VPN pre-shared-key

Security problems (VPN, firewall, IDS/IPS etc.)

damiankga
fresh
Posts: 2
Registered: 09 Feb 2017, 10:38

#1 Post by damiankga »

Hello,
I have a Cisco ASA 5505 running ASA Version 7.2(3), which serves as the router at my workplace and handles the VPN connections to our branch offices.
I pulled the configuration from it and loaded it onto another device, a Cisco ASA 5505 running ASA Version 9.0(1).
After loading the configuration onto the new router, the network and internet access at my company work, but there is a problem with the VPN connections to the branches.
I looked at the configuration and the first thing that catches the eye is:

R1 old:

Code:

tunnel-group 88.77.222.111 type ipsec-l2l
tunnel-group 88.77.222.111 ipsec-attributes
 pre-shared-key jakieshaslo
tunnel-group 77.88.111.222 type ipsec-l2l
tunnel-group 77.88.111.222 ipsec-attributes
 pre-shared-key jakieshaslo

R2 new:

Code:

tunnel-group 88.77.222.111 type ipsec-l2l
tunnel-group 88.77.222.111 ipsec-attributes
 ikev1 pre-shared-key jakieshaslo
tunnel-group 77.88.111.222 type ipsec-l2l
tunnel-group 77.88.111.222 ipsec-attributes
 ikev1 pre-shared-key jakieshaslo

When it comes to Cisco I'm in the dark on this subject, and I would ask for help on how to change the configuration on the new router so as to get rid of "ikev1" in the new router's configuration, leaving only "pre-shared-key".

Regards

damiankga
fresh
Posts: 2
Registered: 09 Feb 2017, 10:38

#2 Post by damiankga »

R1 old:

Code:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.11.22 255.255.255.240 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 354TRe5dT.ttee encrypted
regex list1 "\.yahoo\.com"
regex list2 "nk\.pl"
regex list3 "youtube"
regex list4 "sex"
regex list5 "porn"
regex list6 "redtube"
regex list7 "fotka"
regex list8 "sympatia"
regex list9 "allegro\.pl"
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list BLOKS extended permit tcp any any eq www 
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.22.100.0 255.255.255.0 
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.250.101.0 255.255.255.0 
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 10.22.100.0 255.255.255.0 
access-list 190 extended permit ip 192.168.1.0 255.255.255.0 10.250.101.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 111.222.11.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MOJA esp-3des esp-sha-hmac 
crypto map toFilia 10 match address 100
crypto map toFilia 10 set peer 88.77.222.111 
crypto map toFilia 10 set transform-set MOJA
crypto map toFilia 11 match address 135
crypto map toFilia 11 set peer 77.88.111.222 
crypto map toFilia 11 set transform-set MOJA
crypto map toFilia interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
console timeout 0

!
class-map type regex match-any BLOKC
 match regex list1
 match regex list2
 match regex list3
 match regex list4
 match regex list5
 match regex list6
 match regex list7
 match regex list8
 match regex list9
class-map type inspect http match-all BLOKLIST
 match request header host regex class BLOKC
class-map BLOKHTTP
 match access-list BLOKS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http HTTP_INSPEKCJA
 parameters
 class BLOKLIST
  reset log
policy-map global_policy
 
policy-map WEWNETRZNA
 class BLOKHTTP
  inspect http HTTP_INSPEKCJA 
!
service-policy global_policy global
username ktos password opfdsfRT.RTuyEW encrypted
tunnel-group 88.77.222.111 type ipsec-l2l
tunnel-group 88.77.222.111 ipsec-attributes
 pre-shared-key jakieshaslo
tunnel-group 77.88.111.222 type ipsec-l2l
tunnel-group 77.88.111.222 ipsec-attributes
 pre-shared-key jakieshaslo
prompt hostname context 

R2 new:

Code:

passwd 354TRe5dT.ttee encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.11.22 255.255.255.240 
 ospf cost 10
!
regex list1 "\.yahoo\.com"
regex list2 "nk\.pl"
regex list3 "youtube"
regex list4 "sex"
regex list5 "porn"
regex list6 "redtube"
regex list7 "fotka"
regex list8 "sympatia"
regex list9 "allegro\.pl"
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list BLOKS extended permit tcp any any eq www 
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.22.100.0 255.255.255.0 
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.250.101.0 255.255.255.0 
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 10.22.100.0 255.255.255.0 
access-list 190 extended permit ip 192.168.1.0 255.255.255.0 10.250.101.0 255.255.255.0 

pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 111.222.11.21 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set MOJA esp-3des esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map toFilia 10 match address 100
crypto map toFilia 10 set peer 88.77.222.111  
crypto map toFilia 10 set ikev1 transform-set MOJA
crypto map toFilia 11 match address 135
crypto map toFilia 11 set peer 77.88.111.222 
crypto map toFilia 11 set ikev1 transform-set MOJA
crypto map toFilia interface outside
crypto ca trustpool policy
crypto isakmp identity address 
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5

console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec ssl-clientless
username ktos password opfdsfRT.RTuyEW encrypted
tunnel-group 88.77.222.111 type ipsec-l2l
tunnel-group 88.77.222.111 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 77.88.111.222 type ipsec-l2l
tunnel-group 77.88.111.222 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map type regex match-any BLOKC
 match regex list1
 match regex list2
 match regex list3
 match regex list4
 match regex list5
 match regex list6
 match regex list7
 match regex list8
 match regex list9
class-map type inspect http match-all BLOKLIST
 match request header host regex class BLOKC
class-map BLOKHTTP
 match access-list BLOKS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http HTTP_INSPEKCJA
 parameters
 class BLOKLIST
  reset log
policy-map global_policy

policy-map WEWNETRZNA
 class BLOKHTTP
  inspect http HTTP_INSPEKCJA 
!
service-policy global_policy global
prompt hostname context 

I haven't run any debugging.
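As an added example (it is not part of the thread and not the poster's own code), here is a small Python checker that parses the site-to-site pieces of an ASA configuration dump and reports cross-references that do not resolve. The embedded SAMPLE_CONFIG is a constructed excerpt modelled on the R2 configuration quoted above, with the same placeholder addresses and names; the functions parse_asa and check_l2l are this example's own. Run over that excerpt it flags that crypto map entry 11 matches address 135 while no access-list named 135 is defined (an inconsistency visible in both configurations quoted in the thread, so it predates the migration), and it reports whether each tunnel-group's key is written in the pre-8.4 `pre-shared-key` form or the 8.4+ `ikev1 pre-shared-key` form that the new device shows.

```python
"""Sanity-check the IKEv1 site-to-site pieces of a Cisco ASA running-config.

Added example, not code from the forum post. SAMPLE_CONFIG is a constructed
excerpt modelled on the thread; addresses and names are placeholders.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.22.100.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 10.22.100.0 255.255.255.0
access-list 190 extended permit ip 192.168.1.0 255.255.255.0 10.250.101.0 255.255.255.0
crypto ipsec ikev1 transform-set MOJA esp-3des esp-sha-hmac
crypto map toFilia 10 match address 100
crypto map toFilia 10 set peer 88.77.222.111
crypto map toFilia 10 set ikev1 transform-set MOJA
crypto map toFilia 11 match address 135
crypto map toFilia 11 set peer 77.88.111.222
crypto map toFilia 11 set ikev1 transform-set MOJA
crypto map toFilia interface outside
crypto ikev1 enable outside
tunnel-group 88.77.222.111 type ipsec-l2l
tunnel-group 88.77.222.111 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 77.88.111.222 type ipsec-l2l
tunnel-group 77.88.111.222 ipsec-attributes
 ikev1 pre-shared-key *****
"""


def parse_asa(text):
    """Extract ACL names, transform-sets, crypto map entries, interfaces with
    IKEv1/ISAKMP enabled and the pre-shared-key form of each tunnel-group."""
    acls, tsets, ikev1_ifaces = set(), set(), set()
    cmap = defaultdict(dict)   # (map name, seq) -> {"match": acl, "peer": ip, "tset": name}
    psk = {}                   # tunnel-group name -> "ikev1" (8.4+ syntax) or "legacy"
    current_tg = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")   # sub-mode lines are indented in show run
        line = raw.strip()
        if not indented:
            current_tg = None            # any top-level command leaves ipsec-attributes mode
        m = re.match(r"access-list (\S+) ", line)
        if m:
            acls.add(m.group(1)); continue
        m = re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+)", line)
        if m:
            tsets.add(m.group(1)); continue
        m = re.match(r"crypto (?:ikev1|isakmp) enable (\S+)", line)
        if m:
            ikev1_ifaces.add(m.group(1)); continue
        m = re.match(r"crypto map (\S+) (\d+) (match address|set peer|set (?:ikev1 )?transform-set) (\S+)", line)
        if m:
            name, seq, kind, val = m.groups()
            key = {"match address": "match", "set peer": "peer"}.get(kind, "tset")
            cmap[(name, int(seq))][key] = val; continue
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            current_tg = m.group(1); continue
        if indented and current_tg:
            if line.startswith("ikev1 pre-shared-key"):
                psk[current_tg] = "ikev1"
            elif line.startswith("pre-shared-key"):
                psk[current_tg] = "legacy"
    return {"acls": acls, "tsets": tsets, "ikev1_ifaces": ikev1_ifaces,
            "cmap": dict(cmap), "psk": psk}


def check_l2l(parsed):
    """Return (severity, message) findings for the site-to-site crypto setup."""
    findings = []
    if not parsed["ikev1_ifaces"]:
        findings.append(("error", "IKEv1/ISAKMP is not enabled on any interface"))
    for (name, seq), entry in sorted(parsed["cmap"].items()):
        where = f"crypto map {name} {seq}"
        acl = entry.get("match")
        if acl and acl not in parsed["acls"]:
            findings.append(("error", f"{where} matches ACL {acl}, which is not defined"))
        tset = entry.get("tset")
        if tset and tset not in parsed["tsets"]:
            findings.append(("error", f"{where} uses undefined transform-set {tset}"))
        peer = entry.get("peer")
        if peer is None:
            findings.append(("error", f"{where} has no peer"))
        elif peer not in parsed["psk"]:
            findings.append(("error", f"{where} peer {peer} has no tunnel-group with a pre-shared key"))
        elif parsed["psk"][peer] == "legacy":
            findings.append(("info", f"tunnel-group {peer} uses pre-8.4 'pre-shared-key' syntax; "
                                     "8.4+ writes it as 'ikev1 pre-shared-key'"))
    return findings


if __name__ == "__main__":
    for sev, msg in check_l2l(parse_asa(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
```

The checker only reads the config text, so it can be run against a saved `show running-config` from each device and the two reports compared side by side; the `ikev1` keyword itself is reported as informational, since on 8.4+ it is the form the device writes, while a crypto map entry pointing at a missing ACL is an error on either version.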