L2L VPN with an 871 on the Fastweb network

Virtual private networks and related topics

Moderator: Federico.Lagni

arobby
n00b
Posts: 2
Joined: Wed 12 Sep, 2007 10:03 am

Hi everyone, I have configured an L2L VPN with a Cisco 871 router that connects to the router of the Fastweb network.
The VPN tunnel comes up, but I cannot ping the destination LAN, and likewise they cannot ping from the other site, where they have a Checkpoint Firewall NGX R60 that they configured themselves.

Running a tunnel test with SDM confirms that the tunnel is active and tells me that, because of MTU problems, the ping cannot be performed.
I searched the forum and Cisco's site and changed the parameters, but without solving the problem.

This is my router's config:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c800
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip cef
!
!
ip domain name xxx.it
ip name-server x.x.x.x
ip name-server x.x.x.x
!
crypto pki trustpoint TP-self-signed-3809482072
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3809482072
revocation-check none
rsakeypair TP-self-signed-3809482072
!
!
crypto pki certificate chain TP-self-signed-3809482072
certificate self-signed 01
quit
username LittleBIT privilege 15 secret 5 $1$f69.$TF0MC50Op6nxQNYBVqe/2.
username administrator privilege 15 secret 5 $1$8P0I$0pMKgqOH0De1p3aFyR26E/
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address x.x.x.200
crypto isakmp keepalive 1440
!
crypto ipsec security-association lifetime seconds 3200
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tox.x.x..200
set peer x.x.x.200
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-LAN$
ip address x.x.x.195 255.255.255.248 (public IP provided by Fastweb)
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Dot11Radio0
no ip address
ip nat inside
ip virtual-reassembly
shutdown
!
ssid LittleBIT
vlan 1
authentication open
wpa-psk ascii 0 7RECOLB8
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
shutdown
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 172.22.177.241 255.255.255.248
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1350
crypto ipsec df-bit copy
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip x.x.x.240 0.0.0.7 x.x.x.16 0.0.0.7
no cdp run
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end

Thanks
Arobby
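
Added example, not part of the original post: the packet-size arithmetic behind the MTU settings in the config above (`ip tcp adjust-mss 1350`, transform set `esp-3des esp-sha-hmac`, tunnel mode). The 1500-byte path MTU and the function names are assumptions made for illustration; the real path MTU between the two sites is not stated in the thread.

```python
# ESP tunnel-mode overhead for 3DES-CBC + HMAC-SHA1-96, as used by the
# ESP-3DES-SHA transform set in the posted config. Added illustration only.

OUTER_IP = 20        # new IPv4 header added in tunnel mode
ESP_HEADER = 8       # SPI (4) + sequence number (4)
IV_3DES = 8          # 3DES-CBC initialisation vector (one cipher block)
BLOCK_3DES = 8       # plaintext + trailer is padded to a multiple of this
ESP_TRAILER = 2      # pad length (1) + next header (1), encrypted
ICV_SHA1_96 = 12     # HMAC-SHA1 truncated to 96 bits
NATT_UDP = 8         # extra UDP header, only if NAT-T encapsulation is in use
TCP_IP_HEADERS = 40  # inner IPv4 (20) + TCP (20), no options


def fixed_overhead(nat_t=False):
    """Bytes added to every packet regardless of padding."""
    return OUTER_IP + ESP_HEADER + IV_3DES + ICV_SHA1_96 + (NATT_UDP if nat_t else 0)


def esp_packet_size(inner_len, nat_t=False):
    """On-the-wire size of an inner IPv4 packet of inner_len bytes after ESP."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // BLOCK_3DES) * BLOCK_3DES  # round up to block size
    return fixed_overhead(nat_t) + padded


def max_inner_packet(path_mtu, nat_t=False):
    """Largest inner packet whose ESP form still fits in path_mtu."""
    room = (path_mtu - fixed_overhead(nat_t)) // BLOCK_3DES * BLOCK_3DES
    return room - ESP_TRAILER


def check_mss(mss, path_mtu, nat_t=False):
    """Report whether a clamped TCP MSS avoids post-encryption fragmentation."""
    inner = mss + TCP_IP_HEADERS
    wire = esp_packet_size(inner, nat_t)
    return {"inner": inner, "wire": wire, "fits": wire <= path_mtu,
            "max_mss": max_inner_packet(path_mtu, nat_t) - TCP_IP_HEADERS}


if __name__ == "__main__":
    PATH_MTU = 1500  # assumption: plain Ethernet path between the peers
    print("adjust-mss 1350:", check_mss(1350, PATH_MTU))
    print("adjust-mss 1350 with NAT-T:", check_mss(1350, PATH_MTU, nat_t=True))
    print("full 1500-byte inner packet becomes", esp_packet_size(1500), "bytes")
```

Under these assumptions the configured MSS of 1350 yields 1440-byte ESP packets, while a full 1500-byte inner packet (for example a large ping) grows to 1552 bytes and has to be fragmented after encryption.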
arobby
n00b
Posts: 2
Joined: Wed 12 Sep, 2007 10:03 am

no :idea: