Tunnel Interface always "line protocol is down"

Unanswered Question
Mar 1st, 2010

Hello experts,


I am trying to configure a Site-to-site IPSec VPN using tunnel interfaces. I define the tunnel interfaces at both ends, but within the tunnel interfaces' configuration mode, whenever I input the "tunnel mode ipsec ipv4" line the tunnel interface immediately goes down (line protocol is down). I have been following the example located at http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1027265 but no luck so far.


When I input the "show ip route" command, since the Tunnel 0 interface is down the remote LAN route does not appear.


I am not that familiar with using Tunnels for IPSec VPNs, so any advice or comment will really be appreciated! Thank you very much in advance! Best regards!


Following is the config of one of my routers:


(831 router with Version 12.4(4)T8 (c831-k9o3y6-mz.124-4.T8); local IP addressing is 192.168.20.0/24, and remote traffic is 192.168.10.0/24. This router is getting its internet address using PPPoE via IPCP negotiation, and to avoid problems I have not configured any FW functionality yet.)


Current configuration : 3012 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MchRemoto1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Kuns$rRN78HqUoZlUFBzZKSscE1
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.20.1 192.168.20.3
!
ip dhcp pool pooldeips
   import all
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1
   dns-server 192.168.20.1
   option 150 ip 10.1.1.1
!
!
ip cef
!
!
!
no crypto engine software ipsec
username localuser password 0 localpassword
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key L2Lclave hostname <PeerDDNS-resolvedAddress>
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set ESP-3DES-SHA
!
!
interface Tunnel1
no ip address
!
interface Tunnel0
ip address 172.168.0.2 255.255.255.0
tunnel source Dialer1
tunnel destination <PeerInternetAddress>
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface Ethernet0
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Ethernet1
no ip address
duplex auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Ethernet2
no ip address
shutdown
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname username
ppp chap password 0 password
ppp pap sent-username username password 0 password
ppp ipcp dns request accept
ppp ipcp wins request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.10.0 255.255.255.0 Tunnel0
ip http server
no ip http secure-server
!
ip dns server
ip nat inside source route-map nnat interface Dialer1 overload
!
access-list 100 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nnat permit 1
match ip address 100
!
!
control-plane
!
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
password password
login
transport input all
transport output all
!
scheduler max-task-time 5000
end
