REMOTE ACCESS VPN HELP :-)

Virtual private networks and related topics

Matteo82
n00b
Posts: 1
Joined: Sun 01 Dec 2013, 6:40 pm

Good evening,

I have a problem connecting from a VPN client to an 877 (my home); I should point out that everything works locally.

It correctly asks me for user and password, but then it stays in disconnect.

The curious thing is that the sessions in the show commands stay hanging in IDLE, and I have to clear them manually.
I have already changed the hash to md5 and tried mapping to the loopback, without any result.

To be safe I also removed the access lists and the inspects on dialer0.

Here is my config:

crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group euezvpn
key xxxxxx
pool ezvpn
acl split-tunneling
crypto isakmp profile eunet
match identity group euezvpn
client authentication list local_authentication
isakmp authorization list default
client configuration address respond
client configuration group euezvpn
!
!
crypto ipsec transform-set set esp-aes esp-md5-hmac
!
crypto dynamic-map eu-ezvpn 50
set transform-set set
set isakmp-profile eunet
reverse-route
!
!
crypto map eu-ezvpn local-address Loopback1
crypto map eu-ezvpn 50 ipsec-isakmp dynamic eu-ezvpn
!
archive
log config
hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Loopback1
ip address 10.100.0.1 255.255.255.0
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
switchport access vlan 110
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 99
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 110
!
interface FastEthernet3
switchport access vlan 120
spanning-tree portfast
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.30.82.1 255.255.255.0
no ip redirects
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan110
ip address 10.30.81.1 255.255.255.0
ip access-group 100 in
no ip redirects
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan120
ip address 10.50.90.1 255.255.255.248
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp chap hostname aliceadsl
ppp chap password 7 14161E020F012B2F3724
ppp pap sent-username aliceadsl password 7 1108150C14170A081726
ppp ipcp dns request
ppp ipcp wins request
crypto map eu-ezvpn
!
ip local pool ezvpn 172.16.30.1 172.16.30.255
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source list gre interface Dialer0 overload
ip nat inside source list venti interface Dialer0 overload
ip nat inside source static tcp 10.30.82.1 50 interface Dialer0 50
ip nat inside source static tcp 10.30.82.1 51 interface Dialer0 51
ip nat inside source static tcp 10.30.82.1 22 interface Dialer0 22
ip nat inside source static udp 10.30.82.1 4500 interface Dialer0 4500
!
ip access-list extended ciazo
ip access-list extended gre
permit gre host 10.30.82.1 any
ip access-list extended split-tunneling
permit ip 10.30.82.0 0.0.0.255 any
ip access-list extended venti
permit ip 172.16.30.0 0.0.0.255 any
!
Any ideas??

Thanks :D

EDIT: here is the error from debug crypto isakmp:
*Mar 9 20:15:07.707: ISAKMP: transform 1, ESP_AES
*Mar 9 20:15:07.707: ISAKMP: attributes in transform:
*Mar 9 20:15:07.707: ISAKMP: authenticator is HMAC-SHA
*Mar 9 20:15:07.707: ISAKMP: key length is 128
*Mar 9 20:15:07.707: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 9 20:15:07.707: ISAKMP: SA life type in seconds
*Mar 9 20:15:07.707: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 9 20:15:07.707: ISAKMP:(2033):atts are acceptable.
*Mar 9 20:15:07.707: ISAKMP:(2033): IPSec policy invalidated proposal with error 8
*Mar 9 20:15:07.707: ISAKMP:(2033):Checking IPSec proposal 9
*Mar 9 20:15:07.707: ISAKMP: transform 1, ESP_3DES
*Mar 9 20:15:07.707: ISAKMP: attributes in transform:
*Mar 9 20:15:07.707: ISAKMP: authenticator is HMAC-MD5
*Mar 9 20:15:07.707: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 9 20:15:07.707: ISAKMP: SA life type in seconds
*Mar 9 20:15:07.707: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 9 20:15:07.711: ISAKMP:(2033):atts are acceptable.
*Mar 9 20:15:07.711: ISAKMP:(2033):Checking IPSec proposal 9
*Mar 9 20:15:07.711: ISAKMP:(2033):transform 1, IPPCP LZS
*Mar 9 20:15:07.711: ISAKMP: attributes in transform:
*Mar 9 20:15:07.711: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 9 20:15:07.711: ISAKMP: SA life type in seconds
*Mar 9 20:15:07.711: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 9 20:15:07.711: ISAKMP:(2033):atts are acceptable.
*Mar 9 20:15:07.711: ISAKMP:(2033): IPSec policy invalidated proposal with error 8
*Mar 9 20:15:07.711: ISAKMP:(2033):Checking IPSec proposal 10
*Mar 9 20:15:07.711: ISAKMP: transform 1, ESP_3DES
*Mar 9 20:15:07.711: ISAKMP: attributes in transform:
*Mar 9 20:15:07.711: ISAKMP: authenticator is HMAC-SHA
*Mar 9 20:15:07.711: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 9 20:15:07.711: ISAKMP: SA life type in seconds
*Mar 9 20:15:07.711: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 9 20:15:07.711: ISAKMP:(2033):atts are acceptable.
*Mar 9 20:15:07.711: ISAKMP:(2033):Checking IPSec proposal 10
*Mar 9 20:15:07.711: ISAKMP:(2033):transform 1, IPPCP LZS
*Mar 9 20:15:07.711: ISAKMP: attributes in transform:
*Mar 9 20:15:07.711: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 9 20:15:07.711: ISAKMP: SA life type in seconds
*Mar 9 20:15:07.711: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 9 20:15:07.711: ISAKMP:(2033):atts are acceptable.
*Mar 9 20:15:07.711: ISAKMP:(2033): IPSec policy invalidated proposal with error 8
*Mar 9 20:15:07.711: ISAKMP:(2033):Checking IPSec proposal 11
*Mar 9 20:15:07.711: ISAKMP: transform 1, ESP_3DES
*Mar 9 20:15:07.711: ISAKMP: attributes in transform:
*Mar 9 20:15:07.711: ISAKMP: authenticator is HMAC-MD5
*Mar 9 20:15:07.715: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 9 20:15:07.715: ISAKMP: SA life type in seconds
*Mar 9 20:15:07.715: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 9 20:15:07.715: ISAKMP:(2033):atts are acceptable.
*Mar 9 20:15:07.715: ISAKMP:(2033): IPSec policy invalidated proposal with error 8
*Mar 9 20:15:07.715: ISAKMP:(2033):Checking IPSec proposal 12
*Mar 9 20:15:07.715: ISAKMP: transform 1, ESP_3DES
*Mar 9 20:15:07.715: ISAKMP: attributes in transform:
*Mar 9 20:15:07.715: ISAKMP: authenticator is HMAC-SHA
*Mar 9 20:15:07.715: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 9 20:15:07.715: ISAKMP: SA life type in seconds
*Mar 9 20:15:07.715: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 9 20:15:07.715: ISAKMP:(2033):atts are acceptable.
*Mar 9 20:15:07.715: ISAKMP:(2033): IPSec policy invalidated proposal with error 8
*Mar 9 20:15:07.715: ISAKMP:(2033):Checking IPSec proposal 13
*Mar 9 20:15:07.715: ISAKMP: transform 1, ESP_DES
*Mar 9 20:15:07.715: ISAKMP: attributes in transform:
*Mar 9 20:15:07.715: ISAKMP: authenticator is HMAC-MD5
*Mar 9 20:15:07.715: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 9 20:15:07.715: ISAKMP: SA life type in seconds
*Mar 9 20:15:07.715: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 9 20:15:07.715: ISAKMP:(2033):atts are acceptable.
*Mar 9 20:15:07.715: ISAKMP:(2033):Checking IPSec proposal 13
*Mar 9 20:15:07.715: ISAKMP:(2033):transform 1, IPPCP LZS
*Mar 9 20:15:07.715: ISAKMP: attributes in transform:
*Mar 9 20:15:07.715: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 9 20:15:07.715: ISAKMP: SA life type in seconds
*Mar 9 20:15:07.715: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 9 20:15:07.715: ISAKMP:(2033):atts are acceptable.
*Mar 9 20:15:07.715: ISAKMP:(2033): IPSec policy invalidated proposal with error 8
*Mar 9 20:15:07.719: ISAKMP:(2033):Checking IPSec proposal 14
*Mar 9 20:15:07.719: ISAKMP: transform 1, ESP_DES
*Mar 9 20:15:07.719: ISAKMP: attributes in transform:
*Mar 9 20:15:07.719: ISAKMP: authenticator is HMAC-MD5
*Mar 9 20:15:07.719: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 9 20:15:07.719: ISAKMP: SA life type in seconds
*Mar 9 20:15:07.719: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 9 20:15:07.719: ISAKMP:(2033):atts are acceptable.
*Mar 9 20:15:07.719: ISAKMP:(2033): IPSec policy invalidated proposal with error 8
*Mar 9 20:15:07.719: ISAKMP:(2033):Checking IPSec proposal 15
*Mar 9 20:15:07.719: ISAKMP: transform 1, ESP_NULL
*Mar 9 20:15:07.719: ISAKMP: attributes in transform:
*Mar 9 20:15:07.719: ISAKMP: authenticator is HMAC-MD5
*Mar 9 20:15:07.719: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 9 20:15:07.719: ISAKMP: SA life type in seconds
*Mar 9 20:15:07.719: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 9 20:15:07.719: ISAKMP:(2033):atts are acceptable.
*Mar 9 20:15:07.719: ISAKMP:(2033): IPSec policy invalidated proposal with error 8
*Mar 9 20:15:07.719: ISAKMP:(2033):Checking IPSec proposal 16
*Mar 9 20:15:07.719: ISAKMP: transform 1, ESP_NULL
*Mar 9 20:15:07.719: ISAKMP: attributes in transform:
*Mar 9 20:15:07.719: ISAKMP: authenticator is HMAC-SHA
*Mar 9 20:15:07.719: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 9 20:15:07.719: ISAKMP: SA life type in seconds
*Mar 9 20:15:07.719: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 9 20:15:07.719: ISAKMP:(2033):atts are acceptable.
*Mar 9 20:15:07.719: ISAKMP:(2033): IPSec policy invalidated proposal with error 8
*Mar 9 20:15:07.719: ISAKMP:(2033): phase 2 SA policy not acceptable! (local 10.30.82.1 remote 107.197.248.253)
*Mar 9 20:15:07.723: ISAKMP: set new node 1813393760 to QM_IDLE
*Mar 9 20:15:07.723: ISAKMP:(2033):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2215771656, message ID = 1813393760
R1#
*Mar 9 20:15:07.723: ISAKMP:(2033): sending packet to 107.197.248.253 my_port 4500 peer_port 62734 (R) QM_IDLE
*Mar 9 20:15:07.723: ISAKMP:(2033):Sending an IKE IPv4 Packet.
*Mar 9 20:15:07.723: ISAKMP:(2033):purging node 1813393760
*Mar 9 20:15:07.723: ISAKMP:(2033):deleting node 528658294 error TRUE reason "QM rejected"
*Mar 9 20:15:07.723: ISAKMP:(2033):Node 528658294, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 9 20:15:07.723: ISAKMP:(2033):Old State = IKE_QM_READY New State = IKE_QM_READY
*Mar 9 20:15:07.887: ISAKMP (0:2033): received packet from 107.197.248.253 dport 4500 sport 62734 Global (R) QM_IDLE
R1#
*Mar 9 20:15:07.887: ISAKMP: set new node 1994457544 to QM_IDLE
*Mar 9 20:15:07.887: ISAKMP:(2033): processing HASH payload. message ID = 1994457544
*Mar 9 20:15:07.887: ISAKMP:(2033): processing DELETE payload. message ID = 1994457544
*Mar 9 20:15:07.887: ISAKMP:(2033):peer does not do paranoid keepalives.
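The debug in the post shows the router walking through every Phase 2 (Quick Mode) proposal the client sends, printing "atts are acceptable" and then "IPSec policy invalidated proposal" for each one, until it gives up with PROPOSAL_NOT_CHOSEN. The first thing to check in that situation is whether any client proposal actually equals the configured transform set (here `esp-aes esp-md5-hmac`, i.e. AES-128 with HMAC-MD5): the visible proposals are AES-128/HMAC-SHA, 3DES/HMAC-MD5, 3DES/HMAC-SHA, DES/HMAC-MD5 and ESP_NULL, some bundled with LZS compression, and none of them is AES-128/HMAC-MD5. The script below is an added example written for this thread, not code from the original post or from Cisco: it parses `debug crypto isakmp` output in the format quoted above (the sample log inside it is constructed from that excerpt, trimmed to three proposals) and reports which proposals match a given `crypto ipsec transform-set` line. It compares on the algorithm level only; it also assumes, as stated in the code, that IOS requires `comp-lzs` in the transform set to accept a proposal that bundles IPCOMP. Two caveats a practitioner would keep in mind: a proposal can be rejected at this point for reasons other than the algorithms, and the debug reports the Quick Mode endpoints as local 10.30.82.1 (the Vlan99 address, which also appears in the static NAT entries for UDP 4500 and TCP 50/51), while the crypto map in the config is applied to Dialer0 with `local-address Loopback1` (10.100.0.1), so where the SA is terminating is worth checking as well; and whichever transform set ends up being used, the router should not be configured to accept the ESP_DES or ESP_NULL proposals the client offers.

```python
"""Check Cisco IOS `debug crypto isakmp` Quick Mode output against a transform set."""
import re
from dataclasses import dataclass
# Constructed sample in the format of the debug quoted in the post (not a live
# capture), trimmed to three of the proposals the client sent.
SAMPLE_DEBUG = """\
*Mar 9 20:15:07.707: ISAKMP:(2033):Checking IPSec proposal 8
*Mar 9 20:15:07.707: ISAKMP: transform 1, ESP_AES
*Mar 9 20:15:07.707: ISAKMP: authenticator is HMAC-SHA
*Mar 9 20:15:07.707: ISAKMP: key length is 128
*Mar 9 20:15:07.707: ISAKMP:(2033): IPSec policy invalidated proposal with error 8
*Mar 9 20:15:07.707: ISAKMP:(2033):Checking IPSec proposal 9
*Mar 9 20:15:07.707: ISAKMP: transform 1, ESP_3DES
*Mar 9 20:15:07.707: ISAKMP: authenticator is HMAC-MD5
*Mar 9 20:15:07.711: ISAKMP:(2033):Checking IPSec proposal 9
*Mar 9 20:15:07.711: ISAKMP:(2033):transform 1, IPPCP LZS
*Mar 9 20:15:07.711: ISAKMP:(2033): IPSec policy invalidated proposal with error 8
*Mar 9 20:15:07.711: ISAKMP:(2033):Checking IPSec proposal 11
*Mar 9 20:15:07.711: ISAKMP: transform 1, ESP_3DES
*Mar 9 20:15:07.711: ISAKMP: authenticator is HMAC-MD5
*Mar 9 20:15:07.715: ISAKMP:(2033): IPSec policy invalidated proposal with error 8
*Mar 9 20:15:07.719: ISAKMP:(2033): phase 2 SA policy not acceptable! (local 10.30.82.1 remote 107.197.248.253)
"""

# Names as printed in the debug -> keywords used in `crypto ipsec transform-set`.
ESP_KEYWORD = {"ESP_AES": "esp-aes", "ESP_3DES": "esp-3des", "ESP_DES": "esp-des", "ESP_NULL": "esp-null"}
AUTH_KEYWORD = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}

RE_PROPOSAL = re.compile(r"Checking IPSec proposal (\d+)")
RE_TRANSFORM = re.compile(r"transform \d+, (ESP_\w+|IPPCP LZS)")
RE_AUTH = re.compile(r"authenticator is (HMAC-\w+)")
RE_KEYLEN = re.compile(r"key length is (\d+)")
RE_REJECT = re.compile(r"invalidated proposal with error (\d+)")
RE_PEERS = re.compile(r"not acceptable! \(local (\S+) remote (\S+)\)")

@dataclass
class Proposal:
    number: int
    cipher: str = ""      # ESP_AES, ESP_3DES, ESP_DES or ESP_NULL
    key_length: int = 0   # sent only for AES; 0 means "not sent"
    auth: str = ""        # HMAC-MD5 or HMAC-SHA
    lzs: bool = False     # IPCOMP (LZS) bundled into the same proposal
    error: int = 0        # IOS error code if rejected, 0 if not

def parse_debug(text):
    """One Proposal per number. IOS prints 'Checking IPSec proposal N' once per protocol,
    so ESP+IPCOMP appears twice under the same N; lines before the first 'Checking' are skipped."""
    proposals, current = {}, None
    for line in text.splitlines():
        if m := RE_PROPOSAL.search(line):
            current = proposals.setdefault(int(m[1]), Proposal(int(m[1])))
        elif current is None:
            continue
        elif m := RE_TRANSFORM.search(line):
            if m[1] == "IPPCP LZS":
                current.lzs = True
            else:
                current.cipher = m[1]
        elif m := RE_AUTH.search(line):
            current.auth = m[1]
        elif m := RE_KEYLEN.search(line):
            current.key_length = int(m[1])
        elif m := RE_REJECT.search(line):
            current.error = int(m[1])
    return list(proposals.values())

def normalize_transform_set(config):
    """'crypto ipsec transform-set NAME kw ...' or bare keywords -> frozenset of
    keywords; a bare esp-aes is AES-128 in IOS and is stored as 'esp-aes 128'."""
    keywords = re.sub(r"^crypto ipsec transform-set \S+\s*", "", config.strip())
    keywords = re.sub(r"\besp-aes\b(?! \d)", "esp-aes 128", keywords)
    return frozenset(re.findall(r"esp-aes \d+|\S+", keywords))

def normalize_proposal(p):
    """Same keyword form for a parsed proposal. Assumption: IOS accepts an IPCOMP
    proposal only if the set contains comp-lzs, so compression is part of the match."""
    out = set()
    if p.cipher == "ESP_AES":
        out.add(f"esp-aes {p.key_length or 128}")
    elif p.cipher:
        out.add(ESP_KEYWORD[p.cipher])
    if p.auth:
        out.add(AUTH_KEYWORD[p.auth])
    if p.lzs:
        out.add("comp-lzs")
    return frozenset(out)

def diagnose(debug_text, transform_set):
    """What the client proposed, which proposals match the set, and the SA endpoints."""
    proposals = parse_debug(debug_text)
    want = normalize_transform_set(transform_set)
    peers = RE_PEERS.search(debug_text)
    return {
        "proposals": {p.number: " ".join(sorted(normalize_proposal(p))) for p in proposals},
        "matches": [p.number for p in proposals if normalize_proposal(p) == want],
        "local": peers[1] if peers else None,
        "remote": peers[2] if peers else None,
    }
```

Usage: paste the full `debug crypto isakmp` capture into the first argument and the router's transform-set line into the second, e.g. `diagnose(open("debug.txt").read(), "crypto ipsec transform-set set esp-aes esp-md5-hmac")`. On the sample above that call returns an empty `matches` list (no proposal is AES-128/HMAC-MD5) and endpoints local 10.30.82.1 / remote 107.197.248.253; with `esp-3des esp-md5-hmac` it returns proposal 11, and with `esp-3des esp-md5-hmac comp-lzs` proposal 9, which is how the tool separates a plain algorithm mismatch from a compression mismatch.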