Lamorte

Members
  • Total content: 15
  • Member Title: Newbie

  1. ---> Continuation

          interface Dialer1
           ip address negotiated
           ip access-group untrust in
           ip access-group trust out
           ip accounting output-packets
           ip nat outside
           ip virtual-reassembly
           encapsulation ppp
           dialer pool 1
           dialer-group 1
           no cdp enable
           ppp authentication chap callin
           ppp chap hostname *****
           ppp chap password *****
           crypto map VPN
          !
          ip local pool vpn 192.168.2.1 192.168.2.254
          ip classless
          ip route 0.0.0.0 0.0.0.0 Dialer1
          no ip http server
          no ip http secure-server
          ip nat inside source list 111 interface Dialer1 overload
          !
          ip access-list extended trust
           permit tcp any any reflect TCP-Traffic
           permit udp any any reflect UDP-Traffic
           permit icmp any any echo
           permit icmp any any echo-reply
           permit icmp any any unreachable
           permit icmp any any time-exceeded
           deny tcp any any log
           deny udp any any log
           deny ip any any
          ip access-list extended untrust
           evaluate TCP-Traffic
           evaluate UDP-Traffic
           permit icmp any any echo
           permit icmp any any echo-reply
           permit icmp any any unreachable
           permit icmp any any time-exceeded
           permit udp any any eq ntp
           permit tcp any eq ftp-data any
           permit tcp any any eq telnet
           permit udp any host 10.221.199.16 eq isakmp
           permit esp any host 10.221.199.16
           permit udp any host 10.221.199.16 eq non500-isakmp
          access-list 101 remark *** Used for Split Tunnel ***
          access-list 101 permit ip 192.168.1.0 0.0.0.255 any
          access-list 102 permit ip any 192.168.2.0 0.0.0.255
          access-list 111 remark *** NAT ***
          access-list 111 deny ip 192.168.2.0 0.0.0.255 any
          access-list 111 permit ip 192.168.1.0 0.0.0.255 any
          snmp-server community csty RO
          snmp-server enable traps tty
          !
          control-plane
          !
          line con 0
           password *****
           no modem enable
          line aux 0
          line vty 0 4
           password *****
          !
          scheduler max-task-time 5000
          no rcapi server
          !
          sntp server 131.130.1.11
          end

          ADSL#

     Please help.
  2. Hello! Unfortunately I still have the following problem: when I connect to my Cisco 836 ADSL router with the Cisco VPN Client, the tunnel is established, but I cannot send any packets through it, or rather the packets do not find their way back into the tunnel. My current config:

          ADSL#sh run
          Building configuration...

          Current configuration : 4360 bytes
          !
          ! Last configuration change at 10:39:54 MEST Tue Oct 18 2005
          ! NVRAM config last updated at 10:39:56 MEST Tue Oct 18 2005
          !
          version 12.3
          no service pad
          service timestamps debug datetime localtime
          service timestamps log datetime localtime
          service password-encryption
          service sequence-numbers
          !
          hostname ADSL
          !
          boot-start-marker
          boot-end-marker
          !
          memory-size iomem 5
          logging buffered 100000 debugging
          enable secret *****
          !
          username klaus password *****
          clock timezone MEZ 1
          clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
          aaa new-model
          !
          aaa authentication login default line
          aaa authentication login VPN-Client local
          aaa authorization network VPN-Client local
          aaa session-id common
          ip subnet-zero
          !
          ip dhcp pool clients
           network 192.168.1.0 255.255.255.0
           default-router 192.168.1.254
           dns-server 172.27.2.10 172.27.1.1
          !
          ip telnet source-interface Ethernet0
          no ip domain lookup
          ip name-server 172.27.2.10
          ip name-server 172.27.1.1
          ip cef
          ip ips po max-events 100
          ip reflexive-list timeout 180
          no ftp-server write-enable
          isdn switch-type basic-net3
          !
          crypto isakmp policy 10
           encr 3des
           authentication pre-share
           group 2
          !
          crypto isakmp client configuration group *****
           key *****
           dns 172.27.2.10 172.27.1.1
           pool vpn
          !
          crypto ipsec transform-set Strong esp-3des esp-sha-hmac
          !
          crypto dynamic-map VPN-Client 10
           set transform-set Strong
          !
          crypto map VPN client authentication list VPN-Client
          crypto map VPN isakmp authorization list VPN-Client
          crypto map VPN client configuration address respond
          crypto map VPN 500 ipsec-isakmp dynamic VPN-Client
          !
          interface Ethernet0
           ip address 192.168.1.254 255.255.255.0
           ip accounting output-packets
           ip nat inside
           ip virtual-reassembly
           crypto map VPN
           hold-queue 100 out
          !
          interface ATM0
           no ip address
           load-interval 30
           no atm ilmi-keepalive
           dsl operating-mode auto
           pvc 0/16 ilmi
           !
          !
          interface ATM0.1 point-to-point
           pvc 8/48
            encapsulation aal5mux ppp dialer
            dialer pool-member 1
           !
          !
          interface Virtual-PPP1
           no ip address
          !

     ---> Continuation
  3. I have now managed to get the tunnel established, but no data can be transferred. If, for example, I try to ping my router on its internal address 192.168.1.254, the packets do arrive there but are not sent back to the VPN client 192.168.2.xxx. Excerpts from my current config:

          aaa authentication login VPN-Client local
          aaa authorization network VPN-Client local
          !
          crypto isakmp policy 10
           encr 3des
           authentication pre-share
           group 2
          !
          crypto isakmp client configuration group *****
           key *****
           dns 172.27.2.10 172.27.1.1
           pool vpn
          !
          !
          crypto ipsec transform-set Strong esp-3des esp-sha-hmac
          !
          crypto dynamic-map VPN-Client 10
           set transform-set Strong
          !
          !
          !
          crypto map VPN client authentication list VPN-Client
          crypto map VPN isakmp authorization list VPN-Client
          crypto map VPN client configuration address respond
          crypto map VPN 500 ipsec-isakmp dynamic VPN-Client
          !
          interface Ethernet0
           ip address 192.168.1.254 255.255.255.0
           ip accounting output-packets
           ip nat inside
           ip virtual-reassembly
           hold-queue 100 out
          !
          interface Dialer1
           ip address negotiated
           ip access-group untrust in
           ip access-group trust out
           ip accounting output-packets
           ip nat outside
           ip virtual-reassembly
           encapsulation ppp
           dialer pool 1
           dialer-group 1
           no cdp enable
           ppp authentication chap callin
           ppp chap hostname *****
           ppp chap password *****
           crypto map VPN
          !
          ip local pool vpn 192.168.2.1 192.168.2.254
          ip classless
          ip route 0.0.0.0 0.0.0.0 Dialer1
          no ip http server
          no ip http secure-server
          ip nat inside source list 111 interface Dialer1 overload
          !
          !
          ip access-list extended trust
           permit tcp any any reflect TCP-Traffic
           permit udp any any reflect UDP-Traffic
           permit icmp any any echo
           permit icmp any any echo-reply
           permit icmp any any unreachable
           permit icmp any any time-exceeded
           deny tcp any any log
           deny udp any any log
           deny ip any any
          ip access-list extended untrust
           evaluate TCP-Traffic
           evaluate UDP-Traffic
           permit icmp any any echo
           permit icmp any any echo-reply
           permit icmp any any unreachable
           permit icmp any any time-exceeded
           permit udp any any eq ntp
           permit tcp any eq ftp-data any
           permit tcp any any eq telnet
           permit udp any host >dialeradresse< eq isakmp
           permit esp any host >dialeradresse<
           permit udp any host >dialeradresse< eq non500-isakmp
          access-list 101 remark *** Used for Split Tunnel ***
          access-list 101 permit ip 192.168.1.0 0.0.0.255 any
          access-list 111 remark *** NAT ***
          access-list 111 deny ip 192.168.2.0 0.0.0.255 any
          access-list 111 permit ip 192.168.1.0 0.0.0.255 any
          !

     Does anyone have an idea???
  4. I'm not making the connection between 2 routers, but between a router and a notebook with the Cisco VPN client.
  5. How can I see whether the policy finds a counterpart? The debug is at http://www.lamorte.at/debug.txt; unfortunately there is no other way to post it. The config is new and has never worked.
  6.
          ADSL#sh crypto isakmp policy
          Global IKE policy
          Protection suite of priority 3
                  encryption algorithm:   Three key triple DES
                  hash algorithm:         Message Digest 5
                  authentication method:  Pre-Shared Key
                  Diffie-Hellman group:   #2 (1024 bit)
                  lifetime:               86400 seconds, no volume limit
          Protection suite of priority 4
                  encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
                  hash algorithm:         Message Digest 5
                  authentication method:  Rivest-Shamir-Adleman Signature
                  Diffie-Hellman group:   #1 (768 bit)
                  lifetime:               86400 seconds, no volume limit
          Default protection suite
                  encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
                  hash algorithm:         Secure Hash Standard
                  authentication method:  Rivest-Shamir-Adleman Signature
                  Diffie-Hellman group:   #1 (768 bit)
                  lifetime:               86400 seconds, no volume limit
  7. Attached is the current config: http://www.lamorte.at/config.txt
     The passwords are all correct; the VPN client connects to the address that is assigned to the dialer.
     Regards, Lamorte
  8. Hello! I have set up IPSec on my Cisco 836. When I connect with the client, I am asked for the user name and password, and after that the connection is dropped. The router log shows the following message:

          005594: Sep 28 12:30:31: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at ***IP-Adresse des Rechner***

     Maybe someone can help me.
     Regards, Lamorte
  9.
          ADSL#
          000436: Mar 25 14:44:27: IPSEC(key_engine): got a queue event with 1 kei messages

     Then, after about 1 minute, the client shows error 412 Remote Peer is not longer responding
  10. Unfortunately I can't post all of that ... too many characters. Can I mail it to you? Or maybe ICQ? Regards
  11. Client:
      Host = IP address of Dialer1
      Group Authentication Name: cisco
      Password = Key
      Otherwise default settings
  12. Current config:

          ADSL#sh run
          Building configuration...

          Current configuration : 5632 bytes
          !
          ! No configuration change since last restart
          !
          version 12.3
          no service pad
          service timestamps debug datetime localtime
          service timestamps log datetime localtime
          service password-encryption
          service sequence-numbers
          !
          hostname ADSL
          !
          boot-start-marker
          boot-end-marker
          !
          memory-size iomem 5
          logging buffered 100000 debugging
          enable secret *****
          !
          username klausi password *****
          username admin privilege 15 password 7 08744D4C581700
          clock timezone MEZ 1
          clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
          aaa new-model
          !
          !
          aaa authentication login default line
          aaa authentication login userlist local
          aaa authorization network grouplist local
          aaa session-id common
          ip subnet-zero
          !
          !
          ip telnet source-interface Ethernet0
          ip name-server *****
          ip name-server *****
          ip cef
          ip ips po max-events 100
          ip reflexive-list timeout 180
          no ftp-server write-enable
          !
          !
          !
          !
          !
          crypto isakmp policy 3
           encr 3des
           hash md5
           authentication pre-share
           group 2
          !
          crypto isakmp client configuration group cisco
           key *****
           dns 172.27.2.10 172.27.1.1
           domain lamorte.at
           pool green
          !
          crypto isakmp client configuration group default
           key *****
           dns 10.2.2.2 10.3.2.3
           pool green
           acl 199
          !
          !
          crypto ipsec transform-set dessha esp-3des esp-md5-hmac
          !
          crypto dynamic-map mode 1
           set transform-set dessha
          !
          !
          crypto map mode client authentication list userlist
          crypto map mode isakmp authorization list grouplist
          crypto map mode client configuration address respond
          crypto map mode 1 ipsec-isakmp dynamic mode
          !
          !
          !
          interface Ethernet0
           ip address *****
           ip accounting output-packets
           crypto map mode
           hold-queue 100 out
          !
          interface BRI0
           no ip address
           shutdown
          !
          interface ATM0
           no ip address
           load-interval 30
           no atm ilmi-keepalive
           dsl operating-mode auto
           pvc 0/16 ilmi
           !
          !
          interface ATM0.1 point-to-point
           pvc 8/48
            encapsulation aal5mux ppp dialer
            dialer pool-member 1
           !
          !
          interface Dialer1
           ip address negotiated
           no ip unreachables
           ip accounting output-packets
           encapsulation ppp
           dialer pool 1
           dialer-group 1
           no cdp enable
           ppp authentication chap callin
           ppp chap hostname *****
           ppp chap password *****
           crypto map mode
          !
          ip local pool green 192.168.2.1 192.168.2.10
          ip classless
          ip route 0.0.0.0 0.0.0.0 Dialer1
          no ip http server
          no ip http secure-server
          !
          !
          access-list 199 permit ip 192.168.2.0 0.0.0.255 any
          access-list 199 permit ip 10.190.44.0 0.0.0.255 any
          snmp-server community csty RO
          snmp-server enable traps tty
          !
          control-plane
          !
          !
          line con 0
           password *****
           no modem enable
          line aux 0
          line vty 0 4
           password *****
          !
          scheduler max-task-time 5000
          !
          sntp server 131.130.1.11
          end

          ADSL#
  13. I now have only encr 3des; now I get the following:

          ADSL#debug crypto isakmp error
          Crypto ISAKMP Error debugging is on
          ADSL#
          000229: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
          000230: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
          000231: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
          000232: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
          000233: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
          000234: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
          000235: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
          000236: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
          000237: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
          000238: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
          000239: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
          000240: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
          000241: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
          000242: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
          000243: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
          000244: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
          000245: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
          000246: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

      -----> Prompt for the user credentials on the VPN client; after that it crashes again. The following IOS is running: c836-k9o3y6-mz.123-8.T7.bin
  14. I have now entered the commands encr des and encr 3des; after that the router crashes immediately.
  15. Hello! As soon as I try to connect to my Cisco 836 with a VPN client, I get the following error in the debug:

          ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
          ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

      Here is an excerpt from the VPN config:

          crypto isakmp policy 3
           hash md5
           authentication pre-share
           group 2
          !
          crypto isakmp client configuration group cisco
           key *******
           dns 172.27.2.10 172.27.1.1
           domain lamorte.at
           pool green
          !
          crypto ipsec transform-set dessha esp-3des esp-md5-hmac
          !
          crypto dynamic-map mode 1
           set transform-set dessha
          !
          crypto map mode client authentication list userlist
          crypto map mode isakmp authorization list grouplist
          crypto map mode client configuration address respond
          crypto map mode 1 ipsec-isakmp dynamic mode
          !
          interface Dialer1
           crypto map mode

      Maybe someone has an idea.
      Regards, Klaus