IPSEC configuration between 2 1721 routers

Virtual private networks and related topics

Moderator: Federico.Lagni

nefero
n00b
Posts: 8
Joined: Fri 29 Jul 2005, 9:00 am

Good morning everyone,
I have a question for you. I need to enable a VPN between two 1721 routers which have a somewhat unusual configuration, which you can see in the attached sh run outputs. My problem is that when I enable encryption and type show crypto ipsec sa, the counters only increase if I generate traffic directly from the routers (for example, if I ping from one of the two routers to the other, the counter increments). If instead I try to generate traffic from any PC on the network, the counters don't move at all. From this I deduce that the traffic generated by the PCs on the network is exchanged in clear text between the two routers; what I can't understand is why...
If anyone has any ideas they are welcome... thanks everyone for your attention.

------- ROUTER A ---------

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1700fa
!
no logging console
enable password xxxx
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip routing
!
!
!
crypto isakmp policy 15
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address 10.153.102.18
!
!
crypto ipsec transform-set 1700map1 esp-3des esp-md5-hmac
!
!
crypto map 1700map1 10 ipsec-isakmp
set peer 10.153.102.18
set transform-set 1700map1
match address 101
cns event-service server
!
!
!
interface Serial0
ip unnumbered FastEthernet0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no keepalive
bridge-group 1
bridge-group 1 spanning-disabled
crypto map 1700map1
!
interface FastEthernet0
ip address 10.153.102.17 255.255.0.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no keepalive
half-duplex
bridge-group 1
bridge-group 1 spanning-disabled
!
ip classless
no ip http server
!
access-list 101 permit ip any any

snmp-server engineID local 00000009020000B0C2895C06
snmp-server community public RO
snmp-server trap-source FastEthernet0
snmp-server enable traps snmp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps rsvp
bridge 1 protocol ieee
bridge 1 address 0040.63d6.92b5 discard Serial0
!
line con 0
exec-timeout 5 0
password xxxxx
login
transport input none
line aux 0
exec-timeout 5 0
password xxxxx
login
line vty 0 4
password xxxxx
login
!
end



------------- ROUTER B -----------------------------------

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1700fb
!
no logging console
enable password xxxx
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip routing
!
!
!
crypto isakmp policy 15
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address 10.153.102.17
!
!
crypto ipsec transform-set 1700map1 esp-3des esp-md5-hmac
!
!
crypto map 1700map1 10 ipsec-isakmp
set peer 10.153.102.17
set transform-set 1700map1
match address 101
cns event-service server
!
!
!
interface Serial0
ip unnumbered FastEthernet0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no keepalive
bridge-group 1
bridge-group 1 spanning-disabled
crypto map 1700map1
!
interface FastEthernet0
ip address 10.153.102.18 255.255.0.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no keepalive
half-duplex
bridge-group 1
bridge-group 1 spanning-disabled
!
ip classless
no ip http server
!
access-list 101 permit ip any any

snmp-server engineID local 00000009020000B0C2895C06
snmp-server community public RO
snmp-server trap-source FastEthernet0
snmp-server enable traps snmp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps rsvp
bridge 1 protocol ieee
bridge 1 address 0040.63d6.92b5 discard Serial0
!
line con 0
exec-timeout 5 0
password xxxxx
login
transport input none
line aux 0
exec-timeout 5 0
password xxxxx
login
line vty 0 4
password xxxxx
login
!
end
Renato.Efrati
Holy network Shaman
Posts: 637
Joined: Thu 07 Apr 2005, 9:30 pm
Location: Cisco Systems Inc. West Tasman Drive 170, San Jose CA

I didn't look at the whole config, but I saw that you made a very serious error in the crypto map: you specified access list 101 as the crypto access list, and if we look at it you wrote access-list 101 permit ip any any.
That is wrong, because that way you are telling it to encrypt everything, whereas you need to tell it to encrypt only the traffic from your LAN to the remote LAN, e.g. (access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255). In the meantime try changing the access lists; obviously they are mirrored on the two routers, since the source and destination LANs are swapped depending on the direction.

CCIE Routing & Switching # 20567
CCNP R&S - CCNP Sec - CCNP Collaboration - CCNP Datacenter - CCDP - VCP6-DCV

nefero
n00b
Posts: 8
Joined: Fri 29 Jul 2005, 9:00 am

Hi,
First of all thanks for the reply and the suggestion (I'll try it as soon as I get home). Anyway, I have done several tests with the crypto ACLs (the one in the config I posted was the starting one), but in every case I see that only the traffic generated by the router gets encrypted, not the traffic from the hosts around it. I'm starting to suspect that the bridge configuration is causing some problem for IPsec.
Thanks again

Bye
Nefero
Renato.Efrati
Holy network Shaman
Posts: 637
Joined: Thu 07 Apr 2005, 9:30 pm
Location: Cisco Systems Inc. West Tasman Drive 170, San Jose CA

I hadn't noticed that you had set up a bridge. Honestly, I have never tried IPsec with a bridge, but there shouldn't be any problems. Anyway, why did you do it that way? Explain a bit more and maybe we can suggest some option you could use instead of bridging.

CCIE Routing & Switching # 20567
CCNP R&S - CCNP Sec - CCNP Collaboration - CCNP Datacenter - CCDP - VCP6-DCV

Renato.Efrati
Holy network Shaman
Posts: 637
Joined: Thu 07 Apr 2005, 9:30 pm
Location: Cisco Systems Inc. West Tasman Drive 170, San Jose CA

try this


Router A
_____________________

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1700fa
!
no logging console
enable password xxxx
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip routing
!
!
!
crypto isakmp policy 15
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address 10.153.102.18
!
!
crypto ipsec transform-set 1700map1 esp-3des esp-md5-hmac
!
!
crypto map 1700map1 10 ipsec-isakmp
set peer 10.153.102.18
set transform-set 1700map1
match address 101
cns event-service server
!
crypto map 1700map1 local-address loopback0
!
interface loopback0
ip address 10.153.102.17 255.255.0.0
no sh
!
interface Serial0
ip unnumbered loopback0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no keepalive
bridge-group 1
bridge-group 1 spanning-disabled
crypto map 1700map1
!
interface FastEthernet0
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no keepalive
half-duplex
bridge-group 1
bridge-group 1 spanning-disabled
!
ip classless
no ip http server
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
snmp-server engineID local 00000009020000B0C2895C06
snmp-server community public RO
snmp-server trap-source FastEthernet0
snmp-server enable traps snmp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps rsvp
bridge 1 protocol ieee
bridge 1 address 0040.63d6.92b5 discard Serial0
!
line con 0
exec-timeout 5 0
password xxxxx
login
transport input none
line aux 0
exec-timeout 5 0
password xxxxx
login
line vty 0 4
password xxxxx
login
!
end

_____________________

Router B
_________________________________



!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1700fb
!
no logging console
enable password xxxx
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip routing
!
!
!
crypto isakmp policy 15
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address 10.153.102.17
!
!
crypto ipsec transform-set 1700map1 esp-3des esp-md5-hmac
!
!
crypto map 1700map1 10 ipsec-isakmp
set peer 10.153.102.17
set transform-set 1700map1
match address 101
cns event-service server
!
crypto map 1700map1 local-address loopback0
!
interface loopback0
ip address 10.153.102.18 255.255.0.0
no sh
!
interface Serial0
ip unnumbered loopback0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no keepalive
bridge-group 1
bridge-group 1 spanning-disabled
crypto map 1700map1
!
interface FastEthernet0
ip address 192.168.10.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no keepalive
half-duplex
bridge-group 1
bridge-group 1 spanning-disabled
!
ip classless
no ip http server
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255

snmp-server engineID local 00000009020000B0C2895C06
snmp-server community public RO
snmp-server trap-source FastEthernet0
snmp-server enable traps snmp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps rsvp
bridge 1 protocol ieee
bridge 1 address 0040.63d6.92b5 discard Serial0
!
line con 0
exec-timeout 5 0
password xxxxx
login
transport input none
line aux 0
exec-timeout 5 0
password xxxxx
login
line vty 0 4
password xxxxx
login
!
end

_____________

let me know if it works, bye bye
Last edited by Renato.Efrati on Mon 01 Aug 2005, 5:30 pm, edited 2 times in total.

CCIE Routing & Switching # 20567
CCNP R&S - CCNP Sec - CCNP Collaboration - CCNP Datacenter - CCDP - VCP6-DCV
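The two points raised in this thread (the crypto ACL must select only LAN-to-LAN traffic and must be mirrored on the two peers, and the bridged/no ip routing setup only encrypting router-originated traffic) can be checked offline before pushing a config. The script below is an added example; it is not code from this thread or from Cisco. It reads two flat `show run` texts, extracts each crypto map's peer and crypto ACL, and reports a `permit ip any any` crypto ACL, ACL entries with no mirror entry on the other router, a peer address the other router does not own, and a crypto-mapped interface that sits in a bridge group while `no ip routing` is set. That last check is a heuristic built from the symptom nefero describes, not a documented Cisco rule. The sample configs are constructed excerpts modelled on the ones posted above; `_swap` just builds the mirror-image peer from the A-side text.

```python
"""Sanity checks for a pair of Cisco IOS site-to-site IPsec configs (added
example, not code from this thread or from Cisco). Parses two flat 'show run'
texts and flags: a 'permit ip any any' crypto ACL, crypto ACLs that are not
mirror images, a peer the other router does not own, and (heuristic) a
crypto-mapped interface that is bridged while 'no ip routing' is set."""
ANY = ("0.0.0.0", "255.255.255.255")  # normalised form of 'any'

def _addr(tokens):
    # one ACL address spec: 'any' or 'addr wildcard'; returns (spec, remaining tokens)
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_config(text):
    """Extract crypto maps, 'permit ip' ACL entries and per-interface facts."""
    cfg = {"acls": {}, "crypto_maps": {}, "interfaces": {}, "ip_routing": True}
    cur_if = cur_map = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t == ["no", "ip", "routing"]:
            cfg["ip_routing"] = False
        elif t[0] == "interface":
            cur_if, cur_map = t[1], None
            cfg["interfaces"][cur_if] = {"ip": None, "bridged": False, "crypto_map": None}
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _addr(t[4:])
            cfg["acls"].setdefault(t[1], []).append((src, _addr(rest)[0]))
            cur_if = cur_map = None
        elif t[:2] == ["crypto", "map"] and len(t) >= 5 and t[4] == "ipsec-isakmp":
            cur_map, cur_if = (t[2], t[3]), None
            cfg["crypto_maps"][cur_map] = {"peer": None, "acl": None}
        elif cur_map and t[:2] == ["set", "peer"]:
            cfg["crypto_maps"][cur_map]["peer"] = t[2]
        elif cur_map and t[:2] == ["match", "address"]:
            cfg["crypto_maps"][cur_map]["acl"] = t[2]
        elif cur_if and t[:2] == ["ip", "address"]:
            cfg["interfaces"][cur_if]["ip"] = t[2]
        elif cur_if and t[0] == "bridge-group":
            cfg["interfaces"][cur_if]["bridged"] = True
        elif cur_if and t[:2] == ["crypto", "map"] and len(t) == 3:  # map bound to interface
            cfg["interfaces"][cur_if]["crypto_map"] = t[2]
    return cfg

def audit_pair(text_a, text_b, name_a="A", name_b="B"):
    """Return the list of findings for two peer configs; an empty list means clean."""
    a, b = parse_config(text_a), parse_config(text_b)
    findings = []
    for name, cfg, other in ((name_a, a, b), (name_b, b, a)):
        other_addrs = {i["ip"] for i in other["interfaces"].values() if i["ip"]}
        other_entries = [e for m in other["crypto_maps"].values()
                         for e in other["acls"].get(m["acl"], [])]
        for (cmap, seq), entry in cfg["crypto_maps"].items():
            if entry["peer"] not in other_addrs:
                findings.append(f"{name}: peer {entry['peer']} of {cmap} {seq} is not an address on the other router")
            for src, dst in cfg["acls"].get(entry["acl"], []):
                if (src, dst) == (ANY, ANY):
                    findings.append(f"{name}: crypto ACL {entry['acl']} is 'permit ip any any' (selects all traffic, not just LAN-to-LAN)")
                if (dst, src) not in other_entries:  # the peer must list the reverse flow
                    findings.append(f"{name}: entry {src[0]} -> {dst[0]} has no mirror entry in the other router's crypto ACL")
        for ifname, i in cfg["interfaces"].items():
            if i["crypto_map"] and i["bridged"] and not cfg["ip_routing"]:
                findings.append(f"{name}: {ifname} has crypto map {i['crypto_map']} but sits in a bridge group with IP routing off; "
                                "LAN frames are bridged at layer 2 and never checked against the crypto ACL, so only router-originated traffic is encrypted")
    return findings

def _swap(text, pairs):  # exchange each (x, y) pair: builds the mirror-image peer config
    for x, y in pairs:
        text = text.replace(x, "\x00").replace(y, x).replace("\x00", y)
    return text

# Constructed excerpts modelled on the configs posted in this thread.
ORIGINAL_A = """\
no ip routing
crypto map 1700map1 10 ipsec-isakmp
 set peer 10.153.102.18
 match address 101
interface Serial0
 bridge-group 1
 crypto map 1700map1
interface FastEthernet0
 ip address 10.153.102.17 255.255.0.0
access-list 101 permit ip any any
"""
ORIGINAL_B = _swap(ORIGINAL_A, [("10.153.102.17", "10.153.102.18")])
CORRECTED_A = """\
no ip routing
crypto map 1700map1 10 ipsec-isakmp
 set peer 10.153.102.18
 match address 101
crypto map 1700map1 local-address loopback0
interface loopback0
 ip address 10.153.102.17 255.255.0.0
interface Serial0
 bridge-group 1
 crypto map 1700map1
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
CORRECTED_B = _swap(CORRECTED_A, [("10.153.102.17", "10.153.102.18"), ("192.168.0.", "192.168.10.")])
```

Run `audit_pair(ORIGINAL_A, ORIGINAL_B)` and it reports the `any any` ACL plus the bridged Serial0 on both sides; on the corrected pair only the bridge finding remains, which is exactly the part of the problem the ACL change does not address. Only `access-list N permit ip ...` entries are understood; extended ACLs with ports or `deny` lines would need a fuller parser.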

Renato.Efrati
Holy network Shaman
Posts: 637
Joined: Thu 07 Apr 2005, 9:30 pm
Location: Cisco Systems Inc. West Tasman Drive 170, San Jose CA

There is a command missing that tells it to use loopback0 as the source for the peer, but I don't remember it; I'll look it up and post the corrected configuration.

CCIE Routing & Switching # 20567
CCNP R&S - CCNP Sec - CCNP Collaboration - CCNP Datacenter - CCDP - VCP6-DCV

Renato.Efrati
Holy network Shaman
Posts: 637
Joined: Thu 07 Apr 2005, 9:30 pm
Location: Cisco Systems Inc. West Tasman Drive 170, San Jose CA

OK, found it. The config is correct (it should be); try it and let me know if it works. If you have doubts, call.

CCIE Routing & Switching # 20567
CCNP R&S - CCNP Sec - CCNP Collaboration - CCNP Datacenter - CCDP - VCP6-DCV
