Site-to-Site VPN with hiccups

Virtual private networks and the like

Moderator: Federico.Lagni

KMarco
n00b
Posts: 15
Joined: Thu 10 Jan 2008, 10:23 am

Hi everyone,
I have a VPN between two Cisco 877 routers, one on a Telecom Italia network,
the other on a Eutelia network.

The site-to-site VPN tunnel between the two routers comes up without problems,
but then I get anomalies when passing large packets, especially from MAGAZZINO towards the CED. If I ping, even with 1024-byte packets, I have no problems (in both directions), but if I try to access the web server I have on the CED, the page does not open. I have the same problem, for example, when trying to establish an RDP connection. :cry:

I have already tried setting the MTU to 1500 on both routers, but nothing... :cry:

Can you help me? :D

Here is the MAGAZZINO configuration:

Code:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname MAGAZZINO
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 PASSWORD
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip name-server 151.99.0.100
ip name-server 151.99.125.1
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3504550821
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3504550821
 revocation-check none
 rsakeypair TP-self-signed-3504550821
!
!
crypto pki certificate chain TP-self-signed-3504550821
 certificate self-signed 01
  quit
username UTENTE privilege 15 secret 5 PASSWORD
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address 1.1.1.8
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to1.1.1.8
 set peer 1.1.1.8
 set transform-set ESP-3DES-SHA 
 match address 102
!
!
!
interface ATM0
 mtu 1500
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
 crypto ipsec df-bit clear
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.250 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 2.2.2.2 255.255.255.254
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password 7 PASSWORD
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 1.1.1.2 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 1.1.1.8 host 2.2.2.2 eq non500-isakmp
access-list 101 permit udp host 1.1.1.8 host 2.2.2.2 eq isakmp
access-list 101 permit esp host 1.1.1.8 host 2.2.2.2
access-list 101 permit ahp host 1.1.1.8 host 2.2.2.2
access-list 101 permit udp host 151.99.125.1 eq domain host 2.2.2.2
access-list 101 permit udp host 151.99.0.100 eq domain host 2.2.2.2
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 2.2.2.2 echo
access-list 101 permit icmp any host 2.2.2.2 echo-reply
access-list 101 permit icmp any host 2.2.2.2 time-exceeded
access-list 101 permit icmp any host 2.2.2.2 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Here is the configuration on the CED:

Code:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CED
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$v2/a$KSE7XvL3D6C7VAk9bSNUJ0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip name-server 151.99.0.100
ip name-server 151.99.125.1
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-498544502
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-498544502
 revocation-check none
 rsakeypair TP-self-signed-498544502
!
!
crypto pki certificate chain TP-self-signed-498544502
 certificate self-signed 01
  quit
username USERNAME privilege 15 secret 5 PASSWORD
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address 2.2.2.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to2.2.2.2
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA 
 match address 102
!
!
!
interface ATM0
 mtu 1500
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
 crypto ipsec df-bit clear
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip address 1.1.1.8 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 pvc 8/35 
  encapsulation aal5snap
 !
 crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.250 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
ip nat inside source static tcp 192.168.0.1 3389 1.1.1.8 3389 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 1.1.1.6 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit udp host 2.2.2.2 host 1.1.1.8 eq non500-isakmp
access-list 101 permit udp host 2.2.2.2 host 1.1.1.8 eq isakmp
access-list 101 permit esp host 2.2.2.2 host 1.1.1.8
access-list 101 permit ahp host 2.2.2.2 host 1.1.1.8
access-list 101 permit udp host 151.99.125.1 eq domain host 1.1.1.8
access-list 101 permit udp host 151.99.0.100 eq domain host 1.1.1.8
access-list 101 permit tcp any host 1.1.1.8 eq 3389
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any host 1.1.1.8 echo
access-list 101 permit icmp any host 1.1.1.8 echo-reply
access-list 101 permit icmp any host 1.1.1.8 time-exceeded
access-list 101 permit icmp any host 1.1.1.8 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Thanks to EVERYONE in advance!
Bye

Marco
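An added example, not from the thread or from either router, that works through the ESP tunnel-mode size arithmetic for the esp-3des esp-sha-hmac transform set used in both configurations above: it shows that a 1024-byte ping fits easily, while the `ip tcp adjust-mss 1452` on Vlan1 still lets a full TCP segment become a 1544-byte ESP packet, which exceeds a 1500-byte outer MTU and has to be fragmented. It assumes IPv4, tunnel mode, no TCP options and no NAT-T UDP encapsulation; the outer MTU is a parameter because the real MTU of the ATM/PPP links is not stated in the thread.

```python
"""ESP (RFC 4303) tunnel-mode size arithmetic for esp-3des esp-sha-hmac.
Added example; the constants are the standard header sizes, not values
taken from the routers in the thread."""

OUTER_IP = 20        # new outer IPv4 header added in tunnel mode
ESP_HDR = 8          # SPI (4) + sequence number (4)
IV_3DES = 8          # 3DES-CBC block size: IV length and padding alignment
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICV_SHA1_96 = 12     # esp-sha-hmac truncates HMAC-SHA-1 to 96 bits
INNER_TCP_HDRS = 40  # inner IPv4 (20) + TCP without options (20)
INNER_ICMP_HDRS = 28 # inner IPv4 (20) + ICMP echo header (8)


def esp_packet_size(inner_len: int) -> int:
    """Total outer IPv4 length of an ESP packet carrying an inner packet of inner_len bytes."""
    # inner packet + trailer is padded up to a multiple of the cipher block size
    padded = -(-(inner_len + ESP_TRAILER) // IV_3DES) * IV_3DES
    return OUTER_IP + ESP_HDR + IV_3DES + padded + ICV_SHA1_96


def max_inner_len(outer_mtu: int) -> int:
    """Largest inner packet whose ESP encapsulation still fits outer_mtu unfragmented."""
    room = outer_mtu - OUTER_IP - ESP_HDR - IV_3DES - ICV_SHA1_96
    return (room // IV_3DES) * IV_3DES - ESP_TRAILER


def max_tcp_mss(outer_mtu: int) -> int:
    """TCP MSS that keeps every full-size segment below outer_mtu after encryption."""
    return max_inner_len(outer_mtu) - INNER_TCP_HDRS


def icmp_echo_esp_size(data_len: int) -> int:
    """ESP size of an inner ICMP echo with data_len payload bytes (the ping test in the post)."""
    return esp_packet_size(INNER_ICMP_HDRS + data_len)


def check_mss(mss: int, outer_mtu: int) -> dict:
    """Does a full segment at this MSS fit the outer MTU once encrypted, and what MSS would?"""
    size = esp_packet_size(mss + INNER_TCP_HDRS)
    return {"esp_size": size, "fits": size <= outer_mtu,
            "recommended_mss": max_tcp_mss(outer_mtu)}


if __name__ == "__main__":
    print("1024-byte ping ->", icmp_echo_esp_size(1024), "bytes of ESP")
    for mtu in (1500, 1492):  # 1500 = plain Ethernet/RFC1483; 1492 = typical PPPoE
        print(f"outer MTU {mtu}: adjust-mss 1452 ->", check_mss(1452, mtu))
```

A full TCP segment with MSS 1452 becomes a 1544-byte ESP packet, so over a 1500-byte path it is fragmented after encryption; the computed MSS for 1500 is 1406 and for 1492 is 1398.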
zot
Messianic Network master
Posts: 1274
Joined: Wed 17 Nov 2004, 1:13 am
Location: Teramo

Try disabling the access lists and the firewall and see whether it works that way.
If there is a solution, why get angry?
If there is no solution, why get angry?


http://www.zotbox.net
Ogekuri
n00b
Posts: 10
Joined: Sat 14 Jul 2007, 6:02 pm

[quote="KMarco"]Hi everyone,
Can you help me? :D

try changing the "no ip unreachables" to "ip unreachables"

I had a similar problem where the VPN was up and ping was OK, but file transfers would not complete... after making that change it miraculously started working again.

I don't know why... if some master could explain it to me :D
-- 
Bye
Fra