wilson2468
Technical User
I have the following situation:
Tunnel was up and working to remote site Netscreen firewall with VPN concentrator at my site.
I want to replace the concentrator with a 2800 series router.
I tried to get it up and working today with the netscreen guy at the remote site.
Looks like negotiation is ok, but I cannot ping remote site inside network.
I see sa on my side as established but QM_Idle.
I see access-lists being matched.
Trace from my end shows packets die right out of my router.
If I put the concentrator back, it comes back up.
Anyone see anything obvious?
Config is as follows:
!
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$EvwK$YaGX6IwgGv4e5OyUuoDHQ/
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name yourdomain.com
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 888888 address 26.23.1.6
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map To_Sungard 1 ipsec-isakmp
set peer 26.23.1.6
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
interface GigabitEthernet0/0
ip address 4.27.66.26 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map To_Sungard
!
interface GigabitEthernet0/1
ip address 10.10.150.251 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/3/0
no ip address
shutdown
!
interface FastEthernet0/3/1
no ip address
shutdown
!
interface FastEthernet0/3/2
no ip address
shutdown
!
interface FastEthernet0/3/3
no ip address
shutdown
!
interface Vlan1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 4.27.66.25
ip route 10.10.33.0 255.255.255.0 10.10.150.254
ip route 10.10.41.0 255.255.255.0 10.10.150.254
ip route 10.10.49.0 255.255.255.0 10.10.150.254
ip route 10.10.50.0 255.255.255.0 10.10.150.254
ip route 10.10.51.0 255.255.255.0 10.10.150.254
ip route 10.10.55.0 255.255.255.0 10.10.150.254
ip route 10.10.56.0 255.255.255.0 10.10.150.254
ip route 10.10.57.0 255.255.255.0 10.10.150.254
ip route 10.10.58.0 255.255.255.0 10.10.150.254
ip route 10.10.61.0 255.255.255.0 10.10.150.254
ip route 10.10.62.0 255.255.255.0 10.10.150.254
ip route 10.10.151.0 255.255.255.0 10.10.150.254
ip route 10.10.152.0 255.255.255.0 10.10.150.254
ip route 10.10.153.0 255.255.255.128 10.10.150.254
ip route 10.10.153.128 255.255.255.128 10.10.150.254
ip route 10.10.160.0 255.255.255.0 10.10.150.254
ip route 172.16.0.0 255.255.0.0 10.10.150.254
ip route 198.104.204.0 255.255.255.0 10.10.150.254
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
!
ip access-list extended nat
remark SDM_ACL Category=2
deny ip 10.10.160.0 0.0.0.255 10.10.125.0 0.0.0.255
deny ip 10.10.153.0 0.0.0.255 10.10.125.0 0.0.0.255
deny ip 10.10.152.0 0.0.0.255 10.10.125.0 0.0.0.255
deny ip 10.10.151.0 0.0.0.255 10.10.125.0 0.0.0.255
remark IPSec Rule
deny ip 10.10.150.0 0.0.0.255 10.10.125.0 0.0.0.255
permit ip 10.10.150.0 0.0.0.255 any
permit ip 10.10.151.0 0.0.0.255 any
permit ip 10.10.152.0 0.0.0.255 any
permit ip 10.10.153.0 0.0.0.255 any
permit ip 10.10.160.0 0.0.0.255 any
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.150.0 0.0.0.255 10.10.125.0 0.0.0.255
access-list 100 permit ip 10.10.151.0 0.0.0.255 10.10.125.0 0.0.0.255
access-list 100 permit ip 10.10.152.0 0.0.0.255 10.10.125.0 0.0.0.255
access-list 100 permit ip 10.10.153.0 0.0.0.255 10.10.125.0 0.0.0.255
access-list 100 permit ip 10.10.160.0 0.0.0.255 10.10.125.0 0.0.0.255
!
route-map SDM_RMAP_1 permit 1
match ip address nat
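The first thing to verify on an IOS router that runs NAT overload and a crypto map on the same interface is that the NAT ACL exempts every flow the crypto ACL is supposed to encrypt: for inside-to-outside traffic IOS performs NAT before it consults the crypto map, so a flow that gets translated leaves from the public address, never matches the crypto ACL, and goes out in the clear even though the SA shows as QM_IDLE. The script below is an added example (not part of the original post or any Cisco tool): it parses the crypto ACL `100` and the named ACL `nat` exactly as posted, and for each crypto "permit" flow reports the first-match verdict of the NAT ACL. The `BROKEN_CONFIG` variant is constructed to show what a mis-ordered exemption looks like; the `_take_addr`, `parse_acls`, `first_match` and `nat_exemption_report` names are the example's own.

```python
"""Check that an IOS crypto-map ACL is exempted from NAT overload (added example)."""
from ipaddress import IPv4Address, IPv4Network

# Excerpt of the ACLs from the posted configuration (indentation restored).
POSTED_CONFIG = """\
ip access-list extended nat
 remark SDM_ACL Category=2
 deny ip 10.10.160.0 0.0.0.255 10.10.125.0 0.0.0.255
 deny ip 10.10.153.0 0.0.0.255 10.10.125.0 0.0.0.255
 deny ip 10.10.152.0 0.0.0.255 10.10.125.0 0.0.0.255
 deny ip 10.10.151.0 0.0.0.255 10.10.125.0 0.0.0.255
 remark IPSec Rule
 deny ip 10.10.150.0 0.0.0.255 10.10.125.0 0.0.0.255
 permit ip 10.10.150.0 0.0.0.255 any
 permit ip 10.10.151.0 0.0.0.255 any
 permit ip 10.10.152.0 0.0.0.255 any
 permit ip 10.10.153.0 0.0.0.255 any
 permit ip 10.10.160.0 0.0.0.255 any
!
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.150.0 0.0.0.255 10.10.125.0 0.0.0.255
access-list 100 permit ip 10.10.151.0 0.0.0.255 10.10.125.0 0.0.0.255
access-list 100 permit ip 10.10.152.0 0.0.0.255 10.10.125.0 0.0.0.255
access-list 100 permit ip 10.10.153.0 0.0.0.255 10.10.125.0 0.0.0.255
access-list 100 permit ip 10.10.160.0 0.0.0.255 10.10.125.0 0.0.0.255
"""

# Constructed counter-example (NOT from the post): the NAT exemption for
# 10.10.150.0/24 is placed after the 'permit ... any', so first-match wins.
BROKEN_CONFIG = """\
ip access-list extended nat
 permit ip 10.10.150.0 0.0.0.255 any
 deny ip 10.10.150.0 0.0.0.255 10.10.125.0 0.0.0.255
!
access-list 100 permit ip 10.10.150.0 0.0.0.255 10.10.125.0 0.0.0.255
"""


def _take_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) -> (network, rest)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    netmask = IPv4Address((~int(IPv4Address(wildcard))) & 0xFFFFFFFF)  # invert wildcard bits
    return IPv4Network(f"{addr}/{netmask}", strict=False), tokens[2:]


def _parse_ace(tokens):
    """'permit ip SRC DST' -> (action, protocol, src_net, dst_net)."""
    action, proto = tokens[0], tokens[1]
    src, rest = _take_addr(tokens[2:])
    dst, _ = _take_addr(rest)
    return action, proto, src, dst


def parse_acls(config):
    """Return {acl_name: [ace, ...]} for numbered and named extended ACLs."""
    acls, current = {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            current = None
            continue
        if parts[:3] == ["ip", "access-list", "extended"]:
            current = parts[3]
            acls.setdefault(current, [])
        elif parts[0] == "access-list":
            if parts[2] != "remark":
                acls.setdefault(parts[1], []).append(_parse_ace(parts[2:]))
        elif current and parts[0] in ("permit", "deny"):
            acls[current].append(_parse_ace(parts))
        elif current and parts[0] != "remark":
            current = None
    return acls


def first_match(acl, src, dst):
    """IOS first-match verdict for flow src->dst. 'partial' means an earlier entry
    covers only part of the flow, so some of it would be treated differently."""
    for action, _proto, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
        if src.overlaps(s) and dst.overlaps(d):
            return "partial"
    return "deny"  # implicit deny at the end of every IOS ACL


def nat_exemption_report(config, crypto_acl="100", nat_acl="nat"):
    """For each flow the crypto ACL would encrypt, the NAT ACL's verdict:
    'deny' = exempt from NAT (correct); 'permit' = translated before the crypto
    map sees it, so it never matches the crypto ACL and leaves unencrypted."""
    acls = parse_acls(config)
    return [(str(src), str(dst), first_match(acls[nat_acl], src, dst))
            for action, _p, src, dst in acls[crypto_acl] if action == "permit"]


if __name__ == "__main__":
    for src, dst, verdict in nat_exemption_report(POSTED_CONFIG):
        print(f"{src:>16} -> {dst:<16} NAT ACL verdict: {verdict}")
    print("broken variant:", nat_exemption_report(BROKEN_CONFIG))
```

Run against the ACLs as posted, every crypto flow gets a `deny` from the NAT ACL, so the NAT exemption is in order and is not what is dropping the traffic here; the next things to look at are the `pkts encaps`/`pkts decaps` counters in `show crypto ipsec sa` (to see whether the router is encrypting at all and whether anything comes back) and whether the Netscreen side's proxy IDs agree with these five /24 pairs.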