bookweb

Members, 113 items of content

All content created by bookweb

  1. Uranus, can you post the output of a traceroute athmg.com? Mine looks like this:

       1     2 ms     1 ms     1 ms  192.168.1.1
       2     *        *        *     Zeitüberschreitung der Anforderung.
       3    13 ms    12 ms    13 ms  80.228.232.26
       4    14 ms    13 ms    14 ms  bbrt.ol-0-ge-6-0-5.ewe-ip-backbone.de [212.6.114.186]
       5    15 ms    15 ms    14 ms  xe-1-1-0-bbrt.hb-2.ewe-ip-backbone.de [80.228.90.34]
       6    24 ms    23 ms    24 ms  bbrt.ffm-0-10ge-6-0-0.ewe-ip-backbone.de [212.6.114.14]
       7    24 ms    23 ms    23 ms  decix1.mpr1.fra1.de.above.net [80.81.192.226]
       8    23 ms    23 ms    24 ms  po60.mpr2.fra1.de.above.net [64.125.23.233]
       9    32 ms    32 ms    32 ms  te1-3.er1.ams1.nl.above.net [64.125.23.193]
      10    34 ms    35 ms    34 ms  ge-3-1-0.mpr1.ams1.nl.above.net [64.125.25.13]
      11    50 ms    42 ms    42 ms  xe-3-2-0.mpr1.lhr2.uk.above.net [64.125.31.246]
      12   111 ms   112 ms   111 ms  so-1-1-0.mpr1.dca2.us.above.net [64.125.31.186]
      13   141 ms   144 ms   142 ms  ge-2-0-0.mpr3.iah1.us.above.net [64.125.25.114]
      14   136 ms   139 ms   138 ms  xe-1-1-0.er1.iah1.above.net [64.125.26.222]
      15   139 ms   138 ms   141 ms  209.66.99.94.available.above.net [209.66.99.94]
      16   151 ms   152 ms   153 ms  po2.car05.hstntx1.theplanet.com [207.218.245.18]
      17     *        *        *     Zeitüberschreitung der Anforderung.
      18     *        *        *     Zeitüberschreitung der Anforderung.

     Alternatively, can you try going around the PIX?
  2. No, I'm connected directly to a Linksys router, no elaborate firewall or the like. Are both the connection from which you reach the site and the connection with the PIX on the same provider (which one)? Maybe it's down to the provider's peering/routing, or certain IP ranges are on blacklists of the remote server. I've dealt with this kind of problem several times and can therefore say: there are at least 100 possible causes, and none is so far-fetched that it shouldn't be considered.
  3. Hi, could it be that it's not your equipment but the remote end? I can't do either HTTP or ICMP to athmg.com; a DNS lookup returns the IP 75.125.185.178. But that isn't reachable either...
  4. I replaced the crossover cable with a hub so that I can sniff. Everything works as it should. Thanks!
  5. I hung a sniffer into the transfer network and then ran a tunnel check in SDM. SDM reports: tunnel OK. In the sniffer, though, I see ICMP packets between the routers, no ESP. Could it be that the traffic is being pushed past the tunnel? – Scratch that: when I ping between the two notebooks in the LANs, the traffic is encrypted. If I ping from one router to the other, it's unencrypted. But that's how I defined it myself in the access list. Thanks for your help!
  6. The notebook receives reply packets from the notebook on the other side. Debugging is enabled but produces no output.

     Master#sh debugging
     Cryptographic Subsystem:
       Crypto ISAKMP Error debugging is on
       Crypto IPSEC Error debugging is on
  7. ip access-list extended SDM_1
      permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
      remark SDM_ACL Category=4
      remark IPSec Rule

     Now a debug "tunnel test" in SDM says "no response"... Before there was a response, but the tunnel could not be established. Both routers have the other router as their default route.
  8. Master

     crypto isakmp policy 1
      encr 3des
      authentication pre-share
      group 2
     crypto isakmp key KEY address 192.168.1.2
     !
     !
     crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
     !
     crypto map SDM_CMAP_1 1 ipsec-isakmp
      description Apply the crypto map on the peer router's interface having IP address 192.168.1.2 that connects to this router.
      set peer 192.168.1.2
      set transform-set ESP-3DES-SHA1
      match address SDM_1
     !
     !
     !
     !
     interface FastEthernet0/0
      ip address 192.168.1.1 255.255.255.0
      speed auto
      full-duplex
      no mop enabled
      crypto map SDM_CMAP_1
     !
     !
     !
     ip access-list extended SDM_1
      remark SDM_ACL Category=4
      remark IPSec Rule
      permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
     !
     access-list 100 remark SDM_ACL Category=4
     access-list 100 remark IPSec Rule
     access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

     Slave

     crypto isakmp policy 1
      encr 3des
      authentication pre-share
      group 2
     crypto isakmp key KEY address 192.168.1.1
     !
     !
     crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     !
     crypto map SDM_CMAP_1 1 ipsec-isakmp
      description Apply the crypto map on the peer router's interface having IP address 192.168.1.2 that connects to this router.
      set peer 192.168.1.1
      set transform-set ESP-3DES-SHA
      match address SDM_1
     !
     !
     !
     !
     interface FastEthernet0/0
      description wan
      ip address 192.168.1.2 255.255.255.0
      speed auto
      full-duplex
      no mop enabled
      crypto map SDM_CMAP_1
     !
     !
     !
     ip access-list extended SDM_1
      remark SDM_ACL Category=4
      remark IPSec Rule
      permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
     !
     access-list 100 remark SDM_ACL Category=4
     access-list 100 remark IPSec Rule
     access-list 100 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
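As an added example that is not from this thread or from any Cisco tool: a small Python checker for two things a site-to-site pair has to get right before phase 2 can come up, namely that the crypto ACLs on both routers are exact mirror images and that `set peer` does not point at the router's own WAN address. The sample ACL lines are constructed from the SDM_1 entries quoted in the post above; the "mirrored" Slave entry is a hypothetical corrected one.

```python
"""Pre-flight consistency checks for a Cisco IOS site-to-site IPsec pair.

Added example, not from the thread. Parses the crypto ACL lines of both
routers and checks (a) that every 'permit ip' flow on one side has its
mirror image (source/destination swapped) on the other, which IKE phase 2
proxy-identity negotiation requires, and (b) that 'set peer' does not
point at the local router's own WAN address.
"""
import ipaddress
import re
from typing import List, Tuple

Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# 'permit ip <src> <src-wildcard> <dst> <dst-wildcard>', with or without the
# 'access-list <n>' prefix that numbered ACLs use.
PERMIT_RE = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair (10.0.0.0 0.255.255.255) into 10.0.0.0/8."""
    mask_int = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask_int))
    # IPv4Network rejects non-contiguous masks, which IPsec proxies cannot express anyway.
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def parse_crypto_acl(lines: List[str]) -> List[Flow]:
    """Extract (src, dst) networks from 'permit ip' entries; remark lines are ignored."""
    flows: List[Flow] = []
    for line in lines:
        m = PERMIT_RE.search(line)
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            flows.append((wildcard_to_network(src, src_wc),
                          wildcard_to_network(dst, dst_wc)))
    return flows


def check_site_pair(local_acl: List[str], remote_acl: List[str],
                    local_peer: str, local_wan_ip: str) -> List[str]:
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings: List[str] = []
    if local_peer == local_wan_ip:
        findings.append(f"set peer {local_peer} is this router's own WAN address")
    remote_flows = parse_crypto_acl(remote_acl)
    for src, dst in parse_crypto_acl(local_acl):
        # The remote side must permit the same flow with src and dst swapped.
        if (dst, src) not in remote_flows:
            findings.append(f"no mirror of {src}->{dst} on the remote crypto ACL")
    return findings


# Constructed sample input, copied from the SDM_1 entries quoted in the post above.
MASTER_ACL = [
    "ip access-list extended SDM_1",
    " remark IPSec Rule",
    " permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255",
]
SLAVE_ACL_AS_POSTED = [
    "ip access-list extended SDM_1",
    " permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255",
]
# Hypothetical corrected Slave ACL: the exact mirror of the Master entry.
SLAVE_ACL_MIRRORED = [
    "access-list 101 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255",
]

if __name__ == "__main__":
    for label, acl in (("as posted", SLAVE_ACL_AS_POSTED), ("mirrored", SLAVE_ACL_MIRRORED)):
        print(label, check_site_pair(MASTER_ACL, acl, "192.168.1.2", "192.168.1.1") or "ok")
```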
  9. I've now changed that too, without success. I even made use of the option to have a mirror config generated on the Master and then copied it to the Slave. No luck...

     Master: key + IP of Slave
     Slave: key + IP of Master
  10. Even with the correct peer IP, nothing changes.
  11. I built the config in SDM, where it is displayed correctly. Here it is once more:

     version 12.4
     service timestamps debug datetime msec
     service timestamps log datetime msec
     no service password-encryption
     !
     hostname Slave
     !
     boot-start-marker
     boot-end-marker
     !
     no logging buffered
     enable secret 5 XXX
     enable password XXX
     !
     no aaa new-model
     !
     resource policy
     !
     ip cef
     !
     !
     !
     !
     !
     !
     !
     username sdm privilege 15 password 0 XXX
     !
     !
     !
     crypto isakmp policy 1
      encr 3des
      authentication pre-share
      group 2
     crypto isakmp key xxxxxx address 192.168.1.2
     !
     !
     crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
     !
     crypto map SDM_CMAP_1 1 ipsec-isakmp
      description Tunnel to192.168.1.2
      set peer 192.168.1.2
      set transform-set ESP-3DES-SHA1
      match address 101
     !
     !
     !
     !
     interface FastEthernet0/0
      description wan
      ip address 192.168.1.2 255.255.255.0
      speed auto
      full-duplex
      no mop enabled
      crypto map SDM_CMAP_1
     !
     interface FastEthernet0/1
      description lan-slave
      ip address 172.16.0.1 255.255.0.0
      speed auto
      half-duplex
     !
     interface Serial0/0/0
      no ip address
      shutdown
      no fair-queue
      clock rate 2000000
     !
     ip route 0.0.0.0 0.0.0.0 192.168.1.1
     !
     !
     ip http server
     no ip http secure-server
     !
     access-list 100 remark SDM_ACL Category=4
     access-list 100 remark IPSec Rule
     access-list 100 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
     access-list 101 remark SDM_ACL Category=4
     access-list 101 remark IPSec Rule
     access-list 101 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
     !
     !
     !
     !
     !
     !
     control-plane
     !
     !
     !
     line con 0
     line aux 0
     line vty 0 4
      password XXX
      login
     !
     scheduler allocate 20000 1000
     !
     webvpn context Default_context
      ssl authenticate verify all
      !
      no inservice
     !
     end
  12. *Dec 10 12:39:24.111: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
     *Dec 10 12:39:24.111: crypto_engine: Decrypt IKE packet
     *Dec 10 12:39:24.111: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.1.2 failed its sanity check or is malformed
     *Dec 10 12:39:24.111: ISAKMP (0:1002): incrementing error counter on sa, attempt 1 of 5: PAYLOAD_MALFORMED
     *Dec 10 12:39:24.111: crypto_engine: Encrypt IKE packet
     *Dec 10 12:39:24.111: ISAKMP:(1002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
     *Dec 10 12:39:24.111: ISAKMP (0:1002): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
     *Dec 10 12:39:24.111: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
     *Dec 10 12:39:24.111: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
     *Dec 10 12:39:24.111: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
     *Dec 10 12:39:24.115: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
     *Dec 10 12:39:24.115: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
     *Dec 10 12:39:54.019: IPSEC(key_engine): request timer fired: count = 1,
       (identity) local= 192.168.1.2, remote= 192.168.1.2,
         local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
         remote_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4)
     *Dec 10 12:39:54.019: IPSEC(sa_request): ,
       (key eng. msg.) OUTBOUND local= 192.168.1.2, remote= 192.168.1.2,
         local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
         remote_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
         protocol= ESP, transform= NONE (Tunnel),
         lifedur= 3600s and 4608000kb,
         spi= 0xAAD7E82F(2866276399), conn_id= 0, keysize= 0, flags= 0x0
     *Dec 10 12:39:54.019: ISAKMP: set new node 0 to QM_IDLE
     *Dec 10 12:39:54.019: ISAKMP:(1002):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote 192.168.1.2)

     Does anyone have a tip? Thanks, Christian

     PS: Sorry for the many posts, but the 4000-character limit makes it necessary...
  13. *Dec 10 12:39:24.031: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
     *Dec 10 12:39:24.035: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
     *Dec 10 12:39:24.035: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
     *Dec 10 12:39:24.035: ISAKMP:(0): processing KE payload. message ID = 0
     *Dec 10 12:39:24.035: crypto_engine: Create DH shared secret
     *Dec 10 12:39:24.035: crypto_engine: Modular Exponentiation
     *Dec 10 12:39:24.103: ISAKMP:(0): processing NONCE payload. message ID = 0
     *Dec 10 12:39:24.103: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
     *Dec 10 12:39:24.103: crypto_engine: Create IKE SA
     *Dec 10 12:39:24.103: crypto engine: deleting DH phase 2 SW:8
     *Dec 10 12:39:24.103: crypto_engine: Delete DH shared secret
     *Dec 10 12:39:24.103: ISAKMP:(1002): processing vendor id payload
     *Dec 10 12:39:24.103: ISAKMP:(1002): vendor ID is Unity
     *Dec 10 12:39:24.103: ISAKMP:(1002): processing vendor id payload
     *Dec 10 12:39:24.103: ISAKMP:(1002): vendor ID is DPD
     *Dec 10 12:39:24.103: ISAKMP:(1002): processing vendor id payload
     *Dec 10 12:39:24.103: ISAKMP:(1002): speaking to another IOS box!
     *Dec 10 12:39:24.103: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
     *Dec 10 12:39:24.103: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM4
     *Dec 10 12:39:24.107: ISAKMP:(1002):Send initial contact
     *Dec 10 12:39:24.107: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
     *Dec 10 12:39:24.107: ISAKMP (0:1002): ID payload
             next-payload : 8
             type         : 1
             address      : 192.168.1.2
             protocol     : 17
             port         : 500
             length       : 12
     *Dec 10 12:39:24.107: ISAKMP:(1002):Total payload length: 12
     *Dec 10 12:39:24.107: crypto_engine: Generate IKE hash
     *Dec 10 12:39:24.107: crypto_engine: Encrypt IKE packet
     *Dec 10 12:39:24.107: ISAKMP:(1002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
     *Dec 10 12:39:24.107: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
     *Dec 10 12:39:24.107: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5
  14. Debugging on Slave

     *Dec 10 12:39:24.019: IPSEC(sa_request): ,
       (key eng. msg.) OUTBOUND local= 192.168.1.2, remote= 192.168.1.2,
         local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
         remote_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
         protocol= ESP, transform= NONE (Tunnel),
         lifedur= 3600s and 4608000kb,
         spi= 0x83EB0117(2213216535), conn_id= 0, keysize= 0, flags= 0x0
     *Dec 10 12:39:24.023: ISAKMP: local port 500, remote port 500
     *Dec 10 12:39:24.023: ISAKMP: set new node 0 to QM_IDLE
     *Dec 10 12:39:24.023: insert sa successfully sa = 64289D80
     *Dec 10 12:39:24.023: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
     *Dec 10 12:39:24.023: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
     *Dec 10 12:39:24.023: ISAKMP:(0): constructed NAT-T vendor-07 ID
     *Dec 10 12:39:24.023: ISAKMP:(0): constructed NAT-T vendor-03 ID
     *Dec 10 12:39:24.023: ISAKMP:(0): constructed NAT-T vendor-02 ID
     *Dec 10 12:39:24.023: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
     *Dec 10 12:39:24.023: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
     *Dec 10 12:39:24.023: ISAKMP:(0): beginning Main Mode exchange
     *Dec 10 12:39:24.023: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
     *Dec 10 12:39:24.023: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
     *Dec 10 12:39:24.027: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
     *Dec 10 12:39:24.027: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
     *Dec 10 12:39:24.027: ISAKMP:(0): processing SA payload. message ID = 0
     *Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
     *Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
     *Dec 10 12:39:24.027: ISAKMP (0:0): vendor ID is NAT-T v7
     *Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
     *Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
     *Dec 10 12:39:24.027: ISAKMP:(0): vendor ID is NAT-T v3
     *Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
     *Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
     *Dec 10 12:39:24.027: ISAKMP:(0): vendor ID is NAT-T v2
     *Dec 10 12:39:24.027: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
     *Dec 10 12:39:24.027: ISAKMP:(0): local preshared key found
     *Dec 10 12:39:24.027: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
     *Dec 10 12:39:24.027: ISAKMP:      encryption 3DES-CBC
     *Dec 10 12:39:24.027: ISAKMP:      hash SHA
     *Dec 10 12:39:24.027: ISAKMP:      default group 2
     *Dec 10 12:39:24.027: ISAKMP:      auth pre-share
     *Dec 10 12:39:24.027: ISAKMP:      life type in seconds
     *Dec 10 12:39:24.027: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
     *Dec 10 12:39:24.027: ISAKMP:(0):atts are acceptable. Next payload is 0
     *Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
     *Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
     *Dec 10 12:39:24.027: ISAKMP (0:0): vendor ID is NAT-T v7
     *Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
     *Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
     *Dec 10 12:39:24.027: ISAKMP:(0): vendor ID is NAT-T v3
     *Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
     *Dec 10 12:39:24.031: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
     *Dec 10 12:39:24.031: ISAKMP:(0): vendor ID is NAT-T v2
     *Dec 10 12:39:24.031: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
     *Dec 10 12:39:24.031: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
     *Dec 10 12:39:24.031: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
     *Dec 10 12:39:24.031: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
     *Dec 10 12:39:24.031: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  15. Slave, Cisco 1841:

     sh vers
     Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
     Technical Support: http://www.cisco.com/techsupport
     Copyright (c) 1986-2006 by Cisco Systems, Inc.
     Compiled Wed 22-Feb-06 21:47 by ccai

     ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

     Slave uptime is 24 minutes
     System returned to ROM by reload at 12:15:32 UTC Wed Dec 10 2008
     System image file is "flash:c1841-advipservicesk9-mz.124-6.T.bin"

     Cisco 1841 (revision 7.0) with 118784K/12288K bytes of memory.
     Processor board ID FCZ1136317T
     2 FastEthernet interfaces
     1 Serial(sync/async) interface
     1 Virtual Private Network (VPN) Module
     DRAM configuration is 64 bits wide with parity disabled.
     191K bytes of NVRAM.
     31360K bytes of ATA CompactFlash (Read/Write)

     Configuration register is 0x2102

     !
     version 12.4
     service timestamps debug datetime msec
     service timestamps log datetime msec
     no service password-encryption
     !
     hostname Slave
     !
     boot-start-marker
     boot-end-marker
     !
     no logging buffered
     enable secret 5 XXX
     enable password XXX
     !
     no aaa new-model
     !
     resource policy
     !
     ip cef
     !
     !
     !
     !
     !
     !
     !
     username sdm privilege 15 password 0 XXX
     !
     !
     !
     crypto isakmp policy 1
      encr 3des
      authentication pre-share
      group 2
     crypto isakmp key xxxxxx address 192.168.1.1
     !
     !
     crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
     !
     crypto map SDM_CMAP_1 1 ipsec-isakmp
      description Tunnel to192.168.1.2
      set peer 192.168.1.2
      set transform-set ESP-3DES-SHA1
      match address 101
     !
     !
     !
     !
     interface FastEthernet0/0
      description wan
      ip address 192.168.1.2 255.255.255.0
      speed auto
      full-duplex
      no mop enabled
      crypto map SDM_CMAP_1
     !
     interface FastEthernet0/1
      description lan-slave
      ip address 172.16.0.1 255.255.0.0
      speed auto
      half-duplex
     !
     interface Serial0/0/0
      no ip address
      shutdown
      no fair-queue
      clock rate 2000000
     !
     ip route 0.0.0.0 0.0.0.0 192.168.1.1
     !
     !
     ip http server
     no ip http secure-server
     !
     access-list 100 remark SDM_ACL Category=4
     access-list 100 remark IPSec Rule
     access-list 100 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
     access-list 101 remark SDM_ACL Category=4
     access-list 101 remark IPSec Rule
     access-list 101 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
     !
     !
     !
     !
     !
     !
     control-plane
     !
     !
     !
     line con 0
     line aux 0
     line vty 0 4
      password XXX
      login
     !
     scheduler allocate 20000 1000
     !
     webvpn context Default_context
      ssl authenticate verify all
      !
      no inservice
     !
     end
  16. Hello everyone, I'm currently trying to set up a site-to-site VPN between two 1841s, but it isn't working. Both devices are connected on FE0/0 via crossover. A notebook hangs off each FE0/1. The connection between the devices is up, but no tunnel is established.

     Master, Cisco 1841

     sh ver
     Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
     Technical Support: http://www.cisco.com/techsupport
     Copyright (c) 1986-2006 by Cisco Systems, Inc.
     Compiled Wed 22-Feb-06 21:47 by ccai

     ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

     Master uptime is 2 hours, 57 minutes
     System returned to ROM by reload at 09:44:13 UTC Wed Dec 10 2008
     System image file is "flash:c1841-advipservicesk9-mz.124-6.T.bin"

     Cisco 1841 (revision 7.0) with 118784K/12288K bytes of memory.
     Processor board ID FCZ1136318N
     2 FastEthernet interfaces
     1 Serial(sync/async) interface
     1 Virtual Private Network (VPN) Module
     DRAM configuration is 64 bits wide with parity disabled.
     191K bytes of NVRAM.
     31360K bytes of ATA CompactFlash (Read/Write)

     Configuration register is 0x2102

     version 12.4
     service timestamps debug datetime msec
     service timestamps log datetime msec
     no service password-encryption
     !
     hostname Master
     !
     boot-start-marker
     boot-end-marker
     !
     no logging buffered
     enable secret 5 XXX
     enable password XXX
     !
     no aaa new-model
     !
     resource policy
     !
     ip cef
     !
     !
     !
     !
     !
     !
     !
     username sdm privilege 15 password 0 XXX
     !
     !
     !
     crypto isakmp policy 1
      encr 3des
      authentication pre-share
      group 2
     crypto isakmp key xxxxxx address 192.168.1.2
     !
     !
     crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     !
     crypto map SDM_CMAP_1 1 ipsec-isakmp
      description Tunnel to192.168.1.2
      set peer 192.168.1.2
      set transform-set ESP-3DES-SHA
      match address 100
     !
     !
     !
     !
     !
     interface FastEthernet0/0
      description wan
      ip address 192.168.1.1 255.255.255.0
      speed auto
      full-duplex
      no mop enabled
      crypto map SDM_CMAP_1
     !
     interface FastEthernet0/1
      description lan-master
      ip address 10.10.12.140 255.0.0.0
      duplex auto
      speed auto
     !
     interface Serial0/0/0
      no ip address
      shutdown
      no fair-queue
      clock rate 2000000
     !
     !
     !
     ip http server
     no ip http secure-server
     !
     access-list 100 remark SDM_ACL Category=4
     access-list 100 remark IPSec Rule
     access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
     !
     !
     !
     !
     !
     !
     control-plane
     !
     !
     !
     line con 0
     line aux 0
     line vty 0 4
      password XXX
      login
      transport input all
      transport output all
     !
     scheduler allocate 20000 1000
     !
     webvpn context Default_context
      ssl authenticate verify all
      !
      no inservice
     !
     end
  17. bookweb

     IPSec in L2TP

     Exactly, that's the plan!
  18. bookweb

     IPSec in L2TP

     This is a test setup in which I can configure all the devices.
  19. bookweb

     IPSec in L2TP

     Exactly, you've grasped the issue! Supposing one wanted to do it in such an unprofessional way (for whatever reason...), do you have a tip or even a config for how one could go about it? Thanks, Christian
  20. bookweb

     IPSec in L2TP

     Morning Jörg, as I see it, GET VPN isn't suitable here because we don't want an any-to-any VPN but want to keep working tunnel-based, hub and spoke so to speak. With GET we would undermine the whole reason for the centralised approach: the central firewall at the main site. Best regards, Christian
  21. Unfortunately I have no access to the other device; it came with a technician who was supposed to check the line.

     vpnsdsl-test#sh flash
     System flash directory:
     File  Length   Name/status
       1   3622860  soho78-y1-mz.123-8.T8.bin
     [3622924 bytes used, 4765680 available, 8388604 total]
     8192K bytes of processor board System flash (Read/Write)
  22. vpnsdsl-test#sh conf
     Using 1859 out of 131072 bytes
     !
     version 12.3
     no service pad
     service timestamps debug datetime localtime
     service timestamps log datetime localtime
     service password-encryption
     !
     hostname vpnsdsl-test
     !
     boot-start-marker
     boot-end-marker
     !
     enable password 7 XXX
     !
     username XXX password 7 XXX
     clock timezone MET 1
     clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
     no aaa new-model
     ip subnet-zero
     !
     !
     !
     !
     !
     interface Ethernet0
      ip address 192.168.5.254 255.255.255.0
      no keepalive
      no cdp enable
      hold-queue 100 out
     !
     interface ATM0
      no ip address
      no ip route-cache
      no atm auto-configuration
      atm ilmi-keepalive 30
      no atm address-registration
      dsl equipment-type CPE
      dsl operating-mode GSHDSL symmetric annex B
      dsl linerate 2312
     !
     interface ATM0.1 point-to-point
      no ip redirects
      no ip route-cache
      timeout absolute 71582787 0
      pvc 1/32
       pppoe-client dial-pool-number 1
      !
     !
     interface Dialer1
      ip address negotiated
      no ip redirects
      ip mtu 1492
      encapsulation ppp
      no ip route-cache
      ip tcp adjust-mss 1400
      load-interval 30
      dialer pool 1
      dialer idle-timeout 0
      dialer enable-timeout 2
      dialer hold-queue 100
      dialer persistent
      dialer-group 1
      no cdp enable
      ppp authentication pap callin
      ppp pap sent-username XXX password 7 XXX
     !
     ip classless
     ip route 0.0.0.0 0.0.0.0 Dialer1
     no ip http server
     !
     dialer-list 1 protocol ip permit
     no cdp run
     !
     control-plane
     !
     !
     line con 0
      login local
      stopbits 1
     line vty 0 4
      password 7 XXX
      login local
     !
     scheduler max-task-time 5000
     end

     Does anyone have an idea, or should I replace the device? Thanks, Christian
  23. Hello, I have an urgent problem: I want to run a Cisco SOHO78 on an SDSL line. When I connect it, however, it doesn't synchronise. With another device (also a SOHO78) this problem doesn't occur.

     vpnsdsl-test#sh ver
     Cisco IOS Software, SOHO78 Software (SOHO78-Y1-M), Version 12.3(8)T8, RELEASE SOFTWARE (fc1)
     Technical Support: http://www.cisco.com/techsupport
     Copyright (c) 1986-2005 by Cisco Systems, Inc.
     Compiled Wed 06-Apr-05 14:07 by yiyan

     ROM: System Bootstrap, Version 12.2(1r)XE2, RELEASE SOFTWARE (fc1)

     vpnsdsl-test uptime is 1 hour, 16 minutes
     System returned to ROM by reload
     System image file is "flash:soho78-y1-mz.123-8.T8.bin"

     Cisco C828 (MPC855T) processor (revision 0x401) with 15360K/1024K bytes of memory.
     Processor board ID FOC08082CW4 (3713772053), with hardware revision 0000
     CPU rev number 5
     1 Ethernet interface
     1 ATM interface
     128K bytes of NVRAM.
     8192K bytes of processor board System flash (Read/Write)
     2048K bytes of processor board Web flash (Read/Write)

     Configuration register is 0x2102

     vpnsdsl-test#sh dsl interface aTM 0
     Globespan G.SHDSL/SDSL Chipset Information
     Equipment Type:           Customer Premise
     Operating Mode:           G.SHDSL Annex B
     Clock Rate Mode:          Fixed rate Mode
     Reset Count:              2
     Requested rate:           2312 Kbps
     Actual rate:              2312 Kbps
     Modem Status:             Data (0x1)
     Received SNR:             38 dB
     SNR Threshold:            23 dB
     Loop Attenuation:         2.1600 dB
     Transmit Power:           8.5 dBm
     Receiver Gain:            5.7840 dB
     Last Activation Status:   Failed during Carrier Detect (0x4)
     CRC Errors:               12
     Chipset Version:          1
     Firmware Version:         R1.5
     Far End Country Code:     0x0
     Far End Provider Code:    0x4D544C4B
     Far End Vendor Data:      0x0 0x0 0x0 0x1 0x0 0x0 0x0 0x0

     Performance statistics since reload:
      Number of LOS failures:              0
      Number of LOSQ failures:             0
      Number of code violations:           12
      Number of errored seconds:           2
      Number of severely errored seconds:  0
      Number of unavailable seconds:       48

     Performance statistics for:                Current 15 mins   Current 24 Hours
      Time elapsed since beginning of interval:  9Min              1Hr 9Min
      Number of LOS seconds:                     0                 21
      Number of LOSQ seconds:                    0                 0
      Number of code violations:                 0                 12
      Number of errored seconds:                 0                 2
      Number of severely errored seconds:        0                 0
      Number of unavailable seconds:             0                 48

     vpnsdsl-test#debug pppoe events
     PPPoE protocol events debugging is on
     vpnsdsl-test#
     *Mar 23 05:33:05: Sending PADI: vc=1/32
     *Mar 23 05:33:05: padi timer expired
     *Mar 23 05:33:37: Sending PADI: vc=1/32
     *Mar 23 05:33:37: padi timer expired
     *Mar 23 05:34:10: Sending PADI: vc=1/32
     *Mar 23 05:34:10: padi timer expired
     *Mar 23 05:34:42: Sending PADI: vc=1/32
     *Mar 23 05:34:42: padi timer expired
     *Mar 23 05:35:14: Sending PADI: vc=1/32
     *Mar 23 05:35:14: padi timer expired
     *Mar 23 05:35:47: Sending PADI: vc=1/32
     *Mar 23 05:35:47: padi timer expired
     *Mar 23 05:36:19: Sending PADI: vc=1/32
     *Mar 23 05:36:19: padi timer expired
     *Mar 23 05:36:51: Sending PADI: vc=1/32
  24. Hello everyone, I have a network here that consists of several sites. All branch offices currently connect to headquarters via L2TP tunnels. More precisely, the routers (various Cisco models) at the sites dial into the Internet via PPPoE. The provider's BRAS then initiates the L2TP tunnel between itself and the tunnel termination router (Cisco 7300). Now I would like to use IPsec between the site routers and the tunnel termination router to encrypt the communication. At the same time, as little as possible should change on the provider side, so the L2TP tunnel should still be used and IPsec carried inside it. Is that understandable? What is the simplest way to do this? So far I have only found information on how to carry L2TP inside IPsec. I'd be grateful for any tip! Thanks, Christian
  25. Great, thank you Wordo. I'll try that out on Monday and get back to you if I have any more questions. Thanks and regards, Christian