Hi, I have a weird problem with a site-to-site setup consisting of a C1841 with IOS 12.4(3c) on one site (local) and a cheap Draytek Vigor 2200eplus on the other site (remote). The VPN connection is established fine, but traffic only flows from the remote to the local site. Since a traceroute from the local site to the LAN address on the remote site gets NATed and routed to the internet instead of through the VPN tunnel, I guess it has something to do with the access lists defining the IPsec traffic (maybe I'm deadly wrong there...).
I can also see some "IPSEC(epa_des_crypt): decrypted packet failed SA identity check" messages when trying to connect to something on the remote site, but a continuous ping from the remote to the local site runs fine, same with telnet. According to CCO this can result from asymmetric access lists, but I can't seem to see this.
Setup:
(local network) 192.168.0.0/16 - c1841 192.168.3.253/24 -> Internet <- vigor2200 192.168.253.251 - (remote network) 192.168.253.0/24

I'd be glad for help! tia, Dirk

This is the current config on the Cisco:
#sho conf
Using 4005 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ipsec-gw-100.xxx.yyy
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $xxxxx
enable password zzzzz
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
ip domain name yourdomain.com
ip name-server 194.109.6.66
ip ddns update method sdm_ddns1
 HTTP
  add http://xxxx....
crypto pki trustpoint TP-self-signed-155xxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-155xxxxx
 revocation-check none
 rsakeypair TP-self-signed-155xxxxx
!
!
crypto pki certificate chain TP-self-signed-155xxxxxx
 certificate self-signed 01 nvram:IOS-Self-Sig#3901.cer
username cisco privilege 15 secret 5 $xxxxxxxxx
crypto logging session
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ZXYXZZXZ address 0.0.0.0 0.0.0.0
crypto isakmp xauth timeout 15
!
crypto ipsec transform-set fvipsec esp-3des esp-md5-hmac
crypto ipsec df-bit clear
crypto ipsec nat-transparency spi-matching
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set fvipsec
 match address 122
 reverse-route
!
!
crypto map SDM_CMAP_1 local-address Dialer0
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0/0
 description lan0
 ip address 192.168.3.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 speed auto
 half-duplex
 no mop enabled
!
interface FastEthernet0/1
 description wan0
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer0
 ip ddns update hostname ipsec-gw-100.rrr.ttt
 ip ddns update sdm_ddns1
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxx_deleted
 ppp chap password 0 4 xxx_deleted
 ppp pap sent-username xxx_deleted
 crypto map SDM_CMAP_1
!
router rip
 redistribute static
 network 192.168.3.0
!
ip classless
ip default-network 192.168.3.0
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 192.168.3.5 permanent
ip route 192.168.3.0 255.255.255.0 FastEthernet0/0 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat log translations syslog
ip nat inside source list 133 interface Dialer0 overload
!
access-list 122 permit ip 192.168.253.0 0.0.0.255 192.168.0.0 0.0.255.255 log-input
access-list 122 permit ip 192.168.0.0 0.0.255.255 192.168.253.0 0.0.0.255 log-input
access-list 133 deny ip 192.168.3.0 0.0.0.255 192.168.253.0 0.0.0.255 log
access-list 133 permit ip 192.168.3.0 0.0.0.255 any
access-list 155 deny ip 192.168.253.0 0.0.0.255 any
access-list 155 deny ip 192.168.0.0 0.0.255.255 192.168.253.0 0.0.0.255 log
access-list 155 permit ip any any
dialer-list 1 protocol ip permit
snmp-server community xxxxx RO
control-plane
banner login ^C fv gw 100 ^C
banner motd ^C fv gw 100 ^C
!
line con 0
line aux 0
line vty 0 4
 password zzzz
 transport input telnet ssh
line vty 5 15
 password zzzz
 transport input telnet ssh
!
end
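The post's two suspicions (traffic being NATed instead of entering the tunnel, and asymmetric crypto access lists) can both be checked mechanically from the access lists alone. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses the numbered `ip` entries of ACLs 122 (the crypto ACL referenced by `match address 122`) and 133 (the NAT ACL referenced by `ip nat inside source list 133`), evaluates a flow the way IOS does for inside-to-outside traffic (NAT is applied before the crypto map, so a translated packet is matched against the crypto ACL with its post-NAT source), prints the mirror image the peer's crypto ACL would need, and flags entries whose source and destination ranges overlap. Assumptions: the Dialer0 public address is a constructed placeholder (203.0.113.1, since the post shows it as negotiated), only contiguous wildcard masks and plain `ip` entries are handled, and the sample flows are constructed from the addresses in the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder for the negotiated Dialer0 address (not from the post).
OUTSIDE_IP = "203.0.113.1"

# The crypto ACL (122) and NAT ACL (133) lines exactly as posted.
CONFIG_SNIPPET = """
access-list 122 permit ip 192.168.253.0 0.0.0.255 192.168.0.0 0.0.255.255 log-input
access-list 122 permit ip 192.168.0.0 0.0.255.255 192.168.253.0 0.0.0.255 log-input
access-list 133 deny ip 192.168.3.0 0.0.0.255 192.168.253.0 0.0.0.255 log
access-list 133 permit ip 192.168.3.0 0.0.0.255 any
"""


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network. Wildcard bits set to 1
    are "don't care"; only contiguous wildcards are handled (assumption)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def _take_address(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) from tokens."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(config_text, number):
    """Extract the 'ip' entries of numbered ACL `number`, in configured order.
    Trailing keywords such as log / log-input are ignored."""
    entries = []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        action, proto = tok[2], tok[3]
        if proto != "ip":
            continue  # protocol/port matching is out of scope for this example
        src, rest = _take_address(tok[4:])
        dst, _ = _take_address(rest)
        entries.append(AclEntry(action, src, dst))
    return entries


def acl_verdict(entries, src, dst):
    """First-match evaluation with the implicit deny every IOS ACL ends with."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def evaluate_flow(nat_acl, crypto_acl, src, dst, outside_ip=OUTSIDE_IP):
    """Simulate the IOS inside-to-outside order of operations: NAT runs before
    the crypto map, so a translated packet is matched against the crypto ACL
    with its post-NAT source address. A 'deny' in the NAT ACL means 'do not
    translate', which is how the VPN traffic is meant to be exempted."""
    natted = acl_verdict(nat_acl, src, dst) == "permit"
    post_nat_src = outside_ip if natted else src
    encrypted = acl_verdict(crypto_acl, post_nat_src, dst) == "permit"
    return {"natted": natted, "post_nat_src": post_nat_src, "encrypted": encrypted}


def mirror(entries):
    """The crypto ACL the peer needs: the exact mirror image (source and
    destination swapped) of every entry on this side."""
    return [AclEntry(e.action, e.dst, e.src) for e in entries]


def overlapping_entries(entries):
    """Permit entries whose source and destination ranges overlap, i.e. some
    addresses fall on both the 'local' and the 'remote' side of that entry.
    Worth knowing before comparing the two peers' ACLs for symmetry."""
    return [e for e in entries if e.action == "permit" and e.src.overlaps(e.dst)]


if __name__ == "__main__":
    acl122 = parse_acl(CONFIG_SNIPPET, 122)  # crypto ACL
    acl133 = parse_acl(CONFIG_SNIPPET, 133)  # NAT ACL
    # Constructed sample flows: local LAN host to remote LAN, a host on the
    # 192.168.1.0/24 subnet behind 192.168.3.5, and local LAN host to the internet.
    for src, dst in [("192.168.3.10", "192.168.253.10"),
                     ("192.168.1.10", "192.168.253.10"),
                     ("192.168.3.10", "198.51.100.7")]:
        print(src, "->", dst, evaluate_flow(acl133, acl122, src, dst))
    for e in mirror(acl122):
        print("peer needs:", e.action, e.src, "->", e.dst)
    for e in overlapping_entries(acl122):
        print("overlapping source/destination:", e.src, "vs", e.dst)
```

Run it as-is to see, for each constructed flow, whether the packet is translated, what source address the crypto map then sees, and whether it would be encrypted; swap in the remote device's crypto ACL (if it can be exported) to compare it against `mirror(acl122)`.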