VPN Client configuration problem
Posted: Tue 02 Oct 2007, 3:53 pm
by Richi_one
Hi everyone,
I have a small problem with the configuration of an 1801 as regards VPN client connections: in practice the addresses from the pool are not released after use, and after a while, since there are none left available, it is no longer possible to connect.
What can I do?
Thanks in advance to everyone!
Posted: Tue 02 Oct 2007, 4:17 pm
by Wizard
Well, at least show us the config...
Anyway, if you don't have enough IPs in the pool, increase them... put 10 in (I don't think you'll manage more than that). Once you've enlarged the pool for the VPN you have to check the routes, the nat0 and the split tunnel.
Posted: Tue 09 Oct 2007, 11:55 am
by Richi_one
I have fifteen addresses in the pool; my problem is that they are not released after use: from the sixteenth attempt onwards you can't connect any more. If I reboot, the IPs are available again.
Any ideas?
I'll post the config later...
Posted: Thu 25 Oct 2007, 10:57 am
by Richi_one
Here is the configuration, I hope you can help me!
Current configuration : 6605 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cliente_1801
!
boot-start-marker
boot-end-marker
!
enable secret XXXXXXXXXXX
enable password XXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login clientauth local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
no ip domain lookup
ip domain name telecom.it
ip name-server 151.99.125.2
ip name-server 151.99.0.100
ip name-server 151.99.125.3
no ip ips deny-action ips-interface
!
!
!
username XXXXXXXX password XXXXXXXXXXXX
username XXXXXXXXXXXXXX password XXXXXXXXXXX
!
!
crypto keyring spokes
pre-shared-key address XXX.XXX.XXX.XXX key XXXXXXXXXXXXXXX4
pre-shared-key address XXX.XXX.XXX.XXX key XXXXXXXXXXXXXXX4
pre-shared-key address XXX.XXX.XXX.XXX key XXXXXXXXXXXXXXX4
pre-shared-key address XXX.XXX.XXX.XXX key XXXXXXXXXXXXXXX4
pre-shared-key address XXX.XXX.XXX.XXX key XXXXXXXXXXXXXXX4
pre-shared-key address XXX.XXX.XXX.XXX key XXXXXXXXXXXXXXX4
pre-shared-key address XXX.XXX.XXX.XXX key XXXXXXXXXXXXXXX4
pre-shared-key address XXX.XXX.XXX.XXX key XXXXXXXXXXXXXXX4
pre-shared-key address XXX.XXX.XXX.XXX key XXXXXXXXXXXXXXX4
pre-shared-key address 0.0.0.0 0.0.0.0 key XXXXXXXXXXXXXXX
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group XXXXXXXXXXXXXXXXXXXX
key XXXXXXXXXXXXXXXXXX
dns 10.70.1.1
wins 10.70.1.1
domain cliente.com
pool ippool
crypto isakmp profile L2L
description LAN-to-LAN for spoke router(s) connection
keyring spokes
match identity address 0.0.0.0
crypto isakmp profile VPNclient
description VPN clients profile
match identity group XXXXXXXXXXXXXXXXXXXXXXX
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
crypto isakmp profile L2LFix
description LAN-to-LAN for router(s) connection
keyring spokes
match identity address XXX.XXX.XXX.XXX 255.255.255.255
match identity address XXX.XXX.XXX.XXX 255.255.255.255
match identity address XXX.XXX.XXX.XXX 255.255.255.255
match identity address XXX.XXX.XXX.XXX 255.255.255.255
match identity address XXX.XXX.XXX.XXX 255.255.255.255
match identity address XXX.XXX.XXX.XXX 255.255.255.255
match identity address XXX.XXX.XXX.XXX 255.255.255.255
match identity address XXX.XXX.XXX.XXX 255.255.255.255
match identity address XXX.XXX.XXX.XXX 255.255.255.255
!
!
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 5
set transform-set rtpset
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set transform-set rtpset
set isakmp-profile L2L
!
!
crypto map rtp local-address Loopback0
crypto map rtp 10 ipsec-isakmp
description SEDEREMOTA
set peer XXX.XXX.XXX.XXX
set transform-set rtpset
set isakmp-profile L2LFix
match address 110
crypto map rtp 12 ipsec-isakmp
description cliente
set peer XXX.XXX.XXX.XXX
set transform-set rtpset
set isakmp-profile L2LFix
match address 111
crypto map rtp 15 ipsec-isakmp
description cliente
set peer XXX.XXX.XXX.XXX
set transform-set rtpset
set isakmp-profile L2LFix
match address 112
crypto map rtp 20 ipsec-isakmp
description cliente
set peer XXX.XXX.XXX.XXX
set transform-set rtpset
set isakmp-profile L2LFix
match address 113
crypto map rtp 25 ipsec-isakmp
description cliente
set peer 8XXX.XXX.XXX.XXX
set transform-set rtpset
set isakmp-profile L2LFix
match address 114
CUT
crypto map rtp 199 ipsec-isakmp dynamic dynmap
!
!
!
interface Loopback0
ip address XXX.XXX.XXX.XXX 255.255.255.252
crypto map rtp
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
ip address XXX.XXX.XXX.XXX 255.255.255.0
ip nat outside
ip virtual-reassembly
no ip route-cache
no ip mroute-cache
pvc 8/35
encapsulation aal5snap
!
!
interface Vlan1
ip address 10.70.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
hold-queue 100 out
!
ip local pool ippool 10.70.3.240 10.70.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.0.0.0 255.0.0.0 Loopback0
ip route 10.70.1.0 255.255.255.0 Vlan1
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Loopback0 overload
!
access-list 110 permit ip 10.70.0.0 0.0.255.255 10.5.0.0 0.0.255.255
access-list 111 permit ip 10.0.0.0 0.255.255.255 10.70.2.16 0.0.0.7
access-list 112 permit ip 10.0.0.0 0.255.255.255 10.70.2.8 0.0.0.7
access-list 113 permit ip 10.0.0.0 0.255.255.255 10.70.2.48 0.0.0.7
access-list 114 permit ip 10.0.0.0 0.255.255.255 10.70.2.64 0.0.0.7
access-list 115 permit ip 10.0.0.0 0.255.255.255 10.70.2.56 0.0.0.7
access-list 116 permit ip 10.0.0.0 0.255.255.255 10.70.2.40 0.0.0.7
access-list 117 permit ip 10.0.0.0 0.255.255.255 10.70.2.32 0.0.0.7
access-list 118 permit ip 10.0.0.0 0.255.255.255 10.70.2.72 0.0.0.7
access-list 120 deny ip 10.70.1.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 120 deny ip 10.70.1.0 0.0.0.255 10.70.2.0 0.0.0.255
access-list 120 deny ip 10.70.1.0 0.0.0.255 10.70.3.0 0.0.0.255
access-list 120 permit ip 10.70.1.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 120
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password XXXXXXXXXX
!
no scheduler allocate
end
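Wizard's checklist for a resized client pool (routes, nat0 and split tunnel) can be run mechanically against the config above. The script below is an added example, not part of the original thread: it parses a constructed excerpt of the posted config (the client group name was redacted in the post, so "VPNGROUP" is an assumed placeholder) and reports, for every address of the pool, whether LAN-to-pool traffic is exempted from NAT by the nonat route-map, whether the return route leaves through the interface carrying the crypto map, and whether the group defines a split-tunnel ACL at all.

```python
"""Audit what Wizard lists for a resized VPN client pool (routes, nat0, split tunnel). Added example."""
import ipaddress
import re

# Constructed excerpt of the posted 1801 config; "VPNGROUP" stands in for the redacted group name.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group VPNGROUP
 pool ippool
interface Loopback0
 crypto map rtp
interface Vlan1
 ip address 10.70.1.254 255.255.255.0
 ip nat inside
ip local pool ippool 10.70.3.240 10.70.3.254
ip route 10.0.0.0 255.0.0.0 Loopback0
ip nat inside source route-map nonat interface Loopback0 overload
access-list 120 deny ip 10.70.1.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 120 deny ip 10.70.1.0 0.0.0.255 10.70.2.0 0.0.0.255
access-list 120 deny ip 10.70.1.0 0.0.0.255 10.70.3.0 0.0.0.255
access-list 120 permit ip 10.70.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
"""

def acl_operand(tok, i):
    """Consume one ACL operand ('any' or 'ADDR WILDCARD'); return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    bits = int(ipaddress.ip_address(tok[i + 1]))  # IOS wildcard = inverted (contiguous) netmask
    return ipaddress.ip_network(f"{tok[i]}/{32 - bits.bit_length()}", strict=False), i + 2

def parse_acl(cfg, number):
    """[(action, src_net, dst_net)] for the 'ip' entries of a numbered extended ACL."""
    entries = []
    for m in re.finditer(rf"^access-list {number} (permit|deny) ip (.+)$", cfg, re.M):
        tok = m[2].split()
        src, i = acl_operand(tok, 0)
        entries.append((m[1], src, acl_operand(tok, i)[0]))
    return entries

def acl_action(entries, src, dst):
    """First match wins; an IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"

def parse_interfaces(cfg):
    """interface name -> {'network', 'nat_inside', 'crypto_map'} from its indented sub-lines."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if line.startswith("interface "):
            cur = ifaces.setdefault(tok[1], {"network": None, "nat_inside": False, "crypto_map": None})
        elif cur is None or not line.startswith(" "):
            cur = None
        elif tok[:2] == ["ip", "address"]:
            cur["network"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[:3] == ["ip", "nat", "inside"]:
            cur["nat_inside"] = True
        elif tok[:2] == ["crypto", "map"]:
            cur["crypto_map"] = tok[2]
    return ifaces

def lookup_route(cfg, addr):
    """Longest-prefix match of addr over the 'ip route NET MASK EGRESS' lines; egress or None."""
    addr = ipaddress.ip_address(addr)
    routes = [(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3])
              for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)", cfg, re.M)]
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def audit_pool(cfg):
    """Check every address of the client pool against nat0, the routes and the split tunnel."""
    group = re.search(r"^crypto isakmp client configuration group (\S+)\n((?: .*\n)*)", cfg, re.M)
    pool_name = re.search(r"^ pool (\S+)", group[2], re.M)[1]
    m = re.search(rf"^ip local pool {pool_name} (\S+) (\S+)", cfg, re.M)
    pool = [ipaddress.ip_address(n) for n in range(int(ipaddress.ip_address(m[1])), int(ipaddress.ip_address(m[2])) + 1)]
    findings = []
    # 1. nat0: LAN -> pool must hit a deny in the NAT route-map ACL, or NAT rewrites the tunnel return path.
    route_map = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M)[1]
    acl_no = re.search(rf"^route-map {route_map} permit \d+\n match ip address (\d+)", cfg, re.M)[1]
    acl, ifaces = parse_acl(cfg, acl_no), parse_interfaces(cfg)
    lan = next(i["network"] for i in ifaces.values() if i["nat_inside"])
    natted = [str(a) for a in pool if acl_action(acl, lan[1], a) == "permit"]
    if natted:
        findings.append(f"nat0: pool addresses still NATed from {lan}: {natted}")
    # 2. routes: the return path to every pool address must leave via an interface carrying the crypto map.
    bad = [f"{a} via {lookup_route(cfg, a)}" for a in pool
           if not ifaces.get(lookup_route(cfg, a), {}).get("crypto_map")]
    if bad:
        findings.append(f"routes: pool addresses not routed to a crypto-map interface: {bad}")
    # 3. split tunnel: only an 'acl' line in the group limits what the client sends into the tunnel.
    if not re.search(r"^ acl \S+", group[2], re.M):
        findings.append(f"split tunnel: group {group[1]} has no 'acl', clients tunnel all traffic")
    return {"pool": pool_name, "size": len(pool), "findings": findings}

if __name__ == "__main__":
    print(audit_pool(SAMPLE_CONFIG))
```

On the posted config the nat0 and route checks come out clean for all fifteen pool addresses (the deny to 10.70.3.0/24 in ACL 120 covers the pool, and the 10.0.0.0/8 route sends return traffic to Loopback0, where crypto map rtp is applied); the only finding is that the group has no split-tunnel ACL. Enlarging the pool beyond 10.70.3.0/24, or moving it elsewhere, is exactly what would make the first two checks fail.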
Posted: Thu 25 Oct 2007, 3:14 pm
by Wizard
Posted: Thu 25 Oct 2007, 3:26 pm
by Richi_one
Isn't it already included in
ip route 0.0.0.0 0.0.0.0 ATM0.1
?
Anyway everything works perfectly, apart from the problem of the pool IPs not being released.
Posted: Thu 25 Oct 2007, 3:31 pm
by Wizard
Upgrade the IOS, and add the rule anyway, it won't hurt!
Posted: Thu 25 Oct 2007, 3:52 pm
by Richi_one
Ah, so you're saying it doesn't depend on the config but on the IOS?
I don't have any experience with the 12.4 releases yet, I'll read up on it.
Pity, thanks anyway!