VPN IPSec L2L Cisco 877 - SonicWall

[Wizard]

Ciao, ho una vpn l2l tra un Cisco 877 (gestito da me) e un firewall SonicWall (gestito da altri)...
Il problema è che la vpn va su solo se le richieste partono dalla rete dietro al "mio" router.
Mai successa una cosa del genere?
Mai configurata una vpn l2l tra un cisco e un sonicwall?

Ecco la config del mio router:

version 12.4
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ***
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000
enable password ***
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
!
!
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect one-minute high 500
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 0
ip inspect name IDS tcp
ip inspect name IDS udp
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
no ip bootp server
ip name-server 151.99.125.1
ip ssh time-out 60
ip scp server enable
!
!
!
!
!
username admin password 7 ***
username assistenza password 7 ***
username vpnuser1 password 7 ***
username vpnuser2 password 7 ***
username vpnuser3 password 7 ***
username vpnuser4 password 7 ***
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key vpn%c5fl2l0k%olkg address *** no-xauth
!
crypto isakmp client configuration group remote-vpn
key mt%aidv^^doigtle009isooXDbreone
pool remote-pool
acl 151
!
!
crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
crypto ipsec transform-set VPN-L2L ah-md5-hmac esp-3des
!
crypto dynamic-map remote-dyn 10
set transform-set VPN-CLI-SET
!
!
crypto map remotemap local-address Loopback0
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 20 ipsec-isakmp
set peer ***
set transform-set VPN-CLI-SET
match address 152
crypto map remotemap 65535 ipsec-isakmp dynamic remote-dyn
!
!
!
!
interface Loopback0
ip address *** 255.255.255.248
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
no ip mroute-cache
hold-queue 224 in
!
interface ATM0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
ip address *** 255.255.255.252
ip access-group 131 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat outside
ip virtual-reassembly
no ip mroute-cache
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
!
crypto map remotemap
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.22.253 255.255.255.0
ip inspect IDS in
ip nat inside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
!
ip local pool remote-pool 192.168.22.240 192.168.22.243
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.22.240 255.255.255.252 ATM0.1
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Loopback0 overload
!
logging history debugging
access-list 101 remark *************************************************************
access-list 101 remark *** ACL PER PAT E NAT0 ***
access-list 101 remark *************************************************************
access-list 101 deny ip 192.168.22.0 0.0.0.255 192.168.22.240 0.0.0.3
access-list 101 deny ip 192.168.22.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.22.0 0.0.0.255 any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER PERMETTERE ACCESSO DA SEDOC DIGITAL GROUP ***
access-list 131 remark *************************************************************
access-list 131 permit ip *** 0.0.0.31 any
access-list 131 permit ip host **** any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER TRAFFICO VPN ***
access-list 131 remark *************************************************************
access-list 131 permit esp any any
access-list 131 permit udp any any eq isakmp
access-list 131 permit udp any any eq non500-isakmp
access-list 131 permit udp any eq isakmp any
access-list 131 permit udp any eq non500-isakmp any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 remark *************************************************************
access-list 131 deny ip host 0.0.0.0 any log
access-list 131 deny ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 remark *************************************************************
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny icmp any any
access-list 131 remark ***************************************************************
access-list 131 remark *** ACL PER BLOCCARE L'ACCESSO A VIRUS E ATTACCHI ***
access-list 131 remark *************************************************************
access-list 131 deny tcp any any eq 135
access-list 131 deny udp any any eq 135
access-list 131 deny udp any any eq netbios-ns
access-list 131 deny udp any any eq netbios-dgm
access-list 131 deny tcp any any eq 139
access-list 131 deny udp any any eq netbios-ss
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any eq 593
access-list 131 deny tcp any any eq 2049
access-list 131 deny udp any any eq 2049
access-list 131 deny tcp any any eq 2000
access-list 131 deny tcp any any range 6000 6010
access-list 131 deny udp any any eq 1433
access-list 131 deny udp any any eq 1434
access-list 131 deny udp any any eq 5554
access-list 131 deny udp any any eq 9996
access-list 131 deny udp any any eq 113
access-list 131 deny udp any any eq 3067
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 131 remark *************************************************************
access-list 131 deny ip any any log
access-list 131 remark *************************************************************
access-list 151 remark *** ACL PER SPLIT-TUNNEL DA VPN-CLIENT ***
access-list 151 remark *************************************************************
access-list 151 permit ip 192.168.22.0 0.0.0.255 192.168.22.240 0.0.0.3
access-list 151 remark *************************************************************
access-list 152 remark *** CRYPTO ACL PER TUNNEL IPSEC CON CIS&MET ***
access-list 152 remark *************************************************************
access-list 152 permit ip 192.168.22.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 152 remark *************************************************************
no cdp run
!
!
!
control-plane
!
banner motd ^C
---------------------------------------------------------------
---------------------------------------------------------------
This system is for the use of authorized users only.
Individuals using this computer system without authority, or in
excess of their authority, are subject to having all of their
activities on this system monitored and recorded by system
personnel.
In the course of monitoring individuals improperly using this
system, or in the course of system maintenance, the activities
of authorized users may also be monitored.
Anyone using this system expressly consents to such monitoring
and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide the
evidence of such monitoring to law enforcement officials.
---------------------------------------------------------------
---------------------------------------------------------------
^C
!
line con 0
exec-timeout 0 0
login local
no modem enable
transport output telnet ssh
line aux 0
exec-timeout 0 0
login local
transport output telnet ssh
line vty 0 4
exec-timeout 0 0
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
ntp clock-period 17179720
ntp server 193.204.114.232
ntp server 193.204.114.233
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end

[gullio23]

credo che sicuramente l'interesting traffic e questo:
access-list 152 permit ip 192.168.22.0 0.0.0.255 192.168.0.0 0.0.0.255
quindi lui tira su la vpn solo se le richieste provengono da questa subnet.
dall'altra parte ovviamente(sonicwall) deve esserci la stessa conf quindi il discorso e lo stesso.

spero di esserti dtato di aiuto
saluti
Giulio

[Wizard]

access-list 152 permit ip 192.168.22.0 0.0.0.255 192.168.0.0 0.0.0.255

Questa è la crypto map per il traffico ipsec e quindi della vpn.
Dalla altra parte dovrebbe essere reciproca chiaramente...

[gullio23]

si intendevo che era la acl della crypto map cmq il tuo problema e che vuoi far accedere altre lan che stanno dietro il tuo router oppure se la richiesta viene dalla lan opposta non sale la vpn?
se ti puoi spiegare meglio, ti posso aiutare.
magari se avessi la conf del firewall sonicwall ti potrei fare un'analisi migliore(sempre se il problema sta dall'altra parte)

saluti
Giulio

[Wizard]

il tuo problema e che vuoi far accedere altre lan che stanno dietro il tuo router oppure se la richiesta viene dalla lan opposta non sale la vpn?

Il mio problema è che se la vpn è giù e quindi va tirata su, se il traffico parte da dietro al sonicwall la vpn non si attiva.
Purtroppo la configurazione del sonicwall non la ho...

[gullio23]

allora nel tab advanced del sonicwall c'e un impostazione che potrebbe fare al caso tuo.

"try to bring all possible tunnel"

e ovviamente se la conf del sonicwall e corretta deve essere specificata una lan di destinazione del tunnel per cui il traffico deve attivare la vpn, altrimenti non funge.

pero e possibile che per problemi di connettivita il keepalive tra i due router va giu e quindi con la conseguente perdita del tunnel

questa opzione potrebbe risolverti il problema sul sonicwall

ovviamente il problema non e tuo ma e della conf del sonic da come tu mi hai spiegato.

prova a parlare con i tizi del sonic magari risolvi in pochi minuti.


ciao
Giulio

[Wizard]

Grazie mille!
Ho mandato una mail all'altro sistemsta con le tue indicazioni, ora vedremo.

[Wizard]

Scusate, il firewall non gestito da me non è un sonicwall ma un Firebox 700

[Wizard]

Ci abbiamo lavorato in 3 per diverso tempo...alla fine debuggando sul router Cisco, quando la vpn la si doveva tirare su facendo traffico da dietro il firebox, la fase 1 andava su ma la fase 2 no, sembra che le policy nn matchino ma non ha senso perchè se fosse così non andrebbe neppure se il traffico partisse da dietro al Cisco.
In tutti i casi ora c'è un tunnel isdn che funziona bene e x quello che devo fare loro va bene.