  1. #1
    Beginner
    Registered: 10 May 2005
    Posts: 4
    Thanks given: 1
    Thanked: 2 times in 1 post

    Site-to-site VPN between Cisco routers

    I am trying to configure a site-to-site VPN between a Cisco 877 and a Cisco 831, but it does not work at all. When I turn on debugging, nothing happens after pinging either. The only way to get any form of debugging on my screen is when I work with peer discovery.

    My isakmp and ipsec configurations look OK; they are exactly the same and the network addresses are mirrored, so that looks OK too. It must be a small mistake, I think, but with big consequences :-)

    I work with dynamic IPs and I use DDNS via DynDNS to get updates so that I can work with my dynamic IPs. In the debugging of my DDNS update I see that everything works, so that cannot be the problem.

    This is the config file of the 877: (I left out the Firewall-ACL and the CBAC firewall on both routers)

    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname HAL9000
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$sxtQ$95e/NNSsRTqYMZW6skGQk1
    !
    no aaa new-model
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1 10.10.10.5
    !
    ip dhcp pool BUITENNETWERK
    network 10.10.10.0 255.255.255.0
    domain-name buitenomgeving.com
    dns-server 195.130.131.5 4.2.2.1
    default-router 10.10.10.1 255.255.255.0
    !
    !
    ip name-server 4.2.2.1
    ip ssh version 2
    ip inspect name Firewall tcp
    ip inspect name Firewall udp
    ip inspect name Firewall icmp
    ip inspect name Firewall cuseeme
    ip inspect name Firewall rcmd
    ip inspect name Firewall http
    ip inspect name Firewall tftp
    ip inspect name Firewall ftp
    ip inspect name Firewall realaudio
    ip inspect name Firewall h323
    ip inspect name Firewall ddns-v3
    ip inspect name Firewall dns
    ip ddns update method DynDNS
    HTTP
    add http://xxxxx:xxxxx.dyndns.org/nic/up...dojo.com&myip=
    interval maximum 1 0 0 0
    !
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    username AdminDomi82 privilege 15 secret 5 $1$zlCe$MaYBbz1HKVj/mo/C/zR5t/
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key testsleutel address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
    !
    crypto dynamic-map 877-VPN 1
    set peer 94.224.180.199
    set transform-set SET1
    set pfs group2
    match address VPN-ACL
    !
    !
    crypto map VPN 1 ipsec-isakmp dynamic 877-VPN discover
    !
    !
    !
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.252
    !
    interface ATM0
    no ip address
    shutdown
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    switchport access vlan 4
    !
    interface Vlan1
    ip address 10.10.10.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip policy route-map geen-NAT-LAN
    !
    interface Vlan4
    description WAN interface via DHCP van ISP
    ip ddns update hostname cisco1.dnsdojo.com
    ip ddns update DynDNS host members.dyndns.org
    ip address dhcp
    ip access-group Firewall-ACL in
    ip nat outside
    ip virtual-reassembly
    crypto map VPN
    !
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source route-map geen-NAT interface Vlan4 overload
    !
    ip access-list extended NAT
    deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.0.255
    permit ip 10.10.10.0 0.0.0.255 any
    ip access-list extended VPN-ACL
    permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.0.255
    ip access-list extended geen-NAT-LAN-ACL
    permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.0.255
    !
    !
    !
    !
    route-map geen-NAT-LAN permit 10
    match ip address geen-NAT-LAN
    set interface Loopback0
    !
    route-map geen-NAT permit 10
    match ip address NAT
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 300 0
    no modem enable
    line aux 0
    line vty 0 4
    exec-timeout 300 0
    login local
    transport input ssh
    !
    scheduler max-task-time 5000
    end



    This is the config file of the 831:

    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname ROUTER2
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$v7to$S36tPkRIhKW3UH0JuaISS/
    !
    no aaa new-model
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.0.1 172.16.0.5
    !
    ip dhcp pool NETWERK
    network 172.16.0.0 255.255.255.0
    domain-name testomgeving.com
    default-router 172.16.0.1 255.255.255.0
    dns-server 195.130.131.5 4.2.2.1
    lease 0 12
    !
    !
    ip cef
    ip name-server 195.130.131.5
    ip name-server 4.2.2.1
    ip inspect name Firewall tcp
    ip inspect name Firewall udp
    ip inspect name Firewall icmp
    ip inspect name Firewall cuseeme
    ip inspect name Firewall rcmd
    ip inspect name Firewall http
    ip inspect name Firewall tftp
    ip inspect name Firewall ftp
    ip inspect name Firewall realaudio
    ip inspect name Firewall h323
    ip inspect name Firewall ddns-v3
    ip inspect name Firewall dns
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip ddns update method DynDNS
    HTTP
    add http://xxxxx:xxxxx@members.dyndns.or...dojo.com&myip=
    interval maximum 1 0 0 0
    !
    !
    !
    !
    username AdminDomi82 privilege 15 secret 5 $1$8jQO$U73H4J0UMDVWfst.hIBqd/
    !
    !
    ip ssh version 2
    !
    !
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key testsleutel address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
    !
    crypto dynamic-map 831-VPN 1
    set peer 94.224.180.207
    set transform-set SET1
    set pfs group2
    match address VPN-ACL
    !
    !
    crypto map VPN 1 ipsec-isakmp dynamic 831-VPN discover
    !
    !
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.252
    !
    interface Ethernet0
    ip address 172.16.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip policy route-map geen-NAT-LAN
    !
    interface Ethernet1
    ip ddns update hostname cisco2.dnsdojo.com
    ip ddns update DynDNS host members.dyndns.org
    ip address dhcp
    ip access-group Firewall-ACL in
    ip nat outside
    ip virtual-reassembly
    duplex auto
    crypto map VPN
    !
    interface Ethernet2
    no ip address
    shutdown
    !
    interface FastEthernet1
    duplex auto
    speed auto
    !
    interface FastEthernet2
    duplex auto
    speed auto
    !
    interface FastEthernet3
    duplex auto
    speed auto
    !
    interface FastEthernet4
    duplex auto
    speed auto
    !
    ip forward-protocol nd
    !
    ip http server
    no ip http secure-server
    !
    ip nat inside source route-map geen-NAT interface Ethernet1 overload
    !
    !
    ip access-list extended NAT
    deny ip 172.16.0.0 0.0.0.255 10.10.10.0 0.0.0.255
    permit ip 172.16.0.0 0.0.0.255 any
    ip access-list extended VPN-ACL
    permit ip 172.16.0.0 0.0.0.255 10.10.10.0 0.0.0.255
    ip access-list extended geen-NAT-LAN-ACL
    permit ip 172.16.0.0 0.0.0.255 10.10.10.0 0.0.0.255
    !
    route-map geen-NAT-LAN permit 10
    match ip address geen-NAT-LAN-ACL
    set default interface Loopback0
    !
    route-map geen-NAT permit 10
    match ip address NAT
    !
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 300 0
    no modem enable
    line aux 0
    line vty 0 4
    exec-timeout 300 0
    password juno
    login local
    transport input ssh
    !
    scheduler max-task-time 5000
    end

    This is the debugging I get on the 877 after trying to ping the host on the 831:
    I notice that this is outbound and that transform says NONE??

    Mar 20 11:42:11.071: IPSEC(sa_request): ,
    (key eng. msg.) OUTBOUND local= 10.10.10.7, remote= 172.16.0.2,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 94.224.180.199/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 dest=Vlan4 94.224.180.1
    Mar 20 11:42:11.071: ISAKMP: GOT A PEER DISCOVERY MESSAGE FROM THE SA MANAGER!!!
    Mar 20 11:42:11.071: src = 10.10.10.7 to 172.16.0.2
    Mar 20 11:42:11.071: proxy source is 10.10.10.0/255.255.255.0 and my address (not used now) is 94.224.180.199
    Mar 20 11:42:11.071: ISAKMP:(0): SA request profile is (NULL)
    Mar 20 11:42:11.071: ISAKMP: Created a peer struct for 172.16.0.2, peer port 500
    Mar 20 11:42:11.071: ISAKMP: New peer created peer = 0x83CB28D8 peer_handle = 0x80000008
    Mar 20 11:42:11.071: ISAKMP: Locking peer struct 0x83CB28D8, refcount 1 for isakmp_initiator
    Mar 20 11:42:11.071: ISAKMP: local port 500, remote port 500
    Mar 20 11:42:11.071: ISAKMP: set new node 0 to QM_IDLE
    Mar 20 11:42:11.071: insert sa successfully sa = 83F80CA4
    Mar 20 11:42:11.071: ISAKMP:(0):SA is doing unknown authentication!
    Mar 20 11:42:11.071: ISAKMP (0:0): ID payload
    next-payload : 5
    type : 1
    address : 94.224.180.199
    protocol : 17
    port : 500
    length : 12
    Mar 20 11:42:11.075: ISAKMP:(0):Total payload length: 12
    Mar 20 11:42:11.075: 1st ID is 94.224.180.199
    Mar 20 11:42:11.075: 2nd ID is 10.10.10.0 255.255.255.0
    Mar 20 11:42:11.075: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_TED_REQ
    Mar 20 11:42:11.075: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_TED_RESP

    Mar 20 11:42:11.075: ISAKMP:(0): beginning peer discovery exchange
    Mar 20 11:42:11.075: ISAKMP:(0): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) PEER_DISCOVERY via Vlan4:94.224.180.1
    Mar 20 11:43:26.071: ISAKMP: quick mode timer expired.
    Mar 20 11:43:26.071: ISAKMP:(0):src 10.10.10.7 dst 172.16.0.2, SA is not authenticated
    Mar 20 11:43:26.071: ISAKMP:(0):peer does not do paranoid keepalives.

    Mar 20 11:43:26.071: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) PEER_DISCOVERY (peer 172.16.0.2)
    Mar 20 11:43:26.071: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) PEER_DISCOVERY (peer 172.16.0.2)
    Mar 20 11:43:26.071: ISAKMP: Unlocking peer struct 0x83CB28D8 for isadb_mark_sa_deleted(), count 0
    Mar 20 11:43:26.071: ISAKMP: Deleting peer node by peer_reap for 172.16.0.2: 83CB28D8
    Mar 20 11:43:26.071: ISAKMP:(0):deleting node 0 error FALSE reason "IKE deleted"
    Mar 20 11:43:26.071: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Mar 20 11:43:26.071: ISAKMP:(0):Old State = IKE_I_TED_RESP New State = IKE_DEST_SA

    Mar 20 11:43:26.071: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    Mar 20 11:44:16.071: ISAKMP:(0):purging node 0
    Mar 20 11:44:26.071: ISAKMP:(0):purging SA., sa=83F80CA4, delme=83F80CA4


    Finally, the debugging on the 831 when I ping the host on the 877:
    I notice that here it is inbound and that the transform-set is specified here.

    Mar 20 11:37:55.203: IPSEC(tunnel discover request): ,
    (key eng. msg.) INBOUND local= 172.16.0.2, remote= 10.10.10.7,
    local_proxy= 172.16.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 94.224.180.207/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4003 dest=Ethernet1 94.224.180.1
    Mar 20 11:37:55.207: ISAKMP: received ke message (1/1)
    Mar 20 11:37:55.207: ISAKMP: GOT A PEER DISCOVERY MESSAGE FROM THE SA MANAGER!!!
    Mar 20 11:37:55.207: src = 172.16.0.2 to 10.10.10.7, protocol 3, transform 3, hmac 1
    Mar 20 11:37:55.207: proxy source is 172.16.0.0/255.255.255.0 and my address (not used now) is 94.224.180.207
    Mar 20 11:37:55.207: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
    Mar 20 11:37:55.207: ISAKMP: Created a peer struct for 10.10.10.7, peer port 500
    Mar 20 11:37:55.211: ISAKMP: New peer created peer = 0x82237AAC peer_handle = 0x80000008
    Mar 20 11:37:55.211: ISAKMP: Locking peer struct 0x82237AAC, IKE refcount 1 for isakmp_initiator
    Mar 20 11:37:55.211: ISAKMP: local port 500, remote port 500
    Mar 20 11:37:55.211: ISAKMP: set new node 0 to QM_IDLE
    Mar 20 11:37:55.211: insert sa successfully sa = 8201104C
    Mar 20 11:37:55.211: ISAKMP:(0:0:N/A:0):SA is doing unknown authentication!
    Mar 20 11:37:55.215: ISAKMP (0:0): ID payload
    next-payload : 5
    type : 1
    address : 94.224.180.207
    protocol : 17
    port : 500
    length : 12
    Mar 20 11:37:55.215: ISAKMP:(0:0:N/A:0):Total payload length: 12
    Mar 20 11:37:55.215: 1st ID is 94.224.180.207
    Mar 20 11:37:55.215: 2nd ID is 172.16.0.0/255.255.255.0
    Mar 20 11:37:55.215: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_TED_REQ
    Mar 20 11:37:55.215: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_TED_RESP

    Mar 20 11:37:55.219: ISAKMP:(0:0:N/A:0): beginning peer discovery exchange
    Mar 20 11:37:55.219: ISAKMP:(0:0:N/A:0): sending packet to 10.10.10.7 my_port 500 peer_port 500 (I) PEER_DISCOVERY via Ethernet1:94.224.180.1
    Mar 20 11:39:10.211: ISAKMP: quick mode timer expired.
    Mar 20 11:39:10.211: ISAKMP:(0:0:N/A:0):src 172.16.0.2 dst 10.10.10.7, SA is not authenticated
    Mar 20 11:39:10.211: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

    Mar 20 11:39:10.211: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) PEER_DISCOVERY (peer 10.10.10.7)
    Mar 20 11:39:10.211: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat outgoing_active since it's already 0.
    Mar 20 11:39:10.215: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) PEER_DISCOVERY (peer 10.10.10.7)
    Mar 20 11:39:10.215: ISAKMP: Unlocking IKE struct 0x82237AAC for isadb_mark_sa_deleted(), count 0
    Mar 20 11:39:10.215: ISAKMP: Deleting peer node by peer_reap for 10.10.10.7: 82237AAC
    Mar 20 11:39:10.215: ISAKMP:(0:0:N/A:0):deleting node 0 error FALSE reason "IKE deleted"
    Mar 20 11:39:10.219: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Mar 20 11:39:10.219: ISAKMP:(0:0:N/A:0):Old State = IKE_I_TED_RESP New State = IKE_DEST_SA

    Mar 20 11:39:10.219: IPSEC(key_engine): got a queue event with 1 kei messages
    Mar 20 11:40:00.215: ISAKMP:(0:0:N/A:0):purging node 0


    I hope someone can help me with this, because I really do not know anymore.

    kind regards
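An added consistency check, not part of the thread, that reads the values posted above: it compares each router's `set peer` address with the public address the router prints for itself in the `my address (not used now)` debug line, and checks that the two VPN-ACLs are mirror images of each other. The excerpts are constructed from the configs and debug output in the post.

```python
import re

# Constructed excerpts: names and addresses are copied from the two configs
# and the two debug outputs posted in the thread above.
CFG_877 = """\
crypto dynamic-map 877-VPN 1
 set peer 94.224.180.199
crypto map VPN 1 ipsec-isakmp dynamic 877-VPN discover
ip access-list extended VPN-ACL
 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.0.255
"""
CFG_831 = """\
crypto dynamic-map 831-VPN 1
 set peer 94.224.180.207
crypto map VPN 1 ipsec-isakmp dynamic 831-VPN discover
ip access-list extended VPN-ACL
 permit ip 172.16.0.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
DBG_877 = "Mar 20 11:42:11.071: proxy source is 10.10.10.0/255.255.255.0 and my address (not used now) is 94.224.180.199"
DBG_831 = "Mar 20 11:37:55.207: proxy source is 172.16.0.0/255.255.255.0 and my address (not used now) is 94.224.180.207"

def own_address(debug):
    """Public address the router prints for itself in the ISAKMP peer-discovery debug."""
    m = re.search(r"my address \(not used now\) is (\S+)", debug)
    return m.group(1) if m else None

def configured_peers(config):
    """All 'set peer' addresses found in the crypto map entries."""
    return set(re.findall(r"^\s*set peer (\S+)", config, re.M))

def crypto_acl(config, name="VPN-ACL"):
    """(source, destination) pairs permitted in the named ACL, each as 'net wildcard'."""
    block = re.search(rf"^ip access-list extended {name}\n((?:[ \t].*\n)*)", config, re.M)
    return set(re.findall(r"permit ip (\S+ \S+) (\S+ \S+)", block.group(1))) if block else set()

def check_pair(cfg_a, dbg_a, cfg_b, dbg_b):
    """Compare the two sides and return human-readable findings."""
    findings = []
    for side, cfg, dbg in (("A", cfg_a, dbg_a), ("B", cfg_b, dbg_b)):
        if own_address(dbg) in configured_peers(cfg):
            findings.append(f"{side}: 'set peer' equals this router's own public address")
    # The crypto ACL on B must be the mirror image (src/dst swapped) of the one on A.
    if {(d, s) for s, d in crypto_acl(cfg_a)} != crypto_acl(cfg_b):
        findings.append("crypto ACLs are not mirror images of each other")
    return findings

if __name__ == "__main__":
    for line in check_pair(CFG_877, DBG_877, CFG_831, DBG_831):
        print(line)
```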

  2. #2
    Beginner
    Registered: 10 May 2005
    Posts: 4
    Thanks given: 1
    Thanked: 2 times in 1 post
    This one can be closed, I was able to solve it.

  3. The following 2 users thank Spartan 117 for this useful post:

    peenif (26 March 2010), PeterN (4 April 2010)
