awilderbeast
asked on
VPN Tunnel cisco 837 gone down, can't get it back up...
Hi all, equalizer and bkeford helped me create this config.
However, upon trying to create a second tunnel I made the 1st tunnel go down.
I've been trying to get the first tunnel back up since; this first tunnel is the most important and I can't get it up!
I've looked at the old post, here:
https://www.experts-exchange.com/questions/24031745/cisco-837-VPN-Tunnel.html
and my config is identical to that, yet the show cry sess just says down negotiating all the time.
Anyone help me out?
Current configuration : 4184 bytes
!
version 12.4
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWADSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
!
ip cef
ip domain name cityworks.org.uk
!
!
crypto pki trustpoint TP-self-signed-1545441403
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1545441403
revocation-check none
rsakeypair TP-self-signed-1545441403
!
!
crypto pki certificate chain TP-self-signed-1545441403
certificate self-signed 01
quit
username admin privilege 15 password 7 02050B5518121D344F5A00160B4747
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key xxxxxxxxxx address 213.249.241.43
!
!
crypto ipsec transform-set TS_IPSEC esp-3des esp-sha-hmac
!
crypto map ptc 1 ipsec-isakmp
set peer 213.249.241.43
set transform-set TS_IPSEC
match address 101
!
!
!
interface Loopback0
ip address 192.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 192.168.174.1 255.255.255.0
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
description LAN
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 1/50
dialer pool-member 1
protocol ppp dialer
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
shutdown
duplex auto
speed auto
!
interface FastEthernet3
shutdown
duplex auto
speed auto
!
interface FastEthernet4
shutdown
duplex auto
speed auto
!
interface Dialer1
description ADSL Dialer to Karoo
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp chap hostname xxxxxxxxxx@kcinternet
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx
crypto map ptc
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.174.1 500 interface Dialer1 500
!
access-list 100 deny ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
access-list 100 permit ip 192.168.174.0 0.0.0.255 any
access-list 101 permit ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
!
control-plane
!
banner login ^C
#################### WARNING! ####################
Access to this device is for authorized users only!
unauthorized users will be prosecuted!
################################################## ^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password 7 xxxxxxxxxxxxxxxxxxx
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
CWADSL(config)#
Interface: Dialer1
Session status: DOWN-NEGOTIATING
Peer: 213.249.241.43 port 500
IKE SA: local 77.86.108.201/500 remote 213.249.241.43/500 Inactive
IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 192.168.170.0/255.255.255.0
Active SAs: 0, origin: crypto map
Please run "debug crypto isakmp" and "debug crypto isakmp error" and post the results.
ASKER
Hi, thanks for the input, it just came up after about 5-10 minutes.
What's the startup time for a tunnel, do you know?
Cheers
It depends on whether there is traffic between your sites;
you can configure your router to build the tunnel even if there is no traffic,
which is applied to your dialer interface
!
dialer idle-timeout 300
!
>>>> 300 is the time required for the tunnel before going up
BR
ASKER
Could you explain that command in a little more detail for me?
So the tunnel will be forced up after 300 seconds?
Thanks
I see you changed the ISAKMP policy again. I think the Linksys on the other side does not support 3DES. Please change ISAKMP as below.
crypto isakmp policy 1
encryption des
group 1
authentication pre-share
ASKER
Thank you :)
P.S. Thanks for the input equalizer, but the isakmp policy is 3des, 3des was right, thanks though.
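Added example, not part of the original thread: a short Python check that expands a `crypto isakmp policy` block to its effective phase 1 settings (IOS 12.4 fills unset attributes with DES, SHA, RSA signatures, group 1, lifetime 86400) and lists the attributes on which two policies differ. It is run here on the policy from the posted config and the one suggested in the reply; the function names are hypothetical and the remote Linksys's real settings do not appear on the page.

```python
import re

# IOS 12.4 values for attributes a policy block leaves unset.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
# Keywords as typed or as abbreviated by "show run".
ALIASES = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
           "authentication": "authentication", "group": "group",
           "lifetime": "lifetime"}

def parse_isakmp_policies(config):
    """Return {priority: effective policy} with IOS defaults filled in."""
    policies, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        m = re.match(r"crypto isakmp policy (\d+)$", raw.strip())
        if m:
            current = policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS))
        elif current is not None and len(words) >= 2 and words[0] in ALIASES:
            current[ALIASES[words[0]]] = " ".join(words[1:])
        else:
            current = None  # any other line ends the policy block
    return policies

def phase1_mismatches(local, peer):
    """Attributes that must be identical on both ends for IKE phase 1.
    Lifetime is left out: IOS can settle on the shorter of the two values."""
    keys = ("encryption", "hash", "authentication", "group")
    return {k: (local[k], peer[k]) for k in keys if local[k] != peer[k]}

# Policy block copied from the config posted in the question.
POSTED = """
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key xxxxxxxxxx address 213.249.241.43
"""
# Policy block copied from the reply that suggests DES.
SUGGESTED = """
crypto isakmp policy 1
encryption des
group 1
authentication pre-share
"""

if __name__ == "__main__":
    posted = parse_isakmp_policies(POSTED)[1]
    suggested = parse_isakmp_policies(SUGGESTED)[1]
    print("posted   :", posted)
    print("suggested:", suggested)
    print("differs  :", phase1_mismatches(posted, suggested))
```

The two policies differ only in encryption, so a peer that matches one of them will reject the other during phase 1, which shows up as a session that stays in DOWN-NEGOTIATING.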