cisco 837 VPN Tunnel

First off you need to remove these two redundant nat statements with these to no statements
no ip nat inside source list 1 interface Dialer1 overload
no ip nat inside source list 100 interface Dialer1 overload
 
Secondly you need to add a transform set and finish your Crypto map. Make sure your setting are the same on both sides of the tunnel
crypto ipsec transform-set LANVPN esp-3des esp-md5-hmac
crypto map ptc 1 ipsec-isakmp
match address 101
set transform-set LANVPN
 
Here is a guide to do exactly what you are doing
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml 

i cant remove them i get

%Dynamic mapping in use, cannot remove

crypto ipsec transform-set LANVPN esp-3des esp-md5-hmac

the above line, ive been told to use sha, where would i put it in there?

thanks

Please fix below items ...
!
crypto isakmp policy 1
encr 3des
authentication pre-share
no crypto isakmp key 0 xxxxx address 192.168.175.1
crypto isakmp key 0 xxxxxx address 213.249.241.43
!
!
crypto ipsec transform-set TS_IPSEC esp-3des esp-md5-hmac
crypto map ptc 1 ipsec-isakmp
match address 101
set transform-set TS_IPSEC
set peer 213.249.241.43
!
!
interface Dialer1
description ADSL Dialer to Karoo
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxx@kcinternet
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
crypto map ptc
!
no ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 100 interface Dialer1 overload
no ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 192.168.175.2 500 interface Dialer1 500
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
access-list 100 permit ip 192.168.175.0 0.0.0.255 192.168.170.0 0.0.0.255
access-list 100 permit ip 192.168.175.0 0.0.0.255 any
access-list 101 permit ip 192.168.175.0 0.0.0.255 192.168.170.0 0.0.0.255
no access-list 101 deny ip 192.168.175.0 0.0.0.255 any
no access-list 102 deny ip 192.168.175.0 0.0.0.255 192.168.170.0 0.0.0.255
no access-list 102 permit ip 192.168.175.0 0.0.0.255 any
no route-map nonat permit 10

!

I would remove the ip nat outside and ip nat inside and then remove the NAT statements
crypto ipsec transform-set LANVPN esp-sha-hmac
And you can past it into just plain global configuration mode when your prompt looks like this
Router(config)#

and one more information what i forgot.
crypto ipsec transform-set TS_IPSEC esp-3des esp-md5-hmac

this command depend on remote router configuration. You need to find out remote router enryption method.

equalizer, He would still need to fix acl 100 first to deny his vpn traffic. But yes these changes are the same that I suggested.

Oh and if he issues the command
no access-list 101 deny ip 192.168.175.0 0.0.0.255 any

this will delete the entire 101 acl

Dear bkepford;

He already knows how he will delete and add ACL. We are not communicating him first times. For this reason I just sent him where is wrong. :)

ohh yes
i forgot to chage acl 100 deny / permit
ACL 100 will be as below.
access-list 100 deny ip 192.168.175.0 0.0.0.255 192.168.170.0 0.0.0.255
access-list 100 permit ip 192.168.175.0 0.0.0.255 any

ok heres my config now

i still cant remove the other nat statements even when i remove the inside and outside from the dialer1, e0 and loopback0 int

i cant get rid of them :|

thanks

Current configuration : 2310 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWADSL
!
enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
no aaa new-model
ip subnet-zero
ip domain name cityworks.org.uk
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 0 xxxxxxxx address 213.249.241.43
!
!
crypto ipsec transform-set TS_IPSEC esp-3des esp-md5-hmac
!
crypto map ptc 1 ipsec-isakmp
 ! Incomplete
 set peer 213.249.241.43
 set transform-set TS_IPSEC
 match address 101
!
!
!
!
interface Loopback0
 ip address 192.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.174.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 description LAN
 no ip address
 no atm ilmi-keepalive
 pvc 1/50
  dialer pool-member 1
  protocol ppp dialer
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Dialer1
 description ADSL Dialer to Karoo
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxxxxxxxxxxxxxxxxxx@kcinternet
 ppp chap password 7 xxxxxxxxxxxxxxxxx
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.175.2 500 interface Dialer1 500
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
access-list 100 permit ip 192.168.175.0 0.0.0.255 any
access-list 100 permit ip 192.168.174.0 0.0.0.255 any
tftp-server flash
tftp-server system
tftp-server webflash
tftp-server nvram
tftp-server null
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end

Select allOpen in new window

Try and reload your router and then remove before anyone can use them.

Don't forget to save your configuration
 

just noticed your other post ive changed access list 100 approriatley now

thanks

you dont need to reload router.

please erase a
interface ethernet 0
  no ip nat inside

router# Clear ip nat traslation *

router-conf#no ip nat inside source list 1 interface Dialer1 overload
router-conf#interface ethernet 0
router-conf# ip nat inside

sorry
Clear ip nat translation *

Yes bkepford. You were right. He forgot"

please add below acl
access-list 101 permit ip 192.168.175.0 0.0.0.255 192.168.170.0 0.0.0.255

Or he could do that I figure telling him to reload clears the translations and is just cleaner incase it is not just the translation table.  But yes "clear ip nat traslation *" is also correct and most likely will work.  

LOL I copied and pasted your typo sorry it is Clear ip nat translation *

ooops i already reloaded before i read the clear nat trans post

well its ok now, so heres my full config as of now....

is this in a ok state to start making the tunnel work now?

thanks a bunch for all the assistance

Current configuration : 2180 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWADSL
!
enable secret 5 xxxxxxxxxxxxxxxxxxx.
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxx
no aaa new-model
ip subnet-zero
ip domain name cityworks.org.uk
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 0 xxxxxx address 213.249.241.43
!
!
crypto ipsec transform-set TS_IPSEC esp-3des esp-md5-hmac
!
crypto map ptc 1 ipsec-isakmp
 ! Incomplete
 set peer 213.249.241.43
 set transform-set TS_IPSEC
 match address 101
!
!
!
!
interface Loopback0
 ip address 192.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.174.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 description LAN
 no ip address
 no atm ilmi-keepalive
 pvc 1/50
  dialer pool-member 1
  protocol ppp dialer
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Dialer1
 description ADSL Dialer to Karoo
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxxxxxxxxxxx@kcinternet
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxx
!
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.174.1 500 interface Dialer1 500
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
access-list 100 deny   ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
access-list 100 permit ip 192.168.174.0 0.0.0.255 any
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end
 
CWADSL#

Select allOpen in new window

You need to add your crypto map ptc back on to your dialer but yes it looks good.

still you didnt add acc 101
access-list 101 permit ip 192.168.175.0 0.0.0.255 192.168.170.0 0.0.0.255
for this reason you see
crypto map ptc 1 ipsec-isakmp
! Incomplete
set peer 213.249.241.43
set transform-set TS_IPSEC
match address 101

Umm yeah what he said.

right ive added the access 101 list it no longer says incomplete, and ive added the ptc map to the dilaler1 interface

below is my config

i just tried to ping 192.168.170.2 add it didnt work, should i be able to ping?

how can i test to see if the tunnel is up?

thanks

Current configuration : 2256 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWADSL
!
enable secret 5 xxxxxxxxxxxxxxxxxxx
!
username xxxxxxxxxxxx privilege 15 secret 5 $xxxxxxxxxxxxxxxxxxxxx
no aaa new-model
ip subnet-zero
ip domain name cityworks.org.uk
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 0 xxxxxxx address 213.249.241.43
!
!
crypto ipsec transform-set TS_IPSEC esp-3des esp-md5-hmac
!
crypto map ptc 1 ipsec-isakmp
 set peer 213.249.241.43
 set transform-set TS_IPSEC
 match address 101
!
!
!
!
interface Loopback0
 ip address 192.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.174.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 description LAN
 no ip address
 no atm ilmi-keepalive
 pvc 1/50
  dialer pool-member 1
  protocol ppp dialer
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Dialer1
 description ADSL Dialer to Karoo
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxxxxxxxxxxxxxxx@kcinternet
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
 crypto map ptc
!
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.174.1 500 interface Dialer1 500
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
access-list 100 deny   ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
access-list 100 permit ip 192.168.174.0 0.0.0.255 any
access-list 101 permit ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end

Select allOpen in new window

show crypto session

but it needs traffic over tunnel to be up

i cant show session only available commands are below

should the tunnel be working now then?

the other end of the tunnel doesnt run through a cisco device though

its a linksys at the other end

CWADSL#show crypto ?
  ca               Show certification authority policy
  debug-condition  Debug Condition filters
  dynamic-map      Crypto map templates
  engine           Show crypto engine info
  identity         Show crypto identity list
  ipsec            Show IPSEC policy
  isakmp           Show ISAKMP Security Associations
  key              Show long term public keys
  map              Crypto maps
  mib              Show Crypto-related MIB Parameters
  optional         Optional Encryption Status
  sockets          Secure Socket Information
 
CWADSL#show crypto 

Select allOpen in new window

normally you need to see below mesage with this command.

r-EC-Core-sw>sh crypto session
Crypto session current status

Interface: FastEthernet4.14
Session status: UP-ACTIVE    
Peer: 81.23.29.36 port 500
  IKE SA: local 195.138.218.189/500 remote 81.23.29.36/500 Active
  IPSEC FLOW: permit ip 172.24.0.0/255.255.255.0 172.27.128.0/255.255.128.0
        Active SAs: 4, origin: crypto map

i have below IOS. It is supporting. I think you should upgrade your IOS to AdvSecurity.
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(4)T8, RELEASE SOFTWARE (fc3)

im using a 837 i cant get hold of newer IOS as i dont have a privileged account that will do so

my version info

OS (tm) C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT REL
EASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Thu 04-Mar-04 01:13 by ealyon
Image text-base: 0x800131E8, data-base: 0x80B93040

do you know how i can get hold of a newer ios?

thanks

please send me all show version output.

full info

Cisco Internetwork Operating System Software
IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT REL
EASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Thu 04-Mar-04 01:13 by ealyon
Image text-base: 0x800131E8, data-base: 0x80B93040
 
ROM: System Bootstrap, Version 12.2(11r)YV1, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE
 SOFTWARE (fc1)
 
CWADSL uptime is 17 hours, 49 minutes
System returned to ROM by reload
System image file is "flash:c837-k9o3y6-mz.123-2.XC2.bin"
 
 
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
Importers, exporters, distributors and users are responsible for
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
 
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
 
If you require further assistance please contact us by sending email to
export@cisco.com.
 
CISCO C837 (MPC857DSL) processor (revision 0x501) with 44237K/4915K bytes of mem
ory.
Processor board ID FOC090147K9 (1545441403), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
4 FastEthernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
 
Configuration register is 0x2142

Select allOpen in new window

your router memory and flash is not enough. you need 16Mb flash and 64 Mb ram for IPSEC+Plus IOS>

so the router cannot support a vpn tunnel?

right ive tried following the below as it looks like exactly what i want it to do

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

below is my config but still no luck

looking at this thread
https://www.experts-exchange.com/questions/21944891/vpn-tunnel-between-two-Cisco-837's.html

the above thread uses almost the same methods as the tut i followed in the above above link (cisco one)
the 837 can support the tunnels but in that thread the IOS verison is 12.4

do i need to get a newer IOS?

and if i get the newer ios will the below config work?

Thanks

Current configuration : 2274 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWADSL
!
enable secret 5 x
!
username x privilege 15 secret 5 x
no aaa new-model
ip subnet-zero
ip domain name cityworks.org.uk
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 0 x address 213.249.241.43
!
!
crypto ipsec transform-set TS_IPSEC esp-3des esp-md5-hmac
!
crypto map ptc 1 ipsec-isakmp
 set peer 213.249.241.43
 set transform-set TS_IPSEC
 match address 101
!
!
!
!
interface Loopback0
 ip address 192.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.174.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 description LAN
 no ip address
 no atm ilmi-keepalive
 pvc 1/50
  dialer pool-member 1
  protocol ppp dialer
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Dialer1
 description ADSL Dialer to Karoo
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname x@kcinternet
 ppp chap password 7 x
 crypto map ptc
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
access-list 100 deny   ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
access-list 100 permit ip 192.168.174.0 0.0.0.255 any
access-list 101 permit ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 100
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password 7 x
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end
 
CWADSL(config)#

Select allOpen in new window

right back again, i have IOS 12.4 installed and i can view the crpyto session

heres the session results

Crypto session current status

Interface: Dialer1
Session status: DOWN
Peer: 213.249.241.43 port 500
  IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 192.168.170.0/255.255.255.0

        Active SAs: 0, origin: crypto map

Interface: Virtual-Access2
Session status: DOWN
Peer: 213.249.241.43 port 500
  IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 192.168.170.0/255.255.255.0

        Active SAs: 0, origin: crypto map

as you can see its down, anybody know why its down?

new config below

thankyou

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWADSL
!
boot-start-marker
boot-end-marker
!
enable secret x
!
 
no aaa new-model
!
!
ip cef
ip domain name cityworks.org.uk
!
!
crypto pki trustpoint TP-self-signed-1545441403
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1545441403
 revocation-check none
 rsakeypair TP-self-signed-1545441403
!
!
crypto pki certificate chain TP-self-signed-1545441403
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31353435 34343134 3033301E 170D3032 30333031 30303033
  32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35343534
  34313430 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A01A 20A238B7 033B2B1B E01E99C6 5046D0D6 AF1FF954 FC46653C 96FFE22B
  A84D6468 A9E93AE0 787C5496 1074208B 916F2B01 793FA4CE CFF920BC 5F8C70C6
  FC7D8E33 C98CF7C9 57DD8204 6C2037CE 10D783D4 B3FB3CDA 8FD3921E A206B9D2
  B44EB332 75257700 E86A1BA4 81252C13 BA228FF3 B056E59A 053BA088 888E9312
  B56D0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17435741 44534C2E 63697479 776F726B 732E6F72 672E756B
  301F0603 551D2304 18301680 1494704B 819EB133 B2A18E2F C836AD0C F74DC87C
  94301D06 03551D0E 04160414 94704B81 9EB133B2 A18E2FC8 36AD0CF7 4DC87C94
  300D0609 2A864886 F70D0101 04050003 81810088 EA761EAE B92F8447 781BF60C
  CC38C0EB E33B5543 F91A41B0 EB51BC28 8524458C 2CBC1FA1 6A48F5C4 A6538793
  D2E1656D B712933A BF5C49F1 9C3BF59C 42203FC9 2D6DA51C A56F99EB EF10994E
  C237F591 A9DC3CBD 9299D8ED 9F51FB2B 8D7608D4 0701E5A4 6764DBFB 5DE37EBC
  C593A58A 63758988 A6034A6F 721C9AD9 335DEA
  quit
username x privilege 15 secret 5 x
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key x address 213.249.241.43
!
!
crypto ipsec transform-set TS_IPSEC esp-3des esp-md5-hmac
!
crypto map ptc 1 ipsec-isakmp
 set peer 213.249.241.43
 set transform-set TS_IPSEC
 match address 101
!
!
!
interface Loopback0
 ip address 192.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.174.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 description LAN
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 1/50
  dialer pool-member 1
  protocol ppp dialer
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 shutdown
 duplex auto
 speed auto
!
interface Dialer1
 description ADSL Dialer to Karoo
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp chap hostname x@kcinternet
 ppp chap password 7 x
 crypto map ptc
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.174.1 500 interface Dialer1 500
!
access-list 100 deny   ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
access-list 100 permit ip 192.168.174.0 0.0.0.255 any
access-list 101 permit ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 3
 privilege level 15
 login local
 transport input telnet ssh
line vty 4
 privilege level 15
 password 7 x
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
 
CWADSL#

Select allOpen in new window

This config is correct. You have to send remote side router config also.

you mean the config at the other end?

the other ends vpn tunnel goes through a linksys device

can i tunnel from the cisco to the linksys?

thanks

i se in this link linksys using differant isakmp policy. Please copy paste below codes.

crypto isakmp policy 1
 encryption des 
 group 1
 authentication pre-share
!
crypto map ptc 1 ipsec-isakmp
no  set transform-set TS_IPSEC
exit
no crypto ipsec transform-set TS_IPSEC esp-3des esp-md5-hmac
!
crypto ipsec transform-set TS_IPSEC  esp-des esp-md5-hmac 
crypto map ptc 1 ipsec-isakmp
 set transform-set TS_IPSEC

Select allOpen in new window

I forgot to put link.
http://www.cisco.com/en/US/products/ps9923/products_qanda_item09186a0080a364f1.shtml

right i see

the linksys model is not the same as the one in the link

but ive copied and pasted what you have suggested

and below is my result for the crypto session now

it was down-negotiating for a while but then when to down

what info would i need to find out on teh linksys to make the tunnel work?

thanks

Interface: Dialer1
Session status: DOWN
Peer: 213.249.241.43 port 500
  IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 192.168.170.0/255.255.255.0
 
        Active SAs: 0, origin: crypto map
 
Interface: Virtual-Access2
Session status: DOWN
Peer: 213.249.241.43 port 500
  IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 192.168.170.0/255.255.255.0
 
        Active SAs: 0, origin: crypto map

Select allOpen in new window

try adding these
crypto isakmp policy 5
encr des
group 2
authentication pre-share
crypto isakmp policy 10
encr 3des
group 2
authentication pre-share
 

addded those lines still nothing, luckily the other office was only round the corner i went and found out some info about the linksys

heres what i gathered
Enc: 3DES
Auth: Sha
Key Management: IKE
Key Life: 3600
768 bit group
Model: befvp41

this help?

thanks

ok just checked the tunnel session and im getting the below now

do both interfaces need to be up?

CHeers

WADSL(config)#do show cry sess
Crypto session current status
 
Interface: Dialer1
Session status: UP-IDLE
Peer: 213.249.241.43 port 500
  IKE SA: local 87.102.92.37/500 remote 213.249.241.43/500 Active
  IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 192.168.170.0/255.255.255.0
 
        Active SAs: 0, origin: crypto map
 
Interface: Virtual-Access2
Session status: DOWN
Peer: 213.249.241.43 port 500
  IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 192.168.170.0/255.255.255.0
 
        Active SAs: 0, origin: crypto map

Select allOpen in new window

Try and ping across the tunnel. It may be that phase 1 is complete which is the ISAKMP stage and now we need to fic the ipsec transform set.
Try changing it to use sha
crypto ipsec transform-set TS_IPSEC esp-3des esp-sha-hmac

changed to sha

Dialer1 is Up-Active now, but i dont know how long it will last

when it said up-idle before it went down a couple of minutes after

the virtual interface still down though does this matter|?

also still cannot ping any adress on the 192.168.170.0 range

thankyou

Crypto session current status
 
Interface: Dialer1
Session status: UP-ACTIVE
Peer: 213.249.241.43 port 500
  IKE SA: local 87.102.92.37/500 remote 213.249.241.43/500 Active
  IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 192.168.170.0/255.255.255.0
 
        Active SAs: 2, origin: crypto map
 
Interface: Virtual-Access2
Session status: DOWN
Peer: 213.249.241.43 port 500
  IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 192.168.170.0/255.255.255.0
 
        Active SAs: 0, origin: crypto map

Select allOpen in new window

I think that your tunnel is up I just think that maybe the linksys needs to make sure that it is set to send traffic to 192.168.174.0/24 down the tunnel and to make sure that traffic coming from 192.168.175.0/24 going to 192.168.174.0/24 is not NATed.

If you look you have successfully built two sas which says that phase 2 (ipsec) was successful.

ah right i see, its just new to me this, so sas have confirmed that i have a phase 2 connection now

which im just reading more on vpns now that this should be up then

how come i cant ping the 192.168.170.0 network from the 192.168.174.0 network?

something to do with the linksys?

ill ring the people that mange the linksys see what they say

and reagards to the virtual 2 interface that does nothing then?

whats it for?

Thanks

You need to check other side linksys configuration. I send you before.
this means it was up. When you start to send packet it will pass.

virtual interface is not important
also please  add below command

interface Dialer1
  ip mtu 1492

some of the info in the link i looked at before was unavailable to get

aded the mtu

just speaking with the guy who manages the linksys now
hes said the the tunnels says connected but we cant ping one another

just for my revision notes what are virtual interfaces for

do i need to allow icmp protocols

also how do i initiate a tunnel if the other end drops?

cheers

a better command to use is
"ip tcp adjust-mss 1350"
The reason is that with IPSEC header it can add more overhead and using the tcp command makes the change on a layer 4 level so it is host to host.

it is not correct. ATM channells spending 8Bytes for frame headers. For this reason "ip mtu" organize physicaly mtu size. If you will adjust-mss other should make also same config.
additionally, you don't need exra permission for icmp. we already give permision to IP. can he send screen shot of Lnksys ipsec conf. everthing is ok this router side.

right so its going to be a NAT issue on the linksys, ill mention that to him, im on hold! lol

also how can i show debug info of incoming attempts down the tunnel?

i did debug crpyto ipsec but nothings coming up for that as yet

thanks

please check
sh access-list 102

counter will increase.

right its up :D

it wasnt the linksys

it was the ISA server they said, the 174 range wasnt on there so it was blocking it, i dont exactly know what that means

can someone explain it to me?

one more final question, can i add multiple tunnels to this?
and can the tunnels run from dynamic do dynamic ips? (that question seems wron gto me, it seems like it shoudlnt be possible in my head but i thought id ask anyway)

and finalyl id like to thank you both for all yoru help and patience

i wish i could award both 10,000 points for helping me with this
its been great revision and agreat insight into what i want to be doing on a day to day basis

Thanks a bunch
Alex

Thankyou very much! :)