Site-to-site VPN always down

Virtual private networks and related topics

Moderator: Federico.Lagni

marfab
n00b
Posts: 11
Joined: Wed 11 Feb 2015, 12:15 pm

Hi everyone,
for a few days I have been trying to set up a VPN over ADSL lines (Telecom and Tiscali, with static IPs) between the 2 sites of my company, using a Cisco 2801 and a Cisco 1801.
The ADSL works perfectly, the VPN is always DOWN. Can you help me understand my mistake??
Thank you
Fabio

These are the configurations I set up:

ROUTER 1 TISCALI LINE


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname host
!
boot-start-marker
boot system flash:c2801-advipservicesk9-mz.124-16.bin
boot-end-marker
!
enable secret 5 $1$IJY3caHg44DpbtWDLLL6PnZ3.
!
no aaa new-model
network-clock-participate wic 2
ip cef
!
!
!
!
ip name-server 213.205.32.70
ip name-server 213.205.36.70
!
!
voice-card 0
username user privilege 15 password 7 e74305070B070A5F2F1F1C594850
!
!
ip tcp mss 1460
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key KEY address 95.XXX.XXX.XXX # IP of the other end
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map mymap 10 ipsec-isakmp
set peer 95.XXX.XXX.XXX # IP of the other end
set transform-set myset
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
hold-queue 100 out
!
interface Service-Engine0/0
no ip address
shutdown
interface FastEthernet0/1
ip address 192.168.69.50 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface ATM0/1/0
description Atm line
no ip address
no ip route-cache cef
no ip route-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
no ip route-cache
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface BRI0/2/0
no ip address
!
interface BRI0/2/1
no ip address
interface Dialer0
ip address negotiated
ip nat outside
no ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp chap hostname [email protected]
ppp chap password 7 06575D7DD81B5F
ppp pap sent-username [email protected] password 7 124DDD44465E5A
crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload

!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.69.0 0.0.0.255
access-list 100 permit ip 192.168.69.0 0.0.0.255 192.168.5.0 0.0.0.255
!
!
!
!
control-plane

!
!
line con 0
line aux 0
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
exec-timeout 120 0
login local
!
scheduler allocate 20000 1000
end



ROUTER 2 TELECOM LINE

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
boot system flash:c180x-adventerprisek9-mz.124-15.T.bin
service password-encryption
!
hostname host2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$yrdM$I28UV2ee333ByuUNqbjT8F51
!
no aaa new-model
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key KEY address 217.XXX.XXX.XXX # IP of the other end
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map mymap 10 ipsec-isakmp
set peer 217.XXX.XXX.XXX # Tiscali line IP
set transform-set myset
match address 100
!
!
!
ip cef
!
!
ip name-server 8.8.8.8
ip name-server 151.99.125.1
!
multilink bundle-name authenticated
username utente privilege 15 password 7 070C714F441509471C585E547B7E
archive
log config
hidekeys
!
!
ip tcp mss 1460
!
!
!
interface FastEthernet0
ip address 192.168.5.4 255.255.255.0 secondary
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
hold-queue 100 out
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
description ATM line
no ip address
no ip route-cache cef
no ip route-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no ip route-cache
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface Vlan1
no ip address
!
interface Dialer0
ip address negotiated
ip nat outside
no ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp pap sent-username XXXX-USER @alicebiz.it password 7 0000000000C0E0410
crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.69.0 0.0.0.255
!

!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 120 0
login local
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

Hi.
Post the output of the commands

show crypto isakmp sa
show crypto ipsec sa
Paolo
No leaf falls that the unconscious does not will (S.B.)
marfab
n00b
Posts: 11
Joined: Wed 11 Feb 2015, 12:15 pm

Thanks for the quick reply:
here is what you asked for.

Router1 Telecom line:

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status

IPv6 Crypto ISAKMP SA

sh crypto ipsec sa

interface: Dialer0
Crypto map tag: mymap, local addr 95.XXX,XXX,XXX

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
current_peer 217.XXX.XXX.XXX port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 95.XXX.XXX.XXX, remote crypto endpt.: 217.XXX.XXX.XXX
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x0(0)

inbound esp sas:
inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

interface: Virtual-Access2
Crypto map tag: mymap, local addr 0.0.0.0

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
current_peer 217.XXX.XXX.XXX port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 0.0.0.0, remote crypto endpt.: 217.XXX.XXX.XXX
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

sh crypto session
Crypto session current status

Interface: Virtual-Access2
Session status: DOWN
Peer: 217.XXX.XXX.XXX port 500
IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 192.168.69.0/255.255.255.0
Active SAs: 0, origin: crypto map

Interface: Dialer0
Session status: DOWN
Peer: 217.XXX.XXX.XXX port 500
IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 192.168.69.0/255.255.255.0
Active SAs: 0, origin: crypto map



ROUTER 2 Tiscali line

#sh crypto isakmp sa
dst src state conn-id slot status


#sh crypto ipsec sa
interface: Dialer0
Crypto map tag: mymap, local addr 217.XXX.XXX.XXX

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 95.XXX.XXX.XXX port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 217.XXX.XXX.XXX, remote crypto endpt.: 95.XXX.XXX.XXX
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

interface: Virtual-Access2
Crypto map tag: mymap, local addr 0.0.0.0

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 95.XXX.XXX.XXX port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 0.0.0.0, remote crypto endpt.: 95.XXX.XXX.XXX
path mtu 1492, ip mtu 1492, ip mtu idb Virtual-Access2
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

#sh crypto session
Crypto session current status

Interface: Dialer0
Session status: DOWN
Peer: 95.XXX.XXX.XXX port 500
IPSEC FLOW: permit ip 192.168.69.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map

Interface: Virtual-Access2
Session status: DOWN
Peer: 95.XXX.XXX.XXX port 500
IPSEC FLOW: permit ip 192.168.69.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map

Thank you for your help.
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

Hi,
it looks like a phase 1 problem.
Post

debug crypto isakmp
Paolo
No leaf falls that the unconscious does not will (S.B.)
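The two show commands Paolo asked for are the whole first step of the triage, so here is an added example (not from the thread or from either poster) of reading them mechanically: a Python parser that pulls the ISAKMP SA states and the per-flow ESP counters out of `show crypto isakmp sa` / `show crypto ipsec sa` and reduces them to one verdict. The SAMPLE_* strings are constructed copies of the output the poster pasted, with documentation addresses (198.51.100.1 local, 203.0.113.2 peer) in place of the masked ones, plus one constructed healthy session for contrast; the verdict labels and the state list are the example's own heuristics, not IOS output.

```python
"""Classify a Cisco IOS IPsec session from the text of 'show crypto isakmp sa'
and 'show crypto ipsec sa'. Added example; every sample below is constructed."""
import re
from dataclasses import dataclass

# IKEv1 phase-1 states as IOS prints them; QM_IDLE is the only completed one.
ISAKMP_STATES = {"MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH",
                 "AG_NO_STATE", "AG_INIT_EXCH", "AG_AUTH", "QM_IDLE"}


@dataclass
class IpsecFlow:
    interface: str
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    inbound_esp: int = 0   # inbound ESP SAs listed under this flow
    outbound_esp: int = 0  # outbound ESP SAs listed under this flow


def parse_isakmp_sa(text):
    """Return [(dst, src, state)] for every SA row of 'show crypto isakmp sa'."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 3 and t[2] in ISAKMP_STATES:
            rows.append((t[0], t[1], t[2]))
    return rows


def parse_ipsec_sa(text):
    """Return one IpsecFlow per 'interface:' block of 'show crypto ipsec sa'."""
    flows, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface:\s*(\S+)", line):
            cur, section = IpsecFlow(interface=m.group(1)), None
            flows.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"current_peer\s+(\S+)", line):
            cur.peer = m.group(1)
        elif m := re.search(r"#pkts encaps:\s*(\d+)", line):
            cur.encaps = int(m.group(1))
        elif m := re.search(r"#pkts decaps:\s*(\d+)", line):
            cur.decaps = int(m.group(1))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = (m.group(1), m.group(2))  # following 'spi:' lines belong here
        elif section and line.startswith("spi:"):
            if section == ("inbound", "esp"):
                cur.inbound_esp += 1
            elif section == ("outbound", "esp"):
                cur.outbound_esp += 1
    return flows


def diagnose(isakmp_text, ipsec_text):
    """Reduce the two outputs to one verdict. The labels are this example's own."""
    sas = parse_isakmp_sa(isakmp_text)
    flows = parse_ipsec_sa(ipsec_text)
    if not sas:
        if all(f.encaps == 0 for f in flows):
            # No SA and nothing ever encapsulated: no interesting traffic reached
            # the crypto map (outside the crypto ACL, or rewritten by NAT first).
            return "phase1-never-started"
        return "phase1-failed"      # SA existed once, IKE not up now
    if any(state != "QM_IDLE" for _, _, state in sas):
        return "phase1-incomplete"  # stuck in main/aggressive mode
    if not any(f.inbound_esp and f.outbound_esp for f in flows):
        return "phase2-failed"      # IKE up, no IPsec SAs: transform or proxy-ID mismatch
    if any(f.encaps and not f.decaps for f in flows):
        return "one-way"            # we encrypt, nothing ever comes back
    return "up"


# Constructed copy of the thread's output with documentation addresses.
SAMPLE_ISAKMP_DOWN = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA
"""
SAMPLE_IPSEC_DOWN = """interface: Dialer0
    Crypto map tag: mymap, local addr 198.51.100.1
   current_peer 203.0.113.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""
# Constructed healthy session for comparison.
SAMPLE_ISAKMP_UP = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
203.0.113.2     198.51.100.1    QM_IDLE           1001    0 ACTIVE
"""
SAMPLE_IPSEC_UP = """interface: Dialer0
   current_peer 203.0.113.2 port 500
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
     inbound esp sas:
      spi: 0x9F8E7D6C(2676784492)
     outbound esp sas:
      spi: 0x5A1B2C3D(1511992381)
"""
```

On the poster's output the verdict is phase1-never-started: the ISAKMP table is empty and every counter is zero, so no packet was ever encapsulated for this peer. That is exactly the situation in which `debug crypto isakmp` stays silent, and the thing to check is whether the traffic you are pinging with really falls inside the crypto ACL as the crypto map sees it.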
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

Did you solve it?
No leaf falls that the unconscious does not will (S.B.)
marfab
n00b
Posts: 11
Joined: Wed 11 Feb 2015, 12:15 pm

Sorry, I only saw your reply just now.

Telecom line

#debug crypto isakmp
Crypto ISAKMP debugging is on

Tiscali line
#debug crypto isakmp
Crypto ISAKMP debugging is on
marfab
n00b
Posts: 11
Joined: Wed 11 Feb 2015, 12:15 pm

Could there be an MTU-related problem?

Thank you.
Fabio
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

Does the debug return nothing at all? Have you tried pinging the remote end of the VPN with the debug active?

Paolo
No leaf falls that the unconscious does not will (S.B.)
marfab
n00b
Posts: 11
Joined: Wed 11 Feb 2015, 12:15 pm

Yes, Paolo, I tried pinging a remote PC (and also the fast0 of the remote router itself) so that the VPN would come up.
The debug crypto isakmp command returns no debug output at all.
I have reconfigured the router dozens of times.
Have you noticed any configuration errors that I missed??
Could it depend on the IOS version?
Or, as I said before, on the MTU setting?
Thanks for your attention
Fabio
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

The only thing that comes to mind is that the IOS doesn't support site-to-site IPsec. Are you sure it has that feature?
The MTU should not prevent the session from starting.

Paolo
No leaf falls that the unconscious does not will (S.B.)
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

I went over the configuration again; the only error I saw is that you need to exclude the VPN packets from NAT.
No leaf falls that the unconscious does not will (S.B.)
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

I think the problem is there ;-). Delete ACL 2 and create an extended one that does not NAT the traffic between the VPN IPs, and NATs everything else

Paolo
No leaf falls that the unconscious does not will (S.B.)
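Paolo's NAT point can be checked mechanically. The following Python script is an added example (not from the thread or from either poster): it parses the NAT lists, the crypto map's match ACL and the ACLs themselves from an IOS config excerpt, reports any crypto-ACL flow that a NAT list would translate first, and emits the deny-then-permit extended ACL he describes, for every NAT list rather than only ACL 2. SAMPLE_CONFIG is a constructed excerpt of the Tiscali-side config with a documentation peer address; the ACL name NAT-ACL and the assumption of contiguous wildcard masks are the example's own. The reason this matters: on IOS, inside-to-outside traffic is translated by NAT before the crypto map is consulted, so a source that NAT rewrites to the Dialer0 address no longer matches the crypto ACL and never triggers IKE, which is consistent with an empty ISAKMP table and a silent `debug crypto isakmp`.

```python
"""Find NAT rules in a Cisco IOS config excerpt that would translate VPN traffic
before the crypto map sees it, and build the NAT-exemption ACL to replace them.
Added example; SAMPLE_CONFIG is a constructed excerpt, not the thread's text."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_net(addr, wildcard):
    """Turn 'addr wildcard' into a network (assumes a contiguous wildcard mask)."""
    bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)


def _operand(tokens):
    """Consume one ACL address operand: any | host A | A WILDCARD."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_net(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Return (acls, nat_lists, crypto_acls): acls maps name -> [(action, src, dst)]
    in first-match order; the lists hold ACL names used by NAT and by crypto maps."""
    acls, nat_lists, crypto_acls = {}, [], []
    named = None                       # name of the 'ip access-list extended' block open
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split() or ["!"]      # blank line: treat like a '!' separator
        if t[:3] == ["ip", "access-list", "extended"]:
            named = t[3]
            acls.setdefault(named, [])
            continue
        if t[0] == "access-list" and len(t) > 3 and t[2] in ("permit", "deny"):
            name, action, rest = t[1], t[2], t[3:]
            if rest[0] not in ("any", "host") and rest[0].isalpha():
                src, rest = _operand(rest[1:])   # extended: permit <proto> SRC DST ...
                dst, _ = _operand(rest)
            else:                                # standard: permit SRC [WILDCARD]
                src, _ = _operand(rest if len(rest) > 1 else rest + ["0.0.0.0"])
                dst = ANY
            acls.setdefault(name, []).append((action, src, dst))
        elif named and t[0] in ("permit", "deny") and t[1] == "ip":
            src, rest = _operand(t[2:])
            dst, _ = _operand(rest)
            acls[named].append((t[0], src, dst))
            continue
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            nat_lists.append(m.group(1))
        elif t[:2] == ["match", "address"]:
            crypto_acls.append(t[2])
        named = None                   # any other command ends a named ACL block
    return acls, nat_lists, crypto_acls


def first_match(entries, src, dst):
    """Action of the first entry overlapping the src->dst flow, or None."""
    for action, e_src, e_dst in entries:
        if src.overlaps(e_src) and dst.overlaps(e_dst):
            return action
    return None


def nat_overlaps_vpn(text):
    """List (nat_acl, crypto_acl, src, dst) for VPN flows a NAT list would translate."""
    acls, nat_lists, crypto_acls = parse_config(text)
    findings = []
    for c in crypto_acls:
        for action, src, dst in acls.get(c, []):
            for n in nat_lists:
                if action == "permit" and first_match(acls.get(n, []), src, dst) == "permit":
                    findings.append((n, c, str(src), str(dst)))
    return findings


def nat_exemption_acl(text, name="NAT-ACL"):
    """One extended ACL: deny every crypto flow first, then permit the old NAT sources."""
    acls, nat_lists, crypto_acls = parse_config(text)
    lines = [f"ip access-list extended {name}"]
    for c in crypto_acls:
        for action, src, dst in acls.get(c, []):
            if action == "permit":
                lines.append(f" deny ip {src.network_address} {src.hostmask} "
                             f"{dst.network_address} {dst.hostmask}")
    for n in nat_lists:
        for action, src, _dst in acls.get(n, []):
            if action == "permit":
                lines.append(f" permit ip {src.network_address} {src.hostmask} any")
    return lines


# Constructed excerpt of the Tiscali-side config (peer address is a documentation one).
SAMPLE_CONFIG = """crypto map mymap 10 ipsec-isakmp
 set peer 203.0.113.2
 match address 100
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.69.0 0.0.0.255
access-list 100 permit ip 192.168.69.0 0.0.0.255 192.168.5.0 0.0.0.255
"""
```

Run it on the full running-config; every finding is a flow that gets translated before encryption. Replace the numbered NAT lists with the generated ACL, point a single `ip nat inside source list NAT-ACL interface Dialer0 overload` at it, and clear the existing translations (`clear ip nat translation *`) so stale entries do not keep rewriting the VPN traffic.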
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

Have you tried?
No leaf falls that the unconscious does not will (S.B.)
marfab
n00b
Posts: 11
Joined: Wed 11 Feb 2015, 12:15 pm

Hi Paolo,
sorry for the delay, but I was off-site.
My configurations are now these:

.
Telecom line
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key CHIAVE address 217.XXX.XXX.XXX
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 217.XXX.XXX.XXX
set transform-set myset
match address VPN-ACL
.
.
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended VPN-ACL
permit ip 192.168.5.0 0.0.0.255 192.168.69.0 0.0.0.255
!
access-list 1 permit 192.168.60.0 0.0.0.255


Tiscali line
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key CHIAVE address 95.XXX.XXX.XXX
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 95.XXX.XXX.XXX
set transform-set myset
match address VPN-ACL

no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended VPN-ACL
permit ip 192.168.69.0 0.0.0.255 192.168.5.0 0.0.0.255
!
access-list 1 permit 192.168.0.0 0.0.0.255
!


The rest is unchanged.
Unfortunately the fact that the VPN stays down is unchanged too. :oops: :cry:

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status

IPv6 Crypto ISAKMP SA

#sh crypto ipsec sa

interface: Dialer0
Crypto map tag: mymap, local addr 95.224.56.126

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)
current_peer 217... port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 95..., remote crypto endpt.: 217...
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x0(0)
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

What IOS do you have?

Paolo
No leaf falls that the unconscious does not will (S.B.)