IPSEC VPN won't come up, not even with viagra :P
Posted: Thu 28 May 2009 10:30 am
Good morning,
I have two sites and I would like to set up a GRE+IPSEC tunnel (GRE because I have never solved the packet fragmentation problems).
Site 1:
C1721 32F/128D 12.4(23) ADVSECK9
RFC1483 connectivity, 1 point-to-point 1.1.1.1
range /29: 1.1.1.232/29
LAN: 192.168.1.x
atm0.1 1.1.1.1
fast0: 192.168.1.254
loop0: 1.1.1.238/32
Site 2:
C2611 16F/64D 12.3(25) complete
RFC1483 connectivity with 1 IP assigned to the router
LAN: 192.168.2.x
atm0/0.1 point-to-point IP 2.2.2.2
eth0/0: 192.168.2.254
I can establish the GRE tunnel between the two routers without any trouble, so I can already connect the two LANs. The problem is that ISAKMP doesn't work, and in practice the GRE tunnel doesn't come up.
The configurations follow:
ROUTER1 C1721
[SNIP]
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key xxxxx address IPROUTER2
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set VPN-3DES esp-3des esp-sha-hmac
!
crypto map VPN local-address Loopback0
crypto map VPN 1 ipsec-isakmp
set peer IPROUTER2
set transform-set VPN-3DES
set pfs group5
match address 103
!
!
!
interface Loopback0
description hostname xxxx
ip address IP DEL RANGE /29 ASSEGNATOMI 255.255.255.255
no ip redirects
no ip proxy-arp
ip mtu 1500
!
interface Tunnel1
ip address 10.0.0.1 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source Loopback0
tunnel destination IP ROUTER2
tunnel checksum
tunnel path-mtu-discovery
!
interface Null0
no ip unreachables
!
interface ATM0
description SHDSL
no ip address
no ip redirects
no ip proxy-arp
atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description Point to Point Uplink
bandwidth 3584
ip address IP PUNTO PUNTO
no ip redirects
no ip proxy-arp
ip mtu 1500
ip inspect OUT-IN in
ip inspect IN-OUT out
ip nat outside
ip virtual-reassembly max-reassemblies 256
crypto map VPN
pvc 8/35
protocol ip 77.93.236.161
encapsulation aal5snap
!
!
interface Ethernet0
description To LAN
ip address 192.168.1.251 255.255.255.0
no ip redirects
no ip proxy-arp
ip inspect IN-OUT-LAN in
ip nat inside
ip virtual-reassembly
no ip mroute-cache
full-duplex
no cdp enable
standby use-bia
standby delay minimum 20 reload 20
standby 20 ip 192.168.1.254
standby 20 preempt delay minimum 20 reload 20 sync 10
standby 20 name lan-gw
standby 20 track 1
standby 20 track ATM0
!
interface FastEthernet0
description To DMZ
ip address 172.16.0.27 255.255.255.224
no ip redirects
no ip proxy-arp
ip inspect IN-OUT-DMZ in
ip nat inside
ip virtual-reassembly
no ip mroute-cache
speed auto
no cdp enable
standby delay minimum 20 reload 20
standby 10 ip 172.16.0.30
standby 10 preempt delay minimum 20 reload 20 sync 10
standby 10 name border-routers
standby 10 track 1
standby 10 track ATM0
!
interface Virtual-Template1
ip unnumbered FastEthernet0
ip nat inside
ip virtual-reassembly
peer default ip address pool VPN-IN
ppp encrypt mppe auto required
ppp authentication ms-chap-v2
!
ip local pool VPN-IN 10.0.0.1 10.0.0.5
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.2.0 255.255.255.0 10.0.0.2
!
no ip http server
no ip http secure-server
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation icmp-timeout 120
ip nat inside source list 102 interface Loopback0 overload
ip dns server
!
!
no logging trap
[SNIP]
access-list 102 deny ip 172.16.0.0 0.0.0.31 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 172.16.0.0 0.0.0.31 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit icmp 172.16.0.0 0.0.0.31 192.168.1.0 0.0.0.255 echo-reply
access-list 110 permit tcp 172.16.0.0 0.0.0.31 192.168.1.0 0.0.0.255 established
access-list 110 deny ip 172.16.0.0 0.0.0.31 192.168.1.0 0.0.0.255
access-list 110 permit ip 172.16.0.0 0.0.0.31 any
ROUTER2 C2611
[SNIP]
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key PASSWORD address REMOTE PEER
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set VPN-3DES esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer REMOTEPEER
set transform-set VPN-3DES
set pfs group5
match address 103
!
!
!
!
interface Null0
no ip unreachables
!
interface Tunnel1
ip address 10.0.0.2 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source ATM0/0.1
tunnel destination REMOTE PEER
tunnel checksum
tunnel path-mtu-discovery
!
interface ATM0/0
no ip address
no ip redirects
no ip proxy-arp
no ip mroute-cache
atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0/0.1 point-to-point
bandwidth 640
ip address IP MIO DEL ROUTER
no ip redirects
no ip proxy-arp
ip mtu 1500
ip nat outside
ip inspect OUT-IN in
no ip mroute-cache
crypto map VPN
pvc 8/35
encapsulation aal5snap
!
!
interface Ethernet0/0
description LAN Interface
ip address 192.168.2.254 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip inspect IN-OUT in
no ip mroute-cache
full-duplex
no cdp enable
hold-queue 100 in
hold-queue 100 out
!
interface Ethernet0/1
description Public WAN Subnet /29
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
shutdown
half-duplex
no cdp enable
hold-queue 100 in
hold-queue 100 out
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation icmp-timeout 120
ip nat inside source list 102 interface ATM0/0.1 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 IP PUNTO PUNTO
ip route 10.0.0.1 255.255.255.255 REMOTE PEER
ip route 192.168.1.0 255.255.255.0 10.0.0.1
!
ip dns server
!
logging history notifications
no logging trap
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
[SNIP]
!
!
!
banner login ^C
You are connected to $(hostname).$(domain) on line $(line).
If you are not authorized to access this system, disconnect now.
THIS IS FOR AUTHORIZED USE ONLY
Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and consent
to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not
agree to the conditions stated in this warning.
Network Administrator: [email protected]
^C
!
line con 0
login local
transport output telnet
stopbits 1
line aux 0
transport preferred none
transport output telnet
stopbits 1
line vty 0 4
login local
transport preferred ssh
transport input ssh
transport output all
flowcontrol software
!
scheduler max-task-time 5000
ntp clock-period 17208800
ntp server 192.43.244.18
ntp server 193.204.114.105
!
end
Could you please tell me where I'm going wrong and why IPsec doesn't work???
I did a sh crypto ipsec sa and also a sh crypto isakmp sa and everything is 0
I disabled the ACLs and everything is open
there's no way to get it going
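An added Python model of the order in which IOS processes this kind of setup (this is not the poster's config or Cisco code): traffic routed into Tunnel1 is GRE-encapsulated before the crypto map on the physical interface is evaluated, so a crypto ACL written for LAN-to-LAN addresses never sees a matching packet and ISAKMP is never triggered, which is consistent with both SA tables showing 0. The tunnel endpoints are the obfuscated addresses from the post (Loopback0 1.1.1.238, Router2 2.2.2.2); the LAN hosts are constructed sample values.

```python
import ipaddress

# Constructed model of IOS behaviour: GRE encapsulation happens first, so the
# crypto map on ATM0.1 only ever evaluates the OUTER header
# (protocol GRE, tunnel source -> tunnel destination), never the LAN addresses.
GRE = "gre"

def ace(proto, src, dst):
    """One permit entry of a crypto ACL, e.g. ('ip', '192.168.1.0/24', '192.168.2.0/24')."""
    return (proto, ipaddress.ip_network(src), ipaddress.ip_network(dst))

def acl_matches(acl, proto, src, dst):
    """True if any entry of the crypto ACL selects this packet for encryption.
    'permit ip' matches every protocol, including GRE."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((p == "ip" or p == proto) and s in sn and d in dn for p, sn, dn in acl)

def gre_encapsulate(inner, tunnel):
    """Outer header of the packet as it leaves Tunnel1 toward the physical interface."""
    return {"proto": GRE, "src": tunnel["source"], "dst": tunnel["destination"], "inner": inner}

def will_be_encrypted(inner, tunnel, crypto_acl):
    """Does the crypto map on the physical interface select this LAN-to-LAN packet?"""
    outer = gre_encapsulate(inner, tunnel)
    return acl_matches(crypto_acl, outer["proto"], outer["src"], outer["dst"])

# Router1 as posted: Tunnel1 sourced from Loopback0 (1.1.1.238), destination Router2 (2.2.2.2).
TUNNEL1 = {"source": "1.1.1.238", "destination": "2.2.2.2"}
# Constructed sample: a LAN host at site 1 talking to a LAN host at site 2.
LAN_PACKET = {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.2.10"}

# access-list 103 as posted: matches LAN-to-LAN, which the crypto map never sees after GRE.
ACL103_AS_POSTED = [ace("ip", "192.168.1.0/24", "192.168.2.0/24")]
# What a GRE-over-IPsec crypto ACL has to match instead: the GRE flow between the endpoints.
ACL103_GRE = [ace(GRE, "1.1.1.238/32", "2.2.2.2/32")]

if __name__ == "__main__":
    print("posted ACL 103 selects LAN traffic for IPsec:",
          will_be_encrypted(LAN_PACKET, TUNNEL1, ACL103_AS_POSTED))  # False
    print("GRE endpoint ACL selects LAN traffic for IPsec:",
          will_be_encrypted(LAN_PACKET, TUNNEL1, ACL103_GRE))  # True
```

The same reasoning applies to access-list 103 on Router2 with the endpoints mirrored (its tunnel source is ATM0/0.1, so the outer source is that interface's address).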