Vpn Ipsec IOS <---> IOS

pastoreerrante
n00b
Posts: 16
Joined: Sun 22 Feb 2009, 11:52 am

Greetings to the forum,

I can't get a simple site-to-site VPN up between a Cisco 870 and a UC520; from the "sh crypto isakmp sa" command I see that the SAs are not even created, and consequently the actual IPsec session is never brought up.

CISCO 870 CONFIGURATION

Code:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key vpnpsw address xxx.xxx.xxx.xxx 255.255.255.252
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto map vpn_cliente 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set transform-1
 match address 100
!
interface FastEthernet4
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn_cliente
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.2.254 22 interface FastEthernet4 22000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 150 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
no cdp run
!
route-map nonat permit 10
 match ip address 150
!
UC520 CONFIGURATION

Code:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key vpnpsw address xxx.xxx.xxx.xxx 255.255.255.248
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto map vpn_cliente 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set transform-1
 match address 100
!
interface FastEthernet0/0
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn_cliente
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
ip http server
ip http secure-server
ip http path flash
ip nat inside source static tcp 10.1.1.254 22 interface FastEthernet0/0 22000
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip host 10.1.1.253 any
access-list 150 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 150
!
Here is the output of a few show commands:

CISCO 870:

Code:

#show crypto ipsec transform-set
Transform set transform-1: { esp-3des esp-sha-hmac  } 
   will negotiate = { Tunnel,  }, 

Code:

#show crypto ipsec sa

interface: FastEthernet4
    Crypto map tag: jgmartinvpn, local addr xxx.xxx.xxx.xxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer xxx.xxx.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:
          
     inbound pcp sas:
          
     outbound esp sas:
          
     outbound ah sas:
          
     outbound pcp sas:
UC520:

Code:

#show crypto ipsec transform-set
Transform set transform-1: { esp-3des esp-sha-hmac  } 
   will negotiate = { Tunnel,  },

Code:

show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: jgmartinvpn, local addr xxx.xxx.xxx.xxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer xxx.xxx.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:
          
     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
Thanks for the help - Daniele
pastoreerrante
n00b
Posts: 16
Joined: Sun 22 Feb 2009, 11:52 am

I've made a step forward: now the VPN seems to come up correctly, but the two peers can't ping each other.

The main problem, anyway, was the wrong order of the ACL entries used to exempt packets destined for the VPN tunnel from NAT; the deny was below the permit, so the whole thing couldn't work.

Once I corrected the ACL order, I have:

Code:

#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
xx.xx.xxx.xx   xx.xx.xxx.xx    QM_IDLE           2001    0 ACTIVE
On the other peer too the SA is in QM_IDLE, however from the 870 (192.168.2.254) I can't ping the UC520 (192.168.0.254) and vice versa.

Does anyone know how to fix this?

Thanks

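An added illustration of the ACL-ordering problem described above (my own example, not code from the thread): it models IOS first-match evaluation of access-list 150 and crypto ACL 100 from the 870 side, with NAT applied before the crypto map check on the inside-to-outside path, and shows why the posted ordering keeps LAN-to-LAN traffic out of the tunnel. The function names, the outside address 198.51.100.1 and the Internet destination 203.0.113.5 are constructed placeholders.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """Convert Cisco 'address wildcard' notation (e.g. 0.0.0.255) to a network."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)


def acl_match(acl, src, dst):
    """IOS semantics: top-down, first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


LAN_870 = wildcard_to_network("192.168.2.0", "0.0.0.255")
LAN_UC520 = wildcard_to_network("192.168.0.0", "0.0.0.255")

# Crypto ACL 100 on the 870: the traffic that should be protected by the tunnel.
CRYPTO_ACL_100 = [("permit", LAN_870, LAN_UC520)]

# access-list 150 (route-map nonat) as posted in the first message ...
NAT_ACL_150_POSTED = [("permit", LAN_870, ANY), ("deny", LAN_870, LAN_UC520)]
# ... and with the deny moved above the permit, as the second message describes.
NAT_ACL_150_FIXED = [("deny", LAN_870, LAN_UC520), ("permit", LAN_870, ANY)]


def classify(nat_acl, src, dst, outside_ip="198.51.100.1"):
    """Model the 870's inside-to-outside path for one packet.

    IOS translates the packet (ip nat inside source ... overload) before it
    consults the crypto map, so a packet that matches the NAT route-map is
    compared against crypto ACL 100 with the already-translated source and
    leaves in the clear instead of entering the tunnel.
    """
    if acl_match(nat_acl, src, dst) == "permit":
        src = outside_ip  # PAT overload rewrote the source to the outside interface
    return "tunnel" if acl_match(CRYPTO_ACL_100, src, dst) == "permit" else "clear"
```

With the posted ordering every LAN packet, including the 192.168.2.0/24 to 192.168.0.0/24 traffic, hits the permit first and gets translated, so nothing ever matches the crypto ACL; with the deny first only Internet-bound traffic is translated.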