I am trying to configure a site-to-site VPN between a Cisco 877 and a Cisco 831, but it does not work at all. When I turn on debugging, nothing happens after pinging either. The only way to get any form of debugging on my screen is when I work with peer discovery.
My ISAKMP and IPsec configurations look OK; they are exactly the same and the network addresses are mirrored, so that looks OK too. It must be a small mistake, I think, but with big consequences :-)
I am working with dynamic IPs and I use DDNS via DynDNS to get updates so that I can work with my dynamic IPs. In the debugging of my DDNS update I see that everything works, so it cannot be that.
This is the config file of the 877 (I left the Firewall-ACL and the CBAC firewall out on both routers):
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HAL9000
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$sxtQ$95e/NNSsRTqYMZW6skGQk1
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.5
!
ip dhcp pool BUITENNETWERK
network 10.10.10.0 255.255.255.0
domain-name buitenomgeving.com
dns-server 195.130.131.5 4.2.2.1
default-router 10.10.10.1 255.255.255.0
!
!
ip name-server 4.2.2.1
ip ssh version 2
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall icmp
ip inspect name Firewall cuseeme
ip inspect name Firewall rcmd
ip inspect name Firewall http
ip inspect name Firewall tftp
ip inspect name Firewall ftp
ip inspect name Firewall realaudio
ip inspect name Firewall h323
ip inspect name Firewall ddns-v3
ip inspect name Firewall dns
ip ddns update method DynDNS
HTTP
add http://xxxxx:xxxxx.dyndns.org/nic/up...dojo.com&myip=
interval maximum 1 0 0 0
!
!
multilink bundle-name authenticated
!
!
!
!
username AdminDomi82 privilege 15 secret 5 $1$zlCe$MaYBbz1HKVj/mo/C/zR5t/
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key testsleutel address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
!
crypto dynamic-map 877-VPN 1
set peer 94.224.180.199
set transform-set SET1
set pfs group2
match address VPN-ACL
!
!
crypto map VPN 1 ipsec-isakmp dynamic 877-VPN discover
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.252
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 4
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map geen-NAT-LAN
!
interface Vlan4
description WAN interface via DHCP van ISP
ip ddns update hostname cisco1.dnsdojo.com
ip ddns update DynDNS host members.dyndns.org
ip address dhcp
ip access-group Firewall-ACL in
ip nat outside
ip virtual-reassembly
crypto map VPN
!
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map geen-NAT interface Vlan4 overload
!
ip access-list extended NAT
deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.0.255
ip access-list extended geen-NAT-LAN-ACL
permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.0.255
!
!
!
!
route-map geen-NAT-LAN permit 10
match ip address geen-NAT-LAN
set interface Loopback0
!
route-map geen-NAT permit 10
match ip address NAT
!
!
control-plane
!
!
line con 0
exec-timeout 300 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 300 0
login local
transport input ssh
!
scheduler max-task-time 5000
end
This is the config file of the 831:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$v7to$S36tPkRIhKW3UH0JuaISS/
!
no aaa new-model
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.1 172.16.0.5
!
ip dhcp pool NETWERK
network 172.16.0.0 255.255.255.0
domain-name testomgeving.com
default-router 172.16.0.1 255.255.255.0
dns-server 195.130.131.5 4.2.2.1
lease 0 12
!
!
ip cef
ip name-server 195.130.131.5
ip name-server 4.2.2.1
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall icmp
ip inspect name Firewall cuseeme
ip inspect name Firewall rcmd
ip inspect name Firewall http
ip inspect name Firewall tftp
ip inspect name Firewall ftp
ip inspect name Firewall realaudio
ip inspect name Firewall h323
ip inspect name Firewall ddns-v3
ip inspect name Firewall dns
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ddns update method DynDNS
HTTP
add http://xxxxx:xxxxx@members.dyndns.or...dojo.com&myip=
interval maximum 1 0 0 0
!
!
!
!
username AdminDomi82 privilege 15 secret 5 $1$8jQO$U73H4J0UMDVWfst.hIBqd/
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key testsleutel address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
!
crypto dynamic-map 831-VPN 1
set peer 94.224.180.207
set transform-set SET1
set pfs group2
match address VPN-ACL
!
!
crypto map VPN 1 ipsec-isakmp dynamic 831-VPN discover
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map geen-NAT-LAN
!
interface Ethernet1
ip ddns update hostname cisco2.dnsdojo.com
ip ddns update DynDNS host members.dyndns.org
ip address dhcp
ip access-group Firewall-ACL in
ip nat outside
ip virtual-reassembly
duplex auto
crypto map VPN
!
interface Ethernet2
no ip address
shutdown
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source route-map geen-NAT interface Ethernet1 overload
!
!
ip access-list extended NAT
deny ip 172.16.0.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 172.16.0.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 172.16.0.0 0.0.0.255 10.10.10.0 0.0.0.255
ip access-list extended geen-NAT-LAN-ACL
permit ip 172.16.0.0 0.0.0.255 10.10.10.0 0.0.0.255
!
route-map geen-NAT-LAN permit 10
match ip address geen-NAT-LAN-ACL
set default interface Loopback0
!
route-map geen-NAT permit 10
match ip address NAT
!
!
!
control-plane
!
!
line con 0
exec-timeout 300 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 300 0
password juno
login local
transport input ssh
!
scheduler max-task-time 5000
end
This is the debugging I get on the 877 after trying to ping the host on the 831:
I notice that this one is OUTBOUND and that transform says NONE??
Mar 20 11:42:11.071: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.10.10.7, remote= 172.16.0.2,
local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 94.224.180.199/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 dest=Vlan4 94.224.180.1
Mar 20 11:42:11.071: ISAKMP: GOT A PEER DISCOVERY MESSAGE FROM THE SA MANAGER!!!
Mar 20 11:42:11.071: src = 10.10.10.7 to 172.16.0.2
Mar 20 11:42:11.071: proxy source is 10.10.10.0/255.255.255.0 and my address (not used now) is 94.224.180.199
Mar 20 11:42:11.071: ISAKMP:(0): SA request profile is (NULL)
Mar 20 11:42:11.071: ISAKMP: Created a peer struct for 172.16.0.2, peer port 500
Mar 20 11:42:11.071: ISAKMP: New peer created peer = 0x83CB28D8 peer_handle = 0x80000008
Mar 20 11:42:11.071: ISAKMP: Locking peer struct 0x83CB28D8, refcount 1 for isakmp_initiator
Mar 20 11:42:11.071: ISAKMP: local port 500, remote port 500
Mar 20 11:42:11.071: ISAKMP: set new node 0 to QM_IDLE
Mar 20 11:42:11.071: insert sa successfully sa = 83F80CA4
Mar 20 11:42:11.071: ISAKMP:(0):SA is doing unknown authentication!
Mar 20 11:42:11.071: ISAKMP (0:0): ID payload
next-payload : 5
type : 1
address : 94.224.180.199
protocol : 17
port : 500
length : 12
Mar 20 11:42:11.075: ISAKMP:(0):Total payload length: 12
Mar 20 11:42:11.075: 1st ID is 94.224.180.199
Mar 20 11:42:11.075: 2nd ID is 10.10.10.0 255.255.255.0
Mar 20 11:42:11.075: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_TED_REQ
Mar 20 11:42:11.075: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_TED_RESP
Mar 20 11:42:11.075: ISAKMP:(0): beginning peer discovery exchange
Mar 20 11:42:11.075: ISAKMP:(0): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) PEER_DISCOVERY via Vlan4:94.224.180.1
Mar 20 11:43:26.071: ISAKMP: quick mode timer expired.
Mar 20 11:43:26.071: ISAKMP:(0):src 10.10.10.7 dst 172.16.0.2, SA is not authenticated
Mar 20 11:43:26.071: ISAKMP:(0):peer does not do paranoid keepalives.
Mar 20 11:43:26.071: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) PEER_DISCOVERY (peer 172.16.0.2)
Mar 20 11:43:26.071: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) PEER_DISCOVERY (peer 172.16.0.2)
Mar 20 11:43:26.071: ISAKMP: Unlocking peer struct 0x83CB28D8 for isadb_mark_sa_deleted(), count 0
Mar 20 11:43:26.071: ISAKMP: Deleting peer node by peer_reap for 172.16.0.2: 83CB28D8
Mar 20 11:43:26.071: ISAKMP:(0):deleting node 0 error FALSE reason "IKE deleted"
Mar 20 11:43:26.071: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 20 11:43:26.071: ISAKMP:(0):Old State = IKE_I_TED_RESP New State = IKE_DEST_SA
Mar 20 11:43:26.071: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 20 11:44:16.071: ISAKMP:(0):purging node 0
Mar 20 11:44:26.071: ISAKMP:(0):purging SA., sa=83F80CA4, delme=83F80CA4
Finally, the debugging on the 831 when I ping the host on the 877:
I notice that this one is INBOUND here and that the transform set is specified here.
Mar 20 11:37:55.203: IPSEC(tunnel discover request): ,
(key eng. msg.) INBOUND local= 172.16.0.2, remote= 10.10.10.7,
local_proxy= 172.16.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 94.224.180.207/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4003 dest=Ethernet1 94.224.180.1
Mar 20 11:37:55.207: ISAKMP: received ke message (1/1)
Mar 20 11:37:55.207: ISAKMP: GOT A PEER DISCOVERY MESSAGE FROM THE SA MANAGER!!!
Mar 20 11:37:55.207: src = 172.16.0.2 to 10.10.10.7, protocol 3, transform 3, hmac 1
Mar 20 11:37:55.207: proxy source is 172.16.0.0/255.255.255.0 and my address (not used now) is 94.224.180.207
Mar 20 11:37:55.207: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Mar 20 11:37:55.207: ISAKMP: Created a peer struct for 10.10.10.7, peer port 500
Mar 20 11:37:55.211: ISAKMP: New peer created peer = 0x82237AAC peer_handle = 0x80000008
Mar 20 11:37:55.211: ISAKMP: Locking peer struct 0x82237AAC, IKE refcount 1 for isakmp_initiator
Mar 20 11:37:55.211: ISAKMP: local port 500, remote port 500
Mar 20 11:37:55.211: ISAKMP: set new node 0 to QM_IDLE
Mar 20 11:37:55.211: insert sa successfully sa = 8201104C
Mar 20 11:37:55.211: ISAKMP:(0:0:N/A:0):SA is doing unknown authentication!
Mar 20 11:37:55.215: ISAKMP (0:0): ID payload
next-payload : 5
type : 1
address : 94.224.180.207
protocol : 17
port : 500
length : 12
Mar 20 11:37:55.215: ISAKMP:(0:0:N/A:0):Total payload length: 12
Mar 20 11:37:55.215: 1st ID is 94.224.180.207
Mar 20 11:37:55.215: 2nd ID is 172.16.0.0/255.255.255.0
Mar 20 11:37:55.215: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_TED_REQ
Mar 20 11:37:55.215: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_TED_RESP
Mar 20 11:37:55.219: ISAKMP:(0:0:N/A:0): beginning peer discovery exchange
Mar 20 11:37:55.219: ISAKMP:(0:0:N/A:0): sending packet to 10.10.10.7 my_port 500 peer_port 500 (I) PEER_DISCOVERY via Ethernet1:94.224.180.1
Mar 20 11:39:10.211: ISAKMP: quick mode timer expired.
Mar 20 11:39:10.211: ISAKMP:(0:0:N/A:0):src 172.16.0.2 dst 10.10.10.7, SA is not authenticated
Mar 20 11:39:10.211: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
Mar 20 11:39:10.211: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) PEER_DISCOVERY (peer 10.10.10.7)
Mar 20 11:39:10.211: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat outgoing_active since it's already 0.
Mar 20 11:39:10.215: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) PEER_DISCOVERY (peer 10.10.10.7)
Mar 20 11:39:10.215: ISAKMP: Unlocking IKE struct 0x82237AAC for isadb_mark_sa_deleted(), count 0
Mar 20 11:39:10.215: ISAKMP: Deleting peer node by peer_reap for 10.10.10.7: 82237AAC
Mar 20 11:39:10.215: ISAKMP:(0:0:N/A:0):deleting node 0 error FALSE reason "IKE deleted"
Mar 20 11:39:10.219: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 20 11:39:10.219: ISAKMP:(0:0:N/A:0):Old State = IKE_I_TED_RESP New State = IKE_DEST_SA
Mar 20 11:39:10.219: IPSEC(key_engine): got a queue event with 1 kei messages
Mar 20 11:40:00.215: ISAKMP:(0:0:N/A:0):purging node 0
I hope someone can help me with this, because I really don't know anymore.
Kind regards
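Editor's note, added after the post. Two details in the posted material are worth comparing against your own setup: on both routers the `set peer` address in the dynamic map is the same address the router's own debug reports as "my address" (94.224.180.199 on the 877, 94.224.180.207 on the 831), and both debugs show the PEER_DISCOVERY packet being sent toward the remote private host (172.16.0.2 or 10.10.10.7) via the ISP gateway and then "QM_TIMER expired". Tunnel Endpoint Discovery (the `discover` keyword) probes the protected destination address itself, so it cannot find a peer when the protected networks are RFC 1918 ranges that the Internet does not route; and a dynamic crypto map entry can only answer an IKE negotiation, never start one. The configuration below is an added reference pattern for the same scenario (two routers that obtain their WAN address by DHCP and publish it through DynDNS), not the poster's config and not an official Cisco example. The hostnames cisco1.dnsdojo.com and cisco2.dnsdojo.com and the subnets are taken from the post; the pre-shared key placeholder, the ACL and route-map names and the policy numbers are assumptions. It uses a static crypto map on both sides with `set peer <hostname> dynamic`, which re-resolves the peer's DDNS name on every connection attempt, so either router can initiate.

```cisco
! Added reference pattern (not the poster's configuration): site-to-site IPsec
! between two IOS 12.4 routers with DHCP-assigned WAN addresses and DynDNS names.
! Names, key placeholder and numbering are assumptions made for this example.
!
! ---- Router A (LAN 10.10.10.0/24, WAN Vlan4, peer is cisco2.dnsdojo.com) ----
!
! The peer hostname must be resolvable at tunnel-setup time.
ip domain lookup
ip name-server 4.2.2.1
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
!
! Wildcard key because the peer's address is not known in advance. Anyone who
! holds the key can complete IKE phase 1 from any address, so use a long random
! string and keep the crypto ACL narrow; do not ship a test value.
crypto isakmp key <long-random-psk> address 0.0.0.0 0.0.0.0
!
! Dead peer detection: tear the SA down when the peer's address changes
! instead of waiting for the lifetime to expire.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
!
! Static map on BOTH routers. A dynamic crypto map entry can only respond, so
! two dynamic maps facing each other never bring the tunnel up. The "dynamic"
! keyword after the hostname makes IOS resolve it again on each attempt.
crypto map VPN 10 ipsec-isakmp
 set peer cisco2.dnsdojo.com dynamic
 set transform-set SET1
 set pfs group5
 match address VPN-ACL
!
! Crypto ACL: exactly the traffic that must be encrypted, mirrored on router B.
ip access-list extended VPN-ACL
 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.0.255
!
! NAT exemption: VPN traffic must keep its private source address so it matches
! the crypto ACL; everything else is overloaded onto the WAN address.
ip access-list extended NAT
 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
route-map NO-NAT permit 10
 match ip address NAT
ip nat inside source route-map NO-NAT interface Vlan4 overload
!
! The inbound WAN ACL (left out of the post) must admit IKE and ESP, otherwise
! the peer's first packet is dropped before "debug crypto isakmp" shows anything.
ip access-list extended Firewall-ACL
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
interface Vlan4
 ip address dhcp
 ip ddns update hostname cisco1.dnsdojo.com
 ip ddns update DynDNS
 ip access-group Firewall-ACL in
 ip nat outside
 crypto map VPN
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! ---- Router B (LAN 172.16.0.0/24, WAN Ethernet1) is identical except:
! ----   set peer cisco1.dnsdojo.com dynamic
! ----   VPN-ACL / NAT ACL with the two subnets swapped
! ----   ip nat ... interface Ethernet1 overload, crypto map VPN on Ethernet1
! ----   ip ddns update hostname cisco2.dnsdojo.com
```

To verify after applying this, send traffic that matches VPN-ACL from a LAN host and watch `show crypto isakmp sa` move to QM_IDLE and `show crypto ipsec sa` count encaps/decaps in both directions; with `debug crypto isakmp` the first message should now be a main-mode MM_NO_STATE exchange to the resolved public address of the peer rather than a PEER_DISCOVERY packet to a private host. The DynDNS update method definition is the same as in the post and is omitted here because its URL is not fully shown there.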