Cisco IPSec VPN crashing when changes made to router

Posted on 2007-11-20
Last Modified: 2008-03-19
Hi,
I have 2 Cisco routers running an IPSec VPN between them. The first is a Cisco 1721 and the second is a Cisco 878. I can establish a tunnel and it will work fine. My problem is whenever I make a change to the config of the 878 router and reboot, the tunnel won't come back up. The change doesn't even have to relate to the VPN tunnel.
I have attached the 878 config. I have removed/changed IPs and passwords.
Thanks.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.59
ip dhcp excluded-address 192.168.3.80 192.168.3.255
!
ip dhcp pool routername
   network 192.168.3.0 255.255.255.0
   dns-server 192.168.1.1 
   netbios-name-server 192.168.1.1 
   default-router 192.168.3.254 
!
!
no ip domain lookup
!
!
!
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
! 
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxxxxxxx address a.b.c.d no-xauth
!
!
crypto ipsec transform-set tunneltxset esp-3des esp-md5-hmac 
!
crypto map mytunnel 11 ipsec-isakmp 
 description tunnel
 set peer a.b.c.d
 set transform-set tunneltxset  
 match address 113
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no ip unreachables
 load-interval 30
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description ---- Customer SHDSL WAN PVC
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/33 
  ubr 512
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface ATM0.2 point-to-point
 description Inband PVC
 ip address a.b.c.d 255.255.255.0
 no snmp trap link-status
 pvc 0/34 
  protocol ip a.b.c.d broadcast
  encapsulation aal5snap
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname 
 ppp chap password 7 
 crypto map mytunnel
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 113 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
 password 7 
 login
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 password 7 
 login
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Question by:mark_06
2 Comments
Accepted Solution

by:
trinak96 earned 1000 total points
ID: 20326571
A VPN tunnel is only established when "interesting traffic" is observed. In your case, access-list 113.
So when you reboot the 878 it will come up but not do anything unless the end user is able to generate a request, which will create your interesting traffic and bring up the tunnel.
Personally I have SSH access to the external interface. When the router comes back up, SSH to the external IP address and ping something on the main network.
Also, you don't need to reboot every time you make a change; when you make a config change it is immediately "live" and being used.
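
The "interesting traffic" rule behind this answer, as an added worked example that is not part of the original post and not Cisco code: a small Python parser for the two numbered ACLs in the posted 878 config that reports, for a given inside source and destination, whether the packet is interesting traffic for crypto map mytunnel (ACL 113) and whether the NAT rule on Dialer0 (ACL 100) would translate it first. IOS applies inside-to-outside NAT before the crypto map check, so interesting traffic only reaches the tunnel when the NAT ACL denies (exempts) it, which the posted config does. The ACL text in SAMPLE_CONFIG is copied from the posted config; MISSING_EXEMPTION_CONFIG and the addresses 192.168.3.10, 192.168.1.5, 192.168.2.7, 203.0.113.9 and 10.0.0.1 are constructed for the example.

```python
"""Classify inside->Dialer0 flows against the posted 878 config: which are
"interesting traffic" for crypto map 'mytunnel' (ACL 113) and which the
NAT rule (ACL 100) would translate before the crypto map ever sees them.

Added illustration, not Cisco code and not part of the original post.
Only 'access-list N permit|deny ip SRC DST' lines with 'any', 'host A' or
'A WILDCARD' address specs are handled, which covers the posted config.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the two numbered ACLs copied from the posted config.
SAMPLE_CONFIG = """\
access-list 100 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 113 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Constructed variant with the NAT exemption for the VPN subnet left out
# (a common mistake; the poster's config does NOT have this problem).
MISSING_EXEMPTION_CONFIG = """\
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 113 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

ALL_ONES = 0xFFFFFFFF


def ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class AddrSpec:
    """IOS address + wildcard mask: wildcard bits set to 1 are don't-care."""
    base: int
    wildcard: int

    def matches(self, addr: int) -> bool:
        return ((addr ^ self.base) & ~self.wildcard & ALL_ONES) == 0


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec


def _parse_spec(tokens: list, i: int):
    """Parse one address spec at tokens[i]; return (AddrSpec, next index)."""
    tok = tokens[i]
    if tok == "any":
        return AddrSpec(0, ALL_ONES), i + 1
    if tok == "host":
        return AddrSpec(ip_to_int(tokens[i + 1]), 0), i + 2
    return AddrSpec(ip_to_int(tok), ip_to_int(tokens[i + 1])), i + 2


def parse_acls(config: str) -> dict:
    """Return {acl_number: [Ace, ...]} in configured order (first match wins)."""
    acls: dict = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError(f"unsupported protocol in ACE: {line!r}")
        src, i = _parse_spec(tokens, 4)
        dst, _ = _parse_spec(tokens, i)
        acls.setdefault(number, []).append(Ace(action, src, dst))
    return acls


def acl_action(aces: list, src: int, dst: int) -> str:
    """First matching ACE decides; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace.src.matches(src) and ace.dst.matches(dst):
            return ace.action
    return "deny"


def classify_flow(acls: dict, src: str, dst: str,
                  nat_acl: str = "100", crypto_acl: str = "113") -> str:
    """Decide what the router does with an inside->Dialer0 packet.

    IOS runs inside-to-outside NAT before the crypto map check, so a flow
    the crypto ACL permits is only encrypted if the NAT ACL denies (exempts)
    it; otherwise the source is translated first, the crypto ACL no longer
    matches, and the packet never brings the tunnel up.
    """
    s, d = ip_to_int(src), ip_to_int(dst)
    interesting = acl_action(acls.get(crypto_acl, []), s, d) == "permit"
    translated = acl_action(acls.get(nat_acl, []), s, d) == "permit"
    if interesting and not translated:
        return "encrypted"          # interesting traffic; brings up the tunnel
    if interesting and translated:
        return "nat-before-crypto"  # misconfiguration: tunnel never triggers
    if translated:
        return "nat"                # plain PAT to the internet via Dialer0
    return "untranslated"           # leaves Dialer0 with its private source


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for src, dst in [("192.168.3.10", "192.168.1.5"),
                     ("192.168.3.10", "192.168.2.7"),
                     ("192.168.3.10", "203.0.113.9")]:
        print(f"{src} -> {dst}: {classify_flow(acls, src, dst)}")
    broken = parse_acls(MISSING_EXEMPTION_CONFIG)
    print("without NAT exemption:",
          classify_flow(broken, "192.168.3.10", "192.168.1.5"))
```

Run against the posted ACLs, a 192.168.3.0/24 to 192.168.1.0/24 flow is classified as encrypted, so a ping from the LAN to the main network is what should trigger the tunnel. The same run also shows that 192.168.3.0/24 to 192.168.2.0/24 is exempted from NAT by ACL 100 but is not in ACL 113, so that traffic leaves Dialer0 untranslated rather than through the tunnel. With the exemption removed, the VPN flow is translated first and never triggers the tunnel, which is the first thing to rule out when a ping across does nothing.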
Author Comment

by:mark_06
ID: 20355803
What's happening is, when I make the slightest change and then the tunnel goes down eventually, it won't come back up again. Normally, to get the tunnel up, I just send a ping through and it brings it up. Nothing will bring it up! The tunnel just won't work with any changes made to the router, regardless of interesting traffic.