awilderbeast


VPN tunnel between Cisco 837 and Linksys BEFVP41

Hi all,

Have major problems connecting my 837 to a Linksys BEFVP41.

The two devices have been connected for months now, but I changed the access-list on the Cisco to a named access-list and added an access-list to prevent telnet on the Dialer1 interface.
Also the Cisco has been rebooted; those are the only things that have happened.

The Linksys keeps kicking out these errors in the view log.

As you can see, one of the tunnels is still up-active after doing said changes,

but it's the down-negotiating connection that I want to get up.


Can anyone help?
############## LINKSYS OUTPUT ##################
2009-03-03 14:03:18 IKE[71] **Check your ISAKMP Pre-share Key setting !
2009-03-03 14:03:18 IKE[71] Tx >> Notify : INVALID-PAYLOAD-TYPE
2009-03-03 14:03:28 IKE[71] **Check your ISAKMP Pre-share Key setting !
2009-03-03 14:03:28 IKE[71] Tx >> Notify : INVALID-PAYLOAD-TYPE
2009-03-03 14:03:32 IKE[6] is requested by 192.168.170.2
2009-03-03 14:03:32 IKE[6] ERROR: Remote Security Gateway domain name problem
2009-03-03 14:03:34 IKE[6] ERROR: Remote Security Gateway domain name problem
2009-03-03 14:03:38 IKE[71] **Check your ISAKMP Pre-share Key setting !
2009-03-03 14:03:38 IKE[71] Tx >> Notify : INVALID-PAYLOAD-TYPE
2009-03-03 14:04:02 IKE[6] is requested by 192.168.170.2
2009-03-03 14:04:02 IKE[6] ERROR: Remote Security Gateway domain name problem
2009-03-03 14:04:04 IKE[6] ERROR: Remote Security Gateway domain name problem
2009-03-03 14:04:07 IKE[71] Rx << MM_I1 : 77.86.95.189 SA, VID, VID, VID
2009-03-03 14:04:07 IKE[71] Tx >> MM_R1 : 77.86.95.189 SA
2009-03-03 14:04:07 IKE[71] ISAKMP SA CKI=[4b503731 2205aa44] CKR=[22a45afa e325587f]
2009-03-03 14:04:07 IKE[71] ISAKMP SA 3DES / SHA / PreShared / MODP_768 / 86400 sec (*0 sec)
2009-03-03 14:04:07 IKE[71] Rx << MM_I2 : 77.86.95.189 KE, NONCE, VID, VID, VID, VID
2009-03-03 14:04:07 IKE[71] Tx >> MM_R2 : 77.86.95.189 KE, NONCE
2009-03-03 14:04:08 IKE[71] **Check your ISAKMP Pre-share Key setting !
2009-03-03 14:04:08 IKE[71] Tx >> Notify : INVALID-PAYLOAD-TYPE
 
############## SHOW CRYP SESS ################
Crypto session current status
 
Interface: Dialer1
Session status: DOWN
Peer: 213.249.152.251 port 500
  IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 10.0.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
 
Interface: Dialer1
Session status: DOWN-NEGOTIATING
Peer: 213.249.241.43 port 500
  IKE SA: local 77.86.95.189/500 remote 213.249.xxx.xxx/500 Inactive
  IKE SA: local 77.86.95.189/500 remote 213.249.xxx.xxx/500 Inactive
  IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 192.168.170.0/255.255.255.0
        Active SAs: 0, origin: crypto map
 
Interface: Dialer1
Session status: UP-ACTIVE
Peer: 87.102.80.44 port 500
  IKE SA: local 77.86.xxx.xxx/500 remote 87.102.80.44/500 Active
  IPSEC FLOW: permit ip 192.168.174.0/255.255.255.0 192.168.172.0/255.255.255.0
        Active SAs: 2, origin: crypto map
 
############## SHOW RUN ############
Current configuration : 5724 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWADSL
!
boot-start-marker
boot-end-marker
!
 
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login admin local
!
aaa session-id common
!
!
ip cef
no ip domain lookup
ip domain name cityworks.org.uk
 
!
!
crypto pki trustpoint TP-self-signed-1545441403
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1545441403
revocation-check none
rsakeypair TP-self-signed-1545441403
!
!
crypto pki certificate chain TP-self-signed-1545441403
certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31353435 34343134 3033301E 170D3032 30333037 32313530
  32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35343534
  34313430 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C048 641EC14A C492C14C 37F4222A 0CE54628 605B126D 2352C997 D5D99796
  8FD24F3A C44AEEA4 F0B1EDB1 318AC149 67736CCF 5AB1D453 E99A5CAD 02B9B43E
  7A79E694 2DF49E3C FFB76137 2074F941 E799E318 13A8E59B D30797AD DD8B5AD5
  4EC3C316 9663F902 463B47B6 368C57CC 797878E3 2DE8BF35 F90EE9FF C72B00AD
  16F90203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17435741 44534C2E 63697479 776F726B 732E6F72 672E756B
  301F0603 551D2304 18301680 14CB40B1 156713A4 08EE351B F4F4CD69 D2012386
  EC301D06 03551D0E 04160414 CB40B115 6713A408 EE351BF4 F4CD69D2 012386EC
  300D0609 2A864886 F70D0101 04050003 818100B4 E377726D 63B00ECC 9159C9FD
  921D6FA8 03C20E78 18CAED65 2E32AAC4 DA714DD3 281156AC 3596453C 89A9FF4C
  E309A88C 6F99FCC5 3875AC1A 0400A4B4 20F5947C A2885184 319A1D03 C5C3D9E3
  8C2E8CCE 6A664530 1B0ED104 6AA6AE2B ED2736DC B22BE0D8 8234E45F D4CE372D
  47D10EB8 56FFF1EE C858EE0B 0C52C908 190E44
  quit
 
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key xxxxxx address 213.249.xxx.xxx
crypto isakmp key xxxxxx address 87.102.xxx.xxx
crypto isakmp keepalive 60 5
!
!
crypto ipsec transform-set TS_IPSEC esp-3des esp-sha-hmac
!
crypto map ptc 1 ipsec-isakmp
set peer 213.249.xxx.xxx
set transform-set TS_IPSEC
match address 101
crypto map ptc 10 ipsec-isakmp
set peer 87.102.xxx.xxx
set transform-set TS_IPSEC
match address 102
crypto map ptc 20 ipsec-isakmp
set peer xxx.dyndns.org dynamic
set transform-set TS_IPSEC
match address 103
 
!
!
!
interface Loopback0
ip address 192.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 192.168.174.1 255.255.255.0
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
description LAN
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 1/50
  dialer pool-member 1
  protocol ppp dialer
!
!
interface FastEthernet1
description TO LAN SWITCH
duplex auto
speed auto
!
interface FastEthernet2
shutdown
duplex auto
speed auto
!
interface FastEthernet3
shutdown
duplex auto
speed auto
!
interface FastEthernet4
shutdown
duplex auto
speed auto
!
interface Dialer1
description ADSL DIALER TO KAROO
ip address negotiated
ip access-group TELNET_SSH_ACCESS in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
crypto map ptc
!
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list INTERNET_VPN_ACCESS interface Dialer1 overload
ip nat inside source static tcp 192.168.174.1 500 interface Dialer1 500
!
!
ip access-list extended INTERNET_VPN_ACCESS
deny   ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
deny   ip 192.168.174.0 0.0.0.255 192.168.172.0 0.0.0.255
deny   ip 192.168.174.0 0.0.0.255 192.168.173.0 0.0.0.255
deny   ip 192.168.174.0 0.0.0.255 10.0.1.0 0.0.0.255
deny   ip 192.168.174.0 0.0.0.255 host 69.63.176.140
permit ip 192.168.174.0 0.0.0.255 any
ip access-list extended TELNET_SSH_ACCESS
permit tcp 192.168.170.0 0.0.0.255 any eq 22
permit tcp 192.168.174.0 0.0.0.255 any eq 22
permit tcp 192.168.172.0 0.0.0.255 any eq 22
permit tcp 192.168.173.0 0.0.0.255 any eq 22
deny   tcp any any eq telnet
permit ip any any
access-list 101 permit ip 192.168.174.0 0.0.0.255 192.168.170.0 0.0.0.255
access-list 102 permit ip 192.168.174.0 0.0.0.255 192.168.172.0 0.0.0.255
access-list 103 permit ip 192.168.174.0 0.0.0.255 192.168.173.0 0.0.0.255
access-list 104 permit ip 192.168.174.0 0.0.0.255 10.0.1.0 0.0.0.255
!
control-plane
!
banner motd ^C
#################### WARNING! ####################
Access to this device is for authorized users only!
unauthorized users will be prosecuted!
################################################## ^C
!
 
end

JFrederick29

The Cisco config looks okay.  Try inputting the preshared key on both the Cisco and the Linksys again to make sure they match.  Did anything change on the Linksys side?
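
Why a key mismatch surfaces exactly where the Linksys log shows it (right after MM_R2): in IKEv1 Main Mode with pre-shared keys, the next message is the first encrypted one, and its 3DES key is derived from the pre-shared key per RFC 2409. The sketch below is an added example, not part of the original thread; the cookies come from the posted log, while the nonces, the DH secret and the sample keys are constructed.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for the SHA proposal seen in the log: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def main_mode_3des_key(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                       cky_i: bytes, cky_r: bytes) -> bytes:
    """Derive the 24-byte 3DES key for MM_I3/MM_R3 (RFC 2409 sec. 5, App. B)."""
    skeyid = prf(psk, ni + nr)  # pre-shared-key authentication method
    tail = gxy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")
    # SHA-1 gives 20 bytes but 3DES needs 24: expand K1 | K2 | ... and truncate.
    block = prf(skeyid_e, b"\x00")
    stream = block
    while len(stream) < 24:
        block = prf(skeyid_e, block)
        stream += block
    return stream[:24]

# Cookies taken from the posted log line "ISAKMP SA CKI=[...] CKR=[...]".
CKY_I = bytes.fromhex("4b5037312205aa44")
CKY_R = bytes.fromhex("22a45afae325587f")
# Constructed stand-ins: the real nonces and DH shared secret are not in the log.
NI = bytes(range(16))
NR = bytes(range(16, 32))
GXY = hashlib.sha256(b"constructed g^xy").digest() * 3  # 96 bytes, as for MODP_768

def keys_agree(psk_a: bytes, psk_b: bytes) -> bool:
    """True if both peers would derive the same key for the encrypted messages."""
    ka = main_mode_3des_key(psk_a, NI, NR, GXY, CKY_I, CKY_R)
    kb = main_mode_3des_key(psk_b, NI, NR, GXY, CKY_I, CKY_R)
    return hmac.compare_digest(ka, kb)

if __name__ == "__main__":
    # Constructed sample keys, not values from the thread.
    for a, b in [(b"ExampleKey1", b"ExampleKey1"),
                 (b"ExampleKey1", b"ExampleKey1 "),   # trailing space
                 (b"ExampleKey1", b"examplekey1")]:   # case differs
        verdict = "match" if keys_agree(a, b) else "MISMATCH: MM_I3 will not decrypt"
        print(a, b, verdict)
```

Any byte-level difference in the stored key, including invisible ones, gives the responder a different decryption key, so the decrypted message no longer parses as valid ISAKMP payloads.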

awilderbeast

ASKER

Nothing changed on either side.

They both have the same preshared key.

When inputting the preshared key on the Cisco:

crypto isakmp key (0 or 6 here): 0 for unencrypted, 6 for encrypted; I tried both.
How can I tell if it's encrypted or unencrypted on the Linksys?

The only thing that has just changed is that we now have a static IP address, so I need to change over the dialer int, but the address it's using is the same.

That can't affect it, can it?

JFrederick29

Make sure you add the key to the Cisco unencrypted (0).

As long as the IP address on the dialer interface is the same, no problem.

awilderbeast

ASKER

That was it, I had to retype the password in the Linksys; I'd already done it on the Cisco but not the Linksys.

Why would I have to do that though if I hadn't changed them :S

ASKER CERTIFIED SOLUTION
JFrederick29

awilderbeast

ASKER

Hmm, weird, well thanks a lot anyway :)