Solved

Cisco IPSec VPN crashing when changes made to router

Posted on 2007-11-20
1,588 Views
Last Modified: 2008-03-19
Hi,
I have 2 Cisco routers running an IPSec VPN between them. The first is a Cisco 1721 and the second is a Cisco 878. I can establish a tunnel and it will work fine. My problem is whenever I make a change to the config of the 878 router and reboot, the tunnel won't come back up. The change doesn't even have to relate to the VPN tunnel.
I have attached the 878 config. I have removed/changed IPs and passwords.
Thanks.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.59
ip dhcp excluded-address 192.168.3.80 192.168.3.255
!
ip dhcp pool routername
   network 192.168.3.0 255.255.255.0
   dns-server 192.168.1.1 
   netbios-name-server 192.168.1.1 
   default-router 192.168.3.254 
!
!
no ip domain lookup
!
!
!
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
! 
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxxxxxxx address a.b.c.d no-xauth
!
!
crypto ipsec transform-set tunneltxset esp-3des esp-md5-hmac 
!
crypto map mytunnel 11 ipsec-isakmp 
 description tunnel
 set peer a.b.c.d
 set transform-set tunneltxset  
 match address 113
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no ip unreachables
 load-interval 30
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description ---- Customer SHDSL WAN PVC
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/33 
  ubr 512
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface ATM0.2 point-to-point
 description Inband PVC
 ip address a.b.c.d 255.255.255.0
 no snmp trap link-status
 pvc 0/34 
  protocol ip a.b.c.d broadcast
  encapsulation aal5snap
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname 
 ppp chap password 7 
 crypto map mytunnel
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 113 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
 password 7 
 login
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 password 7 
 login
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Question by:mark_06
2 Comments
 
LVL 9

Accepted Solution

by:
trinak96 earned 1000 total points
ID: 20326571
A VPN tunnel is only established when "interesting traffic" is observed. In your case, access-list 113.
So when you reboot the 878 it will come up but not do anything unless the end user is able to generate a request, which will create your interesting traffic and bring up the tunnel.
Personally I have SSH access to the external interface. When the router comes back up, SSH to the external IP address and ping something on the main network.
Also, you don't need to reboot every time you make a change; when you make a config change it is immediately "live" and being used.
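To make the "interesting traffic" point concrete, here is an added example (not code from the thread or from Cisco) that reads the two ACLs from the posted 878 config and answers two questions a defender would ask before rebooting: does a given flow match crypto ACL 113 and so trigger the tunnel, and is that same flow exempted from NAT by the deny lines at the top of ACL 100? On IOS, inside-to-outside traffic is translated by NAT before the crypto map sees it, so any flow the crypto ACL permits must be denied by the NAT ACL or it leaves the router translated and never matches the tunnel. Only the `access-list <n> permit|deny ip <src> <dst>` form used in this config is parsed; the sample flows are constructed.

```python
"""Check which flows match the crypto-map ACL (the "interesting traffic"
that brings an IOS IPsec tunnel up) and whether the NAT ACL exempts them.
Added example; it is not part of the original thread."""
import ipaddress
from dataclasses import dataclass

# Excerpt of the ACLs from the 878 config posted in the question.
CONFIG = """
access-list 100 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 113 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


@dataclass(frozen=True)
class Match:
    """One source or destination clause: network address plus IOS wildcard mask."""
    network: int
    wildcard: int

    def covers(self, addr: str) -> bool:
        # In an IOS wildcard mask a 1 bit means "don't care", so mask those bits out.
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(addr)) & care) == (self.network & care)


ANY = Match(0, 0xFFFFFFFF)


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: Match
    dst: Match


def _parse_clause(tokens, i):
    """Return (Match, next index) for 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return Match(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return Match(net, wildcard), i + 2


def parse_acls(config: str) -> dict:
    """Collect numbered ACL entries in order, keyed by ACL number (string)."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        # Only the "ip" protocol form present in this config is handled (assumption).
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _parse_clause(t, 4)
        dst, _ = _parse_clause(t, i)
        acls.setdefault(t[1], []).append(AclEntry(t[2], src, dst))
    return acls


def lookup(entries, src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for e in entries:
        if e.src.covers(src) and e.dst.covers(dst):
            return e.action
    return "deny"


def is_interesting(acls, crypto_acl: str, src: str, dst: str) -> bool:
    """True when the flow would be selected by the crypto map and bring the tunnel up."""
    return lookup(acls.get(crypto_acl, []), src, dst) == "permit"


def nat_exemption_gaps(acls, nat_acl: str, crypto_acl: str, samples):
    """Sample flows the crypto ACL permits must be denied by the NAT ACL;
    otherwise they are translated before encryption and never match the tunnel."""
    return [
        (src, dst)
        for src, dst in samples
        if is_interesting(acls, crypto_acl, src, dst)
        and lookup(acls.get(nat_acl, []), src, dst) != "deny"
    ]


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    # Constructed sample flows: a LAN host pinging the far side, and the same host browsing the Internet.
    flows = [("192.168.3.10", "192.168.1.1"), ("192.168.3.10", "8.8.8.8")]
    for src, dst in flows:
        print(src, "->", dst, "interesting:", is_interesting(acls, "113", src, dst),
              "NAT ACL 100:", lookup(acls["100"], src, dst))
    print("NAT exemption gaps:", nat_exemption_gaps(acls, "100", "113", flows))
```

With the posted config, a ping from a 192.168.3.x host to 192.168.1.1 is interesting and is denied by ACL 100 (so it is not translated), while a ping to 8.8.8.8 is not interesting and is NAT'd normally; the gap list is empty. Running the same check against an edited config before reloading is a cheap way to catch a change that silently removed a NAT-exemption deny or reordered ACL 100 so that the permit comes first.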
Author Comment

by:mark_06
ID: 20355803
What's happening is, when I make the slightest change and then the tunnel eventually goes down, it won't come back up again. Normally, to get the tunnel up, I just send a ping through and it brings it up; nothing will bring it up! The tunnel just won't work with any changes made to the router, regardless of interesting traffic.