Greetings to the list,

I can't get a basic site-to-site VPN up between a Cisco 870 and a
UC520; from the command "sh crypto isakmp sa" I see that the SAs are not
even created, and consequently the actual IPsec session is never
brought up.

Connectivity on both sides is fine; in fact the two devices ping each
other without problems. Each of them also has a public IP on its
respective WAN interface.

Attached are the configurations of the two routers and the output of a
few show crypto commands.

Thank you in advance for your help,

Best regards - Daniele Visaggio
CISCO 870 CONFIGURATION

################################################################################
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key vpnpsw address xxx.xxx.xxx.xxx 255.255.255.252
!         
!         
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!         
crypto map vpn_cliente 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set transform-1
 match address 100
!
interface FastEthernet4
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn_cliente
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.2.254 22 interface FastEthernet4 22000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 150 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
no cdp run
!         
!         
route-map nonat permit 10
 match ip address 150
!          
################################################################################

UC520 CONFIGURATION

################################################################################

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key vpnpsw address xxx.xxx.xxx.xxx 255.255.255.248
!         
!         
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!         
!         
!         
!         
crypto map vpn_cliente 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set transform-1
 match address 100
!         
!         
interface FastEthernet0/0
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn_cliente
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
ip http server
ip http secure-server
ip http path flash
ip nat inside source static tcp 10.1.1.254 22 interface FastEthernet0/0 22000
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip host 10.1.1.253 any
access-list 150 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
route-map nonat permit 10
 match ip address 150
! 
################################################################################

Here is the output of a few show commands:

CISCO 870:

#show crypto ipsec transform-set
Transform set transform-1: { esp-3des esp-sha-hmac  }
   will negotiate = { Tunnel,  }, 
   
#show crypto ipsec sa

interface: FastEthernet4
    Crypto map tag: jgmartinvpn, local addr xxx.xxx.xxx.xxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer xxx.xxx.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:
         
     inbound pcp sas:
         
     outbound esp sas:
         
     outbound ah sas:
         
     outbound pcp sas:
################################################################################

UC520: 

#show crypto ipsec transform-set
Transform set transform-1: { esp-3des esp-sha-hmac  }
   will negotiate = { Tunnel,  }, 
   
#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: jgmartinvpn, local addr xxx.xxx.xxx.xxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer xxx.xxx.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:
         
     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
################################################################################
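As an added illustration (not part of Daniele's post), a small Python checker over the two ACL sets taken from the configurations above: it verifies that the crypto ACLs (100) mirror each other between the peers and flags NAT-exemption deny entries (ACL 150) that an earlier, broader permit shadows. The sample ACL lines are copied from the configs in the message; the parser covers only the `any` / `host A` / `A WILDCARD` address forms used there.

```python
from ipaddress import IPv4Network

# Constructed excerpts: the crypto ACL (100) and NAT-exemption ACL (150) of each router, as posted.
CISCO_870 = """
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 150 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
UC520 = """
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip host 10.1.1.253 any
access-list 150 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

def _spec(tokens):
    """Consume one extended-ACL address spec: 'any' | 'host A' | 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return IPv4Network("0.0.0.0/0")
    if t == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    return IPv4Network(f"{t}/{tokens.pop(0)}")  # ipaddress accepts a wildcard (hostmask)

def acl_entries(cfg, number):
    """[(action, src_net, dst_net)] for the 'access-list <number> ... ip' lines, in order."""
    entries = []
    for line in cfg.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[1] == number and t[3] == "ip":
            rest = t[4:]
            entries.append((t[2], _spec(rest), _spec(rest)))
    return entries

def crypto_acl_mirrored(local, remote):
    """Phase 2 only negotiates if each permit (src, dst) here is (dst, src) on the peer."""
    flip = {(d, s) for a, s, d in remote if a == "permit"}
    return all((s, d) in flip for a, s, d in local if a == "permit")

def shadowed_denies(entries):
    """Deny entries that an earlier, broader permit already matches, so they never fire.
    IOS applies inside-to-outside NAT before the crypto map check: a shadowed VPN deny
    means LAN-to-LAN traffic is translated, misses the crypto ACL and never triggers IKE,
    a common cause of an empty 'show crypto isakmp sa'."""
    shadowed = []
    for i, (action, src, dst) in enumerate(entries):
        if action == "deny" and any(a == "permit" and src.subnet_of(s) and dst.subnet_of(d)
                                    for a, s, d in entries[:i]):
            shadowed.append((str(src), str(dst)))
    return shadowed
```

On both routers the deny for the LAN-to-LAN pair sits below a `permit ... any` in ACL 150, so the checker reports it as shadowed on each side, while the crypto ACLs themselves mirror correctly.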
     
      
_______________________________________________
http://cug.areanetworking.it
http://ml.areanetworking.it/mailman/listinfo/cug