IPSec Tunnel is up but can't ping remote ip

Discussion in 'Cisco' started by urvin, Apr 14, 2008.

  1. urvin


    Apr 14, 2008

    I have set up an IPsec tunnel between our branch office and our HQ. Please find attached the configuration. The tunnel is showing up but I am not able to ping the remote end of the tunnel. Any help is really appreciated. I am using a Cisco 877 router in the branch office.

    Router configuration:

    crypto isakmp policy 450
     authentication pre-share
     lifetime 84600
    crypto isakmp key passkey address 193.95.x.x
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 30 30
    crypto ipsec transform-set internet esp-3des esp-sha-hmac
     mode transport
    crypto map Russia-VPN local-address Loopback0
    crypto map Russia-VPN 450 ipsec-isakmp
     description VPN backup To Dublin
     set peer 193.95.x.x
     set transform-set internet
     match address 130
    interface Loopback0
     description ConnectionToISP
     ip address 85.112.x.x
     crypto map Russia-VPN
    interface Tunnel450
     bandwidth 2048
     ip address
     no ip mroute-cache
     tunnel source Loopback0
     tunnel destination 193.95.x.x
     crypto map Russia-VPN
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     dsl operating-mode adsl2+
    interface ATM0.1 point-to-point
     ip address
     ip accounting output-packets
     ip accounting access-violations
     no snmp trap link-status
     atm route-bridged ip
     pvc 1/50
      encapsulation aal5snap
    interface FastEthernet0
    interface FastEthernet1
     switchport access vlan 2
    interface Vlan2
     ip address
    router eigrp 180
     distribute-list 1 out Vlan2
     no auto-summary
     no eigrp log-neighbor-changes
    ip route Tunnel450
    ip route 193.95.x.x
    access-list 130 permit gre host 85.112.x.x host 193.95.x.x
    access-list 130 permit ip host 85.112.x.x host 193.95.x.x
    snmp-server community somestring RO

    Router#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst src state conn-id slot status
    85.112.x.x 193.95.x.x QM_IDLE 2002 0 ACTIVE

    IPv6 Crypto ISAKMP SA

    Router#sh ip route
    Routing entry for
    Known via "connected", distance 0, metric 0 (connected, via interface)
    Redistributing via eigrp 180
    Routing Descriptor Blocks:
    * directly connected, via Tunnel450
    Route metric is 0, traffic share count is 1

    Router#sh ip eigrp neighbors
    IP-EIGRP neighbors for process 180
    H Address Interface Hold Uptime SRTT RTO Q Seq
    (sec) (ms) Cnt Num
    1 Tu450 14 00:00:33 1 5000 2 0
    0 Vl2 13 00:32:11 5 200 0 687

    Router#sh ver

    Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(11)T4,
    System image file is "flash:c870-advipservicesk9-mz.124-11.T4.bin"

    Also, you can see from the sh ip eigrp neighbors output that EIGRP hello packets are not being sent to the remote router.

    urvin, Apr 14, 2008