[c-nsp] crypto map working on outbound interface, need it to work on bound interface

Christopher J. Wargaski wargo1 at gmail.com
Tue Dec 13 23:08:08 EST 2011


   When I played VPN day in and out, and couldn't make a tunnel come up I
found that it was typically due to one of four reasons:

1) Mismatch in ACLs on the two peers
2) A route was not correct
3) Crypto map bound to the wrong interface
4) NAT goof up

   If you have checked those 4 items, I also suggest debugs. Start with
isakmp only because you aren't even passing phase 1.


Date: Tue, 13 Dec 2011 15:41:42 -0500
> From: "Joseph Mays" <mays at win.net>
> To: <cisco-nsp at puck.nether.net>
> Subject: [c-nsp] crypto map working on outbound interface,      need it to
>        work on inbound interface
> Message-ID: <C518D87304014BFB92E3D598C9668AF8 at win2snvu0x4eg9>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>        reply-type=original
> Have a crypto map that was working to build a tunnel between
> and Peers for the vpn tunnel were and
> Due to some network changes, which was the
> egress interface toward the remote end, is now an ingress interface. Still,
> I don't see why this should matter. The access list is the same, it's just
> traffic coming in through the interface rather than out of it.
> Crypto Map "WinnetToSyniverse" 20 ipsec-isakmp
>        Description: PHL-3845-SS7-VPN router
>        Peer =
>        Extended IP access list PHL-3845-SS7-VPN
>            access-list PHL-3845-SS7-VPN permit ip host host
>        Current peer:
>        Security association lifetime: 4608000 kilobytes/3600 seconds
>        PFS (Y/N): N
>        Transform sets={
>                TSI2,
>        }
>        Interfaces using crypto map WinnetToSyniverse:
>               FastEthernet1/1
> The packets for the access list should match regardless of direction, but
> it
> acts like it's not matching packets to the access list and not even trying
> to start the vpn.
> Router#show crypto isakmp sa
> dst             src             state          conn-id slot status
> Nothing there.
> I can ping from the router even when I set the source
> address
> to the address of the ingress interface,, and can ping the host
> we are trying to talk to across the vpn,, from
> I moved the crypto map command to the outside interface and it started
> matching packets tried to bring the vpn tunnel up, but that failed, I'm
> guessing because the source address changed to the address of the egress
> interface, which would not be the address configured in the remote side. So
> I want to use the ingress interface and its address so we don't have to go
> through a complex process to get the other side to reconfigure.

More information about the cisco-nsp mailing list