Hi all, I configured a tunnel between a PIX and a router. The traffic goes to the PIX but does not return. I see only encaps on the router and decaps on the PIX. Is anything missing?
Thanks.

Router output and config:

TEHTCVPNRT01#sh cry ip sa

interface: GigabitEthernet0/1
    Crypto map tag: ra-L2L-vpn, local addr 180.200.200.141

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   current_peer 200.150.180.62 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 180.200.200.141, remote crypto endpt.: 200.150.180.62
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xEA23924(245512484)

     inbound esp sas:
      spi: 0x2E3660C5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429641/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEA23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429640/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 L2L address 200.150.180.62 no-xauth
crypto isakmp aggressive-mode disable

crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac

crypto map ra-L2L-vpn 2 ipsec-isakmp
 set peer 200.150.180.62
 set transform-set aessha-pixrtr
 match address 120
 reverse-route

interface GigabitEthernet0/1
 ip address 180.200.200.141 255.255.255.192
 crypto map ra-L2L-vpn

access-list 120 permit ip 10.180.0.0 0.0.255.255 10.139.1.0 0.0.0.255

++++++++++++++++++++++++++++++++++

PIX output and config:

   local ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   current_peer: 180.200.200.141:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.150.180.62 , remote crypto endpt.: 180.200.200.141
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 2e3660c5

     inbound esp sas:
      spi: 0xea23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4607999/3478)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2e3660c5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4608000/3478)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

ip address outside 200.150.180.62 255.255.255.224
ip address inside 10.139.1.111 255.255.255.0
access-list L2L permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
access-list L2Lnonat permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
nat (inside) 0 access-list L2Lnonat
route outside 10.180.0.0 255.255.0.0 180.200.200.141 1
sysopt connection permit-ipsec
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map L2L 1 ipsec-isakmp
crypto map L2L 1 match address L2L
crypto map L2L 1 set peer 180.200.200.141
crypto map L2L 1 set transform-set aessha-pixrtr
crypto map L2L interface outside
isakmp enable outside
isakmp key L2L address 180.200.200.141 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
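The check a practitioner does by eye on the two "show crypto ipsec sa" outputs above can be scripted. The following is an added example written for this editorial note; it is not from the poster and not a Cisco tool. It parses one SA block from each peer and cross-checks three things that must line up on a healthy tunnel: the proxy identities must mirror each other, the SPIs must cross-match (one side's outbound SPI is the other side's inbound SPI), and the encaps counter on one peer should track the decaps counter on the other. The sample texts are trimmed copies of the post's own output; the regexes are assumptions written against the IOS and PIX formats as shown there, and the hint text in each finding is general IPsec troubleshooting guidance, not a diagnosis of this particular network.

```python
import re
from dataclasses import dataclass

# Trimmed copies of the two "show crypto ipsec sa" outputs from the post above.
ROUTER_SA = """\
   local ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   current_peer 200.150.180.62 port 500
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 4, #recv errors 0
     current outbound spi: 0xEA23924(245512484)
     inbound esp sas:
      spi: 0x2E3660C5(775315653)
     outbound esp sas:
      spi: 0xEA23924(245512484)
"""

PIX_SA = """\
   local ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   current_peer: 180.200.200.141:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #send errors 0, #recv errors 0
     current outbound spi: 2e3660c5
     inbound esp sas:
      spi: 0xea23924(245512484)
     outbound esp sas:
      spi: 0x2e3660c5(775315653)
"""


@dataclass
class PeerSA:
    name: str
    local_ident: str     # this peer's proxy (traffic selector) for its own side
    remote_ident: str    # the proxy it expects the other side to present
    encaps: int          # packets this peer encrypted and sent into the tunnel
    decaps: int          # packets this peer received and decrypted
    inbound_spi: int     # SPI this peer expects on ESP it receives
    outbound_spi: int    # SPI this peer stamps on ESP it sends


def _grab(pattern: str, text: str) -> str:
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"field not found: {pattern!r}")
    return m.group(1)


def parse_sa(name: str, text: str) -> PeerSA:
    """Pull the fields needed for a symmetry check out of one peer's output.
    Accepts both the IOS "0xEA23924(...)" and the PIX "2e3660c5" SPI spellings
    (regexes are assumptions based on the formats shown in the post)."""
    hex_spi = r"(?:0x)?([0-9A-Fa-f]+)"
    return PeerSA(
        name=name,
        local_ident=_grab(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)", text),
        remote_ident=_grab(r"remote\s+ident \(addr/mask/prot/port\): \(([^)]+)\)", text),
        encaps=int(_grab(r"#pkts encaps:\s*(\d+)", text)),
        decaps=int(_grab(r"#pkts decaps:\s*(\d+)", text)),
        inbound_spi=int(_grab(r"inbound esp sas:\s*spi:\s*" + hex_spi, text), 16),
        outbound_spi=int(_grab(r"current outbound spi:\s*" + hex_spi, text), 16),
    )


def compare(a: PeerSA, b: PeerSA) -> list[str]:
    """Cross-check both ends of one tunnel; an empty list means they are consistent."""
    findings = []
    if a.local_ident != b.remote_ident or a.remote_ident != b.local_ident:
        findings.append(f"proxy identities do not mirror: {a.name} {a.local_ident}->{a.remote_ident}, "
                        f"{b.name} {b.local_ident}->{b.remote_ident}")
    if a.outbound_spi != b.inbound_spi or a.inbound_spi != b.outbound_spi:
        findings.append(f"SPIs do not cross-match: {a.name} out {a.outbound_spi:#x}/in {a.inbound_spi:#x}, "
                        f"{b.name} out {b.outbound_spi:#x}/in {b.inbound_spi:#x}")
    for src, dst in ((a, b), (b, a)):
        if src.encaps and not dst.decaps:
            findings.append(f"{src.name} encrypted {src.encaps} pkts but {dst.name} decrypted none: "
                            f"ESP is lost in transit or dropped on arrival at {dst.name}")
        if dst.decaps and not dst.encaps:
            findings.append(f"{dst.name} decrypted {dst.decaps} pkts from {src.name} but encrypted nothing back: "
                            f"both SAs are up, so look after decryption on {dst.name} (do the inside hosts answer, "
                            f"and do the replies reach the crypto map un-NATed and matching its ACL?)")
    return findings


if __name__ == "__main__":
    for line in compare(parse_sa("router", ROUTER_SA), parse_sa("pix", PIX_SA)):
        print(line)
```

Paste each peer's full output into the two strings (or read them from files) and run the module; the identity and SPI checks pass silently when the negotiation is sound, so the only output is the directional asymmetry, which tells you which end of the tunnel to keep debugging and whether the problem is before or after decryption on that end.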