
Problemi VPN

Inviato: mer 20 set , 2006 4:14 pm
da saso
Salve a tutti, di seguito posto le configurazioni di due router Cisco 837. Il problema sta nel fatto che, una volta configurata la VPN, non riesco ad aprire il tunnel; la linea è una multigroup con 8 IP statici. Aggiungo inoltre che uno dei due router ha già una VPN LAN-LAN configurata e perfettamente funzionante con un terzo router, più un accesso attraverso Easy VPN.

ROUTER 1


Building configuration...

Current configuration : 4137 bytes
!
! Router 1 (Cisco 837, IOS 12.3): two static LAN-to-LAN IPsec tunnels plus
! an Easy VPN (dynamic) entry, all on one crypto map bound to ATM0.1.
! Lines starting with "!" are ignored by IOS; review remarks are marked
! "NOTE(review)".
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password-encryption off, any "password 0" entry (see
! the first "username" line below) is stored and displayed in clear text.
no service password-encryption
!
hostname _______
!
boot-start-marker
boot-end-marker
!
! NOTE(review): no local log buffer and no "logging host" anywhere in this
! config, so IKE/IPsec negotiation failures leave no trace to review.
! Consider "logging buffered" or a syslog host while troubleshooting.
no logging buffered
! Type-5 (MD5) enable secret - hashed, not recoverable from the config.
enable secret 5 grA2x.u3C$K6tn$af./MYYkvdUJ/$1
!
aaa new-model
!
!
! AAA: console/VTY logins, the Easy VPN XAUTH list (sdm_vpn_xauth_ml_1)
! and the group authorization list (sdm_vpn_group_ml_1) all use the local
! user database; the two lists are referenced by the crypto map below.
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
aaa session-id common
ip subnet-zero
!
!
ip name-server 194.243.154.62
ip ips po max-events 100
no ftp-server write-enable
!
!
! NOTE(review): the first user has a type-0 (clear-text) password while the
! second already uses "secret 5"; move the first one to "secret" as well.
username xxxxxxx password 0 yyyyyy
username zzzzzzzzz privilege 15 secret 5 CtGBK$KN5sbzJwsW41$w2WY$Ooeww/
!
! 
!
! IKE phase 1: 3DES, pre-shared keys, DH group 2 (hash left at the IOS
! default). NOTE(review): 3DES and group 2 are weak by current standards;
! prefer AES and a larger DH group where both peers support them.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! Static peer keys. "no-xauth" tells IKE not to run XAUTH against that
! peer; because this crypto map carries "client authentication list"
! (Easy VPN), a static peer whose key lacks "no-xauth" is challenged for
! XAUTH credentials and the L2L tunnel never completes. The follow-up post
! resolves the tunnel to 85.zzz.www.169 by adding "no-xauth" to the second
! key line, matching the first.
crypto isakmp key 1111111 address 85.xxx.yyy.110 no-xauth
crypto isakmp key 2222222 address 85.zzz.www.169
! NOTE(review): this wildcard key matches any IKE peer address - anyone who
! learns it can start IKE with this router. It is presumably meant for the
! dynamic-map clients, but the client group below already carries its own
! "key"; confirm the wildcard entry is still needed.
crypto isakmp key 3333333 address 0.0.0.0 0.0.0.0
crypto isakmp xauth timeout 15

!
! Easy VPN server side: group name/key (redacted) and the address pool
! handed to connecting clients.
crypto isakmp client configuration group xxxxxxxxxxxx
 key xxxxxxxxxxxx
 pool SDM_POOL_1
!
!
! NOTE(review): ESP-3DES-SHA1..3 are identical copies of ESP-3DES-SHA and
! are not referenced by any map entry below (SDM leftovers).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac 
!
! Dynamic map for Easy VPN clients; reverse-route (RRI) installs routes
! toward connected clients.
crypto dynamic-map SDM_DYNMAP_1 2
 set transform-set ESP-3DES-SHA 
 reverse-route
!
!
! One crypto map on ATM0.1: entries 1 and 10 are static L2L tunnels,
! 65535 the dynamic (Easy VPN) entry. The "client authentication list"
! line below is what makes "no-xauth" necessary on the static peer keys.
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to85.xxx.yyy.110
 set peer 85.xxx.yyy.110
 set transform-set ESP-3DES-SHA 
 match address 100
! Entry 10: tunnel to Router 2; ACL 105 selects 192.168.0.0/24 <->
! 192.168.2.0/24, the mirror image of Router 2's ACL 100.
crypto map SDM_CMAP_1 10 ipsec-isakmp 
 description tunnel to 85.zzz.wwww.169
 set peer 85.zzz.wwww.169
 set transform-set ESP-3DES-SHA 
 match address 105
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
! LAN side (NAT inside).
interface Ethernet0
 ip address 192.168.0.110 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
!
! WAN side (NAT outside): public /30 on the PVC, crypto map applied here,
! so this address is the IKE endpoint the peers must use.
interface ATM0.1 point-to-point
 ip address 82.aaa.bbb.158 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 crypto map SDM_CMAP_1
 pvc 8/35 
  encapsulation aal5snap
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
! Easy VPN client pool: two addresses taken from the LAN subnet.
ip local pool SDM_POOL_1 192.168.0.250 192.168.0.251
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
! NOTE(review): SDM is served over clear-text HTTP only (secure-server is
! off) and nothing here restricts which sources may reach it. Enable
! "ip http secure-server" plus an "ip http access-class", or disable HTTP
! when SDM is not in use.
ip http server
no ip http secure-server
! PAT to the ATM0.1 address, gated by route-map SDM_RMAP_1 (ACL 102) so
! VPN-bound traffic is exempted from translation.
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
!
! ACL 100: crypto ACL for map entry 1 (to 192.168.1.0/24).
! NOTE(review): 101 and 103 duplicate 100, and 104 (192.168.10.0/24) is
! not referenced by any crypto map entry in this config; likely SDM
! leftovers that can be removed.
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
! ACL 102: NAT exemption for route-map SDM_RMAP_1 - a "deny" here means
! "do not translate". The first deny covers the Easy VPN pool, the others
! the remote subnets, so VPN traffic keeps its private source address.
access-list 102 remark SDM_ACL Category=18
access-list 102 deny   ip any 192.168.0.250 0.0.0.1
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
! ACL 105: crypto ACL for map entry 10 (to Router 2's 192.168.2.0/24).
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
! NOTE(review): the VTYs carry no "access-class" and no explicit
! "transport input", so remote management is only protected by the local
! login; the effective transport default is not visible here - confirm it.
! Consider "access-class <acl> in" and "transport input ssh" (requires an
! RSA key pair).
line vty 0 4
 exec-timeout 120 0
 length 0
!
scheduler max-task-time 5000
end
ROUTER 2



Building configuration...

Current configuration : 2505 bytes
!
! Router 2 (Cisco 837, IOS 12.3): single static LAN-to-LAN IPsec tunnel to
! Router 1. The WAN PVC is unnumbered to Ethernet0, which carries a public
! /29 address as primary and the private LAN as secondary.
! Lines starting with "!" are ignored by IOS; review remarks are marked
! "NOTE(review)".
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password-encryption off, the "password 0" user below
! and the VTY line password are stored and displayed in clear text.
no service password-encryption
!
hostname _______
!
boot-start-marker
boot-end-marker
!
! NOTE(review): no local log buffer and no "logging host" in this config;
! IKE failures leave no record. Consider "logging buffered" or syslog.
no logging buffered
! Type-5 (MD5) enable secret - hashed, not recoverable from the config.
enable secret 5 $1vDEDcs0Jya8$VpPL$TEv7uz6Ebg.
!
! NOTE(review): type-0 (clear-text) password; prefer "username ... secret".
! With "no aaa new-model" this user is only consulted where "login local"
! is configured - the VTYs below use a line password instead.
username ______ password 0 ---------
no aaa new-model
ip subnet-zero
!
!
ip name-server 194.243.154.62
ip audit notify log
ip audit po max-events 100
ip ssh break-string 
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
! 
!
! IKE phase 1: 3DES, pre-shared key, DH group 2 (hash at the IOS default).
! NOTE(review): 3DES and group 2 are weak by current standards; prefer AES
! and a larger DH group where both peers support them.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! Pre-shared key for Router 1 (82.xxx.yyy.158). The follow-up post adds
! "no-xauth" to this line as part of the resolution, so IKE never attempts
! XAUTH with the static peer.
crypto isakmp key xxxxxxxxxxx address 82.xxx.yyy.158
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
! Single map entry: peer is Router 1's ATM0.1 address; ACL 100 selects
! 192.168.2.0/24 <-> 192.168.0.0/24, mirroring Router 1's ACL 105.
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to82.xxx.yyy.158
 set peer 82.xxx.yyy.158
 set transform-set ESP-3DES-SHA 
 match address 100
!
!
!
!
! Ethernet0: public /29 as primary (the address IKE sources from via the
! unnumbered PVC), private LAN as secondary, NAT inside.
interface Ethernet0
 ip address 192.168.2.110 255.255.255.0 secondary
 ip address 85.zzz.www.169 255.255.255.248
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
!
! WAN PVC: borrows Ethernet0's primary address; NAT outside and the crypto
! map are applied here.
interface ATM0.1 point-to-point
 ip unnumbered Ethernet0
 ip nat outside
 pvc 8/35 
  encapsulation aal5snap
 !
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
! PAT to Ethernet0's primary (public) address, gated by route-map
! SDM_RMAP_1 (ACL 102) so tunnel-bound traffic is not translated.
ip nat inside source route-map SDM_RMAP_1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
! NOTE(review): SDM is served over clear-text HTTP only (secure-server is
! off) and no "ip http access-class" limits its sources. Enable
! "ip http secure-server" with an access-class, or disable HTTP when SDM
! is not in use.
ip http server
no ip http secure-server
!
!
! NOTE(review): ACL 23 (permits the local /29) is defined but not applied
! anywhere in this config; it looks intended for "access-class 23 in" on
! the VTYs and/or "ip http access-class 23".
access-list 23 remark SDM_ACL Category=16
access-list 23 permit 85.zzz.www.168 0.0.0.7
! ACL 100: crypto ACL for the tunnel to Router 1.
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
! ACL 102: NAT exemption for route-map SDM_RMAP_1 - the "deny" keeps
! tunnel traffic untranslated, matching ACL 100 above.
access-list 102 remark SDM_ACL Category=16
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
! NOTE(review): no "login" or password on the AUX line; presumably nothing
! is attached, but confirm.
line aux 0
 transport preferred all
 transport output all
! NOTE(review): line password + "login" over Telnet on a public address:
! credentials and sessions cross the WAN in clear text, and no
! "access-class" limits the sources. Prefer "login local" with a "secret"
! user, "transport input ssh" (requires an RSA key pair) and
! "access-class 23 in".
line vty 0 4
 exec-timeout 120 0
 password xxxxxxxxx
 login
 length 0
 transport preferred all
 transport input telnet
 transport output all
!
scheduler max-task-time 5000
!
end
Il router 2 è stato configurato in modo da pubblicare uno degli IP pubblici forniti, dato che ormai il PTP non è più pingabile, a differenza del router 1, configurato tempo prima. Io credo che il problema sia nel router 2.

grazie anticipatamente per il supporto.

Inviato: ven 22 set , 2006 10:24 am
da saso
risolto:

Nel router 1, al posto dell'istruzione:
crypto isakmp key 2222222 address 85.zzz.www.169
ho messo:
crypto isakmp key 2222222 address 85.zzz.www.169 no-xauth

Nel router 2, al posto di:
crypto isakmp key xxxxxxxxxxx address 82.xxx.yyy.158
ho messo:
crypto isakmp key xxxxxxxxxxx address 82.xxx.yyy.158 no-xauth