Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.

site-to-site VPN na cisco ruterima

[es] :: Enterprise Networking :: site-to-site VPN na cisco ruterima

Strane: 1 2

[ Pregleda: 6932 | Odgovora: 33 ] > FB > Twit

Postavi temu Odgovori

Autor

Pretraga teme: Traži
Markiranje Štampanje RSS

smprobus
noemploy, admin

Član broj: 275044
Poruke: 38
*.dynamic.isp.telekom.rs.



Profil

icon site-to-site VPN na cisco ruterima12.03.2013. u 22:08 - pre 90 meseci
Pozdrav dragi prijatelji,
vec nekoliko dana se patim oko podesavanja IPSec VPN tunela izmedju dve lokacije.
Ja treba da podesim lokaciju u Srbiji, na Cisco 1841 ruteru sa sledecim podesavanjima:

VPN Parameters (Extern) (Serbia)
General
1. Tunnel Type: IPSec
2. Authentication Method: PSK (Pre-Shared-Key)
IKE (Phase 1)
3. Mode: Main Mode
4. Encryption Algorithm: AES-256
5. Hash Algorithm: SHA1
6. Diffie-Hellmann (DH) Group: Group 2
7. Lifetime: 86400 sec
8. IKE keepalives No Yes
IPSec (Phase 2)
9. Mode Tunnel
10. Protocol ESP
11. Encryption Algorithm: AES-256
12. MAC-Algorithm for Authentication SHA1 (ESP-SHA-HMAC)
13. Perfect Forward Secrecy (PFS) Yes
DH Group 2
14. SA Lifetime 86400 sec
15. Tunnel Termination Endpoint IP_extern IP_serbia
16. Encryption Domains (SAs) Serbia: 172.25.93.xx/255.255.255.248
extern:172.25.44.xx /24

Moze li mala pomoc, moj kod izgleda ovako:

R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr aes256
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400

R1(config)# crypto isakmp key mykey address IP_extern

R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 172.25.44.xx 0.0.0.255

R1(config)# crypto ipsec transform-set TS aes256 ESP-SHA-HMAC

R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer IP_extern
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC

i ne radi. Ne znam na sta se odnose ovi Encryption Domains?
 
Odgovor na temu

optix
CH

SuperModerator
Član broj: 7009
Poruke: 1865
2001:470:9da5:.*



+100 Profil

icon Re: site-to-site VPN na cisco ruterima12.03.2013. u 23:42 - pre 90 meseci
Encryption Domains predstavlja mreze koje ce komunicirati preko tunela. Tvoja strana je mreza 172.25.93.xx/29, remote je 172.25.44.xx/24.
Access lista bi onda trebalo da ti izgleda: permit ip 172.25.93.xx 0.0.0.7 172.25.44.xx 0.0.0.255
Pretpostavlja da imas i neki inside interface sa adresom iz mreze 172.25.93.xx... (ne mora naravno da bude nuzno na tom ruteru, ali da do njega dolazi taj saobracaj)

Jesi li primenio crypto mapu na odgovarajuci outside interface? Imas li rutu za 172.25.44.xx/24 mrezu (ili default rutu) da gadja odgovarajuci gateway iza outside interaface-a? Kako proveravas da li je tunel uspostavljen?




[Ovu poruku je menjao optix dana 13.03.2013. u 11:56 GMT+1]
"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
Odgovor na temu

smprobus
noemploy, admin

Član broj: 275044
Poruke: 38
*.telekom.yu.



Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 07:48 - pre 90 meseci
ako sam te dobro razumeo onda treba da izmenim crypto map access listu pa da bude:

ip access-list extended VPN TRAFFIC
permit ip 172.25.93.208 0.0.0.07 172.25.44.0 0.0.0.255

crypto map
....
match address VPN TRAFFIC

Vezao sam crypto map na outbond interface Fa 0/1.
Imam default route ip route 0.0.0.0 0.0.0.0 interface dialer 2

[Ovu poruku je menjao smprobus dana 13.03.2013. u 10:22 GMT+1]
 
Odgovor na temu

optix
CH

SuperModerator
Član broj: 7009
Poruke: 1865
2a00:1108:0:c000:.*



+100 Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 09:12 - pre 90 meseci
Ako imas 50 racunara jasno je da tu mrezu moras da prosiris, ali to moras da dogovoris i sa drugom stranom. Na drugom ruteru postoji mirror te access liste koja hvata saobracaj iz mreze 172.25.44.0/24 koji ide ka tvojoj 172.25.93.xx/29, te dve access liste moraju da se poklapaju da bi saobracaj izmedju njih tekao i bio kriptovan.

Druga stvar, ako ti je dialer2 logicki outside interfejs (interfejs sa adresom) onda kripto mapa mora da se nalazi na njemu, a ne na Fa0/1 (ovo ti je pretpostavljam fizicki interface ka nekom modemu).
"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
Odgovor na temu

smprobus
noemploy, admin

Član broj: 275044
Poruke: 38
*.telekom.yu.



Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 09:30 - pre 90 meseci
da rezimirao:
prvo moram promeniti LAN adresni opseg, tako da umesto 192.168.1.0/24 stavim 172.25.93.208/29 i po potrebi to kasnije prosirim.
to znaci da bi IP od fa0/0 bio npr. 172.25.93.209?
drugo da izmenim crypto map access listu u skladu sa gornjim stavom
trece da crypto map izmenim na dialer interface, posto je fa 0/1 veza ka modemu a na dialeru dobijam staticku IP.
staticka ruta ip route 0.0.0.0 0.0.0.0 dialer2 ostaje
 
Odgovor na temu

smprobus
noemploy, admin

Član broj: 275044
Poruke: 38
*.telekom.yu.



Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 09:34 - pre 90 meseci
i NAT bi izgledao ovako:
ip nat iside source list 100 interface Dialer 2 overload

gde bi access list 100 izgledao:
deny ip 172.25.93.208 0.0.0.7 172.25.44.0 0.0.0.255
permit ip 172.25.93.208 0.0.0.7 any
 
Odgovor na temu

optix
CH

SuperModerator
Član broj: 7009
Poruke: 1865
2a00:1108:0:c000:.*



+100 Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 10:26 - pre 90 meseci
Sve tacno.
"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
Odgovor na temu

smprobus
noemploy, admin

Član broj: 275044
Poruke: 38
*.ptt.rs.



Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 12:51 - pre 90 meseci
probao i na show crypto session se dobija:

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation

Interface: Dialer2 Virtual-Access2
Session status: UP-IDLE
Peer: IP_extern port 500 fvrf: (none) ivrf: (none)
Phase1_id: IP_extern
Desc: (none)
IKE SA: local IP/500 remote IP/500 Active
Capabilities:D connid:1001 lifetime:23:18:55
IPSEC FLOW: permit ip 172.25.93.208/255.255.255.248 172.25.44.0/255.255.255.0

Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 3 life (KB/Sec) 0/0
 
Odgovor na temu

optix
CH

SuperModerator
Član broj: 7009
Poruke: 1865
2a00:1108:0:c000:.*



+100 Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 13:11 - pre 90 meseci
Jesi pokusao da ostvaris neki saobracaj izmedju tih mreza? Pokusaj da pingujes neku adresu iz 172.25.44.0 sa source adresom iz 172.25.93.208
npr: ping 172.25.44.1 source 172.25.93.209.

Jesi siguran da je na drugoj strani podignuta konfiguracija?

"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
Odgovor na temu

smprobus
noemploy, admin

Član broj: 275044
Poruke: 38
*.static.isp.telekom.rs.



Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 13:16 - pre 90 meseci
nece i dalje
Geodigit#ping 172.25.44.1 source 172.25.93.209

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.25.44.1, timeout is 2 seconds:
Packet sent with a source address of 172.25.93.209
.....

kaze svaba da nas 'ceka' na Gateway-u
 
Odgovor na temu

optix
CH

SuperModerator
Član broj: 7009
Poruke: 1865
2a00:1108:0:c000:.*



+100 Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 13:17 - pre 90 meseci
Posalji ceo konfig, izbaci sifre i javne ip adrese.
"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
Odgovor na temu

smprobus
noemploy, admin

Član broj: 275044
Poruke: 38
*.static.isp.telekom.rs.



Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 13:25 - pre 90 meseci
Current configuration : 1948 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxx
enable password xxxxxxxxxx
!
no aaa new-model
dot11 syslog
ip cef
!
!
!
!
ip domain name xxxxxxxx
!
multilink bundle-name authenticated
!
!
!
!
username xxxxxxx password xxxxxxxxx
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key 6 xxxxxxxxxxxxxxxxxxxxxxxxxxxx address 80.69.x.x
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 80.69.x.x
set security-association lifetime seconds 86400
set transform-set TS
set pfs group2
match address VPN-TRAFFIC
!
!
!
!
!
!
interface FastEthernet0/0
description LAN
ip address 172.25.93.209 255.255.255.248
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1400
duplex auto
speed auto
!
interface FastEthernet0/1
description VEZA_KA_INTERNETU
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface Dialer2
ip address negotiated
ip mtu 1400
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
ppp authentication pap callin
ppp pap sent-username [email protected] password 0 xxxxxxxx
crypto map CMAP
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer2
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer2 overload
!
ip access-list extended VPN-TRAFFIC
permit ip 172.25.93.208 0.0.0.7 172.25.44.0 0.0.0.255
!
access-list 100 deny ip 172.25.93.208 0.0.0.7 172.25.44.0 0.0.0.255
access-list 100 permit ip 172.25.93.208 0.0.0.7 any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
 
Odgovor na temu

optix
CH

SuperModerator
Član broj: 7009
Poruke: 1865
2a00:1108:0:c000:.*



+100 Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 14:16 - pre 90 meseci
Konfig je ok, jedino sto mi malo cudno deluje je sto ti je prikazao preshared key enkriptovan iako nema aktiviranu enkripciju password-a (password encryption aes)... Izbrisi taj red i pokusaj da dodas key ponovo kao:
crypto isakmp key 0 plain_text_key address 80.69.x.x

Ako ne prodje posle toga, ukljuci debug za isakmp/ipsec pa posalji output kad probas taj ping.

debug crypto ipsec
debug crypto isakmp


"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
Odgovor na temu

smprobus
noemploy, admin

Član broj: 275044
Poruke: 38
*.telekom.yu.



Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 14:56 - pre 90 meseci
probao sam da zamenim key i nije uspelo...
Preko Putty-a sam nakacen pa nece da mi pokazuje debug mada sam ih ukljucio :(
 
Odgovor na temu

zeenmc
Nedeljko Scepanovic
Beograd City

Član broj: 54186
Poruke: 419
217.65.192.*



+22 Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 14:57 - pre 90 meseci
Brale, nek ti oni posalju njihovu konfiguraciju, tipa zapakovanu u zip sa sifrom, i ti od njihovog config fajla napravi sebi mirror, realno menjas par stvari, usermame, pass, acl, adresu peer hosta...mozda je kod njih lose podeseno
CCNP Security, CCNA R&S, CCNA Security, CCNA Voice
LinuxIsFree
 
Odgovor na temu

optix
CH

SuperModerator
Član broj: 7009
Poruke: 1865
*.eunet.rs.



+100 Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 15:01 - pre 90 meseci
Citat:
smprobus: probao sam da zamenim key i nije uspelo...
Preko Putty-a sam nakacen pa nece da mi pokazuje debug mada sam ih ukljucio :(


Kucaj 'terminal monitor'.
"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
Odgovor na temu

smprobus
noemploy, admin

Član broj: 275044
Poruke: 38
*.dynamic.isp.telekom.rs.



Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 15:10 - pre 90 meseci
evo debug poruka posle pokusaja pinga udaljene strane:

Geodigit#ping 172.25.44.1 source 172.25.93.209

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.25.44.1, timeout is 2 seconds:
Packet sent with a source address of 172.25.93.209

*Mar 13 14:59:23.616: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= local_IP, remote= remote_IP,
local_proxy= 172.25.93.208/255.255.255.248/0/0 (type=4),
remote_proxy= 172.25.44.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 86400s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Mar 13 14:59:23.616: ISAKMP: set new node 0 to QM_IDLE
*Mar 13 14:59:23.616: SA has outstanding requests (local 101.234.59.180 port 500, remote 101.234.59.152 port 500)
*Mar 13 14:59:23.616: ISAKMP:(1001): sitting IDLE. Starting QM immediately (QM_IDLE )
*Mar 13 14:59:23.616: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1509355874
*Mar 13 14:59:23.672: ISAKMP:(1001):QM Initiator gets spi
*Mar 13 14:59:23.672: ISAKMP:(1001): sending packet to remote_IP my_port 500 peer_port 500 (I) QM_IDLE
*Mar 13 14:59:23.672: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar 13 14:59:23.672: ISAKMP:(1001):Node 1509355874, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 13 14:59:23.672: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 13 14:59:23.744: ISAKMP (0:1001): received packet from remote_IP dport 500 sport 500 Global (I) QM_IDLE
*Mar 13 14:59:23.744: ISAKMP: set new node 438812687 to QM_IDLE
*Mar 13 14:59:23.748: ISAKMP:(1001): processing HASH payload. message ID = 438812687
*Mar 13 14:59:23.748: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2307194519, message ID = 438812687, sa = 65EA3A50
*Mar 13 14:59:23.748: ISAKMP:(1001): deleting spi 2307194519 message ID = 1509355874
*Mar 13 14:59:23.748: ISAKMP:(1001):deleting node 1509355874 error TRUE reason "Delete Larval"
*Mar 13 14:59:23.748: ISAKMP:(1001):deleting node 438812687 error FALSE reason "Informational (in) state 1"
*Mar 13 14:59:23.748: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 13 14:59:23.748: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Mar 13 14:59:23.944: ISAKMP:(1001):purging node -1139932770
*Mar 13 14:59:23.944: ISAKMP:(1001):purging node 570734582.....
Success rate is 0 percent (0/5)


 
Odgovor na temu

optix
CH

SuperModerator
Član broj: 7009
Poruke: 1865
2a00:1108:0:c000:.*



+100 Profil

icon Re: site-to-site VPN na cisco ruterima13.03.2013. u 15:47 - pre 90 meseci
Zameni transform set sa:
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
Deluje kao da Phase2 ne prolazi..


Clear-uj 'sesiju':
Geodigit# clear crypto session remote Remote_IP

Ako mozes, zamoli i drugu stranu da clear-uje isto.


Pusti ping ponovo i pusti par puta ako ne prodje iz prve, nekad mu treba malo vise vremena ;)
"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
Odgovor na temu

smprobus
noemploy, admin

Član broj: 275044
Poruke: 38
*.dynamic.isp.telekom.rs.



Profil

icon Re: site-to-site VPN na cisco ruterima14.03.2013. u 13:52 - pre 90 meseci
@optix:

skontao sam i ja posle da je falilo 256 u set transorm...
kada sam to promenio, dobio sam da je tunel UP-ACTIVE

Geo#sh crypto session
Crypto session current status

Interface: Dialer2 Virtual-Access2
Session status: UP-ACTIVE
Peer: remote IP port 500
IKE SA: local IP/500 remote remote/500 Active
IPSEC FLOW: permit ip 172.25.93.208/255.255.255.248 172.25.44.0/255.255.255.0
Active SAs: 2, origin: crypto map

ali kada probam ping i dalje ne prolazi:

Geo#ping 172.25.44.1 source 172.25.93.209

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.25.44.1, timeout is 2 seconds:
Packet sent with a source address of 172.25.93.209
.....
Success rate is 0 percent (0/5)

U cemu je problem, stvarno vise ne znam...
Optixe hvala veliko za sve sto si mi pomogao do sada...
 
Odgovor na temu

optix
CH

SuperModerator
Član broj: 7009
Poruke: 1865
2a00:1108:0:c000:.*



+100 Profil

icon Re: site-to-site VPN na cisco ruterima14.03.2013. u 14:14 - pre 90 meseci
Dobro, to sto ne pinguje 172.25.44.1 specificno, moze da znaci da ta adresa ili nije podignuta nigde na drugoj strani ili se ne odaziva na ping, bitno je bilo samo da se generise saobracaj koji ce uci u tunel (sa ispravnim source/destination adresama) kako bi se tunel podigao.. ;) Nadam se da ti radi aplikacija ili koja je vec druga namena samog tunela.

Posalji jos output od:
show crypto ipsec sa

Ako u inbound esp sas: i outbound esp sas: vidis informacije o tunelu i Status je ACTIVE to je ok onda.


Edit:
Ovo sto sam te pitao se vidi iz tog outputa koji si poslao - "Active SAs: 2" To je sad ok..
"99% of your thought process is protecting your self-conceptions,
and 98% of that is wrong."
 
Odgovor na temu

[es] :: Enterprise Networking :: site-to-site VPN na cisco ruterima

Strane: 1 2

[ Pregleda: 6932 | Odgovora: 33 ] > FB > Twit

Postavi temu Odgovori

Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.