Ho la necessità di collegare in vpn due uffici: uno gestito da una macchina linux con interfaccia esterna pubblica e l'altro da un cisco 878.
Ho cercato ovunque ma c'è pochissima documentazione ....
Qualcuno puo' aiutarmi ?
la struttura è questa:
lan remota 192.168.1.0/24
|
| 192.168.1.1/24
router cisco 878
| ip pubblici 217.x.x.24/29
|
| 217.133.x.x/29
linux box
| 10.50.157.254
|
lan ufficio principale 10.50.157.0/24
Ho la necessità di far passare in vpn solo il traffico diretto alla lan dell'ufficio principale.
grazie
cisco 878 e racoon ipsec tunnel
anche se non ve lo meritate ecco le configurazioni:
Lo scenario è:
remote lan 192.168.1.0/24
|
| vlan1 (192.168.1.1/24)
cisco 878
| Dialer0 217.133.x.24/32
|
|
| eth0 217.220.x.26/32
linux with racoon
| eth1 10.50.157.254
|
main office lan 10.50.157.0/24
cisco 878 config:
Current configuration : 2549 bytes
!
! Cisco 878 (remote office) side of the site-to-site IPsec tunnel.
! Vlan1 = remote LAN 192.168.1.0/24, Dialer0 = public side, peer = the Linux/racoon box at 217.220.x.26.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption disabled, every "password 0" line below (local user, PPP chap/pap)
! is stored and displayed in clear text; "service password-encryption" only obfuscates them (type 7, reversible),
! so this listing should be treated as sensitive regardless.
no service password-encryption
!
hostname c878_SHDSL.NOMEDOMINIO
!
boot-start-marker
boot-end-marker
!
! Type 5 (MD5-based) enable hash, posted verbatim; rotate it if this is a production device.
enable secret 5 $1$BzT.$/YsL.M0Wi714.TUNmC1JU1
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
! Needed (together with "crypto key generate rsa") if the vty lines are moved to SSH, see below.
ip domain name gm-nomedominio.it
!
isdn switch-type basic-net3
!
!
! Clear-text local credential used by "login local" on the vty lines; "username ... secret" would store a hash instead.
username ciscoadm password 0 pwd
!
!
! IKE phase 1 policy: 3DES / MD5 / DH group 2 / pre-shared key, 8h lifetime.
! Must mirror the "proposal" block in the racoon remote section. 3DES, MD5 and group 2 are legacy choices;
! when both ends support it, move to AES and a stronger hash/DH group, changing both sides together.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
! PSK bound to the Linux peer's address; must equal the value racoon reads from psk.txt for 217.133.x.24.
crypto isakmp key xxxxxxxx address 217.220.x.26
!
! Phase 2 SA lifetime, matches "lifetime time 28800 sec" in the racoon sainfo block.
crypto ipsec security-association lifetime seconds 28800
!
! Phase 2 transform, matches racoon "encryption_algorithm 3des" / "authentication_algorithm hmac_md5" (tunnel mode).
crypto ipsec transform-set racoon esp-3des esp-md5-hmac
!
! Crypto map: peer, transform, PFS group 2 (matches "pfs_group 2"), interesting traffic = ACL 100.
crypto map racoon 10 ipsec-isakmp
set peer 217.220.x.26
set transform-set racoon
set pfs group2
match address 100
!
archive
log config
hidekeys
!
!
controller DSL 0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate auto
!
!
!
!
interface BRI0
no ip address
encapsulation ppp
shutdown
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Remote LAN side (NAT inside).
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
! Public side: NAT outside and the crypto map are applied here.
! NOTE(review): the address is negotiated, while racoon pins the peer at 217.133.x.24 and the SPD entries
! embed it as well - this assumes the provider always hands out the same address; confirm.
! No inbound "ip access-group" is applied on this interface, so HTTP and vty management below are reachable from the Internet.
interface Dialer0
description ---> Dialer Interface
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [email protected]
! Clear-text PPP credentials (see the "no service password-encryption" note above).
ppp chap password 0 16luglio
ppp pap sent-username [email protected] password 0 pwdppp
crypto map racoon
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Plain-text HTTP management is enabled and HTTPS is off, with no "ip http access-class" restriction;
! disable it or limit it to the inside network.
ip http server
no ip http secure-server
! PAT for Internet traffic; ACL 122 exempts the VPN traffic so it reaches the crypto map un-translated.
ip nat inside source list 122 interface Dialer0 overload
! Static forward exposing RDP on 192.168.1.20 to any source on the Internet. The main office already reaches
! 192.168.1.0/24 through the tunnel (ACL 100), so this forward may be unnecessary; if kept, restrict its sources.
ip nat inside source static tcp 192.168.1.20 3389 interface Dialer0 3389
!
! ACL 1 is not referenced anywhere in this configuration (unused).
access-list 1 permit 192.168.1.0 0.0.0.255
! ACL 100: crypto ACL (remote LAN <-> main office LAN), mirrored by the racoon sainfo / setkey selectors.
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.50.157.0 0.0.0.255
! ACL 122: NAT exemption - deny the VPN flows first, then PAT everything else.
access-list 122 deny ip 192.168.1.0 0.0.0.255 10.50.157.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
! Remote management: local login with the clear-text user above, Telnet preferred, all transports accepted and
! no "access-class", so the vty lines are open to the whole Internet via Dialer0.
! Prefer "transport input ssh" plus an "access-class" limiting sources to the VPN/inside ranges.
line vty 0 4
login local
transport preferred telnet
transport input all
transport output all
!
scheduler max-task-time 5000
end
this is the racoon configuration
racoon.conf
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
# Linux (main office) side of the tunnel; the peer is the Cisco 878 Dialer0 address 217.133.x.24.
#PROMETEO
path include "/etc/racoon";
# Keys are read from psk.txt; keep that file root-only (0600) - racoon is known to reject a key file
# with wider permissions, verify on this version.
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
# NOTE(review): "debug" is very verbose and logs identities and negotiation details; lower it to "notify"
# once the tunnel is working.
log debug;
remote 217.133.x.24 {
# NOTE(review): aggressive mode is listed first, so racoon initiates with it. With pre-shared keys, aggressive
# mode sends the identity unencrypted and lets a passive observer attempt offline guessing of the PSK.
# Both ends have fixed public addresses here, so "exchange_mode main;" should be enough - the Cisco side
# uses main mode for pre-shared keys by default; confirm before changing.
exchange_mode aggressive,main;
# Our identity = eth0 address, the same address the Cisco "crypto isakmp key ... address" line is bound to.
my_identifier address 217.220.x.26;
initial_contact off;
# nat_traversal on;
# dpd_delay 20;  (dead-peer detection is off on both sides; the Cisco has no "crypto isakmp keepalive" either)
# ike_frag on;
# proposal_check obey;
# Phase 1 proposal, mirrors Cisco "crypto isakmp policy 1" (3DES / MD5 / PSK / DH group 2).
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
# Phase 2 selectors: local 10.50.157.0/24 <-> remote 192.168.1.0/24, the mirror image of Cisco ACL 100.
sainfo address 10.50.157.0/24 any address 192.168.1.0/24 any
{
# Matches "set pfs group2" in the Cisco crypto map.
pfs_group 2;
# Matches transform-set "esp-3des esp-md5-hmac".
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
# IPComp is proposed here but nothing on the Cisco side configures compression - presumably negotiation
# proceeds without it; check the racoon log if phase 2 fails.
compression_algorithm deflate;
# Matches "crypto ipsec security-association lifetime seconds 28800".
lifetime time 28800 sec;
}
setkey
# Kernel security policies (SPD) for the tunnel; the selectors mirror Cisco ACL 100 and are what makes
# only the remote-LAN <-> main-office traffic use IPsec. When reloading with "setkey -f", a leading
# "spdflush;" avoids stale entries.
# Inbound: packets from 192.168.1.0/24 to 10.50.157.0/24 must arrive ESP-encapsulated from the Cisco
# (217.133.x.24) to eth0 (217.220.x.26).
spdadd 192.168.1.0/24 10.50.157.0/24 any -P in ipsec esp/tunnel/217.133.x.24-217.220.x.26/require;
# Outbound mirror policy. "require" means matching packets are never sent in clear: without an SA they
# are dropped (and racoon is asked to negotiate one).
spdadd 10.50.157.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/217.220.x.26-217.133.x.24/require;
psk.txt
# Pre-shared keys, one "identifier key" pair per line; racoon picks the line matching the peer's identity
# (its IP address here). Keep this file readable by root only.
# The 217.220.x.26 line is this host's own eth0 address and does not appear to be consulted; only the
# 217.133.x.24 entry (the Cisco) is used, and it must equal the Cisco "crypto isakmp key" value.
217.220.x.26 xxxxxxxx
217.133.x.24 xxxxxxxx
route
# Route for the remote LAN on the Linux box. The "out" SPD policy above is what encapsulates the traffic;
# this route only has to keep 192.168.1.0/24 from following the default route unchanged.
# NOTE(review): the gateway given is this box's own eth1 address (10.50.157.254 in the diagram), not a
# next hop - confirm this is intended. The command is not persistent across reboots as written.
route add -net 192.168.1.0/24 gw 10.50.157.254
e okkio ai firewall!!!!!!!!!!
Lo scenario è:
remote lan 192.168.1.0/24
|
| vlan1 (192.168.1.1/24)
cisco 878
| Dialer0 217.133.x.24/32
|
|
| eth0 217.220.x.26/32
linux with racoon
| eth1 10.50.157.254
|
main office lan 10.50.157.0/24
cisco 878 config:
Current configuration : 2549 bytes
!
! Cisco 878 (remote office) side of the site-to-site IPsec tunnel.
! Vlan1 = remote LAN 192.168.1.0/24, Dialer0 = public side, peer = the Linux/racoon box at 217.220.x.26.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption disabled, every "password 0" line below (local user, PPP chap/pap)
! is stored and displayed in clear text; "service password-encryption" only obfuscates them (type 7, reversible),
! so this listing should be treated as sensitive regardless.
no service password-encryption
!
hostname c878_SHDSL.NOMEDOMINIO
!
boot-start-marker
boot-end-marker
!
! Type 5 (MD5-based) enable hash, posted verbatim; rotate it if this is a production device.
enable secret 5 $1$BzT.$/YsL.M0Wi714.TUNmC1JU1
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
! Needed (together with "crypto key generate rsa") if the vty lines are moved to SSH, see below.
ip domain name gm-nomedominio.it
!
isdn switch-type basic-net3
!
!
! Clear-text local credential used by "login local" on the vty lines; "username ... secret" would store a hash instead.
username ciscoadm password 0 pwd
!
!
! IKE phase 1 policy: 3DES / MD5 / DH group 2 / pre-shared key, 8h lifetime.
! Must mirror the "proposal" block in the racoon remote section. 3DES, MD5 and group 2 are legacy choices;
! when both ends support it, move to AES and a stronger hash/DH group, changing both sides together.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
! PSK bound to the Linux peer's address; must equal the value racoon reads from psk.txt for 217.133.x.24.
crypto isakmp key xxxxxxxx address 217.220.x.26
!
! Phase 2 SA lifetime, matches "lifetime time 28800 sec" in the racoon sainfo block.
crypto ipsec security-association lifetime seconds 28800
!
! Phase 2 transform, matches racoon "encryption_algorithm 3des" / "authentication_algorithm hmac_md5" (tunnel mode).
crypto ipsec transform-set racoon esp-3des esp-md5-hmac
!
! Crypto map: peer, transform, PFS group 2 (matches "pfs_group 2"), interesting traffic = ACL 100.
crypto map racoon 10 ipsec-isakmp
set peer 217.220.x.26
set transform-set racoon
set pfs group2
match address 100
!
archive
log config
hidekeys
!
!
controller DSL 0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate auto
!
!
!
!
interface BRI0
no ip address
encapsulation ppp
shutdown
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Remote LAN side (NAT inside).
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
! Public side: NAT outside and the crypto map are applied here.
! NOTE(review): the address is negotiated, while racoon pins the peer at 217.133.x.24 and the SPD entries
! embed it as well - this assumes the provider always hands out the same address; confirm.
! No inbound "ip access-group" is applied on this interface, so HTTP and vty management below are reachable from the Internet.
interface Dialer0
description ---> Dialer Interface
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [email protected]
! Clear-text PPP credentials (see the "no service password-encryption" note above).
ppp chap password 0 16luglio
ppp pap sent-username [email protected] password 0 pwdppp
crypto map racoon
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Plain-text HTTP management is enabled and HTTPS is off, with no "ip http access-class" restriction;
! disable it or limit it to the inside network.
ip http server
no ip http secure-server
! PAT for Internet traffic; ACL 122 exempts the VPN traffic so it reaches the crypto map un-translated.
ip nat inside source list 122 interface Dialer0 overload
! Static forward exposing RDP on 192.168.1.20 to any source on the Internet. The main office already reaches
! 192.168.1.0/24 through the tunnel (ACL 100), so this forward may be unnecessary; if kept, restrict its sources.
ip nat inside source static tcp 192.168.1.20 3389 interface Dialer0 3389
!
! ACL 1 is not referenced anywhere in this configuration (unused).
access-list 1 permit 192.168.1.0 0.0.0.255
! ACL 100: crypto ACL (remote LAN <-> main office LAN), mirrored by the racoon sainfo / setkey selectors.
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.50.157.0 0.0.0.255
! ACL 122: NAT exemption - deny the VPN flows first, then PAT everything else.
access-list 122 deny ip 192.168.1.0 0.0.0.255 10.50.157.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
! Remote management: local login with the clear-text user above, Telnet preferred, all transports accepted and
! no "access-class", so the vty lines are open to the whole Internet via Dialer0.
! Prefer "transport input ssh" plus an "access-class" limiting sources to the VPN/inside ranges.
line vty 0 4
login local
transport preferred telnet
transport input all
transport output all
!
scheduler max-task-time 5000
end
this is the racoon configuration
racoon.conf
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
# Linux (main office) side of the tunnel; the peer is the Cisco 878 Dialer0 address 217.133.x.24.
#PROMETEO
path include "/etc/racoon";
# Keys are read from psk.txt; keep that file root-only (0600) - racoon is known to reject a key file
# with wider permissions, verify on this version.
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
# NOTE(review): "debug" is very verbose and logs identities and negotiation details; lower it to "notify"
# once the tunnel is working.
log debug;
remote 217.133.x.24 {
# NOTE(review): aggressive mode is listed first, so racoon initiates with it. With pre-shared keys, aggressive
# mode sends the identity unencrypted and lets a passive observer attempt offline guessing of the PSK.
# Both ends have fixed public addresses here, so "exchange_mode main;" should be enough - the Cisco side
# uses main mode for pre-shared keys by default; confirm before changing.
exchange_mode aggressive,main;
# Our identity = eth0 address, the same address the Cisco "crypto isakmp key ... address" line is bound to.
my_identifier address 217.220.x.26;
initial_contact off;
# nat_traversal on;
# dpd_delay 20;  (dead-peer detection is off on both sides; the Cisco has no "crypto isakmp keepalive" either)
# ike_frag on;
# proposal_check obey;
# Phase 1 proposal, mirrors Cisco "crypto isakmp policy 1" (3DES / MD5 / PSK / DH group 2).
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
# Phase 2 selectors: local 10.50.157.0/24 <-> remote 192.168.1.0/24, the mirror image of Cisco ACL 100.
sainfo address 10.50.157.0/24 any address 192.168.1.0/24 any
{
# Matches "set pfs group2" in the Cisco crypto map.
pfs_group 2;
# Matches transform-set "esp-3des esp-md5-hmac".
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
# IPComp is proposed here but nothing on the Cisco side configures compression - presumably negotiation
# proceeds without it; check the racoon log if phase 2 fails.
compression_algorithm deflate;
# Matches "crypto ipsec security-association lifetime seconds 28800".
lifetime time 28800 sec;
}
setkey
# Kernel security policies (SPD) for the tunnel; the selectors mirror Cisco ACL 100 and are what makes
# only the remote-LAN <-> main-office traffic use IPsec. When reloading with "setkey -f", a leading
# "spdflush;" avoids stale entries.
# Inbound: packets from 192.168.1.0/24 to 10.50.157.0/24 must arrive ESP-encapsulated from the Cisco
# (217.133.x.24) to eth0 (217.220.x.26).
spdadd 192.168.1.0/24 10.50.157.0/24 any -P in ipsec esp/tunnel/217.133.x.24-217.220.x.26/require;
# Outbound mirror policy. "require" means matching packets are never sent in clear: without an SA they
# are dropped (and racoon is asked to negotiate one).
spdadd 10.50.157.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/217.220.x.26-217.133.x.24/require;
psk.txt
# Pre-shared keys, one "identifier key" pair per line; racoon picks the line matching the peer's identity
# (its IP address here). Keep this file readable by root only.
# The 217.220.x.26 line is this host's own eth0 address and does not appear to be consulted; only the
# 217.133.x.24 entry (the Cisco) is used, and it must equal the Cisco "crypto isakmp key" value.
217.220.x.26 xxxxxxxx
217.133.x.24 xxxxxxxx
route
# Route for the remote LAN on the Linux box. The "out" SPD policy above is what encapsulates the traffic;
# this route only has to keep 192.168.1.0/24 from following the default route unchanged.
# NOTE(review): the gateway given is this box's own eth1 address (10.50.157.254 in the diagram), not a
# next hop - confirm this is intended. The command is not persistent across reboots as written.
route add -net 192.168.1.0/24 gw 10.50.157.254
e okkio ai firewall!!!!!!!!!!
Sei ironico, vero?? febelus ha scritto: anche se non ve lo meritate ecco le configurazioni:
........
route add -net 192.168.1.0/24 gw 10.50.157.254

P.S.
route add -net 192.168.1.0/24 gw 10.50.157.254 ...ummmh quel Server hai provato a riavviarlo dopo il comando di route?