vpn ipsec point-to-point

Wiadomość

umbro · #1

Hej Forumowicze,
Mógłbym was prosić o przejrzenie mojej konfiguracji tunelu ipsec site to site i pomoc w znalezieniu "babola".
Konfiguracja dla tunelu powinna byc taka:

Ipsec peer: 19xx
Sieć po mojej stronie: 172.18.47.0/24
Sieć po drugiej stronie tunelu : 172.16.0.0/12
IKE group2 1440 min AES-256 SHA1
IPsec group 2 3600 sec AES-254 SHA1
PFS

Kod: Zaznacz cały

yourname#sh run
Building configuration...

Current configuration : 5805 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1199699675
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1199699675
 revocation-check none
 rsakeypair TP-self-signed-1199699675
!
!
crypto pki certificate chain TP-self-signed-1199699675
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313939 36393936 3735301E 170D3032 30333134 30303135
  34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31393936
  39393637 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A30C 588DD444 4C17E026 077AE454 4458BD87 14D2EC3A 4214D079 4C799B0E
  3686D9F8 614BB582 21E7148D 05E9E229 E92C9484 CA957B49 C4A61B91 6346A049
  7B18DBB9 11EFE143 314C7788 BAAC8C47 F983734D 11EB1453 08CA8EB5 6F41A5CE
  515EF0D8 D579D5BF F54C6DA0 E60EEB78 8C07995E 8C9500B0 131E46C7 674925C2
  1B610203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14313D8A 9D8F9C95 658E2A43 0300ED5F 23425A30
  25301D06 03551D0E 04160414 313D8A9D 8F9C9565 8E2A4303 00ED5F23 425A3025
  300D0609 2A864886 F70D0101 04050003 8181009A CF199046 AF3D6C56 A9C4FC24
  88F57E5A CF04CEC0 7593A856 3B9C64E3 0F99195B 6307D04F 7B2A21F7 2F011528
  99F2DD10 E671E406 2F01DA7C 0B22621E D6F56895 4BACD12A D8983BE6 95150B29
  732E52F2 47D8D47A CC91A820 62DDA662 4E4824A1 EBE80ABB 662089F4 C6A84D17
  54E206AA DE1C7105 382D1BD8 ACD8E004 76FCBD
        quit
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool DHCP
   network 172.18.47.0 255.255.255.0
   default-router 172.18.47.1
   dns-server 87.204.204.204 62.233.233.233
!
!
no ip domain lookup
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
username axx privilege 15 secret 5 $1$xx/
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 1440
crypto isakmp key 12xx address 195xx
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 19xx
 set transform-set TS
 match address VPN-TRAFFIC
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 mac-address 000e.7b98.ad2c
 ip address dhcp client-id FastEthernet4
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 172.18.47.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
!
ip access-list extended VPN-TRAFFIC
 permit ip 172.18.47.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.15.255.255
!
access-list 23 permit any
access-list 100 deny   ip 172.18.47.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 100 permit ip 172.18.47.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!

Kod: Zaznacz cały

yourname#ping 172.28.31.200 source vlan1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.31.200, timeout is 2 seconds:
Packet sent with a source address of 172.18.47.1
.....
Success rate is 0 percent (0/5)
yourname#show crypto session
Crypto session current status

Interface: FastEthernet4
Session status: DOWN-NEGOTIATING
Peer: 195.x port 500
  IKE SA: local 90.x/500 remote 195.x/500 Inactive
  IKE SA: local 90.x/500 remote 195.x/500 Inactive
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 172.16.0.0/255.240.0.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 172.18.47.0/255.255.255.0 172.16.0.0/255.240.0.0
        Active SAs: 0, origin: crypto map

frontier · #2

W trakcie negocjacji output z:

Kod: Zaznacz cały

debug cry isa

No i konfig z drugiej strony.

umbro · #3

ok, problem był tutaj:

Kod: Zaznacz cały

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 1440

Obecnie mam tunel w stanie up-idle co sugeruje chyba problem fazy drugiej.

Kod: Zaznacz cały

yourname#sh crypto session
Crypto session current status

Interface: FastEthernet4
Session status: UP-IDLE
Peer: 195.x8 port 500
  IKE SA: local 90x/500 remote 195x/500 Active
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 172.16.0.0/255.240.0.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 172.18.47.0/255.255.255.0 172.16.0.0/255.240.0.0
        Active SAs: 0, origin: crypto map

Test

Kod: Zaznacz cały

yourname#ping 172.28.31.200 source vlan 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.31.200, timeout is 2 seconds:
Packet sent with a source address of 172.18.47.1
.....
Success rate is 0 percent (0/5)

Zmieniłem też transform-set na:

Kod: Zaznacz cały

crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec transform-set TS1 ah-sha-hmac esp-aes 256
crypto ipsec transform-set TS2 esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 195.x
 set transform-set TS
 set pfs group2
 match address VPN-TRAFFIC
!
archive
 log config
  hidekeys

p.s niestety debug z drugiej strony tunelu nie jest mozliwy, nie mam kontroli nad drugą końcówką. [/code]

frontier · #4

W Phase2 nie masz włączonego PFS.

umbro · #5

frontier pisze:W Phase2 nie masz włączonego PFS.

A to nie jest to ?

Kod: Zaznacz cały

crypto map CMAP 10 ipsec-isakmp 
 set peer 195.x 
 set transform-set TS 
 set pfs group2  <<< ---- ??
 match address VPN-TRAFFIC

umbro · #6

Chciałbym zapytać czy ta część konfiguracji jest odpowiednia:

Kod: Zaznacz cały

crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec transform-set TS1 ah-sha-hmac esp-aes 256
crypto ipsec transform-set TS2 esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 195x
 set transform-set TS
 set pfs group2
 match address VPN-TRAFFIC

Dla podanych parametrów do tunelu:

Ipsec peer: 19xx
Sieć po mojej stronie: 172.18.47.0/24
Sieć po drugiej stronie tunelu : 172.16.0.0/12
IKE group2 1440 min AES-256 SHA1
IPsec group 2 3600 sec AES-254 SHA1

Dodam jeszcze co debug mowi:

Kod: Zaznacz cały

yourname#ping 172.28.31.200 source vlan1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.31.200, timeout is 2 seconds:
Packet sent with a source address of 172.18.47.1

*Mar 14 17:55:02.490: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 90.x, remote= 195.x,
    local_proxy= 172.18.47.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Mar 14 17:55:02.494: ISAKMP: set new node 0 to QM_IDLE
*Mar 14 17:55:02.494: SA has outstanding requests  (local 131.215.224.64 port 500, remote 131.215.224.36 port 500)
*Mar 14 17:55:02.494: ISAKMP:(2003): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Mar 14 17:55:02.494: ISAKMP:(2003):beginning Quick Mode exchange, M-ID of -612884500
*Mar 14 17:55:02.494: ISAKMP:(2003):QM Initiator gets spi
*Mar 14 17:55:02.494: ISAKMP:(2003): sending packet to 195.250.37.168 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 14 17:55:02.494: ISAKMP:(2003):Sending an IKE IPv4 Packet.
*Mar 14 17:55:02.494: ISAKMP:(2003):Node -612884500, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 14 17:55:02.494: ISAKMP:(2003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar 14 17:55:02.522: ISAKMP (0:2003): received packet from 195.250.37.168 dport 500 sport 500 Global (I) QM_IDLE  
*Mar 14 17:55:02.522: ISAKMP: set new node 1091014559 to QM_IDLE
*Mar 14 17:55:02.522: ISAKMP:(2003): processing HASH payload. message ID = 1091014559
*Mar 14 17:55:02.522: ISAKMP:(2003): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2999247484, message ID = 1091014559, sa = 83D7DEDC
*Mar 14 17:55:02.522: ISAKMP:(2003): deleting spi 2999247484 message ID = -612884500
*Mar 14 17:55:02.522: ISAKMP:(2003):deleting node -612884500 error TRUE reason "Delete Larval"
*Mar 14 17:55:02.526: ISAKMP:(2003):deleting node 1091014559 error FALSE reason "Informational (in) state 1"
*Mar 14 17:55:02.526: ISAKMP:(2003):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 14 17:55:02.526: ISAKMP:(2003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
.....
Success rate is 0 percent (0/5)
yourname#
*Mar 14 17:55:12.615: ISAKMP:(2003):purging node 1073312661
*Mar 14 17:55:22.608: ISAKMP (0:2003): received packet from 195.x dport 500 sport 500 Global (I) QM_IDLE  
*Mar 14 17:55:22.608: ISAKMP: set new node 52740970 to QM_IDLE
*Mar 14 17:55:22.608: ISAKMP:(2003): processing HASH payload. message ID = 52740970
*Mar 14 17:55:22.608: ISAKMP:(2003): processing SA payload. message ID = 52740970
*Mar 14 17:55:22.608: ISAKMP:(2003):Checking IPSec proposal 1
*Mar 14 17:55:22.608: ISAKMP: transform 1, ESP_AES
*Mar 14 17:55:22.608: ISAKMP:   attributes in transform:
*Mar 14 17:55:22.608: ISAKMP:      group is 2
*Mar 14 17:55:22.608: ISAKMP:      SA life type in seconds
*Mar 14 17:55:22.608: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Mar 14 17:55:22.608: ISAKMP:      authenticator is HMAC-SHA
*Mar 14 17:55:22.612: ISAKMP:      encaps is 1 (Tunnel)
*Mar 14 17:55:22.612: ISAKMP:      key length is 256
*Mar 14 17:55:22.612: ISAKMP:(2003):atts are acceptable.
*Mar 14 17:55:22.612: IPSEC(validate_proposal_request): proposal part #1
*Mar 14 17:55:22.612: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 90.x, remote= 195.x,
    local_proxy= 172.18.47.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.0.24.0/255.255.252.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Mar 14 17:55:22.612: Crypto mapdb : proxy_match
        src addr     : 172.18.47.0
        dst addr     : 10.0.24.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar 14 17:55:22.612: Crypto mapdb : proxy_match
        src addr     : 172.18.47.0
        dst addr     : 10.0.24.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar 14 17:55:22.612: map_db_find_best did not find matching map
*Mar 14 17:55:22.612: IPSEC(ipsec_process_proposal): proxy identities not supported
*Mar 14 17:55:22.612: ISAKMP:(2003): IPSec policy invalidated proposal with error 32
*Mar 14 17:55:22.612: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 90.156.23.17 remote 195.250.37.168)
*Mar 14 17:55:22.612: ISAKMP: set new node 875995458 to QM_IDLE
*Mar 14 17:55:22.612: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2213199176, message ID = 875995458
*Mar 14 17:55:22.612: ISAKMP:(2003): sending packet to 195.250.37.168 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 14 17:55:22.612: ISAKMP:(2003):Sending an IKE IPv4 Packet.
*Mar 14 17:55:22.612: ISAKMP:(2003):purging node 875995458
*Mar 14 17:55:22.616: ISAKMP:(2003):deleting node 52740970 error TRUE reason "QM rejected"
*Mar 14 17:55:22.616: ISAKMP:(2003):Node 52740970, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 14 17:55:22.616: ISAKMP:(2003):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Mar 14 17:55:32.490: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 90.156.23.17, remote= 195.x,
    local_proxy= 172.18.47.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4)
*Mar 14 17:55:32.490: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 90.156.23.17, remote= 195.x,
    local_proxy= 172.18.47.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Mar 14 17:55:32.490: ISAKMP: set new node 0 to QM_IDLE
*Mar 14 17:55:32.490: SA has outstanding requests  (local 131.215.224.64 port 500, remote 131.215.224.36 port 500)
*Mar 14 17:55:32.490: ISAKMP:(2003): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Mar 14 17:55:32.490: ISAKMP:(2003):beginning Quick Mode exchange, M-ID of 1265617136
*Mar 14 17:55:32.490: ISAKMP:(2003):QM Initiator gets spi
*Mar 14 17:55:32.490: ISAKMP:(2003): sending packet to 195.250.37.168 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 14 17:55:32.490: ISAKMP:(2003):Sending an IKE IPv4 Packet.
*Mar 14 17:55:32.494: ISAKMP:(2003):Node 1265617136, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 14 17:55:32.494: ISAKMP:(2003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar 14 17:55:32.518: ISAKMP (0:2003): received packet from 195.x dport 500 sport 500 Global (I) QM_IDLE  
*Mar 14 17:55:32.518: ISAKMP: set new node -1153272622 to QM_IDLE
*Mar 14 17:55:32.518: ISAKMP:(2003): processing HASH payload. message ID = -1153272622
*Mar 14 17:55:32.518: ISAKMP:(2003): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 4077110252, message ID = -1153272622, sa = 83D7DEDC
*Mar 14 17:55:32.518: ISAKMP:(2003): deleting spi 4077110252 message ID = 1265617136
*Mar 14 17:55:32.518: ISAKMP:(2003):deleting node 1265617136 error TRUE reason "Delete Larval"
*Mar 14 17:55:32.518: ISAKMP:(2003):deleting node -1153272622 error FALSE reason "Informational (in) state 1"
*Mar 14 17:55:32.518: ISAKMP:(2003):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 14 17:55:32.518: ISAKMP:(2003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar 14 17:55:52.524: ISAKMP:(2003):purging node -612884500
*Mar 14 17:55:52.528: ISAKMP:(2003):purging node 1091014559
*Mar 14 17:56:02.493: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 90.x, remote= 195.x8,
    local_proxy= 172.18.47.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4)
*Mar 14 17:56:12.619: ISAKMP:(2003):purging node 52740970
*Mar 14 17:56:22.520: ISAKMP:(2003):purging node 1265617136
*Mar 14 17:56:22.520: ISAKMP:(2003):purging node -1153272622
*Mar 14 17:56:22.604: ISAKMP (0:2003): received packet from 195.250.37.168 dport 500 sport 500 Global (I) QM_IDLE  
*Mar 14 17:56:22.604: ISAKMP: set new node -1254283385 to QM_IDLE
*Mar 14 17:56:22.608: ISAKMP:(2003): processing HASH payload. message ID = -1254283385
*Mar 14 17:56:22.608: ISAKMP:(2003): processing SA payload. message ID = -1254283385
*Mar 14 17:56:22.608: ISAKMP:(2003):Checking IPSec proposal 1
*Mar 14 17:56:22.608: ISAKMP: transform 1, ESP_AES
*Mar 14 17:56:22.608: ISAKMP:   attributes in transform:
*Mar 14 17:56:22.608: ISAKMP:      group is 2
*Mar 14 17:56:22.608: ISAKMP:      SA life type in seconds
*Mar 14 17:56:22.608: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Mar 14 17:56:22.608: ISAKMP:      authenticator is HMAC-SHA
*Mar 14 17:56:22.608: ISAKMP:      encaps is 1 (Tunnel)
*Mar 14 17:56:22.608: ISAKMP:      key length is 256
*Mar 14 17:56:22.608: ISAKMP:(2003):atts are acceptable.
*Mar 14 17:56:22.608: IPSEC(validate_proposal_request): proposal part #1
*Mar 14 17:56:22.608: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 90.x7, remote= 195x,
    local_proxy= 172.18.47.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.0.24.0/255.255.252.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Mar 14 17:56:22.608: Crypto mapdb : proxy_match
        src addr     : 172.18.47.0
        dst addr     : 10.0.24.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar 14 17:56:22.608: Crypto mapdb : proxy_match
        src addr     : 172.18.47.0
        dst addr     : 10.0.24.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar 14 17:56:22.608: map_db_find_best did not find matching map
*Mar 14 17:56:22.608: IPSEC(ipsec_process_proposal): proxy identities not supported
*Mar 14 17:56:22.608: ISAKMP:(2003): IPSec policy invalidated proposal with error 32
*Mar 14 17:56:22.608: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 90.156.23.17 remote 195.250.37.168)
*Mar 14 17:56:22.608: ISAKMP: set new node -1155097540 to QM_IDLE
*Mar 14 17:56:22.608: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2213199176, message ID = -1155097540
*Mar 14 17:56:22.612: ISAKMP:(2003): sending packet to 195.x my_port 500 peer_port 500 (I) QM_IDLE
*Mar 14 17:56:22.612: ISAKMP:(2003):Sending an IKE IPv4 Packet.
*Mar 14 17:56:22.612: ISAKMP:(2003):purging node -1155097540
*Mar 14 17:56:22.612: ISAKMP:(2003):deleting node -1254283385 error TRUE reason "QM rejected"
*Mar 14 17:56:22.612: ISAKMP:(2003):Node -1254283385, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 14 17:56:22.612: ISAKMP:(2003):Old State = IKE_QM_READY  New State = IKE_QM_READY

frontier · #7

umbro pisze:
frontier pisze:W Phase2 nie masz włączonego PFS.
A to nie jest to ?
Kod: Zaznacz cały
crypto map CMAP 10 ipsec-isakmp 
 set peer 195.x 
 set transform-set TS 
 set pfs group2  <<< ---- ??
 match address VPN-TRAFFIC 

Żonglujesz tymi konfigami że aż się pogubiłem

Teraz wklejasz jeszcze inny z innym transform-set...

Kod: Zaznacz cały

crypto ipsec transform-set TS esp-aes esp-sha-hmac 
crypto ipsec transform-set TS1 ah-sha-hmac esp-aes 256 
crypto ipsec transform-set TS2 esp-3des esp-sha-hmac 
! 
crypto map CMAP 10 ipsec-isakmp 
 set peer 195x 
 set transform-set TS 
 set pfs group2 
 match address VPN-TRAFFIC

Nie ma sensu dopisywać kolejnych transform set, brany jest pod uwagę tylko TS. Tak więc odpowiedź brzmi: masz zły transform set dobrany. Żaden z powyższych nie spełnia tego co chcesz osiągnąć. W pierwszym konfigu miałeś dobry...

umbro · #8

No właśnie też do tego doszedłem tylko, że nie bardzo wiem jaki transform-set mam ustawić dla moich potrzeb.Nie chce też strzelać na pałę i wolałbym zrozumieć co jest nie tak ;/

OK sprobuje uzyc z pierwszego konfiga.

umbro · #9

sukces, dziękuję Ci bardzo za pomoc !

umbro · #10

ok to może jeszcze jedno pytanko w tym wątku.
Mam taką sytuację, że za drugą stroną tunelu mam dodatkowy router, na którym przekierowałem sobie porty do lanu za nim.
Dokładnie przekierowałem port 40001.
Na port 80 adresu 172.28.31.200 , który natywnie sobie tam słucha mogę sie fajnie połączyć i wszystko fajnie bangla. Schody się zaczynają, gdy na routerze z 172.28.31.200 zaczynam sobie robić przekierowania portów do lanu za nim.

Przekierowanie działa na 100 % jednak niestety w tunelu już nie bardzo chce działać.
Router ma adres 172.28.31.200 , a za nim mam sieć 10.15.3.65/26
Zastanawiam się czy powinienem rozszerzyć tunel o tą sieć 10.15.3.65/26

Kod: Zaznacz cały

yourname#telnet 172.28.31.200 80 /source-interface vlan1
Trying 172.28.31.200, 80 ... Open

HTTP/1.0 400 Bad Request
Connection: close
Content-Length: 113
Date: Sun, 17 May 2015 11:07:29 GMT
Expires: 0

<html>
      <head><title>Error 400: Bad Request</title></head>
                                                        <body>
                                                              <h1>Error 400: Bad Request</h1>
                                                                                             </body>
                                                                                                    </html>

[Connection to 172.28.31.200 closed by foreign host]
yourname#telnet 172.28.31.200 40001 /source-interface vlan1
Trying 172.28.31.200, 40001 ...
% Connection timed out; remote host not responding

frontier · #11

umbro pisze:ok to może jeszcze jedno pytanko w tym wątku.
Mam taką sytuację, że za drugą stroną tunelu mam dodatkowy router, na którym przekierowałem sobie porty do lanu za nim.
Dokładnie przekierowałem port 40001.
Na port 80 adresu 172.28.31.200 , który natywnie sobie tam słucha mogę sie fajnie połączyć i wszystko fajnie bangla. Schody się zaczynają, gdy na routerze z 172.28.31.200 zaczynam sobie robić przekierowania portów do lanu za nim.

Przekierowanie działa na 100 % jednak niestety w tunelu już nie bardzo chce działać.
Router ma adres 172.28.31.200 , a za nim mam sieć 10.15.3.65/26
Zastanawiam się czy powinienem rozszerzyć tunel o tą sieć 10.15.3.65/26
Kod: Zaznacz cały
yourname#telnet 172.28.31.200 80 /source-interface vlan1
Trying 172.28.31.200, 80 ... Open

HTTP/1.0 400 Bad Request
Connection: close
Content-Length: 113
Date: Sun, 17 May 2015 11:07:29 GMT
Expires: 0

<html>
      <head><title>Error 400: Bad Request</title></head>
                                                        <body>
                                                              <h1>Error 400: Bad Request</h1>
                                                                                             </body>
                                                                                                    </html>

[Connection to 172.28.31.200 closed by foreign host]
yourname#telnet 172.28.31.200 40001 /source-interface vlan1
Trying 172.28.31.200, 40001 ...
% Connection timed out; remote host not responding

Czy router ma interfejs w sieci 10.15.3.65/26 ?

umbro · #12

Ten z którego zestawiłem połaczenie vpn do sieci, w której znajduje się router 172.28.31.200 nie ma takiego interfejsu.
Domyślam się, że pakiet, który wraca po takim przekierowaniu portu zawiera adres źrodłowy z sieci 10.15.3.65/26 i albo to w ogóle nie trafia w tunel albo coś nie wie jak odpowiedzieć ze względu na brak routingu.
Jeśli chodzi o router pod adresem 172.28.31.200 to na bank ma interfejs lezacy w sieci 10.15.3.65/26.

umbro · #13

Żeby uniknąć nieścisłości sieć mniej więcej wygląda tak

MojeCISCO----VPN Site to site---- (część sieci za którą nie odpowiadam) Routery, być może wiele---- Mój router 172.28.31.200 - mój lan 10.15.3.65/26