Help with a Cisco 2621XM - PIX 501 VPN !!!!

Posted: Wed 30 Apr 2008 8:01 pm
by fabiofe
Hello everyone,

I have a problem with a tunnel built between a 2621XM router, which acts as the hub for about 8-10 site-to-site tunnels with as many Cisco 837s and ONE PIX 501. The tunnels with the Cisco 837s work perfectly, while with the PIX I am having a lot of trouble, in the sense that the tunnel struggles to come up. I mean that sometimes it comes up, sometimes it doesn't, and sometimes it comes up after hours without my having touched the configuration. Once the tunnel is up, everything usually works fine until the PIX is switched off or the tunnel drops on its normal timeout.

Can anyone explain to me why?

This is the PIX configuration:

----------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
hostname pixbiasotto
domain-name biasottospedizioni.it
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 192.168.43.0 255.255.255.0 172.24.24.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.43.0 255.255.255.0 172.24.24.0 255.255.255.0
access-list outside_access_in permit tcp any host 78.4.165.74 eq ssh
access-list outside_access_in permit icmp any host 78.4.165.74
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 78.4.165.74 255.255.255.248
ip address inside 192.168.43.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.43.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 78.4.165.73 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 62.173.191.14
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 62.173.191.14 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000
telnet timeout 5
ssh 172.24.24.0 255.255.255.0 outside
ssh 81.174.12.79 255.255.255.255 outside
ssh 195.43.173.202 255.255.255.255 outside
ssh 62.173.191.14 255.255.255.255 outside
ssh 192.168.43.0 255.255.255.0 inside
ssh timeout 60
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXX
: end
----------------------------------------


And this is the router configuration:
----------------------------------------
Current configuration : 10371 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hpsmilano
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXXXXX
!
username fabio password 7 XXXXXXXXXXXXXXXXX
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
!
!
!
no ip cef
ip domain name accapiesse.it
ip inspect name defaultfw ftp timeout 3600
ip inspect name defaultfw smtp timeout 3600
ip inspect name defaultfw cuseeme timeout 3600
ip inspect name defaultfw realaudio timeout 3600
ip inspect name defaultfw h323 timeout 3600
ip inspect name defaultfw rcmd timeout 3600
ip inspect name defaultfw udp timeout 15
ip inspect name defaultfw tcp timeout 3600
ip inspect name defaultfw tftp timeout 30
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key LAMIAPWD address 78.4.165.74
[OMITTED: lines analogous to the previous one]
!
!
crypto ipsec transform-set ESP-DES esp-des esp-md5-hmac
!
crypto map vpnmilano local-address FastEthernet0/0
crypto map vpnmilano 18 ipsec-isakmp
set peer 78.4.165.74
set transform-set ESP-DES
set pfs group2
match address vpn-to-biasotto
[OMITTED: 5 lines analogous to the previous ones]
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 195.43.190.225 255.255.255.248 secondary
ip address 62.173.191.14 255.255.255.252
ip access-group bloccoentrate in
ip nat outside
ip inspect defaultfw in
ip inspect defaultfw out
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
crypto map vpnmilano
!
interface FastEthernet0/1
ip address 172.24.24.254 255.255.255.0
ip access-group bloccouscite in
ip nat inside
ip inspect defaultfw in
ip inspect defaultfw out
ip virtual-reassembly
ip route-cache policy
ip policy route-map nonat
duplex auto
speed auto
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 62.173.191.13
!
no ip http server
no ip http secure-server
ip nat inside source list ipdanattare interface FastEthernet0/0 overload
ip nat inside source static tcp 172.24.24.1 20 195.43.190.226 20 extendable
[OMITTED: lines analogous to the previous one]
ip nat inside source static tcp 172.24.24.5 5630 195.43.190.230 5630 extendable
[OMITTED: lines analogous to the previous one]
!
ip access-list extended acl-nonat
permit ip 172.24.24.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.24.24.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended bloccoentrate
permit icmp any any
permit esp any host 62.173.191.14
permit udp any host 62.173.191.14 eq isakmp
permit udp any host 195.43.190.229 eq 623
permit tcp any host 195.43.190.230 eq ftp-data
[OMITTED: lines analogous to the previous one]
permit tcp any host 62.173.191.14 eq 22
permit ip 10.0.0.0 0.255.255.255 172.24.24.0 0.0.0.255
permit ip 172.24.24.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.0.0 0.0.255.255 172.24.24.0 0.0.0.255
permit ip 172.24.24.0 0.0.0.255 192.168.0.0 0.0.255.255
permit tcp any host 195.43.190.230 eq 5640
[OMITTED: lines analogous to the previous one]
ip access-list extended bloccouscite
permit tcp any any eq 6660 log
[OMITTED: lines analogous to the previous one]
permit ip any any
ip access-list extended ipdanattare
deny ip 172.24.24.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.24.24.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 172.24.24.0 0.0.0.255 any
ip access-list extended vpn-to-biasotto
permit ip 172.24.24.0 0.0.0.255 192.168.43.0 0.0.0.255
[OMITTED: lines analogous to the 2 previous ones]
!
logging facility local2
logging 172.24.24.1
access-list 23 permit 195.43.173.202
[OMITTED]
!
route-map nonat permit 10
match ip address acl-nonat
set ip next-hop 1.1.1.2
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
exec-timeout 0 0
modem InOut
modem autoconfigure discovery
transport preferred telnet
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
transport input ssh
!
!
end
----------------------------------------


This is the PIX log:
----------------------------------------
702208: ISAKMP Phase 1 exchange started (local 78.4.165.74 (responder), remote 62.173.191.14)
crypto_isakmp_process_block:src:62.173.191.14, dest:78.4.165.74 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:62.173.191.14, dest:78.4.165.74 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

return status is IKMP_NO_ERROR
702202: ISAKMP Phase 1 delete sent (local 78.4.165.74 (responder), remote 62.173.191.14)
crypto_isakmp_process_block:src:62.173.191.14, dest:78.4.165.74 spt:500 dpt:500
702210: ISAKMP Phase 1 exchange completed (local 78.4.165.74 (responder), remote 62.173.191.14)
OAK_MM exchange
602202: ISAKMP session connected (local 78.4.165.74 (responder), remote 62.173.191.14)
ISAKMP (0): processing ID payload. message ID = 0
602201: ISAKMP Phase 1 SA created (local 78.4.165.74/500 (responder), remote 62.173.191.14/500, authentication=pre-share, encryption=DES-CBC, hash=MD5, group=2, lifetime=1000s)
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 62.173.191.14

ISAKMP (0): deleting SA: src 62.173.191.14, dst 78.4.165.74
ISADB: reaper checking SA 0xac9ca4, conn_id = 0
ISADB: reaper checking SA 0xa2ee0c, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:62.173.191.14/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:62.173.191.14/500 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 62.173.191.14

ISADB: reaper checking SA 0xac9ca4, conn_id = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:62.173.191.14/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:62.173.191.14/500 Ref cnt incremented to:1 Total VPN Peers:1
702206: ISAKMP malformed payload received (local 78.4.165.74 (responder), remote 62.173.191.14)
crypto_isakmp_process_block:src:62.173.191.14, dest:78.4.165.74 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
ISADB: reaper checking SA 0xac9ca4, conn_id = 0
702206: ISAKMP malformed payload received (local 78.4.165.74 (responder), remote 62.173.191.14)
crypto_isakmp_process_block:src:62.173.191.14, dest:78.4.165.74 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
702206: ISAKMP malformed payload received (local 78.4.165.74 (responder), remote 62.173.191.14)
crypto_isakmp_process_block:src:62.173.191.14, dest:78.4.165.74 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
702206: ISAKMP malformed payload received (local 78.4.165.74 (responder), remote 62.173.191.14)
crypto_isakmp_process_block:src:62.173.191.14, dest:78.4.165.74 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
---------------------------------------------

And this is the one from the Cisco 2621XM:
---------------------------------------------
Apr 30 19:06:13 172.24.24.254 705: *Jan 11 20:31:49.808: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 78.4.165.74 failed its sanity check or is malformed
Apr 30 19:13:00 172.24.24.254 706: *Jan 11 20:38:38.448: %CRYPTO-4-IKMP_NO_SA: IKE message from 78.4.165.74 has no SA and is not an initialization offer
Apr 30 19:13:00 172.24.24.254 707: *Jan 11 20:38:38.448: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Bad function code
Apr 30 19:13:01 172.24.24.254 708: *Jan 11 20:38:38.456: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 78.4.165.74 failed its sanity check or is malformed
---------------------------------------------

For completeness, I should mention that the connection is ALBACOM.

Thanks to everyone willing to give me a hand.

Fabio
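Added example, not part of the original post: a Python walk over an IKEv1/ISAKMP message that applies the same check behind the PIX's "reserved not zero on payload 5!" lines above. Per RFC 2408 every payload starts with a generic header (next payload, RESERVED, length) whose RESERVED byte must be zero, and payload type 5 is the Identification payload; the message built here is constructed to mirror the ID payload the PIX debug printed (ID_IPV4_ADDR, UDP/500, 12 bytes, next payload HASH), so the cookies, the placeholder hash and the mangled reserved byte are assumptions, not captured traffic.

```python
import struct

# Constructed example: ISAKMP (IKEv1) generic-payload-header validation, RFC 2408 sec. 3.2.
ISAKMP_HDR_LEN = 28   # cookies 16 + next payload 1 + version 1 + exchange 1 + flags 1 + msg id 4 + length 4

# RFC 2408 payload type numbers; type 5 is the Identification (ID) payload
PAYLOAD_NAMES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}


def check_payload_chain(msg: bytes) -> list:
    """Walk the payload chain and return (payload_type, problem) tuples; [] means well-formed."""
    findings = []
    if len(msg) < ISAKMP_HDR_LEN:
        return [(0, "message shorter than ISAKMP header")]
    next_type = msg[16]                                   # first payload type, from the ISAKMP header
    total_len = struct.unpack("!I", msg[24:28])[0]
    if total_len != len(msg):
        findings.append((0, f"header length {total_len} != actual {len(msg)}"))
    off = ISAKMP_HDR_LEN
    while next_type != 0:                                 # 0 = NONE terminates the chain
        if off + 4 > len(msg):
            findings.append((next_type, "generic header truncated"))
            break
        nxt, reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if reserved != 0:                                 # the check behind the PIX "reserved not zero" message
            findings.append((next_type, f"reserved not zero on payload {next_type}"))
        if plen < 4 or off + plen > len(msg):
            findings.append((next_type, f"bad payload length {plen}"))
            break
        off += plen
        next_type = nxt
    return findings


def build_id_hash_message(id_reserved: int = 0) -> bytes:
    """Constructed body mirroring the PIX debug: an ID payload (ID_IPV4_ADDR, UDP/500,
    12 bytes total, next payload 8 = HASH) followed by a 20-byte HASH payload."""
    id_body = struct.pack("!BBH4B", 1, 17, 500, 62, 173, 191, 14)      # id type, protocol, port, address
    id_pl = struct.pack("!BBH", 8, id_reserved, 4 + len(id_body)) + id_body
    hash_pl = struct.pack("!BBH", 0, 0, 20) + b"\x00" * 16             # placeholder hash, next payload NONE
    body = id_pl + hash_pl
    # header: made-up cookies, first payload 5 (ID), version 1.0, exchange 2 (main mode), flags 1 (encrypted)
    hdr = b"\x11" * 8 + b"\x22" * 8 + struct.pack("!BBBBII", 5, 0x10, 2, 1, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body

if __name__ == "__main__":
    for label, msg in (("clean", build_id_hash_message()), ("mangled", build_id_hash_message(0x80))):
        print(label, [(PAYLOAD_NAMES.get(t, t), p) for t, p in check_payload_chain(msg)])
```

In main mode the ID payload travels encrypted, so a responder runs this check on the decrypted bytes; garbage produced by a failed decryption fails it just as a badly built packet does.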