LAN behind the Cisco 192.168.2.0/24
LAN behind the Linux box 10.0.0.0/24

Here is my sh crypto sess
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key prova address IPPUB-OPENSWAN no-xauth
!
!
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer IPPUB-OPENSWAN
 set transform-set VPN
 match address 151
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode ansi-dmt
 dsl lom 100
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.2.190 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 104F071D171206030906232021
 ppp pap sent-username [email protected] password 7 070E2F485C0C0D0D1210020701
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer0 overload
access-list 102 deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 151 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 151 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 151 deny ip any any
no cdp run
!
!
!
route-map nonat permit 10
 match ip address 151
!
sh crypto session
Crypto session current status
Interface: Dialer0
Session status: UP-ACTIVE
Peer: IPPUB-OPENSWAN port 500
IKE SA: IPPUB_CISCO/500 remote IPPUB-OPENSWAN/500 Active
IPSEC FLOW: deny ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: deny ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 2, origin: crypto map