Hello everyone,
I have a problem with the configuration of a Cisco 1841. In the same configuration I need to make LAN-to-LAN VPNs, VPNs between the router and other devices with dynamic IPs, and VPNs made with the VPN Client software coexist.
Could you advise me on how to proceed? I've made some attempts, but apart from the LAN-to-LAN VPNs (which always work), I can get either the VPN Client or the dynamic VPNs to work (it depends on the sequence number of the dynamic crypto map I enter; only the lowest one works).
Ah, I forgot... I'm doing everything from the command line, but maybe via SDM...
Some time ago I had found something about configuring via "profiles" (possible if a T release of IOS is installed on the router), but I wasn't able to get positive results...
Help: configuring VPNs of all kinds...
Moderator: Federico.Lagni
- Wizard
- Intergalactic subspace network admin
- Posts: 3441
- Joined: Fri 03 Feb 2006, 10:04 am
- Location: Emilia Romagna
Keep working in the CLI
Show us the current config
The future is made of people who have intuitions and visions ..... they are the people who make the difference...... those endowed with a THIRD EYE....
- Cisco pathologically enlightened user
- Posts: 175
- Joined: Sat 10 Sep 2005, 2:51 pm
- Location: Bologna
Here it is (I removed a few LAN-to-LAN VPNs)
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 2811
!
boot-start-marker
boot-end-marker
!
enable secret XXXXXXXXX
enable password XXXXXXXXXX
!
memory-size iomem 15
clock timezone GMT 1
clock summer-time GMT date Mar 31 2000 0:00 Sep 30 2000 0:00 59
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa authorization network ppp none
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
ip domain name test.com
!
ip cef
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
local name cisco_pns
!
!
!
username cisco password cisco
username sede password sede
username negozio password negozio
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 15
encr aes 256
authentication pre-share
group 5
lifetime 7200
!
crypto keyring router
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123 no-xauth
!
crypto isakmp profile L2LDyn
description LAN-to-LAN for spoke router(s) connection
keyring router
match identity address 0.0.0.0 0.0.0.0
!
crypto isakmp profile L2LFix
description LAN-to-LAN for router(s) connection
match identity address XXX.XXX.XXX.XXX
match identity address XXX.XXX.XXX.XXX
!
crypto isakmp profile VPNclient
description VPN clients profile
match identity group 3000client
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
!
crypto isakmp key cisco123 address XXX.XXX.XXX.XXX no-xauth
crypto isakmp key cisco123 address XXX.XXX.XXX.XXX no-xauth
!
crypto isakmp client configuration group 3000client
key XXXXXXXX
dns XXX.XXX.XXX.XXX
domain test.com
pool ippool
acl 195
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap1 10
set transform-set myset
set isakmp-profile VPNclient
!
crypto dynamic-map dynmap1 20
set transform-set rtpset
set isakmp-profile L2LDyn
!
!
crypto map rtp local-address FastEthernet0/0
crypto map rtp 10 ipsec-isakmp
description Avellino
set peer XXX.XXX.XXX.XXX
set transform-set rtpset
set isakmp-profile L2LFix
match address 101
crypto map rtp 11 ipsec-isakmp
description Roncadelle
set peer XXX.XXX.XXX.XXX
set transform-set rtpset
set isakmp-profile L2LFix
match address 139
crypto map rtp 199 ipsec-isakmp dynamic dynmap1
!
!
!
interface FastEthernet0/1
ip address 10.80.1.252 255.255.255.0
no shut
ip accounting output-packets
ip accounting mac-address input
ip accounting mac-address output
ip accounting access-violations
full-duplex
no keepalive
!
interface FastEthernet0/0
ip address XXX.XXX.XXX.XXX 255.255.255.224
no shut
full-duplex
speed 100
no keepalive
crypto map rtp
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
ip mroute-cache
peer default ip address pool ippool
no keepalive
ppp encrypt mppe 40
ppp authentication ms-chap
!
ip local pool ippool 10.10.2.1 10.10.2.250
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
ip route 10.5.0.0 255.255.0.0 10.80.1.254
ip route 10.80.1.0 255.255.255.0 FastEthernet0/1
ip route 10.80.2.0 255.255.255.0 10.80.1.254
ip route 10.80.4.0 255.255.254.0 10.80.1.254
no ip http server
no ip http secure-server
!
!
!
ip access-list extended addr-pool
ip access-list extended default-domain
ip access-list extended dns-servers
ip access-list extended group-lock
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended service
ip access-list extended timeout
ip access-list extended tty6
ip access-list extended tty7
ip access-list extended tunnel-password
ip access-list extended wins-servers
access-list 101 permit ip 10.80.0.0 0.0.255.255 10.15.156.0 0.0.0.255
access-list 101 permit ip 10.5.0.0 0.0.255.255 10.15.156.0 0.0.0.255
access-list 139 permit ip 10.80.0.0 0.0.255.255 10.15.98.0 0.0.0.255
access-list 139 permit ip 10.5.0.0 0.0.255.255 10.15.98.0 0.0.0.255
access-list 195 permit ip 10.5.0.0 0.0.255.255 any
access-list 195 permit ip 10.10.0.0 0.0.255.255 any
access-list 195 permit ip 10.11.0.0 0.0.255.255 any
access-list 195 permit ip 10.12.0.0 0.0.255.255 any
access-list 195 permit ip 10.13.0.0 0.0.255.255 any
access-list 195 permit ip 10.14.0.0 0.0.255.255 any
access-list 195 permit ip 10.15.0.0 0.0.255.255 any
access-list 195 permit ip 10.16.0.0 0.0.255.255 any
access-list 195 permit ip 10.80.0.0 0.0.255.255 any
line con 0
exec-timeout 0 0
line aux 0
line vty 0
password bbc
line vty 1 4
password bbc
line vty 5 15
!
ntp clock-period 17208082
ntp server XXX.XXX.XXX.XXX key 0
end
- Wizard
- Intergalactic subspace network admin
- Posts: 3441
- Joined: Fri 03 Feb 2006, 10:04 am
- Location: Emilia Romagna
Let's proceed step by step:
1) Configure the L2L VPNs and check that everything works correctly (remove the rest of the VPNs for now)
2) We'll give you a hand with the VPN client config(s)
3) Last of all we'll look at the L2L VPNs with dynamic IPs
P.S. Use a single crypto isakmp policy if you can.
- Cisco pathologically enlightened user
- Posts: 175
- Joined: Sat 10 Sep 2005, 2:51 pm
- Location: Bologna
Well, well.... miraculously I managed to get almost everything working on the first try... I still have a few small problems that I hope you'll help me solve....
To begin with... here's the config:
Cliente_1801#sh ver
Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.3(14)YT1, RELEASE SOFTWARE (fc1)
Synched to version 12.4(1.7)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 07-Sep-05 16:40 by ealyon
ROM: System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
ROM: Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.3(14)YT1, RELEASE SOFTWARE (fc
Cliente_1801 uptime is 55 minutes
System returned to ROM by power-on
System image file is "flash:c180x-advipservicesk9-mz.123-14.YT1.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 1801 (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FOC11270W3M, with hardware revision 0000
9 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
31360K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Cliente_1801#sh run
Building configuration...
Current configuration : 6583 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cliente_1801
!
boot-start-marker
boot-end-marker
!
enable secret xxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login clientauth local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
no ip domain lookup
ip domain name telecom.it
ip name-server 151.99.125.2
ip name-server 151.99.0.100
ip name-server 151.99.125.3
no ip ips deny-action ips-interface
!
!
!
username xxxxxxx password xxxxxxxxxx
username xxxxxxxxx password xxxxxxxxxxxxxxxxxxx
!
!
crypto keyring spokes
pre-shared-key address xxx.xxx.xxx.xxx key cisco1234
pre-shared-key address xxx.xxx.xxx.xxx key cisco1234
pre-shared-key address xxx.xxx.xxx.xxx key cisco1234
pre-shared-key address xxx.xxx.xxx.xxx key cisco1234
pre-shared-key address xxx.xxx.xxx.xxx key cisco1234
pre-shared-key address xxx.xxx.xxx.xxx key cisco1234
pre-shared-key address xxx.xxx.xxx.xxx key cisco1234
pre-shared-key address xxx.xxx.xxx.xxx key cisco1234
pre-shared-key address xxx.xxx.xxx.xxx key cisco1234
pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxxxxxxxxxxxxxxxxxxxxx
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxxxxx
key xxxxxxxx
dns 10.70.1.1
wins 10.70.1.1
domain Cliente.com
pool ippool
crypto isakmp profile L2L
description LAN-to-LAN for spoke router(s) connection
keyring spokes
match identity address 0.0.0.0
crypto isakmp profile VPNclient
description VPN clients profile
match identity group xxxxxxxx
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
crypto isakmp profile L2LFix
description LAN-to-LAN for router(s) connection
keyring spokes
match identity address xxx.xxx.xxx.xxx 255.255.255.255
match identity address xxx.xxx.xxx.xxx 255.255.255.255
match identity address xxx.xxx.xxx.xxx 255.255.255.255
match identity address xxx.xxx.xxx.xxx 255.255.255.255
match identity address xxx.xxx.xxx.xxx 255.255.255.255
match identity address xxx.xxx.xxx.xxx 255.255.255.255
match identity address xxx.xxx.xxx.xxx 255.255.255.255
match identity address xxx.xxx.xxx.xxx 255.255.255.255
match identity address xxx.xxx.xxx.xxx 255.255.255.255
!
!
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 5
set transform-set rtpset
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set transform-set rtpset
set isakmp-profile L2L
!
!
crypto map rtp local-address Loopback0
crypto map rtp 10 ipsec-isakmp
description BBC
set peer xxx.xxx.xxx.xxx
set transform-set rtpset
set isakmp-profile L2LFix
match address 110
crypto map rtp 12 ipsec-isakmp
description Cliente_Primavera
set peer xxx.xxx.xxx.xxx
set transform-set rtpset
set isakmp-profile L2LFix
match address 111
crypto map rtp 15 ipsec-isakmp
description Cliente_Anagnina
set peer xxx.xxx.xxx.xxx
set transform-set rtpset
set isakmp-profile L2LFix
match address 112
crypto map rtp 20 ipsec-isakmp
description Cliente_Lingotto
set peer xxx.xxx.xxx.xxx
set transform-set rtpset
set isakmp-profile L2LFix
match address 113
crypto map rtp 25 ipsec-isakmp
description Cliente_Busnago
set peer xxx.xxx.xxx.xxx
set transform-set rtpset
set isakmp-profile L2LFix
match address 114
crypto map rtp 30 ipsec-isakmp
description Cliente_Rimini
set peer xxx.xxx.xxx.xxx
set transform-set rtpset
set isakmp-profile L2LFix
match address 115
crypto map rtp 35 ipsec-isakmp
description Cliente_BoLame
set peer xxx.xxx.xxx.xxx
set transform-set rtpset
set isakmp-profile L2LFix
match address 116
crypto map rtp 40 ipsec-isakmp
description Cliente_BoNova
set peer xxx.xxx.xxx.xxx
set transform-set rtpset
set isakmp-profile L2LFix
match address 117
crypto map rtp 45 ipsec-isakmp
description Cliente_Leonardo
set peer xxx.xxx.xxx.xxx
set transform-set rtpset
set isakmp-profile L2LFix
match address 118
crypto map rtp 199 ipsec-isakmp dynamic dynmap
!
!
!
interface Loopback0
ip address xxx.xxx.xxx.xxx 255.255.255.252
crypto map rtp
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip nat outside
ip virtual-reassembly
no ip route-cache
no ip mroute-cache
pvc 8/35
encapsulation aal5snap
!
!
interface Vlan1
ip address 10.70.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
hold-queue 100 out
!
ip local pool ippool 10.70.1.240 10.70.1.250
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.0.0.0 255.0.0.0 Loopback0
ip route 10.70.1.0 255.255.255.0 Vlan1
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Loopback0 overload
!
access-list 110 permit ip 10.70.0.0 0.0.255.255 10.5.0.0 0.0.255.255
access-list 111 permit ip 10.0.0.0 0.255.255.255 10.70.2.16 0.0.0.7
access-list 112 permit ip 10.0.0.0 0.255.255.255 10.70.2.8 0.0.0.7
access-list 113 permit ip 10.0.0.0 0.255.255.255 10.70.2.48 0.0.0.7
access-list 114 permit ip 10.0.0.0 0.255.255.255 10.70.2.64 0.0.0.7
access-list 115 permit ip 10.0.0.0 0.255.255.255 10.70.2.56 0.0.0.7
access-list 116 permit ip 10.0.0.0 0.255.255.255 10.70.2.40 0.0.0.7
access-list 117 permit ip 10.0.0.0 0.255.255.255 10.70.2.32 0.0.0.7
access-list 118 permit ip 10.0.0.0 0.255.255.255 10.70.2.72 0.0.0.7
access-list 120 deny ip 10.70.1.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 120 deny ip 10.70.1.0 0.0.0.255 10.70.2.0 0.0.0.255
access-list 120 deny ip 10.70.1.0 0.0.0.255 10.70.3.0 0.0.0.255
access-list 120 permit ip 10.70.1.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 120
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password xxxxxxx
!
end
The problems I have are the following:
When connecting with the VPN Client I can't ping the 10.70.1.0 255.255.255.0 network; is it a matter of the pool, or do I have to set up an access list?
Sometimes Internet browsing from the LAN PCs doesn't work, but the connection doesn't drop (the ping from outside to the loopback IP always stays up): could it be an ATM configuration problem?
The first static VPN doesn't come up from the remote router, only from the Cliente_1801 router; doing a bit of debugging it looks like an invalid SPI problem, etc... what is that? What can I change?
If you want I'll post the other router's config too.
Thanks to everyone in advance!
- Wizard
- Intergalactic subspace network admin
- Posts: 3441
- Joined: Fri 03 Feb 2006, 10:04 am
- Location: Emilia Romagna
First of all, fix the routes:
Code:
no ip route 10.0.0.0 255.0.0.0 Loopback0
no ip route 10.70.1.0 255.255.255.0 Vlan1
ip route 10.70.1.0 255.255.255.0 atm0.1
- Wizard
- Intergalactic subspace network admin
- Posts: 3441
- Joined: Fri 03 Feb 2006, 10:04 am
- Location: Emilia Romagna
Huh?!
If you fix the routes, the remote sites no longer communicate with the hub? Check whether the VPN client traffic works with the routes as I wrote them
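The questions raised so far in this thread (which dynamic crypto-map entry a peer lands on, whether the VPN client pool overlaps the LAN the client wants to reach, the static routes the moderator asked to correct, and the advice to keep a single ISAKMP policy) can all be checked offline by parsing the running-config. The Python script below is an added example, not code from the thread or from Cisco. It lints a constructed config excerpt modelled on the Cliente_1801 config posted above (the 203.0.113.x addresses and the PLACEHOLDER_* keys stand in for the redacted values) and reports dynamic-map entries in evaluation order, keyrings with a wildcard pre-shared key, the number of ISAKMP policies, local pools that fall inside a connected subnet, and static routes that exit via a loopback. The function names and the sample config are my own assumptions.

```python
"""Offline lint for a Cisco IOS running-config pasted into a forum thread (indentation ignored)."""
import ipaddress
import re
# Constructed excerpt in the style of the Cliente_1801 config posted above;
# 203.0.113.x and the PLACEHOLDER_* keys stand in for the redacted values.
SAMPLE_CONFIG = """\
crypto keyring spokes
 pre-shared-key address 203.0.113.10 key PLACEHOLDER_PSK
 pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER_WILDCARD_PSK
!
crypto isakmp policy 10
!
crypto isakmp policy 15
!
crypto dynamic-map dynmap 5
 set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
 set isakmp-profile L2L
!
interface Vlan1
 ip address 10.70.1.254 255.255.255.0
!
ip local pool ippool 10.70.1.240 10.70.1.250
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.0.0.0 255.0.0.0 Loopback0
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")
IP_ADDRESS_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
ROUTE_RE = re.compile(r"^ip route (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)")
KEYRING_RE = re.compile(r"^crypto keyring (\S+)$")
DYNMAP_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+)$")
PROFILE_RE = re.compile(r"^set isakmp-profile (\S+)$")
WILDCARD_PSK = "pre-shared-key address 0.0.0.0 0.0.0.0 "

def lines(cfg):
    """Non-empty config lines with indentation stripped (forum pastes lose it)."""
    return [raw.strip() for raw in cfg.splitlines() if raw.strip()]

def blocks(cfg):
    """Yield (opener, body) for interface, keyring and dynamic-map blocks; a block ends at '!' or the next opener."""
    opener, body = None, []
    for line in lines(cfg) + ["!"]:  # trailing sentinel flushes the last block
        if line == "!" or any(rx.match(line) for rx in (INTERFACE_RE, KEYRING_RE, DYNMAP_RE)):
            if opener:
                yield opener, body
            opener, body = (None if line == "!" else line), []
        elif opener:
            body.append(line)

def interface_networks(cfg):
    """Interface name -> directly connected IPv4 network."""
    nets = {}
    for opener, body in blocks(cfg):
        m = INTERFACE_RE.match(opener)
        hits = [IP_ADDRESS_RE.match(l) for l in body] if m else []
        for a in filter(None, hits):
            nets[m.group(1)] = ipaddress.IPv4Interface(f"{a.group(1)}/{a.group(2)}").network
    return nets

def pool_overlaps(cfg):
    """(pool, interface, network) whenever a local pool starts or ends inside a connected subnet."""
    nets = interface_networks(cfg)
    pools = [p for p in map(POOL_RE.match, lines(cfg)) if p]
    return [(p.group(1), iface, str(net)) for p in pools for iface, net in nets.items()
            if ipaddress.IPv4Address(p.group(2)) in net or ipaddress.IPv4Address(p.group(3)) in net]

def wildcard_psk_keyrings(cfg):
    """Keyrings holding a pre-shared key that any peer address can use."""
    return [KEYRING_RE.match(o).group(1) for o, body in blocks(cfg)
            if KEYRING_RE.match(o) and any(l.startswith(WILDCARD_PSK) for l in body)]

def dynamic_map_entries(cfg):
    """(map, sequence, isakmp-profile) in evaluation order, lowest sequence first."""
    entries = []
    for opener, body in blocks(cfg):
        m = DYNMAP_RE.match(opener)
        if m:
            profile = next((PROFILE_RE.match(l).group(1) for l in body if PROFILE_RE.match(l)), None)
            entries.append((m.group(1), int(m.group(2)), profile))
    return sorted(entries, key=lambda e: (e[0], e[1]))

def isakmp_policy_count(cfg):
    return sum(1 for l in lines(cfg) if re.match(r"^crypto isakmp policy \d+$", l))

def routes_via_loopback(cfg):
    """Static routes whose exit interface is a Loopback."""
    return [(r.group(1), r.group(2), r.group(3)) for r in map(ROUTE_RE.match, lines(cfg))
            if r and r.group(3).lower().startswith("loopback")]

def audit(cfg):
    """One human-readable finding per item."""
    out = [f"pool {p} lies inside {i} subnet {n}" for p, i, n in pool_overlaps(cfg)]
    out += [f"keyring {k} has a wildcard pre-shared key" for k in wildcard_psk_keyrings(cfg)]
    if isakmp_policy_count(cfg) > 1:
        out.append(f"{isakmp_policy_count(cfg)} ISAKMP policies configured")
    out += [f"static route {d} {m} exits via {i}" for d, m, i in routes_via_loopback(cfg)]
    out += [f"dynamic-map {n} seq {s} -> isakmp-profile {p}" for n, s, p in dynamic_map_entries(cfg)]
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Feed it a saved `show run` instead of the constructed excerpt to get the same report for a real box. The pool check flags the condition this thread ran into, a VPN client pool carved out of the LAN subnet, which the poster later resolved by changing the pool; the dynamic-map listing makes the evaluation order explicit, which is what the first post's "only the lowest sequence works" observation turns on.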
- Cisco pathologically enlightened user
- Posts: 175
- Joined: Sat 10 Sep 2005, 2:51 pm
- Location: Bologna
So,
I left the routes as they were. I changed the address pool and now the VPN Client connections work too.
The problem with the static VPN that won't come up in both directions remains, let's say...
I'll post a bit of debug output shortly!