
1841: Site to Site VPN


Hello everyone,

I am currently trying to set up a site-to-site VPN between two 1841s, but it isn't working. Both devices are connected on FE0/0 via a crossover cable. A notebook is attached to each FE0/1.

 

The link between the devices is up, but no tunnel is established.

 

 

Master, Cisco 1841

sh ver
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 22-Feb-06 21:47 by ccai

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Master uptime is 2 hours, 57 minutes
System returned to ROM by reload at 09:44:13 UTC Wed Dec 10 2008
System image file is "flash:c1841-advipservicesk9-mz.124-6.T.bin"


Cisco 1841 (revision 7.0) with 118784K/12288K bytes of memory.
Processor board ID FCZ1136318N
2 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

 

 

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Master
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXX
enable password XXX
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!         
!
!
!
!
username sdm privilege 15 password 0 XXX
!
! 
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 192.168.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
description Tunnel to192.168.1.2
set peer 192.168.1.2
set transform-set ESP-3DES-SHA 
match address 100
!         
!
!
!
!
interface FastEthernet0/0
description wan
ip address 192.168.1.1 255.255.255.0
speed auto
full-duplex
no mop enabled
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
description lan-master
ip address 10.10.12.140 255.0.0.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
!
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password XXX
login
transport input all
transport output all
!
scheduler allocate 20000 1000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end


Slave, Cisco 1841:

sh vers
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 22-Feb-06 21:47 by ccai

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Slave uptime is 24 minutes
System returned to ROM by reload at 12:15:32 UTC Wed Dec 10 2008
System image file is "flash:c1841-advipservicesk9-mz.124-6.T.bin"


Cisco 1841 (revision 7.0) with 118784K/12288K bytes of memory.
Processor board ID FCZ1136317T
2 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

 

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Slave
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXX
enable password XXX
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!         
!
!
!
!
username sdm privilege 15 password 0 XXX
!
! 
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 192.168.1.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
description Tunnel to192.168.1.2
set peer 192.168.1.2
set transform-set ESP-3DES-SHA1 
match address 101
!
!
!
!
interface FastEthernet0/0
description wan
ip address 192.168.1.2 255.255.255.0
speed auto
full-duplex
no mop enabled
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
description lan-slave
ip address 172.16.0.1 255.255.0.0
speed auto
half-duplex
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
!
!
!
!
!
control-plane
!
!
!         
line con 0
line aux 0
line vty 0 4
password XXX
login
!
scheduler allocate 20000 1000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end


Debug output on Slave

*Dec 10 12:39:24.019: IPSEC(sa_request): ,
 (key eng. msg.) OUTBOUND local= 192.168.1.2, remote= 192.168.1.2, 
   local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), 
   remote_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
   protocol= ESP, transform= NONE  (Tunnel), 
   lifedur= 3600s and 4608000kb, 
   spi= 0x83EB0117(2213216535), conn_id= 0, keysize= 0, flags= 0x0
*Dec 10 12:39:24.023: ISAKMP: local port 500, remote port 500
*Dec 10 12:39:24.023: ISAKMP: set new node 0 to QM_IDLE      
*Dec 10 12:39:24.023: insert sa successfully sa = 64289D80
*Dec 10 12:39:24.023: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Dec 10 12:39:24.023: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Dec 10 12:39:24.023: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Dec 10 12:39:24.023: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Dec 10 12:39:24.023: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Dec 10 12:39:24.023: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Dec 10 12:39:24.023: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

*Dec 10 12:39:24.023: ISAKMP:(0): beginning Main Mode exchange
*Dec 10 12:39:24.023: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 10 12:39:24.023: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Dec 10 12:39:24.027: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 10 12:39:24.027: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 

*Dec 10 12:39:24.027: ISAKMP:(0): processing SA payload. message ID = 0
*Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Dec 10 12:39:24.027: ISAKMP (0:0): vendor ID is NAT-T v7
*Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID is NAT-T v3
*Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID is NAT-T v2
*Dec 10 12:39:24.027: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Dec 10 12:39:24.027: ISAKMP:(0): local preshared key found
*Dec 10 12:39:24.027: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Dec 10 12:39:24.027: ISAKMP:      encryption 3DES-CBC
*Dec 10 12:39:24.027: ISAKMP:      hash SHA
*Dec 10 12:39:24.027: ISAKMP:      default group 2
*Dec 10 12:39:24.027: ISAKMP:      auth pre-share
*Dec 10 12:39:24.027: ISAKMP:      life type in seconds
*Dec 10 12:39:24.027: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
*Dec 10 12:39:24.027: ISAKMP:(0):atts are acceptable. Next payload is 0
*Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Dec 10 12:39:24.027: ISAKMP (0:0): vendor ID is NAT-T v7
*Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID is NAT-T v3
*Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
*Dec 10 12:39:24.031: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Dec 10 12:39:24.031: ISAKMP:(0): vendor ID is NAT-T v2
*Dec 10 12:39:24.031: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 10 12:39:24.031: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 

*Dec 10 12:39:24.031: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Dec 10 12:39:24.031: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 10 12:39:24.031: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 

*Dec 10 12:39:24.031: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Dec 10 12:39:24.035: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 10 12:39:24.035: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 

*Dec 10 12:39:24.035: ISAKMP:(0): processing KE payload. message ID = 0
*Dec 10 12:39:24.035: crypto_engine: Create DH shared secret 
*Dec 10 12:39:24.035: crypto_engine: Modular Exponentiation 
*Dec 10 12:39:24.103: ISAKMP:(0): processing NONCE payload. message ID = 0
*Dec 10 12:39:24.103: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Dec 10 12:39:24.103: crypto_engine: Create IKE SA 
*Dec 10 12:39:24.103: crypto engine: deleting DH phase 2 SW:8 
*Dec 10 12:39:24.103: crypto_engine: Delete DH shared secret 
*Dec 10 12:39:24.103: ISAKMP:(1002): processing vendor id payload
*Dec 10 12:39:24.103: ISAKMP:(1002): vendor ID is Unity
*Dec 10 12:39:24.103: ISAKMP:(1002): processing vendor id payload
*Dec 10 12:39:24.103: ISAKMP:(1002): vendor ID is DPD
*Dec 10 12:39:24.103: ISAKMP:(1002): processing vendor id payload
*Dec 10 12:39:24.103: ISAKMP:(1002): speaking to another IOS box!
*Dec 10 12:39:24.103: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 10 12:39:24.103: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM4 

*Dec 10 12:39:24.107: ISAKMP:(1002):Send initial contact
*Dec 10 12:39:24.107: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Dec 10 12:39:24.107: ISAKMP (0:1002): ID payload 
       next-payload : 8
       type         : 1 
       address      : 192.168.1.2 
       protocol     : 17 
       port         : 500 
       length       : 12
*Dec 10 12:39:24.107: ISAKMP:(1002):Total payload length: 12
*Dec 10 12:39:24.107: crypto_engine: Generate IKE hash 
*Dec 10 12:39:24.107: crypto_engine: Encrypt IKE packet 
*Dec 10 12:39:24.107: ISAKMP:(1002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Dec 10 12:39:24.107: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 10 12:39:24.107: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5 


*Dec 10 12:39:24.111: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 10 12:39:24.111: crypto_engine: Decrypt IKE packet 
*Dec 10 12:39:24.111: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.1.2 failed its sanity check or is malformed
*Dec 10 12:39:24.111: ISAKMP (0:1002): incrementing error counter on sa, attempt 1 of 5: PAYLOAD_MALFORMED
*Dec 10 12:39:24.111: crypto_engine: Encrypt IKE packet 
*Dec 10 12:39:24.111: ISAKMP:(1002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Dec 10 12:39:24.111: ISAKMP (0:1002): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Dec 10 12:39:24.111: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 10 12:39:24.111: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 10 12:39:24.111: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 10 12:39:24.115: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 10 12:39:24.115: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 10 12:39:54.019: IPSEC(key_engine): request timer fired: count = 1,
 (identity) local= 192.168.1.2, remote= 192.168.1.2, 
   local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), 
   remote_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4)
*Dec 10 12:39:54.019: IPSEC(sa_request): ,
 (key eng. msg.) OUTBOUND local= 192.168.1.2, remote= 192.168.1.2, 
   local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), 
   remote_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
   protocol= ESP, transform= NONE  (Tunnel), 
   lifedur= 3600s and 4608000kb, 
   spi= 0xAAD7E82F(2866276399), conn_id= 0, keysize= 0, flags= 0x0
*Dec 10 12:39:54.019: ISAKMP: set new node 0 to QM_IDLE      
*Dec 10 12:39:54.019: ISAKMP:(1002):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote 192.168.1.2)

 

 

Does anyone have a tip?

Thanks,

Christian

PS: Sorry for the many posts, but the 4000-character limit makes it necessary...

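The trace above already contains the diagnosis. The `IPSEC(sa_request)` header reads `local= 192.168.1.2, remote= 192.168.1.2`: the Slave is negotiating IKE with its own FE0/0 address, because its crypto map says `set peer 192.168.1.2` while its pre-shared key is bound to 192.168.1.1. The attempt then dies in MM_KEY_EXCH with `%CRYPTO-4-IKMP_BAD_MESSAGE` / `PAYLOAD_MALFORMED`. The script below is an added example for this thread, not code from the original post or from Cisco: it pulls the endpoints, proxy identities and last IKE state out of a `debug crypto isakmp` / `debug crypto ipsec` capture and flags both conditions. The regexes assume the 12.4(6)T debug wording shown above, and the embedded sample is a constructed excerpt of the posted lines.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' / 'debug crypto ipsec' output.
Added example for this thread, not code from the original post or from Cisco.
It pulls the negotiation endpoints and proxy identities from IPSEC(sa_request)
lines and flags two things visible in the posted trace: a router negotiating
with its own address, and IKE messages failing the sanity check."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns match the 12.4T debug wording seen in the thread (assumption for other releases).
SA_REQUEST_RE = re.compile(r"OUTBOUND local= (?P<local>[\d.]+), remote= (?P<remote>[\d.]+)")
PROXY_RE = re.compile(r"(?P<kind>local|remote)_proxy= (?P<net>[\d.]+)/(?P<mask>[\d.]+)")
MALFORMED_RE = re.compile(r"%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from (?P<peer>[\d.]+) failed")
STATE_RE = re.compile(r"Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)")


@dataclass
class IkeTriage:
    local: Optional[str] = None
    remote: Optional[str] = None
    local_proxy: Optional[str] = None
    remote_proxy: Optional[str] = None
    last_state: Optional[str] = None
    malformed_from: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def triage(debug_text: str) -> IkeTriage:
    """Summarise one IKE attempt from debug output and return the findings."""
    t = IkeTriage()
    for line in debug_text.splitlines():
        if (m := SA_REQUEST_RE.search(line)) and t.local is None:   # first sa_request wins
            t.local, t.remote = m["local"], m["remote"]
        elif m := PROXY_RE.search(line):
            value = f"{m['net']}/{m['mask']}"
            if m["kind"] == "local":
                t.local_proxy = t.local_proxy or value
            else:
                t.remote_proxy = t.remote_proxy or value
        elif m := MALFORMED_RE.search(line):
            t.malformed_from.append(m["peer"])
        elif m := STATE_RE.search(line):
            t.last_state = m["new"]
    if t.local and t.local == t.remote:
        t.findings.append(
            f"remote peer {t.remote} equals local address {t.local}: "
            "the crypto map's 'set peer' points at this router, not at the other site")
    if t.malformed_from:
        t.findings.append(
            f"{len(t.malformed_from)} IKE message(s) from {t.malformed_from[0]} failed the sanity "
            f"check after reaching {t.last_state}; a pre-shared key or peer-address mismatch is the usual cause")
    return t


# Constructed excerpt of the Slave's trace as posted in the thread.
SAMPLE_DEBUG = """\
*Dec 10 12:39:24.019: IPSEC(sa_request): ,
 (key eng. msg.) OUTBOUND local= 192.168.1.2, remote= 192.168.1.2,
   local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
   remote_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
*Dec 10 12:39:24.023: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Dec 10 12:39:24.107: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Dec 10 12:39:24.111: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.1.2 failed its sanity check or is malformed
*Dec 10 12:39:24.111: ISAKMP (0:1002): incrementing error counter on sa, attempt 1 of 5: PAYLOAD_MALFORMED
"""

if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    print(f"{result.local} -> {result.remote}   {result.local_proxy} <-> {result.remote_proxy}")
    print("\n".join(result.findings))
```

Feed it the full capture (`term mon` output or a syslog export) rather than an excerpt; the first `sa_request` header decides which peer the summary refers to, and every subsequent `%CRYPTO-4-IKMP_BAD_MESSAGE` adds to the failure count.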

I built the config in SDM, and there it is shown as correct. Here it is once more:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Slave
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXX
enable password XXX
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!         
!
!
!
!
username sdm privilege 15 password 0 XXX
!
! 
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 192.168.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
description Tunnel to192.168.1.2
set peer 192.168.1.2
set transform-set ESP-3DES-SHA1 
match address 101
!
!
!
!
interface FastEthernet0/0
description wan
ip address 192.168.1.2 255.255.255.0
speed auto
full-duplex
no mop enabled
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
description lan-slave
ip address 172.16.0.1 255.255.0.0
speed auto
half-duplex
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
!
!
!
!
!
control-plane
!
!
!         
line con 0
line aux 0
line vty 0 4
password XXX
login
!
scheduler allocate 20000 1000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end


I have now changed that as well, without success.

I even made use of the option to have a mirror config generated on the Master and then copied it to the Slave. No success...

Master: key + IP of Slave

Slave: key + IP of Master


Master

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key KEY address 192.168.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
description Apply the crypto map on the peer router's interface having IP address 192.168.1.2 that connects to this router.
set peer 192.168.1.2
set transform-set ESP-3DES-SHA1 
match address SDM_1
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
speed auto
full-duplex
no mop enabled
crypto map SDM_CMAP_1
!
!
!
ip access-list extended SDM_1
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

 

 

Slave

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key KEY  address 192.168.1.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
description Apply the crypto map on the peer router's interface having IP address 192.168.1.2 that connects to this router.
set peer 192.168.1.1
set transform-set ESP-3DES-SHA 
match address SDM_1
!
!
!
!
interface FastEthernet0/0
description wan
ip address 192.168.1.2 255.255.255.0
speed auto
full-duplex
no mop enabled
crypto map SDM_CMAP_1
!
!
!
ip access-list extended SDM_1
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255


The SDM_1 rule on the Slave doesn't look correct to me; 192.168.1.0/24 is already the "link network" between the two routers.

Otherwise, is there also a route on both routers to reach the two "LANs" behind them?

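Both points in the reply above (the Slave's SDM_1 entry naming the link network instead of its LAN, and the missing routes to the far LANs) and the `set peer` mistake in the first Slave config are cross-checks between the two sides that can be automated. The script below is an added example for this thread, not code from the posts or from Cisco/SDM. It parses the crypto-relevant lines of two IOS configs in the indentation-stripped form they appear here and reports the asymmetries. Assumptions: one crypto-map entry per router, IPv4 only, contiguous wildcard masks, and a remote LAN counts as reachable when a static route (a default route included) or a connected network covers it. The sample configs are constructed from the snippets posted in the thread.

```python
"""Mirror-consistency linter for a pair of Cisco IOS crypto-map configs.
Added example for this thread, not code from the original posts or from Cisco.
It parses forum-paste style configs (indentation stripped) and reports the
asymmetries that keep a static crypto-map tunnel down. Samples are constructed
from the snippets posted in the thread."""
import ipaddress
from typing import List

Net = ipaddress.IPv4Network


def _wild(addr: str, wildcard: str) -> Net:
    """IOS 'address wildcard' -> network (assumes a contiguous wildcard mask)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


class IosCrypto:
    """The parts of an IOS config that a site-to-site crypto map depends on."""

    def __init__(self, config: str) -> None:
        self.hostname = self.key_addr = self.peer = self.acl_name = None
        self.own_ips, self.connected, self.routes = set(), [], []
        self.link = None            # network of the interface the crypto map is applied to
        self.acls = {}              # ACL name or number -> list of (src, dst) networks
        last_net = acl = None       # context tracked by keyword, since pastes lose indentation
        for line in config.splitlines():
            t = line.split()
            if not t or t[0] == "!":
                continue
            if t[0] == "hostname":
                self.hostname = t[1]
            elif t[:2] == ["ip", "address"] and len(t) >= 4:
                iface = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
                self.own_ips.add(str(iface.ip))
                self.connected.append(iface.network)
                last_net = iface.network
            elif t[:2] == ["crypto", "map"] and len(t) == 3:   # 'crypto map NAME' on an interface
                self.link = last_net
            elif t[:3] == ["crypto", "isakmp", "key"] and "address" in t:
                self.key_addr = t[t.index("address") + 1]
            elif t[:2] == ["set", "peer"]:
                self.peer = t[2]
            elif t[:2] == ["match", "address"]:
                self.acl_name = t[2]
            elif t[:3] == ["ip", "access-list", "extended"]:
                acl = t[3]
            elif t[:2] == ["permit", "ip"] and acl:
                self.acls.setdefault(acl, []).append((_wild(t[2], t[3]), _wild(t[4], t[5])))
            elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
                self.acls.setdefault(t[1], []).append((_wild(t[4], t[5]), _wild(t[6], t[7])))
            elif t[:2] == ["ip", "route"]:
                self.routes.append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))


def lint(a: IosCrypto, b: IosCrypto) -> List[str]:
    """Check a's side of the tunnel against its intended peer b; return findings."""
    f: List[str] = []
    if a.peer in a.own_ips:
        f.append(f"{a.hostname}: set peer {a.peer} is one of its own addresses")
    elif a.peer not in b.own_ips:
        f.append(f"{a.hostname}: set peer {a.peer} is not an address of {b.hostname}")
    if a.key_addr != a.peer:
        f.append(f"{a.hostname}: isakmp key bound to {a.key_addr}, but crypto map peers with {a.peer}")
    mine = a.acls.get(a.acl_name, [])
    if set(mine) != {(dst, src) for src, dst in b.acls.get(b.acl_name, [])}:
        f.append(f"{a.hostname}: crypto ACL {a.acl_name} is not the mirror of {b.hostname}'s {b.acl_name}")
    for src, dst in mine:
        if a.link in (src, dst):
            f.append(f"{a.hostname}: crypto ACL {a.acl_name} uses the link network {a.link} instead of a LAN")
        if not any(dst.subnet_of(r) for r in a.routes + a.connected):
            f.append(f"{a.hostname}: no route to remote network {dst}")
    return f


# Constructed from the thread's last posted configs (remarks and unused ACL 100 dropped).
MASTER = """hostname Master
crypto isakmp key KEY address 192.168.1.2
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer 192.168.1.2
match address SDM_1
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
crypto map SDM_CMAP_1
interface FastEthernet0/1
ip address 10.10.12.140 255.0.0.0
ip access-list extended SDM_1
permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
"""
SLAVE_BASE = """hostname Slave
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
crypto map SDM_CMAP_1
interface FastEthernet0/1
ip address 172.16.0.1 255.255.0.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
crypto map SDM_CMAP_1 1 ipsec-isakmp
"""
SLAVE_FIRST = SLAVE_BASE + """crypto isakmp key xxxxxx address 192.168.1.1
set peer 192.168.1.2
match address 101
access-list 101 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
"""  # first post: 'set peer' names the Slave's own WAN address
SLAVE_FINAL = SLAVE_BASE + """crypto isakmp key KEY address 192.168.1.1
set peer 192.168.1.1
match address SDM_1
ip access-list extended SDM_1
permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
"""  # last post: peer fixed, but the crypto ACL names the link net instead of the LAN

if __name__ == "__main__":
    for slave in (SLAVE_FIRST, SLAVE_FINAL):
        s, m = IosCrypto(slave), IosCrypto(MASTER)
        print("\n".join(lint(s, m) + lint(m, s)), end="\n\n")
```

Against the first Slave config it reports the peer pointing at the router's own address and the ISAKMP key bound to a different address than the peer; against the last pair it reports that the Slave's SDM_1 entry uses 192.168.1.0/24 and is not the mirror of the Master's, and that the Master has no route to 172.16.0.0/16. Differently named transform sets with identical transforms, as in the posted configs, are not an error and are deliberately not checked.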