awilderbeast asked:

VPN Tunnel Cisco 837 gone down, can't get it back up...

Hi all, equalizer and bkeford helped me create this config.

However, upon trying to create a second tunnel I made the 1st tunnel go down.
I've been trying to get the first tunnel back up since; this first tunnel is the most important and I can't get it up!

I've looked at the old post here:
https://www.experts-exchange.com/questions/24031745/cisco-837-VPN-Tunnel.html

and my config is identical to that, yet the show cry sess just says down negotiating all the time.
Anyone help me out?
Current configuration : 4184 bytes
!
version 12.4
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWADSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
!
ip cef
ip domain name cityworks.org.uk
!
!
crypto pki trustpoint TP-self-signed-1545441403
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1545441403
 revocation-check none
 rsakeypair TP-self-signed-1545441403
!
!
crypto pki certificate chain TP-self-signed-1545441403
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31353435 34343134 3033301E 170D3032 30333037 32313530
  32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35343534
  34313430 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C048 641EC14A C492C14C 37F4222A 0CE54628 605B126D 2352C997 D5D99796
  8FD24F3A C44AEEA4 F0B1EDB1 318AC149 67736CCF 5AB1D453 E99A5CAD 02B9B43E
  7A79E694 2DF49E3C FFB76137 2074F941 E799E318 13A8E59B D30797AD DD8B5AD5
  4EC3C316 9663F902 463B47B6 368C57CC 797878E3 2DE8BF35 F90EE9FF C72B00AD
  16F90203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17435741 44534C2E 63697479 776F726B 732E6F72 672E756B
  301F0603 551D2304 18301680 14CB40B1 156713A4 08EE351B F4F4CD69 D2012386
  EC301D06 03551D0E 04160414 CB40B115 6713A408 EE351BF4 F4CD69D2 012386EC
  300D0609 2A864886 F70D0101 04050003 818100B4 E377726D 63B00ECC 9159C9FD
  921D6FA8 03C20E78 18CAED65 2E32AAC4 DA714DD3 281156AC 3596453C 89A9FF4C
  E309A88C 6F99FCC5 3875AC1A 0400A4B4 20F5947C A2885184 319A1D03 C5C3D9E3
  8C2E8CCE 6A664530 1B0ED104 6AA6AE2B ED2736DC B22BE0D8 8234E45F D4CE372D
  47D10EB8 56FFF1EE C858EE0B 0C52C908 190E44
  quit
username admin privilege 15 password 7 02050B5518121D344F5A00160B4747
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key xxxxxxxxxx address 213.249.241.43
!
!
crypto ipsec transform-set TS_IPSEC esp-3des esp-sha-hmac
!
crypto map ptc 1 ipsec-isakmp
 set peer 213.249.241.43
 set transform-set TS_IPSEC
 match address 101
!
!
!
interface Loopback0
 ip address 192.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.174.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 description LAN
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 1/50
  dialer pool-member 1
  protocol ppp dialer
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 shutdown
 duplex auto
 speed auto
!
interface Dialer1
 description ADSL Dialer to Karoo
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxxxxxxxx@kcinternet
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx
 crypto map ptc
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.174.1 500 interface Dialer1 500
!
access-list 100 deny   ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
access-list 100 permit ip 192.168.174.0 0.0.0.255 any
access-list 101 permit ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
!
control-plane
!
banner login ^C
#################### WARNING! ####################
Access to this device is for authorized users only!
unauthorized users will be prosecuted!
################################################## ^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxx
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
 
CWADSL(config)#
 
Interface: Dialer1
Session status: DOWN-NEGOTIATING
Peer: 213.249.241.43 port 500
  IKE SA: local 77.86.108.201/500 remote 213.249.241.43/500 Inactive
  IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 192.168.170.0/255.255.255.0
 
        Active SAs: 0, origin: crypto map

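As an added example (not part of the original post, and not Cisco tooling): a small Python check for the usual mistakes when a second entry is added to a crypto map like `ptc` above. It goes beyond the posted config: the second tunnel (sequence 2, peer 203.0.113.10, ACL 102) and the function name `audit` are constructed for illustration, and ACL rules are compared by exact match only.

```python
import re
# Constructed sample: crypto/NAT lines from the config above plus a hypothetical 2nd tunnel.
SAMPLE = """\
crypto isakmp key xxxxxxxxxx address 213.249.241.43
crypto map ptc 1 ipsec-isakmp
 set peer 213.249.241.43
 match address 101
crypto map ptc 2 ipsec-isakmp
 set peer 203.0.113.10
 match address 102
interface Dialer1
 crypto map ptc
ip nat inside source list 100 interface Dialer1 overload
access-list 100 deny   ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
access-list 100 permit ip 192.168.174.0 0.0.0.255 any
access-list 101 permit ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
access-list 102 permit ip 192.168.174.0 0.0.0.255 192.168.180.0 0.0.0.255
"""

def audit(config):
    """Return findings for each 'crypto map <name> <seq> ipsec-isakmp' entry."""
    keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    acls = {}  # ACL number -> ordered list of (action, normalised src/dst)
    for num, action, rule in re.findall(
            r"^access-list (\d+) (permit|deny)\s+ip (.+)$", config, re.M):
        acls.setdefault(num, []).append((action, " ".join(rule.split())))
    nat_acls = re.findall(r"^ip nat inside source list (\d+) .*overload", config, re.M)
    applied = set(re.findall(r"^ crypto map (\S+)[ \t]*$", config, re.M))
    findings = []
    for name, seq, body in re.findall(
            r"^crypto map (\S+) (\d+) ipsec-isakmp[ \t]*\n((?: .*\n)*)", config, re.M):
        tag = f"{name} {seq}"
        if name not in applied:
            findings.append(f"{tag}: crypto map not applied to an interface")
        for peer in re.findall(r"set peer (\S+)", body):
            if peer not in keys:
                findings.append(f"{tag}: no isakmp key for peer {peer}")
        for acl in re.findall(r"match address (\S+)", body):
            for rule in (r for a, r in acls.get(acl, []) if a == "permit"):
                for nat in nat_acls:
                    # IOS NATs before the crypto map check: need a deny ahead of any permit.
                    rules = acls.get(nat, [])
                    cut = next((i for i, x in enumerate(rules) if x[0] == "permit"), len(rules))
                    if ("deny", rule) not in rules[:cut]:
                        findings.append(f"{tag}: '{rule}' not exempt from NAT (ACL {nat})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Entry 1, which mirrors the posted config, produces no findings; both findings come from the constructed second entry.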

asavener

Please run "debug crypto isakmp" and "debug crypto isakmp error" and post the results.
awilderbeast (ASKER)

Hi, thanks for the input, it just came up after about 5-10 minutes.

What's the startup time for a tunnel, do you know?

Cheers
It depends if there is traffic between your sites;
you can configure your router to build the tunnel even if there is no traffic,
which is applied to your dialer interface
!
dialer idle-timeout 300
!
>>>> 300 is time required for the tunnel before going up

BR
Could you explain that command in a little more detail for me?

So the tunnel will be forced up after 300 seconds?

Thanks
I see you changed the ISAKMP policy again. I think the Linksys on the other side does not support 3des. Please change isakmp as below.

crypto isakmp policy 1
 encryption des
 group 1
 authentication pre-share
ASKER CERTIFIED SOLUTION
memo_tnt
This solution is only available to members.
Thank you :)

P.S. Thanks for the input equalizer, but the isakmp policy is 3des, 3des was right, thanks though.