> yes, the tunnel is set up between the 2 subnets (19.2.0.0/16 on the Linux side and
> 66.6.0.0/16 on the Cisco side), not transport; this is the conn:
>
hey
> 1. ----linux-------
> conn ipsec01-cisco6500
>     type=tunnel
>     left=19.1.255.254
>     leftsubnet=19.2.0.0/16
>     leftfirewall=yes   # this was added, but the result is the same with or without this line
>     right=19.1.255.253
>     rightsubnet=66.6.0.0/16
>     auto=add
>     authby=secret
>     auth=esp
>     compress=no
>     pfs=yes
>     esp=3des-md5-modp1024
>     ike=3des-md5-modp1024
>     keyexchange=ikev1
>     mobike=no
>
>
> cvintila-ipsec01:/etc# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.205.16.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 66.6.0.0        19.1.255.253    255.255.0.0     UG    0      0        0 eth1
> 19.1.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth1
> 19.2.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth4
> 0.0.0.0         10.205.16.1     0.0.0.0         UG    0      0        0 eth0
>
>
> I have an allow-all in iptables
>
> and
>
> net.ipv4.ip_forward=1
> in sysctl.conf
>
>
> --------------
>
Does iptables -nL -t nat say anything?
...............
cvintila-ipsec01:/etc# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
that is what it has always said
...............
--------------
> >
> > access-list 100 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
> > -- this one is in
> > access-list 100 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255
> > -- this one is out
> >
>
> 2. ----cisco-------
> this is how they are on my Cisco as well:
>
> 6500#sh access-lists
> Extended IP access list 100
> 10 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
> 20 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255 (23 matches)
>
>
> also
>
> 6500#sh crypto map
> Crypto Map "IL" 20 ipsec-isakmp
> Peer = 19.1.255.254
> Extended IP access list 100
>         access-list 100 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
>         access-list 100 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255
> Current peer: 19.1.255.254
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): Y
> DH group: group2
> Transform sets={
> IL,
> }
> Interfaces using crypto map IL:
> GigabitEthernet4/27
>
> 6500#sh ip route
> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
> D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
> N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
> E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
> i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
> ia - IS-IS inter area, * - candidate default, U - per-user static route
> o - ODR, P - periodic downloaded static route
>
> Gateway of last resort is not set
>
> 19.0.0.0/16 is subnetted, 2 subnets
> S 19.2.0.0 [1/0] via 19.1.255.254
> C 19.1.0.0 is directly connected, GigabitEthernet4/27
> C 21.0.0.0/8 is directly connected, GigabitEthernet4/11.1
> C 20.0.0.0/8 is directly connected, GigabitEthernet4/10.1
> 66.0.0.0/16 is subnetted, 1 subnets
> C 66.6.0.0 is directly connected, GigabitEthernet4/28
>
>
> I enabled verbose debugging on IPsec
>
....................................
'term mon' was enabled
....................................
> #debug crypto verbose
>
>
> 3.------subnets------
>
> a) a machine behind the Linux box, with IP 19.2.0.1/16, whose default
> gateway is the Linux machine (the internal interface is 19.2.0.254)
> b) a machine behind the Cisco, with IP 66.6.0.10/16, whose default
> gateway is the Cisco (the internal interface is 66.6.0.1)
>
>
> 4.----scenarios tried----
> a) ping from the Linux box to the Cisco outside interface 19.1.255.253 =>
> success, without IPsec
> b) ping from the Linux box to the Cisco inside interface 66.6.0.1 => success,
> without IPsec
> c) ping from the Cisco to the Linux outside interface 19.1.255.254 =>
> success, without IPsec
> d) ping from the Cisco to the Linux inside interface 19.2.0.254 => success,
> without IPsec
> e) ping from machine 19.2.0.1 to the Cisco outside interface 19.1.255.253
> => success, without IPsec
> f) ping from machine 19.2.0.1 to the Cisco inside interface 66.6.0.1 =>
> no reply, the crypto log on the Cisco shows no negotiation!
> g) ping from machine 19.2.0.1 to machine 66.6.0.10 => no reply,
> the crypto log on the Cisco shows no negotiation!
> h) ping from machine 66.6.0.10 to the Linux outside interface
> 19.1.255.254 => success, without IPsec
> i) ping from machine 66.6.0.10 to the Linux inside interface 19.2.0.254
> => success, without IPsec!
> j) ping from machine 66.6.0.10 to machine 19.2.0.1 => no reply,
> the crypto log on the Cisco shows no negotiation!
>
>
> In the cases where I get no ping reply (f, g, j) I notice that the number
> of 'matches' in access-list 100 increments
>
> (
> 6500#sh access-lists
> Extended IP access list 100
> 10 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
> 20 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255 (23 matches)
> )
>
>
---------------------
All the scenarios you have, except the ones that do not reply to ping, do not
apply to what you want to do.
The access-list tells it to attempt IPsec only from 66.6. to 19.2. and the
reverse.
What is odd is that only 66.6 tries to send traffic and not 19.2 as well; in
g it definitely should have seen something on the first line of the
access-list and incremented the matches.
--------------------------
---------------------------
>
> but no negotiation takes place
>
>
> Also, if
> - access-list 100 is not defined on the subnets but only has permit
> ip any any, and
> - I ping from the Cisco to the Linux box,
>
> the logs on the Cisco start showing negotiation (the log is the one attached
> to the previous mail): Phase 1 completes, but Phase 2 does not (
> 7w3d: ISAKMP:(0:1:SW:1):deleting SA reason "recevied fatal
> informational" state (I) QM_IDLE (peer 19.1.255.254) input queue
> 0
> 7w3d: ISAKMP:(0:1:SW:1):deleting node -2036547555 error FALSE reason
> "informational (in) state 1"
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State =
> IKE_P1_COMPLETE
>
> )
>
>
>
>
Try clearing IPsec:
clear crypto isakmp
clear crypto sa
...............
I saw these commands in tutorials on the net... I ran these commands a few
times, but not before every scenario
...............
-------------------
>
> I hope this info is useful and that you can help me.
>
>
> Thanks a lot,
> Cristina
>
---------------------
What IOS version do you have on the supervisor?
...............
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF,
RELEASE SOFTWARE (fc1)
...............
I understand the switch does IPsec with other peers?
...............
yes, I also tested with another Cisco and with an internal simulator
...............
--------------------
I set up a tunnel (between subnets) and transport between the Cisco and the
router. Now everything seems fine; I have to configure a few basic scenarios.
The final goal is to use IKEv2, certificate authentication, XAuth... etc...
I still have things to learn :).
Thanks for that tutorial, it put my config in order.
Cristina
> If you have other access-lists on the interfaces you have to allow access
> between the two tunnel endpoints 19.1.255.254 and 19.1.255.253 so they can
> communicate, something like permit ip 19.1.255.254 19.1.255.253. If you want
> to be more specific, for example:
>
> access-list 110 permit udp any host <IPSec headend device> eq 500
> access-list 110 permit udp any host <IPSec headend device> eq 4500
> access-list 110 permit 50 any host <IPSec headend device>
> access-list 110 permit 51 any host <IPSec headend device>
> access-list 110 deny ip any host <IPSec headend device>
>
>
> Depending on the routes you have through the network, it may be necessary to
> tell the two endpoints how to reach each other for the network you are
> protecting.
>
> For example
>
> Router(config)# ip route 19.2.0.0 255.255.0.0 19.1.255.254
>
> On the Cisco, in crypto map IL 10, put 'set pfs group2'; this applies
> only to peer 19.1.255.254, if you have other tunnels they do not have the
> same settings.
>
>
> If you do a tunnel between the two endpoints, normally you can ping
> from network 19.2.0.0/16 to 66.6.0.0/16, but that does not mean that if
> you ping from the Linux gateway to the Cisco you will automatically get
> IPsec created (the traffic was defined in access-list 100!). If it is in
> transport mode you can do IPsec only between the two endpoints, linux-cisco
> (the access-list must be different).
>
> Silviu
>
> PS: here is an example of IPsec between two IOS boxes, it is quite
> self-explanatory: http://www.vpnc.org/InteropProfiles/cisco-ios.txt
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug
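The conn block and Cisco access-list 100 quoted in the thread are the two halves of one traffic selector, and the ping list in section 4 is really a question of which packets fall inside it. The Python script below is an added example written for this page, not code from either poster. It takes the quoted conn block and ACL lines as constructed input, checks that the Cisco ACL is the exact mirror of leftsubnet/rightsubnet (the usual reason Phase 1 succeeds while Phase 2 never comes up), and lists which of scenarios a-j carry traffic the crypto map would actually try to protect. The scenario source addresses are an assumption of the example: a ping sent from a gateway itself leaves with the address of the egress interface, not an address from the protected subnet.

```python
"""Check strongSwan traffic selectors against a Cisco crypto ACL.

Added example for this thread, not code from the original posts. It parses a
conn block in ipsec.conf syntax and Cisco 'access-list N permit ip' lines,
checks that the Cisco ACL is the mirror image of the Linux left/right subnets
(the classic cause of Phase 2 failing after Phase 1 succeeds), and classifies
the thread's ping scenarios by whether the crypto ACL would select them.
"""
import ipaddress
import re

# Constructed inputs, copied from the configs quoted in the thread.
IPSEC_CONF = """
conn ipsec01-cisco6500
    type=tunnel
    left=19.1.255.254
    leftsubnet=19.2.0.0/16
    right=19.1.255.253
    rightsubnet=66.6.0.0/16
"""

CISCO_ACL = """
access-list 100 permit ip 19.2.0.0 0.0.255.255 66.6.0.0 0.0.255.255
access-list 100 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255
"""

# Ping scenarios 4a-4j from the thread as (source, destination). Assumption: a
# ping sent from a gateway itself is sourced from the egress interface address,
# not from the protected subnet (on Linux, 'ping -I 19.2.0.254' changes that).
SCENARIOS = {
    "a": ("19.1.255.254", "19.1.255.253"),  # linux -> cisco outside
    "b": ("19.1.255.254", "66.6.0.1"),      # linux -> cisco inside
    "c": ("19.1.255.253", "19.1.255.254"),  # cisco -> linux outside
    "d": ("19.1.255.253", "19.2.0.254"),    # cisco -> linux inside
    "e": ("19.2.0.1", "19.1.255.253"),      # host -> cisco outside
    "f": ("19.2.0.1", "66.6.0.1"),          # host -> cisco inside
    "g": ("19.2.0.1", "66.6.0.10"),         # host -> host
    "h": ("66.6.0.10", "19.1.255.254"),     # host -> linux outside
    "i": ("66.6.0.10", "19.2.0.254"),       # host -> linux inside
    "j": ("66.6.0.10", "19.2.0.1"),         # host -> host
}

ACL_LINE = re.compile(
    r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_conn(text):
    """Return {key: value} for the key=value lines of one conn block."""
    conn = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\S+)", line)
        if m:
            conn[m.group(1)] = m.group(2)
    return conn


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0.0.255.255 -> /16."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network(
        (addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_cisco_acl(text):
    """Return the set of (src_net, dst_net) pairs from 'permit ip' ACL lines."""
    pairs = set()
    for line in text.splitlines():
        m = ACL_LINE.search(line)
        if m:
            pairs.add((wildcard_to_network(m.group(1), m.group(2)),
                       wildcard_to_network(m.group(3), m.group(4))))
    return pairs


def expected_cisco_pairs(conn):
    """The Cisco is 'right', so its ACL must cover right->left and left->right."""
    left = ipaddress.ip_network(conn["leftsubnet"])
    right = ipaddress.ip_network(conn["rightsubnet"])
    return {(right, left), (left, right)}


def acl_mirrors_conn(conn, acl_pairs):
    """True when the Cisco ACL exactly mirrors the strongSwan selectors."""
    return expected_cisco_pairs(conn) == acl_pairs


def selected_by_acl(acl_pairs, src, dst):
    """True when a src->dst packet is inside some ACL pair (interesting traffic)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl_pairs)


def classify_scenarios(acl_pairs, scenarios=SCENARIOS):
    """Return the scenario labels whose traffic the crypto ACL would select."""
    return sorted(k for k, (src, dst) in scenarios.items()
                  if selected_by_acl(acl_pairs, src, dst))


if __name__ == "__main__":
    conn = parse_conn(IPSEC_CONF)
    acl = parse_cisco_acl(CISCO_ACL)
    print("ACL mirrors conn:", acl_mirrors_conn(conn, acl))
    print("scenarios that should trigger IKE:", classify_scenarios(acl))
```

Run as-is it reports that the ACL mirrors the conn and that only f, g, i and j are inside the selector; everything else in the list is gateway-to-gateway or gateway-to-host traffic that the crypto map never sees, which is why those pings succeed "without IPsec". Feeding it a narrower ACL (for instance 66.6.0.0 0.0.0.255 instead of 0.0.255.255) makes acl_mirrors_conn return False, which is the mismatch that typically shows up on the Cisco side as a Phase 2 proxy-identity failure after Phase 1 has completed.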