Posts by Lamorte

  1. ---> continued

    interface Dialer1
     ip address negotiated
     ip access-group untrust in
     ip access-group trust out
     ip accounting output-packets
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname *****
     ppp chap password *****
     crypto map VPN
    !
    ip local pool vpn 192.168.2.1 192.168.2.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    no ip http secure-server
    ip nat inside source list 111 interface Dialer1 overload
    !
    ip access-list extended trust
     permit tcp any any reflect TCP-Traffic
     permit udp any any reflect UDP-Traffic
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any unreachable
     permit icmp any any time-exceeded
     deny tcp any any log
     deny udp any any log
     deny ip any any
    ip access-list extended untrust
     evaluate TCP-Traffic
     evaluate UDP-Traffic
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any unreachable
     permit icmp any any time-exceeded
     permit udp any any eq ntp
     permit tcp any eq ftp-data any
     permit tcp any any eq telnet
     permit udp any host 10.221.199.16 eq isakmp
     permit esp any host 10.221.199.16
     permit udp any host 10.221.199.16 eq non500-isakmp
    access-list 101 remark *** Used for Split Tunnel ***
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip any 192.168.2.0 0.0.0.255
    access-list 111 remark *** NAT ***
    access-list 111 deny ip 192.168.2.0 0.0.0.255 any
    access-list 111 permit ip 192.168.1.0 0.0.0.255 any
    snmp-server community csty RO
    snmp-server enable traps tty
    !
    control-plane
    !
    line con 0
     password *****
     no modem enable
    line aux 0
    line vty 0 4
     password *****
    !
    scheduler max-task-time 5000
    no rcapi server
    !
    sntp server 131.130.1.11
    end

    ADSL#

    Please help

  2. Hello!

    Unfortunately I still have the following problem:

    When I connect to my Cisco 836 ADSL router with the Cisco VPN Client, the tunnel is established, but I cannot send any packets through it; the packets do not find their way back into the tunnel.

    My current config:

    ADSL#sh run
    Building configuration...

    Current configuration : 4360 bytes
    !
    ! Last configuration change at 10:39:54 MEST Tue Oct 18 2005
    ! NVRAM config last updated at 10:39:56 MEST Tue Oct 18 2005
    !
    version 12.3
    no service pad
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    service sequence-numbers
    !
    hostname ADSL
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 5
    logging buffered 100000 debugging
    enable secret *****
    !
    username klaus password *****
    clock timezone MEZ 1
    clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
    aaa new-model
    !
    aaa authentication login default line
    aaa authentication login VPN-Client local
    aaa authorization network VPN-Client local
    aaa session-id common
    ip subnet-zero
    !
    ip dhcp pool clients
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.254
     dns-server 172.27.2.10 172.27.1.1
    !
    ip telnet source-interface Ethernet0
    no ip domain lookup
    ip name-server 172.27.2.10
    ip name-server 172.27.1.1
    ip cef
    ip ips po max-events 100
    ip reflexive-list timeout 180
    no ftp-server write-enable
    isdn switch-type basic-net3
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group *****
     key *****
     dns 172.27.2.10 172.27.1.1
     pool vpn
    !
    crypto ipsec transform-set Strong esp-3des esp-sha-hmac
    !
    crypto dynamic-map VPN-Client 10
     set transform-set Strong
    !
    crypto map VPN client authentication list VPN-Client
    crypto map VPN isakmp authorization list VPN-Client
    crypto map VPN client configuration address respond
    crypto map VPN 500 ipsec-isakmp dynamic VPN-Client
    !
    interface Ethernet0
     ip address 192.168.1.254 255.255.255.0
     ip accounting output-packets
     ip nat inside
     ip virtual-reassembly
     crypto map VPN
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     load-interval 30
     no atm ilmi-keepalive
     dsl operating-mode auto
     pvc 0/16 ilmi
     !
    !
    interface ATM0.1 point-to-point
     pvc 8/48
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
    !
    interface Virtual-PPP1
     no ip address
    !

    ---> continued

  3. I have now managed to get the tunnel established, but no data can be transferred. For example, if I want to ping my router at the internal address 192.168.1.254, the packets do arrive there but are not sent back to the VPN client 192.168.2.xxx.

    Excerpts from my current config:

    aaa authentication login VPN-Client local
    aaa authorization network VPN-Client local
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group *****
     key *****
     dns 172.27.2.10 172.27.1.1
     pool vpn
    !
    !
    crypto ipsec transform-set Strong esp-3des esp-sha-hmac
    !
    crypto dynamic-map VPN-Client 10
     set transform-set Strong
    !
    !
    !
    crypto map VPN client authentication list VPN-Client
    crypto map VPN isakmp authorization list VPN-Client
    crypto map VPN client configuration address respond
    crypto map VPN 500 ipsec-isakmp dynamic VPN-Client
    !
    interface Ethernet0
     ip address 192.168.1.254 255.255.255.0
     ip accounting output-packets
     ip nat inside
     ip virtual-reassembly
     hold-queue 100 out
    !
    interface Dialer1
     ip address negotiated
     ip access-group untrust in
     ip access-group trust out
     ip accounting output-packets
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname *****
     ppp chap password *****
     crypto map VPN
    !
    ip local pool vpn 192.168.2.1 192.168.2.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    no ip http secure-server
    ip nat inside source list 111 interface Dialer1 overload
    !
    !
    ip access-list extended trust
     permit tcp any any reflect TCP-Traffic
     permit udp any any reflect UDP-Traffic
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any unreachable
     permit icmp any any time-exceeded
     deny tcp any any log
     deny udp any any log
     deny ip any any
    ip access-list extended untrust
     evaluate TCP-Traffic
     evaluate UDP-Traffic
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any unreachable
     permit icmp any any time-exceeded
     permit udp any any eq ntp
     permit tcp any eq ftp-data any
     permit tcp any any eq telnet
     permit udp any host >dialeradresse< eq isakmp
     permit esp any host >dialeradresse<
     permit udp any host >dialeradresse< eq non500-isakmp
    access-list 101 remark *** Used for Split Tunnel ***
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 111 remark *** NAT ***
    access-list 111 deny ip 192.168.2.0 0.0.0.255 any
    access-list 111 permit ip 192.168.1.0 0.0.0.255 any
    !

    Does anyone have an idea???
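A reviewer's check on configs like the ones posted here, as an added example and not code from the post or from Cisco: a small Python linter that groups an IOS running-config by indentation and flags the settings that would concern a defender in these dumps: an ISAKMP policy that omits `encr` (IOS then falls back to DES), MD5 or a small DH group, reversible `password 7` strings, an SNMP community with no access list, and an inbound WAN access list that permits telnet from anywhere. The sample config is a constructed excerpt modelled on the posts (secrets replaced by placeholders); the rule names, severities and the `ISAKMP_DEFAULTS` table are mine.

```python
"""Audit a Cisco IOS running-config excerpt for weak IKE and management settings."""
import re
from dataclasses import dataclass

# Constructed sample: excerpts modelled on the configs posted above, secrets
# replaced by placeholders, indentation as IOS 'show run' prints it.
SAMPLE_CONFIG = """\
hostname ADSL
username admin privilege 15 password 7 TYPE7-PLACEHOLDER
username klaus secret 5 TYPE5-PLACEHOLDER
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
interface Dialer1
 ip address negotiated
 ip access-group untrust in
 ip nat outside
 crypto map VPN
ip access-list extended untrust
 evaluate TCP-Traffic
 permit udp any any eq ntp
 permit tcp any any eq telnet
 permit udp any host 10.221.199.16 eq isakmp
 permit esp any host 10.221.199.16
snmp-server community csty RO
snmp-server community ro-from-lan RO 10
line vty 0 4
 password 7 TYPE7-PLACEHOLDER
"""

# Values IOS uses when a 'crypto isakmp policy' block omits the command.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def parse_blocks(config):
    """Group each indented child line under the preceding top-level line."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    findings = []
    blocks = parse_blocks(config)
    acls = {p.split()[-1]: kids for p, kids in blocks if p.startswith("ip access-list extended ")}
    for parent, kids in blocks:
        # Type 7 strings are reversibly encoded, not hashed; 'secret' lines are not flagged.
        for line in [parent, *kids]:
            if re.search(r"\bpassword 7 \S+", line):
                findings.append(Finding("high", "type7-password", line))
        if parent.startswith("crypto isakmp policy "):
            attrs = dict(ISAKMP_DEFAULTS)
            for k in kids:
                word = k.split()
                if word[0] in attrs:
                    attrs[word[0]] = word[1]
            if attrs["encr"] in ("des", "3des"):
                findings.append(Finding("high", "ike-weak-encryption", f"{parent}: encr {attrs['encr']}"))
            if attrs["hash"] == "md5":
                findings.append(Finding("medium", "ike-weak-hash", f"{parent}: hash md5"))
            if int(attrs["group"]) < 14:
                findings.append(Finding("medium", "ike-weak-dh-group", f"{parent}: group {attrs['group']}"))
        elif parent.startswith("interface ") and "ip nat outside" in kids:
            # The NAT-outside interface is the Internet-facing one.
            inbound = [m.group(1) for m in (re.match(r"ip access-group (\S+) in$", k) for k in kids) if m]
            if not inbound:
                findings.append(Finding("high", "wan-no-inbound-acl", parent))
            for name in inbound:
                for rule in acls.get(name, []):
                    if re.match(r"permit tcp any any eq (telnet|22)$", rule):
                        findings.append(Finding("high", "mgmt-exposed-on-wan", f"{parent} / {name}: {rule}"))
        elif parent.startswith("snmp-server community "):
            words = parent.split()
            mode = next((i for i, w in enumerate(words) if w.upper() in ("RO", "RW")), None)
            # A token after RO/RW is the access list restricting who may query the community.
            if mode is not None and len(words) == mode + 1:
                findings.append(Finding("high", "snmp-community-no-acl", parent))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

On the sample this reports nine findings. The fixes are the usual IOS ones: `username ... secret` instead of `password 7`, an access list after `RO` on the community line, and no `permit tcp any any eq telnet` in the WAN-inbound list; management access belongs on the vty lines with `access-class` and `transport input ssh`.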

  4. ADSL#sh crypto isakmp policy

    Global IKE policy
    Protection suite of priority 3
            encryption algorithm:   Three key triple DES
            hash algorithm:         Message Digest 5
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Protection suite of priority 4
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Message Digest 5
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit

  5. Hello!

    I have set up IPsec on my Cisco 836. When I connect with the client, I am asked for username and password, and after that the connection is disconnected.

    The router log shows the following message:

    005594: Sep 28 12:30:31: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at ***IP-Adresse des Rechner***

    Perhaps someone can help me.

    Regards, Lamorte

  6. Current config:

    ADSL#sh run
    Building configuration...

    Current configuration : 5632 bytes
    !
    ! No configuration change since last restart
    !
    version 12.3
    no service pad
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    service sequence-numbers
    !
    hostname ADSL
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 5
    logging buffered 100000 debugging
    enable secret *****
    !
    username klausi password *****
    username admin privilege 15 password 7 08744D4C581700
    clock timezone MEZ 1
    clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
    aaa new-model
    !
    !
    aaa authentication login default line
    aaa authentication login userlist local
    aaa authorization network grouplist local
    aaa session-id common
    ip subnet-zero
    !
    !
    ip telnet source-interface Ethernet0
    ip name-server *****
    ip name-server *****
    ip cef
    ip ips po max-events 100
    ip reflexive-list timeout 180
    no ftp-server write-enable
    !
    !
    !
    !
    !
    crypto isakmp policy 3
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group cisco
     key *****
     dns 172.27.2.10 172.27.1.1
     domain lamorte.at
     pool green
    !
    crypto isakmp client configuration group default
     key *****
     dns 10.2.2.2 10.3.2.3
     pool green
     acl 199
    !
    !
    crypto ipsec transform-set dessha esp-3des esp-md5-hmac
    !
    crypto dynamic-map mode 1
     set transform-set dessha
    !
    !
    crypto map mode client authentication list userlist
    crypto map mode isakmp authorization list grouplist
    crypto map mode client configuration address respond
    crypto map mode 1 ipsec-isakmp dynamic mode
    !
    !
    !
    interface Ethernet0
     ip address *****
     ip accounting output-packets
     crypto map mode
     hold-queue 100 out
    !
    interface BRI0
     no ip address
     shutdown
    !
    interface ATM0
     no ip address
     load-interval 30
     no atm ilmi-keepalive
     dsl operating-mode auto
     pvc 0/16 ilmi
     !
    !
    interface ATM0.1 point-to-point
     pvc 8/48
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
    !
    interface Dialer1
     ip address negotiated
     no ip unreachables
     ip accounting output-packets
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname *****
     ppp chap password *****
     crypto map mode
    !
    ip local pool green 192.168.2.1 192.168.2.10
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    no ip http secure-server
    !
    !
    access-list 199 permit ip 192.168.2.0 0.0.0.255 any
    access-list 199 permit ip 10.190.44.0 0.0.0.255 any
    snmp-server community csty RO
    snmp-server enable traps tty
    !
    control-plane
    !
    !
    line con 0
     password *****
     no modem enable
    line aux 0
    line vty 0 4
     password *****
    !
    scheduler max-task-time 5000
    !
    sntp server 131.130.1.11
    end

    ADSL#

  7. I now have only encr 3des

    Now I get the following:

    ADSL#debug crypto isakmp error
    Crypto ISAKMP Error debugging is on
    ADSL#
    000229: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
    000230: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
    000231: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
    000232: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
    000233: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
    000234: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
    000235: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
    000236: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
    000237: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
    000238: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
    000239: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
    000240: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
    000241: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
    000242: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
    000243: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
    000244: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
    000245: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
    000246: Mar 25 12:43:01: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

    -----> prompt for user credentials on the VPN client:

    after that it crashes again,
    the following IOS is running: c836-k9o3y6-mz.123-8.T7.bin

  8. Hello!

    As soon as I try to connect to my Cisco 836 with a VPN client, I get the following error in the debug output:

    ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
    ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

    Here is an excerpt from the VPN config:

    crypto isakmp policy 3
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group cisco
     key *******
     dns 172.27.2.10 172.27.1.1
     domain lamorte.at
     pool green
    !
    crypto ipsec transform-set dessha esp-3des esp-md5-hmac
    !
    crypto dynamic-map mode 1
     set transform-set dessha
    !
    crypto map mode client authentication list userlist
    crypto map mode isakmp authorization list grouplist
    crypto map mode client configuration address respond
    crypto map mode 1 ipsec-isakmp dynamic mode
    !
    interface Dialer1
     crypto map mode

    Maybe someone has an idea

    Regards, Klaus
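What the "Encryption algorithm offered does not match policy!" and "Hash algorithm offered does not match policy!" lines in posts 7 and 8 are reporting is IKEv1 phase 1 proposal selection: the responder checks every transform the client offers against its `crypto isakmp policy` entries and needs one entry that matches encryption, hash, authentication method and DH group all at once. The model below is an added example written for this page, not the router's code or Cisco's. It parses `show crypto isakmp policy` output in the shape posted in post 4 (constructed copy, with only the priority-3 suite and the default suite), then runs a constructed client offer against it and against a "before" policy 3 that omits `encr`, which is what post 8's excerpt shows. The check order, the priority number 65535 for the default suite, the `CLIENT_PROPOSALS` list and the last two `MISMATCH` strings are my assumptions; the first two strings are the ones in the debug output.

```python
"""IKEv1 phase 1 policy selection, modelled on the responder behaviour behind the debug lines above."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    priority: int
    encr: str
    hash: str
    auth: str
    group: int


@dataclass(frozen=True)
class Proposal:
    """One transform offered by the initiator (the VPN client)."""
    encr: str
    hash: str
    auth: str
    group: int


# Constructed sample in the shape of the 'show crypto isakmp policy' output posted above.
SHOW_POLICY = """\
Global IKE policy
Protection suite of priority 3
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Constructed client offer: AES and 3DES with SHA-1 or MD5, group 2, pre-shared key
# (the client's XAUTH pre-shared variant is modelled as plain 'pre-share' here).
CLIENT_PROPOSALS = [
    Proposal("aes", "sha", "pre-share", 2),
    Proposal("aes", "md5", "pre-share", 2),
    Proposal("3des", "sha", "pre-share", 2),
    Proposal("3des", "md5", "pre-share", 2),
]

# First two strings appear in the router debug above; the last two are my own wording.
MISMATCH = {
    "encr": "Encryption algorithm offered does not match policy!",
    "hash": "Hash algorithm offered does not match policy!",
    "auth": "Authentication method offered does not match policy!",
    "group": "Diffie-Hellman group offered does not match policy!",
}

DEFAULT_PRIORITY = 65535  # assumed: the built-in suite is tried after every configured one


def parse_show_policy(text):
    """Turn 'show crypto isakmp policy' output into Policy objects, lowest priority number first."""
    suites, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m or line == "Default protection suite":
            cur = {"priority": int(m.group(1)) if m else DEFAULT_PRIORITY}
            suites.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            if key == "encryption algorithm":
                cur["encr"] = "aes" if "AES" in val else "3des" if "triple DES" in val else "des"
            elif key == "hash algorithm":
                cur["hash"] = "md5" if "Message Digest 5" in val else "sha"
            elif key == "authentication method":
                cur["auth"] = "pre-share" if "Pre-Shared" in val else "rsa-sig"
            elif key == "Diffie-Hellman group":
                cur["group"] = int(re.search(r"#(\d+)", val).group(1))
    return [Policy(**s) for s in sorted(suites, key=lambda s: s["priority"])]


def negotiate(policies, proposals):
    """Check each offered transform against every policy in priority order; the first full match wins.
    Returns (proposal index, policy priority, mismatch log), or (None, None, log) when nothing fits."""
    log = []
    for i, prop in enumerate(proposals):
        for pol in sorted(policies, key=lambda p: p.priority):
            bad = [a for a in ("encr", "hash", "auth", "group") if getattr(prop, a) != getattr(pol, a)]
            if not bad:
                return i, pol.priority, log
            log.append(f"transform {i} vs priority {pol.priority}: {MISMATCH[bad[0]]}")
    return None, None, log


if __name__ == "__main__":
    policies = parse_show_policy(SHOW_POLICY)
    print("with encr 3des:", negotiate(policies, CLIENT_PROPOSALS)[:2])
    before = [Policy(3, "des", "md5", "pre-share", 2), policies[-1]]  # policy 3 without 'encr'
    idx, prio, log = negotiate(before, CLIENT_PROPOSALS)
    print("without encr:", idx, prio, len(log), "mismatches")
```

With `encr 3des` present the fourth transform matches priority 3 after six logged mismatches, the last one being the hash line seen in post 7. With policy 3 left at its DES default, every transform fails on encryption, which is the repeated message in post 8; the Phase 1 outcome therefore depends on the policy as a whole, and a client that does not offer DES cannot be rescued by `hash md5` alone.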
