VPN problem

Virtual private networks and related topics

Moderator: Federico.Lagni

[email protected]
Cisco power user
Posts: 83
Joined: Tue 20 Jun 2006, 9:37 am

Hi everyone...
I'm trying to set up a VPN between the Cisco VPN client and a Cisco 837.
Here is my config:

------------------------------------------------------------------------
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router_Casa
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 debugging
enable secret 5 xxxxxx
enable password 7 xxxx
aaa new-model
!
aaa authentication login LISTA-UTENTI-VPN local
aaa authorization network GRUPPO-UTENTI-VPN local
!
aaa session-id common
!
resource policy
!
clock timezone SOLARE 1
clock summer-time LEGALE recurring last Sat Mar 2:00 last Sat Oct 3:00
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.20.1 192.168.20.9
!
ip dhcp pool casa
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 85.37.17.47
lease 7
!
!
ip dhcp update dns both
ip cef
ip name-server 85.37.17.47
ip name-server 151.99.125.3
ip inspect name LOW cuseeme
ip inspect name LOW dns
ip inspect name LOW ftp
ip inspect name LOW h323
ip inspect name LOW https
ip inspect name LOW icmp
ip inspect name LOW imap
ip inspect name LOW pop3
ip inspect name LOW netshow
ip inspect name LOW rcmd
ip inspect name LOW realaudio
ip inspect name LOW rtsp
ip inspect name LOW esmtp
ip inspect name LOW sqlnet
ip inspect name LOW streamworks
ip inspect name LOW tftp
ip inspect name LOW tcp
ip inspect name LOW udp
ip inspect name LOW vdolive
ip ssh time-out 15
ip ssh version 2
ip ddns update method dyndns
HTTP
add http://xxx:[email protected]/nic/u ... ns&hostname=<h>&myip=<a>
interval maximum 0 23 0 0
!
ip dhcp-client update dns server both
username xxx privilege 15 password 7 xxx
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local VPN-CLIENT-POOL
crypto isakmp client configuration group GRUPPO-UTENTI-VPN
key xxx
pool VPN-CLIENT-POOL
acl 111
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-des esp-md5-hmac
!
crypto ipsec profile CRYPTO-VPN
!
!
crypto dynamic-map VPNDYNAMIC 1
set transform-set ESP-3DES-MD5

crypto map CRYPTO-VPN client authentication list LISTA-UTENTI-VPN
crypto map CRYPTO-VPN isakmp authorization list GRUPPO-UTENTI-VPN
crypto map CRYPTO-VPN client configuration address respond
crypto map CRYPTO-VPN 1 ipsec-isakmp dynamic VPNDYNAMIC
!
interface Ethernet0
ip address 192.168.20.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
crypto map CRYPTO-VPN
hold-queue 100 out
!
interface Ethernet2
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
ip ddns update hostname xxx
ip ddns update dyndns host xxx
ip address negotiated
ip access-group 101 in
ip nat outside
ip inspect LOW out
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
ppp chap hostname xxx
ppp chap password 7 xxx
ppp pap sent-username xxx password 7 xxx
crypto map CRYPTO-VPN
!
ip local pool VPN-CLIENT-POOL 172.160.24.50 172.160.24.99
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 1200
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 4096
ip nat inside source list 25 interface Dialer0 overload
ip nat inside source static tcp 192.168.20.10 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.20.10 6882 interface Dialer0 6882
ip nat inside source static tcp 192.168.20.11 4662 interface Dialer0 4662
ip nat inside source static tcp 192.168.20.11 6881 interface Dialer0 6881
ip nat inside source static udp 192.168.20.11 4673 interface Dialer0 4673
ip nat inside source static udp 192.168.20.10 23580 interface Dialer0 23580
ip nat inside source static tcp 192.168.20.10 7954 interface Dialer0 7954
!
logging trap debugging
access-list 1 remark PERMESSI PER IL TELNET
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 25 remark PERMESSI PER LA NAT
access-list 25 permit any
access-list 100 permit udp host 62.152.126.5 eq ntp host 192.168.20.1 eq ntp
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp host 62.152.126.5 eq ntp any eq ntp
access-list 101 deny ip 192.168.20.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 7954
access-list 101 permit udp any any eq 23580
access-list 101 permit udp any any eq 4673
access-list 101 permit tcp any any eq 6881
access-list 101 permit tcp any any eq 4662
access-list 101 permit tcp any any eq 6882
access-list 101 permit tcp host x.x.x.x any eq 3389 log
access-list 101 permit udp any any eq isakmp log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 111 remark PERMESSI PER IL CLIENT VPN
access-list 111 permit ip 192.168.20.0 0.0.0.255 172.160.24.0 0.0.0.255
no cdp run
!
!
control-plane
!
banner login ^CCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
!
scheduler max-task-time 5000
sntp server 62.152.126.5
end

------------------------------------------------------------------------

In the logs I can see it tries to do something:

21131: Jul 25 14:40:36.398: %SEC-6-IPACCESSLOGP: list 101 denied tcp 87.3.28.141(3557) -> 87.3.88.149(445), 1 packet
21130:
21129: Jul 25 14:40:21.410: ISAKMP:(1015):Old State = IKE_R_AM2 New State = IKE_DEST_SA
21128: Jul 25 14:40:21.410: ISAKMP:(1015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
21127: Jul 25 14:40:21.406: IPSEC(key_engine): got a queue event with 1 KMI message(s)
21126: Jul 25 14:40:21.402: ISAKMP: Deleting peer node by peer_reap for xxx 82C17FCC
21125: Jul 25 14:40:21.402: ISAKMP: Unlocking peer struct 0x82C17FCC for isadb_mark_sa_deleted(), count 0
21124: Jul 25 14:40:21.394: ISAKMP:(1015):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer xxx
21123: Jul 25 14:40:21.394: ISAKMP:(1015):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer xxx)
21122:
21121: Jul 25 14:40:21.394: ISAKMP:(1015):peer does not do paranoid keepalives.
21120: Jul 25 14:40:21.394: ISAKMP:(1015): retransmitting phase 1 AG_INIT_EXCH...
21119: Jul 25 14:40:11.390: ISAKMP:(1015): sending packet to xxx my_port 500 peer_port 500 (R) AG_INIT_EXCH
21118: Jul 25 14:40:11.390: ISAKMP:(1015): retransmitting phase 1 AG_INIT_EXCH
21117: Jul 25 14:40:11.390: ISAKMP (0:1015): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
21116: Jul 25 14:40:11.390: ISAKMP:(1015): retransmitting phase 1 AG_INIT_EXCH...
21115: Jul 25 14:40:05.002: %SEC-6-IPACCESSLOGP: list 101 denied tcp 84.222.255.98(4662) -> 87.3.88.149(2212), 3 packets
21114: Jul 25 14:40:05.002: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 6 packets
21113: Jul 25 14:40:04.866: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 87.3.84.91 -> 87.3.88.149 (8/0), 1 packet
21112: Jul 25 14:40:01.386: ISAKMP:(1015): sending packet to xxx my_port 500 peer_port 500 (R) AG_INIT_EXCH
21111: Jul 25 14:40:01.386: ISAKMP:(1015): retransmitting phase 1 AG_INIT_EXCH
21110: Jul 25 14:40:01.386: ISAKMP (0:1015): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
21109: Jul 25 14:40:01.386: ISAKMP:(1015): retransmitting phase 1 AG_INIT_EXCH...
21108: Jul 25 14:39:51.382: ISAKMP:(1015): sending packet to xxx my_port 500 peer_port 500 (R) AG_INIT_EXCH
21107: Jul 25 14:39:51.382: ISAKMP:(1015): retransmitting phase 1 AG_INIT_EXCH
21106: Jul 25 14:39:51.382: ISAKMP (0:1015): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
21105: Jul 25 14:39:51.382: ISAKMP:(1015): retransmitting phase 1 AG_INIT_EXCH...
21104: Jul 25 14:39:41.378: ISAKMP:(1015): sending packet to xxx my_port 500 peer_port 500 (R) AG_INIT_EXCH
21103: Jul 25 14:39:41.378: ISAKMP:(1015): retransmitting phase 1 AG_INIT_EXCH
21102: Jul 25 14:39:41.378: ISAKMP (0:1015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
21101: Jul 25 14:39:41.378: ISAKMP:(1015): retransmitting phase 1 AG_INIT_EXCH...
21100: Jul 25 14:39:31.382: ISAKMP:(1015): sending packet to xxx my_port 500 peer_port 500 (R) AG_INIT_EXCH
21099: Jul 25 14:39:31.382: ISAKMP:(1015): retransmitting phase 1 AG_INIT_EXCH
21098: Jul 25 14:39:31.382: ISAKMP (0:1015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
21097: Jul 25 14:39:31.382: ISAKMP:(1015): retransmitting phase 1 AG_INIT_EXCH...
21096: Jul 25 14:39:29.130: %SEC-6-IPACCESSLOGP: list 101 denied tcp 82.53.155.141(4949) -> 87.3.88.149(445), 1 packet
21095: Jul 25 14:39:26.354: %SEC-6-IPACCESSLOGP: list 101 denied udp 204.16.208.60(49475) -> 87.3.88.149(1026), 1 packet
21094:
21093: Jul 25 14:39:21.386: ISAKMP:(1015):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
21092: Jul 25 14:39:21.382: ISAKMP:(1015):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY


and in the end nothing happens..
Where am I going wrong??

Bye
Last edited by [email protected] on Thu 10 Dec 2009, 12:27 pm, edited 1 time in total.
[email protected]
Cisco power user
Posts: 83
Joined: Tue 20 Jun 2006, 9:37 am

OK, I managed to solve it myself...

The problem was fixed by opening UDP port non500-isakmp (4500).
Bye everyone
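What the log in the first post actually records, as an added example that is not part of this thread: a small Python parser that groups the ISAKMP lines by SA id, counts the phase 1 retransmissions and maps the "Death by retransmission P1" outcome to a likely cause. The sample lines are constructed in the router's log format with a documentation peer address. The verdict it gives for this pattern is the reasoning behind the fix above: the router (responder, state R) answered the client's first aggressive-mode packet with AM2 and retransmitted it five times, but the client's AM3 never arrived; with NAT traversal the client sends AM3 from UDP 4500, which the inbound ACL only permitting `isakmp` (UDP 500) was dropping.

```python
import re

# Constructed sample lines in the same format as the router's buffered log
# (SA id and timestamps mirror the thread; the peer is a documentation address).
SAMPLE_LOG = """\
21129: Jul 25 14:40:21.410: ISAKMP:(1015):Old State = IKE_R_AM2 New State = IKE_DEST_SA
21124: Jul 25 14:40:21.394: ISAKMP:(1015):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 203.0.113.10)
21117: Jul 25 14:40:11.390: ISAKMP (0:1015): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
21110: Jul 25 14:40:01.386: ISAKMP (0:1015): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
21098: Jul 25 14:39:31.382: ISAKMP (0:1015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
21093: Jul 25 14:39:21.386: ISAKMP:(1015):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
21096: Jul 25 14:39:29.130: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4949) -> 198.51.100.1(445), 1 packet
"""

RETRANSMIT = re.compile(
    r"ISAKMP \(0:(\d+)\): incrementing error counter on sa, attempt (\d+) of (\d+): retransmit phase 1")
# The closing parenthesis after the peer is optional: the original log line was cut off there.
DEATH = re.compile(
    r'ISAKMP:\((\d+)\):deleting SA reason "Death by retransmission P1" state \((\w)\) (\w+) \(peer ([^)\s]+)')
STATE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\w+) New State = (\w+)")


def _sa(sas, sa_id):
    """Return the record for an ISAKMP SA id, creating an empty one on first sight."""
    return sas.setdefault(sa_id, {"attempts": 0, "max_attempts": None, "died": False,
                                  "role": None, "exchange": None, "peer": None, "states": set()})


def parse_isakmp(log_text):
    """Group the IKE phase 1 events by ISAKMP SA id; lines may arrive in any order."""
    sas = {}
    for line in log_text.splitlines():
        m = RETRANSMIT.search(line)
        if m:
            sa = _sa(sas, m.group(1))
            sa["attempts"] = max(sa["attempts"], int(m.group(2)))
            sa["max_attempts"] = int(m.group(3))
            continue
        m = DEATH.search(line)
        if m:
            sa = _sa(sas, m.group(1))
            sa.update(died=True, role=m.group(2), exchange=m.group(3), peer=m.group(4))
            continue
        m = STATE.search(line)
        if m:
            _sa(sas, m.group(1))["states"].update((m.group(2), m.group(3)))
    return sas


def diagnose(sa):
    """Map a phase 1 SA record to a short verdict a network engineer can act on."""
    if not sa["died"]:
        return "phase 1 not torn down by retransmission"
    if sa["role"] == "R" and sa["exchange"] == "AG_INIT_EXCH" and "IKE_R_AM2" in sa["states"]:
        # The responder answered AM1 with AM2 and retransmitted it until the
        # counter expired, so the client's AM3 never got through.  With NAT-T
        # the client sends AM3 from UDP 4500; an inbound filter that only
        # permits UDP 500 produces exactly this pattern.
        return "responder sent AM2 but never received AM3: check inbound UDP 4500 (NAT-T) filtering"
    if sa["role"] == "R":
        return "responder exhausted retransmissions before AM2: check inbound UDP 500 filtering"
    return "initiator got no reply: check reachability of the peer on UDP 500/4500"


if __name__ == "__main__":
    for sa_id, sa in parse_isakmp(SAMPLE_LOG).items():
        print(f"SA {sa_id} peer={sa['peer']} attempts={sa['attempts']}/{sa['max_attempts']}: {diagnose(sa)}")
```

Run it against the output of `show logging` on a router with `debug crypto isakmp` enabled; the unrelated `%SEC-6-IPACCESSLOGP` lines are simply ignored, so the whole buffer can be pasted in.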
TheIrish
Site Admin
Posts: 1840
Joined: Sun 14 Mar 2004, 11:26 pm
Location: Udine

The sweetest victories are the ones you win on your own
Well done ;)
[email protected]
Cisco power user
Posts: 83
Joined: Tue 20 Jun 2006, 9:37 am

TheIrish wrote:The sweetest victories are the ones you win on your own
Well done ;)
Another question...
The VPN connects perfectly and I get an IP from the VPN pool..
if I try to ping the router, it replies with the public IP and not the private one, while if I ping the internal network, nothing answers..
What rule do I need to apply so that it doesn't reply with the NATted IP??
Thanks
[email protected]
Cisco power user
Posts: 83
Joined: Tue 20 Jun 2006, 9:37 am

[email protected] wrote:
TheIrish wrote:The sweetest victories are the ones you win on your own
Well done ;)
Another question...
The VPN connects perfectly and I get an IP from the VPN pool..
if I try to ping the router, it replies with the public IP and not the private one, while if I ping the internal network, nothing answers..
What rule do I need to apply so that it doesn't reply with the NATted IP??
Thanks
Can anyone help me, please?
TheIrish
Site Admin
Posts: 1840
Joined: Sun 14 Mar 2004, 11:26 pm
Location: Udine

if I try to ping the router, it replies with the public IP and not the private one
Hold on, you say you're trying to ping the router... but what are you actually pinging? A domain name? Otherwise how could a different IP answer you?
[email protected]
Cisco power user
Posts: 83
Joined: Tue 20 Jun 2006, 9:37 am

TheIrish wrote:
if I try to ping the router, it replies with the public IP and not the private one
Hold on, you say you're trying to ping the router... but what are you actually pinging? A domain name? Otherwise how could a different IP answer you?
No, I'm simply trying to ping the private address of the PC on the internal network..and it replies with the public ADSL address..
If instead I do the reverse and ping the IP of the PC running the VPN client from the PC on the internal network, it replies correctly...
Bye
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

It's a NAT problem, check the ACL for the NAT!
The future is made of people who have intuitions and visions .....they are the people who make the difference...... the ones gifted with a THIRD EYE....
[email protected]
Cisco power user
Posts: 83
Joined: Tue 20 Jun 2006, 9:37 am

Wizard wrote:It's a NAT problem, check the ACL for the NAT!
Exactly...
that's the step I'm missing...do I need to use the ip nat inside.... command, or change the access-list?...
I'm going crazy..I'm counting on your help..
Thanks for any help.

Bye
[email protected]
Cisco power user
Posts: 83
Joined: Tue 20 Jun 2006, 9:37 am

[email protected] wrote:
Wizard wrote:It's a NAT problem, check the ACL for the NAT!
Exactly...
that's the step I'm missing...do I need to use the ip nat inside.... command, or change the access-list?...
I'm going crazy..I'm counting on your help..
Thanks for any help.

Bye
SOLUTION FOUND (I searched the forum properly!!!!)

I created a new extended access-list

ip nat inside source list 150 interface Dialer0 overload
access-list 150 deny ip 192.168.20.0 0.0.0.255 172.18.10.0 0.0.0.255
access-list 150 permit ip 192.168.20.0 0.0.0.255 any

and deleted list 25, which I didn't need

ALL OK!!!!
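Both fixes in this thread come down to how IOS evaluates a numbered ACL: first match wins, and for a `ip nat inside source list` the matching entry's `permit` means "translate" while `deny` means "leave the packet alone". The old `access-list 25 permit any` therefore translated the LAN's replies to the VPN client too, which is why the client saw the public ADSL address; the new list 150 denies LAN-to-pool traffic before the catch-all permit. The following Python ACL evaluator is an added example, not something from the thread: it parses standard and extended numbered ACL lines, matches addresses with wildcard masks and applies first-match semantics with the implicit deny. The sample ACLs are constructed: the WAN filter with and without the `non500-isakmp` entry, and list 150 from the final post with the VPN pool assumed to be 172.18.10.0/24 (the pool in the original config differs; the example assumes pool and exemption match). Client and WAN addresses are documentation placeholders.

```python
import ipaddress

# IOS service-name keywords used in this thread, mapped to port numbers.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123, "domain": 53}

# Constructed sample ACLs: the WAN filter before and after the NAT-T fix, and the
# NAT list from the last post (VPN client pool assumed to be 172.18.10.0/24).
WAN_ACL_BEFORE = """\
access-list 101 permit udp any any eq isakmp log
access-list 101 deny ip any any log
"""
WAN_ACL_AFTER = """\
access-list 101 permit udp any any eq isakmp log
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 deny ip any any log
"""
NAT_ACL = """\
access-list 150 remark do not translate LAN traffic bound for the VPN client pool
access-list 150 deny ip 192.168.20.0 0.0.0.255 172.18.10.0 0.0.0.255
access-list 150 permit ip 192.168.20.0 0.0.0.255 any
"""

ANY = (0, 0xFFFFFFFF)  # network 0 with an all-ones wildcard matches every address


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]; return ((net, wildcard), next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)  # ValueError on unknown names
        return port, i + 2
    return None, i


def parse_acl(text):
    """Parse numbered standard and extended ACL lines into per-ACL entry lists (remarks skipped)."""
    acls = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action = tokens[1], tokens[2]
        if tokens[3] in ("ip", "tcp", "udp", "icmp"):           # extended ACL
            proto = tokens[3]
            src, i = _parse_addr(tokens, 4)
            sport, i = _parse_port(tokens, i)
            dst, i = _parse_addr(tokens, i)
            dport, i = _parse_port(tokens, i)
        else:                                                    # standard ACL: source only
            proto, sport, dst, dport = "ip", None, ANY, None
            src, i = _parse_addr(tokens, 3)
        acls.setdefault(number, []).append(
            {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport})
    return acls


def _match_addr(spec, ip):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF
    return (ip & mask) == (net & mask)


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """Cisco first-match semantics: the first matching entry decides; implicit deny at the end."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_match_addr(e["src"], s) and _match_addr(e["dst"], d)):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"


def vpn_findings(wan_entries, nat_entries, lan_host, pool_host,
                 client_ip="203.0.113.10", wan_ip="198.51.100.1"):
    """The four checks behind this thread's two fixes (client and WAN addresses are placeholders)."""
    return {
        # inbound IKE on the dialer interface: plain ISAKMP and NAT-T
        "ike_udp500_allowed": evaluate(wan_entries, "udp", client_ip, wan_ip, 500, 500) == "permit",
        "nat_t_udp4500_allowed": evaluate(wan_entries, "udp", client_ip, wan_ip, 4500, 4500) == "permit",
        # NAT list: 'permit' means translate, 'deny' means leave the packet alone
        "lan_to_pool_exempt_from_nat": evaluate(nat_entries, "ip", lan_host, pool_host) == "deny",
        "lan_to_internet_translated": evaluate(nat_entries, "ip", lan_host, "192.0.2.1") == "permit",
    }


if __name__ == "__main__":
    before = parse_acl(WAN_ACL_BEFORE)["101"]
    after = parse_acl(WAN_ACL_AFTER)["101"]
    nat = parse_acl(NAT_ACL)["150"]
    print("before:", vpn_findings(before, nat, "192.168.20.10", "172.18.10.5"))
    print("after: ", vpn_findings(after, nat, "192.168.20.10", "172.18.10.5"))
```

The order of the two entries in list 150 is the whole point: swapping them would make the `permit ... any` match first and the pool exemption would never be reached. The same evaluator shows why list 101 needed a `non500-isakmp` entry, since `eq isakmp` only matches destination port 500.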