Support
Community

Since you are using the firewall feature, you will want to put a rule in to allow the IPSEC tunnel traffic into the WAN of each 3448.  What's likely happening now is that the tunnel is getting established through open ports and then the firewall is closing them.  Add an ACL like this at each site and apply it to your policy.  You could also filter by the specific IPAKMP port (500) and ESP protocol that are used, but since your other site should be a trusted host this is just easier.

ip access-list extended Allow_IPSEC_IN

  permit ip host x.x.x.1  any    (other site's WAN)

ip policy-class Public

  allow reverse list VPN-10-vpn-selectors1

  allow list Allow_IPSEC_IN self

  nat destination list web-acl-3 address 192.168.123.5

  allow list web-acl-4 self

I would like to make a few recommendations too.  I would suggest using AES encrytion instead of 3DES.  It is more secure and has better performance than 3DES.  I would also recommend specifying source networks in the"ip access-list extended web-acl-4" admin access list if you can to limit the exposure of your admin ports to the internet.  I also see that you have IP Flow enabled as well as RTP monitoring.  Depending on how much traffic your sites do, this could load the CPU and lead to throughput issues because of a lack of resources.

I hope this helps.  If it doesn't, then you may need to run a debug and let us know what is happening on each router when the tunnel drops out. 

That line was in your original configuration file titled "georgebizet" attached above.

Here is the matching ACL.  This looks like a nat port forward for mail service.

ip access-list extended web-acl-3

  remark mail

  permit tcp any  any eq smtp   log

  permit tcp any  any eq pop3   log

  permit tcp any eq 143 any eq 143   log

The config example I pasted was just sampled from your config but it wasn't the whole thing.  I was just trying to show you where you would want to put the Allow IPSEC list.  Here is how you want your policy to look (based upon the current config).

ip policy-class Public

  allow reverse list VPN-10-vpn-selectors1

  allow list Allow_IPSEC_IN self  

  allow list web-acl-4 self

  nat destination list web-acl-3 address 192.168.123.5

  nat destination list web-acl-5 address 192.168.123.5

  nat destination list web-acl-6 address 192.168.123.5

  nat destination list web-acl-9 address 192.168.123.20

  nat destination list web-acl-10 address 192.168.123.50

  nat destination list web-acl-11 address 192.168.123.5

-

I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor