255.255.0 crypto map YNRVPN28501
ip access-list extended KL-SG permit ip 192.168.146.0 0.0.0.255 host 190.22.13.129