VPN L2L and roadwarrior

thorpe
Cisco fan
Posts: 72
Joined: Wed 03 Mar 2010, 5:39 pm

Hello world, I've been banging my head against this problem for several days now. I have a 1751v with an ATM module and I've created an IPsec VPN to a pfSense firewall that I have in the office. So far so good. Now I'm trying to get my router to also accept roadwarrior IPsec connections, which I can use when I'm on holiday or away from home.
I should mention that after adding the "roadwarrior" part the L2L stopped working until I set the no-xauth option, since I only use a preshared key with no users.
I'm pasting my current config hoping for some advice:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1751v
!
boot-start-marker
boot-end-marker
!
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username simone password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
clock timezone GMT 1
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
voice-card 1
!
voice-card 2
!
aaa new-model
!
!
aaa authentication login LOCAL_DB local
aaa session-id common
ip subnet-zero
!
!
!
ip dhcp pool LOCAL
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 192.168.10.254
netbios-name-server 192.168.10.1
lease 7
class RANGE
address range 192.168.10.100 192.168.10.120
!
ip dhcp pool STATIC-FISSO_SIMONE
host 192.168.10.100 255.255.255.0
client-identifier 016c.626d.7194.55
!
ip dhcp pool STATIC-FISSO_ALBERTO
host 192.168.10.101 255.255.255.0
client-identifier 0100.1195.c42e.a5
!
!
ip dhcp class RANGE
!
ip cef
ip domain name XXXXXXXXXX.homeip.net
ip name-server 213.205.32.70
ip name-server 8.8.8.8
ip name-server 213.205.36.70
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW icmp
ip inspect name MYFW http
ip ips po max-events 100
no ftp-server write-enable
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
voice translation-rule 1
rule 2 /41/ /41/
rule 3 /42/ /42/
rule 5 /44/ /44/
rule 6 /45/ /45/
rule 7 /^4/ /0,/
!
!
voice translation-profile out_pstn
translate called 1
!
!
!
!
!
!
translation-rule 1
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 XXXXXXXXX address xxx.yyy.xxx.yyy no-xauth
!
crypto isakmp client configuration group HOME_ROADWARRIOR
key XXXXXXXXX
dns 192.168.10.254
wins 192.168.10.1
pool ROADWARRIOR_POOL
acl ACL_ROADWARRIOR
max-users 5
!
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto ipsec transform-set STRONG_ROADWARRIOR esp-3des esp-md5-hmac
!
crypto dynamic-map CLIENT_MAP 10
set transform-set STRONG_ROADWARRIOR
!
!
crypto map VPN local-address Dialer0
crypto map VPN client authentication list LOCAL_DB
crypto map VPN isakmp authorization list LOCAL_DB
crypto map VPN client configuration address respond
crypto map VPN 15 ipsec-isakmp
set peer xxx.yyy.xxx.yyy
set transform-set STRONG
set pfs group2
match address ACL_VPN
crypto map VPN 1000 ipsec-isakmp dynamic CLIENT_MAP
!
!
!
!
interface ATM0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0/0
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
hold-queue 100 out
!
interface Dialer0
ip address negotiated
ip nat outside
ip inspect MYFW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXXXXXXxxx
ppp pap sent-username XXXXXXXXXXXXXXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXXXXx
crypto map VPN
!
ip local pool ROADWARRIOR_POOL 192.168.11.1 192.168.11.10
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 1200
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 4096
ip nat inside source list ACL_NAT interface Dialer0 overload
ip nat inside source static udp 192.168.10.101 5617 interface Dialer0 5617
ip nat inside source static tcp 192.168.10.101 37857 interface Dialer0 37857
ip nat inside source static udp 192.168.10.100 32505 interface Dialer0 32505
ip nat inside source static tcp 192.168.10.100 32476 interface Dialer0 32476
!
ip dns server
!
!
ip access-list extended ACL_NAT
deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended ACL_ROADWARRIOR
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
ip access-list extended ACL_VPN
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended SSH
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
!
!
control-plane
!
!
voice-port 1/0
!
voice-port 1/1
!
voice-port 2/0
echo-cancel coverage 32
no vad
cptone IT
timeouts interdigit 20
timeouts ringing 10
connection plar opx 299
description xxxxxxxxxx
!
voice-port 2/1
!
!
!
!
dial-peer cor custom
!
!
!
dial-peer voice 299 voip
destination-pattern T
session protocol sipv2
session target ipv4:192.168.10.240:5060
session transport udp
codec g711ulaw
!
dial-peer voice 1 pots
translation-profile outgoing out_pstn
destination-pattern T
no digit-strip
port 2/0
authentication username cisco password XXXXXXXXXXXXXXXXXXXx
!
sip-ua
retry invite 3
retry response 3
retry bye 3
retry cancel 3
timers trying 1000
registrar ipv4:192.168.10.240 expires 3600
sip-server ipv4:192.168.10.240
!
banner motd ATTENTO A QUELLO CHE FAI !!!
!
line con 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXX
line aux 0
line vty 0 4
access-class SSH in
exec-timeout 30 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
transport input ssh
!
ntp clock-period 17180002
ntp server 85.18.189.242
end
thorpe
Cisco fan
Posts: 72
Joined: Wed 03 Mar 2010, 5:39 pm

Maybe this can help; I think the problem concerns the crypto identity. As VPN client I use Shrew, and I have to set two parameters, local identity and remote identity, where I can choose between ip address, fqdn, key string and any.
I noticed that the Cisco client doesn't require setting these fields. Why is that?
thorpe
Cisco fan
Posts: 72
Joined: Wed 03 Mar 2010, 5:39 pm

I'm pasting the updated configuration, which uses the isakmp profile. The L2L VPN keeps working but the roadwarrior doesn't. I tried with the Cisco client, Shrew and greenbox. When I connect remotely I'm behind NAT.
Can you give me some pointers?

!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1751v
!
boot-start-marker
boot-end-marker
!
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username simone password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
clock timezone GMT 1
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
voice-card 1
!
voice-card 2
!
aaa new-model
!
!
aaa authentication login LOCAL_DB local
aaa authorization network LOCAL_DB local
aaa session-id common
ip subnet-zero
!
!
!
ip dhcp pool LOCAL
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 192.168.10.254
netbios-name-server 192.168.10.1
lease 7
class RANGE
address range 192.168.10.100 192.168.10.120
!
ip dhcp pool STATIC-FISSO_SIMONE
host 192.168.10.100 255.255.255.0
client-identifier 016c.626d.7194.55
!
ip dhcp pool STATIC-FISSO_ALBERTO
host 192.168.10.101 255.255.255.0
client-identifier 0100.1195.c42e.a5
!
!
ip dhcp class RANGE
!
ip cef
ip domain name XXXXXXXXX.homeip.net
ip name-server 213.205.32.70
ip name-server 8.8.8.8
ip name-server 213.205.36.70
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW icmp
ip inspect name MYFW http
ip ips po max-events 100
no ftp-server write-enable
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
voice translation-rule 1
rule 2 /41/ /41/
rule 3 /42/ /42/
rule 5 /44/ /44/
rule 6 /45/ /45/
rule 7 /^4/ /0,/
!
!
voice translation-profile out_pstn
translate called 1
!
!
!
!
!
!
translation-rule 1
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 11
encr aes
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 XXXXXXXXXX address xxx.yyy.xxx.yyy no-xauth
!
crypto isakmp client configuration group HOME_ROADWARRIOR
key XXXXXXXX
dns 192.168.10.254
wins 192.168.10.1
domain XXXXXXXXX.homeip.net
pool ROADWARRIOR_POOL
acl ACL_ROADWARRIOR
max-users 5
crypto isakmp profile ROADWARRIOR
match identity group HOME_ROADWARRIOR
client authentication list LOCAL_DB
isakmp authorization list LOCAL_DB
client configuration address respond
!
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto dynamic-map CLIENT_MAP 10
set transform-set STRONG
set isakmp-profile ROADWARRIOR
reverse-route
!
!
crypto map VPN local-address Dialer0
crypto map VPN 15 ipsec-isakmp
set peer xxx.yyy.xxx.yyy
set transform-set STRONG
set pfs group2
match address ACL_VPN
crypto map VPN 1000 ipsec-isakmp dynamic CLIENT_MAP
!
!
!
!
interface ATM0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0/0
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
hold-queue 100 out
!
interface Dialer0
ip address negotiated
ip nat outside
ip inspect MYFW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 7 xxxxxxxxxxxxxxxxxx
ppp pap sent-username [email protected] password 7 xxxxxxxxxxxxxx
crypto map VPN
!
ip local pool ROADWARRIOR_POOL 192.168.11.1 192.168.11.10
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 1200
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 4096
ip nat inside source list ACL_NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.10.100 32476 interface Dialer0 32476
ip nat inside source static udp 192.168.10.100 32505 interface Dialer0 32505
ip nat inside source static tcp 192.168.10.101 37857 interface Dialer0 37857
ip nat inside source static udp 192.168.10.101 5617 interface Dialer0 5617
!
ip dns server
!
!
ip access-list extended ACL_NAT
deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended ACL_ROADWARRIOR
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
ip access-list extended ACL_VPN
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended SSH
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
!
!
control-plane
!
!
voice-port 1/0
!
voice-port 1/1
!
voice-port 2/0
echo-cancel coverage 32
no vad
cptone IT
timeouts interdigit 20
timeouts ringing 10
connection plar opx 299
description TISCALI
!
voice-port 2/1
!
!
!
!
dial-peer cor custom
!
!
!
dial-peer voice 299 voip
destination-pattern T
session protocol sipv2
session target ipv4:192.168.10.240:5060
session transport udp
codec g711ulaw
!
dial-peer voice 1 pots
translation-profile outgoing out_pstn
destination-pattern T
no digit-strip
port 2/0
authentication username cisco password xxxxxxxxxxxxxxxxxxx
!
sip-ua
retry invite 3
retry response 3
retry bye 3
retry cancel 3
timers trying 1000
registrar ipv4:192.168.10.240 expires 3600
sip-server ipv4:192.168.10.240
!
banner motd ATTENTO A QUELLO CHE FAI !!!
!
line con 0
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
line aux 0
line vty 0 4
access-class SSH in
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
transport input ssh
!
ntp clock-period 17180074
ntp server 85.18.189.242
end
thorpe
Cisco fan
Posts: 72
Joined: Wed 03 Mar 2010, 5:39 pm

I noticed that by default crypto isakmp identity is set to address; in fact the remote gateway of the tunnel I have up, which is a pfSense, has "my identifier" set to my IP address. If I change it to hostname the VPN doesn't come up and I see the conn id is in an MM_KEY_EXCH state.
When connecting remotely with the IPsec client, what kind of identity should I set? I've read that hostname doesn't work with a preshared key, so I'd necessarily have to use address. But which one?
Help :cry:
thorpe
Cisco fan
Posts: 72
Joined: Wed 03 Mar 2010, 5:39 pm

Update: with the Cisco client I manage to establish the VPN and get an IP from the defined pool. The problem is that I can't ping the router's LAN interface or the LAN PCs, and not the other way round either.
Doing a show crypto dynamic-map I see that no ACL has been assigned.
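The pieces a remote-access setup like the one above depends on are scattered across the config and reference each other by name: the crypto map must be bound to the outside interface, the dynamic map points at an ISAKMP profile whose matched group names the address pool and the split-tunnel ACL, reverse-route gives the router a route back to the pool, and the NAT ACL has to deny LAN-to-pool traffic before the overload permit, or replies from the LAN get translated instead of encrypted. Note also that a dynamic crypto map carries no match address of its own; the networks pushed to the client come from the acl under the client configuration group. The script below is an added example, not code from the thread or from Cisco: it parses an IOS running-config by indentation and reports any of those cross-references that do not resolve. SAMPLE_CONFIG is constructed for the example and only reuses the object names from the posts (VPN, CLIENT_MAP, ROADWARRIOR, HOME_ROADWARRIOR, ROADWARRIOR_POOL, ACL_NAT).

```python
"""Cross-check an IOS IPsec remote-access (Easy VPN server) configuration.
Added example, not code from the thread or from Cisco; SAMPLE_CONFIG is constructed."""
import ipaddress, re

SAMPLE_CONFIG = """\
crypto isakmp client configuration group HOME_ROADWARRIOR
 pool ROADWARRIOR_POOL
 acl ACL_ROADWARRIOR
crypto isakmp profile ROADWARRIOR
 match identity group HOME_ROADWARRIOR
crypto dynamic-map CLIENT_MAP 10
 set transform-set STRONG
 set isakmp-profile ROADWARRIOR
 reverse-route
crypto map VPN 1000 ipsec-isakmp dynamic CLIENT_MAP
interface Dialer0
 crypto map VPN
ip local pool ROADWARRIOR_POOL 192.168.11.1 192.168.11.10
ip nat inside source list ACL_NAT interface Dialer0 overload
ip access-list extended ACL_NAT
 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended ACL_ROADWARRIOR
 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
"""

def parse_sections(text):
    """Split an IOS config into (header, children) pairs; children are the indented lines."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def children_of(sections, name):
    """Children of the section whose header is `name`, possibly followed by more words; else None."""
    return next((c for h, c in sections if h == name or h.startswith(name + " ")), None)

def child_arg(children, *keywords):
    """Token that follows `keywords` in a child line, e.g. child_arg(c, "set", "transform-set")."""
    n = len(keywords)
    for line in children or ():
        parts = line.split()
        if tuple(parts[:n]) == keywords and len(parts) > n:
            return parts[n]
    return None

def parse_acl_addr(tok, i):
    """Parse one ACL address spec (any | host A | A WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host" or tok[i + 1] == "0.0.0.0":  # single host, written either way
        return ipaddress.ip_network(tok[i + 1 if tok[i] == "host" else i] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2  # wildcard = host mask

def nat_action_for_pool(acl_lines, first, last):
    """Action of the first NAT ACL entry whose destination covers the whole pool, or None."""
    for line in acl_lines:
        tok = line.split()
        if len(tok) < 4 or tok[1] != "ip":
            continue
        _, i = parse_acl_addr(tok, 2)  # source side is not inspected here
        dst, _ = parse_acl_addr(tok, i)
        if first in dst and last in dst:
            return tok[0]
    return None

def lint(text):
    """Return findings as strings; an empty list means every cross-reference resolves."""
    s, findings = parse_sections(text), []
    m = re.search(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", text, re.M)
    if not m:
        return ["no crypto map entry references a dynamic map"]
    cmap, dyn = m.groups()
    if not any(h.startswith("interface ") and f"crypto map {cmap}" in c for h, c in s):
        findings.append(f"crypto map {cmap} is not applied to any interface")
    dyn_children = children_of(s, f"crypto dynamic-map {dyn}") or []
    if "reverse-route" not in dyn_children:
        findings.append(f"{dyn} has no reverse-route, so the router gets no route back to the client pool")
    prof = child_arg(dyn_children, "set", "isakmp-profile")
    group = child_arg(children_of(s, f"crypto isakmp profile {prof}"), "match", "identity", "group")
    grp = children_of(s, f"crypto isakmp client configuration group {group}")
    if grp is None:
        return findings + [f"{dyn} does not lead to a defined client configuration group"]
    pool, acl = child_arg(grp, "pool"), child_arg(grp, "acl")
    if children_of(s, f"ip access-list extended {acl}") is None:
        findings.append(f"split-tunnel ACL {acl} under group {group} is not defined")
    pool_line = next((h for h, _ in s if h.startswith(f"ip local pool {pool} ")), None)
    if pool_line is None:
        return findings + [f"address pool {pool} under group {group} is not defined"]
    first, last = (ipaddress.ip_address(x) for x in pool_line.split()[4:6])
    nat = re.search(r"^ip nat inside source list (\S+) ", text, re.M)
    if nat:
        acl_lines = children_of(s, f"ip access-list extended {nat.group(1)}") or []
        action = nat_action_for_pool(acl_lines, first, last)
        if action != "deny":
            findings.append(f"NAT ACL {nat.group(1)} does not exempt pool {pool} (first match: {action})")
    return findings
```

Run lint() on the text of a saved show running-config; the parser relies on the one-space indentation IOS prints, so the copy must keep it (the configs pasted in this thread lost theirs). lint(SAMPLE_CONFIG) returns an empty list; deleting the deny line from ACL_NAT, the reverse-route line, or the crypto map binding on Dialer0 each produces a single finding naming the missing piece.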