VPN Client 4.0.3(F) and Trust Speedlink 445A ADSL modem router

Virtual private networks and related topics

Moderator: Federico.Lagni

raffru
n00b
Posts: 4
Joined: Wed 15 Nov 2006, 11:59 am

Hi,
I have a very serious problem that has been plaguing me for weeks.
I need to connect from home to the company network using ADSL (Libero flat).
I use the Cisco client 4.0.3 and the login phase works perfectly. From that moment on, though, I can't do anything: I can't ping anything, I can't browse, etc.
The modem router is compatible with "VPN pass through (IPSec-ESP Tunnel mode, L2TP, PPTP)" (so says the manual).
On this router NAT can be set to: disabled, NAT, NAPT and dynamic NAPT.
I have also opened (port forwarding) ports 4500 (UDP) and 500 (UDP), and tried using the Cisco client with the IPSec over UDP and over TCP (80) transport options, but no luck.

The number of "discarded" packets rises dramatically with every request, while the encrypted and decrypted packets are fewer (I see this in the client statistics).

I should point out that the VPN works correctly when using an analogue modem.
In the client log I (apparently) see nothing odd. I'll try to upload it as soon as I can.
If you need other info.... say so.

Please help me, I can't work at 56K!!!! :cry:
emanuele.ciani
Cisco fan
Posts: 62
Joined: Thu 11 May 2006, 1:47 pm
Location: Forlì

It probably works through an analogue modem because you have a public IP, whereas behind your router you have a NATted IP, so ask whoever manages the router/firewall to enable NAT traversal for you.

Another thing you can try right away is to lower the MTU from the Cisco client; I believe it's an executable in the folder where the program lives.

Let us know if you solve it.

Bye
raffru
n00b
Posts: 4
Joined: Wed 15 Nov 2006, 11:59 am

From the Cisco client log (which I may post tomorrow) it seems that NAT-T is already active on the company router....

As for the MTU, a few weeks ago I changed it with the DRTCP software to get better performance... maybe I'll set it back to the default value and try...

Thanks... for now!!!
raffru
n00b
Posts: 4
Joined: Wed 15 Nov 2006, 11:59 am

I set the MTU to the default value and rebooted the PC, but nothing doing...

Here is what happens on my Cisco client while connecting to the VPN (attached file).

Cisco Systems VPN Client Version 4.0.3 (F)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195

4 21:51:20.316 11/15/06 Sev=Info/4 CM/0x63100002
Begin connection process

5 21:51:20.416 11/15/06 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

6 21:51:20.416 11/15/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

7 21:51:20.416 11/15/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "eni-vpn1.eni.it"

8 21:51:21.528 11/15/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 151.96.0.3.

9 21:51:21.608 11/15/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 151.96.0.3

10 21:51:21.608 11/15/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

11 21:51:21.608 11/15/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

12 21:51:21.788 11/15/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 151.96.0.3

13 21:51:21.788 11/15/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 151.96.0.3

14 21:51:21.788 11/15/06 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

15 21:51:21.788 11/15/06 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

16 21:51:21.788 11/15/06 Sev=Info/5 IKE/0x63000001
Peer supports DPD

17 21:51:21.788 11/15/06 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

18 21:51:21.788 11/15/06 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

19 21:51:21.788 11/15/06 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text

20 21:51:21.818 11/15/06 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

21 21:51:21.818 11/15/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 151.96.0.3

22 21:51:21.818 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA

23 21:51:21.818 11/15/06 Sev=Info/4 IKE/0x63000082
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194

24 21:51:21.818 11/15/06 Sev=Info/5 IKE/0x63000071
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

25 21:51:21.818 11/15/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

26 21:51:21.848 11/15/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 151.96.0.3

27 21:51:21.848 11/15/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 151.96.0.3

28 21:51:21.848 11/15/06 Sev=Info/4 CM/0x63100015
Launch xAuth application

29 21:51:32.163 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA

30 21:51:42.178 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA

31 21:51:44.090 11/15/06 Sev=Info/4 CM/0x63100017
xAuth application returned

32 21:51:44.100 11/15/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 151.96.0.3

33 21:51:48.617 11/15/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 151.96.0.3

34 21:51:48.617 11/15/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 151.96.0.3

35 21:51:48.617 11/15/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 151.96.0.3

36 21:51:48.617 11/15/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

37 21:51:48.947 11/15/06 Sev=Info/5 IKE/0x6300005D
Client sending a firewall request to concentrator

38 21:51:48.947 11/15/06 Sev=Info/5 IKE/0x6300005C
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).

39 21:51:48.967 11/15/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 151.96.0.3

40 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 151.96.0.3

41 21:51:49.007 11/15/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 151.96.0.3

42 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.143.16.130

43 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.254.0

44 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.130.0.69

45 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 10.130.0.70

46 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 10.130.0.5

47 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(2) (a.k.a. WINS) : , value = 10.130.0.6

48 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

49 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

50 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc./VPN 3000 Concentrator Version 4.1.7.E built by vmurphy on Mar 14 2005 11:25:43

51 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

52 21:51:49.017 11/15/06 Sev=Info/4 CM/0x63100019
Mode Config data received

53 21:51:49.037 11/15/06 Sev=Info/4 IKE/0x63000055
Received a key request from Driver: Local IP = 10.143.16.130, GW IP = 151.96.0.3, Remote IP = 0.0.0.0

54 21:51:49.047 11/15/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 151.96.0.3

55 21:51:49.097 11/15/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 151.96.0.3

56 21:51:49.097 11/15/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 151.96.0.3

57 21:51:49.097 11/15/06 Sev=Info/5 IKE/0x63000044
RESPONDER-LIFETIME notify has value of 86400 seconds

58 21:51:49.097 11/15/06 Sev=Info/5 IKE/0x63000046
This SA has already been alive for 28 seconds, setting expiry to 86372 seconds from now

59 21:51:49.097 11/15/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 151.96.0.3

60 21:51:49.097 11/15/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 151.96.0.3

61 21:51:49.097 11/15/06 Sev=Info/5 IKE/0x63000044
RESPONDER-LIFETIME notify has value of 28800 seconds

62 21:51:49.097 11/15/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 151.96.0.3

63 21:51:49.108 11/15/06 Sev=Info/5 IKE/0x63000058
Loading IPsec SA (MsgID=8191EB5D OUTBOUND SPI = 0x661A84C2 INBOUND SPI = 0xE67E513C)

64 21:51:49.108 11/15/06 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x661A84C2

65 21:51:49.108 11/15/06 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0xE67E513C

66 21:51:51.731 11/15/06 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=10.143.16.130/255.255.254.0
DNS=10.130.0.69,10.130.0.70
WINS=10.130.0.5,10.130.0.6
Domain=
Split DNS Names=

67 21:51:51.751 11/15/06 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 0.0.0.0 10.0.0.6 1
0.0.0.0 0.0.0.0 0.0.0.0 10.143.16.130 1
10.0.0.0 10.0.0.0 10.0.0.0 10.0.0.6 1
10.0.0.6 10.0.0.6 10.0.0.6 127.0.0.1 1
10.143.16.0 10.143.16.0 10.143.16.0 10.143.16.130 1
10.143.16.130 10.143.16.130 10.143.16.130 127.0.0.1 1
10.255.255.255 10.255.255.255 10.255.255.255 10.0.0.6 1
10.255.255.255 10.255.255.255 10.255.255.255 10.143.16.130 1
127.0.0.0 127.0.0.0 127.0.0.0 127.0.0.1 1
224.0.0.0 224.0.0.0 224.0.0.0 10.0.0.6 1
224.0.0.0 224.0.0.0 224.0.0.0 10.143.16.130 1
255.255.255.255 255.255.255.255 255.255.255.255 10.0.0.6 1


68 21:51:51.861 11/15/06 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 0.0.0.0 10.0.0.6 2
0.0.0.0 0.0.0.0 0.0.0.0 10.143.16.130 1
10.0.0.0 10.0.0.0 10.0.0.0 10.0.0.6 1
10.0.0.0 10.0.0.0 10.0.0.0 10.143.16.130 1
10.0.0.2 10.0.0.2 10.0.0.2 10.0.0.6 1
10.0.0.6 10.0.0.6 10.0.0.6 127.0.0.1 1
10.143.16.0 10.143.16.0 10.143.16.0 10.143.16.130 1
10.143.16.130 10.143.16.130 10.143.16.130 127.0.0.1 1
10.255.255.255 10.255.255.255 10.255.255.255 10.0.0.6 1
10.255.255.255 10.255.255.255 10.255.255.255 10.143.16.130 1
127.0.0.0 127.0.0.0 127.0.0.0 127.0.0.1 1
151.96.0.3 151.96.0.3 151.96.0.3 10.0.0.6 1
224.0.0.0 224.0.0.0 224.0.0.0 10.0.0.6 1
224.0.0.0 224.0.0.0 224.0.0.0 10.143.16.130 1
255.255.255.255 255.255.255.255 255.255.255.255 10.0.0.6 1


69 21:51:51.861 11/15/06 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter

70 21:51:52.072 11/15/06 Sev=Info/4 CM/0x6310001A
One secure connection established

71 21:51:52.102 11/15/06 Sev=Info/4 CM/0x63100038
Address watch added for 10.0.0.6. Current address(es): 10.143.16.130, 10.0.0.6.

72 21:51:52.142 11/15/06 Sev=Info/4 CM/0x63100038
Address watch added for 10.143.16.130. Current address(es): 10.143.16.130, 10.0.0.6.

73 21:51:52.152 11/15/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

74 21:51:52.152 11/15/06 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

75 21:51:52.152 11/15/06 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xc2841a66 into key list

76 21:51:52.152 11/15/06 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

77 21:51:52.152 11/15/06 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x3c517ee6 into key list

78 21:51:52.152 11/15/06 Sev=Info/4 IPSEC/0x6370002E
Assigned VA private interface addr 10.143.16.130

79 21:51:52.212 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA

80 21:51:53.444 11/15/06 Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0xc2841a66 for inbound key with SPI=0x3c517ee6

81 21:52:32.750 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA

82 21:52:42.765 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA

83 21:53:22.822 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA

84 21:53:32.837 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA

85 21:53:42.921 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA

86 21:53:53.366 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA

87 21:54:03.391 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA

88 21:54:23.419 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA

89 21:54:33.434 11/15/06 Sev=Info/6 IKE/0x63000054
Sent a keepalive on the IPSec SA
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

Where does the VPN terminate? On a PIX?
Check on that device whether NAT-T is enabled; 99% of the time the problem is this!
The future is made of people who have intuitions and visions..... it's those people who make the difference...... the ones endowed with a THIRD EYE....
raffru
n00b
Posts: 4
Joined: Wed 15 Nov 2006, 11:59 am

There is definitely NAT-T support; in fact I can see it in the log:

17 21:51:21.788 11/15/06 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

and then:

51 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

port 1194 (hex) is UDP 4500....
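The thread keeps going back to the posted log to settle two questions: is NAT-T really in use (the 0x1194 port, the "This end IS behind a NAT device" verdict), and is the tunnel actually installed and routed (the ESP SPIs, the two default routes). The script below is an added example, not part of the forum thread and not Cisco's tooling; it parses a constructed excerpt of the log posted above and answers those questions in one place. Function names and the SAMPLE_LOG excerpt are mine; the VPN address 10.143.16.130 and all log values come from the log as posted. One detail worth knowing when reading the log: the IPSEC driver lines print the same SPIs that IKE loaded with the byte order reversed (0x661A84C2 becomes 0xc2841a66), so the check swaps bytes before comparing.

```python
"""Added diagnostic helper for a Cisco VPN Client 4.x log (example code, not part
of the forum thread and not Cisco's tooling): it extracts the NAT-traversal facts
the thread argues about and cross-checks them.  SAMPLE_LOG is a constructed
excerpt of the log posted above."""
import re
from typing import Dict, Optional, Tuple

SAMPLE_LOG = """\
23 21:51:21.818 11/15/06 Sev=Info/4 IKE/0x63000082
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
24 21:51:21.818 11/15/06 Sev=Info/5 IKE/0x63000071
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
51 21:51:49.007 11/15/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
64 21:51:49.108 11/15/06 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x661A84C2
65 21:51:49.108 11/15/06 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0xE67E513C
68 21:51:51.861 11/15/06 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 0.0.0.0 10.0.0.6 2
0.0.0.0 0.0.0.0 0.0.0.0 10.143.16.130 1
151.96.0.3 151.96.0.3 151.96.0.3 10.0.0.6 1
75 21:51:52.152 11/15/06 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xc2841a66 into key list
77 21:51:52.152 11/15/06 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x3c517ee6 into key list
"""

# Patterns matching the exact wording the client uses in the posted log.
NAT_T_PORT = re.compile(r"NAT-T port number , value = (0x[0-9A-Fa-f]+)")
IKE_PORTS = re.compile(r"Local Port = (0x[0-9A-Fa-f]+), Remote Port = (0x[0-9A-Fa-f]+)")
NAT_STATUS = re.compile(r"^(Remote end|This end) (is NOT|IS) behind a NAT device$", re.M)
IKE_SPI = re.compile(r"Loaded (OUTBOUND|INBOUND) ESP SPI: 0x([0-9A-Fa-f]{8})")
DRIVER_SPI = re.compile(r"Added key with SPI=0x([0-9A-Fa-f]{8}) into key list")
ROUTE_HEADER = "Destination Netmask Gateway Interface Metric"
ROUTE_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+) \S+ \S+ (\d+\.\d+\.\d+\.\d+) (\d+)$", re.M)


def nat_t_port(log: str) -> Optional[int]:
    """Decimal UDP port the concentrator assigned for NAT-T (0x1194 -> 4500)."""
    m = NAT_T_PORT.search(log)
    return int(m.group(1), 16) if m else None


def ike_ports(log: str) -> Optional[Tuple[int, int]]:
    """(local, remote) UDP ports IKE is actually using, as decimals."""
    m = IKE_PORTS.search(log)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def nat_detection(log: str) -> Dict[str, bool]:
    """Which ends the NAT-D exchange flagged as being behind a NAT."""
    found = {}
    for end, verdict in NAT_STATUS.findall(log):
        found["local" if end == "This end" else "remote"] = verdict == "IS"
    return found


def swap32(value: int) -> int:
    """Reverse the byte order of a 32-bit value (network <-> host order)."""
    return int.from_bytes(value.to_bytes(4, "big"), "little")


def spis_consistent(log: str) -> Dict[str, bool]:
    """Check each SPI negotiated by IKE reached the IPsec driver's key list.
    The driver prints the same SPIs byte-reversed (0x661A84C2 shows up as
    0xc2841a66 in the posted log), so compare after swapping."""
    driver = {int(s, 16) for s in DRIVER_SPI.findall(log)}
    return {direction: swap32(int(s, 16)) in driver
            for direction, s in IKE_SPI.findall(log)}


def default_route_via_vpn(log: str, vpn_ip: str) -> bool:
    """True if the lowest-metric default route in the last routing-table dump
    leaves through the virtual adapter's address (traffic enters the tunnel)."""
    parts = log.split(ROUTE_HEADER)
    if len(parts) < 2:
        return False
    defaults = [(int(metric), iface)
                for dst, iface, metric in ROUTE_ROW.findall(parts[-1])
                if dst == "0.0.0.0"]
    return bool(defaults) and min(defaults)[1] == vpn_ip


def summarize(log: str, vpn_ip: str) -> Dict[str, object]:
    """One-shot verdict on the points raised in the thread."""
    nat = nat_detection(log)
    return {
        "nat_t_port": nat_t_port(log),
        "nat_t_in_use": ike_ports(log) == (4500, 4500),
        "local_behind_nat": nat.get("local"),
        "remote_behind_nat": nat.get("remote"),
        "spis_consistent": all(spis_consistent(log).values()),
        "default_route_via_vpn": default_route_via_vpn(log, vpn_ip),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "10.143.16.130").items():
        print(f"{key}: {value}")
```

Run against the posted log this reports NAT-T negotiated and in use on UDP 4500, only the local end behind NAT, both SPIs present in the driver, and the default route pointing at the virtual adapter: in other words, every client-side indicator looks healthy, which is why the thread's remaining suspicion falls on what the router does to ESP-in-UDP traffic rather than on the IKE negotiation itself.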