IPSec Tunnel problem, need help !!


I've two sites (SG & KL) running with Cisco router and connected with an ipsec tunnel. Recently, there's a new subnet created in 'KL'. I've modified the crypto acl, include the new subnet in both router setting. Unfortunately, SG's workstation failed to connect to the new subnet of 'KL'. Then I checked both router crypto map status, it said isakmp SA is failed to established.

Under existing tunnel setting, both subnets are under the same isakmp & ipsec profile, as well as same secret key. Why does the new subnet SA can't be established but the old subnet does work without any problem ? Any thought ?

For my understanding, both routers will negotiate and exchanged local network parameters, if both parameters & profile are matched, the SA will be established. Will these routers attempt to connect to the new subnet during SA negotiation ? As the new subnet is connected to another router device behind the lan, the router may not have the access during negotiation stage. would it be the cause ? I only want to ensure the SA will be established and I'll troubleshoot the connectivity issue later.

Below are 'sh cry isakmp output' & two routers configuration for your reference :

SGoff1#sh cry isa sa dst src state conn-id slot MM_NO_STATE 155 0 (deleted) QM_IDLE 156 0

SG router:- crypto isakmp key xxxxx address

crypto map KLoff1 1 ipsec-isakmp set peer set transform-set esp-3des-sha match address KL-SG

interface FastEthernet0/0 description Outside ip address crypto map YNRVPN28501 ! interface FastEthernet0/1 description Outside ip address crypto map YNRVPN28501

ip access-list extended KL-SG permit ip host

Reply to
Loading thread data ...

The peer addresses don't appear to add up:

! crypto map SGoff1 1 ipsec-isakmp set peer ! crypto isakmp key xxxxx address !

Shouldn't it be 'set peer' on the KL router?

Reply to

Ah, it's my typo mistake. it should be

crypto map KLoff1 1 ipsec-isakmp set peer

The issue is the first net - permit ip host is workable, both net share the same crypto map and isakmp profile. Why only the first net does work ?

Al =BCg=B9D=A1G

Reply to

Based on this ...

It looks like the original SA needs to be cleared - I would ensure these are cleared on both ends. I'm not sure of the router command but on a PIX it would be "clear ipsec sa" but I think on the router you have to give a connection ID when you clear it

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.