Absolutely,
1) When I ping their network
TV-FW-60D # diag sniffer packet any "host 10.254.0.2"
interfaces=[any]
filters=[host 10.254.0.2]
0 packets received by filter
0 packets dropped by kernel
2) On their end a week ago the tech did a tcpdump and stated that he sees a UDP-encapsulated IPsec packet sent to our WAN address and can see his ping traversing the VPN connection, but no response packet
# tcpdump -nn net 172.21.1.0/24
23:29:42.788605 IP 10.33.0.9 > 172.21.1.7: ICMP echo request, id 31588, seq 1, length 64
23:30:03.973789 IP 10.33.0.9 > 172.21.1.7: ICMP echo request, id 31696, seq 1, length 64
# tcpdump -nn 'net 50.254.200.220'
23:29:42.788636 IP 10.33.252.205.4500 > 50.254.200.220.4500: UDP-encap: ESP(spi=0x170f4be0,seq=0xa), length 132
23:29:49.307656 IP 10.33.252.205.4500 > 50.254.200.220.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:29:49.329883 IP 50.254.200.220.4500 > 10.33.252.205.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:29:57.450404 IP 10.33.252.205.4500 > 50.254.200.220.4500: isakmp-nat-keep-alive
23:29:57.450550 IP 10.33.252.205.4500 > 50.254.200.220.4500: isakmp-nat-keep-alive
23:29:57.450670 IP 10.33.252.205.4500 > 50.254.200.220.4500: isakmp-nat-keep-alive
23:29:57.450830 IP 10.33.252.205.4500 > 50.254.200.220.4500: isakmp-nat-keep-alive
23:29:57.451292 IP 10.33.252.205.4500 > 50.254.200.220.4500: isakmp-nat-keep-alive
23:29:59.114239 IP 10.33.252.205.4500 > 50.254.200.220.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:29:59.137438 IP 50.254.200.220.4500 > 10.33.252.205.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:30:03.973823 IP 10.33.252.205.4500 > 50.254.200.220.4500: UDP-encap: ESP(spi=0x170f4be0,seq=0xb), length 132
I've attached an image of the Phase 2 selectors (using named address)
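An added example, not part of the original post: a small Python script that tallies the remote side's capture quoted above by packet type and direction, so the pattern the tech described (ESP leaving, IKE messages answered, no ESP returning) shows up as counts. The function names and the choice of 10.33.252.205 as the capturing side are assumptions made for this example.

```python
import re
from collections import Counter

# Capture lines copied from the post above (remote side, UDP/4500 traffic).
CAPTURE = """\
23:29:42.788636 IP 10.33.252.205.4500 > 50.254.200.220.4500: UDP-encap: ESP(spi=0x170f4be0,seq=0xa), length 132
23:29:49.307656 IP 10.33.252.205.4500 > 50.254.200.220.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:29:49.329883 IP 50.254.200.220.4500 > 10.33.252.205.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:29:57.450404 IP 10.33.252.205.4500 > 50.254.200.220.4500: isakmp-nat-keep-alive
23:29:57.450550 IP 10.33.252.205.4500 > 50.254.200.220.4500: isakmp-nat-keep-alive
23:29:57.450670 IP 10.33.252.205.4500 > 50.254.200.220.4500: isakmp-nat-keep-alive
23:29:57.450830 IP 10.33.252.205.4500 > 50.254.200.220.4500: isakmp-nat-keep-alive
23:29:57.451292 IP 10.33.252.205.4500 > 50.254.200.220.4500: isakmp-nat-keep-alive
23:29:59.114239 IP 10.33.252.205.4500 > 50.254.200.220.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:29:59.137438 IP 50.254.200.220.4500 > 10.33.252.205.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:30:03.973823 IP 10.33.252.205.4500 > 50.254.200.220.4500: UDP-encap: ESP(spi=0x170f4be0,seq=0xb), length 132
"""

# tcpdump -nn line: "<time> IP <src>.<port> > <dst>.<port>: <payload>"
LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: (.*)$")

def classify(payload):
    """Map the tcpdump payload description to a traffic class."""
    if payload.startswith("UDP-encap: ESP"):
        return "esp"          # encrypted tunnel data (NAT-T)
    if payload.startswith("NONESP-encap: isakmp"):
        return "ike"          # IKE control messages
    if payload.startswith("isakmp-nat-keep-alive"):
        return "keepalive"    # NAT-T keepalives
    return "other"

def summarize(text, local_ip):
    """Count packets per (class, direction) as seen from local_ip."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or local_ip not in m.group(1, 2):
            continue
        direction = "out" if m.group(1) == local_ip else "in"
        counts[(classify(m.group(3)), direction)] += 1
    return counts

def one_way_esp(counts):
    """True when IKE is answered but ESP only flows outbound."""
    return counts[("esp", "out")] > 0 and counts[("esp", "in")] == 0 and counts[("ike", "in")] > 0

if __name__ == "__main__":
    result = summarize(CAPTURE, "10.33.252.205")
    for key in sorted(result):
        print(key, result[key])
    print("one-way ESP:", one_way_esp(result))
```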
