
Site-to-site VPN between more than 2 sites

Posted: Thu 10 Jan 2008 8:02 pm
by zot
I tried pretty much everything before writing.....
I already have a VPN between two sites with two 837s that has stood up like a rock (thanks to the advice of the good Wizard)...
now I have to add another site with an 857... but I can't get it to work... have I at least taken the right path, or am I getting everything wrong?


#################################################################
***Router 837 with 2 VPNs, of which 1 working***

version 12.4
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
ip inspect name FWOUT icmp
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
username user privilege 15 password 123456
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 11.11.11.11 no-xauth
crypto isakmp key 123456 address 22.22.22.22 no-xauth
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
set peer 11.11.11.11
set transform-set VPN-SET
match address 150
crypto map VPN 11 ipsec-isakmp
set peer 22.22.22.22
set transform-set VPN-SET
match address 151
!
!
!
interface Loopback0
ip address 33.33.33.33 255.255.255.248
ip virtual-reassembly
no ip mroute-cache
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address 44.44.44.44 255.255.255.0
ip nat outside
ip inspect FWOUT out
ip virtual-reassembly
no snmp trap link-status
crypto map VPN
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 44.44.44.254
!
no ip http server
ip http access-class 80
no ip http secure-server
!
ip nat inside source list 100 interface Loopback0 overload
!
access-list 100 remark ***NAT 0***
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 151 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
!
!
control-plane
!
end

show crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Loopback0
Session status: UP-ACTIVE
Peer: 11.11.11.11 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 11.11.11.11
Desc: (none)
IKE SA: local 33.33.33.33/500 remote 11.11.11.11/500 Active
Capabilities:(none) connid:11 lifetime:22:04:30
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 612 drop 0 life (KB/Sec) 4444647/3556
Outbound: #pkts enc'ed 496 drop 0 life (KB/Sec) 4444647/3556

Interface: Loopback0
Session status: DOWN
Peer: 22.22.22.22 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.20.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

###################################################################
***Router 857 with 1 VPN that does not work***

version 12.4
!
hostname xxxxxxx
!
!
no aaa new-model
!
resource policy
!
!
ip cef
ip inspect name FWOUT icmp
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
!
!
!
username user privilege 15 password 123456
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 33.33.33.33 no-xauth
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
set peer 33.33.33.33
set transform-set VPN-SET
match address 150
!
!
!
!
interface Loopback0
ip address 22.22.22.22 255.255.255.248
ip virtual-reassembly
no ip mroute-cache
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address 55.55.55.55 255.255.255.252
no ip redirects
no ip unreachables
ip inspect FWOUT out
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
!
crypto map VPN
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
no ip http server
ip http access-class 80
no ip http secure-server
ip nat inside source list 100 interface Loopback0 overload
!
access-list 100 remark ***NAT 0***
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 150 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
end

show crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Loopback0
Session status: DOWN
Peer: 33.33.33.33 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.20.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Posted: Fri 11 Jan 2008 12:19 pm
by Wizard
You know, I don't see any errors...?!
But does phase 1 at least come up?

Try a ping from one side to the other and then, on both sides, run:

"sh cry isa sa"

Posted: Thu 17 Jan 2008 2:31 pm
by zot
I didn't reply right away because I wanted to try redoing everything calmly, but the result doesn't change....

sh cry isa sa
dst src state conn-id slot status

sh cry ses det
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Dialer1
Session status: DOWN
Peer: 22.22.22.22 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

this is what I get...... I'm getting desperate.... though I have a strong doubt...... if the ISAKMP session takes place on port 500 for each peer, how does the router manage to always use 500 for two sessions?

Posted: Thu 17 Jan 2008 2:38 pm
by zot
and this is the debug crypto isakmp

Jan 17 14:34:55.576 CET: ISAKMP: received ke message (1/1)
Jan 17 14:34:55.576 CET: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jan 17 14:34:55.580 CET: ISAKMP: Created a peer struct for 80.183.227.136, peer port 500
Jan 17 14:34:55.580 CET: ISAKMP: New peer created peer = 0x85E342F8 peer_handle = 0x80000003
Jan 17 14:34:55.580 CET: ISAKMP: Locking peer struct 0x85E342F8, IKE refcount 1 for isakmp_initiator
Jan 17 14:34:55.580 CET: ISAKMP: local port 500, remote port 500
Jan 17 14:34:55.580 CET: ISAKMP: set new node 0 to QM_IDLE
Jan 17 14:34:55.580 CET: insert sa successfully sa = 85C2AEF8
Jan 17 14:34:55.580 CET: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jan 17 14:34:55.584 CET: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 80.183.227.136
Jan 17 14:34:55.584 CET: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jan 17 14:34:55.584 CET: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jan 17 14:34:55.584 CET: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jan 17 14:34:55.584 CET: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jan 17 14:34:55.584 CET: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1

Jan 17 14:34:55.584 CET: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jan 17 14:34:55.588 CET: ISAKMP:(0:0:N/A:0): sending packet to 80.183.227.136 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 17 14:35:05.599 CET: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
Jan 17 14:35:05.599 CET: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jan 17 14:35:05.599 CET: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
Jan 17 14:35:05.599 CET: ISAKMP:(0:0:N/A:0): sending packet to 80.183.227.136 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 17 14:35:15.611 CET: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
Jan 17 14:35:15.611 CET: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jan 17 14:35:15.611 CET: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
Jan 17 14:35:15.611 CET: ISAKMP:(0:0:N/A:0): sending packet to 80.183.227.136 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 17 14:35:25.610 CET: ISAKMP: received ke message (1/1)
Jan 17 14:35:25.610 CET: ISAKMP: set new node 0 to QM_IDLE
Jan 17 14:35:25.610 CET: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 81.174.13.110, remote 80.183.227.136)
Jan 17 14:35:25.622 CET: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
Jan 17 14:35:25.622 CET: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jan 17 14:35:25.622 CET: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
Jan 17 14:35:25.622 CET: ISAKMP:(0:0:N/A:0): sending packet to 80.183.227.136 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 17 14:35:35.633 CET: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
Jan 17 14:35:35.633 CET: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jan 17 14:35:35.633 CET: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
Jan 17 14:35:35.633 CET: ISAKMP:(0:0:N/A:0): sending packet to 80.183.227.136 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 17 14:35:45.645 CET: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
Jan 17 14:35:45.645 CET: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jan 17 14:35:45.645 CET: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
Jan 17 14:35:45.645 CET: ISAKMP:(0:0:N/A:0): sending packet to 80.183.227.136 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 17 14:35:55.644 CET: ISAKMP: received ke message (3/1)
Jan 17 14:35:55.644 CET: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

Jan 17 14:35:55.644 CET: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 80.183.227.136)
Jan 17 14:35:55.648 CET: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 80.183.227.136)
Jan 17 14:35:55.648 CET: ISAKMP: Unlocking IKE struct 0x85E342F8 for isadb_mark_sa_deleted(), count 0
Jan 17 14:35:55.652 CET: ISAKMP: Deleting peer node by peer_reap for 80.183.227.136: 85E342F8
Jan 17 14:35:55.652 CET: ISAKMP:(0:0:N/A:0):deleting node 1788397007 error FALSE reason "IKE deleted"
Jan 17 14:35:55.652 CET: ISAKMP:(0:0:N/A:0):deleting node -455217897 error FALSE reason "IKE deleted"
Jan 17 14:35:55.652 CET: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 17 14:35:55.652 CET: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

Jan 17 14:36:45.709 CET: ISAKMP:(0:0:N/A:0):purging node 1788397007
Jan 17 14:36:45.709 CET: ISAKMP:(0:0:N/A:0):purging node -455217897
Jan 17 14:36:55.720 CET: ISAKMP:(0:0:N/A:0):purging SA., sa=85C2AEF8, delme=85C2AEF8
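
The debug above sends MM1, retransmits it five times in MM_NO_STATE and then deletes the SA: the peer never answered. As an added example (not from the thread, not Cisco code), here is a small Python triage script that folds such `debug crypto isakmp` lines into one record per peer and says whether a reply ever came back; the sample lines are constructed in the shape of the posted debug, with documentation peer addresses, and it assumes the capture covers one negotiation at a time.

```python
"""Triage 'debug crypto isakmp' output: did Phase 1 ever get a reply?
Added example, not part of the thread; the samples below are constructed
in the shape of the posted debug, using documentation peer addresses."""
import re
from collections import defaultdict

IP = r"(\d+\.\d+\.\d+\.\d+)"
PSK_RE = re.compile(r"found peer pre-shared key matching " + IP)
SEND_RE = re.compile(r"sending packet to " + IP + r" .*\([IR]\) (\w+)")
RECV_RE = re.compile(r"received packet from " + IP)
DEL_RE = re.compile(r'deleting SA reason "([^"]+)" state \([IR]\) (\w+) \(peer ' + IP + r"\)")
RETRY_RE = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
STATE_RE = re.compile(r"Old State = (\w+)\s+New State = (\w+)")

# Constructed: initiator sends MM1, nothing comes back, SA is torn down
# (attempts 3 and 4 omitted for brevity).
SAMPLE_NO_REPLY = """\
Jan 17 14:34:55.584 CET: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.0.2.10
Jan 17 14:34:55.584 CET: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jan 17 14:34:55.588 CET: ISAKMP:(0:0:N/A:0): sending packet to 192.0.2.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 17 14:35:05.599 CET: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jan 17 14:35:05.599 CET: ISAKMP:(0:0:N/A:0): sending packet to 192.0.2.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 17 14:35:15.611 CET: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jan 17 14:35:15.611 CET: ISAKMP:(0:0:N/A:0): sending packet to 192.0.2.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 17 14:35:45.645 CET: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jan 17 14:35:45.645 CET: ISAKMP:(0:0:N/A:0): sending packet to 192.0.2.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 17 14:35:55.644 CET: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 192.0.2.10)
Jan 17 14:35:55.652 CET: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

# Constructed: the healthy counterpart, where the peer answers and Phase 1 completes.
SAMPLE_REPLY = """\
Jan 17 15:00:01.000 CET: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.0.2.20
Jan 17 15:00:01.004 CET: ISAKMP:(0:0:N/A:0): sending packet to 192.0.2.20 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 17 15:00:01.120 CET: ISAKMP (0:0): received packet from 192.0.2.20 dport 500 sport 500 Global (I) MM_NO_STATE
Jan 17 15:00:01.124 CET: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Jan 17 15:00:01.300 CET: ISAKMP:(0:0:N/A:0): sending packet to 192.0.2.20 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jan 17 15:00:01.420 CET: ISAKMP (0:0): received packet from 192.0.2.20 dport 500 sport 500 Global (I) MM_SA_SETUP
Jan 17 15:00:01.900 CET: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
"""


def _new_record():
    return {"sent": 0, "received": 0, "retransmits": 0, "psk_found": False,
            "last_mm_state": None, "last_ike_state": None, "delete_reason": None}


def analyze_isakmp_debug(text):
    """One record per peer address. Assumption: the capture covers one
    negotiation at a time, so lines that carry no address (retransmit
    counters, state transitions) belong to the peer seen most recently."""
    peers = defaultdict(_new_record)
    current = None
    for line in text.splitlines():
        if m := PSK_RE.search(line):
            current = m.group(1)
            peers[current]["psk_found"] = True
        elif m := SEND_RE.search(line):
            current = m.group(1)
            peers[current]["sent"] += 1
            peers[current]["last_mm_state"] = m.group(2)
        elif m := RECV_RE.search(line):
            current = m.group(1)
            peers[current]["received"] += 1
        elif m := DEL_RE.search(line):
            current = m.group(3)
            peers[current]["delete_reason"] = m.group(1)
            peers[current]["last_mm_state"] = m.group(2)
        elif current is None:
            continue
        elif m := RETRY_RE.search(line):
            peers[current]["retransmits"] = max(peers[current]["retransmits"], int(m.group(1)))
        elif m := STATE_RE.search(line):
            peers[current]["last_ike_state"] = m.group(2)
    return dict(peers)


def diagnose(rec):
    """Classify one peer record."""
    if rec["last_ike_state"] == "IKE_P1_COMPLETE":
        return "phase1-complete"
    if rec["received"] == 0 and rec["retransmits"] > 0:
        # MM1 went out repeatedly and nothing came back: IKE never reached the
        # peer's crypto engine (routing to the peer address, UDP/500 filtered
        # in between, or no crypto map bound on the interface owning that address).
        return "no-reply"
    if rec["received"] > 0:
        return "aborted-after-reply"  # peer did answer: look at proposal/PSK mismatch instead
    return "incomplete"


def triage(text):
    return {peer: diagnose(rec) for peer, rec in analyze_isakmp_debug(text).items()}


if __name__ == "__main__":
    for name, text in (("no reply", SAMPLE_NO_REPLY), ("reply", SAMPLE_REPLY)):
        for peer, rec in analyze_isakmp_debug(text).items():
            print(f"{name}: peer {peer} -> {diagnose(rec)} {rec}")
```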

Posted: Thu 17 Jan 2008 4:37 pm
by Wizard
Fix the MTUs on the external and internal interfaces (that's not the problem, but it will be needed later).
For your problem, the only thing that comes to mind is:

no cry isa ena
int atm0.1
no crypto-map
crypto-map VPN
exit
cry isa ena

If you can, also update the IOS and do a nice reboot

Posted: Sat 19 Jan 2008 3:21 pm
by zot
today I got it working..... the problem should be that the NAT overload has to be set up with a route map..... as soon as I test it, and I know for sure that's the case, I'll post the conf... but don't ask me why... because I don't know....

Do I set the MTU to 1500? On the ATM and on the LAN?

Posted: Mon 21 Jan 2008 10:39 am
by Wizard
Here's the conf of a router with a working l2l VPN:


version 12.4
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ***
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000
logging console critical
enable secret ***
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key **** address *** no-xauth
!
crypto isakmp client configuration group ***
 key ****
 pool remote-pool
 acl 151
 max-users 10
 max-logins 3
 banner ^C
*** VPN ____ ***

System is RESTRICTED to authorized personnel ONLY
Unauthorized use of this system will be logged and prosecuted
to the fullest extent of the law.
If you are NOT authorized to use this system, LOG OFF NOW
    ^C
!
!
crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
!
crypto dynamic-map remote-dyn 10
 set transform-set VPN-CLI-SET
!
!
crypto map remotemap local-address Loopback0
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 20 ipsec-isakmp
 set peer ***
 set transform-set VPN-CLI-SET
 match address 151
crypto map remotemap 65535 ipsec-isakmp dynamic remote-dyn
!
!
!
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
!
!
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS-OUT udp
ip inspect name IDS-OUT tcp
no ip bootp server
ip domain name ****
ip name-server 208.67.222.222
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
!
!
username admin privilege 15 password ***
username remoto01 password ***
username remoto02 password ***
username remoto03 password ***
username remoto04 password ***
username remoto05 password ***
archive
 log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
ip telnet source-interface Dialer1
ip ssh time-out 60
ip ssh version 1
ip scp server enable
!
!
!
interface Loopback0
 description END-POINT PER VPN CLIENT E NAT
 ip address *** 255.255.255.248
!
interface Null0
 no ip unreachables
!
interface ATM0
 description INTERFACCIA FISICA PER GESTIONE ADSL
 mtu 1500
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 mtu 1500
 ip address *** 255.255.255.0
 ip access-group 131 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip inspect IDS-OUT out
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map remotemap
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1350
 no ip mroute-cache
!
interface Dialer1
 no ip address
!
ip local pool remote-pool 192.168.10.240 192.168.10.243
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.10.240 255.255.255.252 ATM0.1
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Loopback0 overload
!
!
logging history notifications
access-list 101 remark *************************************************************
access-list 101 remark *** ACL PER PAT E NAT0 ***
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.10.240 0.0.0.3
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER TRAFFICO VPN  ***
access-list 131 permit esp any any
access-list 131 permit udp any any eq isakmp
access-list 131 permit udp any any eq non500-isakmp
access-list 131 permit udp any eq isakmp any
access-list 131 permit udp any eq non500-isakmp any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER TRAFFICO NTP  ***
access-list 131 permit udp any any eq ntp
access-list 131 remark *************************************************************
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny   ip host 0.0.0.0 any log
access-list 131 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny   icmp any any
access-list 131 remark **************************************************************
access-list 131 remark *** ACL PER BLOCCARE WORM ***
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   udp any any eq netbios-ns
access-list 131 deny   udp any any eq netbios-dgm
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq netbios-ss
access-list 131 deny   tcp any any eq 445
access-list 131 deny   tcp any any eq 8888
access-list 131 deny   tcp any any eq 8594
access-list 131 deny   tcp any any eq 8563
access-list 131 deny   tcp any any eq 7778
access-list 131 deny   tcp any any eq 593
access-list 131 deny   tcp any any eq 2049
access-list 131 deny   udp any any eq 2049
access-list 131 deny   tcp any any eq 2000
access-list 131 deny   tcp any any range 6000 6010
access-list 131 deny   udp any any eq 1433
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 5554
access-list 131 deny   udp any any eq 9996
access-list 131 deny   udp any any eq 113
access-list 131 deny   udp any any eq 3067
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 131 deny   ip any any log
access-list 131 remark *************************************************************
access-list 151 remark *** CRYPTO ACL PER TUNNEL IPSEC ***
access-list 151 remark *************************************************************
access-list 151 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 151 remark *************************************************************
snmp-server community ***RO
snmp-server location ***
snmp-server contact ***
no cdp run
!
!
!
control-plane
!
banner motd ^C
****************************************************************
****************************************************************
ROUTER PERIMETRALE ***

Authorized access only

This system is the property of *** Enterprise

Disconnect IMMEDIATELY if you are not an authorized user!

Contact *** for help.
****************************************************************
****************************************************************
^C
!
line con 0
 login local
 no modem enable
 transport output ssh
 stopbits 1
line aux 0
 login local
 transport output ssh
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
ntp clock-period 17175046
ntp server 193.204.114.232
ntp server 193.204.114.233
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105

!
webvpn cef
end


Posted: Mon 21 Jan 2008 4:33 pm
by bike70
wow.. tough one... now I'll study it and manage to unlock its secrets... sooner or later.. :D
thanks from me too

Posted: Mon 21 Jan 2008 4:49 pm
by Wizard
In the previous config, besides an IPsec l2l VPN there is also an IPsec VPN client connection

Posted: Sun 27 Jan 2008 12:25 pm
by zot
What can I say... you're great, Wizard.... I hope to meet you one day, so I can drown you in beer!!!! :D

Based on what you posted, I made my conf; the only thing.... this is the conf for an 857 with IOS c850-advsecurityk9-mz.124-6.T9.bin
and it absolutely insisted on 2 transform-sets; if I put only 1, the VPN tunnels go down when I connect with the VPN Client.
Another thing: is logging buffered 150000 too much for an 857 with 64MB of RAM?
And if it's not asking too much, how do I restrict a client connecting over VPN to accessing only my LAN? That is, I happen to connect with the Cisco client from some places and, at the moment of connection, my PC can only access the LAN on the far side of the VPN; my PC's own LAN is blocked. Via ACL or some command under crypto isakmp client configuration group VPNxxxx?


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000
logging console critical
enable secret xxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone CET 1
clock summer-time ROMA recurring last Sun Mar 2:00 last Sun Oct 2:00
no ip dhcp use vrf connected
!
!
!
ip cef
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name FWOUT icmp
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip domain name xxxxxxxxxxxxxx.local
ip name-server 192.168.0.2
ip name-server 151.99.0.100
ip name-server 212.216.112.112
ip name-server 88.149.128.20
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
username xxx privilege 15 password xxxxx
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key xxxxxxxxx address xx.xx.xx.xx no-xauth
crypto isakmp key xxxxxxxxx address xx.xx.xx.xx no-xauth
crypto isakmp key xxxxxxxxx address xx.xx.xx.xx no-xauth
crypto isakmp key xxxxxxxxx address xx.xx.xx.xx no-xauth
!
crypto isakmp client configuration group VPNxxxx
 key xxxxxxx
 pool remote-pool
 acl 199
 max-users 5
 max-logins 3
 banner ^
 **************************************************************************
 Se non siete esplicitamente autorizzati,DISCONNETETEVI
 IMMEDIATAMENTE.
 Ogni abuso verrà perseguito.

 System is RESTRICTED to authorized personnel ONLY
 Unauthorized use of this system will be logged and prosecuted
 to the fullest extent of the law.
 If you are NOT authorized to use this system, LOG OFF NOW
 *************************************************************************
 ^
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
crypto ipsec transform-set VPN-CLI esp-3des esp-md5-hmac
!
crypto dynamic-map remote-dyn 10
 set transform-set VPN-CLI
!
!
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list VPNxxxx
crypto map VPN client configuration address respond
crypto map VPN 1 ipsec-isakmp
 description Tunnel to xxxxxxx
 set peer xx.xx.xx.xx
 set transform-set VPN-SET
 match address 151
crypto map VPN 2 ipsec-isakmp
 description Tunnel to xxxxxxx
 set peer xx.xx.xx.xx
 set transform-set VPN-SET
 match address 152
crypto map VPN 3 ipsec-isakmp
 description Tunnel to xxxxxxxxx
 set peer xx.xx.xx.xx
 set transform-set VPN-SET
 match address 153
crypto map VPN 65535 ipsec-isakmp dynamic remote-dyn
!
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
!
!
login block-for 1 attempts 3 within 30
login on-failure
login on-success 
!
archive
 log config
  hidekeys
!
interface ATM0
 mtu 1500
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache 
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 mtu 1500
 ip address xx.xx.xx.xx 255.255.255.248 
 ip access-group 131 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 no ip mroute-cache
 no snmp trap link-status
 ip inspect FWOUT out
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map VPN
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip route-cache flow
 ip tcp adjust-mss 1350
 no ip mroute-cache
 ip nat inside
 ip virtual-reassembly
!
ip local pool remote-pool 192.168.10.239 192.168.10.243
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
no ip http server
ip http access-class 80
ip http secure-server
ip nat inside source route-map NAT0-RM interface ATM0.1 overload
!
access-list 1 remark *********************
access-list 1 remark *** ACL ROUTE-MAP ***
access-list 1 remark *********************
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 22 remark ********************
access-list 22 remark *** AC-CLASS SSH ***
access-list 22 remark ********************
access-list 22 permit xx.xx.xx.xx
access-list 22 permit 10.0.0.0 0.255.255.255
access-list 22 permit 192.168.0.0 0.0.0.255
access-list 22 permit 192.168.1.0 0.0.0.255
access-list 22 permit 192.168.2.0 0.0.0.255
access-list 22 permit 192.168.3.0 0.0.0.255
access-list 80 remark *********************
access-list 80 remark *** ACC-CLASS SDM ***
access-list 80 remark *********************
access-list 80 permit xx.xx.xx.xx
access-list 80 permit 10.0.0.0 0.255.255.255
access-list 80 permit 192.168.0.0 0.0.0.255
access-list 80 permit 192.168.1.0 0.0.0.255
access-list 80 permit 192.168.2.0 0.0.0.255
access-list 80 permit 192.168.3.0 0.0.0.255
access-list 100 remark *******************
access-list 100 remark *** ACL RM-NAT0 ***
access-list 100 remark *******************
access-list 100 remark --xxxxxxx--
access-list 100 deny   ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 remark --xxxxxxxxxx--
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 remark --xxxxxxxx--
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 remark --xxxxxxxxxxxx--
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 remark --vpn client--
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 remark --to translate--
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 131 remark ********************
access-list 131 remark *** ACL PER TS  ***
access-list 131 remark ********************
access-list 131 permit tcp host xx.xx.xx.xx any eq 3389
access-list 131 remark **************************
access-list 131 remark *** ACL PER ACC-CLASS  ***
access-list 131 remark **************************
access-list 131 permit tcp any any eq 443 log
access-list 131 permit tcp any any eq 22 log
access-list 131 remark *****************************
access-list 131 remark *** ACL PER TRAFFICO VPN  ***
access-list 131 remark *****************************
access-list 131 permit esp any any
access-list 131 permit udp any any eq isakmp
access-list 131 permit udp any any eq non500-isakmp
access-list 131 permit udp any eq isakmp any
access-list 131 permit udp any eq non500-isakmp any
access-list 131 remark *****************************
access-list 131 remark *** ACL PER TRAFFICO NTP  ***
access-list 131 remark *****************************
access-list 131 permit udp any any eq ntp
access-list 131 remark *************************
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 remark *************************
access-list 131 deny   ip host 0.0.0.0 any log
access-list 131 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *****************************************
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 remark *****************************************
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny   icmp any any
access-list 131 remark *****************************
access-list 131 remark *** ACL PER BLOCCARE WORM ***
access-list 131 remark *****************************
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   udp any any eq netbios-ns
access-list 131 deny   udp any any eq netbios-dgm
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq netbios-ss
access-list 131 deny   tcp any any eq 445
access-list 131 deny   tcp any any eq 8888
access-list 131 deny   tcp any any eq 8594
access-list 131 deny   tcp any any eq 8563
access-list 131 deny   tcp any any eq 7778
access-list 131 deny   tcp any any eq 593
access-list 131 deny   tcp any any eq 2049
access-list 131 deny   udp any any eq 2049
access-list 131 deny   tcp any any eq 2000
access-list 131 deny   tcp any any range 6000 6010
access-list 131 deny   udp any any eq 1433
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 5554
access-list 131 deny   udp any any eq 9996
access-list 131 deny   udp any any eq 113
access-list 131 deny   udp any any eq 3067
access-list 131 remark ************************************************
access-list 131 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 131 remark ************************************************
access-list 131 deny   ip any any log
access-list 151 remark ************************
access-list 151 remark *** ACL TRAFFICO VPN ***
access-list 151 remark ************************
access-list 151 remark --VPN-xxxxxxx--
access-list 151 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 152 remark --VPN-xxxxxxxxx--
access-list 152 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 153 remark --VPN-xxxxxx--
access-list 153 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 remark --VPN-xxxxxxx--
access-list 154 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 199 remark --VPN-xxxxxxx--
access-list 199 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
no cdp run
!
route-map NAT0-RM permit 1
 match ip address 100
!
!
control-plane
!
banner login ^

****************************************************************
Se non siete esplicitamente autorizzati,DISCONNETETEVI
IMMEDIATAMENTE.
Ogni abuso verrà perseguito.

System is RESTRICTED to authorized personnel ONLY
Unauthorized use of this system will be logged and prosecuted
to the fullest extent of the law.
If you are NOT authorized to use this system, LOG OFF NOW
****************************************************************

^
!
line con 0
 password xxxxxxxx
 no modem enable
line aux 0
line vty 0 4
 access-class 22 in
 exec-timeout 120 0
 login local
 transport input ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175498
ntp server 193.204.114.232
ntp server 193.204.114.233
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end
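
zot's working config ties NAT overload to a route-map whose ACL 100 denies every site-to-site and client flow before the final permit; if a tunnel's crypto ACL has no matching deny there, its inside traffic is translated to the outside address before the crypto map is consulted and never matches the crypto ACL. As an added example (not from the thread, not Cisco code), here is a Python checker that parses the `access-list`, `crypto map ... match address`, `ip nat inside source` and `route-map` lines and evaluates each crypto-ACL flow against the NAT ACL top-down, first match wins; the config it runs on is a constructed fragment modelled on the one above, with a deliberate gap for ACL 154 so that one tunnel is flagged.

```python
"""Check that every crypto-ACL flow is excluded from NAT (the 'NAT 0' pattern
of this thread). Added example, not the thread's own code; the config is a
constructed fragment modelled on the posted one, with a deliberate gap."""
import ipaddress
import re
from collections import defaultdict

# Constructed: three static tunnels, NAT via route-map, but ACL 100 has no
# deny for the 192.168.3.0/24 site that ACL 154 (crypto map seq 4) carries.
CONSTRUCTED_CONFIG = """\
crypto map VPN 1 ipsec-isakmp
 match address 151
crypto map VPN 2 ipsec-isakmp
 match address 152
crypto map VPN 4 ipsec-isakmp
 match address 154
crypto map VPN 65535 ipsec-isakmp dynamic remote-dyn
ip nat inside source route-map NAT0-RM interface ATM0.1 overload
access-list 100 remark *** ACL RM-NAT0 ***
access-list 100 deny   ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 151 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 152 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 154 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
route-map NAT0-RM permit 1
 match ip address 100
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny)\s+ip\s+(.+)$")
CMAP_RE = re.compile(r"^crypto map \S+ (\d+) ipsec-isakmp$")  # static entries only
RM_RE = re.compile(r"^route-map (\S+) permit \d+")
NAT_LIST_RE = re.compile(r"^ip nat inside source list (\d+) ")
NAT_RM_RE = re.compile(r"^ip nat inside source route-map (\S+) ")
MATCH_RE = re.compile(r"^\s+match address (\d+)")
RM_MATCH_RE = re.compile(r"^\s+match ip address (\d+)")


def _take_addr(toks):
    """Consume one ACL address spec (any | host A | A wildcard) -> (network, rest)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    wc = int(ipaddress.IPv4Address(toks[1]))
    if wc & (wc + 1):  # a contiguous wildcard mask is 2^n - 1
        raise ValueError(f"non-contiguous wildcard {toks[1]} not supported")
    return ipaddress.ip_network(f"{toks[0]}/{32 - wc.bit_length()}", strict=False), toks[2:]


def parse_config(text):
    """Collect ACL entries, crypto-map seq -> crypto ACL, and the NAT ACL list."""
    acls, crypto_acls, route_maps = defaultdict(list), {}, defaultdict(list)
    nat_acl = nat_rm = section = None
    for line in text.splitlines():
        line = line.rstrip()
        if m := ACL_RE.match(line):
            src, rest = _take_addr(m.group(3).split())
            dst, _ = _take_addr(rest)
            acls[int(m.group(1))].append((m.group(2), src, dst))
        elif m := CMAP_RE.match(line):
            section = ("cmap", int(m.group(1)))
        elif m := RM_RE.match(line):
            section = ("rm", m.group(1))
        elif m := NAT_LIST_RE.match(line):
            nat_acl = int(m.group(1))
        elif m := NAT_RM_RE.match(line):
            nat_rm = m.group(1)
        elif line.startswith(" ") and section:
            if section[0] == "cmap" and (m := MATCH_RE.match(line)):
                crypto_acls[section[1]] = int(m.group(1))
            elif section[0] == "rm" and (m := RM_MATCH_RE.match(line)):
                route_maps[section[1]].append(int(m.group(1)))
        elif not line.startswith(" "):
            section = None  # any other top-level line ends the current block
    nat_acls = route_maps.get(nat_rm, []) if nat_rm else ([nat_acl] if nat_acl is not None else [])
    return {"acls": dict(acls), "crypto_acls": crypto_acls, "nat_acls": nat_acls}


def _nat_verdict(cfg, src, dst):
    """Walk the NAT ACL(s) top-down; the first overlapping entry decides, as on IOS."""
    for acl_no in cfg["nat_acls"]:
        for action, nsrc, ndst in cfg["acls"].get(acl_no, []):
            if src.overlaps(nsrc) and dst.overlaps(ndst):
                covered = src.subnet_of(nsrc) and dst.subnet_of(ndst)
                if action == "deny":
                    return "exempt" if covered else "partially-exempt"
                return "TRANSLATED" if covered else "partially-translated"
    return "exempt"  # implicit deny at the end: nothing matched, nothing translated


def check_nat_exemption(cfg):
    """(crypto map seq, crypto ACL, src, dst, verdict) for every static tunnel flow."""
    out = []
    for seq, acl_no in sorted(cfg["crypto_acls"].items()):
        for action, src, dst in cfg["acls"].get(acl_no, []):
            if action == "permit":
                out.append((seq, acl_no, str(src), str(dst), _nat_verdict(cfg, src, dst)))
    return out


if __name__ == "__main__":
    for seq, acl_no, src, dst, verdict in check_nat_exemption(parse_config(CONSTRUCTED_CONFIG)):
        print(f"crypto map seq {seq} (acl {acl_no}) {src} -> {dst}: {verdict}")
```

Anything reported as TRANSLATED needs a `deny` line in the NAT ACL above the final `permit`, exactly the lines the route-map ACL 100 above already carries for the other sites.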

Posted: Mon 28 Jan 2008 10:23 am
by Wizard
Another thing: is logging buffered 150000 too much for an 857 with 64MB of RAM?
I'd say no.
And if it's not asking too much, how do I restrict a client connecting over VPN to accessing only my LAN? That is, I happen to connect with the Cisco client from some places and, at the moment of connection, my PC can only access the LAN on the far side of the VPN; my PC's own LAN is blocked. Via ACL or some command under crypto isakmp client configuration group VPNxxxx?
Basically, you want that once connected via VPN you can't access the Internet or the local LAN, only the remote network?
Nothing simpler... don't configure split-tunnel

Posted: Sat 02 Feb 2008 11:32 pm
by zot
In plain terms, it's enough to remove the ACL for the VPN clients... in the case of the conf I posted, just remove
access-list 199 remark --VPN-xxxxxxx--
access-list 199 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255