CiscoForums.it

Cisco Users Group
https://www.ciscoforums.it/

EasyVPN Server su 837

https://www.ciscoforums.it/viewtopic.php?f=16&t=8016

Pagina 1 di 1

EasyVPN Server su 837

Inviato: mer 16 gen , 2008 9:01 am
da tanja-hr
Salve,
utlilizzo il router Cisco 837-k9 per la nostra adsl in ufficio.
Ip statico Tiscali, navigazione tutto ok.
Sto cercando di implementare una Vpn tra il router e un client remoto che
utilizza il Cisco Vpn client 4.x, 5.0.
Ho utilizzato il wizard di SDM 2.41 che ha prodotto la seguente
configurazione:

Configuration commands for the router: 192.168.10.101
saved on 15-gen-2008 19.17.03
----------------------------------------------------------------------------
aaa authorization network sdm_vpn_group_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_1 local
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any host 172.16.0.10
access-list 102 deny ip any host 172.16.0.11
access-list 102 deny ip any host 172.16.0.12
access-list 102 deny ip any host 172.16.0.13
access-list 102 deny ip any host 172.16.0.14
access-list 102 deny ip any host 172.16.0.15
access-list 102 deny ip any host 172.16.0.16
access-list 102 deny ip any host 172.16.0.17
access-list 102 deny ip any host 172.16.0.18
access-list 102 deny ip any host 172.16.0.19
access-list 102 deny ip any host 172.16.0.20
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
no access-list 101
access-list 101 remark auto generated by Cisco SDM Express firewall
configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 172.16.0.10 any
access-list 101 permit ip host 172.16.0.11 any
access-list 101 permit ip host 172.16.0.12 any
access-list 101 permit ip host 172.16.0.13 any
access-list 101 permit ip host 172.16.0.14 any
access-list 101 permit ip host 172.16.0.15 any
access-list 101 permit ip host 172.16.0.16 any
access-list 101 permit ip host 172.16.0.17 any
access-list 101 permit ip host 172.16.0.18 any
access-list 101 permit ip host 172.16.0.19 any
access-list 101 permit ip host 172.16.0.20 any
access-list 101 permit udp any host 217.133.x.xxx eq non500-isakmp
access-list 101 permit udp any host 217.133.x.xxx eq isakmp
access-list 101 permit esp any host 217.133.x.xxx
access-list 101 permit ahp any host 217.133.x.xxx
access-list 101 permit udp host 151.99.125.2 eq domain host 217.133.x.xxx
access-list 101 permit udp host 192.168.10.1 eq domain host 217.133.x.xxx
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host 217.133.x.xxx echo-reply
access-list 101 permit icmp any host 217.133.x.xxx time-exceeded
access-list 101 permit icmp any host 217.133.x.xxx unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
ip local pool SDM_POOL_1 172.16.0.10 172.16.0.20
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
mode tunnel
exit
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
set security-association idle-time 900
exit
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface Dialer0
no crypto map
crypto map SDM_CMAP_1
exit
route-map SDM_RMAP_1 permit 1
match ip address 102
exit
interface Ethernet0
no ip nat inside
exit
interface Dialer0
no ip nat outside
exit
do clear ip nat translation forced
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
interface Ethernet0
ip nat inside
exit
interface Dialer0
ip nat outside
exit
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto isakmp client configuration group Collaboratori
key 0 ********
pool SDM_POOL_1
exit
crypto isakmp policy 2
authentication pre-share
encr 3des
hash md5
group 2
lifetime 86400
exit
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp xauth timeout 15

Dal client però, nessuna risposta alla fase I.

13 23:02:12.375 01/14/08 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

14 23:02:12.375 01/14/08 Sev=Info/4 IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for
Notification:(PayloadList:149)

mentre sul router logga l'ip di provenienza ma dà stato AG_NO_STATE

Qualcuno sa aiutarmi, indicandomi dove sta l'inghippo ?
In passato avevo settato altre Vpn con Firewall SonicWall o server OpenVpn e
non avevo avuto tutti questi problemi !
Se serve posso postare anche il resto della configurazione.

Grazie mille,

Tanja

Inviato: gio 17 gen , 2008 12:32 pm
da Wizard
Che brutto lavoro il SDM...
Cmq, prova a debbuggare (da cli) mentre provi dal vpn client:

conf t
logging monitor debugging
exit
debug cry isakmp
debug cry ipsec
ter mon

Inviato: ven 18 gen , 2008 11:20 pm
da tanja-hr
Grazie del consiglio. Dopo qualche oretta di smanettamento sono arrivato ad una configurazione che sembra andare.
Due sole cose ho da chiedere:
1. la configurazione (che posto) è pulita o ci sono parti che si possono eliminare ?
2. è corretto che il pc client una volta collegato in vpn non riesca più a navigare su internet perchè credo utilizzi la vpn come gateway (con un Sonicwall ciò non mi succede) ?

3. posso permettere di vedere un solo host (il server della rete in ufficio) tramite vpn vero ?

Ecco la configurazione ultima:

!This is the running config of the router: 192.168.10.101
!----------------------------------------------------------------------------
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CF-VPN
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$rxxxxxx7wAndetSB60egpf.m1
enable password 7 xxxxxx70A0E70
!
aaa new-model
!
!
aaa authentication login userlist group radius local
aaa authorization network grouplist group radius local
aaa session-id common
!
resource manager
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.101
ip dhcp excluded-address 192.168.10.121 192.168.10.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.1 151.99.125.2
default-router 192.168.10.101
!
!
ip tcp synwait-time 10
ip cef
ip domain name studio.local
ip name-server 192.168.10.1
ip name-server 151.99.125.2
no ip bootp server
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ip ips deny-action ips-interface
ip ssh time-out 60
ip ssh authentication-retries 2
!
no ftp-server write-enable
!
crypto pki trustpoint TP-self-signed-1807494621
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1807494621
revocation-check none
rsakeypair TP-self-signed-1807494621
!
!
crypto pki certificate chain TP-self-signed-1807494621
certificate self-signed 01
30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2DEEE355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383037 34393436 3231301E 170D3038 30313138 31373337
32325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38303734
39343632 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A28A 9A7104C8 401BBCF8 8ACA1EDB FC31835C 4AAE658E A62F257A BCCFE5FA
6FC737F2 9F35EB91 AADEADC8 541D67D5 482F1CFC 1DF3C37A F49C3059 C0509C4F
9E477892 B88E23D8 963D0930 5F8A2BEA 8D668A40 E97807E4 F432C038 5DE3A426
205A2916 6BF34492 A73FC4E8 71F50A2D 3980D83B 00F1B393 4ABDD314 014E803D
98E30203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
551D1104 1F301D82 1B43462D 56EEEE2E 73747564 696F6365 72666F67 6C692E6C
6F63616C 301F0603 551D2304 18301680 149F6210 5A8D63BB EC95F157 B5344A05
8E17F6B9 62301D06 03551D0E 04160414 9F62105A 8D6EEEEC 95F157B5 344A058E
17F6B962 300D0609 2A864886 F70D0101 04050003 81810047 673E7CA7 2A1C59B0
E5358222 03B6B0CF 81DCC3AC 570DFD51 32B6F6C5 186F4C43 A543DCFD EE96235C
A7D934E6 2CA7EDE3 316DF833 66D8BFB9 DA184CAF F713109C 1FF45833 812C1A21
8E867DED 74BE3EF2 D881501D F9054B06 C8E97E2D 042ADA9B FE1CE6DC F419A34A
C810D9CC 1D8C87A3 BD51A8E5 A0213418 B34DAEB5 FE9251
quit
username giorgio privilege 15 secret 5 $1$b24234NwsPsrlf5jxvLkpt7A6WH.
username bertogli password 7 014343465E191200
!
!
!
crypto isakmp policy 1
group 2
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
crypto isakmp identity hostname
!
crypto isakmp client configuration group clienti
key xxxxxxxxxx
domain studio.local
pool green
!
!
crypto ipsec transform-set dessha esp-3des esp-sha-hmac
!
crypto dynamic-map mode 1
set transform-set dessha
!
!
crypto map mode client authentication list userlist
crypto map mode isakmp authorization list grouplist
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic mode
!
!
!
interface Ethernet0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
ip address 192.168.10.101 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
hold-queue 100 out
!
interface Ethernet2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 8/35
oam-pvc manage
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
description $FW_OUTSIDE$
ip address 217.111.111.111 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 14354f5542B180205
ppp pap sent-username [email protected] password 7 143BrwerweB180205
crypto map mode
!
ip local pool green 192.168.20.10 192.168.20.20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 217.111.111.111 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.20.10 any
access-list 101 permit ip host 192.168.20.11 any
access-list 101 permit ip host 192.168.20.12 any
access-list 101 permit ip host 192.168.20.13 any
access-list 101 permit ip host 192.168.20.14 any
access-list 101 permit ip host 192.168.20.15 any
access-list 101 permit ip host 192.168.20.16 any
access-list 101 permit ip host 192.168.20.17 any
access-list 101 permit ip host 192.168.20.18 any
access-list 101 permit ip host 192.168.20.19 any
access-list 101 permit ip host 192.168.20.20 any
access-list 101 permit udp any host 217.111.111.111 eq non500-isakmp
access-list 101 permit udp any host 217.111.111.111 eq isakmp
access-list 101 permit esp any host 217.111.111.111
access-list 101 permit ahp any host 217.111.111.111
access-list 101 permit udp host 151.99.125.2 eq domain host 217.111.111.111
access-list 101 permit udp host 192.168.10.1 eq domain host 217.111.111.111
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host 217.111.111.111 echo-reply
access-list 101 permit icmp any host 217.111.111.111 time-exceeded
access-list 101 permit icmp any host 217.111.111.111 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any host 192.168.20.10
access-list 102 deny ip any host 192.168.20.11
access-list 102 deny ip any host 192.168.20.12
access-list 102 deny ip any host 192.168.20.13
access-list 102 deny ip any host 192.168.20.14
access-list 102 deny ip any host 192.168.20.15
access-list 102 deny ip any host 192.168.20.16
access-list 102 deny ip any host 192.168.20.17
access-list 102 deny ip any host 192.168.20.18
access-list 102 deny ip any host 192.168.20.19
access-list 102 deny ip any host 192.168.20.20
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map SDM_RMAP_2 permit 1
match ip address 102
!
!
control-plane
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
exec-timeout 0 0
no modem enable
length 25
transport preferred all
transport output telnet
line aux 0
transport preferred all
transport output telnet
line vty 0 4
privilege level 15
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler interval 500
end


Grazie a tutti,

Tanja

Inviato: lun 21 gen , 2008 10:24 am
da Wizard
2. è corretto che il pc client una volta collegato in vpn non riesca più a navigare su internet perchè credo utilizzi la vpn come gateway (con un Sonicwall ciò non mi succede) ?

3. posso permettere di vedere un solo host (il server della rete in ufficio) tramite vpn vero ?
La risposta alla tue domande: configura lo split-tunnel!
Tutti gli orari sono UTC+01:00
Pagina 1 di 1

Creato da phpBB® Forum Software © phpBB Limited

Traduzione Italiana phpBB-Store.it