Hi, I have a problem with a VPN between an ASA and a Cisco 877. The ASA has a public address, while the Cisco 877 is on the Fastweb network.

The Cisco 877 has the following configuration:

crypto isakmp policy 9
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address IP_remote_ASA no-xauth
!
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set asa-set esp-3des esp-md5-hmac
crypto ipsec transform-set asa esp-aes 256 esp-sha-hmac
!
crypto map asa 1 ipsec-isakmp
 set peer IP_remote_ASA
 set transform-set asa
 set pfs group2
 match address 100
!
interface Vlan1
 description $WAN$
 ip address ip_vlan1 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 crypto map asa
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.7

On the ASA:

crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer ip_vlan1
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto isakmp policy 9
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group ip_vlan1 type ipsec-l2l
tunnel-group ip_vlan1 general-attributes
 default-group-policy pippo
tunnel-group ip_vlan1 ipsec-attributes
 pre-shared-key *

Here are the logs:

asa# Jul 23 13:19:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:13 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:15 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:16 [IKEv1 DEBUG]: IP = ip_vlan1, IKE MM Initiator FSM error history (struct &0xd9f58d80) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 23 13:19:16 [IKEv1 DEBUG]: IP = ip_vlan1, IKE SA MM:15da7cc9 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jul 23 13:19:16 [IKEv1 DEBUG]: IP = ip_vlan1, sending delete/delete with reason message
Jul 23 13:19:16 [IKEv1]: IP = ip_vlan1, Removing peer from peer table failed, no match!
Jul 23 13:19:16 [IKEv1]: IP = ip_vlan1, Error: Unable to remove PeerTblEntry
Jul 23 13:19:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:18 [IKEv1]: IP = ip_vlan1, IKE Initiator: New Phase 1, Intf inside, IKE Peer ip_vlan1 local Proxy Address 192.168.0.0, remote Proxy Address 192.168.2.0, Crypto map (outside_map)
Jul 23 13:19:18 [IKEv1 DEBUG]: IP = ip_vlan1, constructing ISAKMP SA payload
Jul 23 13:19:18 [IKEv1 DEBUG]: IP = ip_vlan1, constructing NAT-Traversal VID ver 02 payload
Jul 23 13:19:18 [IKEv1 DEBUG]: IP = ip_vlan1, constructing NAT-Traversal VID ver 03 payload
Jul 23 13:19:18 [IKEv1 DEBUG]: IP = ip_vlan1, constructing Fragmentation VID + extended capabilities payload
Jul 23 13:19:18 [IKEv1]: IP = ip_vlan1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:20 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:23 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:25 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:26 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:28 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:28 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:30 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:30 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:33 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:34 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:35 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:38 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:40 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:42 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:43 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:43 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:45 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:48 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:49 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:49 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 23 13:19:50 [IKEv1 DEBUG]: IP = ip_vlan1, IKE MM Initiator FSM error history (struct &0xd9f58d80) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 23 13:19:50 [IKEv1 DEBUG]: IP = ip_vlan1, IKE SA MM:9dfe6a35 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jul 23 13:19:50 [IKEv1 DEBUG]: IP = ip_vlan1, sending delete/delete with reason message
Jul 23 13:19:50 [IKEv1]: IP = ip_vlan1, Removing peer from peer table failed, no match!
Jul 23 13:19:50 [IKEv1]: IP = ip_vlan1, Error: Unable to remove PeerTblEntry
Jul 23 13:19:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:53 [IKEv1]: IP = ip_vlan1, IKE Initiator: New Phase 1, Intf inside, IKE Peer ip_vlan1 local Proxy Address 192.168.0.0, remote Proxy Address 192.168.2.0, Crypto map (outside_map)
Jul 23 13:19:53 [IKEv1 DEBUG]: IP = ip_vlan1, constructing ISAKMP SA payload
Jul 23 13:19:53 [IKEv1 DEBUG]: IP = ip_vlan1, constructing NAT-Traversal VID ver 02 payload
Jul 23 13:19:53 [IKEv1 DEBUG]: IP = ip_vlan1, constructing NAT-Traversal VID ver 03 payload
Jul 23 13:19:53 [IKEv1 DEBUG]: IP = ip_vlan1, constructing Fragmentation VID + extended capabilities payload
Jul 23 13:19:53 [IKEv1]: IP = ip_vlan1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:54 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
undebuJul 23 13:19:58 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:58 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
gJul 23 13:19:59 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:59 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
allJul 23 13:20:01 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:20:04 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:20:04 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

I have already enabled NAT traversal, setting it to 3600. Thanks for the help.
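Added example, not part of the original post: a small Python triage of ASA IKEv1 debug output like the log above, counting the IKE_DECODE messages sent, resent and received per peer and reporting the Main Mode state in which the initiator timed out. The function name triage, the verdict labels and the shortened sample are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample: entries copied from the ASA debug output in the post
# (the peer appears under the post's placeholder name "ip_vlan1").
SAMPLE = """\
Jul 23 13:19:18 [IKEv1]: IP = ip_vlan1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:26 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:34 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:42 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:50 [IKEv1 DEBUG]: IP = ip_vlan1, IKE MM Initiator FSM error history (struct &0xd9f58d80) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
"""

# The patterns are searched anywhere in the text, so entries that were pasted
# run together on one long line are still found.
DECODE = re.compile(r"IP = ([^,\s]+), IKE_DECODE (SENDING|RESENDING|RECEIVED) Message")
TIMEOUT = re.compile(
    r"IP = ([^,\s]+), IKE MM Initiator FSM error history.*?(MM_\w+), EV_TIMEOUT")


def triage(text):
    """Summarise Phase 1 progress per peer from ASA IKEv1 debug text."""
    counts = {}
    for peer, kind in DECODE.findall(text):
        counts.setdefault(peer, Counter())[kind.lower()] += 1
    for peer, state in TIMEOUT.findall(text):
        counts.setdefault(peer, Counter())["timeout_in_" + state] += 1

    report = {}
    for peer, c in counts.items():
        # Packets went out, nothing was decoded coming back, and the FSM timed
        # out while waiting for the second Main Mode message: the initiator
        # never saw an answer to its first packet.
        stuck = (c["sending"] > 0 and c["received"] == 0
                 and c["timeout_in_MM_WAIT_MSG2"] > 0)
        report[peer] = {**c, "verdict": "no_reply_to_msg1" if stuck else "inconclusive"}
    return report


if __name__ == "__main__":
    for peer, summary in triage(SAMPLE).items():
        print(peer, summary)
```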
