Cisco classe 800, VPN client e SDM

claudio.dgm · mar 04 nov , 2008 9:01 pm

Ciao a tutti,

Vi seguo da un pò di tempo e un grattacapo con un Cisco 800 mi spinge a chiedere il vostro parere. Un amico che ha un piccolo ufficio mi ha chiesto di aiutarlo a configurare l'accesso in VPN con un client remoto. Ho provato a configurare l'accesso esterno IPSec attraverso SDM e sembra che la configurazione sia andata a buon fine.

Purtroppo con il client Cisco (versione 5.0.00.0340) non riesco a instaurare la connessione da remoto.

Vi allego la configurazione del router e vi ringrazio per qualsiasi suggerimento utile che arriverà!

Claudio

=============================
Current configuration : 6004 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname ********_ITALIA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable password <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool CLIENT
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 151.99.125.2 151.99.125.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server 151.99.0.100
ip name-server 151.99.125.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3296730759
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3296730759
revocation-check none
rsakeypair TP-self-signed-3296730759
!
!
crypto pki certificate chain TP-self-signed-3296730759
certificate self-signed 01
******** 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323936 37333037 3539301E 170D3032 30333031 30303431
35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32393637
33303735 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C415 DA7B058A C741742E 09CF8491 B3189130 188F1082 B4AB01CB 98B7995E
893A46FE D775A909 1AD6A1C9 D9704F3F B08346F6 56DC8589 17B23FB5 1272B276
6FFC257E A84E7E4D F75E8D50 D09967A8 2D1FB05F 2C9B0D3A 3C6AD1AE 4C425486
ED5169BA 34175484 E1599348 87F3BA33 71F74939 DFE3D399 B2D7461E FF70FC4A
0B090203 010001A3 6F306D30 0F060355 1D130101 FF040530 030101FF 301A0603
551D1104 13301182 0F484F54 454C424F 585F4954 414C4941 301F0603 551D2304
18301680 14B7284D 604A16AE 42E4AABA C8914F60 1CB1F8BB 7D301D06 03551D0E
04160414 B7284D60 4A16AE42 E4AABAC8 914F601C B1F8BB7D 300D0609 2A864886
F70D0101 04050003 81810047 4A1ECA8A 651736C6 8BC9DD81 24416E1E 7F06A7B8
2ACC78D4 769E70D3 2EF3B009 AF148B7A 27591EEA 3B270F88 CF89F186 524DAFC1
6B376B50 F449067B 5F27E422 36C48A11 BA191B6D 2421418A 0F71E7D8 EE12193D
05AC6158 E8804BE2 27133782 07535AB5 486FFEE8 7737A8A0 79B93599 2199FDF4
6342318D B8FE6A87 0B1098
quit
username ***** password 0 <removed>
username superuser privilege 15 secret 5 <removed>
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group RemoteHotelBox
key hotelbox123
crypto isakmp profile sdm-ike-profile-1
match identity group RemoteHotelBox
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address 88.55.xx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
ubr 640
oam-pvc manage
oam retry 5 5 1
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered BVI1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
no ip address
!
encryption key 1 size 40bit 7 3E60ED16BE34 transmit-key
encryption mode ciphers wep40
!
ssid ********_ITALIA
authentication open
guest-mode
infrastructure-ssid optional
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
ip address 192.168.1.1 255.255.255.0 secondary
ip address 80.20.xxx.xx 255.255.255.248
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 151.99.0.0 255.255.0.0 ATM0.1
!
ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool net-ibs 80.20.xxx.xx 80.20.xxx.xx netmask 255.255.255.248
ip nat inside source list 1 pool net-ibs overload
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner motd ^CCCCCC

-----------------------------------------------

Ogni accesso non autorizzato e' proibito
Unauthorized access is prohibited

-----------------------------------------------

********* ITALIA
ALICE BUSINESS CLICK 20M

^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway gateway_1
ip address 80.20.xxx.xx port 443
http-redirect port 80
ssl trustpoint TP-self-signed-3296730759
inservice
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

xanio · mer 05 nov , 2008 12:01 am

ciao,
magari se posti l'errore ottenuto durante la fare di connessione.

In ogni caso controlla i log del router e vedi che succede, magari vieni autenticato ma non riesci a impostare routing et simili.

claudio.dgm · mer 05 nov , 2008 12:09 pm

Certo!

"Server VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding."

Io l'IP remoto lo pingo tranquillamente...

xanio · mer 05 nov , 2008 1:53 pm

hai aperto le porte sul roter da dove ti connetti (usi il client), sempre se il client è diero nat.

claudio.dgm · mer 05 nov , 2008 6:41 pm

xanio ha scritto:hai aperto le porte sul roter da dove ti connetti (usi il client), sempre se il client è diero nat.

L'errore me lo dà sia dietro ad un NAT che da una connessione cojn IP pubblico (senza FW ne altro). Ho provato anche da una connessione 3G di Vodafone: stesso risultato.

claudio.dgm · ven 07 nov , 2008 6:07 pm

Nessuno riesce a darmi una mano?

claudio.dgm · mar 09 dic , 2008 1:23 pm

OK, cambio domanda: c'è qualcuno che darebbe un'occhiata alla configurazione postata ad inizio discussione? Mi servirebbe sapere se contiene qualche impostazione errata.

Grazie!

Wizard · mar 09 dic , 2008 3:03 pm

Cosa hai capito della config che hai fatto via sdm?
Se ti dico di attivare il debug su ipsec e isakmp ci capisci qualcosa?

claudio.dgm · mar 09 dic , 2008 7:12 pm

certo!

Wizard · mer 10 dic , 2008 5:19 pm

Riconfigura la vpn seguendo questo topic va: http://www.ciscoforums.it/viewtopic.php?t=9241

Cisco classe 800, VPN client e SDM

Login • Iscriviti