Site-to-site VPN not working between two 1700s
Posted: Thu 29 Jun 2006, 8:55 am
Hi everyone,
I have a problem with a site-to-site VPN between two 1700s.
The first 1700 also acts as a VPN concentrator for VPN clients, and that part works. Users' Internet browsing is NATted. Here is the configuration:
Current configuration : 4962 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterCisco1721Castegnato
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 ***************************
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ********** address 213.150.188.174
!
crypto isakmp client configuration group vpnclients
key **********
dns 192.168.0.2
wins 192.168.0.2
pool ippool
acl 108
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 5 ipsec-isakmp
set peer 213.150.188.174
set transform-set myset
match address 115
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface ATM0
description Connessione alla rete Internet mediante NGI
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
half-duplex
!
interface FastEthernet0
description Connessione alla rete locale di Castegnato
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
!
interface Dialer0
description Interfaccia Virtuale per connessione Internet
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username ******** password 7 **********
ppp multilink
crypto map clientmap
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 443 88.149.132.145 443 extendable
!
access-list 108 permit ip 192.168.0.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.87.0 0.0.0.255
access-list 130 deny ip 192.168.0.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 130 deny ip 192.168.0.0 0.0.0.255 192.168.87.0 0.0.0.255
access-list 130 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
match ip address 130
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 7 *************
transport input telnet ssh
line vty 5 15
password 7 *************
!
end
And this is the configuration of the second 1700, which acts only as a VPN endpoint and provides NATted Internet browsing for the users of its local network.
Current configuration : 1943 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gervasoni
!
logging queue-limit 100
enable password **********
!
ip subnet-zero
!
!
isdn switch-type basic-net3
!
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0 ******** address 88.149.132.145
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map test 5 ipsec-isakmp
set peer 88.149.132.145
set transform-set myset
match address 115
!
!
interface BRI0
description connected to Internet
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type basic-net3
no cdp enable
!
interface FastEthernet0
ip address 192.168.87.254 255.255.255.0
ip nat inside
speed auto
!
interface Serial0
ip address 213.150.188.174 255.255.255.252
ip nat outside
encapsulation ppp
backup delay 3 3
backup interface Dialer1
crypto map test
!
interface Dialer0
no ip address
!
interface Dialer1
description connected to Internet
ip address negotiated
encapsulation ppp
no ip split-horizon
dialer in-band
dialer string 1619
dialer hold-queue 10
dialer load-threshold 10 outbound
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname *******
ppp chap password 0 ********
ppp multilink
!
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
access-list 115 permit ip 192.168.87.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 deny ip 192.168.87.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 permit ip 192.168.87.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 130
!
!
line con 0
password *****
line aux 0
line vty 0 4
password ******
login
!
no scheduler allocate
!
end
Thanks for any help you can give me!!
Marco
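A consistency check over the two configurations posted above, added here as an example and not part of the original post. It embeds constructed excerpts (only the ISAKMP key, peer, transform-set, crypto ACL and NAT-exemption lines, with the secrets masked as in the post) and verifies the things two IPsec peers must agree on: the pre-shared key is bound to the same address as `set peer`, the transform sets match, each crypto ACL entry has its mirror image on the other side, and every protected flow is also denied in the `nonat` ACL so it is not translated before encryption.

```python
import re

# Constructed excerpts of the two configs in the post (IPsec-relevant lines only).
SIDE_A = """crypto isakmp key ********** address 213.150.188.174
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map clientmap 5 ipsec-isakmp
 set peer 213.150.188.174
 match address 115
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.87.0 0.0.0.255
access-list 130 deny ip 192.168.0.0 0.0.0.255 192.168.87.0 0.0.0.255"""

SIDE_B = """crypto isakmp key 0 ******** address 88.149.132.145
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map test 5 ipsec-isakmp
 set peer 88.149.132.145
 match address 115
access-list 115 permit ip 192.168.87.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 deny ip 192.168.87.0 0.0.0.255 192.168.0.0 0.0.0.255"""

def parse(cfg):
    """Extract the values a site-to-site peer must agree on with its counterpart."""
    acl = re.search(r"^ match address (\d+)", cfg, re.M).group(1)
    return {
        "key_addr": re.search(r"^crypto isakmp key (?:\d )?\S+ address (\S+)", cfg, re.M).group(1),
        "peer": re.search(r"^ set peer (\S+)", cfg, re.M).group(1),
        "tset": re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M).group(1),
        "crypto_acl": re.findall(rf"^access-list {acl} permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M),
        "nat_exempt": re.findall(r"^access-list 130 deny ip (\S+ \S+) (\S+ \S+)", cfg, re.M),
    }

def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two sides are consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for side, s in (("A", a), ("B", b)):
        if s["key_addr"] != s["peer"]:  # PSK must be bound to the address we peer with
            findings.append(f"{side}: key bound to {s['key_addr']} but peer is {s['peer']}")
    if a["tset"] != b["tset"]:
        findings.append(f"transform sets differ: {a['tset']} vs {b['tset']}")
    # Crypto ACLs must be mirror images: a (src, dst) entry here is (dst, src) there.
    for side, s, other in (("A", a, b), ("B", b, a)):
        mirrored = {(dst, src) for src, dst in other["crypto_acl"]}
        for entry in s["crypto_acl"]:
            if entry not in mirrored:
                findings.append(f"{side}: crypto ACL entry {entry} has no mirror on the other side")
            if entry not in s["nat_exempt"]:  # traffic NATted before encryption never matches
                findings.append(f"{side}: {entry} is encrypted but not exempted from NAT")
    return findings
```

Run against the excerpts as posted, `check_pair(SIDE_A, SIDE_B)` returns no findings, which is why the next troubleshooting step is usually `show crypto isakmp sa` and `debug crypto isakmp` on both sides rather than the ACLs.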