nimrod_ wrote on 12 January 2009:

Hi, I'm currently trying to set up a plain IPsec tunnel between a 7301 and an 1841. Maybe someone can take a look at it.

7301 - Loopback1: 10.5.5.5

crypto isakmp policy 1
 group 2
 encryption 3des
 authentication pre-share
crypto isakmp key cisco1841 address 10.1.1.1
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
!
crypto map cm_L1 17 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set ts_cisco_170
 match address 170
!
interface Loopback1
 crypto map cm_L1
!
access-list 170 permit ip any 192.168.1.0 0.0.0.255

1841 - LAN: 192.168.1.0

crypto isakmp policy 1
 group 2
 encryption 3des
 authentication pre-share
crypto isakmp key cisco1841 address 10.5.5.5
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
!
crypto map cm_D1 17 ipsec-isakmp
 set peer 10.5.5.5
 set transform-set ts_cisco_170
 match address 170
!
interface Dialer1
 crypto map cm_D1
!
access-list 170 permit ip 192.168.1.0 0.0.0.255 any

Before the crypto map is bound to the respective interfaces, all addresses are reachable from everywhere.

Here are the debugs.

Debug: 1841

*Jan 12 08:27:33: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.5.5.5,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xF3F67FC4(4093018052), conn_id= 0, keysize= 0, flags= 0x0
*Jan 12 08:27:33: ISAKMP:(0): SA request profile is (NULL)
*Jan 12 08:27:33: ISAKMP: Created a peer struct for 10.5.5.5, peer port 500
*Jan 12 08:27:33: ISAKMP: New peer created peer = 0x652CE590 peer_handle = 0x80000013
*Jan 12 08:27:33: ISAKMP: Locking peer struct 0x652CE590, refcount 1 for isakmp_initiator
*Jan 12 08:27:33: ISAKMP: local port 500, remote port 500
*Jan 12 08:27:33: ISAKMP: set new node 0 to QM_IDLE
*Jan 12 08:27:33: insert sa successfully sa = 652CF07C
*Jan 12 08:27:33: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan 12 08:27:33: ISAKMP:(0):found peer pre-shared key matching 10.5.5.5
*Jan 12 08:27:33: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan 12 08:27:33: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan 12 08:27:33: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan 12 08:27:33: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 12 08:27:33: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jan 12 08:27:33: ISAKMP:(0): beginning Main Mode exchange
*Jan 12 08:27:33: ISAKMP:(0): sending packet to 10.5.5.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 12 08:27:33: ISAKMP (0:0): received packet from 10.5.5.5 dport 500 sport 500 Global (I) MM_NO_STATE
*Jan 12 08:27:33: ISAKMP:(0):Notify has no hash. Rejected.
*Jan 12 08:27:33: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Jan 12 08:27:33: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jan 12 08:27:33: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
nimrod_ wrote on 12 January 2009 (continued):

*Jan 12 08:27:33: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.5.5.5
*Jan 12 08:28:03: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.1.1.1, remote= 10.5.5.5,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Jan 12 08:28:03: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.5.5.5,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x2AAA75D1(715814353), conn_id= 0, keysize= 0, flags= 0x0
*Jan 12 08:28:03: ISAKMP: set new node 0 to QM_IDLE
*Jan 12 08:28:03: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.1.1.1, remote 10.5.5.5)
*Jan 12 08:28:03: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 12 08:28:03: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 12 08:28:33: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.1.1.1, remote= 10.5.5.5,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

Debug: 7301

Jan 12 07:25:25.354: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 vpngreen (N) NEW SA
Jan 12 07:25:25.354: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
Jan 12 07:25:25.354: ISAKMP: New peer created peer = 0x66DA103C peer_handle = 0x80000015
Jan 12 07:25:25.354: ISAKMP: Locking peer struct 0x66DA103C, refcount 1 for crypto_isakmp_process_block
Jan 12 07:25:25.354: ISAKMP: local port 500, remote port 500
Jan 12 07:25:25.354: insert sa successfully sa = 66DAC3BC
Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Jan 12 07:25:25.354: ISAKMP:(0): processing SA payload. message ID = 0
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Jan 12 07:25:25.354: ISAKMP (0:0): vendor ID is NAT-T v7
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v3
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v2
Jan 12 07:25:25.354: ISAKMP:(0):No pre-shared key with 10.1.1.1!
Jan 12 07:25:25.354: ISAKMP : Scanning profiles for xauth ...
Jan 12 07:25:25.354: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Jan 12 07:25:25.354: ISAKMP:      encryption 3DES-CBC
Jan 12 07:25:25.354: ISAKMP:      hash SHA
Jan 12 07:25:25.354: ISAKMP:      default group 2
Jan 12 07:25:25.354: ISAKMP:      auth pre-share
Jan 12 07:25:25.354: ISAKMP:      life type in seconds
Jan 12 07:25:25.354: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
Jan 12 07:25:25.354: ISAKMP:(0):Preshared authentication offered but does not match policy!
Jan 12 07:25:25.354: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 12 07:25:25.354: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jan 12 07:25:25.354: ISAKMP:      encryption 3DES-CBC
Jan 12 07:25:25.354: ISAKMP:      hash SHA
Jan 12 07:25:25.354: ISAKMP:      default group 2
Jan 12 07:25:25.354: ISAKMP:      auth pre-share
Jan 12 07:25:25.354: ISAKMP:      life type in seconds
Jan 12 07:25:25.354: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
Jan 12 07:25:25.354: ISAKMP:(0):Encryption algorithm offered does not match policy!
nimrod_ wrote on 12 January 2009 (continued):

Jan 12 07:25:25.354: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 12 07:25:25.354: ISAKMP:(0):no offers accepted!
Jan 12 07:25:25.354: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.5.5.5 remote 10.1.1.1)
Jan 12 07:25:25.354: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jan 12 07:25:25.354: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) MM_NO_STATE
Jan 12 07:25:25.354: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jan 12 07:25:25.354: ISAKMP:(0):peer does not do paranoid keepalives.
Jan 12 07:25:25.354: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.1.1.1)
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Jan 12 07:25:25.354: ISAKMP (0:0): vendor ID is NAT-T v7
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v3
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v2
Jan 12 07:25:25.354: ISAKMP (0:0): FSM action returned error: 2
Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jan 12 07:25:25.354: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.1.1.1)
Jan 12 07:25:25.354: ISAKMP: Unlocking peer struct 0x66DA103C for isadb_mark_sa_deleted(), count 0
Jan 12 07:25:25.354: ISAKMP: Deleting peer node by peer_reap for 10.1.1.1: 66DA103C
Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
Jan 12 07:25:25.354: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jan 12 07:25:25.354: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 10.1.1.1)
Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Jan 12 07:26:25.354: ISAKMP:(0):purging SA., sa=66DAC3BC, delme=66DAC3BC
Jan 12 07:34:48.579: No peer struct to get peer description
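As an added example that is not part of the thread, here is a small Python parser for responder-side `debug crypto isakmp` output like the 7301 debug above. For each "Checking ISAKMP transform N against priority P policy" block it collects the attributes the peer offered and the first rejection line IOS printed, records any "No pre-shared key with <peer>!" line, and decodes the VPI lifetime bytes into seconds. The sample input is copied from the 7301 debug posted in this thread; the regular expressions are keyed on the fixed IOS message strings and are mine, not something the thread or Cisco provides.

```python
"""Summarise IKEv1 phase-1 rejections from Cisco IOS 'debug crypto isakmp' output."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Prefix of every IOS debug line: optional '*', month, day, time, ': '.
_TS = r"^\*?[A-Z][a-z]{2} +\d+ [\d:.]+: "
RE_CHECK = re.compile(_TS + r"ISAKMP:\(\d+\):Checking ISAKMP transform (\d+) against priority (\d+) policy")
RE_ATTR = re.compile(_TS + r"ISAKMP: +(encryption|hash|default group|auth|life type|life duration) (.+)$")
RE_REJECT = re.compile(_TS + r"ISAKMP:\(\d+\): ?(.*?(?:does not match policy|not acceptable).*)$")
RE_NOKEY = re.compile(_TS + r"ISAKMP:\(\d+\):No pre-shared key with ([\d.]+)!")
RE_VPI = re.compile(r"\(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")


@dataclass
class PolicyCheck:
    transform: int          # proposal number offered by the initiator
    priority: int           # local policy it was compared with; 65535 is the IOS built-in default
    offered: dict = field(default_factory=dict)
    verdict: str = ""       # first rejection line IOS printed for this pairing, "" if accepted


def vpi_to_seconds(vpi: str) -> int:
    """IOS prints the lifetime attribute as big-endian bytes: '0x0 0x1 0x51 0x80' -> 86400."""
    return int.from_bytes(bytes(int(b, 16) for b in vpi.split()), "big")


def parse_isakmp_debug(text: str) -> dict:
    """Return peers lacking a PSK, one PolicyCheck per policy IOS tried, and whether any matched."""
    checks: list[PolicyCheck] = []
    missing_keys: list[str] = []
    current: PolicyCheck | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_NOKEY.match(line):
            missing_keys.append(m.group(1))
        elif m := RE_CHECK.match(line):
            current = PolicyCheck(int(m.group(1)), int(m.group(2)))
            checks.append(current)
        elif current is None:
            continue                                   # nothing to attach attributes to yet
        elif m := RE_ATTR.match(line):
            key, val = m.group(1), m.group(2)
            if key == "life duration":
                if v := RE_VPI.search(val):
                    current.offered["lifetime_s"] = vpi_to_seconds(v.group(1))
            elif key != "life type":                   # 'in seconds' is implied by lifetime_s
                current.offered[key.replace("default ", "")] = val
        elif (m := RE_REJECT.match(line)) and not current.verdict:
            current.verdict = m.group(1)               # keep the first, most specific reason
    return {"peers_without_psk": missing_keys, "checks": checks,
            "accepted": any(not c.verdict for c in checks)}


# Excerpt of the 7301 responder debug posted in the thread (not constructed).
SAMPLE_7301 = """\
Jan 12 07:25:25.354: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 vpngreen (N) NEW SA
Jan 12 07:25:25.354: ISAKMP:(0):No pre-shared key with 10.1.1.1!
Jan 12 07:25:25.354: ISAKMP : Scanning profiles for xauth ...
Jan 12 07:25:25.354: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Jan 12 07:25:25.354: ISAKMP:      encryption 3DES-CBC
Jan 12 07:25:25.354: ISAKMP:      hash SHA
Jan 12 07:25:25.354: ISAKMP:      default group 2
Jan 12 07:25:25.354: ISAKMP:      auth pre-share
Jan 12 07:25:25.354: ISAKMP:      life type in seconds
Jan 12 07:25:25.354: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
Jan 12 07:25:25.354: ISAKMP:(0):Preshared authentication offered but does not match policy!
Jan 12 07:25:25.354: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 12 07:25:25.354: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jan 12 07:25:25.354: ISAKMP:      encryption 3DES-CBC
Jan 12 07:25:25.354: ISAKMP:      hash SHA
Jan 12 07:25:25.354: ISAKMP:      default group 2
Jan 12 07:25:25.354: ISAKMP:      auth pre-share
Jan 12 07:25:25.354: ISAKMP:      life type in seconds
Jan 12 07:25:25.354: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
Jan 12 07:25:25.354: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 12 07:25:25.354: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 12 07:25:25.354: ISAKMP:(0):no offers accepted!
Jan 12 07:25:25.354: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.5.5.5 remote 10.1.1.1)
"""

if __name__ == "__main__":
    report = parse_isakmp_debug(SAMPLE_7301)
    print("peers without a PSK:", report["peers_without_psk"])
    for c in report["checks"]:
        print(f"transform {c.transform} vs policy {c.priority}: {c.offered} -> {c.verdict or 'accepted'}")
    print("phase 1 accepted:", report["accepted"])
```

Two things the summary makes easy to see. The priority 65535 entry is the built-in IOS default policy (DES, SHA, RSA signatures, group 1), so "Encryption algorithm offered does not match policy" against it is expected whenever 3DES is offered and is not the real problem. The lines that matter are "No pre-shared key with 10.1.1.1!" followed by "Preshared authentication offered but does not match policy!" against policy 1: IOS only accepts `auth pre-share` in a proposal when it can find a key for that peer, and the first debug line shows the packet arriving in VRF vpngreen, so it is worth checking whether the global `crypto isakmp key ... address` entries are visible from that front-door VRF (a `crypto keyring` with `vrf vpngreen`, bound through an ISAKMP profile, is the usual way to make them so). The 1841's "Notify has no hash. Rejected." is just the unprotected informational the 7301 sends back from MM_NO_STATE after rejecting the proposal; the reason is only logged on the responder side.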
Wordo wrote on 12 January 2009:

Since it already fails at phase 1 and the values are identical, there is surely a problem with the loopback and the IP address.
nimrod_ wrote on 12 January 2009:

Do you perhaps have a somewhat more specific suspicion? I've been sitting on this error for a while now and am probably blind to it by now. As already written: at least without crypto I can ping from anywhere to anywhere (also with other source addresses), so at least the routing is clean. I'm pretty much at a loss at the moment.
Wordo wrote on 12 January 2009:

You bind the crypto map to the loopback; which IP is configured on it? Also, you haven't posted any NAT configs, so it could be anything.
bookweb wrote on 12 January 2009:

Nimrod and I are not doing any NAT in this test setup.

interface Loopback1
 ip vrf forwarding vpngreen
 ip address 10.5.5.5 255.255.255.255
 crypto map cm_L1
end

Name       Default RD   Interfaces
vpngreen   100:159      Lo1
                        Po1.159
                        Vi3
                        Vi2
vpnred     100:158      Lo2
                        Po1.158

We based this on this example from Cisco. Unfortunately without success.
Wordo wrote on 12 January 2009:

debug crypto ipsec error
debug crypto isakmp error
debug crypto engine error

Enter those on the 1800 and then start a ping from the other router and post the output ...
bookweb wrote on 12 January 2009:

The only output is:

c1841-eth#sh debugging
Cryptographic Subsystem:
  Crypto ISAKMP Error debugging is on
  Crypto Engine Error debugging is on
  Crypto IPSEC Error debugging is on
*Jan 12 09:49:20: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.1.1, src_addr= 10.5.5.5, prot= 1

Could this be due to our ACL on the 7301?

access-list 170 permit ip any 192.168.1.0 0.0.0.255
nimrod_ wrote on 12 January 2009:

I have a suspicion that the 7301 is not pushing the packets into the tunnel and therefore not encrypting them either... (but what does a layman know ^^)

We did once have a partially working configuration with a dynamic crypto map... could that perhaps be a clue? With that configuration the crypto sessions were at least up-active; ping didn't work because we had configured a lot of, let's say, "garbage" there, and as a result the routing or the ACL probably no longer matched.

In the current config I find the

ISAKMP:(0):Notify has no hash. Rejected. <<<<< 1841

very worrying. As far as I understand it, both devices should actually have that information.
Wordo wrote on 12 January 2009:

Well, without the complete config of both routers there is not much more to say.
nimrod_ wrote on 12 January 2009:

Phew, it's a bit more extensive... it'll take a little while to clean it up, I'll get on it right away.

Config 7301

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service compress-config
!
hostname stan-cisco-cl-lab-90739504
!
boot-start-marker
boot system flash c7301-advipservicesk9-mz.124-11.T4.bin
boot-end-marker
!
logging buffered 4096
no logging rate-limit
enable secret 5 $1$rp31$1IBDSgPtGT45YGSq.tnzW0
!
aaa new-model
!
aaa group server radius auth_server
 server 80.228.16.100 auth-port 1812 acct-port 1813
 server 80.228.16.21 auth-port 1812 acct-port 1813
!
aaa group server radius auth_admin
 server 80.228.120.23 auth-port 1812 acct-port 1813
 server 80.228.120.24 auth-port 1812 acct-port 1813
!
aaa group server radius acc_server
 server 212.6.123.100 auth-port 1812 acct-port 1813
!
aaa authentication login default group auth_admin
aaa authentication login console local
aaa authentication login ssh local group auth_admin
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication ppp default group auth_server
aaa authorization network default group radius
aaa authorization network vpdn group radius
aaa authorization network sdm_vpn_group_ml_1 local
aaa accounting delay-start
aaa accounting delay-start all
aaa accounting update periodic 60
aaa accounting network default start-stop group acc_server
aaa accounting system default start-stop group acc_server
!
aaa server radius dynamic-author
 client 212.6.120.4
 client 212.6.120.1
 server-key 7 0470020504
 auth-type any
 ignore session-key
 ignore server-key
!
aaa pod server clients 212.6.120.1 212.6.120.4 server-key Kick
aaa session-id common
clock timezone MET 1
clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
ip vrf vpngreen
 rd 100:159
!
ip vrf vpnred
 rd 100:158
!
no ip domain lookup
ip domain name XXXXXXXXXXXXXX <-- anonymized by marka at the user's request
ip name-server 212.6.108.140
ip name-server 212.6.108.141
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
multilink virtual-template 1
multilink bundle-name authenticated
vpdn enable
vpdn logging
vpdn logging local
vpdn logging user
vpdn logging tunnel-drop
vpdn history failure table-size 30
vpdn session-limit 2000
vpdn search-order domain
!
vpdn-group l2tp
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 source-ip 85.16.116.253
 lcp renegotiation always
 no l2tp tunnel authentication
 l2tp tunnel password 7
 l2tp tunnel receive-window 1024
 ip mtu adjust
!
vpdn-group pptp
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 2
 source-ip 85.16.116.254
 local name pptp
 lcp renegotiation always
 l2tp tunnel password 7
!
archive
 log config
  hidekeys
!
controller ISA 1/1
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key cisco1841 address 10.1.1.1
crypto isakmp key cisco878 address 10.1.1.4
!
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
crypto ipsec transform-set ts_cisco_180 esp-des esp-md5-hmac
!
crypto map cm_L1 17 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set ts_cisco_170
 match address 170
crypto map cm_L1 18 ipsec-isakmp
 set peer 10.1.1.4
 set transform-set ts_cisco_180
 match address 180
nimrod_ wrote on 12 January 2009 (continued):

!
interface Loopback0
 ip address 10.6.6.6 255.255.255.255
!
interface Loopback1
 ip vrf forwarding vpngreen
 ip address 10.5.5.5 255.255.255.255
 crypto map cm_L1
!
interface Loopback2
 ip vrf forwarding vpnred
 ip address 10.7.7.7 255.255.255.255
!
interface Loopback148
 no ip address
!
interface Port-channel1
 no ip address
 hold-queue 150 in
!
interface Port-channel1.158
 description VPNRED
 encapsulation dot1Q 158
 ip vrf forwarding vpnred
 ip address 10.0.0.2 255.255.255.0
 standby version 2
 standby 158 ip 10.0.0.1
 standby 158 follow access
 standby 158 priority 101
!
interface Port-channel1.159
 description VPNGREEN
 encapsulation dot1Q 159
 ip vrf forwarding vpngreen
 ip address 10.0.0.2 255.255.255.0
 standby version 2
 standby 159 ip 10.0.0.1
 standby 159 follow access
 standby 159 priority 101
!
interface Port-channel1.160
 encapsulation dot1Q 160
 ip address 85.16.116.253 255.255.255.248
 standby delay minimum 30 reload 60
 standby version 2
 standby 1 ip 85.16.116.254
 standby 1 priority 101
 standby 1 name access
 standby 1 track Port-channel1.159 100
 standby 1 track Port-channel1.158 100
!
interface GigabitEthernet0/0
 description gig0/0, QinQ-Trunk VL450, vtsw302-1-gi10/37
 no ip address
 duplex full
 speed 1000
 media-type rj45
 no negotiation auto
 channel-group 1
 standby version 2
!
interface GigabitEthernet0/1
 description gig0/1, QinQ-Trunk VL450, vtsw302-1-gi10/38
 no ip address
 duplex full
 speed 1000
 media-type rj45
 no negotiation auto
 channel-group 1
 standby version 2
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip tcp adjust-mss 1400
 peer default ip address pool addresspool
 ppp authentication pap
 ppp authorization vpdn
 ppp multilink
 ppp multilink fragment disable
!
interface Virtual-Template2
 ip unnumbered Loopback0
 ip tcp adjust-mss 1400
 peer default ip address pool addresspool
 ppp authentication chap
 ppp authorization vpdn
!
interface Dialer1
 no ip address
!
ip local pool vpnred 192.168.10.1 192.168.10.254 group vpnred
ip local pool vpngreen-admin 192.168.10.1 192.168.10.127 group vpngreen
ip local pool vpngreen-user 192.168.10.128 192.168.10.191 group vpngreen
ip local pool vpngreen-extern 192.168.10.192 192.168.10.254 group vpngreen
ip route 0.0.0.0 0.0.0.0 85.16.116.249
ip route vrf vpngreen 192.168.1.0 255.255.255.0 10.1.1.1
ip route vrf vpngreen 192.168.100.0 255.255.255.0 10.1.1.4
ip route vrf vpnred 0.0.0.0 0.0.0.0 10.0.0.10
no ip http server
no ip http secure-server
!
logging alarm informational
logging trap warnings
logging facility local6
logging source-interface Port-channel1.160
logging 80.228.31.129
access-list 170 permit ip any 192.168.1.0 0.0.0.255
access-list 180 permit ip any 192.168.100.0 0.0.0.255
!
radius-server attribute 44 include-in-access-req
no radius-server attribute 77 include-in-access-req
radius-server attribute 32 include-in-access-req format XXX <-- anonymized
radius-server attribute 32 include-in-accounting-req format XXX <-- anonymized
no radius-server attribute nas-port
radius-server host 80.228.120.23 auth-port 1812 acct-port 1813 key 7 XXX
radius-server host 80.228.120.24 auth-port 1812 acct-port 1813 key 7 XXX
radius-server host 212.6.123.100 auth-port 1812 acct-port 1813 non-standard key 7 XXX
radius-server host 212.6.120.1 auth-port 1812 acct-port 1813 non-standard key 7 XXX
radius-server host 212.6.120.4 auth-port 1812 acct-port 1813 non-standard key 7 XXX
radius-server host 85.16.255.39 auth-port 1812 acct-port 1813 key 7 XXX
radius-server host 80.228.16.21 auth-port 1812 acct-port 1813 key 7 XXX
radius-server host 80.228.16.100 auth-port 1812 acct-port 1813 key 7 XXX
radius-server vsa send accounting
radius-server vsa send authentication
nimrod_ wrote on 12 January 2009 (continued):

!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 password 7 XXX
 logging synchronous
 login authentication local
 transport output all
 stopbits 1
line aux 0
 transport output all
 stopbits 1
line vty 0 4
 session-timeout 30
 access-class 10 in
 exec-timeout 30 0
 privilege level 15
 login authentication ssh
 transport input ssh
 transport output all
!
exception data-corruption buffer truncate
ntp clock-period 17179886
ntp server 212.6.108.160
ntp server 212.6.108.161
!
webvpn cef
!
end

Config 1841

version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname c1841-eth
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password 7 121A0C041104
!
no aaa new-model
!
resource policy
!
clock timezone MET 1
clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
no ip domain lookup
!
username cisco password 7 070C285F4D06
!
controller E1 0/0/0
 channel-group 0 timeslots 1-31
 description *** Backup ***
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key cisco1841 address 10.5.5.5
!
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
!
crypto map cm_D1 17 ipsec-isakmp
 set peer 10.5.5.5
 set transform-set ts_cisco_170
 match address 170
!
interface FastEthernet0/0
 description --> HAG 10Mbit/s
 no ip address
 speed 100
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 traffic-shape rate 2048000 102400 102400 1000
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 no keepalive
 no cdp enable
!
interface Serial0/0/0:0
 description --> Backup 2Mbit/s
 mtu 1448
 ip address negotiated
 encapsulation ppp
 ip tcp adjust-mss 1400
 traffic-shape rate 1024000 25600 25600 1000
 no cdp enable
 ppp pap sent-username vpnline-test@fvr password 7 0402133F217668462A
!
interface Dialer1
 description 1Mbit/s-Verbindung
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username vpnline-test-eth@fvr-eth password 7 141610085D5679
 crypto map cm_D1
!
ip route 0.0.0.0 0.0.0.0 192.168.2.100
ip route 10.1.1.0 255.255.255.0 Dialer1
ip route 192.168.2.0 255.255.255.0 Dialer1
ip route 192.168.3.0 255.255.255.0 Dialer1
!
ip http server
no ip http secure-server
!
access-list 170 permit ip 192.168.1.0 0.0.0.255 any
disable-eadi
no cdp run
!
control-plane
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
line vty 0 4
 password 7 05080F1C2243
 logging synchronous
 login local
 transport input all
!
scheduler allocate 20000 1000
ntp clock-period 17178708
ntp server 10.1.1.250
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
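As an added example that is not part of the thread, the following Python script applies the IOS phase-1 matching rules to the crypto sections of the two configs posted above. It fills in the defaults IOS uses for attributes a `crypto isakmp policy` block omits (DES, SHA, RSA signatures, group 1, 86400 s), has the responder walk its configured policies and then the implicit priority 65535 default, and reports which attributes break each pairing; lifetime is deliberately not treated as a matching criterion, because IOS negotiates it down to the shorter value. Run on the configs as posted it finds that the 1841 policy, which omits `hash` and therefore offers SHA, cannot match the 7301 policy 1 with `hash md5`; the CFG_1841_FIXED variant with `hash md5` added is a hypothetical correction to show a successful match. The script does not model the pre-shared-key lookup that the 7301 debug's "No pre-shared key with 10.1.1.1!" line points at, so a match here is necessary but not sufficient.

```python
"""Check whether two IOS IPsec peers can agree on an IKE phase-1 policy and a transform set."""
from __future__ import annotations
import re

# Values IOS applies to any attribute that a 'crypto isakmp policy' block omits.
IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": "86400"}
DEFAULT_PRIORITY = 65535      # the implicit policy every IOS responder checks last
MATCH_KEYS = ("encr", "hash", "authentication", "group")   # lifetime is negotiated, not matched


def parse_isakmp_policies(config: str) -> dict[int, dict]:
    """Return {priority: attributes} for each configured policy, with IOS defaults filled in."""
    policies: dict[int, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            current = dict(IOS_POLICY_DEFAULTS)
            policies[int(m.group(1))] = current
        elif not line.startswith(" "):
            current = None                       # any unindented line ends the block
        elif current is not None:
            key, _, val = line.strip().partition(" ")
            if key == "encryption":              # 'encr' and 'encryption' are the same command
                key = "encr"
            if key in IOS_POLICY_DEFAULTS:
                current[key] = val.strip()
    return policies


def parse_transform_sets(config: str) -> dict[str, tuple]:
    """{name: (transform, ...)} for every 'crypto ipsec transform-set' line."""
    return {m.group(1): tuple(m.group(2).split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}


def phase1_mismatches(local: dict, remote: dict) -> list[tuple]:
    """(attribute, local value, offered value) for every attribute that differs."""
    return [(k, local[k], remote[k]) for k in MATCH_KEYS if local[k] != remote[k]]


def negotiate_phase1(initiator: dict, responder: dict):
    """Emulate the responder trying each offered proposal against its policies by priority.
    Returns ((initiator_prio, responder_prio), {}) on success, or (None, {pair: mismatches})."""
    responder = {**responder, DEFAULT_PRIORITY: dict(IOS_POLICY_DEFAULTS)}
    failures = {}
    for ip in sorted(initiator):
        for rp in sorted(responder):
            bad = phase1_mismatches(responder[rp], initiator[ip])
            if not bad:
                return (ip, rp), {}
            failures[(ip, rp)] = bad
    return None, failures


def compare_peers(cfg_initiator: str, cfg_responder: str) -> dict:
    agreed, failures = negotiate_phase1(parse_isakmp_policies(cfg_initiator),
                                        parse_isakmp_policies(cfg_responder))
    ts_i, ts_r = parse_transform_sets(cfg_initiator), parse_transform_sets(cfg_responder)
    # Phase 2 matches on the transform contents, never on the set name.
    pairs = [(a, b) for a, ta in ts_i.items() for b, tb in ts_r.items() if ta == tb]
    return {"phase1": agreed, "phase1_failures": failures, "transform_pairs": pairs}


# Crypto sections as posted in the thread; the 1841 is the initiator in the debugs.
CFG_1841 = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key cisco1841 address 10.5.5.5
!
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
"""
CFG_7301 = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key cisco1841 address 10.1.1.1
crypto isakmp key cisco878 address 10.1.1.4
!
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
crypto ipsec transform-set ts_cisco_180 esp-des esp-md5-hmac
"""
# Hypothetical correction (not from the thread): state the hash on the 1841 so it matches the 7301.
CFG_1841_FIXED = CFG_1841.replace(" encr 3des\n", " encr 3des\n hash md5\n")

if __name__ == "__main__":
    for label, cfg in (("1841 as posted", CFG_1841), ("1841 with 'hash md5'", CFG_1841_FIXED)):
        print(label, "->", compare_peers(cfg, CFG_7301))
```

Whichever side you change, the `hash` line has to be the same on both; removing `hash md5` from the 7301 would match just as well as adding it on the 1841. The transform-set comparison passes for the configs as posted, which is consistent with the debugs never getting past phase 1.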
Wordo wrote on 12 January 2009:

On the 1841 you route the default via 2.100 and the rest via Dialer1, but the crypto map is bound to Dialer1? Do you actually get 2.100 assigned on Dialer1?

Please set the transform set on both sides to 3DES rather than DES, if at all possible ...