L2L config

Virtual private networks and related topics

Moderator: Federico.Lagni

nat
Cisco fan
Posts: 70
Joined: Sun 25 Nov 2007, 2:18 pm
Location: ABRUZZO

Hello everyone. After reading several posts I tried to set up an L2L VPN, but in sh crypto isakmp sa I can't see the dst and src IPs; sh crypto ipsec sa looks correct to me. I'm attaching the two configs together with debug crypto isakmp. Where am I going wrong in the config?
Thanks in advance

ROUTER_1841_VPN#sh run
!
hostname ROUTER_1841_VPN
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 85.0.0.27 no-xauth
no crypto isakmp ccm
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto map masvpn local-address Loopback0
crypto map masvpn 1 ipsec-isakmp
set peer 85.0.0.27
set transform-set VPN-SET
match address 101
!
interface Loopback0
ip address 85.0.0.26 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

interface Serial0/0/0
no ip address
encapsulation frame-relay
!
interface Serial0/0/0.1 point-to-point
bandwidth 1024
ip address 80.20.0.2 255.255.255.252
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 132 IETF
crypto map masvpn
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip nat inside source route-map FORSE interface Loopback0 overload
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map FORSE permit 1
match ip address 102


ROUTER_1751_VPN#sh conf
!
hostname ROUTER_1751_VPN
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 85.0.0.26 no-xauth
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto map masvpn local-address Loopback0
crypto map masvpn 1 ipsec-isakmp
set peer 85.0.0.26
set transform-set VPN-SET
match address 101
!
interface Loopback0
ip address 85.0.0.27 255.255.255.255
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
ip address 80.20.0.1 255.255.255.252
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 166
crypto map masvpn
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
!
ip nat inside source route-map FORSE interface Loopback0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map FORSE permit 1
match ip address 102
!



ROUTER_1751_VPN#sh crypto ipsec sa
interface: Serial0/0.1
Crypto map tag: masvpn, local addr 85.0.0.27
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 85.0.0.26 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 56, #recv errors 0
local crypto endpt.: 85.0.0.27, remote crypto endpt.: 85.0.0.26
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)

ROUTER_1751_VPN#sh crypto isakmp sa
dst src state conn-id slot status

ROUTER_1751_VPN#debug crypto isakmp
Crypto ISAKMP debugging is on
ROUTER_1751_VPN#
*Mar 1 01:56:58.059: ISAKMP: received ke message (1/1)
*Mar 1 01:56:58.059: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar 1 01:56:58.059: ISAKMP: Created a peer struct for 85.0.0.26, peer port 500
*Mar 1 01:56:58.063: ISAKMP: New peer created peer = 0x82A3817C peer_handle = 0x8000000B
*Mar 1 01:56:58.063: ISAKMP: Locking peer struct 0x82A3817C, IKE refcount 1 for isakmp_initiator
*Mar 1 01:56:58.063: ISAKMP: local port 500, remote port 500
*Mar 1 01:56:58.063: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 01:56:58.063: insert sa successfully sa = 83316CB0
*Mar 1 01:56:58.063: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar 1 01:56:58.063: ISAKMP:(0:0:N/A:0):Looking for a matching key for 85.0.0.26 in default
*Mar 1 01:56:58.067: ISAKMP:(0:0:N/A:0): : success
*Mar 1 01:56:58.067: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 85.0.0.26
*Mar 1 01:56:58.067: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 1 01:56:58.067: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 1 01:56:58.067: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 1 01:56:58.067: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 01:56:58.071: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 01:56:58.071: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar 1 01:56:58.071: ISAKMP:(0:0:N/A:0): sending packet to 85.0.0.26 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:57:08.071: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:57:08.071: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 01:57:08.071: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar 1 01:57:08.071: ISAKMP:(0:0:N/A:0): sending packet to 85.0.0.26 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:57:18.083: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:57:18.083: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 01:57:18.083: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar 1 01:57:18.083: ISAKMP:(0:0:N/A:0): sending packet to 85.0.0.26 my_port 500 peer_port 500 (I) MM_NO_STATE
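Added example, not part of the thread: a small consistency checker for a crypto-map based IOS site-to-site VPN with NAT exemption. It parses the lines that matter (crypto ACL, NAT route-map or list, interfaces, peer) and checks the three things that most often break a tunnel like this one: the crypto ACLs must mirror each other, the NAT ACL must deny exactly the tunnel traffic and permit translation only for networks behind an 'ip nat inside' interface, and the IKE peer must not fall inside a subnet configured on a Loopback (packets to it would be routed into the loopback instead of out the WAN). Run against the configs from the first post above (trimmed to the relevant lines), it reports nothing for the 1751 and two findings for the 1841: Loopback0 is 85.0.0.26/24, which contains the peer 85.0.0.27 (the working configs posted later use a /32), and the 1841's access-list 102 permit line names 192.168.1.0 rather than its own LAN 192.168.2.0. Function names and the findings' wording are mine, not IOS output.

```python
"""Consistency checks for an IOS crypto-map site-to-site IPsec VPN with NAT exemption.
Added example; parse_config/check_side are my helpers, not IOS or thread commands."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _acl_network(tokens, i):
    """Consume one IOS ACL address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host" or tokens[i + 1] == "0.0.0.0":
        host = tokens[i + 1] if tokens[i] == "host" else tokens[i]
        return ipaddress.ip_network(host + "/32"), i + 2
    # 'address wildcard': ipaddress accepts a wildcard (host-mask) directly, except that
    # an all-zero mask is read as a /0 netmask, hence the special case above
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull ACLs, interfaces, crypto-map peer/ACL and the NAT source out of a config."""
    cfg = {"acls": {}, "ifaces": [], "peer": None, "crypto_acl": None,
           "nat_source": None, "route_maps": {}}
    iface = rmap = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":                       # end of a stanza
            iface = rmap = None
            continue
        if t[0] == "interface":
            iface = {"name": t[1], "net": None, "nat": None}
            cfg["ifaces"].append(iface)
        elif t[0] == "route-map":
            rmap = t[1]
            cfg["route_maps"].setdefault(rmap, [])
        elif t[:4] == ["ip", "nat", "inside", "source"]:
            cfg["nat_source"] = (t[4], t[5])           # ('route-map', NAME) or ('list', N)
        elif t[:2] == ["ip", "address"] and iface is not None:
            iface["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:2] == ["ip", "nat"] and iface is not None:
            iface["nat"] = t[2]                        # 'inside' or 'outside'
        elif t[0] == "access-list" and t[3] == "ip":   # extended ACL entries only
            src, i = _acl_network(t, 4)
            dst, _ = _acl_network(t, i)
            cfg["acls"].setdefault(t[1], []).append((t[2], src, dst))
        elif t[:2] == ["set", "peer"]:
            cfg["peer"] = ipaddress.ip_address(t[2])
        elif t[:2] == ["match", "address"]:            # inside the crypto map entry
            cfg["crypto_acl"] = t[2]
        elif t[:3] == ["match", "ip", "address"] and rmap:
            cfg["route_maps"][rmap].append(t[3])
    return cfg


def _entries(cfg, acl, action):
    return {(s, d) for a, s, d in cfg["acls"].get(acl, []) if a == action}


def check_side(local, remote):
    """Return a list of findings for 'local' checked against its peer's config."""
    findings = []
    tunnel = _entries(local, local["crypto_acl"], "permit")
    mirror = {(d, s) for s, d in _entries(remote, remote["crypto_acl"], "permit")}
    if tunnel != mirror:
        findings.append("crypto ACL is not the mirror image of the peer's crypto ACL")
    kind, name = local["nat_source"]
    nat_acl = name if kind == "list" else local["route_maps"][name][0]
    if _entries(local, nat_acl, "deny") != tunnel:
        findings.append(f"NAT ACL {nat_acl} does not deny exactly the tunnel traffic")
    inside = [i["net"] for i in local["ifaces"] if i["nat"] == "inside" and i["net"]]
    for src, _ in _entries(local, nat_acl, "permit"):
        if not any(src.subnet_of(n) for n in inside):
            findings.append(f"NAT ACL {nat_acl} permits {src}, which is not behind an "
                            "'ip nat inside' interface")
    for i in local["ifaces"]:
        if i["net"] and i["name"].startswith("Loopback") and local["peer"] in i["net"]:
            findings.append(f"peer {local['peer']} falls inside {i['net']} on {i['name']}; "
                            "a loopback used as local-address needs a /32")
    return findings


# Relevant lines of the two configs from the first post.
ROUTER_1841_FIRST_POST = """
crypto map masvpn 1 ipsec-isakmp
set peer 85.0.0.27
match address 101
!
interface Loopback0
ip address 85.0.0.26 255.255.255.0
ip nat outside
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
ip nat inside source route-map FORSE interface Loopback0 overload
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map FORSE permit 1
match ip address 102
"""
ROUTER_1751_FIRST_POST = """
crypto map masvpn 1 ipsec-isakmp
set peer 85.0.0.26
match address 101
!
interface Loopback0
ip address 85.0.0.27 255.255.255.255
ip nat outside
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat inside source route-map FORSE interface Loopback0 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map FORSE permit 1
match ip address 102
"""

if __name__ == "__main__":
    r1841, r1751 = parse_config(ROUTER_1841_FIRST_POST), parse_config(ROUTER_1751_FIRST_POST)
    print("1841:", check_side(r1841, r1751))
    print("1751:", check_side(r1751, r1841))
```

The checker understands both NAT-exemption styles seen in this thread, the route-map form and the plain `ip nat inside source list` form, because both end up as an ACL whose deny lines must match the crypto ACL.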
valerio1976
Network Emperor
Posts: 263
Joined: Fri 05 Mar 2010, 9:05 am

nat wrote: [quotes the post above in full]

hi, I would also add
set security-association lifetime kilobytes 86400
set security-association lifetime seconds 28800

and I would also put this on the loopback:
crypto map masvpn

bye
nat
Cisco fan
Posts: 70
Joined: Sun 25 Nov 2007, 2:18 pm
Location: ABRUZZO

thanks a lot for the quick reply. As you suggested I added those config lines; same problem. Now, when pinging from a host behind the first router to a host behind the second router, sh crypto isakmp sa gives me

ROUTER_1841_VPN#sh crypto isakmp sa
dst src state conn-id slot status
85.0.0.26 85.0.0.27 MM_NO_STATE 1 0 ACTIVE (deleted)

under state I see MM_NO_STATE; could this be the problem?
thanks again
valerio1976
Network Emperor
Posts: 263
Joined: Fri 05 Mar 2010, 9:05 am

nat wrote: [quotes the post above in full]
Hi. If you get this MM_NO_STATE error it means phase 1 of the VPN is failing, so my humble opinion is to run a proper debug crypto isakmp
then check:
that the VPN password is the same on both endpoints, des vs. 3des, group 1 vs. group 2, etc...

if you don't know how to trigger the crypto debug, just type for example ping <remote LAN address> source <router interface> and look at what the debug tells you


bye
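Added example, not from either poster: a triage routine for `debug crypto isakmp` output that turns the advice above (MM_NO_STATE means phase 1 failed; check the key, encryption and group) into something repeatable. IOS prints the main-mode state in the `(I) MM_...` / `(R) MM_...` suffix of each `sending packet` / `received packet` line, so how far the initiator gets before it starts retransmitting is the most useful clue: retransmitting in MM_NO_STATE with no reply at all points at reachability or UDP/500 filtering rather than at crypto parameters, while retransmitting in MM_KEY_EXCH is the classic pre-shared-key mismatch. The first sample capture is taken from the thread's debug; the other two are constructed, modelled on the standard IOS messages for a policy and a key mismatch. The pattern table and function names are mine.

```python
"""Triage of 'debug crypto isakmp' output for an IKEv1 main-mode tunnel that does not
come up.  Added example; the pattern table and helper names are mine, not IOS commands."""
import re

# Main-mode states in the order they are reached; QM_IDLE means phase 1 is up.
MM_STATES = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH", "QM_IDLE"]

STATE_RX = re.compile(r"\((I|R)\) (MM_\w+|QM_IDLE)")
RETRANSMIT_RX = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")

# Explicit error messages IOS prints for the classic mismatches.
ERROR_PATTERNS = [
    ("policy_mismatch", re.compile(r"atts are not acceptable|no offers accepted")),
    ("psk_mismatch", re.compile(r"failed its sanity check or is malformed")),
    ("proxy_mismatch", re.compile(r"proxy identities not supported")),
    ("transform_mismatch", re.compile(r"IPSec policy invalidated proposal")),
]
DIAGNOSIS = {
    "policy_mismatch": "no ISAKMP policy matched: compare encr/hash/group/authentication on both peers",
    "psk_mismatch": "a message failed decryption: the pre-shared keys almost certainly differ",
    "proxy_mismatch": "phase 2 proxy identities differ: the crypto ACLs are not mirror images",
    "transform_mismatch": "phase 2 proposal rejected: the transform-sets differ",
}


def triage(lines):
    """Return the highest main-mode state seen, the retransmit attempt count, the
    explicit error kinds found, and a one-line diagnosis."""
    highest, attempts, hits = None, 0, []
    for line in lines:
        m = STATE_RX.search(line)
        if m and m.group(2) in MM_STATES:
            if highest is None or MM_STATES.index(m.group(2)) > MM_STATES.index(highest):
                highest = m.group(2)
        m = RETRANSMIT_RX.search(line)
        if m:
            attempts = max(attempts, int(m.group(1)))
        for kind, rx in ERROR_PATTERNS:
            if rx.search(line) and kind not in hits:
                hits.append(kind)
    if hits:
        diagnosis = "; ".join(DIAGNOSIS[k] for k in hits)
    elif highest == "QM_IDLE":
        diagnosis = "phase 1 completed; if traffic still fails, move on to debug crypto ipsec"
    elif attempts and highest == "MM_NO_STATE":
        diagnosis = ("the peer never answered the first main-mode packet: check the route to the "
                     "peer address and that UDP/500 is not filtered before touching crypto parameters")
    elif attempts and highest in ("MM_SA_SETUP", "MM_KEY_EXCH"):
        diagnosis = ("the peer stopped answering after the key exchange: typically a pre-shared key "
                     "mismatch, since the responder cannot decrypt the next message")
    elif attempts:
        diagnosis = f"retransmitting in {highest}: phase 1 authentication did not complete"
    else:
        diagnosis = "no phase 1 failure pattern in this capture"
    return {"highest_state": highest, "attempts": attempts, "hits": hits, "diagnosis": diagnosis}


# Lines taken from the thread's debug output (timestamps dropped).
THREAD_CAPTURE = [
    "ISAKMP:(0:0:N/A:0): sending packet to 85.0.0.26 my_port 500 peer_port 500 (I) MM_NO_STATE",
    "ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...",
    "ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1",
    "ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...",
    "ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1",
]
# Constructed captures modelled on IOS messages for the two other common outcomes.
PSK_MISMATCH_CAPTURE = [
    "ISAKMP:(0:1:SW:1): received packet from 85.0.0.26 dport 500 sport 500 Global (I) MM_SA_SETUP",
    "ISAKMP:(0:1:SW:1): sending packet to 85.0.0.26 my_port 500 peer_port 500 (I) MM_KEY_EXCH",
    "ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...",
    "ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1",
]
POLICY_MISMATCH_CAPTURE = [
    "ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy",
    "ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0",
    "ISAKMP:(0:0:N/A:0):no offers accepted!",
]

if __name__ == "__main__":
    for name, cap in [("thread", THREAD_CAPTURE), ("psk", PSK_MISMATCH_CAPTURE),
                      ("policy", POLICY_MISMATCH_CAPTURE)]:
        print(name, triage(cap))
```

Feed it the output of `debug crypto isakmp` captured while a ping sourced from the LAN interface triggers the tunnel, as described in the post above; the explicit error patterns take precedence over the state-based guess because they are direct evidence.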
nat
Cisco fan
Posts: 70
Joined: Sun 25 Nov 2007, 2:18 pm
Location: ABRUZZO

Hi valerio1976, thanks for the advice. I checked the keys and everything else; the config I posted is the real one except for the IP addresses, and the two configs are identical. I'm pasting the debug crypto isakmp and ipsec

ROUTER_1751_VPN#debug crypto isakmp
Crypto ISAKMP debugging is on
ROUTER_1751_VPN#
*Mar 1 00:13:27.495: ISAKMP: received ke message (1/1)
*Mar 1 00:13:27.495: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar 1 00:13:27.499: ISAKMP: Created a peer struct for 85.0.0.26, peer port 500
*Mar 1 00:13:27.499: ISAKMP: New peer created peer = 0x82D180F8 peer_handle = 0x80000003
*Mar 1 00:13:27.499: ISAKMP: Locking peer struct 0x82D180F8, IKE refcount 1 for isakmp_initiator
*Mar 1 00:13:27.499: ISAKMP: local port 500, remote port 500
*Mar 1 00:13:27.499: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:13:27.499: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83079CBC
*Mar 1 00:13:27.499: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar 1 00:13:27.503: ISAKMP:(0:0:N/A:0):Looking for a matching key for 85.0.0.26 in default
*Mar 1 00:13:27.503: ISAKMP:(0:0:N/A:0): : success
*Mar 1 00:13:27.503: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 85.0.0.26
*Mar 1 00:13:27.503: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 1 00:13:27.503: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 1 00:13:27.503: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 1 00:13:27.507: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:13:27.507: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 00:13:27.507: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar 1 00:13:27.507: ISAKMP:(0:0:N/A:0): sending packet to 85.0.0.26 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:13:37.507: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:13:37.507: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:13:37.507: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:13:37.507: ISAKMP:(0:0:N/A:0): sending packet to 85.0.0.26 my_port 500 peer_port 500 (I) MM_NO_STATE

VPN#debug crypto ipsec
Crypto IPSEC debugging is on

Mar 1 00:15:26.827: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 85.0.0.27, remote= 85.0.0.26,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x69DC6BDF(1776053215), conn_id= 0, keysize= 0, flags= 0x400A
nat
Cisco fan
Posts: 70
Joined: Sun 25 Nov 2007, 2:18 pm
Location: ABRUZZO

ok, it came up; now I can ping between the hosts of the two sites, but I can't see shared folders, i.e. from site A I don't see the folders on host B. I don't think that's normal, am I wrong? In case it helps I'm posting the current working configs.
many thanks

ROUTER_1751_VPN#sh run
Building configuration...

Current configuration : 1878 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER_1751_VPN
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 85.0.0.26 no-xauth
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto map masvpn local-address Loopback0
crypto map masvpn 1 ipsec-isakmp
set peer 85.0.0.26
set security-association lifetime kilobytes 86400
set security-association lifetime seconds 28800
set transform-set VPN-SET
match address 101
!
!
!
interface Loopback0
ip address 85.0.0.27 255.255.255.255
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
cdp enable
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
ip address 80.20.0.1 255.255.255.252
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 166
crypto map masvpn
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
!
no ip http server
no ip http secure-server
ip nat inside source route-map FORSE interface Loopback0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map FORSE permit 1
match ip address 102
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end


ROUTER_1841_VPN#sh run
Building configuration...

Current configuration : 2096 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER_1841_VPN
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 85.0.0.27 no-xauth
no crypto isakmp ccm
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto map masvpn local-address Loopback0
crypto map masvpn 1 ipsec-isakmp
set peer 85.0.0.27
set security-association lifetime kilobytes 86400
set security-association lifetime seconds 28800
set transform-set VPN-SET
match address 101
!
!
!
interface Loopback0
ip address 85.0.0.26 255.255.255.255
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

!
interface Serial0/0/0
no ip address
encapsulation frame-relay
!
interface Serial0/0/0.1 point-to-point
bandwidth 1024
ip address 80.20.0.2 255.255.255.252
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 132 IETF
crypto map masvpn
!

!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip http server
no ip http secure-server
ip nat inside source route-map FORSE interface Loopback0 overload
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map FORSE permit 1
match ip address 102
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
valerio1976
Network Emperor
Posts: 263
Joined: Fri 05 Mar 2010, 9:05 am

nat wrote: [quotes the post above in full]

hi, good, if they see each other that's already a step forward from this morning!

can you explain why there's "no crypto isakmp ccm" on the second router?

From site A you don't see the hosts of site B, but a silly question: does it actually have any shared folders? And in the share did you allow all users to access it?
nat
Cisco fan
Posts: 70
Joined: Sun 25 Nov 2007, 2:18 pm
Location: ABRUZZO

hi valerio1976,
on the second router "no crypto isakmp ccm" shows up by default, even with an empty config; from what I understand the 1841 has a VPN module.
I certainly do have shared folders; so much so that I took a laptop from site B, brought it to site A, changed the network settings, and the folders are visible and accessible from all the other hosts at A.
could it be some problem with a missing acl, some port that isn't open?
thanks to anyone who can give a suggestion
valerio1976
Network Emperor
Posts: 263
Joined: Fri 05 Mar 2010, 9:05 am

nat wrote: [quotes the post above in full]
Hi, I was on my way home thinking about your little problem and I remembered a small detail of your configuration...
you configured split tunneling with route-map FORSE, which is fine, but one little thing is missing... you have to apply it to interface f0/0 with
ip policy route-map FORSE
because otherwise the command you entered doesn't work

try it and let me know, thanks; you have to do the same on the other one


bye
nat
Cisco fan
Posts: 70
Joined: Sun 25 Nov 2007, 2:18 pm
Location: ABRUZZO

nothing; they ping each other, but no folder is visible between the two sites. Could NetBIOS and UDP port 137, which is used for host name resolution, have something to do with it?
thanks for your interest
valerio1976
Network Emperor
Posts: 263
Joined: Fri 05 Mar 2010, 9:05 am

nat wrote: [quotes the post above in full]
hi... usually not, or you have access-lists blocking netbios
but sorry, if you share a folder, e.g. pippo, at site A and, from site B, you go to e.g. \\IP_PC\pippo, doesn't it let you in?

Are the access-lists you posted all the access-lists you have?
nat
Cisco fan
Posts: 70
Joined: Sun 25 Nov 2007, 2:18 pm
Location: ABRUZZO

ok, it works; the access-lists are the ones I posted. From site A I was doing a search for the share pippo at B and that didn't work; doing it the way you suggested, everything is fine. Reading around I found the ip helper-address command, to be added on the FastEthernet interface, which serves to propagate broadcast traffic. NetBIOS is what, via UDP port 137 and TCP port 139, provides host name resolution (137) and file and printer sharing (139). NetBIOS over TCP/IP host names (which coincide with SMB names) can be registered (announced) and resolved (found) on the local network via broadcast, hence the ip helper-address command. After adding these two commands, if I search for pippo from site A to B I find the folder.
I hope I'm not talking nonsense.
bye and thanks
valerio1976
Network Emperor
Posts: 263
Joined: Fri 05 Mar 2010, 9:05 am

nat wrote: [quotes the post above in full]
Good, you never stop learning :) good, you solved the problem :)

Well done!
nat
Cisco fan
Posts: 70
Joined: Sun 25 Nov 2007, 2:18 pm
Location: ABRUZZO

thanks a lot valerio1976 for the help; I hope it will be useful to others too. One last thing I'd like to ask: in one of your replies you say "you configured split tunneling with route-map FORSE, which is fine"; I presume there are other ways to configure VPNs as well. Could you give me a hint so I can search and understand?
bye
valerio1976
Network Emperor
Posts: 263
Joined: Fri 05 Mar 2010, 9:05 am

nat wrote: [quotes the post above in full]
hi, it can also be done like this:
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1
set security-association lifetime kilobytes 86400
set security-association lifetime seconds 28800
set transform-set paperino
match address 101

ip nat inside source list 102 interface FastEthernet0/1 overload

access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.4.0 0.0.3.255
access-list 102 deny ip 192.168.16.0 0.0.0.255 192.168.4.0 0.0.3.255
access-list 102 permit ip 192.168.16.0 0.0.0.255 any

but in the end the result is the same; honestly, with the route-map it's cleaner


bye

you're welcome