VPN L2L e roadwarrior
Inviato: mer 08 dic 2010, 5:01 pm
Salve mondo, sono ormai diversi giorni che sbatto la testa su questo problema. Ho un 1751v con modulo atm e ho creato una vpn ipsec con un firewall pfsense che ho in ufficio. Fin qui tutto ok. Ora sto cercando di fare in modo che il mio router accetti anche connessioni ipsec roadwarrior, che posso usare quando sono in vacanza o fuori casa.
Premetto che dopo aver aggiunto la parte "roadwarrior" la L2L aveva smesso di funzionare fino a quando ho impostato l'opzione no-xauth, dato che uso la sola preshared key senza utenti.
Incollo la mia attuale conf sperando in qualche consiglio:
! Global settings: IOS 12.3, timestamped logging, type-7 password obfuscation,
! hostname, enable and local user credentials, mmi settings, voice cards, AAA.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Applies the reversible type-7 encoding to the "password 7" values below;
! this is obfuscation, not a one-way hash.
service password-encryption
!
hostname 1751v
!
boot-start-marker
boot-end-marker
!
! NOTE(review): "enable password" is stored type 7 (reversible); "enable secret"
! would store a one-way hash instead. Value redacted by the poster.
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
! Local user consulted by XAUTH (crypto map VPN client authentication list
! LOCAL_DB). Same type-7 caveat: "username ... secret" would store a hash.
username simone password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
clock timezone GMT 1
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
voice-card 1
!
voice-card 2
!
! AAA: LOCAL_DB authenticates against the local username table and is the list
! named by the crypto map for XAUTH and ISAKMP group authorization. The vty lines
! name no login list and no "default" login list is defined in this config --
! presumably they use IOS default behaviour under aaa new-model; confirm.
aaa new-model
!
!
aaa authentication login LOCAL_DB local
aaa session-id common
ip subnet-zero
!
!
!
! Addressing and services: DHCP for the LAN 192.168.10.0/24 (router .254 is
! gateway and DNS), two fixed reservations, upstream resolvers, CBAC inspection
! rule set and IPS event limit.
ip dhcp pool LOCAL
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 192.168.10.254
netbios-name-server 192.168.10.1
lease 7
! Clients matching DHCP class RANGE are offered .100-.120. NOTE(review): that
! range overlaps the static reservations at .100 and .101 below -- confirm the
! static pools take precedence for those two clients.
class RANGE
address range 192.168.10.100 192.168.10.120
!
! Fixed leases keyed on client-identifier.
ip dhcp pool STATIC-FISSO_SIMONE
host 192.168.10.100 255.255.255.0
client-identifier 016c.626d.7194.55
!
ip dhcp pool STATIC-FISSO_ALBERTO
host 192.168.10.101 255.255.255.0
client-identifier 0100.1195.c42e.a5
!
!
! Class RANGE carries no match criteria in this config, so which clients it
! selects is not visible here -- TODO confirm.
ip dhcp class RANGE
!
ip cef
! Domain and upstream resolvers; the router also serves DNS itself ("ip dns
! server", further down).
ip domain name XXXXXXXXXX.homeip.net
ip name-server 213.205.32.70
ip name-server 8.8.8.8
ip name-server 213.205.36.70
! CBAC inspection set MYFW, applied outbound on Dialer0. NOTE(review): inspection
! adds temporary return-traffic entries to an inbound access-list on that
! interface, and no "ip access-group ... in" is configured on Dialer0 in this
! config, so it is unclear what unsolicited inbound traffic is blocked -- confirm.
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW icmp
ip inspect name MYFW http
ip ips po max-events 100
no ftp-server write-enable
!
!
! Voice digit manipulation. Rules 2/3/5/6 match 41/42/44/45 and rewrite them to
! themselves (a no-op); rule 7 rewrites a leading "4" to "0,". Presumably the
! no-op rules exist so that numbers containing 41/42/44/45 are not touched by
! rule 7 -- confirm rule evaluation order on this image. Profile out_pstn applies
! rule set 1 to the called number and is used by "dial-peer voice 1 pots".
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
voice translation-rule 1
rule 2 /41/ /41/
rule 3 /42/ /42/
rule 5 /44/ /44/
rule 6 /45/ /45/
rule 7 /^4/ /0,/
!
!
voice translation-profile out_pstn
translate called 1
!
!
!
!
!
!
! Legacy-style "translation-rule 1" stanza with no rules under it; presumably a
! leftover from an earlier config -- confirm it is still needed.
translation-rule 1
!
!
!
! IPsec: ISAKMP policies, site-to-site (L2L) pre-shared key, roadwarrior client
! group, transform sets, dynamic map and the crypto map that Dialer0 applies.
!
! Policy 10: 3DES, pre-shared key, DH group 2, hash not set (IOS default),
! 8-hour lifetime.
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
! Policy 11: as policy 10 but MD5 hash and 1-hour lifetime. NOTE(review): 3DES,
! MD5 and DH group 2 are all legacy choices by current standards; whether this
! 12.3 image offers stronger alternatives is not visible here -- confirm before
! changing, since the pfSense peer and the clients must agree.
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
! L2L peer key (type 6 encrypted, redacted). "no-xauth" exempts this peer from
! the XAUTH that "client authentication list" below otherwise demands; per the
! post, the L2L tunnel stopped working until this keyword was added.
crypto isakmp key 6 XXXXXXXXX address xxx.yyy.xxx.yyy no-xauth
!
! Roadwarrior group: one group key shared by every client (each user then
! authenticates via XAUTH against the local username table), pushes LAN DNS and
! WINS, assigns addresses from ROADWARRIOR_POOL, split-tunnel list
! ACL_ROADWARRIOR, at most 5 concurrent users.
crypto isakmp client configuration group HOME_ROADWARRIOR
key XXXXXXXXX
dns 192.168.10.254
wins 192.168.10.1
pool ROADWARRIOR_POOL
acl ACL_ROADWARRIOR
max-users 5
!
!
! Two transform sets: L2L uses SHA-1 HMAC, roadwarrior uses MD5 HMAC.
! NOTE(review): the MD5 variant is the weaker of the two; if the clients accept
! esp-sha-hmac a single set would do -- confirm.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto ipsec transform-set STRONG_ROADWARRIOR esp-3des esp-md5-hmac
!
! Dynamic map for clients whose address is not known in advance. No "set pfs"
! here, unlike the static L2L entry (seq 15) -- confirm whether that is intended.
crypto dynamic-map CLIENT_MAP 10
set transform-set STRONG_ROADWARRIOR
!
!
! Crypto map VPN: sourced from Dialer0; XAUTH and group authorization both use
! LOCAL_DB (local usernames / the local group above); responds to client
! address requests with the pool.
crypto map VPN local-address Dialer0
crypto map VPN client authentication list LOCAL_DB
crypto map VPN isakmp authorization list LOCAL_DB
crypto map VPN client configuration address respond
! Seq 15: static L2L to the pfSense peer, PFS group 2, interesting traffic ACL_VPN.
crypto map VPN 15 ipsec-isakmp
set peer xxx.yyy.xxx.yyy
set transform-set STRONG
set pfs group2
match address ACL_VPN
! Seq 1000: catch-all dynamic entry, evaluated after the static one.
crypto map VPN 1000 ipsec-isakmp dynamic CLIENT_MAP
!
!
!
!
! Interfaces: ADSL PVC 8/35 carrying PPP over ATM via dialer pool 1;
! FastEthernet0/0 is the NAT-inside LAN; Dialer0 is the NAT-outside WAN with
! inspection and the crypto map.
interface ATM0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0/0
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
hold-queue 100 out
!
! WAN side. NOTE(review): no inbound access-list is applied here, so MYFW
! inspection (outbound) has nothing to open return paths in; unsolicited
! inbound traffic reaches the router and the static NAT entries unfiltered --
! confirm this is intended.
interface Dialer0
ip address negotiated
ip nat outside
ip inspect MYFW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
! "dialer-group 1" refers to dialer-list 1, which does not appear in this
! config -- presumably defined elsewhere or not needed for an always-on PVC;
! confirm.
dialer-group 1
! ISP credentials for CHAP and PAP (type-7 passwords, redacted).
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXXXXXXxxx
ppp pap sent-username XXXXXXXXXXXXXXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXXXXx
! Applies both the L2L and the roadwarrior crypto entries to this interface.
crypto map VPN
!
! VPN client addressing, default route, NAT and access-lists.
! The pool holds 10 addresses while the group allows max-users 5.
ip local pool ROADWARRIOR_POOL 192.168.11.1 192.168.11.10
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
! Management web UI disabled.
no ip http server
no ip http secure-server
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 1200
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 4096
! PAT for the LAN; ACL_NAT excludes VPN-bound traffic so it is not translated.
ip nat inside source list ACL_NAT interface Dialer0 overload
! Static port forwards to two LAN hosts. NOTE(review): each exposes a LAN
! listener to the Internet, with no inbound filtering on Dialer0 -- confirm
! all four are still needed.
ip nat inside source static udp 192.168.10.101 5617 interface Dialer0 5617
ip nat inside source static tcp 192.168.10.101 37857 interface Dialer0 37857
ip nat inside source static udp 192.168.10.100 32505 interface Dialer0 32505
ip nat inside source static tcp 192.168.10.100 32476 interface Dialer0 32476
!
! The router answers DNS queries itself (presumably forwarding to the
! name-servers above). NOTE(review): with no inbound ACL on Dialer0 it may
! also answer WAN-side queries (open-resolver exposure) -- confirm.
ip dns server
!
!
! NAT exemption: "deny" means do-not-translate for traffic to the L2L subnet
! and to the roadwarrior pool; everything else from the LAN is PATed.
! Order matters: the denies must precede the permit.
ip access-list extended ACL_NAT
deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
! Split-tunnel list pushed to roadwarrior clients: only LAN traffic uses the VPN.
ip access-list extended ACL_ROADWARRIOR
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
! Interesting traffic for the L2L tunnel (crypto map VPN seq 15).
ip access-list extended ACL_VPN
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
! Sources allowed to reach the vty lines ("access-class SSH in"): the LAN and
! the L2L office subnet. The roadwarrior pool 192.168.11.0/24 is not listed,
! so VPN clients cannot SSH to the router -- presumably deliberate; confirm.
ip access-list extended SSH
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
!
!
! Control plane (no policy attached), analogue voice ports, dial peers and SIP UA.
control-plane
!
!
voice-port 1/0
!
voice-port 1/1
!
! Voice port 2/0: Italian call-progress tones, echo cancellation, VAD off,
! PLAR to 299 (the VoIP dial-peer below).
voice-port 2/0
echo-cancel coverage 32
no vad
cptone IT
timeouts interdigit 20
timeouts ringing 10
connection plar opx 299
description xxxxxxxxxx
!
voice-port 2/1
!
!
!
!
dial-peer cor custom
!
!
!
! Calls to 299 go to the SIP server at 192.168.10.240:5060 (G.711 u-law, UDP);
! presumably this carries calls arriving on port 2/0 via the PLAR above.
dial-peer voice 299 voip
destination-pattern T
session protocol sipv2
session target ipv4:192.168.10.240:5060
session transport udp
codec g711ulaw
!
! Outbound via port 2/0 with out_pstn digit translation; credentials below are
! redacted. NOTE(review): the username "cisco" looks like a default value --
! confirm it is intended.
dial-peer voice 1 pots
translation-profile outgoing out_pstn
destination-pattern T
no digit-strip
port 2/0
authentication username cisco password XXXXXXXXXXXXXXXXXXXx
!
! SIP user agent: retry counters, 1000 ms trying timer, registrar and SIP
! server at 192.168.10.240 with 3600 s registration expiry.
sip-ua
retry invite 3
retry response 3
retry bye 3
retry cancel 3
timers trying 1000
registrar ipv4:192.168.10.240 expires 3600
sip-server ipv4:192.168.10.240
!
! Banner, terminal lines and NTP.
banner motd ATTENTO A QUELLO CHE FAI !!!
!
! Console: type-7 line password. Under aaa new-model the AAA method normally
! applies to logins rather than the line password -- confirm which is in effect.
line con 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXX
! NOTE(review): aux 0 has no password or transport restriction shown here --
! confirm the aux port is not reachable.
line aux 0
! vty: sources limited by access-list SSH, 30 min idle timeout, SSH only.
line vty 0 4
access-class SSH in
exec-timeout 30 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
transport input ssh
!
! clock-period is written by IOS itself. Time comes from a single NTP server
! with no authentication configured.
ntp clock-period 17180002
ntp server 85.18.189.242
end
Premetto che dopo aver aggiunto la parte "roadwarrior" la L2L aveva smesso di funzionare fino a quando ho impostato l'opzione no-xauth, dato che uso la sola preshared key senza utenti.
Incollo la mia attuale conf sperando in qualche consiglio:
! Global settings: IOS 12.3, timestamped logging, type-7 password obfuscation,
! hostname, enable and local user credentials, mmi settings, voice cards, AAA.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Applies the reversible type-7 encoding to the "password 7" values below;
! this is obfuscation, not a one-way hash.
service password-encryption
!
hostname 1751v
!
boot-start-marker
boot-end-marker
!
! NOTE(review): "enable password" is stored type 7 (reversible); "enable secret"
! would store a one-way hash instead. Value redacted by the poster.
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
! Local user consulted by XAUTH (crypto map VPN client authentication list
! LOCAL_DB). Same type-7 caveat: "username ... secret" would store a hash.
username simone password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
clock timezone GMT 1
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
voice-card 1
!
voice-card 2
!
! AAA: LOCAL_DB authenticates against the local username table and is the list
! named by the crypto map for XAUTH and ISAKMP group authorization. The vty lines
! name no login list and no "default" login list is defined in this config --
! presumably they use IOS default behaviour under aaa new-model; confirm.
aaa new-model
!
!
aaa authentication login LOCAL_DB local
aaa session-id common
ip subnet-zero
!
!
!
! Addressing and services: DHCP for the LAN 192.168.10.0/24 (router .254 is
! gateway and DNS), two fixed reservations, upstream resolvers, CBAC inspection
! rule set and IPS event limit.
ip dhcp pool LOCAL
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 192.168.10.254
netbios-name-server 192.168.10.1
lease 7
! Clients matching DHCP class RANGE are offered .100-.120. NOTE(review): that
! range overlaps the static reservations at .100 and .101 below -- confirm the
! static pools take precedence for those two clients.
class RANGE
address range 192.168.10.100 192.168.10.120
!
! Fixed leases keyed on client-identifier.
ip dhcp pool STATIC-FISSO_SIMONE
host 192.168.10.100 255.255.255.0
client-identifier 016c.626d.7194.55
!
ip dhcp pool STATIC-FISSO_ALBERTO
host 192.168.10.101 255.255.255.0
client-identifier 0100.1195.c42e.a5
!
!
! Class RANGE carries no match criteria in this config, so which clients it
! selects is not visible here -- TODO confirm.
ip dhcp class RANGE
!
ip cef
! Domain and upstream resolvers; the router also serves DNS itself ("ip dns
! server", further down).
ip domain name XXXXXXXXXX.homeip.net
ip name-server 213.205.32.70
ip name-server 8.8.8.8
ip name-server 213.205.36.70
! CBAC inspection set MYFW, applied outbound on Dialer0. NOTE(review): inspection
! adds temporary return-traffic entries to an inbound access-list on that
! interface, and no "ip access-group ... in" is configured on Dialer0 in this
! config, so it is unclear what unsolicited inbound traffic is blocked -- confirm.
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW icmp
ip inspect name MYFW http
ip ips po max-events 100
no ftp-server write-enable
!
!
! Voice digit manipulation. Rules 2/3/5/6 match 41/42/44/45 and rewrite them to
! themselves (a no-op); rule 7 rewrites a leading "4" to "0,". Presumably the
! no-op rules exist so that numbers containing 41/42/44/45 are not touched by
! rule 7 -- confirm rule evaluation order on this image. Profile out_pstn applies
! rule set 1 to the called number and is used by "dial-peer voice 1 pots".
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
voice translation-rule 1
rule 2 /41/ /41/
rule 3 /42/ /42/
rule 5 /44/ /44/
rule 6 /45/ /45/
rule 7 /^4/ /0,/
!
!
voice translation-profile out_pstn
translate called 1
!
!
!
!
!
!
! Legacy-style "translation-rule 1" stanza with no rules under it; presumably a
! leftover from an earlier config -- confirm it is still needed.
translation-rule 1
!
!
!
! IPsec: ISAKMP policies, site-to-site (L2L) pre-shared key, roadwarrior client
! group, transform sets, dynamic map and the crypto map that Dialer0 applies.
!
! Policy 10: 3DES, pre-shared key, DH group 2, hash not set (IOS default),
! 8-hour lifetime.
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
! Policy 11: as policy 10 but MD5 hash and 1-hour lifetime. NOTE(review): 3DES,
! MD5 and DH group 2 are all legacy choices by current standards; whether this
! 12.3 image offers stronger alternatives is not visible here -- confirm before
! changing, since the pfSense peer and the clients must agree.
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
! L2L peer key (type 6 encrypted, redacted). "no-xauth" exempts this peer from
! the XAUTH that "client authentication list" below otherwise demands; per the
! post, the L2L tunnel stopped working until this keyword was added.
crypto isakmp key 6 XXXXXXXXX address xxx.yyy.xxx.yyy no-xauth
!
! Roadwarrior group: one group key shared by every client (each user then
! authenticates via XAUTH against the local username table), pushes LAN DNS and
! WINS, assigns addresses from ROADWARRIOR_POOL, split-tunnel list
! ACL_ROADWARRIOR, at most 5 concurrent users.
crypto isakmp client configuration group HOME_ROADWARRIOR
key XXXXXXXXX
dns 192.168.10.254
wins 192.168.10.1
pool ROADWARRIOR_POOL
acl ACL_ROADWARRIOR
max-users 5
!
!
! Two transform sets: L2L uses SHA-1 HMAC, roadwarrior uses MD5 HMAC.
! NOTE(review): the MD5 variant is the weaker of the two; if the clients accept
! esp-sha-hmac a single set would do -- confirm.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto ipsec transform-set STRONG_ROADWARRIOR esp-3des esp-md5-hmac
!
! Dynamic map for clients whose address is not known in advance. No "set pfs"
! here, unlike the static L2L entry (seq 15) -- confirm whether that is intended.
crypto dynamic-map CLIENT_MAP 10
set transform-set STRONG_ROADWARRIOR
!
!
! Crypto map VPN: sourced from Dialer0; XAUTH and group authorization both use
! LOCAL_DB (local usernames / the local group above); responds to client
! address requests with the pool.
crypto map VPN local-address Dialer0
crypto map VPN client authentication list LOCAL_DB
crypto map VPN isakmp authorization list LOCAL_DB
crypto map VPN client configuration address respond
! Seq 15: static L2L to the pfSense peer, PFS group 2, interesting traffic ACL_VPN.
crypto map VPN 15 ipsec-isakmp
set peer xxx.yyy.xxx.yyy
set transform-set STRONG
set pfs group2
match address ACL_VPN
! Seq 1000: catch-all dynamic entry, evaluated after the static one.
crypto map VPN 1000 ipsec-isakmp dynamic CLIENT_MAP
!
!
!
!
! Interfaces: ADSL PVC 8/35 carrying PPP over ATM via dialer pool 1;
! FastEthernet0/0 is the NAT-inside LAN; Dialer0 is the NAT-outside WAN with
! inspection and the crypto map.
interface ATM0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0/0
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
hold-queue 100 out
!
! WAN side. NOTE(review): no inbound access-list is applied here, so MYFW
! inspection (outbound) has nothing to open return paths in; unsolicited
! inbound traffic reaches the router and the static NAT entries unfiltered --
! confirm this is intended.
interface Dialer0
ip address negotiated
ip nat outside
ip inspect MYFW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
! "dialer-group 1" refers to dialer-list 1, which does not appear in this
! config -- presumably defined elsewhere or not needed for an always-on PVC;
! confirm.
dialer-group 1
! ISP credentials for CHAP and PAP (type-7 passwords, redacted).
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXXXXXXxxx
ppp pap sent-username XXXXXXXXXXXXXXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXXXXx
! Applies both the L2L and the roadwarrior crypto entries to this interface.
crypto map VPN
!
! VPN client addressing, default route, NAT and access-lists.
! The pool holds 10 addresses while the group allows max-users 5.
ip local pool ROADWARRIOR_POOL 192.168.11.1 192.168.11.10
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
! Management web UI disabled.
no ip http server
no ip http secure-server
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 1200
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 4096
! PAT for the LAN; ACL_NAT excludes VPN-bound traffic so it is not translated.
ip nat inside source list ACL_NAT interface Dialer0 overload
! Static port forwards to two LAN hosts. NOTE(review): each exposes a LAN
! listener to the Internet, with no inbound filtering on Dialer0 -- confirm
! all four are still needed.
ip nat inside source static udp 192.168.10.101 5617 interface Dialer0 5617
ip nat inside source static tcp 192.168.10.101 37857 interface Dialer0 37857
ip nat inside source static udp 192.168.10.100 32505 interface Dialer0 32505
ip nat inside source static tcp 192.168.10.100 32476 interface Dialer0 32476
!
! The router answers DNS queries itself (presumably forwarding to the
! name-servers above). NOTE(review): with no inbound ACL on Dialer0 it may
! also answer WAN-side queries (open-resolver exposure) -- confirm.
ip dns server
!
!
! NAT exemption: "deny" means do-not-translate for traffic to the L2L subnet
! and to the roadwarrior pool; everything else from the LAN is PATed.
! Order matters: the denies must precede the permit.
ip access-list extended ACL_NAT
deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
! Split-tunnel list pushed to roadwarrior clients: only LAN traffic uses the VPN.
ip access-list extended ACL_ROADWARRIOR
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
! Interesting traffic for the L2L tunnel (crypto map VPN seq 15).
ip access-list extended ACL_VPN
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
! Sources allowed to reach the vty lines ("access-class SSH in"): the LAN and
! the L2L office subnet. The roadwarrior pool 192.168.11.0/24 is not listed,
! so VPN clients cannot SSH to the router -- presumably deliberate; confirm.
ip access-list extended SSH
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
!
!
! Control plane (no policy attached), analogue voice ports, dial peers and SIP UA.
control-plane
!
!
voice-port 1/0
!
voice-port 1/1
!
! Voice port 2/0: Italian call-progress tones, echo cancellation, VAD off,
! PLAR to 299 (the VoIP dial-peer below).
voice-port 2/0
echo-cancel coverage 32
no vad
cptone IT
timeouts interdigit 20
timeouts ringing 10
connection plar opx 299
description xxxxxxxxxx
!
voice-port 2/1
!
!
!
!
dial-peer cor custom
!
!
!
! Calls to 299 go to the SIP server at 192.168.10.240:5060 (G.711 u-law, UDP);
! presumably this carries calls arriving on port 2/0 via the PLAR above.
dial-peer voice 299 voip
destination-pattern T
session protocol sipv2
session target ipv4:192.168.10.240:5060
session transport udp
codec g711ulaw
!
! Outbound via port 2/0 with out_pstn digit translation; credentials below are
! redacted. NOTE(review): the username "cisco" looks like a default value --
! confirm it is intended.
dial-peer voice 1 pots
translation-profile outgoing out_pstn
destination-pattern T
no digit-strip
port 2/0
authentication username cisco password XXXXXXXXXXXXXXXXXXXx
!
! SIP user agent: retry counters, 1000 ms trying timer, registrar and SIP
! server at 192.168.10.240 with 3600 s registration expiry.
sip-ua
retry invite 3
retry response 3
retry bye 3
retry cancel 3
timers trying 1000
registrar ipv4:192.168.10.240 expires 3600
sip-server ipv4:192.168.10.240
!
! Banner, terminal lines and NTP.
banner motd ATTENTO A QUELLO CHE FAI !!!
!
! Console: type-7 line password. Under aaa new-model the AAA method normally
! applies to logins rather than the line password -- confirm which is in effect.
line con 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXX
! NOTE(review): aux 0 has no password or transport restriction shown here --
! confirm the aux port is not reachable.
line aux 0
! vty: sources limited by access-list SSH, 30 min idle timeout, SSH only.
line vty 0 4
access-class SSH in
exec-timeout 30 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
transport input ssh
!
! clock-period is written by IOS itself. Time comes from a single NTP server
! with no authentication configured.
ntp clock-period 17180002
ntp server 85.18.189.242
end