I am having trouble getting a site to site VPN tunnel running with a Cisco 3620 and a Cisco/Linksys router. The connection is established, but I am unable to access either ends. Below is the config - SA displays dropped packets
no ip domain lookup
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
!
vpdn-group ppoe
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
#CISCO/LINKSYS ROUTER
crypto isakmp key mykey address PEERIP no-xauth
!
!
crypto ipsec transform-set tranSet esp-3des esp-md5-hmac
!
!
!
!
!
crypto map fusionMap 1 ipsec-isakmp
description ****** Link to Router2 ******
set peer PEERIP
set security-association lifetime seconds 86400
set transform-set tranSet
set pfs group1
match address 100
!
!
!
interface Loopback0
no ip address
shutdown
!
interface Ethernet0/0
no ip address
ip access-group ACL_INBOUND in
ip nbar protocol-discovery
no ip mroute-cache
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Ethernet0/1
no ip address
ip nbar protocol-discovery
ip route-cache flow
half-duplex
!
interface Ethernet0/1.1
encapsulation dot1Q 1 native
ip address 10.10.7.1 255.255.255.0 secondary
ip address 199.x.x.x 255.255.255.248 secondary
ip address 199.x.x.x. 255.255.255.248b
ip nat outside
crypto map fusionMap
!
interface Ethernet0/1.2
description NetFusion Network
encapsulation dot1Q 2
ip address 10.10.3.1 255.255.255.0
ip nat inside
!
interface Ethernet0/1.3
description Blackline Network
encapsulation dot1Q 3
ip address 10.10.4.1 255.255.255.0
ip nat inside
!
interface Ethernet0/1.4
description Hydroxyl Network
encapsulation dot1Q 4
ip address 10.10.5.1 255.255.255.0
ip nat inside
ip nbar protocol-discovery
!
interface Ethernet0/1.5
description Available
encapsulation dot1Q 5
ip address 10.10.6.1 255.255.255.0
ip nat inside
!
#CURRENTLY NOT USED
interface Ethernet0/1.6
description local-network
encapsulation dot1Q 6
ip address 192.168.5.90 255.255.255.0
!
interface Dialer0
no ip address
ip nat outside
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group ACL_INBOUND in
ip nat outside
ip nbar protocol-discovery
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username USERNAME password 7 PASSWORD
ppp ipcp dns request
ppp ipcp address accept
!
router rip
version 2
network 10.0.0.0
!
ip nat inside source route-map nonat interface Ethernet0/1.1 overload
ip nat inside source static 10.10.3.5 EXTIP
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip flow-export source Dialer1
ip flow-export version 5
ip flow-export destination 10.10.4.2 2055
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
ip access-list standard VTY_ACCESS
permit 10.10.0.0 0.0.255.255
permit 192.168.5.0 0.0.0.255
deny any log
access-list 100 remark ****** Link to Router2 ******
access-list 100 permit ip 10.10.0.0 0.0.255.255 172.16.50.0 0.0.0.255
access-list 100 permit ip 10.10.4.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 10.10.0.0 0.0.255.255 172.16.50.0 0.0.0.255
access-list 101 deny ip 10.10.4.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 101
!
dial-peer cor custom
!
!
!
!
no ip domain lookup
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
!
vpdn-group ppoe
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
#CISCO/LINKSYS ROUTER
crypto isakmp key mykey address PEERIP no-xauth
!
!
crypto ipsec transform-set tranSet esp-3des esp-md5-hmac
!
!
!
!
!
crypto map fusionMap 1 ipsec-isakmp
description ****** Link to Router2 ******
set peer PEERIP
set security-association lifetime seconds 86400
set transform-set tranSet
set pfs group1
match address 100
!
!
!
interface Loopback0
no ip address
shutdown
!
interface Ethernet0/0
no ip address
ip access-group ACL_INBOUND in
ip nbar protocol-discovery
no ip mroute-cache
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Ethernet0/1
no ip address
ip nbar protocol-discovery
ip route-cache flow
half-duplex
!
interface Ethernet0/1.1
encapsulation dot1Q 1 native
ip address 10.10.7.1 255.255.255.0 secondary
ip address 199.x.x.x 255.255.255.248 secondary
ip address 199.x.x.x. 255.255.255.248b
ip nat outside
crypto map fusionMap
!
interface Ethernet0/1.2
description NetFusion Network
encapsulation dot1Q 2
ip address 10.10.3.1 255.255.255.0
ip nat inside
!
interface Ethernet0/1.3
description Blackline Network
encapsulation dot1Q 3
ip address 10.10.4.1 255.255.255.0
ip nat inside
!
interface Ethernet0/1.4
description Hydroxyl Network
encapsulation dot1Q 4
ip address 10.10.5.1 255.255.255.0
ip nat inside
ip nbar protocol-discovery
!
interface Ethernet0/1.5
description Available
encapsulation dot1Q 5
ip address 10.10.6.1 255.255.255.0
ip nat inside
!
#CURRENTLY NOT USED
interface Ethernet0/1.6
description local-network
encapsulation dot1Q 6
ip address 192.168.5.90 255.255.255.0
!
interface Dialer0
no ip address
ip nat outside
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group ACL_INBOUND in
ip nat outside
ip nbar protocol-discovery
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username USERNAME password 7 PASSWORD
ppp ipcp dns request
ppp ipcp address accept
!
router rip
version 2
network 10.0.0.0
!
ip nat inside source route-map nonat interface Ethernet0/1.1 overload
ip nat inside source static 10.10.3.5 EXTIP
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip flow-export source Dialer1
ip flow-export version 5
ip flow-export destination 10.10.4.2 2055
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
ip access-list standard VTY_ACCESS
permit 10.10.0.0 0.0.255.255
permit 192.168.5.0 0.0.0.255
deny any log
access-list 100 remark ****** Link to Router2 ******
access-list 100 permit ip 10.10.0.0 0.0.255.255 172.16.50.0 0.0.0.255
access-list 100 permit ip 10.10.4.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 10.10.0.0 0.0.255.255 172.16.50.0 0.0.0.255
access-list 101 deny ip 10.10.4.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 101
!
dial-peer cor custom
!
!
!
!