IPSec Tunnels set up, but can't pass traffic

I'm able to set up AES IPSec tunnels from an 1811 router to a 3845 router, but cannot pass traffic. A firewall, not under our control, sits immediately in front of the 3845, so I suspect that it is causing the problem.

Here's the config on the 1811 side:

crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key xxxx address
crypto isakmp keepalive 60 30 periodic
!
crypto ipsec transform-set backup esp-aes esp-sha-hmac
!
crypto ipsec profile backup
 set transform-set backup

The tunnels look absolutely fine and are working on other interfaces where the firewall isn't present. Any ideas?


Do you have the correct routes in place?

Brian V

Apply the crypto map to the interface and add static routes to send traffic to that destination through the crypto map interface.

Check to see the progress with these commands:

show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp

Your desired output for the "show crypto isakmp sa" command is a QM_IDLE status for your connection.

Scott Perry


Those have been applied... see tunnel configuration below:

interface Tunnel1
 description BACKUP TUNNEL
 ip address
 ip virtual-reassembly
 tunnel source
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile backup

In addition, the routes look like this:

ip route
ip route Tunnel0
ip route Tunnel1 2
ip route
ip route Tunnel0
ip route Tunnel0
ip route Tunnel1 2
ip route Tunnel1
ip route

With tunnel0 shutdown, the routing table looks like:

Gateway of last resort is to network

 is subnetted, 1 subnets
C is directly connected, FastEthernet1
 is variably subnetted, 2 subnets, 2 masks
C is directly connected, Vlan2
S is directly connected, Tunnel1
 is variably subnetted, 6 subnets, 5 masks
S is directly connected, Tunnel1
C is directly connected, Tunnel1
C is directly connected, FastEthernet0
S [1/0] via
C is directly connected, Loopback0
C is directly connected, Vlan2
 is subnetted, 1 subnets
S [1/0] via
S* [1/0] via
S is directly connected, Tunnel1

Any ideas?


Do you control the firewall? Can it be monitored/checked to see if protocol 50 (ESP) is permitted as necessary to/from your vpn endpoint?


Issue was resolved by changing the default route on the 3845. It had pointed all traffic to the wrong interface on the firewall. This still allowed the tunnels to come up, but not pass traffic. Very bizarre. Problem identified by looking at logs that included ICMP redirects.

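A small checker that tells the cases raised in this thread apart (IKE never reaching QM_IDLE, traffic not routed into the tunnel, or ESP leaving but replies never returning, as happened here with the wrong default route on the far side) by parsing the output of the two show commands Brian V lists. This is an added example, not code from the thread; the two output samples and all addresses in it are constructed (RFC 5737 documentation ranges).

```python
import re

# Constructed sample output of "show crypto isakmp sa" and "show crypto ipsec sa"
# (trimmed to the lines this check needs). Addresses are documentation ranges.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
198.51.100.1    192.0.2.1       QM_IDLE           1001 ACTIVE
"""

IPSEC_SA = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 192.0.2.1
   current_peer 198.51.100.1 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

def isakmp_states(text):
    """Map each endpoint address (dst and src column) to its IKE state."""
    states = {}
    for line in text.splitlines():
        m = re.match(r"\s*" + IPV4 + r"\s+" + IPV4 + r"\s+(\S+)", line)
        if m:
            states[m.group(1)] = states[m.group(2)] = m.group(3)
    return states

def ipsec_counters(text):
    """Map peer address -> (encaps, decaps) packet counters for its IPsec SA."""
    counters, peer = {}, None
    for line in text.splitlines():
        m = re.search(r"current_peer " + IPV4, line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, [0, 0])
        m = re.search(r"#pkts (encaps|decaps): (\d+)", line)
        if m and peer:
            counters[peer][0 if m.group(1) == "encaps" else 1] = int(m.group(2))
    return {p: tuple(c) for p, c in counters.items()}

def diagnose(peer, states, counters):
    """Classify the 'tunnel up but no traffic' symptom from one snapshot.
    In practice take two snapshots a few seconds apart so that stale counts
    from an earlier SA are not mistaken for live traffic."""
    if states.get(peer) != "QM_IDLE":
        return "ike-down"        # phase 1 incomplete: check pre-shared key / policy
    enc, dec = counters.get(peer, (0, 0))
    if enc == 0 and dec == 0:
        return "not-routed"      # nothing enters the tunnel: check static routes
    if dec == 0:
        return "one-way"         # our ESP leaves, replies never arrive: far-side routing, or ESP (IP proto 50) filtered
    return "healthy" if enc else "one-way-inbound"
```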
