Router VPN VTI configuration: adding a third site/router

Hello

I currently have two Cisco routers, each with a connection to a primary WAN interface and a connection to an Internet interface. I have a VPN configured using a VTI interface as a secondary path in case the primary WAN circuit fails. I'm also using OSPF as the dynamic routing protocol. Failover works and routes are exchanged. My question is: if I want to add a third router to this configuration, do I just add another tunnel interface with the proper public source and destination IPs and new IP addresses for a new tunnel network?
The current VTI configuration is below:

Any guidance would be appreciated.

Thank you

Andy

Router1_Configuration_VTI

crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 ip address 10.0.1.1 255.255.255.0
 ip ospf mtu-ignore
 load-interval 30
 ! public Internet source
 tunnel source 1.1.1.1
 ! public Internet destination
 tunnel destination 2.2.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1

!

Router2_Configuration_VTI

crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 ip address 10.0.1.2 255.255.255.0
 ip ospf mtu-ignore
 load-interval 30
 ! public Internet source
 tunnel source 2.2.2.1
 ! public Internet destination
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1

Since this config is using the ISAKMP key with address 0.0.0.0 0.0.0.0, a new crypto isakmp key with the new site's address is not required. Simply configure the VTI on the new router and on one or both of the existing routers.

One of the aspects of this that the original poster should consider is how they want data to flow when the third router is implemented. With two routers you have just a simple point-to-point connection. When you introduce the third router, do you want one of the routers to act as a hub? In that case the hub router has a tunnel to each remote spoke, and each remote spoke has a tunnel to the hub. Spoke-to-spoke communication is possible, but it will have to go to the hub and then out to the other remote. The other option is a mesh configuration where each router has a VTI tunnel to each other router.

HTH

Rick
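The hub-and-spoke option from the reply above, worked through as an added example (this is not configuration from the thread): Router1 keeps its existing VTI to Router2 and gets a second VTI to a new Router3. Router3's public address 3.3.3.1, the tunnel subnet 10.0.2.0/24, the per-peer key names, the OSPF process/area and the `ip ospf cost` values are all assumptions made for this example. Per-peer `crypto isakmp key ... address <peer>` lines replace the 0.0.0.0 0.0.0.0 wildcard key from the thread, so Router2 would need its own key line updated to match.

```ios
! Added example, not from the original thread. Constructed values: Router3
! public IP 3.3.3.1, tunnel subnet 10.0.2.0/24, key strings, OSPF process 1,
! area 0 and cost 1000 (so the primary WAN path stays preferred).
!
! ---------- Router1 (hub, public 1.1.1.1) ----------
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
! One key per peer instead of the wildcard: a peer presenting the wrong key
! for its source address never completes phase 1.
crypto isakmp key Key-R1-R2-example address 2.2.2.1
crypto isakmp key Key-R1-R3-example address 3.3.3.1
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 description VTI to Router2
 ip address 10.0.1.1 255.255.255.0
 ip ospf mtu-ignore
 ip ospf cost 1000
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
!
interface Tunnel1
 description VTI to Router3 (new third site)
 ip address 10.0.2.1 255.255.255.0
 ip ospf mtu-ignore
 ip ospf cost 1000
 tunnel source 1.1.1.1
 tunnel destination 3.3.3.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
!
router ospf 1
 network 10.0.1.0 0.0.0.255 area 0
 network 10.0.2.0 0.0.0.255 area 0
!
! ---------- Router3 (new spoke, public 3.3.3.1) ----------
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key Key-R1-R3-example address 1.1.1.1
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 description VTI to Router1 (hub)
 ip address 10.0.2.2 255.255.255.0
 ip ospf mtu-ignore
 ip ospf cost 1000
 tunnel source 3.3.3.1
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
!
router ospf 1
 network 10.0.2.0 0.0.0.255 area 0
```

With this layout Router3 learns Router2's LAN routes from the hub over OSPF, and Router2-to-Router3 traffic transits Router1, exactly the spoke-to-spoke path the reply describes; a full mesh would add a Tunnel1 on Router2 and Router3 pointing at each other with a third tunnel subnet. `show crypto session`, `show ip ospf neighbor` and `show crypto ipsec sa` on the hub should show two sessions, two neighbors and encaps/decaps counters rising on both tunnels. The 3DES/SHA-1/group 2 settings are kept only so the new tunnel interoperates with the thread's existing routers; when all three sites can be changed together, AES-256, SHA-256 and group 14 or higher are the settings to choose.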

Tags: Cisco Security

Similar Questions

  • Configuration of the router to allow VPN traffic through

    I would like to ask for assistance with a specific configuration to allow VPN traffic through a Cisco 1721 router.

    The network configuration is the following:

    Internet - Cisco 1721 - Cisco PIX 506E - LAN

    Remote clients connect from the Internet using the Cisco VPN client. The 1721 should just pass the packets through to the PIX, which is 192.168.0.2. The inside interface of the router is 192.168.0.1.

    The PIX was originally configured with a public IP address and was tested to work well, authenticating VPN connections and passing traffic to the local network. Then the external IP address was changed to 192.168.0.2, with the router in front of it.

    The 1721 is configured with an ADSL connection, with automatic failover to an asynchronous connection. This configuration does not work well, and users on the local network have normal Internet access. I added access lists for UDP, ESP and AHP traffic.

    Cisco VPN clients receive an error indicating that the remote peer is not responding.

    I have attached the router configuration for reference, and any help would be greatly appreciated.

    Manual.

    Brian

    For VPN clients to reach the PIX and complete their VPN, the PIX needs an address that is accessible from the outside where the clients are. When the PIX had a public address it was obviously easy for clients to reach the PIX. When you give the PIX a private address, then there must be a translation. And this becomes a problem if the translation is dynamic.

    You have provided a static translation, which is what is needed. But you have restricted it to TCP 3389. I don't know why you restricted it in this way. What is supposed to happen for ISAKMP, ESP and AHP traffic? How is it to be translated?

    If there is no static translation for ISAKMP, ESP and AHP traffic, then clients don't know how to reach the server. Which brings me to the question: what address is configured in the client for the server?

    HTH

    Rick

  • Can SSL VPN be configured on the Cisco 881/K9 router?

    I'm confused as to whether SSL VPN can be configured on the Cisco 881/K9 router.

    Please someone advise me.

    If yes, for only 5 users, do I need to buy a license, or is a license supplied with the router?

    Thank you.

    Yes, and you need a license:

    FL-WEBVPN-10-K9

    SSL VPN feature license for up to 10 users (incremental), for 12.4T-based IOS versions only

    FL-SSLVPN10-K9

    SSL VPN feature license for up to 10 users (incremental), for 15.x-based IOS versions only

  • Router ignores the policies configured for VPN

    These are the policies that are configured for phase 1:

    crypto isakmp policy 1
     encryption 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    !
    crypto isakmp policy 3
     encryption 3des
     hash md5
     authentication pre-share
     group 5
     lifetime 28800
    !
    crypto isakmp policy 5
     encryption aes
     authentication pre-share
     group 2
    !
    crypto isakmp policy 7
     encryption aes
     authentication pre-share
     group 2
     lifetime 28800
    !
    crypto isakmp policy 9
     encryption aes 256
     authentication pre-share
     group 2
     lifetime 28800

    However, this is what my debug tells me:

    Jul 16 18:23:19: ISAKMP:(0):found peer pre-shared key matching 67.216.78.20
    Jul 16 18:23:19: ISAKMP:(0): local preshared key found
    Jul 16 18:23:19: ISAKMP : Scanning profiles for xauth ...
    Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    Jul 16 18:23:19: ISAKMP:      encryption DES-CBC
    Jul 16 18:23:19: ISAKMP:      hash MD5
    Jul 16 18:23:19: ISAKMP:      default group 2
    Jul 16 18:23:19: ISAKMP:      auth pre-share
    Jul 16 18:23:19: ISAKMP:      life type in seconds
    Jul 16 18:23:19: ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
    Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
    Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
    Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
    Jul 16 18:23:19: ISAKMP:      encryption DES-CBC
    Jul 16 18:23:19: ISAKMP:      hash MD5
    Jul 16 18:23:19: ISAKMP:      default group 2
    Jul 16 18:23:19: ISAKMP:      auth pre-share
    Jul 16 18:23:19: ISAKMP:      life type in seconds
    Jul 16 18:23:19: ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
    Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
    Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
    Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
    Jul 16 18:23:19: ISAKMP:      encryption DES-CBC
    Jul 16 18:23:19: ISAKMP:      hash MD5
    Jul 16 18:23:19: ISAKMP:      default group 2
    Jul 16 18:23:19: ISAKMP:      auth pre-share
    Jul 16 18:23:19: ISAKMP:      life type in seconds
    Jul 16 18:23:19: ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
    Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
    Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
    Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 7 policy
    Jul 16 18:23:19: ISAKMP:      encryption DES-CBC
    Jul 16 18:23:19: ISAKMP:      hash MD5
    Jul 16 18:23:19: ISAKMP:      default group 2
    Jul 16 18:23:19: ISAKMP:      auth pre-share
    Jul 16 18:23:19: ISAKMP:      life type in seconds
    Jul 16 18:23:19: ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
    Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
    Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
    Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 9 policy
    Jul 16 18:23:19: ISAKMP:      encryption DES-CBC
    Jul 16 18:23:19: ISAKMP:      hash MD5
    Jul 16 18:23:19: ISAKMP:      default group 2
    Jul 16 18:23:19: ISAKMP:      auth pre-share
    Jul 16 18:23:19: ISAKMP:      life type in seconds
    Jul 16 18:23:19: ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
    Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
    Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
    Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
    Jul 16 18:23:19: ISAKMP:      encryption DES-CBC
    Jul 16 18:23:19: ISAKMP:      hash MD5
    Jul 16 18:23:19: ISAKMP:      default group 2
    Jul 16 18:23:19: ISAKMP:      auth pre-share
    Jul 16 18:23:19: ISAKMP:      life type in seconds
    Jul 16 18:23:19: ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
    Jul 16 18:23:19: ISAKMP:(0):Hash algorithm offered does not match policy!
    Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
    Jul 16 18:23:19: ISAKMP:(0):no offers accepted!
    Jul 16 18:23:19: ISAKMP:(0): phase 1 SA policy not acceptable! (local 65.118.143.194 remote 67.216.78.20)

    The router is completely ignoring all the configured policies and trying nothing other than the default. Is this a bug?

    Hi Jason,

    What you see is the ISAKMP policy that the peer offers, and it is compared to the ISAKMP policies that you have configured on your router.

    You can add another ISAKMP policy matching this proposal to see if phase 1 completes:

    crypto isakmp policy 2
     encryption des
     authentication pre-share
     hash md5
     group 2
     lifetime 7200

    What is the peer device?

    Kind regards

    Loren

  • Try to connect to the router but I get the error: "the network password must be 40 bits or 104 bits according to your network configuration."

    Hi, I've got three computers in the home; two of them connect to my TALKTALK router no problem, but the third connected once and now gives me the error "the network password must be 40 bits or 104 bits according to your network configuration. This can be entered as 5 or 13 ASCII characters or 26 hexadecimal characters." Please help.

    For the other computers my password works, but when I try the same password on this one it gives me the message above.

    Thank you all

    original title: 40-bit or 104-bit error

    Maybe you need this patch: http://www.microsoft.com/download/en/details.aspx?id=1974

    What version of Windows is this computer using, and what type of encryption is the router using?

  • Connect to the router VPN using PPTP (Ubuntu)

    Hello

    As I mentioned in another post, I'm trying to get the VPN working for my Ubuntu workstation. I'm not a VPN expert, so I need help.

    So far, people seem to agree that PPTP is easier to configure than IPSec (on the Linux platform). I selected the PPTP protocol and added a user account on the Linksys router.

    Now, the Linux part.

    I have pptp-linux installed (it seems to be the best PPTP client for Linux). I tried to set it up, but I missed something related to encoding or something.

    I try to follow this documentation: https://help.ubuntu.com/community/VPNClient#PPTP

    When I run this command: pon myvpn nodetach

    I get the following error:

    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/2
    MPPE required, but MS-CHAP[v2] auth not performed.
    Connection terminated.

    Here is the log of the router:

    15 Oct 21:51:02 2008 Client Remote System Log [] disconnect PPTP server.

    Kind regards

    Hello

    Thanks for your help and this useful link.

    I have changed my configuration file and I managed to set up the PPTP connection.

    Here is the configuration file that I use (for people with the same problem):

    remotename entmd-vpn
    linkname entmd-vpn
    ipparam entmd-vpn
    pty "pptp exemple.dyndns.org --nolaunchpppd"
    name budderball
    usepeerdns
    require-mppe
    refuse-eap
    noauth
    file /etc/ppp/options.pptp

    Also, I changed the contents of /etc/ppp/chap-secrets:

    budderball entmd-vpn <password> *

    With this configuration, I can launch the tunnel and communicate with the gateway and LAN.

    Here is the command line I use to establish the connection and then create a route so that any request for 192.168.1.0/24 uses the ppp0 interface:

    sudo pon entmd-vpn debug dump logfd 2 nodetach

    sudo route add -net 192.168.1.0 netmask 255.255.255.0 dev ppp0

    Finally, by reading the documentation, I found a plugin for Network Manager. It works like a charm.

    For Ubuntu: sudo apt-get install network-manager-pptp

    After installation, you must restart to 'activate' the plugin (this is a bug).

    You can use Network Manager to configure your PPTP connection. I intend to post a wiki entry on the Ubuntu Wiki page.

  • Routing problem between the VPN Client and the router's Ethernet device

    Hello

    I have a Cisco 1721 in a test environment.

    A net 172.16.0.0/19 simulates the Internet, and a net 192.168.1.0/24 simulates the net the VPN tunnel must reach (intranet).

    The net 172.16.0.0 hangs off the router's FastEthernet 0; the intranet (VPN) hangs off Ethernet 0.

    The configuration was inspired by the sample configuration "Configuring the Cisco VPN Client 3.x for Windows to IOS using Local Extended Authentication" and by the output of ConfigMaker.

    Authentication and logon work. The client receives an IP address from the pool. But there's a routing problem on the router side. Ping from the client side does not work (the VPN client statistics count encrypted packets, but not decrypted ones). Pinging from the router works too, but then the client's VPN statistics count both encrypted and decrypted packets progressively (the client has a correct route and returns ICMP packets to the router).

    The question now is:

    How do I route packets between the tunnel and an Ethernet device (Ethernet 0)?

    The router config is attached - hope that's not too...

    Thanks & cordially

    Thomas Schmidt

    -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.- snipp .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname *moderator edit*
    !
    enable secret 5 *moderator edit*
    !
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    !
    ! only for the test...
    !
    username cisco password 0 *moderator edit*
    !
    ip subnet-zero
    !
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 3
     encryption 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group 3000client
     key cisco123
     pool ippool
    !
    ! We do not want split tunneling
    ! acl 108
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    interface Ethernet0
     no shutdown
     description connected to VPN
     ip address 192.168.1.1 255.255.255.0
     full-duplex
     ip access-group 101 in
     ip access-group 101 out
     keepalive 10
     no cdp enable
    !
    interface Ethernet1
     no shutdown
     ip address 192.168.3.1 255.255.255.0
     ip access-group 101 in
     ip access-group 101 out
     full-duplex
     keepalive 10
     no cdp enable
    !
    interface FastEthernet0
     no shutdown
     description connected to the Internet
     ip address 172.16.12.20 255.255.224.0
     speed auto
     keepalive 10
     no cdp enable
    !
    ! This access group is also only for test cases!
    !
    no access-list 101
    access-list 101 permit ip any any
    !
    ip local pool ippool 192.168.10.1 192.168.10.10
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.16.12.20
    ip pim bidir-enable
    !
    line con 0
     exec-timeout 0 0
     password 7 *moderator edit*
    line aux 0
    line vty 0 4
    !
    end

    ^-^-^-^-^-^-^-^-^-^-^-^-^- snapp ^-^-^-^-^-^-^-^-^-^-^-^-^-^-

    Thomas,

    There may be something I'm not seeing here, but you do not have the crypto map applied to any of the interfaces; perhaps it was not copied. Going by your description it should be applied to fa0, the interface you connect to. How are you pinging? From the router or from a device located on E0? If you ping from the router, you will need to do an extended ping sourced from E0 to the IP address the client has been assigned. If you just ping from the router without the extended options, you will get the encrypts and decrypts that you describe on the client. Have you tried to ping from the client to interface E0? Is your default route on the router pointing to fa0? Do you have a next hop to go to? Do you have several NICs on the client PC? Turn off your other network cards to check that you don't have a routing problem on the client if you have more than one.

    Kurtis Durrett

  • VPN site to Site using the router and ASA

    Hello

    I have a Cisco 1812 router that is configured for remote access VPN using IPSec (Cisco VPN Client). My question is whether I can configure a Cisco ASA 5505 to connect to the router as a site-to-site VPN.

    Thank you

    Karl

    Dear Karl,

    You are right; in this case you can create a site-to-site VPN tunnel between the devices, or you can configure your ASA as a hardware VPN client, that is to say, Easy VPN.

    For the same, you can consult the document below.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

    Kind regards

    Shijo.

  • Need the RV016 VPN to connect when the router is turned on?

    After restarting my RV016 (e.g. after a power failure) the gateway-to-gateway VPNs do not connect. I have to go to the VPN router summary page and click Connect to get them started. Is there a way to make this happen automatically?

    In the advanced configuration of the tunnel section, if the DPD and Keep Alive options are checked, the RV016 will try to reconnect automatically.

  • Routes remain in the routing table after disconnecting from the VPN client

    I am facing this problem for my clients and the easy vpn server.

    My Cisco 3825 has an Easy VPN server configuration with an IP pool. When one of the clients disconnects, the ISAKMP and IPsec SAs are deleted by the router itself, but the route pointing to the IP address from the IP pool is still in the routing table. Then another VPN client connects and gets the same IP address from the pool, but this new VPN client is connected on a different interface of the router. Thus an extreme problem happens: a route with two next hops is created! So bad!

    Can someone help me? How can I delete the wrong route?

    Thank you!

    Jason Lam

    It can be useful to upgrade, because there were several IPP issues in earlier versions of the code with routes not being removed when the SA goes down, etc.

  • Bypass the router upstream company ACL with IPSEC VPN

    Hello

    My headquarters has a corporate routing infrastructure. I want to configure an IPSEC site-to-site VPN as a solution for AnyConnect webvpn for my users across the company. If the security guys create an ACL on the router upstream from my Cisco ASA 5585 to allow IPSEC between the /28s (the stretch between my ASA's external interface and the port-channel trunk on the upstream router), then I can send ip any between my inside-interface subnet and the inside-interface subnet on the remote ASA (still on the corporate infrastructure, assuming correct routing). In short, if a packet is encrypted in an IPSEC packet and IPSEC is not filtered, you can send any traffic, even if it is restricted by an ACL on an upstream router, correct?

    Thank you!

    Matt

    CCNP

    You are right, the router cannot look inside the VPN packet. So anything that is transported inside the VPN bypasses the corporate security ACL.

    For VPN traffic to your ASA, you need the following protocols/ports:

    1. UDP/500, UDP/4500, IP/50 for IPsec
    2. TCP/443 and UDP/443 for AnyConnect with SSL/TLS

  • Site-to-Site VPN breaks after reset of the router

    Hi all

    I have a very difficult problem. I have a CallManager server at one site (Site A) and IP phones which connect via an IPSec site-to-site VPN tunnel to Site B. The WAN link to Site B (cable ISP with static IP) can be a tad unreliable at times. Everything worked perfectly, except when the router resets or loses connection at Site B, which breaks everything. I have option 150 (tftp) defined on the CUCM server at Site A (192.168.10.250). The tunnel does NOT come back up automatically after the router loses connection, and once this happens, nothing I do seems to restore full connectivity. I know I must be missing something, but have no idea what. NBAR protocol discovery on the external interface of the Site B router shows TFTP and Skinny packets going out, but nothing coming back in. I can't ping any internal resources at Site A from Site B. I'm doing a "show crypto isakmp sa" on each router and it shows the tunnel as being up. In order to bring the tunnel back up, I need to access the router at Site A with the SDM tool and do a 'test' of the VPN tunnel. It shows it as inactive, and when I have SDM generate traffic, using source IP 192.168.10.1 (the inside interface of the Site A router) and destination IP 192.168.11.1 (the inside interface of the Site B router), the tunnel comes back up. Yet, even once the tunnel is restored, nothing works as far as being able to ping from Site A to Site B and tftp from Site B to Site A. Any help on this is GREATLY appreciated. Any suggestions on how to configure a reliable site-to-site VPN so that if the connection is lost on one end, the tunnel comes back up and devices at Site B can access resources such as the CallManager server at Site A. Thanks in advance!

    Hello

    One way you can have the tunnel come back up automatically even if it goes down is to configure IP SLA monitoring on one of the site routers so that it sends periodic pings to the inside IP address of the router at the other site. For example, on Site A configure IP SLA monitoring with its inside interface 192.168.10.1 as the source, regularly pinging the inside interface of Site B, 192.168.11.1. For the configuration guide, please see the page below:

    http://www.Cisco.com/en/us/docs/iOS/12_4/ip_sla/configuration/guide/hsicmp.html#wp1027188

    About the traffic not getting through, can you please paste the output of 'show crypto isakmp sa', 'show crypto ipsec sa' and the configuration of the two routers if possible?

    Kind regards

    Assia
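    The IP SLA probe described in the reply above, written out as an added example (not configuration from the thread). The two inside addresses are the ones quoted in the thread; the SLA and track numbers, the 30-second frequency and the crypto ACL number are assumptions made for this example. On 12.4 mainline the commands are spelled `ip sla monitor` / `ip sla monitor schedule` instead of `ip sla` / `ip sla schedule`, and `track 1 rtr 1 reachability` on older releases.

    ```ios
    ! Added example, not from the original thread. Site A router: keep
    ! "interesting traffic" flowing so the crypto map renegotiates the SAs
    ! after Site B resets, instead of waiting for a user packet.
    ! Constructed values: SLA 1, track 1, frequency 30, access-list 110.
    ip sla 1
     icmp-echo 192.168.11.1 source-ip 192.168.10.1
     frequency 30
    ip sla schedule 1 life forever start-time now
    !
    ! Optional: a tracked object logs a state change when the far inside
    ! interface stops answering, which is the moment to check the SAs.
    track 1 ip sla 1 reachability
    !
    ! The probe only helps if the crypto ACL already matches it, e.g.
    access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
    ```

    `show ip sla statistics 1` shows whether the probes are succeeding, and `show crypto ipsec sa` on Site A should show the encaps counter rising by one every 30 seconds once the tunnel is up. Because the ping is sourced from the inside interface, it is a plain packet from the 192.168.10.0/24 side and therefore matches the same crypto ACL as the phones' traffic; a probe sourced from the outside interface would not trigger the tunnel.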

  • How to set up a VPN between 2811 routers through ASA5505s

    Hello everyone

    I apologize for the possible triviality of my question. Our company's current configuration has, at the edge, two ASA5505s, below which are installed two 2811 routers configured with CCME Express. Between the two ASA5505s a VPN connection is configured for the transmission of data traffic in our network. Given the availability of several public addresses at our two sites, I was wondering whether it is possible (and if so, how) to set up a VPN between the two 2811 routers, separate from the existing data-traffic one and dedicated exclusively to voice traffic. Can you point me to a document that teaches me how to solve my problem?

    Thank you very much

    Damiano,

    If you want a separate IPsec VPN for voice traffic only, terminating on the routers, there are several possibilities, especially if you have spare IP addresses:

    IPsec VPN endpoints on the routers.

    GRE over IPsec terminating on the routers (gives you flexibility over what can be routed and where, in particular identifying voice traffic).

    GRE termination on the routers and offloading IPsec to the ASAs (benefit of the foregoing + ASAs doing the encryption).

    There is no problem terminating the tunnels through the ASA; the only caveat is that even in the case of static NAT you should probably use NAT-Traversal.

    Marcin

  • client ipSec VPN and NAT on the router Cisco = FAIL

    I have a Cisco 3825 router that I have set up for the Cisco IPsec VPN client. The same router does NAT.

    IPsec logs in, but cannot reach the internal network unless NAT is disabled on the inside interface. But I need both at the same time.

    Suggestions?

    crypto isakmp policy 3
     encryption 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group myclient
     key password!
     dns 1.1.1.1
     domain name
     pool myVPN
     acl 111
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
     reverse-route
    !
    !
    crypto map clientmap client authentication list VPN-AAA
    crypto map clientmap isakmp authorization list VPN-AAA
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    interface Loopback0
     ip address 10.88.0.1 255.255.255.0
    !
    interface GigabitEthernet0/0
     ! outside interface
     ip address 192.168.168.5 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     media-type rj45
     crypto map clientmap
    !
    interface GigabitEthernet0/1
     ! inside interface
     ip address 10.0.1.10 255.255.255.0
     ! <== IPsec client connects, but cannot reach the internal network unless this line is removed
     ip nat inside
     ip virtual-reassembly
     ip route-cache same-interface
     duplex auto
     speed auto
     media-type rj45
    !
    ip local pool myVPN 10.88.0.2 10.88.0.10
    ip route 0.0.0.0 0.0.0.0 192.168.168.1
    ip route 10.0.0.0 255.255.0.0 10.0.1.4
    !
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    !
    access-list 1 permit 10.0.0.0 0.0.255.255
    access-list 111 permit ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
    access-list 111 permit ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255

    Hello

    I think you need to configure the default PAT ACL so that it first has 'deny' statements for the traffic that is NOT supposed to be translated between the local network and the VPN pool.

    For example, for this kind of configuration, the ACL and NAT would be:

    access-list 100 remark NAT0 VPN Client
    access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
    access-list 100 remark Default PAT for Internet traffic
    access-list 100 permit ip 10.0.1.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload


    EDIT:
    It seems you could actually have more than 10 networks behind the router.

    Then you could modify the ACL to this:

    access-list 100 remark NAT0 VPN Client
    access-list 100 deny ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
    access-list 100 remark Default PAT for Internet traffic
    access-list 100 permit ip 10.0.0.0 0.0.255.255 any

    Don't forget to mark correct answers/replies and/or rate useful answers.

    -Jouni

  • VPN Site-to-Site - cannot ping the router's internal IP address

    Hi guys,

    I configured a site-to-site VPN between two routers; everything works well except pinging the internal (LAN) IP of one router.

    Everything else works fine: pinging the hosts through the tunnel works in both directions.

    Routers that I use:

    - 1841: IOS 15.0(1)M3

    - 2811: IOS 15.0(1)M5 -> here is the problem. I can't ping the inside interface of this router.

    I checked its IPsec counters and it seems that it does not send packets through the tunnel when I ping from the LAN interface.

    #pkts program is not incrementing.

    Anyone had this problem before?

    Thank you very much.

    Best regards

    I think that happens because when the router responds to the ICMP request it uses its outside interface IP (not the IP address of the inside interface, which you are trying to ping) as the source of the packet. So the ICMP response does not go into the tunnel, because the IP address of the router's external interface is not included in the crypto ACL.

    The solution to this, if my guess is correct, is to add the router's external IP to the crypto ACL.
