[c-nsp] IPSec between Cisco and D-Link

Dmitriy Sirant lex at init.net.ua
Wed Mar 14 08:50:24 EST 2007


Hello,

We have a main office where somebody installed a D-Link DFL-1600 as the main VPN 
concentrator. I am trying to connect my Cisco 2620 to it.

As far as I can see, I have working IKE keys between the D-Link and the Cisco, but I have 
a problem when I try to ping the other side. I found something interesting in the debug output:

1w1d: IP: s=192.168.132.1 (local), d=10.223.132.254 (FastEthernet1/0), 
len 100, output crypto map check failed.

But I can't find on Google what the problem is.

Also, I think "#send errors 90" says something about that problem.

Here is some info about the IOS and config:

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-IK9O3S3-M), Version 12.3(20), RELEASE 
SOFTWARE (fc2)

cisco-skoda uptime is 1 week, 1 day, 5 hours, 58 minutes
System returned to ROM by power-on
System restarted at 09:37:53 UKR Tue Mar 6 2007
System image file is "flash:c2600-ik9o3s3-mz.123-20.bin"


sh runn (some parts skipped):
!
ip subnet-zero
ip tcp selective-ack
ip cef
!
crypto isakmp policy 10
  encr aes
  authentication pre-share
  group 2
  lifetime 3600
crypto isakmp key some_key address 212.xx.xx.xx
crypto isakmp keepalive 30 5
!
crypto ipsec transform-set PRN0006 esp-aes esp-sha-hmac
!
crypto map MOJA_MAPA local-address FastEthernet1/0
crypto map MOJA_MAPA 10 ipsec-isakmp
  description Tunnel toPRN0006
  set peer 212.xx.xx.xx
  set transform-set PRN0006
  set pfs group2
  match address KRYPTO_LIST
!
interface FastEthernet0/0
  description Link to LAN
  ip address 192.168.132.1 255.255.255.0
  speed 100
  full-duplex
  fair-queue
!
interface FastEthernet1/0
  description Link to ISP
  ip address 193.xx.xx.xx 255.255.255.224
  speed auto
  half-duplex
  fair-queue
  crypto map MOJA_MAPA
!
ip route 0.0.0.0 0.0.0.0 193.xx.xx.xx
ip route 10.0.0.0 255.0.0.0 FastEthernet1/0
!
ip access-list extended KRYPTO_LIST
  permit ip 192.168.132.0 0.0.0.255 10.0.0.0 0.255.255.255
!


Some info:
cisco#sh crypto ipsec sa

interface: FastEthernet1/0
     Crypto map tag: MOJA_MAPA, local addr. 193.xx.xx.xx

    protected vrf:
    local  ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
    current_peer: 212.xx.xx.xx:500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 90, #recv errors 0

      local crypto endpt.: 193.xx.xx.xx, remote crypto endpt.: 212.xx.xx.xx
      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
      current outbound spi: 0

      inbound esp sas:

      inbound ah sas:

      inbound pcp sas:

      outbound esp sas:

      outbound ah sas:

      outbound pcp sas:

cisco#ping 10.223.132.254 source 192.168.132.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.223.132.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.132.1
.....
Success rate is 0 percent (0/5)


cisco#sh crypto isakmp sa
dst             src             state          conn-id slot
212.xx.xx.xx   193.xx.xx.xx QM_IDLE              1    0


Please help with that problem.
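
Added example, not part of the original post: a small Python check that reads the two show outputs quoted above and reports the state they display, an ISAKMP SA in QM_IDLE while the IPsec SA entry has outbound SPI 0, zero encapsulated packets and a non-zero send-error count. The sample text is constructed from the post's output, and the function names are hypothetical.

```python
import re

# Constructed samples, condensed from the output quoted in the post.
SAMPLE_IPSEC = """\
interface: FastEthernet1/0
    Crypto map tag: MOJA_MAPA, local addr. 193.xx.xx.xx
   local  ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #send errors 90, #recv errors 0
     current outbound spi: 0
"""
SAMPLE_ISAKMP = """\
dst             src             state          conn-id slot
212.xx.xx.xx   193.xx.xx.xx QM_IDLE              1    0
"""

def parse_ipsec_sa(text):
    """Return one dict per local/remote ident pair with its counters and SPI."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.search(r"local\s+ident .*?:\s*\((\S+?)\)", line)
        if m:  # a new ident pair starts a new entry
            cur = {"local": m.group(1), "remote": None, "counters": {}, "spi": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"remote\s+ident .*?:\s*\((\S+?)\)", line)
        if m:
            cur["remote"] = m.group(1)
        for name, val in re.findall(r"#([a-z. ]+?):? (\d+)", line):
            cur["counters"][name.strip()] = int(val)  # "#name: N" or "#name N"
        m = re.search(r"current outbound spi:\s*(\S+)", line)
        if m:
            cur["spi"] = int(m.group(1), 16)  # IOS prints the SPI in hex
    return entries

def phase1_peers(isakmp_text):
    """Peers (dst column) whose ISAKMP SA state is QM_IDLE."""
    rows = (l.split() for l in isakmp_text.splitlines())
    return [r[0] for r in rows if len(r) >= 3 and r[2] == "QM_IDLE"]

def no_phase2(entry):
    """True for the state in the post: SPI 0, nothing encapsulated, send errors > 0."""
    c = entry["counters"]
    return entry["spi"] == 0 and c.get("pkts encaps", 0) == 0 and c.get("send errors", 0) > 0
```

Feeding it the full `sh crypto ipsec sa` and `sh crypto isakmp sa` text works the same way; each local/remote ident pair becomes one entry.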