Hi everyone,
I found this configuration script for VPN client access very interesting and decided to try implementing it myself.
I added the necessary configuration to a Cisco 837 router that was already handling a GRE over IPsec tunnel to a Remote Office.
The site-to-site tunnel (fortunately) keeps working correctly.
I can't get in from the VPN client. In particular, one of the two users (remoto02) seems to work: I see the login prompt, enter the password and the router accepts it, but right at the point where it should receive an IP address everything drops and the client shows "not connected" at the bottom left. With the user "remoto02" I can't log in at all; I get stuck on the login screen.
Can anyone give me some pointers? I'm posting the config here, thanks.
Current configuration : 4915 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
!
username remoto01 password XXX
username remoto02 password XXX
!
!
crypto logging session
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key abtlgb3 address 9X.XX.XXX.X7 no-xauth
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group remote-vpn
key XXX
dns 151.99.125.2
domain XXX.local
pool remote-pool
acl 158
save-password
split-dns XXX.local
max-users 10
max-logins 10
banner ^C
--------------------------------------------------------------
System is RESTRICTED to authorized personnel ONLY
Unauthorized use of this system will be logged and prosecuted
to the fullest extent of the law.
If you are NOT authorized to use this system, LOG OFF NOW
--------------------------------------------------------------
^C
!
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set RTRtran esp-3des esp-sha-hmac
crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
set transform-set RTRtran
!
!
crypto dynamic-map remote-dyn 20
set transform-set VPN-CLI-SET
!
!
crypto map remotemap local-address ATM0.35
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 65535 ipsec-isakmp dynamic remote-dyn
!
!
!
!
interface Loopback0
description Loopback di NAT
ip address 9X.XX.XX.X5 255.255.255.248
!
interface Tunnel0
ip address 10.10.10.1 255.255.255.0
tunnel source 9X.XX.XX.X5
tunnel destination 9X.XX.XXX.X7
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface Ethernet0
ip address 192.168.92.253 255.255.255.0
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
no ip address
ip virtual-reassembly
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.35 point-to-point
ip address 9X.XX.XX.XX1 255.255.255.252
ip nat outside
ip virtual-reassembly
no snmp trap link-status
crypto map remotemap
pvc 8/35
oam-pvc manage
encapsulation aal5snap
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
ip local pool remote-pool 192.168.100.1
ip route 0.0.0.0 0.0.0.0 ATM0.35
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 192.168.100.0 255.255.255.0 ATM0.35
no ip http server
no ip http secure-server
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 101 interface Loopback0 overload
!
access-list 23 permit 192.168.92.0 0.0.0.255
access-list 101 remark ************************************************************
access-list 101 remark *** ACL PER PAT ***
access-list 101 remark ************************************************************
access-list 101 deny ip 192.168.92.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.92.0 0.0.0.255 any
access-list 158 remark *** ACL PER SPLIT-TUNNEL DA VPN-CLIENT ***
access-list 158 remark *************************************************************
access-list 158 permit ip 192.168.92.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 158 remark *************************************************************
!
control-plane
!
!
line con 0
 password XXXXXXXXXXXXX
login
no modem enable
line aux 0
password XXXXXXXXXXXXXXX
login
line vty 0 4
password XXXXXXXXXXXXXXX
login
!
scheduler max-task-time 5000
end
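Two things stand out when reading the posted config against what an IOS Easy VPN server needs. First, `crypto map remotemap client authentication list userauthen` and `crypto map remotemap isakmp authorization list groupauthor` name AAA method lists, but the config has `no aaa new-model` and defines neither `aaa authentication login userauthen` nor `aaa authorization network groupauthor`, so the Xauth and group-authorization lists the crypto map refers to do not resolve to anything (the `username` lines are only used once an AAA list points at `local`). Second, `ip local pool remote-pool 192.168.100.1` has no end address, so the pool holds exactly one address while the group allows `max-users 10`. The script below is an added example, not part of the original post, that audits a config for these two classes of problem. It operates on a constructed excerpt of the posted config (same masked values), and the `AAA_FIX` and wider pool range it applies are assumptions about the corrected configuration, not lines from the post; it checks the configuration text only and does not prove which symptom each finding causes.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed excerpt of the posted config: only the lines the audit looks at,
# with the same masked values the poster used.
POSTED_CONFIG = """\
no aaa new-model
username remoto01 password XXX
username remoto02 password XXX
crypto isakmp client configuration group remote-vpn
 key XXX
 pool remote-pool
 acl 158
 max-users 10
 max-logins 10
crypto map remotemap local-address ATM0.35
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 65535 ipsec-isakmp dynamic remote-dyn
ip local pool remote-pool 192.168.100.1
"""

# Assumed fix (not from the post): enable AAA and point the two method lists
# named in the crypto map at the router's local user database.
AAA_FIX = """\
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
"""

# Assumed fix (not from the post): give the pool as many addresses as max-users.
POOL_FIX = "ip local pool remote-pool 192.168.100.1 192.168.100.10"


def pool_sizes(config: str) -> Dict[str, int]:
    """Number of addresses in each 'ip local pool NAME START [END]' line."""
    sizes: Dict[str, int] = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)(?: (\S+))?", config, re.M):
        name, start, end = m.groups()
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end)) if end else lo
        sizes[name] = sizes.get(name, 0) + (hi - lo + 1)
    return sizes


def audit_easyvpn(config: str) -> List[str]:
    """Return finding codes for AAA lists the crypto map names but never
    defines, and for client-group pools that are missing or too small."""
    findings: List[str] = []
    lines = [ln.strip() for ln in config.splitlines()]
    aaa_on = "aaa new-model" in lines

    xauth_lists = re.findall(r"^crypto map \S+ client authentication list (\S+)", config, re.M)
    authz_lists = re.findall(r"^crypto map \S+ isakmp authorization list (\S+)", config, re.M)

    # Named lists in a crypto map only mean something with AAA enabled.
    if (xauth_lists or authz_lists) and not aaa_on:
        findings.append("AAA_DISABLED: crypto map names AAA lists but 'aaa new-model' is absent")
    for name in xauth_lists:
        if not re.search(rf"^aaa authentication login {re.escape(name)}(\s|$)", config, re.M):
            findings.append(f"XAUTH_LIST_UNDEFINED:{name}")
    for name in authz_lists:
        if not re.search(rf"^aaa authorization network {re.escape(name)}(\s|$)", config, re.M):
            findings.append(f"AUTHZ_LIST_UNDEFINED:{name}")

    # Each client group's pool must exist and hold at least max-users addresses.
    sizes = pool_sizes(config)
    group_re = r"^crypto isakmp client configuration group (\S+)\n((?:[ \t].*\n)*)"
    for m in re.finditer(group_re, config, re.M):
        group, body = m.groups()
        pool = re.search(r"^\s*pool (\S+)", body, re.M)
        max_users = re.search(r"^\s*max-users (\d+)", body, re.M)
        if not pool:
            continue
        size = sizes.get(pool.group(1))
        if size is None:
            findings.append(f"POOL_UNDEFINED:{group}:{pool.group(1)}")
        elif max_users and size < int(max_users.group(1)):
            findings.append(f"POOL_TOO_SMALL:{group}:{pool.group(1)}:{size}<{max_users.group(1)}")
    return findings


def with_fixes(config: str) -> str:
    """Apply the assumed AAA and pool fixes to a config excerpt."""
    fixed = config.replace("no aaa new-model\n", "")
    fixed = fixed.replace("ip local pool remote-pool 192.168.100.1", POOL_FIX)
    return AAA_FIX + fixed


if __name__ == "__main__":
    for finding in audit_easyvpn(POSTED_CONFIG):
        print("posted :", finding)
    for finding in audit_easyvpn(with_fixes(POSTED_CONFIG)):
        print("fixed  :", finding)
```

On the posted excerpt the audit reports the missing `aaa new-model`, both undefined lists, and a one-address pool for a ten-user group; after the assumed fixes it reports nothing. Whether the one-address pool explains the reported drop at address assignment is not something the script can show; it is simply the second item a practitioner would check after AAA.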