IPSEC Problem

hi

I'm trying to set up a VPN with IPsec on MK 2.9.28.

Peer added, policies added, remote peer established.

BUT installed SAs=BLANK - the secret was configured in peer

policies said:
no phase2

log said:
received ISAKMP packet from 200.xxx.xxx.xxx:500, phase 1, identity protection
received ISAKMP packet from 200.xxx.xxx.xxx:500, phase 1, identity protection
received ISAKMP packet from 200.xxx.xxx.xxx:500, phase 2, informational
ignoring packet, it contains unexpected payload (remote unknown)
ISAKMP SA estabilished (local 201.xxx.xxx.xxx:500) (remote 200.xxx.xxx.xxx:500)

Installed SAs still BLANK; the exchange of keys between the routers did not occur.

any ideas?

ok. problem solved!!

just disable NAT rule and tunnel is OK.

let me explain the scenario:

A side:

MK v2.9.28 on a RouterBOARD, just using the ETH interfaces (routing)
Public IP: 201.xxx.xxx.xxx
Private IP: 172.101.xxx.xxx

B side:

Cisco 3000 VPN concentrator
Public IP: 200.xxx.xxx.xxx
Private IP: 10.16.xxx.xxx

on MK the policies are:

Src Add: 172.101.xxx.xxx/32 Dst Add: 10.16.xxx.xxx/32
SA Src Add: 201.xxx.xxx.xxx SA Dst Add: 200.xxx.xxx.xxx

Routes:

AS Dst: 0.0.0.0/0 Gateway: 201.xxx.xxx.1
DAC Dst: 172.101.xxx.0/16 Pref Source: 172.101.xxx.xxx/32
DAC Dst: 201.xxx.xxx.0/24 Pref Source: 201.xxx.xxx.xxx/32

now, the #2 problem:

no ICMP reply from either side (A → B) (B → A)

the tunnel is up, secretkeys OK, phase 2 UP

it seems like a routing problem??

Problem solved!!!

just change the LAN private range and voilà… all works fine…

we still do not know the reason of this yet…
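
An added example, not part of the original thread: the first fix above was disabling the NAT rule, and on RouterOS source NAT is applied before the IPsec policy lookup, so a masquerade rule that matches tunnel traffic rewrites the source address and the packet no longer matches the policy selector. The Python check below walks an ordered srcnat rule list and reports every policy whose traffic would be rewritten before a bypass (accept) rule exempts it. The rule dictionaries, field names and addresses are constructed for illustration and are not a RouterOS export format.

```python
import ipaddress

REWRITES = {"masquerade", "src-nat"}  # srcnat actions that change the source address

def _net(s):
    return ipaddress.ip_network(s, strict=False)

def _overlaps(rule, pol):
    # True if some packet matching the policy selector also matches the rule.
    return (_net(rule["src"]).overlaps(_net(pol["src"]))
            and _net(rule["dst"]).overlaps(_net(pol["dst"])))

def _covers(rule, pol):
    # True if every packet matching the policy selector matches the rule.
    return (_net(pol["src"]).subnet_of(_net(rule["src"]))
            and _net(pol["dst"]).subnet_of(_net(rule["dst"])))

def nat_conflicts(policies, nat_rules):
    """Return (policy_index, rule_index) pairs where a srcnat rule rewrites
    traffic that an IPsec policy selector is meant to match."""
    hits = []
    for pi, pol in enumerate(policies):
        for ri, rule in enumerate(nat_rules):  # first matching rule wins
            if rule.get("disabled") or rule["chain"] != "srcnat":
                continue
            if not _overlaps(rule, pol):
                continue
            if rule["action"] == "accept" and _covers(rule, pol):
                break  # bypass rule exempts the whole selector from NAT
            if rule["action"] in REWRITES:
                hits.append((pi, ri))
                break
    return hits

# Constructed sample data (placeholder addresses, not the poster's).
POLICIES = [{"src": "192.168.10.5/32", "dst": "10.20.0.7/32"}]
MASQ = {"chain": "srcnat", "action": "masquerade",
        "src": "0.0.0.0/0", "dst": "0.0.0.0/0"}
BYPASS = {"chain": "srcnat", "action": "accept",
          "src": "192.168.10.0/24", "dst": "10.20.0.0/16"}

if __name__ == "__main__":
    print("masquerade only:  ", nat_conflicts(POLICIES, [MASQ]))
    print("bypass first:     ", nat_conflicts(POLICIES, [BYPASS, MASQ]))
    print("bypass too late:  ", nat_conflicts(POLICIES, [MASQ, BYPASS]))
```

An empty result means tunnel traffic reaches the policy lookup with its original source address, which is the same effect the thread got by disabling the NAT rule while keeping NAT available for other traffic.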