For learning purposes I am trying to bring up a VPN between two Cisco routers, both with dynamic IPs; the output of sh crypto session is this.
P.S.
Router 1 = Cisco 1841 ios c1841-adventerprisek9-mz.124-9.T7.bin
Router 2 = Cisco 1760 ios c1700-advipservicesk9-mz.124-15.T9.bin
Code:
Router 1
Crypto session current status
Interface: Dialer0
Session status: DOWN
Peer: x.x.x.x port 500 (the IP is resolved correctly)
IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
Code:
Router 2
Crypto session current status
Interface: Dialer0 Virtual-Access2
Session status: DOWN
Peer: x.x.x.x port 500 (the IP is resolved correctly)
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map
This is the part of the configuration I put on the two routers for the VPN.
192.168.5.0 is the LAN of router1
192.168.1.0 is the LAN of router2
Code:
Router 1
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
crypto map VPN local-address dialer0
crypto map VPN 10 ipsec-isakmp
 set peer router2.gotdns.com dynamic
 set transform-set VPN-SET
 match address 151
interface dialer0
 crypto map VPN
no access-list 101
access-list 101 remark *************************************************************
access-list 101 remark *** ACL FOR PAT AND NAT0 ***
access-list 101 remark *************************************************************
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 151 remark *** CRYPTO ACL FOR IPSEC TUNNEL ***
access-list 151 remark *************************************************************
access-list 151 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 remark *************************************************************
Code:
Router 2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
crypto map VPN local-address dialer0
crypto map VPN 10 ipsec-isakmp
 set peer router1.gotdns.com dynamic
 set transform-set VPN-SET
 match address 151
interface dialer0
 crypto map VPN
no access-list 101
access-list 101 remark ************************************************************
access-list 101 remark *** ACL FOR PAT ***
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 151 remark *** CRYPTO ACL FOR IPSEC TUNNEL ***
access-list 151 remark *************************************************************
access-list 151 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 151 remark *************************************************************
Thanks in advance for your advice/suggestions.
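
Added example (not part of the original post): a Python consistency check over the two posted configurations, covering the items that must agree between IPsec peers: ISAKMP policy, transform-set, mirrored crypto ACLs, and a NAT-exemption deny placed before the NAT permit. It assumes ACL 101 is the NAT ACL, as its remark says; the function names are illustrative.

```python
import re

# Router 1 lines used by the checks, copied from the post (IOS indentation restored).
R1 = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 match address 151
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 151 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# Router 2's posted lines are the same with the two LANs swapped.
R2 = re.sub(r"192\.168\.([15])\.0", lambda m: "192.168.%s.0" % "15".replace(m[1], ""), R1)

def acl(cfg, num):
    """Entries of a numbered ACL as (action, src, src_wc, dst, dst_wc); remarks are skipped."""
    pat = rf"^access-list {num} (permit|deny) ip (\S+) (\S+) (any|\S+ \S+)$"
    return [(m[1], m[2], m[3], *(m[4].split() + [""])[:2]) for m in re.finditer(pat, cfg, re.M)]

def phase_params(cfg):
    """ISAKMP policy settings and transform-set algorithms; both must match on the peers."""
    policy = dict(re.findall(r"^ *(encr|hash|authentication|group) (\S+)$", cfg, re.M))
    tset = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)[1].split()
    return policy, tset

def check(a, b, nat_acl=101):
    """Return a list of mismatches between peers a and b (empty list: consistent)."""
    problems = []
    if phase_params(a) != phase_params(b):
        problems.append("ISAKMP policy or transform-set mismatch")
    # The crypto ACL is the one referenced by "match address" in the crypto map.
    ca, cb = (acl(c, re.search(r"^ *match address (\d+)$", c, re.M)[1]) for c in (a, b))
    if ca != [(act, d, dw, s, sw) for act, s, sw, d, dw in cb]:
        problems.append("crypto ACLs are not mirror images")
    for name, cfg, crypto in (("A", a, ca), ("B", b, cb)):
        nat = acl(cfg, nat_acl)
        first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
        for _, *flow in crypto:  # tunnel traffic must be denied (exempted) before NAT permits it
            if ("deny", *flow) not in nat[:first_permit]:
                problems.append(f"peer {name}: NAT ACL does not exempt {flow}")
    return problems

print(check(R1, R2) or "no mismatch found")
```

An empty result only rules out these static mismatches; it says nothing about peer name resolution or reachability on UDP port 500.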