IPSec tunnel phase 1 does not come UP

rmdcco-us
Level 1

I am trying to bring up a secondary tunnel via a secondary (3G cellular data) gateway between our company and a 3rd-party vendor. Our primary tunnel is down due to a provider network issue and would take time to re-establish. However, I am unable to bring up the tunnel, not even phase 1. Our device is a Cisco C819HG-4G-G-K9 and the vendor is using strongSwan.

 

Our configuration:

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

crypto isakmp key ***** address 1.1.1.1

crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
mode tunnel

crypto dynamic-map MAP 10
set transform-set TS
match address TUNNEL
set peer 1.1.1.1
!
!
crypto map MAP 10 ipsec-isakmp dynamic MAP

 

interface Tunnel8
bandwidth 2048
ip address 192.168.9.253 255.255.255.252
ip flow ingress
ip flow egress
ip tcp adjust-mss 1360
tunnel source Cellular0
tunnel destination 1.1.1.1
crypto map MAP

 

interface Cellular0
ip address negotiated
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1

 

Extended IP access list TUNNEL

    10 permit ip 192.168.8.0 0.0.0.255 10.58.1.0 0.0.0.255 (30 matches)

 

Vendor Configuration:

conn grem-umts
left=1.1.1.1
leftsubnet=10.58.1.0/24
leftsourceip=192.168.9.254
leftnexthop=%defaultroute
right=0.0.0.0
rightsubnet=192.168.8.0/24
rightnexthop=192.168.9.253
authby=secret
ike=aes256-sha1-modp1024
esp=aes256-sha1
keyexchange=ike
auth=esp
keylife=24h
ikelifetime=24h
pfs=no
forceencaps=yes
auto=add

Running on
DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="Bleeding Edge"
DISTRIB_REVISION="r33603"
DISTRIB_CODENAME="attitude_adjustment"
DISTRIB_TARGET="x86/64bitkvm"
DISTRIB_DESCRIPTION="OpenWrt Attitude Adjustment r33603"

 

Appreciate any help/inputs.

 

3GDEVICE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

 

Nothing from the debug output as well.

 

3GDEVICE#debug crypto isakmp
Crypto ISAKMP debugging is on


3GDEVICE#debug crypto ipsec
Crypto IPSEC debugging is on

 

11 Replies

Hello,

 

Post the full running configuration. Is your Cellular up?

Hi Georg, yes, the cellular is UP and I am able to reach outside via this device/link. Also there is another tunnel which has been running and UP on this device for a long time.

***Attached is the full configuration.***

I am able to ping the peer IP address as well from this device.

Phase 1 does not even kick in when I try to initiate interesting traffic by pinging the vendor LAN's server from our device's Tunnel 8 interface. The ping also fails.

Please help here. Been stuck with this for a couple of days now. 

Hello

Before you apply IPSec, does the GRE tunnel establish?

Are you able to reach each tunnel destination from the other tunnel's source IP without any IPSec applied?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

No, I am not able to reach the other end of the tunnel - 192.168.9.254.

 

interface Tunnel8
bandwidth 2048
ip address 192.168.9.253 255.255.255.252
ip flow ingress
ip flow egress
ip tcp adjust-mss 1360
tunnel source Cellular0

tunnel destination 1.1.1.1
crypto map MAP

ip mtu 1400    >>>>>>>> ADDED THIS CONFIG AS WELL TO THE TUNNEL INTERFACE

 

3GDEVICE#sh int tun8
Tunnel8 is up, line protocol is up
Hardware is Tunnel
Description: BACKUP_TUNNEL_TO_SAGE
Internet address is 192.168.9.253/30
MTU 17916 bytes, BW 2048 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.2.19.54 (Cellular0), destination 1.1.1.1
Tunnel Subblocks:
src-track:
Tunnel8 source tracking subblock associated with Cellular0
Set of tunnels with source Cellular0, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:04:11, output 00:01:28, output hang never
Last clearing of "show interface" counters 1w3d
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
40 packets output, 4960 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

3GDEVICE#ping 192.168.9.254 source 192.168.9.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.9.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.9.253
.....
Success rate is 0 percent (0/5)

Hello,

 

Can you ping 1.1.1.1? Best to post the full configs of both routers; with partial configs it remains guesswork...

Hello


@rmdcco-us wrote:

No, am not able to reach the other end of the tunnel - 192.168.9.254. 


May I suggest removing the crypto map from the tunnel and testing connectivity again; without basic connectivity this isn't going to work even if you apply IPsec.



Kind Regards
Paul

Hello,

 

The configuration you have posted is partial (the inside source access list NAT is not there, and there are no inside NAT and LAN interfaces). Can you post the full running configuration?

 

Either way, the crypto map and the dynamic map have the exact same name; I am not sure what the effect of that is. Try and change the name to what I marked in bold.

Also try and apply the crypto map to the physical inside interface instead of the tunnel...

 

WLAN_AP_SM: Config command is not supported

Current configuration : 6151 bytes
!
! Last configuration change
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 3GDEVICE
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
aaa new-model
!
aaa authentication login default local group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
!
aaa session-id common
!
ip flow-cache timeout active 1
ip domain name abc.xyz
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
license udi pid C819HG-4G-G-K9 sn ***
!
username *** privilege 15 secret 5 ******
!
controller Cellular 0
!
ip ssh version 2
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ***** address 2.2.2.2 >>>>>>>>>>> WORKING TUNNEL KEY
crypto isakmp key ***** address 1.1.1.1 >>>>>>>>>>> NON WORKING TUNNEL KEY
!
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec nat-transparency spi-matching
!
crypto ipsec profile DynVPNprofile
set transform-set office
!
crypto dynamic-map IPSEC-MAP 10
set peer 1.1.1.1
set transform-set TS
match address TUNNEL
!
crypto map MAP 10 ipsec-isakmp dynamic IPSEC-MAP
!
interface Tunnel8 >>>>>>>>>>>>> NON WORKING TUNNEL
bandwidth 2048
ip address 192.168.9.253 255.255.255.252
ip flow ingress
ip flow egress
ip tcp adjust-mss 1360
tunnel source Cellular0
tunnel destination 1.1.1.1
crypto map MAP
!
interface Tunnel100 >>>>>>>>>>>> WORKING TUNNEL
bandwidth 1024
ip address 10.0.0.61 255.255.255.0
ip mtu 1400
ip flow ingress
ip flow egress
ip nhrp authentication *****
ip nhrp map 10.0.0.1 2.2.2.2
ip nhrp map multicast 2.2.2.2
ip nhrp network-id 16
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
ip nhrp registration timeout 10
ip summary-address eigrp 64900 X.X.X.X X.X.X.X
ip tcp adjust-mss 1360
tunnel source Cellular0
tunnel destination 2.2.2.2
tunnel key 16
tunnel protection ipsec profile DynVPNprofile
!
interface Cellular0
ip address negotiated
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
!
interface FastEthernet0
description LAN
switchport access vlan 2
no ip address
!
interface FastEthernet1
description LAN
switchport access vlan 2
no ip address
!
interface FastEthernet2
description LAN
switchport access vlan 2
no ip address
!
interface FastEthernet3
description LAN
switchport access vlan 2
no ip address
!
interface GigabitEthernet0
description LAN
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.8
XXXX
!
interface GigabitEthernet0.74
XXXX
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
no ip address
!
ip nat inside source list NAT interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
ip route 10.2.1.0 255.255.255.0 Tunnel8
!
ip access-list extended TUNNEL
permit ip 192.168.8.0 0.0.0.255 10.2.1.0 0.0.0.255
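
An added check, written for this thread rather than taken from it or from Cisco or strongSwan tooling: the Python below tests whether a flow such as the ping earlier in the thread (tunnel address 192.168.9.253 to 192.168.9.254) matches the crypto ACL TUNNEL that decides when IOS starts IKE at all, and whether ISAKMP policies 1 and 10 from the full config overlap the peer's ike=aes256-sha1-modp1024 proposal. Addresses, wildcard masks and policy parameters are copied from the posted configs; the normalised names (aes256, 3des, sha1, modp1024, and SHA-1 as the IOS default hash) are my mapping, and the 10.58.1.0/24 destination is the one from the first post.

```python
import ipaddress

# Constructed from the thread's posted configs (addresses anonymised as on the page).
# Cisco crypto ACL "TUNNEL" from the first post:
# (source network, source wildcard, destination network, destination wildcard).
CRYPTO_ACL = [("192.168.8.0", "0.0.0.255", "10.58.1.0", "0.0.0.255")]

# "crypto isakmp policy" blocks from the full config, normalised to strongSwan-style
# (encryption, hash, DH group) triples. Assumed mapping: "encr aes 256" -> aes256,
# "encr 3des" -> 3des, "group 2" -> modp1024, and IOS's default hash (no "hash" line) -> sha1.
CISCO_IKE_POLICIES = {1: ("aes256", "sha1", "modp1024"),
                      10: ("3des", "sha1", "modp1024")}

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: a 0 bit in the mask means that bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def is_interesting(src, dst, acl=CRYPTO_ACL):
    """True if the flow hits a permit entry of the crypto ACL, i.e. IOS would initiate IKE for it."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)

def strongswan_ike_proposals(ike):
    """Parse a strongSwan ike= value such as 'aes256-sha1-modp1024,3des-sha1-modp1024'."""
    return {tuple(p.rstrip("!").split("-")) for p in ike.split(",")}

def matching_policies(cisco=CISCO_IKE_POLICIES, ike="aes256-sha1-modp1024"):
    """Cisco policy numbers whose enc/hash/DH triple is also offered by the strongSwan peer."""
    offered = strongswan_ike_proposals(ike)
    return sorted(n for n, triple in cisco.items() if triple in offered)

if __name__ == "__main__":
    # The ping from the thread: tunnel interface address to the peer's tunnel address.
    print(is_interesting("192.168.9.253", "192.168.9.254"))   # False: outside the ACL, so no IKE
    # A flow the crypto ACL actually describes (constructed hosts inside the listed subnets).
    print(is_interesting("192.168.8.10", "10.58.1.20"))       # True
    # Policy 1 (aes256/sha1/group 2) lines up with the vendor's ike= line; policy 10 (3des) does not.
    print(matching_policies())                               # [1]
```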
