nimrod_

Members, Member Title: Newbie
Total content: 32, Reputation in the community: 11

  1. I had already tried the following earlier (this is still the old config, not yet adapted accordingly):

        crypto keyring l2tp vrf vpngreen
          pre-shared-key address 0.0.0.0 0.0.0.0 key ewetel
        !
        crypto isakmp policy 1
         encr 3des
         authentication pre-share
         group 2
        crypto isakmp key ewetel address 10.5.5.5
        crypto isakmp keepalive 45 3
        !
        crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
        crypto ipsec transform-set l2tp esp-3des esp-sha-hmac
        !
        crypto dynamic-map vpn-dyn 10
         set transform-set l2tp
        !
        crypto map vpn 6000 ipsec-isakmp dynamic vpn-dyn

     – Damn, you were faster... I'll have a look at it *loading*

     – OK, I've applied that now... no change. I couldn't do it exactly the way the guide says. Here are my changes:

     7301

        crypto keyring l2tp vrf vpngreen
          pre-shared-key address 0.0.0.0 0.0.0.0 key ewetel
        !
        crypto isakmp policy 1
         encr 3des
         hash md5
         authentication pre-share
         group 2
        crypto isakmp key ewetel address 10.1.1.1
        crypto isakmp key ewetel address 10.1.1.4
        crypto isakmp keepalive 45 3
        !
        crypto ipsec transform-set l2tp esp-3des esp-sha-hmac
        !
        crypto dynamic-map vpn-dyn 10
         set transform-set l2tp
        !
        crypto map vpn 6000 ipsec-isakmp dynamic vpn-dyn
        !
        interface Loopback1
         crypto map vpn
        !
        access-list 100 permit ip any 192.168.1.0 0.0.0.255
        access-list 100 permit ip any 192.168.100.0 0.0.0.255

     1841

        crypto isakmp policy 1
         encr 3des
         hash md5
         authentication pre-share
         group 2
         lifetime 500
        crypto isakmp key ewetel address 10.5.5.5
        crypto ipsec transform-set ts_cisco_170 esp-3des esp-sha-hmac
        !
        crypto map cm_D1 17 ipsec-isakmp
         set peer 10.5.5.5
         set transform-set ts_cisco_170
         match address 170
        !
        interface Dialer1
         crypto map cm_D1
        !
        access-list 170 permit ip 192.168.1.0 0.0.0.255 any
  2. OK, then I'll give that a try... I'll find out soon enough if anyone has problems... the phone isn't far away^^ *g*

     Here once more the individual crypto config parts:

        !======HUB=======
        crypto isakmp policy 1
         encr 3des
         hash md5
         authentication pre-share
         group 2
         lifetime 500
        crypto isakmp key cisco1841 address 10.1.1.1
        crypto isakmp key cisco878 address 10.1.1.4
        crypto ipsec transform-set ts_cisco_170 esp-3des esp-md5-hmac
        crypto ipsec transform-set ts_cisco_180 esp-3des esp-md5-hmac
        !
        crypto map cm_L1 17 ipsec-isakmp
         set peer 10.1.1.1
         set transform-set ts_cisco_170
         match address 170
        !
        crypto map cm_L1 18 ipsec-isakmp
         set peer 10.1.1.4
         set transform-set ts_cisco_180
         match address 180
        !
        interface Loopback1
         crypto map cm_L1
        !
        access-list 170 permit ip any 192.168.1.0 0.0.0.255
        access-list 180 permit ip any 192.168.100.0 0.0.0.255

        !=====SPOKE 2 1841======
        crypto isakmp policy 1
         encr 3des
         hash md5
         authentication pre-share
         group 2
         lifetime 500
        crypto isakmp key cisco1841 address 10.5.5.5
        crypto ipsec transform-set ts_cisco_170 esp-3des esp-md5-hmac
        !
        crypto map cm_D1 17 ipsec-isakmp
         set peer 10.5.5.5
         set transform-set ts_cisco_170
         match address 170
        !
        interface Dialer1
         crypto map cm_D1
        !
        access-list 170 permit ip 192.168.1.0 0.0.0.255 any

        !=====SPOKE 2 878======
        crypto isakmp policy 1
         encr 3des
         hash md5
         authentication pre-share
         group 2
         lifetime 500
        crypto isakmp key cisco878 address 10.5.5.5
        crypto ipsec transform-set ts_cisco_180 esp-3des esp-md5-hmac
        !
        crypto map cm_D1 18 ipsec-isakmp
         set peer 10.5.5.5
         set transform-set ts_cisco_180
         match address 180
        !
        interface Dialer1
         crypto map cm_D1
        !
        access-list 180 permit ip 192.168.100.0 0.0.0.255 any

     – I just noticed something else... apparently only one of the two crypto maps on the 7301 is being used... that's not really what's intended... is a dynamic map the best way to implement this?
  3. Unfortunately it's production... I've reverted my changes again and am trying to write the config in fresh... I'm just confused why none of this works -.-
  4. I have to admit I only understood half of it. The 7301 is in a cluster (that's why I'm unsure about disabling HSRP). If you could give me another hint about what you mean by ip unnumbered on lo1, I'd be very grateful.
  5. Ping from the 1841:

        *Jan 12 14:10:06: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.5.5.5,
            local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
            remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
            protocol= ESP, transform= NONE (Tunnel),
            lifedur= 3600s and 4608000kb,
            spi= 0x29949A0E(697604622), conn_id= 0, keysize= 0, flags= 0x0
        *Jan 12 14:10:06: ISAKMP: set new node 0 to QM_IDLE
        *Jan 12 14:10:06: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.1.1.1, remote 10.5.5.5)
        *Jan 12 14:10:06: ISAKMP: Error while processing SA request: Failed to initialize SA
        *Jan 12 14:10:06: ISAKMP: Error while processing KMI message 0, error 2.
        .....
        Success rate is 0 percent (0/5)
        c1841-eth#
        *Jan 12 14:10:32: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.1.1, src_addr= 10.5.5.5, prot= 1
        *Jan 12 14:10:36: IPSEC(key_engine): request timer fired: count = 1,
            (identity) local= 10.1.1.1, remote= 10.5.5.5,
            local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
            remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
        *Jan 12 14:10:36: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.5.5.5,
            local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
            remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
            protocol= ESP, transform= NONE (Tunnel),
            lifedur= 3600s and 4608000kb,
            spi= 0xAAFD1B70(2868714352), conn_id= 0, keysize= 0, flags= 0x0
        *Jan 12 14:10:36: ISAKMP: set new node 0 to QM_IDLE
        *Jan 12 14:10:36: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.1.1.1, remote 10.5.5.5)
        *Jan 12 14:10:36: ISAKMP: Error while processing SA request: Failed to initialize SA
        *Jan 12 14:10:36: ISAKMP: Error while processing KMI message 0, error 2.
        *Jan 12 14:11:06: IPSEC(key_engine): request timer fired: count = 2,
            (identity) local= 10.1.1.1, remote= 10.5.5.5,
            local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
            remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

     Ping from the 7301:

        *Jan 12 14:18:19: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.1.1, src_addr= 10.5.5.5, prot= 1

     Both outputs are from the 1841.
  6.

        Jan 12 12:44:13.022: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.1.1.1)
        Jan 12 12:44:13.022: ISAKMP:(0): processing vendor id payload
        Jan 12 12:44:13.022: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
        Jan 12 12:44:13.022: ISAKMP (0:0): vendor ID is NAT-T v7
        Jan 12 12:44:13.022: ISAKMP:(0): processing vendor id payload
        Jan 12 12:44:13.022: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
        Jan 12 12:44:13.022: ISAKMP:(0): vendor ID is NAT-T v3
        Jan 12 12:44:13.022: ISAKMP:(0): processing vendor id payload
        Jan 12 12:44:13.022: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
        Jan 12 12:44:13.022: ISAKMP:(0): vendor ID is NAT-T v2
        Jan 12 12:44:13.022: ISAKMP (0:0): FSM action returned error: 2
        Jan 12 12:44:13.022: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
        Jan 12 12:44:13.022: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
        Jan 12 12:44:13.022: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.1.1.1)
        Jan 12 12:44:13.022: ISAKMP: Unlocking peer struct 0x66F88A38 for isadb_mark_sa_deleted(), count 0
        Jan 12 12:44:13.022: ISAKMP: Deleting peer node by peer_reap for 10.1.1.1: 66F88A38
        Jan 12 12:44:13.022: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
        Jan 12 12:44:13.022: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA
        Jan 12 12:44:13.022: IPSEC(key_engine): got a queue event with 1 KMI message(s)
        Jan 12 12:44:13.022: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 10.1.1.1)
        Jan 12 12:44:13.022: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
        Jan 12 12:44:13.022: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
  7. Yes, right, the default route was still a relic from another setup that belongs to this topic. I've now put the default route on the dialer. I changed the transform-set to 3des.

        Jan 12 12:44:13.022: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 vpngreen (N) NEW SA
        Jan 12 12:44:13.022: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
        Jan 12 12:44:13.022: ISAKMP: New peer created peer = 0x66F88A38 peer_handle = 0x80000020
        Jan 12 12:44:13.022: ISAKMP: Locking peer struct 0x66F88A38, refcount 1 for crypto_isakmp_process_block
        Jan 12 12:44:13.022: ISAKMP: local port 500, remote port 500
        Jan 12 12:44:13.022: insert sa successfully sa = 66F841E4
        Jan 12 12:44:13.022: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
        Jan 12 12:44:13.022: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
        Jan 12 12:44:13.022: ISAKMP:(0): processing SA payload. message ID = 0
        Jan 12 12:44:13.022: ISAKMP:(0): processing vendor id payload
        Jan 12 12:44:13.022: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
        Jan 12 12:44:13.022: ISAKMP (0:0): vendor ID is NAT-T v7
        Jan 12 12:44:13.022: ISAKMP:(0): processing vendor id payload
        Jan 12 12:44:13.022: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
        Jan 12 12:44:13.022: ISAKMP:(0): vendor ID is NAT-T v3
        Jan 12 12:44:13.022: ISAKMP:(0): processing vendor id payload
        Jan 12 12:44:13.022: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
        Jan 12 12:44:13.022: ISAKMP:(0): vendor ID is NAT-T v2
        Jan 12 12:44:13.022: ISAKMP:(0):No pre-shared key with 10.1.1.1!
        Jan 12 12:44:13.022: ISAKMP : Scanning profiles for xauth ...
        Jan 12 12:44:13.022: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
        Jan 12 12:44:13.022: ISAKMP:      encryption 3DES-CBC
        Jan 12 12:44:13.022: ISAKMP:      hash SHA
        Jan 12 12:44:13.022: ISAKMP:      default group 2
        Jan 12 12:44:13.022: ISAKMP:      auth pre-share
        Jan 12 12:44:13.022: ISAKMP:      life type in seconds
        Jan 12 12:44:13.022: ISAKMP:      life duration (basic) of 500
        Jan 12 12:44:13.022: ISAKMP:(0):Hash algorithm offered does not match policy!
        Jan 12 12:44:13.022: ISAKMP:(0):atts are not acceptable. Next payload is 0
        Jan 12 12:44:13.022: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
        Jan 12 12:44:13.022: ISAKMP:      encryption 3DES-CBC
        Jan 12 12:44:13.022: ISAKMP:      hash SHA
        Jan 12 12:44:13.022: ISAKMP:      default group 2
        Jan 12 12:44:13.022: ISAKMP:      auth pre-share
        Jan 12 12:44:13.022: ISAKMP:      life type in seconds
        Jan 12 12:44:13.022: ISAKMP:      life duration (basic) of 500
        Jan 12 12:44:13.022: ISAKMP:(0):Encryption algorithm offered does not match policy!
        Jan 12 12:44:13.022: ISAKMP:(0):atts are not acceptable. Next payload is 0
        Jan 12 12:44:13.022: ISAKMP:(0):no offers accepted!
        Jan 12 12:44:13.022: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.5.5.5 remote 10.1.1.1)
        Jan 12 12:44:13.022: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
        Jan 12 12:44:13.022: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) MM_NO_STATE
        Jan 12 12:44:13.022: ISAKMP:(0):Sending an IKE IPv4 Packet.
        Jan 12 12:44:13.022: ISAKMP:(0):peer does not do paranoid keepalives.
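The responder-side lines in the debug above ("Checking ISAKMP transform 1 against priority 1 policy", the offered attributes, "... offered does not match policy!") are what IOS prints while it tries the peer's Phase 1 proposal against each local `crypto isakmp policy` in priority order, finishing with the priority-65535 entry, which is the IOS built-in default policy (DES, SHA, RSA signatures, group 1, 86400 s). The script below is an added example and not code from this thread: it parses such a block and reports, per local policy, which attribute caused the rejection, and it also picks up the `No pre-shared key with ...` and `Notify has no hash. Rejected.` lines that occur elsewhere on this page. Its sample debug is constructed to mirror the 7301 output above, not a verbatim capture. It goes one step beyond the debug above by decoding the `life duration (VPI) of 0x0 0x1 0x51 0x80` form that the other 7301 debug on this page shows, which is the lifetime as a big-endian byte string (86400 s).

```python
import re

# Constructed sample modelled on the 7301 debug above (not a verbatim capture): the
# peer offers 3DES/SHA/group 2/pre-share/500 s; the local priority-1 policy wants MD5
# and the built-in priority-65535 default policy wants DES, so nothing is accepted.
SAMPLE = """\
Jan 12 12:44:13.022: ISAKMP:(0):No pre-shared key with 10.1.1.1!
Jan 12 12:44:13.022: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Jan 12 12:44:13.022: ISAKMP:      encryption 3DES-CBC
Jan 12 12:44:13.022: ISAKMP:      hash SHA
Jan 12 12:44:13.022: ISAKMP:      default group 2
Jan 12 12:44:13.022: ISAKMP:      auth pre-share
Jan 12 12:44:13.022: ISAKMP:      life type in seconds
Jan 12 12:44:13.022: ISAKMP:      life duration (basic) of 500
Jan 12 12:44:13.022: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 12 12:44:13.022: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 12 12:44:13.022: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jan 12 12:44:13.022: ISAKMP:      encryption 3DES-CBC
Jan 12 12:44:13.022: ISAKMP:      hash SHA
Jan 12 12:44:13.022: ISAKMP:      default group 2
Jan 12 12:44:13.022: ISAKMP:      auth pre-share
Jan 12 12:44:13.022: ISAKMP:      life type in seconds
Jan 12 12:44:13.022: ISAKMP:      life duration (basic) of 500
Jan 12 12:44:13.022: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 12 12:44:13.022: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 12 12:44:13.022: ISAKMP:(0):no offers accepted!
Jan 12 12:44:13.022: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.5.5.5 remote 10.1.1.1)
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
LIFE_RE = re.compile(r"life duration \((basic|VPI)\) of\s+(.+?)\s*$")
REJECT_RE = re.compile(r"ISAKMP:\(\d+\):(.+?) offered (?:but )?does not match policy")
PSK_RE = re.compile(r"No pre-shared key with (\S+)!")
P1FAIL_RE = re.compile(r"phase 1 SA policy not acceptable! \(local (\S+) remote (\S+)\)")


def lifetime_seconds(encoding, value):
    """IKE lifetime attribute: 'basic' carries the number itself; 'VPI' (variable
    length) is a big-endian byte string that IOS prints as 0x.. bytes."""
    if encoding == "basic":
        return int(value)
    return int.from_bytes(bytes(int(b, 16) for b in value.split()), "big")


def triage(debug_text):
    """Walk responder-side `debug crypto isakmp` output and collect, per local
    policy priority, the attributes the peer offered and the verdict IOS reached."""
    report = {"psk_missing": [], "policies": {}, "phase1_failed": None, "notify_rejected": False}
    cur = None
    for line in debug_text.splitlines():
        m = PSK_RE.search(line)
        if m:
            report["psk_missing"].append(m.group(1))
            continue
        m = P1FAIL_RE.search(line)
        if m:
            report["phase1_failed"] = {"local": m.group(1), "remote": m.group(2)}
            continue
        if "Notify has no hash. Rejected" in line:        # initiator side of the same failure
            report["notify_rejected"] = True
            continue
        m = CHECK_RE.search(line)
        if m:                                             # a new local policy is being tried
            cur = {"transform": int(m.group(1)), "offered": {}, "verdict": "no verdict logged"}
            report["policies"][int(m.group(2))] = cur
            continue
        if cur is None:
            continue
        m = ATTR_RE.search(line)
        if m:
            cur["offered"][m.group(1).replace("default ", "")] = m.group(2)
            continue
        m = LIFE_RE.search(line)
        if m:
            cur["offered"]["lifetime"] = lifetime_seconds(m.group(1), m.group(2))
            continue
        m = REJECT_RE.search(line)
        if m:
            cur["verdict"] = "rejected: " + m.group(1).strip().lower()
        elif "atts are acceptable" in line:
            cur["verdict"] = "accepted"
    return report


def summarize(report):
    """One line per local policy, plus the key and notify findings."""
    out = []
    for prio, p in sorted(report["policies"].items()):
        o = p["offered"]
        out.append("local policy %d vs peer transform %d (%s/%s/group %s/%s/%ss): %s" % (
            prio, p["transform"], o.get("encryption"), o.get("hash"), o.get("group"),
            o.get("auth"), o.get("lifetime"), p["verdict"]))
    for peer in report["psk_missing"]:
        out.append("no pre-shared key found for %s in the key table/keyring this interface uses" % peer)
    if report["notify_rejected"]:
        out.append("peer answered with an unhashed notify before a Phase 1 SA existed "
                   "(what the initiator sees when the responder rejects the proposal)")
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE)):
        print(line)
```

Run it against a pasted `debug crypto isakmp` capture from the responder; the per-policy verdict tells you which side to change, and a "no pre-shared key" line with an otherwise matching policy points at key placement (global table versus a VRF-bound keyring) rather than at the policy.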
  8.

        !
        control-plane
        !
        gatekeeper
         shutdown
        !
        line con 0
         password 7 XXX
         logging synchronous
         login authentication local
         transport output all
         stopbits 1
        line aux 0
         transport output all
         stopbits 1
        line vty 0 4
         session-timeout 30
         access-class 10 in
         exec-timeout 30 0
         privilege level 15
         login authentication ssh
         transport input ssh
         transport output all
        !
        exception data-corruption buffer truncate
        ntp clock-period 17179886
        ntp server 212.6.108.160
        ntp server 212.6.108.161
        !
        webvpn cef
        !
        end

     Config 1841

        version 12.4
        service timestamps debug datetime localtime
        service timestamps log datetime localtime
        service password-encryption
        !
        hostname c1841-eth
        !
        boot-start-marker
        boot-end-marker
        !
        logging buffered 4096 debugging
        enable password 7 121A0C041104
        !
        no aaa new-model
        !
        resource policy
        !
        clock timezone MET 1
        clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
        ip cef
        !
        no ip domain lookup
        !
        username cisco password 7 070C285F4D06
        !
        controller E1 0/0/0
         channel-group 0 timeslots 1-31
         description *** Backup ***
        !
        crypto isakmp policy 1
         encr 3des
         authentication pre-share
         group 2
         lifetime 500
        crypto isakmp key cisco1841 address 10.5.5.5
        !
        crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
        !
        crypto map cm_D1 17 ipsec-isakmp
         set peer 10.5.5.5
         set transform-set ts_cisco_170
         match address 170
        !
        interface FastEthernet0/0
         description --> HAG 10Mbit/s
         no ip address
         speed 100
         half-duplex
         pppoe enable
         pppoe-client dial-pool-number 1
         traffic-shape rate 2048000 102400 102400 1000
        !
        interface FastEthernet0/1
         ip address 192.168.1.1 255.255.255.0
         duplex auto
         speed auto
         no keepalive
         no cdp enable
        !
        interface Serial0/0/0:0
         description --> Backup 2Mbit/s
         mtu 1448
         ip address negotiated
         encapsulation ppp
         ip tcp adjust-mss 1400
         traffic-shape rate 1024000 25600 25600 1000
         no cdp enable
         ppp pap sent-username vpnline-test@fvr password 7 0402133F217668462A
        !
        interface Dialer1
         description 1Mbit/s-Verbindung
         ip address negotiated
         ip mtu 1492
         encapsulation ppp
         ip tcp adjust-mss 1420
         dialer pool 1
         dialer-group 1
         no cdp enable
         ppp authentication pap callin
         ppp pap sent-username vpnline-test-eth@fvr-eth password 7 141610085D5679
         crypto map cm_D1
        !
        ip route 0.0.0.0 0.0.0.0 192.168.2.100
        ip route 10.1.1.0 255.255.255.0 Dialer1
        ip route 192.168.2.0 255.255.255.0 Dialer1
        ip route 192.168.3.0 255.255.255.0 Dialer1
        !
        ip http server
        no ip http secure-server
        !
        access-list 170 permit ip 192.168.1.0 0.0.0.255 any
        disable-eadi
        no cdp run
        !
        control-plane
        !
        line con 0
         exec-timeout 0 0
         login local
        line aux 0
        line vty 0 4
         password 7 05080F1C2243
         logging synchronous
         login local
         transport input all
        !
        scheduler allocate 20000 1000
        ntp clock-period 17178708
        ntp server 10.1.1.250
        !
        webvpn context Default_context
         ssl authenticate verify all
         !
         no inservice
        !
        end
  9.

        !
        interface Loopback0
         ip address 10.6.6.6 255.255.255.255
        !
        interface Loopback1
         ip vrf forwarding vpngreen
         ip address 10.5.5.5 255.255.255.255
         crypto map cm_L1
        !
        interface Loopback2
         ip vrf forwarding vpnred
         ip address 10.7.7.7 255.255.255.255
        !
        interface Loopback148
         no ip address
        !
        interface Port-channel1
         no ip address
         hold-queue 150 in
        !
        interface Port-channel1.158
         description VPNRED
         encapsulation dot1Q 158
         ip vrf forwarding vpnred
         ip address 10.0.0.2 255.255.255.0
         standby version 2
         standby 158 ip 10.0.0.1
         standby 158 follow access
         standby 158 priority 101
        !
        interface Port-channel1.159
         description VPNGREEN
         encapsulation dot1Q 159
         ip vrf forwarding vpngreen
         ip address 10.0.0.2 255.255.255.0
         standby version 2
         standby 159 ip 10.0.0.1
         standby 159 follow access
         standby 159 priority 101
        !
        interface Port-channel1.160
         encapsulation dot1Q 160
         ip address 85.16.116.253 255.255.255.248
         standby delay minimum 30 reload 60
         standby version 2
         standby 1 ip 85.16.116.254
         standby 1 priority 101
         standby 1 name access
         standby 1 track Port-channel1.159 100
         standby 1 track Port-channel1.158 100
        !
        interface GigabitEthernet0/0
         description gig0/0, QinQ-Trunk VL450, vtsw302-1-gi10/37
         no ip address
         duplex full
         speed 1000
         media-type rj45
         no negotiation auto
         channel-group 1
         standby version 2
        !
        interface GigabitEthernet0/1
         description gig0/1, QinQ-Trunk VL450, vtsw302-1-gi10/38
         no ip address
         duplex full
         speed 1000
         media-type rj45
         no negotiation auto
         channel-group 1
         standby version 2
        !
        interface GigabitEthernet0/2
         no ip address
         duplex auto
         speed auto
         media-type rj45
         no negotiation auto
        !
        interface Virtual-Template1
         ip unnumbered Loopback0
         ip tcp adjust-mss 1400
         peer default ip address pool addresspool
         ppp authentication pap
         ppp authorization vpdn
         ppp multilink
         ppp multilink fragment disable
        !
        interface Virtual-Template2
         ip unnumbered Loopback0
         ip tcp adjust-mss 1400
         peer default ip address pool addresspool
         ppp authentication chap
         ppp authorization vpdn
        !
        interface Dialer1
         no ip address
        !
        ip local pool vpnred 192.168.10.1 192.168.10.254 group vpnred
        ip local pool vpngreen-admin 192.168.10.1 192.168.10.127 group vpngreen
        ip local pool vpngreen-user 192.168.10.128 192.168.10.191 group vpngreen
        ip local pool vpngreen-extern 192.168.10.192 192.168.10.254 group vpngreen
        ip route 0.0.0.0 0.0.0.0 85.16.116.249
        ip route vrf vpngreen 192.168.1.0 255.255.255.0 10.1.1.1
        ip route vrf vpngreen 192.168.100.0 255.255.255.0 10.1.1.4
        ip route vrf vpnred 0.0.0.0 0.0.0.0 10.0.0.10
        no ip http server
        no ip http secure-server
        !
        logging alarm informational
        logging trap warnings
        logging facility local6
        logging source-interface Port-channel1.160
        logging 80.228.31.129
        access-list 170 permit ip any 192.168.1.0 0.0.0.255
        access-list 180 permit ip any 192.168.100.0 0.0.0.255
        !
        radius-server attribute 44 include-in-access-req
        no radius-server attribute 77 include-in-access-req
        radius-server attribute 32 include-in-access-req format XXX        <-- anonymised
        radius-server attribute 32 include-in-accounting-req format XXX    <-- anonymised
        no radius-server attribute nas-port
        radius-server host 80.228.120.23 auth-port 1812 acct-port 1813 key 7 XXX
        radius-server host 80.228.120.24 auth-port 1812 acct-port 1813 key 7 XXX
        radius-server host 212.6.123.100 auth-port 1812 acct-port 1813 non-standard key 7 XXX
        radius-server host 212.6.120.1 auth-port 1812 acct-port 1813 non-standard key 7 XXX
        radius-server host 212.6.120.4 auth-port 1812 acct-port 1813 non-standard key 7 XXX
        radius-server host 85.16.255.39 auth-port 1812 acct-port 1813 key 7 XXX
        radius-server host 80.228.16.21 auth-port 1812 acct-port 1813 key 7 XXX
        radius-server host 80.228.16.100 auth-port 1812 acct-port 1813 key 7 XXX
        radius-server vsa send accounting
        radius-server vsa send authentication
  10. Phew, this one is a bit more extensive... it'll take a while to sanitise it, I'll get right on it.

     – Config 7301

        version 12.4
        service timestamps debug datetime msec
        service timestamps log datetime msec
        service password-encryption
        service internal
        service compress-config
        !
        hostname stan-cisco-cl-lab-90739504
        !
        boot-start-marker
        boot system flash c7301-advipservicesk9-mz.124-11.T4.bin
        boot-end-marker
        !
        logging buffered 4096
        no logging rate-limit
        enable secret 5 $1$rp31$1IBDSgPtGT45YGSq.tnzW0
        !
        aaa new-model
        !
        aaa group server radius auth_server
         server 80.228.16.100 auth-port 1812 acct-port 1813
         server 80.228.16.21 auth-port 1812 acct-port 1813
        !
        aaa group server radius auth_admin
         server 80.228.120.23 auth-port 1812 acct-port 1813
         server 80.228.120.24 auth-port 1812 acct-port 1813
        !
        aaa group server radius acc_server
         server 212.6.123.100 auth-port 1812 acct-port 1813
        !
        aaa authentication login default group auth_admin
        aaa authentication login console local
        aaa authentication login ssh local group auth_admin
        aaa authentication login sdm_vpn_xauth_ml_1 local
        aaa authentication ppp default group auth_server
        aaa authorization network default group radius
        aaa authorization network vpdn group radius
        aaa authorization network sdm_vpn_group_ml_1 local
        aaa accounting delay-start
        aaa accounting delay-start all
        aaa accounting update periodic 60
        aaa accounting network default start-stop group acc_server
        aaa accounting system default start-stop group acc_server
        !
        aaa server radius dynamic-author
         client 212.6.120.4
         client 212.6.120.1
         server-key 7 0470020504
         auth-type any
         ignore session-key
         ignore server-key
        !
        aaa pod server clients 212.6.120.1 212.6.120.4 server-key Kick
        aaa session-id common
        clock timezone MET 1
        clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
        ip cef
        !
        ip vrf vpngreen
         rd 100:159
        !
        ip vrf vpnred
         rd 100:158
        !
        no ip domain lookup
        ip domain name XXXXXXXXXXXXXX        <-- anonymised by marka at the user's request
        ip name-server 212.6.108.140
        ip name-server 212.6.108.141
        ip ssh time-out 60
        ip ssh authentication-retries 2
        ip ssh version 2
        ip scp server enable
        !
        multilink virtual-template 1
        multilink bundle-name authenticated
        vpdn enable
        vpdn logging
        vpdn logging local
        vpdn logging user
        vpdn logging tunnel-drop
        vpdn history failure table-size 30
        vpdn session-limit 2000
        vpdn search-order domain
        !
        vpdn-group l2tp
         ! Default L2TP VPDN group
         accept-dialin
          protocol l2tp
          virtual-template 1
         source-ip 85.16.116.253
         lcp renegotiation always
         no l2tp tunnel authentication
         l2tp tunnel password 7
         l2tp tunnel receive-window 1024
         ip mtu adjust
        !
        vpdn-group pptp
         ! Default PPTP VPDN group
         accept-dialin
          protocol pptp
          virtual-template 2
         source-ip 85.16.116.254
         local name pptp
         lcp renegotiation always
         l2tp tunnel password 7
        !
        archive
         log config
          hidekeys
        !
        controller ISA 1/1
        !
        crypto isakmp policy 1
         encr 3des
         hash md5
         authentication pre-share
         group 2
         lifetime 500
        crypto isakmp key cisco1841 address 10.1.1.1
        crypto isakmp key cisco878 address 10.1.1.4
        !
        crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
        crypto ipsec transform-set ts_cisco_180 esp-des esp-md5-hmac
        !
        crypto map cm_L1 17 ipsec-isakmp
         set peer 10.1.1.1
         set transform-set ts_cisco_170
         match address 170
        crypto map cm_L1 18 ipsec-isakmp
         set peer 10.1.1.4
         set transform-set ts_cisco_180
         match address 180
  11. I have a hunch that the 7301 isn't pushing the packets into the tunnel and therefore isn't encrypting them either... (but what does a layman know^^) We also once had a partially working configuration with a dynamic crypto map... could that perhaps be a clue as well? With that configuration the crypto sessions were at least up-active; ping didn't work because we had configured a great deal of, let's say, "junk" there, and as a result the routing, or rather the ACL, probably no longer matched. In the current config I find the

        ISAKMP:(0):Notify has no hash. Rejected.    <<<<< 1841

     very worrying. As far as I understand it, both devices should actually have the information.
  12. Do you perhaps have a somewhat more specific suspicion? I've been sitting on this error for a while and am probably already blind to it. As already written: at least without crypto I can ping from everywhere to everywhere (also with other source addresses), so at least the routing is clean. I'm pretty much at a loss at the moment.
  13. Jan 12 07:25:25.354: ISAKMP:(0):atts are not acceptable. Next payload is 0 Jan 12 07:25:25.354: ISAKMP:(0):no offers accepted! Jan 12 07:25:25.354: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.5.5.5 remote 10.1.1.1) Jan 12 07:25:25.354: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init Jan 12 07:25:25.354: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) MM_NO_STATE Jan 12 07:25:25.354: ISAKMP:(0):Sending an IKE IPv4 Packet. Jan 12 07:25:25.354: ISAKMP:(0):peer does not do paranoid keepalives. Jan 12 07:25:25.354: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.1.1.1) Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch Jan 12 07:25:25.354: ISAKMP (0:0): vendor ID is NAT-T v7 Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v3 Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v2 Jan 12 07:25:25.354: ISAKMP (0:0): FSM action returned error: 2 Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1 Jan 12 07:25:25.354: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.1.1.1) Jan 12 07:25:25.354: ISAKMP: Unlocking peer struct 0x66DA103C for isadb_mark_sa_deleted(), count 0 Jan 12 07:25:25.354: ISAKMP: Deleting peer node by peer_reap for 10.1.1.1: 66DA103C Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA Jan 12 
07:25:25.354: IPSEC(key_engine): got a queue event with 1 KMI message(s) Jan 12 07:25:25.354: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 10.1.1.1) Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA Jan 12 07:26:25.354: ISAKMP:(0):purging SA., sa=66DAC3BC, delme=66DAC3BC Jan 12 07:34:48.579: No peer struct to get peer description
  14.

        *Jan 12 08:27:33: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.5.5.5
        *Jan 12 08:28:03: IPSEC(key_engine): request timer fired: count = 1,
            (identity) local= 10.1.1.1, remote= 10.5.5.5,
            local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
            remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
        *Jan 12 08:28:03: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.5.5.5,
            local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
            remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
            protocol= ESP, transform= NONE (Tunnel),
            lifedur= 3600s and 4608000kb,
            spi= 0x2AAA75D1(715814353), conn_id= 0, keysize= 0, flags= 0x0
        *Jan 12 08:28:03: ISAKMP: set new node 0 to QM_IDLE
        *Jan 12 08:28:03: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.1.1.1, remote 10.5.5.5)
        *Jan 12 08:28:03: ISAKMP: Error while processing SA request: Failed to initialize SA
        *Jan 12 08:28:03: ISAKMP: Error while processing KMI message 0, error 2.
        *Jan 12 08:28:33: IPSEC(key_engine): request timer fired: count = 2,
            (identity) local= 10.1.1.1, remote= 10.5.5.5,
            local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
            remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

     – Debug: 7301

        Jan 12 07:25:25.354: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 vpngreen (N) NEW SA
        Jan 12 07:25:25.354: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
        Jan 12 07:25:25.354: ISAKMP: New peer created peer = 0x66DA103C peer_handle = 0x80000015
        Jan 12 07:25:25.354: ISAKMP: Locking peer struct 0x66DA103C, refcount 1 for crypto_isakmp_process_block
        Jan 12 07:25:25.354: ISAKMP: local port 500, remote port 500
        Jan 12 07:25:25.354: insert sa successfully sa = 66DAC3BC
        Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
        Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
        Jan 12 07:25:25.354: ISAKMP:(0): processing SA payload. message ID = 0
        Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
        Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
        Jan 12 07:25:25.354: ISAKMP (0:0): vendor ID is NAT-T v7
        Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
        Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
        Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v3
        Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
        Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
        Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v2
        Jan 12 07:25:25.354: ISAKMP:(0):No pre-shared key with 10.1.1.1!
        Jan 12 07:25:25.354: ISAKMP : Scanning profiles for xauth ...
        Jan 12 07:25:25.354: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
        Jan 12 07:25:25.354: ISAKMP:      encryption 3DES-CBC
        Jan 12 07:25:25.354: ISAKMP:      hash SHA
        Jan 12 07:25:25.354: ISAKMP:      default group 2
        Jan 12 07:25:25.354: ISAKMP:      auth pre-share
        Jan 12 07:25:25.354: ISAKMP:      life type in seconds
        Jan 12 07:25:25.354: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
        Jan 12 07:25:25.354: ISAKMP:(0):Preshared authentication offered but does not match policy!
        Jan 12 07:25:25.354: ISAKMP:(0):atts are not acceptable. Next payload is 0
        Jan 12 07:25:25.354: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
        Jan 12 07:25:25.354: ISAKMP:      encryption 3DES-CBC
        Jan 12 07:25:25.354: ISAKMP:      hash SHA
        Jan 12 07:25:25.354: ISAKMP:      default group 2
        Jan 12 07:25:25.354: ISAKMP:      auth pre-share
        Jan 12 07:25:25.354: ISAKMP:      life type in seconds
        Jan 12 07:25:25.354: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
        Jan 12 07:25:25.354: ISAKMP:(0):Encryption algorithm offered does not match policy!
  15. Hi, I'm currently trying to set up a perfectly normal IPsec tunnel between a 7301 and a 1841. Maybe someone can take a look at it.

     7301 - Loopback1: 10.5.5.5

        crypto isakmp policy 1
         group 2
         encryption 3des
         authentication pre-share
        crypto isakmp key cisco1841 address 10.1.1.1
        crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
        !
        crypto map cm_L1 17 ipsec-isakmp
         set peer 10.1.1.1
         set transform-set ts_cisco_170
         match address 170
        !
        interface Loopback1
         crypto map cm_L1
        !
        access-list 170 permit ip any 192.168.1.0 0.0.0.255

     1841 - LAN: 192.168.1.0

        crypto isakmp policy 1
         group 2
         encryption 3des
         authentication pre-share
        crypto isakmp key cisco1841 address 10.5.5.5
        crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
        !
        crypto map cm_D1 17 ipsec-isakmp
         set peer 10.5.5.5
         set transform-set ts_cisco_170
         match address 170
        !
        interface Dialer1
         crypto map cm_D1
        !
        access-list 170 permit ip 192.168.1.0 0.0.0.255 any

     Before the crypto map is bound to the respective interfaces, all addresses are reachable from everywhere.

     – Here are the debugs as well.

     Debug: 1841

        *Jan 12 08:27:33: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.5.5.5,
            local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
            remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
            protocol= ESP, transform= NONE (Tunnel),
            lifedur= 3600s and 4608000kb,
            spi= 0xF3F67FC4(4093018052), conn_id= 0, keysize= 0, flags= 0x0
        *Jan 12 08:27:33: ISAKMP:(0): SA request profile is (NULL)
        *Jan 12 08:27:33: ISAKMP: Created a peer struct for 10.5.5.5, peer port 500
        *Jan 12 08:27:33: ISAKMP: New peer created peer = 0x652CE590 peer_handle = 0x80000013
        *Jan 12 08:27:33: ISAKMP: Locking peer struct 0x652CE590, refcount 1 for isakmp_initiator
        *Jan 12 08:27:33: ISAKMP: local port 500, remote port 500
        *Jan 12 08:27:33: ISAKMP: set new node 0 to QM_IDLE
        *Jan 12 08:27:33: insert sa successfully sa = 652CF07C
        *Jan 12 08:27:33: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
        *Jan 12 08:27:33: ISAKMP:(0):found peer pre-shared key matching 10.5.5.5
        *Jan 12 08:27:33: ISAKMP:(0): constructed NAT-T vendor-07 ID
        *Jan 12 08:27:33: ISAKMP:(0): constructed NAT-T vendor-03 ID
        *Jan 12 08:27:33: ISAKMP:(0): constructed NAT-T vendor-02 ID
        *Jan 12 08:27:33: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
        *Jan 12 08:27:33: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
        *Jan 12 08:27:33: ISAKMP:(0): beginning Main Mode exchange
        *Jan 12 08:27:33: ISAKMP:(0): sending packet to 10.5.5.5 my_port 500 peer_port 500 (I) MM_NO_STATE
        *Jan 12 08:27:33: ISAKMP (0:0): received packet from 10.5.5.5 dport 500 sport 500 Global (I) MM_NO_STATE
        *Jan 12 08:27:33: ISAKMP:(0):Notify has no hash. Rejected.
        *Jan 12 08:27:33: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
        *Jan 12 08:27:33: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
        *Jan 12 08:27:33: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
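The two config fragments in this post are the usual starting point for a config-side check before reading debugs. The script below is an added example, not code from the thread: it parses both sides' ISAKMP policies (filling in the IOS defaults des / sha / rsa-sig / group 1 / 86400 s for attributes a policy leaves unset), pre-shared keys and keyrings, transform sets, crypto maps and the interfaces that carry them, and reports Phase 1 attribute mismatches, peers for which no usable pre-shared key exists, and transform-set mismatches between the map entries that point at each other. Its sample configs are constructed from the snippets on this page, not verbatim copies: `hash md5` on the 7301 and the VRF binding of Loopback1 are taken from the full configs posted in this thread, and Dialer1 is given a fixed address 10.1.1.1 in place of `ip address negotiated`. One assumption is mine rather than the thread's: when the interface carrying the crypto map is in a VRF, IOS looks the pre-shared key up only in a `crypto keyring ... vrf` bound to that VRF and not in the global `crypto isakmp key` table, which is why the checker flags the 7301's global key.

```python
# Added example (not from the thread): cross-check two Cisco IOS IPsec configs for the
# Phase 1 / pre-shared-key / Phase 2 mismatches that otherwise only show up in
# `debug crypto isakmp`. IOS defaults for the attributes a policy leaves unset:
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

# Constructed fragments modelled on this thread's 7301/1841 configs, not verbatim:
# `hash md5` on the 7301 and Loopback1's VRF binding come from the full configs
# posted in the thread; Dialer1 gets a fixed 10.1.1.1 instead of `ip address negotiated`.
CFG_7301 = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco1841 address 10.1.1.1
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
crypto map cm_L1 17 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set ts_cisco_170
interface Loopback1
 ip vrf forwarding vpngreen
 ip address 10.5.5.5 255.255.255.255
 crypto map cm_L1
"""
CFG_1841 = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1841 address 10.5.5.5
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
crypto map cm_D1 17 ipsec-isakmp
 set peer 10.5.5.5
 set transform-set ts_cisco_170
interface Dialer1
 ip address 10.1.1.1 255.255.255.255
 crypto map cm_D1
"""
# The same 7301 with the hash aligned and the key moved into a keyring bound to the VRF.
CFG_7301_FIXED = CFG_7301.replace(" hash md5\n", "").replace(
    "crypto isakmp key cisco1841 address 10.1.1.1\n",
    "crypto keyring kr-vpngreen vrf vpngreen\n"
    " pre-shared-key address 10.1.1.1 255.255.255.255 key cisco1841\n")


def parse(text):
    """Pull the IPsec-relevant objects out of an IOS running-config fragment."""
    cfg = {"policies": {}, "keys": {}, "keyrings": [], "tsets": {}, "maps": {}, "ifaces": {}}
    kind = ctx = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if not line.startswith(" "):                  # top-level command: new context
            kind = ctx = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                kind, ctx = "policy", cfg["policies"].setdefault(int(w[3]), dict(POLICY_DEFAULTS))
            elif w[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key K address A (global table)
                cfg["keys"][w[5]] = w[3]
            elif w[:2] == ["crypto", "keyring"]:        # crypto keyring NAME [vrf V]
                ring = {"vrf": w[w.index("vrf") + 1] if "vrf" in w else None, "keys": {}}
                cfg["keyrings"].append(ring)
                kind, ctx = "keyring", ring
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][w[3]] = frozenset(w[4:])
            elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
                kind, ctx = "map", cfg["maps"].setdefault((w[2], int(w[3])), {})
            elif w[0] == "interface":
                kind, ctx = "iface", cfg["ifaces"].setdefault(w[1], {"vrf": None, "map": None, "addr": None})
            continue
        if kind == "policy" and w[0] in ("encr", "encryption", "hash", "authentication", "group", "lifetime"):
            ctx["encr" if w[0] == "encryption" else w[0]] = w[1]
        elif kind == "keyring" and w[0] == "pre-shared-key":   # pre-shared-key address A [mask] key K
            ctx["keys"][w[2]] = w[-1]
        elif kind == "map" and w[0] == "set":               # set peer / set transform-set
            ctx[w[1]] = w[2]
        elif kind == "iface":
            if w[:3] == ["ip", "vrf", "forwarding"]:
                ctx["vrf"] = w[3]
            elif w[:2] == ["ip", "address"]:
                ctx["addr"] = w[2]
            elif w[:2] == ["crypto", "map"]:
                ctx["map"] = w[2]
    return cfg


def psk_for(cfg, peer, vrf):
    """Key IOS would find for `peer` when the crypto-map interface is in `vrf`.
    Assumption (mine, see lead-in): with a VRF only keyrings bound to that VRF are
    consulted; without one, unbound keyrings and then the global key table."""
    for ring in cfg["keyrings"]:
        if ring["vrf"] == vrf:
            for addr in (peer, "0.0.0.0"):            # exact entry, then wildcard entry
                if addr in ring["keys"]:
                    return ring["keys"][addr]
    return cfg["keys"].get(peer) if vrf is None else None


def check(a, b, an="A", bn="B"):
    """Findings for the pair of configs; an empty list means they are consistent."""
    findings, p1 = [], ("encr", "hash", "authentication", "group")
    attrs = lambda cfg: {tuple(p[k] for k in p1) for p in cfg["policies"].values()}
    if not attrs(a) & attrs(b):
        findings.append("phase1: no policy pair agrees on encr/hash/auth/group: %s %s vs %s %s"
                        % (an, sorted(attrs(a)), bn, sorted(attrs(b))))
    for side, other, sn in ((a, b, an), (b, a, bn)):
        for (mname, seq), m in side["maps"].items():
            if not m.get("peer"):                     # dynamic entries have no static peer
                continue
            iface = next((i for i in side["ifaces"].values() if i["map"] == mname), None)
            vrf = iface["vrf"] if iface else None
            if psk_for(side, m["peer"], vrf) is None:
                findings.append("psk: %s crypto map %s %d has no key usable for peer %s "
                                "(interface vrf=%s)" % (sn, mname, seq, m["peer"], vrf))
            if side is not a or iface is None:
                continue                              # Phase 2 compared once, from a's side
            for r in other["maps"].values():
                ts_a, ts_b = m.get("transform-set"), r.get("transform-set")
                if r.get("peer") == iface["addr"] and side["tsets"].get(ts_a) != other["tsets"].get(ts_b):
                    findings.append("phase2: %s %s %s vs %s %s %s" % (
                        an, ts_a, sorted(side["tsets"].get(ts_a, ())),
                        bn, ts_b, sorted(other["tsets"].get(ts_b, ()))))
    return findings


if __name__ == "__main__":
    for f in check(parse(CFG_7301), parse(CFG_1841), "7301", "1841") or ["no findings"]:
        print(f)
```

On the constructed pair it reports the Phase 1 hash mismatch and the missing VRF-bound key on the 7301; on `CFG_7301_FIXED` it reports nothing. Feed it `show running-config` sections from both routers to get the same answer without enabling debugs on a production box.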