Yes, a tunnel is set up between the 2 subnets (19.2.0.0/16 on the Linux side and 66.6.0.0/16 on the Cisco side), not transport mode; this is the conn:

1. ----linux-------

    conn ipsec01-cisco6500
        type=tunnel
        left=19.1.255.254
        leftsubnet=19.2.0.0/16
        leftfirewall=yes    // this was added, but the result is the same with or without this line
        right=19.1.255.253
        rightsubnet=66.6.0.0/16
        auto=add
        authby=secret
        auth=esp
        compress=no
        pfs=yes
        esp=3des-md5-modp1024
        ike=3des-md5-modp1024
        keyexchange=ikev1
        mobike=no

    cvintila-ipsec01:/etc# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.205.16.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    66.6.0.0        19.1.255.253    255.255.0.0     UG    0      0        0 eth1
    19.1.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth1
    19.2.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth4
    0.0.0.0         10.205.16.1     0.0.0.0         UG    0      0        0 eth0

I have allow all in iptables and net.ipv4.ip_forward=1 in sysctl.conf.

--------------
Does iptables -nL -t nat say anything?
--------------

> > access-list 100 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255  -- here it's in
> > access-list 100 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255  -- here it's out

2. ----cisco-------

That's how they are on my Cisco too:

    6500#sh access-lists
    Extended IP access list 100
        10 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
        20 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255 (23 matches)

Also:

    6500#sh crypto map
    Crypto Map "IL" 20 ipsec-isakmp
        Peer = 19.1.255.254
        Extended IP access list 100
            access-list 100 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
            access-list 100 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255
        Current peer: 19.1.255.254
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group: group2
        Transform sets={ IL, }
        Interfaces using crypto map IL:
            GigabitEthernet4/27

    6500#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is not set

         19.0.0.0/16 is subnetted, 2 subnets
    S       19.2.0.0 [1/0] via 19.1.255.254
    C       19.1.0.0 is directly connected, GigabitEthernet4/27
    C    21.0.0.0/8 is directly connected, GigabitEthernet4/11.1
    C    20.0.0.0/8 is directly connected, GigabitEthernet4/10.1
         66.0.0.0/16 is subnetted, 1 subnets
    C       66.6.0.0 is directly connected, GigabitEthernet4/28

I enabled verbose debugging on IPsec:

    #debug crypto verbose

3. ------subnets------

a) a machine behind the Linux box, with IP 19.2.0.1/16, whose default gateway is the Linux box (the internal interface is 19.2.0.254)
b) a machine behind the Cisco, with IP 66.6.0.10/16, whose default gateway is the Cisco (the internal interface is 66.6.0.1)

4. ----scenarios tried----

a) ping from Linux to the Cisco external interface 19.1.255.253 => success, no IPsec
b) ping from Linux to the Cisco internal interface 66.6.0.1 => success, no IPsec
c) ping from the Cisco to the Linux external interface 19.1.255.254 => success, no IPsec
d) ping from the Cisco to the Linux internal interface 19.2.0.254 => success, no IPsec
e) ping from machine 19.2.0.1 to the Cisco external interface 19.1.255.253 => success, no IPsec
f) ping from machine 19.2.0.1 to the Cisco internal interface 66.6.0.1 => no reply, the crypto log on the Cisco shows no negotiation!
g) ping from machine 19.2.0.1 to machine 66.6.0.10 => no reply, the crypto log on the Cisco shows no negotiation!
h) ping from machine 66.6.0.10 to the Linux external interface 19.1.255.254 => success, no IPsec
i) ping from machine 66.6.0.10 to the Linux internal interface 19.2.0.254 => success, no IPsec!
j) ping from machine 66.6.0.10 to machine 19.2.0.1 => no reply, the crypto log on the Cisco shows no negotiation!

In the cases where I get no ping reply (f, g, j) I notice that the number of 'matches' in access-list 100 increments:

    6500#sh access-lists
    Extended IP access list 100
        10 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
        20 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255 (23 matches)

---------------------
All the scenarios you have, except the ones that don't reply to ping, don't apply to what you want to do. The access-list tells it to attempt IPsec only from 66.6. to 19.2. and in reverse. What is strange is that only 66.6 tries to send traffic and not 19.2 as well - at g it should definitely have seen something in the first line of the access-list and incremented matches.
--------------------------

---------------------------
but no negotiation takes place.

Also, if
- access-list 100 is not defined on the subnets but only has permit ip any any, and
- I ping from the Cisco to the Linux box,
the logs on the Cisco start to show a negotiation (the log is the one attached to the previous mail): Phase 1 completes, but not Phase 2:

    7w3d: ISAKMP:(0:1:SW:1):deleting SA reason "recevied fatal informational" state (I) QM_IDLE (peer 19.1.255.254) input queue 0
    7w3d: ISAKMP:(0:1:SW:1):deleting node -2036547555 error FALSE reason "informational (in) state 1"
    7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Try clearing IPsec:

    clear crypto isakmp
    clear crypto sa
-------------------

I hope this info is useful and that you can help me.

Thanks a lot,
Cristina

---------------------
What IOS version do you have on the supervisor? I understand the switch does IPsec with other peers?
--------------------

> If you have other access-lists on the interfaces you must give access between
> the two tunnel endpoints 19.1.255.254 and 19.1.255.253 so they can communicate,
> something like permit ip 19.1.255.254 19.1.255.253. If you want to be more
> specific, for example:
>
> access-list 110 permit udp any host IPSec headend device eq 500
> access-list 110 permit udp any host IPSec headend device eq 4500
> access-list 110 permit 50 any host IPSec headend device
> access-list 110 permit 51 any host IPSec headend device
> access-list 110 deny ip any host IPSec headend device
>
> Depending on what routes you have through the network, it may be necessary to
> tell the two endpoints how to reach each other for the network you are
> protecting.
>
> For example:
>
> Router(config)# ip route 19.2.0.0 255.255.0.0 19.1.255.254
>
> On the Cisco, under crypto map IL 10 put 'set pfs group2' - this applies only
> to peer 19.1.255.254; if you have other tunnels they don't have the same
> settings.
>
> If you make a tunnel between the two endpoints you can normally ping from
> network 19.2.0.0/16 to 66.6.0.0/16, but it doesn't mean that if you ping from
> the Linux gateway to the Cisco you will automatically have IPsec created (the
> traffic was defined in access-list 100!). If it is in Transport mode you can do
> IPsec only between the two endpoints - linux-cisco (the access-list has to be
> different).
>
> Silviu
>
> PS: here is an example of IPsec set up between two IOS devices, it is quite
> self-explanatory: http://www.vpnc.org/InteropProfiles/cisco-ios.txt

_______________________________________________
RLUG mailing list
RLUG@lists.lug.ro
http://lists.lug.ro/mailman/listinfo/rlug
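As an added example (not code from this thread, from either poster, or from any vendor), a small Python checker that parses Cisco crypto ACL output such as the one quoted above and verifies that it mirrors the Linux conn's leftsubnet/rightsubnet; the sample input is constructed from the values in the thread, and the `any`/`host` endpoint handling goes beyond the ACL shown here.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Cisco 'address wildcard' (19.2.0.0 0.0.255.255) -> CIDR; a wildcard is an inverted netmask."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def _endpoint(tokens, i):
    """Parse one ACL endpoint at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_crypto_acl(text):
    """Collect (src, dst) networks from 'permit ip SRC DST' lines as printed by
    'show access-lists' or 'show crypto map'; hit counters like '(23 matches)' are ignored."""
    pairs = []
    for line in text.splitlines():
        t = line.split()
        i = t.index("permit") + 1 if "permit" in t else len(t)
        if t[i:i + 1] == ["ip"]:
            src, j = _endpoint(t, i + 1)
            dst, _ = _endpoint(t, j)
            pairs.append((src, dst))
    return pairs

def check_selectors(conn, cisco_acl):
    """Return the problems found comparing the Linux conn with the Cisco crypto ACL.
    An IOS crypto ACL is written from the Cisco side (source = its local network,
    destination = the remote network) and IOS mirrors it for inbound traffic, so the
    Linux peer needs rightsubnet = ACL source and leftsubnet = ACL destination; any
    other entry produces Phase 2 proxy IDs that the Linux conn has no selector for."""
    left = ipaddress.IPv4Network(conn["leftsubnet"])
    right = ipaddress.IPv4Network(conn["rightsubnet"])
    pairs, problems = parse_crypto_acl(cisco_acl), []
    if (right, left) not in pairs:
        problems.append(f"missing entry: permit ip {right} -> {left}")
    for src, dst in pairs:
        if (src, dst) == (left, right):
            problems.append(f"reversed entry {src} -> {dst}: the inbound direction is implied")
        elif (src, dst) != (right, left):
            problems.append(f"entry {src} -> {dst} matches no selector in the conn")
    return problems

# Sample input constructed from the values quoted in the thread (conn subnets and ACL 100).
CONN = {"leftsubnet": "19.2.0.0/16", "rightsubnet": "66.6.0.0/16"}
ACL_100 = """Extended IP access list 100
    10 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
    20 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255 (23 matches)"""
```

Running `check_selectors(CONN, ACL_100)` reports line 10 as a reversed entry; an ACL containing only the 66.6.0.0 -> 19.2.0.0 line returns no problems.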