> Hi,
Hey. Sorry for the top-posting in my previous mails.
> The ACL has to be built on the subnets you want to connect with
> IPsec.
> You defined here
> conn ipsec01-cisco6500
> left=19.1.255.254
> leftsubnet=19.2.0.0/16 (linux net)
> right=19.1.255.253
> rightsubnet=66.6.0.0/16 (cisco net)
> auto=add
> authby=secret
> auth=esp
> compress=no
> pfs=yes
> esp=3des-md5-modp1024
> ike=3des-md5-modp1024
> keyexchange=ikev1
> mobike=no
>
Yes, the tunnel is built between the 2 subnets (19.2.0.0/16 on the Linux side and
66.6.0.0/16 on the Cisco side), not transport mode; this is the conn:
1. ----linux-------
conn ipsec01-cisco6500
type=tunnel
left=19.1.255.254
leftsubnet=19.2.0.0/16
leftfirewall=yes # this was added, but the result is the same with or without this line
right=19.1.255.253
rightsubnet=66.6.0.0/16
auto=add
authby=secret
auth=esp
compress=no
pfs=yes
esp=3des-md5-modp1024
ike=3des-md5-modp1024
keyexchange=ikev1
mobike=no
cvintila-ipsec01:/etc# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.205.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
66.6.0.0 19.1.255.253 255.255.0.0 UG 0 0 0 eth1
19.1.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
19.2.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth4
0.0.0.0 10.205.16.1 0.0.0.0 UG 0 0 0 eth0
I have allow-all in iptables
and
net.ipv4.ip_forward=1
in sysctl.conf
>
> access-list 100 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255 --
> this one is in
> access-list 100 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255 --
> this one is out
>
2. ----cisco-------
that's how they are on my Cisco too:
6500#sh access-lists
Extended IP access list 100
10 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
20 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255 (23 matches)
also
6500#sh crypto map
Crypto Map "IL" 20 ipsec-isakmp
Peer = 19.1.255.254
Extended IP access list 100
access-list 100 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
access-list 100 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255
Current peer: 19.1.255.254
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
IL,
}
Interfaces using crypto map IL:
GigabitEthernet4/27
6500#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
19.0.0.0/16 is subnetted, 2 subnets
S 19.2.0.0 [1/0] via 19.1.255.254
C 19.1.0.0 is directly connected, GigabitEthernet4/27
C 21.0.0.0/8 is directly connected, GigabitEthernet4/11.1
C 20.0.0.0/8 is directly connected, GigabitEthernet4/10.1
66.0.0.0/16 is subnetted, 1 subnets
C 66.6.0.0 is directly connected, GigabitEthernet4/28
I enabled verbose debugging for IPsec
#debug crypto verbose
3.------subnets------
a) a machine behind the Linux box, with IP 19.2.0.1/16, whose default gateway is
the Linux machine (the internal interface is 19.2.0.254)
b) a machine behind the Cisco, with IP 66.6.0.10/16, whose default gateway
is the Cisco (the internal interface is 66.6.0.1)
4.----scenarios tried----
a) ping from the linux to cisco-external-interface 19.1.255.253 => success, without
ipsec
b) ping from the linux to cisco-internal-interface 66.6.0.1 => success, without ipsec
c) ping from the cisco to linux-external-interface 19.1.255.254 => success, without
ipsec
d) ping from the cisco to linux-internal-interface 19.2.0.254 => success, without
ipsec
e) ping from machine 19.2.0.1 to cisco-external-interface 19.1.255.253 =>
success, without ipsec
f) ping from machine 19.2.0.1 to cisco-internal-interface 66.6.0.1 => no
reply, the crypto log on the cisco shows no negotiation!
g) ping from machine 19.2.0.1 to machine 66.6.0.10 => no reply, the crypto
log on the cisco shows no negotiation!
h) ping from machine 66.6.0.10 to linux-external-interface 19.1.255.254 =>
success, without ipsec
i) ping from machine 66.6.0.10 to linux-internal-interface 19.2.0.254 =>
success, without ipsec!
j) ping from machine 66.6.0.10 to machine 19.2.0.1 => no reply, the crypto
log on the cisco shows no negotiation!
In the cases where I get no ping reply (f, g, j) I notice that the number of
'matches' on access-list 100 increments
(
6500#sh access-lists
Extended IP access list 100
10 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
20 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255 (23 matches)
)
but no negotiation takes place.
Also, if
- access-list 100 is not defined on the subnets, but only has permit ip any
any
and
- I ping from the cisco to the linux
the logs on the cisco start to show negotiation (the log is the one attached to the
previous mail): Phase 1 completes, but not Phase 2
(
7w3d: ISAKMP:(0:1:SW:1):deleting SA reason "recevied fatal
informational" state (I) QM_IDLE (peer 19.1.255.254) input queue
0
7w3d: ISAKMP:(0:1:SW:1):deleting node -2036547555 error FALSE reason
"informational (in) state 1"
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State =
IKE_P1_COMPLETE
)
I hope this info is useful and that you can help me.
Thanks a lot,
Cristina
> If you have other access-lists on the interfaces you need to allow access between
> the two tunnel endpoints 19.1.255.254 19.1.255.253
> so they can communicate, something like permit ip 19.1.255.254 19.1.255.253. If you want to
> be more specific, as an example
>
> access-list 110 permit udp any host IPSec headend device eq 500
> access-list 110 permit udp any host IPSec headend device eq 4500
> access-list 110 permit 50 any host IPSec headend device
> access-list 110 permit 51 any host IPSec headend device
> access-list 110 deny ip any host IPSec headend device
>
>
> Depending on the routes you have through the network, it may be necessary to tell the two
> endpoints how to reach each other for the network
> you are protecting
>
> As an example
>
> Router(config)# ip route 19.2.0.0 255.255.0.0 19.1.255.254
>
> On the cisco, in crypto map IL 10 put 'set pfs group2' - this applies
> only to peer 19.1.255.254; if you have other tunnels they don't have the same
> settings.
>
>
> If you build a tunnel between the two endpoints, normally you can
> ping from the 19.2.0.0/16 network to 66.6.0.0/16, but that doesn't mean
> that if you ping from the linux gateway to the cisco you will automatically have IPsec
> set up (the traffic was defined in access-list 100!). If it is in
> transport mode you can only do IPsec between the two endpoints - linux-cisco
> (the access-list has to be different)
>
> Silviu
>
> PS: here is an example of IPsec between two IOS boxes, it is fairly
> self-explanatory http://www.vpnc.org/InteropProfiles/cisco-ios.txt
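Whether the Cisco crypto ACL actually mirrors the Linux conn's traffic selectors, and why a `permit ip any any` ACL behaves differently from the subnet-specific one, can be checked mechanically rather than by staring at both configs. The script below is an added example written for this page; it is not code from the thread, from strongSwan or from Cisco. It parses a strongSwan-style `conn` block and Cisco extended ACL lines (both `access-list` commands and `sh access-lists` output, trailing match counters ignored), converts wildcard masks to CIDR, and classifies each ACE relative to the conn: `mirror` (ACE source equals `rightsubnet` and destination equals `leftsubnet`, i.e. the Cisco's own protected net to the Linux protected net, which is what the Cisco proposes in Quick Mode), `reversed` (written from the Linux side's point of view), `broader` (such as any/any, which IKEv1 Quick Mode cannot narrow to the conn's selectors) or `mismatch`. It also derives the `set pfs groupN` value the crypto map must carry from the `esp=` line (modp1024 is DH group 2). The sample inputs are copied from the configs in the thread and are assumed to be the selector-relevant parts; all function names are this example's own.

```python
import ipaddress
import re

# Constructed sample inputs, copied from the configs posted in the thread.
CONN_TEXT = """conn ipsec01-cisco6500
    type=tunnel
    left=19.1.255.254
    leftsubnet=19.2.0.0/16
    leftfirewall=yes  # ignored by this check
    right=19.1.255.253
    rightsubnet=66.6.0.0/16
    pfs=yes
    esp=3des-md5-modp1024
    ike=3des-md5-modp1024
    keyexchange=ikev1
"""

# The Cisco crypto ACL as shown by 'sh access-lists', and the any/any variant.
ACL_SUBNETS = """Extended IP access list 100
    10 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
    20 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255 (23 matches)
"""
ACL_ANY = "access-list 100 permit ip any any\n"

# IKE DH group numbers for the modp names strongSwan uses in esp=/ike=.
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}


def parse_conn(text):
    """Return the key=value settings of one conn block as a dict ('#' comments stripped)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are the bitwise inverse of a netmask: 0.0.255.255 -> /16."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _take_spec(tokens, i):
    """Consume one ACL address specifier (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """Return (src, dst) networks for every 'permit ip' ACE; other protocols are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit") + 1
        if i >= len(tokens) or tokens[i] != "ip":
            continue
        src, i = _take_spec(tokens, i + 1)
        dst, _ = _take_spec(tokens, i)
        entries.append((src, dst))
    return entries


def classify_aces(conn, acl_entries):
    """Classify each Cisco ACE against the Linux conn's selectors.

    Seen from the Cisco, the ACE source is its own protected network (the
    conn's rightsubnet) and the destination is the conn's leftsubnet. IKEv1
    Quick Mode has no selector narrowing, so only a 'mirror' ACE produces
    IDs the Linux side can match against this conn.
    """
    left = ipaddress.ip_network(conn["leftsubnet"])
    right = ipaddress.ip_network(conn["rightsubnet"])
    verdicts = []
    for src, dst in acl_entries:
        if src == right and dst == left:
            verdicts.append("mirror")
        elif src == left and dst == right:
            verdicts.append("reversed")
        elif src.supernet_of(right) and dst.supernet_of(left):
            verdicts.append("broader")  # e.g. 'permit ip any any'
        else:
            verdicts.append("mismatch")
    return verdicts


def expected_cisco_pfs(conn):
    """Return the 'set pfs groupN' value the crypto map needs, or None when pfs=no."""
    if conn.get("pfs", "no") != "yes":
        return None
    match = re.search(r"modp\d+", conn.get("esp", ""))
    return f"group{DH_GROUPS[match.group(0)]}" if match else None


if __name__ == "__main__":
    conn = parse_conn(CONN_TEXT)
    for name, acl in (("subnet ACL", ACL_SUBNETS), ("any/any ACL", ACL_ANY)):
        print(name, classify_aces(conn, parse_crypto_acl(acl)))
    print("crypto map needs: set pfs", expected_cisco_pfs(conn))
```

Run against the thread's ACL the script reports `['reversed', 'mirror']` (only ACE 20 is the selector pair the Cisco should propose for this conn) and `['broader']` for the any/any ACL; `supernet_of` needs Python 3.7 or newer.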
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug