VPN stabilita con successo ma no routing fra i due endpoint.

[maro]

riscrivo qui, sperando in qualche anima pia.. ho provato ad integrare sul mio 877W la parte di connessione VPN.
siccome ho una ADSL con IP dinamico, uso l'877 come VPN client, e uso un ASA 5505 come VPN server (Ip statico). Direi che son riuscito a fare quasi tutto senza grossi problemi, il tunnel viene stabilito con la sede remota, e anche la parte IPSec funziona bene.
Il punto è che le due reti remote non si pingano, non si vedono.. e se faccio un "show crypto ipsec sa" i pacchetti sono sempre a zero. non c'è traffico.

credo che il problema sia a lato router, vi posto la conf. e ringrazio sin da ora se qualcuno (magari wizard ) potesse darmi un indizio. Non voglio la pappa pronta, se ho la dritta vado a cercarmi la documentazione necessaria.

Grazie mille !


(è riportato solo quello che può riguardare la vpn, il resto è tagliato..)
la rete locale è 192.168.100.0/24 e la remota è 192.168.1.0/24


Building configuration...

Current configuration : 7833 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!

ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.20 192.168.100.254
!
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
no ip bootp server
ip name-server 151.99.125.2
ip name-server 151.99.125.3

!
!
!
!
crypto ipsec client ezvpn ASA
connect auto
group DefaultRAGroup key cisco
mode network-extension
peer 213.82.171.4
xauth userid mode interactive
!
!
bridge irb
!
!
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Interfaccia LAN
no ip address
no ip unreachables
no ip proxy-arp
ip tcp adjust-mss 1452
no ip mroute-cache
bridge-group 1
!
interface Dialer0
description Interfaccia PPPoA Verso ISP
ip ddnsxxxxxxxxxxxxxxxxx
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip inspect Firewall out
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
no cdp enable
crypto ipsec client ezvpn ASA
!
interface BVI1
description Bridge fra LAN e WLAN verso WAN
ip address 192.168.100.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ASA inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static udp 192.168.100.100 4682 interface Dialer0 4682
ip nat inside source static tcp 192.168.100.105 4673 interface Dialer0 4673
ip nat inside source static udp 192.168.100.105 4673 interface Dialer0 4673
ip nat inside source static tcp 192.168.100.100 4672 interface Dialer0 4672
ip nat inside source static udp 192.168.100.100 4672 interface Dialer0 4672
ip nat inside source static tcp 192.168.100.100 3724 interface Dialer0 3724
ip nat inside source route-map EzVPN1 interface Dialer0 overload
!
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 103 permit ip 192.168.100.0 0.0.0.255 any
access-list 103 permit ip 192.168.100.0 0.0.0.255 any
access-list 105 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny ip 192.168.100.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 105 permit ip 192.168.100.0 0.0.0.255 any
access-list 700 permit 0013.e8f7.eed5 0000.0000.0000
access-list 700 permit 0020.002a.e611 0000.0000.0000
access-list 700 permit 001c.df38.21e6 0000.0000.0000
access-list 700 permit 0013.e8f7.52a9 0000.0000.0000
access-list 700 permit 001b.fc11.12ab 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
no cdp run
route-map EzVPN1 permit 1
description Routing verso endpoint VPN
match ip address 103![/u]

[Wizard]

Questa cosa nn la avrei conigurata così io...
Avrei configurato su entrambi i lati una vpn l2l classica mettendo come ip remoto sul asa 0.0.0.0 (come insegna Cisco)

Cmq, con questa conf prova a rifare la acl 103 così:

Codice: Seleziona tutto

access-list 103 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

e vedi se quella acl e la 105 hanno dei match

[maro]

Grazie mille per la risposta Wizard !!

ma in ogni caso no, non è un problema di ACL.. in ogni caso i pacchetti non vengono instradati nel tunnel..

giusto per curiosità.. perchè avresti usato L2L invece dell'IPSEC ?

ciao e grazie




Router# sh crypto ipsec sa

interface: Dialer0
Crypto map tag: Dialer0-head-0, local addr 151.65.170.216

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 213.82.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

interface: Virtual-Access1
Crypto map tag: Dialer0-head-0, local addr 151.65.170.216

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 213.82.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

[Wizard]

Appunto, se il traffico nn viene ruotato nella vpn è x forza un problema delle acl che gestiscono il tunnel...

Cmq io sta config come ti dicevo non la ho mai provata

[maro]

ariciao e arigrazie per la risp.

ho cercato documentazione su come fare una VPN L2L, visto che consigliavi ma di peggio in peggio..

viene fuori

Router#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
213.82.xxx.xxx 151.65.170.216 MM_NO_STATE 0 0 ACTIVE

IPv6 Crypto ISAKMP SA

Router#
*Jul 26 16:04:26.682: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 213.82.xxx.xxx
*Jul 26 16:04:28.328: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 213.82.xxx.xxx


Il tunnel sembra stabilito.. (Active) di fatto non passa traffico, il led VPN sul frontale è spento e da errori di IKE..

se qualcuno ha idee sono mooolto ansioso di ascoltarle




LATO ROUTER 877 IOS 12.4


crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 213.82.xxx.xxx no-xauth
!
crypto ipsec transform-set asa-set esp-3des esp-md5-hmac
!
crypto map asa local-address Dialer0
crypto map asa 10 ipsec-isakmp
set peer 213.82.xxx.xxx
set transform-set asa-set
match address 103

interface Dialer0
description Interfaccia PPPoA Verso ISP
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip inspect Firewall out
ip nat outside
ip virtual-reassembly
crypto map asa

ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 103 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 192.168.70.0 0.0.0.255

access-list 105 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny ip 192.168.100.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 105 permit ip 192.168.100.0 0.0.0.255 any

no cdp run
route-map nonat permit 10
match ip address 105
!



LATO ASA 5500 IOS 8.03



access-list vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NO_NAT_Inside extended permit ip 192.168.1.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list NO_NAT_Inside extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

nat-control
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT_Inside
nat (inside) 1 192.168.1.0 255.255.255.0

access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 213.82.xxx.xxx 1

crypto ipsec transform-set router-set esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set router-set
crypto dynamic-map cisco 1 set reverse-route
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key cisco123

[/i]

[maro]

l'errore IKE l'ho trovato... la policy 1 dell ISAKMP su router era settata come HASH MD5, mentre sull'ASA era HASH SHA.

messo sull'ASA in MD5 è sparito l'errore... rimane il fatto che non funziona..