VPN – Traceroute through IPSec tunnel

ipsec, site-to-site, vpn

askk

Hi. When I do a traceroute from a host in 192.168.11.0/24 to the server in 10.0.0.0/24, which is site B, when the packets get into the public area it shows Request timed out (as shown in this figure). I'm using the IPSec protocol btw. Thank you…

NETWORK DIAGRAM.

KCP 1 (SITE A) Conf

Current configuration : 1284 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname KCP1
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1524EEWL-
license boot module c2900 technology-package securityk9
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key bjj address 209.165.100.1
!
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map bjjtunnel 1 ipsec-isakmp 
 set peer 209.165.100.1
 set transform-set TS 
 match address vpn-ke-bjjpusat
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 209.165.101.1 255.255.255.248
 duplex auto
 speed auto
 crypto map bjjtunnel
!
interface GigabitEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.101.2 
!
ip flow-export version 9
!
!
ip access-list extended vpn-ke-bjjpusat
 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

BJJPUSAT (SITE B) Conf

Current configuration : 1290 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname BJJPUSAT
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1524I08N-
license boot module c2900 technology-package securityk9
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key bjj address 209.165.101.1
!
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map bjjtunnel 1 ipsec-isakmp 
 set peer 209.165.101.1
 set transform-set TS 
 match address vpn-ke-kcp1
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 209.165.100.1 255.255.255.248
 duplex auto
 speed auto
 crypto map bjjtunnel
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.100.2 
!
ip flow-export version 9
!
!
ip access-list extended vpn-ke-kcp1
 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 192.168.11.0 0.0.0.255
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Best Answer

KCP 1, the tunnel side towards the source, doesn't send a Time Exceeded ICMP message when the TTL runs out. It just silently drops the probe packet.

Note that the tunneled packet doesn't enter the public zone itself. It's encapsulated in an outer packet that crosses that zone. Accordingly, the tunnel only decrements the TTL by 1 and traceroute sees the tunnel as a single hop, regardless of the number of hops the outer packet takes.
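A toy model of the hop accounting this answer describes, added here as an illustration; it is not code from the question, the answer, or Cisco IOS, and it does not reproduce Packet Tracer's behaviour. It assumes, per the answer, that KCP1 drops an expired probe silently and that the ESP outer packet carries its own TTL (assumed 255 here), so the public-side routers never examine the inner TTL. The two public next-hop addresses come from the default routes in the configs; the server address, the extra transit router, and which interface address a router uses to source its Time Exceeded reply are assumptions of the model.

```python
"""Toy model of traceroute hop accounting across an IPsec tunnel.

Added illustration only: not IOS code and not a Packet Tracer reproduction.
It follows the answer's description: the ingress router silently drops an
expired probe, the encapsulated packet crosses the public routers on its own
outer TTL, and the egress router decapsulates and forwards the inner packet.
"""
from dataclasses import dataclass
from typing import List, Optional

OUTER_TTL = 255  # assumption: TTL written into the outer IP header at encapsulation


@dataclass
class Router:
    name: str
    addr: str                     # address used to source ICMP Time Exceeded (assumed)
    tunnel_ingress: bool = False  # encapsulates packets matching the crypto ACL
    tunnel_egress: bool = False   # decapsulates them at the far end
    silent_drop: bool = False     # drops an expired probe with no ICMP Time Exceeded


# Topology built from the question: the two public next hops are the static
# default routes in the configs; the server address is constructed.
KCP1 = Router("KCP1", "192.168.11.1", tunnel_ingress=True, silent_drop=True)
ISP_A = Router("ISP-A", "209.165.101.2")
ISP_B = Router("ISP-B", "209.165.100.2")
BJJPUSAT = Router("BJJPUSAT", "10.0.0.1", tunnel_egress=True)
DEST = "10.0.0.10"  # constructed address of the server at site B

PATH = [KCP1, ISP_A, ISP_B, BJJPUSAT]


def send_probe(ttl: int, path: List[Router], tunnel: bool) -> Optional[str]:
    """Return the address that answers a probe sent with this TTL, or None on timeout."""
    inner_ttl = ttl
    outer_ttl: Optional[int] = None  # set while the probe rides inside an ESP packet
    for router in path:
        if outer_ttl is not None:
            if router.tunnel_egress:
                outer_ttl = None  # decapsulate; the inner packet is forwarded again below
            else:
                # A transit router only sees the outer header: the inner TTL is untouched,
                # so with OUTER_TTL=255 no probe expires here and these hops stay invisible.
                outer_ttl -= 1
                if outer_ttl == 0:
                    return router.addr
                continue
        # Forwarding the inner packet costs one TTL, tunnel or not.
        inner_ttl -= 1
        if inner_ttl == 0:
            if tunnel and router.silent_drop:
                return None  # what the answer describes: the probe is dropped quietly
            return router.addr  # ICMP Time Exceeded from this router
        if tunnel and router.tunnel_ingress:
            outer_ttl = OUTER_TTL  # encapsulate into an outer packet with a fresh TTL
    return DEST  # the probe reached the server, which answers


def traceroute(path: List[Router], tunnel: bool, max_hops: int = 8) -> List[Optional[str]]:
    """One probe per TTL value, stopping once the destination answers."""
    hops: List[Optional[str]] = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(ttl, path, tunnel)
        hops.append(reply)
        if reply == DEST:
            break
    return hops


def render(hops: List[Optional[str]]) -> str:
    """Format a hop list the way a traceroute printout looks."""
    return "\n".join(f"{n:2d}  {h or '* * *  (request timed out)'}" for n, h in enumerate(hops, 1))


if __name__ == "__main__":
    print("Without the tunnel (plain routing):")
    print(render(traceroute(PATH, tunnel=False)))
    print("\nThrough the IPsec tunnel:")
    print(render(traceroute(PATH, tunnel=True)))
    # Extra transit routers on the public side change nothing in the tunneled trace.
    longer = [KCP1, ISP_A, Router("transit", "203.0.113.1"), ISP_B, BJJPUSAT]
    assert traceroute(longer, tunnel=True) == traceroute(PATH, tunnel=True)
```

Running it prints the two traces one after the other: in the untunneled trace every router answers in turn, while in the tunneled trace the first line is the probe KCP1 drops silently and the ISP routers never appear, because the inner TTL is never examined while the probe is encapsulated. Adding transit routers between the sites lengthens only the untunneled trace, which is the "single hop regardless of the number of hops the outer packet takes" point.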
