kacer99

2x Cisco 1841 VPN dynip

Hello,
I know there have already been several posts on this, but I have opened a new one since no existing post has helped me so far.

Hello everyone,

I am new to this board and have already found a few useful tips here now and then; first of all, many thanks to the community that such a board exists.

So, now to my request:

Does anyone have a working VPN config for a site-to-site connection between two Cisco 1841s with two dynamic IPs?


So far I have tried everything: I do get a tunnel established, but I get stuck at phase 2 and traffic to the other network is not possible.
I have tried every constellation available on the net, but nothing works. I am still fairly new to Cisco routers, though; switches are really my strength.

So I would be grateful for a running-config with dynamic IPs.

Content-ID: 151032

Url: https://administrator.de/contentid/151032

Printed on: 22.11.2024 at 21:11

aqui, 15.09.2010 at 08:16:48
Have a look here:
Vernetzung zweier Standorte mit Cisco 876 Router (connecting two sites with Cisco 876 routers)

The DynDNS config then looks like this:
ip ddns update method dyndns
HTTP
add http://<username>:<pw>:@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
!

Under your WAN interface, add the following commands (example here: DSL PPPoE dialer)
interface Dialer0
description DSL PPPoE dial-in with DynDNS update
ip ddns update hostname <dyndns hostname>
ip ddns update dyndns
ip address negotiated
ip access-group 100 in
ip mtu 1492
ip nat outside
ip inspect FW out
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
no cdp enable
ppp authentication chap callin
ppp chap hostname xxx
ppp chap password 0 beliebig
ppp ipcp dns request
ppp ipcp mask request
!

Done! Works without any problems!
Kacer99, 15.09.2010 at 14:12:01
Thanks for the reply first of all,

but the DynDNS config is clear and works. VPN is the problem; I get stuck in P2 with the error "proposal not chosen", even though the ACL is in place.

I have found various configs on the net without a tunnel interface, and with those I get the VPN tunnel itself up, but no traffic runs over it. So is a tunnel interface always required? It should also work with the crypto map doing it directly, shouldn't it?

Thanks

Here is the config of one router; the other is configured correspondingly as the remote end.

! Last configuration change at 16:04:40 UTC Fri Jul 23 2010 by admin
! NVRAM config last updated at 16:04:40 UTC Fri Jul 23 2010 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service linenumber
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 102400
!
no aaa new-model
!
!
!
dot11 syslog
no ip source-route
!
!
!
!
ip cef
ip domain name xxx.local
ip ddns update method acc
HTTP
add http://acc:pass@members.dyndns.org/nic/update?system=dyndns&hostnam ...;
interval maximum 0 5 0 0
interval minimum 0 0 5 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-126358352
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-126358352
revocation-check none
rsakeypair TP-self-signed-126358352
!
!
crypto pki certificate chain TP-self-signed-126358352
certificate self-signed 01 nvram:IOS-Self-Sig#4.cer
!
!
license udi pid CISCO1841 sn FCZ104712RJ
archive
log config
hidekeys
username admin privilege 15 password 0 xxx
!
redundancy
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!
crypto dynamic-map dynmap 10
set peer xx.dyndns.org dynamic
set transform-set myset
match address 101
!
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
!
interface FastEthernet0/0.7
description ### ext. Modem VDSL ###
encapsulation dot1Q 7
pppoe enable group 1
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
description ### inside LAN ###
ip address 192.168.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
!
interface Dialer1
description ### Dialer DSL ###
bandwidth 25000
ip ddns update hostname xxx.dyndns.org
ip ddns update bistro
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
keepalive 20
ppp authentication pap callin
ppp pap sent-username xxx password 0 xxx
ppp ipcp dns request
no cdp enable
crypto map mymap
!
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
ip dns view default
dns forwarding source-interface FastEthernet0/1
ip dns server
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 3600
ip nat inside source static tcp 192.168.100.101 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.100.101 443 interface Dialer1 443
ip nat inside source static tcp 192.168.100.110 80 interface Dialer1 80
ip nat inside source static tcp 192.168.100.101 110 interface Dialer1 110
ip nat inside source static tcp 192.168.100.101 143 interface Dialer1 143
ip nat inside source static tcp 192.168.100.110 25 interface Dialer1 25
ip nat inside source static tcp 192.168.100.50 80 interface Dialer1 81
ip nat inside source static tcp 192.168.100.51 80 interface Dialer1 82
ip nat inside source route-map check->NAT interface Dialer1 overload
ip nat inside source route-map nonat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.100.0 255.255.255.0 192.168.0.2
ip route 192.168.101.0 255.255.255.0 192.168.0.2
ip route 192.168.102.0 255.255.255.0 192.168.0.2
ip route 192.168.178.0 255.255.255.0 192.168.0.2
!
access-list 1 permit 192.168.101.10
access-list 1 permit 192.168.179.20
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 101 permit ip any host 192.168.179.1
access-list 123 permit ip 192.168.100.0 0.0.0.255 any
access-list 123 permit ip 192.168.101.0 0.0.0.255 any
access-list 123 permit ip 192.168.102.0 0.0.0.255 any
access-list 123 permit ip 192.168.0.0 0.0.0.3 any
access-list 123 deny ip 192.168.0.0 0.0.0.3 192.168.179.0 0.0.0.255
!
!
!
!
route-map check->NAT permit 10
match ip address 123
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 60 0
password xxx
logging synchronous
login
line aux 0
line vty 0 4
access-class 1 in
privilege level 15
password xxx
logging synchronous
login local
transport input telnet ssh
line vty 5 15
access-class 1 in
login
!
scheduler allocate 20000 1000
ntp server 213.165.70.72
end
aqui, 15.09.2010 at 16:09:20
No, the crypto map only maps the specific traffic onto the tunnel. Without a tunnel interface it de facto does not work.
The example config above is a live config that has been running without problems for years.
So it should also work for you if everything is typed in correctly.
Furthermore, your VPN crypto ACL is wrong! If the internal LAN at Router-1 is 192.168.0.0 /24 and at Router-2 192.168.170.0 /24, then it has to read:
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.179.0 0.0.0.255
and correspondingly "reversed" on Router 2:
access-list 101 permit ip 192.168.179.0 0.0.0.255 192.168.0.0 0.0.0.255
That sends all traffic from the 192.168.0.0 /24 network to the 192.168.179.0 network (and vice versa) into the tunnel, i.e. the traffic between the two local networks over the tunnel!
That is also one reason why it does not work.
Something like ip nat inside source route-map nonat... where the route-map nonat does not exist at all is also dangerous. Then the default "deny ip any any" applies, i.e. everything is blocked. Such "corpses" in the config are better deleted so you don't set traps for yourself!!
Have you also "debugged" the tunnel setup? What messages do you get there?
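aqui's warning about the NAT rule that points at a route-map `nonat` which is never defined generalises to every name a Cisco config refers to by string: ACL numbers behind `match address`, route-maps behind `ip nat inside source route-map`, transform sets, dynamic maps, crypto maps applied to interfaces and DDNS update methods. The config posted above has a second reference of that kind: Dialer1 carries `ip ddns update bistro`, but the only method defined is `acc`. The script below is an added example (not a Cisco tool and not part of the thread) that finds such dangling references; its input is an excerpt of lines from the posted config, with the DynDNS URL line left out.

```python
"""Dangling-reference lint for Cisco IOS configs (added example, not from the thread)."""
import re

# (pattern, kind): lines that DEFINE an object; group 1 is its name
DEFINITIONS = [
    (re.compile(r"^\s*access-list (\S+) "), "acl"),
    (re.compile(r"^\s*ip access-list (?:standard|extended) (\S+)"), "acl"),
    (re.compile(r"^\s*route-map (\S+) (?:permit|deny)"), "route-map"),
    (re.compile(r"^\s*crypto map (\S+) \d+ "), "crypto-map"),
    (re.compile(r"^\s*crypto dynamic-map (\S+) \d+"), "dynamic-map"),
    (re.compile(r"^\s*crypto ipsec transform-set (\S+) "), "transform-set"),
    (re.compile(r"^\s*ip ddns update method (\S+)"), "ddns-method"),
]
# (pattern, kind): lines that REFER to an object of that kind by name
REFERENCES = [
    (re.compile(r"^\s*ip nat inside source route-map (\S+) "), "route-map"),
    (re.compile(r"^\s*ip nat inside source list (\S+) "), "acl"),
    (re.compile(r"^\s*match address (\S+)"), "acl"),            # crypto map / dynamic map
    (re.compile(r"^\s*match ip address (\S+)"), "acl"),         # route-map
    (re.compile(r"^\s*(?:ip http )?access-class (\S+)"), "acl"),
    (re.compile(r"^\s*set transform-set (\S+)"), "transform-set"),
    (re.compile(r"^\s*crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"), "dynamic-map"),
    (re.compile(r"^\s*crypto map (\S+)\s*$"), "crypto-map"),    # applied on an interface
    (re.compile(r"^\s*ip ddns update (?!method\b|hostname\b)(\S+)"), "ddns-method"),
]


def find_dangling(config):
    """Return [(line_no, kind, name)] for every reference whose target is never defined."""
    defined, refs = set(), []
    for no, line in enumerate(config.splitlines(), 1):
        for rx, kind in DEFINITIONS:
            m = rx.match(line)
            if m:
                defined.add((kind, m.group(1)))
        for rx, kind in REFERENCES:
            m = rx.match(line)
            if m:
                refs.append((no, kind, m.group(1)))
    return [(no, kind, name) for no, kind, name in refs if (kind, name) not in defined]


# Excerpt of the config posted above (lines copied from the post, URL line omitted)
POSTED_EXCERPT = """\
ip ddns update method acc
 HTTP
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set peer xx.dyndns.org dynamic
 set transform-set myset
 match address 101
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface Dialer1
 ip ddns update hostname xxx.dyndns.org
 ip ddns update bistro
 crypto map mymap
ip nat inside source route-map check->NAT interface Dialer1 overload
ip nat inside source route-map nonat interface Dialer1 overload
access-list 1 permit 192.168.101.10
access-list 101 permit ip any host 192.168.179.1
access-list 123 permit ip 192.168.100.0 0.0.0.255 any
route-map check->NAT permit 10
 match ip address 123
line vty 0 4
 access-class 1 in
"""

if __name__ == "__main__":
    for no, kind, name in find_dangling(POSTED_EXCERPT):
        print(f"line {no}: {kind} '{name}' is referenced but never defined")
```

The check is purely lexical, so it catches exactly the class of mistake aqui describes (a name typed once and never defined, or a definition renamed without updating its users); it does not know what IOS does with the dangling entry, which depends on the feature. Run it against `show running-config` output before and after every edit session on a remote router.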
Kacer99, 15.09.2010 at 17:14:22
I have already tested several ACL variants; that was just the last one.
192.168.0.0 /24 is wrong; it is only a /30 transit network with the .1 and .2 IPs between the router and the L3 switch.
Thanks for the info about the NAT; I will change it right away.

I have debugged the tunnel setup; the result was P1 "complete", P2 "proposal not chosen".

With "show crypto isakmp sa" the tunnel is shown with a conn-id and status ACTIVE.
Only with "show crypto ipsec sa" no active IPsec connection is shown, just the routing rules. That may be because it is stuck in P2.

What also bothers me enormously is that in the Cisco how-tos the connection is supposed to work without a tunnel interface!????
Probably only for the VPN connection without additional internet access....

In the next few days I will make another attempt with a tunnel interface, and if that does not work I will post the debug.

But the dynmap is correct like this for dynamic IPs, right?

crypto dynamic-map dynmap 10
set peer xx.dyndns.org dynamic
set transform-set myset
match address 101
!
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap

So I also have to set the pre-shared key to
crypto isakmp key xxx address 0.0.0.0 0.0.0.0 no-xauth
so that it is used regardless of which IP?


Many thanks to you and the board first of all
aqui, 16.09.2010, updated 18.10.2012 at 18:43:31
The transit network is completely irrelevant for the crypto map ACL. The ACL only has to filter the communication between the local networks and bring it into the tunnel. That is why the local networks have to go into the ACL:
Router-1:
access-list 101 permit ip <local net Router1> <wildcard mask> <local net Router2> <wildcard mask>
and correspondingly "reversed" on Router 2:
access-list 101 permit ip <local net Router2> <wildcard mask> <local net Router1> <wildcard mask>
That's how it works!
The rest is in the example thread above, and e.g. in this one:
IPsec VPNs einrichten mit Cisco, Mikrotik, pfSense Firewall, FritzBox, Smartphone sowie Shrew Client Software (setting up IPsec VPNs with Cisco, Mikrotik, pfSense firewall, FritzBox, smartphone and the Shrew client software)
These are all currently running configs!! So it has to work!
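The mirror rule aqui describes is what IKE phase 2 actually enforces: the proxy identities derived from the crypto ACL on one side must be the exact reverse of the other side's. The script below is an added example, not part of the thread and not a Cisco tool; it parses the ACL syntax used in the posted configs and reports permit entries that have no mirror on the other router. The first pair is the pair of `xxx` ACLs posted later in this thread (`permit ip any 192.168.0.0 0.0.0.3` against `permit ip any 192.168.179.0 0.0.0.255`); the second is constructed from aqui's template using the thread's 192.168.179.0/24 and 192.168.178.0/24 networks and does not appear in the thread verbatim.

```python
"""Mirror check for Cisco crypto ACLs (added example, not from the thread)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _address(tokens, i):
    """Consume one ACL address spec starting at tokens[i]:
    'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'. Returns (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard is an inverted netmask: 0.0.0.255 means /24.
    # Non-contiguous wildcards cannot be expressed as a prefix and raise ValueError.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    net = ipaddress.ip_network((tokens[i], str(netmask)), strict=False)
    return net, i + 2


def parse_acl(text):
    """Parse numbered ('access-list 101 permit ip ...') and named ('permit gre ...')
    Cisco ACL lines into (action, protocol, src_net, dst_net) tuples.
    Headers, remarks, standard ACLs and blank lines are skipped; port qualifiers
    are not handled, which is enough for crypto ACLs."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "access-list":
            tokens = tokens[2:]              # drop 'access-list <number>'
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _address(tokens, 2)
        dst, _ = _address(tokens, i)
        entries.append((action, proto, src, dst))
    return entries


def mirror_mismatches(acl_a, acl_b):
    """Permit entries of each ACL that have no exact mirror (same protocol,
    source and destination swapped) on the other side. IKE phase 2 compares
    these proxy identities, so an unmirrored entry is the first thing to fix
    when phase 1 is ACTIVE but no IPsec SA ever appears."""
    permits_a = {(p, s, d) for a, p, s, d in acl_a if a == "permit"}
    permits_b = {(p, s, d) for a, p, s, d in acl_b if a == "permit"}
    only_a = sorted((p, str(s), str(d)) for p, s, d in permits_a if (p, d, s) not in permits_b)
    only_b = sorted((p, str(s), str(d)) for p, s, d in permits_b if (p, d, s) not in permits_a)
    return only_a, only_b


def check_pair(text_a, text_b):
    """Parse both sides and return (unmirrored on A, unmirrored on B)."""
    return mirror_mismatches(parse_acl(text_a), parse_acl(text_b))


# Crypto ACLs as posted for the two routers later in this thread
SITE_A_POSTED = """
ip access-list extended xxx
 permit gre host 192.168.179.1 host 192.168.0.1
 permit ip any 192.168.0.0 0.0.0.3
"""
SITE_B_POSTED = """
ip access-list extended xxx
 permit gre host 192.168.0.1 host 192.168.179.1
 permit ip any 192.168.179.0 0.0.0.255
"""
# Constructed from aqui's template with the thread's LAN ranges (not in the thread verbatim)
SITE_A_MIRRORED = "access-list 101 permit ip 192.168.179.0 0.0.0.255 192.168.178.0 0.0.0.255"
SITE_B_MIRRORED = "access-list 101 permit ip 192.168.178.0 0.0.0.255 192.168.179.0 0.0.0.255"

if __name__ == "__main__":
    for label, pair in (("posted", (SITE_A_POSTED, SITE_B_POSTED)),
                        ("mirrored", (SITE_A_MIRRORED, SITE_B_MIRRORED))):
        only_a, only_b = check_pair(*pair)
        print(f"{label}: unmirrored on A={only_a}, unmirrored on B={only_b}")
```

For the posted pair the GRE entries mirror each other but the `ip` entries do not (A offers any -> 192.168.0.0/30, B would have to carry 192.168.0.0/30 -> any and instead carries any -> 192.168.179.0/24), which is consistent with a phase 1 that comes up and a phase 2 that never does. Two notes on the configs themselves: `crypto isakmp key ... address 0.0.0.0 0.0.0.0` accepts that one key from any source address, which two dynamic peers can hardly avoid, so the key's strength is what stands between the internet and a phase 1 with your router; and `esp-des` is 56-bit DES, which IOS still offered in 2010 but which should not be used for anything new (3DES with SHA-1 is better, AES with SHA-2 better still).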
Kacer99, 17.09.2010 at 18:49:47
Hm, so I tested again today; P1 completes, P2 is where it hangs:
Somehow this does not work with the 1841s according to that config.

I also had problems with the ACL:
ip access-list extended xxx
permit gre host 192.168.179.1 host 192.168.0.1
permit ip 192.168.179.0 0.0.0.255 192.168.0.0 0.0.0.3

With that it does not establish a connection at all; only after changing it to

ip access-list extended xxx
permit gre host 192.168.179.1 host 192.168.0.1
permit ip any 192.168.0.0 0.0.0.3

does it bring up the tunnel!

Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
87.142.47.43 87.142.31.79 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA


Router#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: bistro, local addr 192.168.179.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.252/0/0)
current_peer (none) port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.179.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/47/0)
current_peer (none) port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

interface: Dialer1
Crypto map tag: bistro, local addr 87.142.31.79

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.252/0/0)
current_peer 87.142.47.43 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 0

local crypto endpt.: 87.142.31.79, remote crypto endpt.: 87.142.47.43
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.179.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/47/0)
current_peer (none) port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

interface: Virtual-Access2
Crypto map tag: bistro, local addr 0.0.0.0

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.252/0/0)
current_peer (none) port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.179.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/47/0)
current_peer (none) port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0


The remote side is of course configured correspondingly too.

So I am almost running out of ideas why it shouldn't work!


Here is the debug:

008144: Sep 17 16:41:15.202: ISAKMP:(0): SA request profile is (NULL)
008145: Sep 17 16:41:15.202: ISAKMP: Created a peer struct for 87.142.48.137, peer port 500
008146: Sep 17 16:41:15.202: ISAKMP: New peer created peer = 0x65E70250 peer_handle = 0x8000005A
008147: Sep 17 16:41:15.202: ISAKMP: Locking peer struct 0x65E70250, refcount 1 for isakmp_initiator
008148: Sep 17 16:41:15.202: ISAKMP: local port 500, remote port 500
008149: Sep 17 16:41:15.202: ISAKMP: set new node 0 to QM_IDLE
008150: Sep 17 16:41:15.202: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 674537C8
008151: Sep 17 16:41:15.206: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
008152: Sep 17 16:41:15.206: ISAKMP:(0):found peer pre-shared key matching 87.142.48.137
008153: Sep 17 16:41:15.206: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
008154: Sep 17 16:41:15.206: ISAKMP:(0): constructed NAT-T vendor-07 ID
008155: Sep 17 16:41:15.206: ISAKMP:(0): constructed NAT-T vendor-03 ID
008156: Sep 17 16:41:15.206: ISAKMP:(0): constructed NAT-T vendor-02 ID
008157: Sep 17 16:41:15.206: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
008158: Sep 17 16:41:15.206: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

Router#
008159: Sep 17 16:41:15.206: ISAKMP:(0): beginning Main Mode exchange
008160: Sep 17 16:41:15.206: ISAKMP:(0): sending packet to 87.142.48.137 my_port 500 peer_port 500 (I) MM_NO_STATE
008161: Sep 17 16:41:15.206: ISAKMP:(0):Sending an IKE IPv4 Packet.
Router#
008162: Sep 17 16:41:25.205: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
008163: Sep 17 16:41:25.205: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
008164: Sep 17 16:41:25.205: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
008165: Sep 17 16:41:25.205: ISAKMP:(0): sending packet to 87.142.48.137 my_port 500 peer_port 500 (I) MM_NO_STATE
008166: Sep 17 16:41:25.205: ISAKMP:(0):Sending an IKE IPv4 Packet.
Router#
008167: Sep 17 16:41:35.205: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
008168: Sep 17 16:41:35.205: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
008169: Sep 17 16:41:35.205: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
008170: Sep 17 16:41:35.205: ISAKMP:(0): sending packet to 87.142.48.137 my_port 500 peer_port 500 (I) MM_NO_STATE
008171: Sep 17 16:41:35.205: ISAKMP:(0):Sending an IKE IPv4 Packet.
Router#
008172: Sep 17 16:41:45.200: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 87.142.47.43, remote= 87.142.48.137,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.179.0/255.255.255.0/0/0 (type=4)
008173: Sep 17 16:41:45.204: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
008174: Sep 17 16:41:45.204: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
008175: Sep 17 16:41:45.204: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
008176: Sep 17 16:41:45.204: ISAKMP:(0): sending packet to 87.142.48.137 my_port 500 peer_port 500 (I) MM_NO_STATE
008177: Sep 17 16:41:45.204: ISAKMP:(0):Sending an IKE IPv4 Packet.
008178: Sep 17 16:41:45.212: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 87.142.47.43, remote= 87.142.48.137,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.179.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
008179: Sep 17 16:41:45.212: ISAKMP: set new node 0 to QM_IDLE
008180: Sep 17 16:41:45.212: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 87.142.47.43, remote 87.142.48.137)
Router#
008181: Sep 17 16:41:45.212: ISAKMP: Error while processing SA request: Failed to initialize SA
008182: Sep 17 16:41:45.212: ISAKMP: Error while processing KMI message 0, error 2.


Here is the config that I rewrote based on the example.

Router#sh conf
Using 4521 out of 196600 bytes
!
! Last configuration change at 18:27:48 CEST Fri Sep 17 2010 by admin
! NVRAM config last updated at 18:31:09 CEST Fri Sep 17 2010 by admin
!
version 15.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service linenumber
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot system flash:c1841-advipservicesk9-mz.150-1.M.bin
boot-end-marker
!
logging buffered 102400
!
no aaa new-model
!
!
!
memory-size iomem 15
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
no ip source-route
!
!
!
!
ip cef
ip domain name xxx.local
ip name-server 217.0.43.161
ip name-server 217.0.43.177
ip port-map user-protocol--2 port tcp 62222
ip port-map user-protocol--3 port udp 62222
ip port-map user-protocol--1 port tcp 3389
ip ddns update method xxx
HTTP
add http://xxx:xxx@members.dyndns.org/nic/update?system=dyndns&hostname ...;
interval minimum 0 1 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-126358352
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-126358352
revocation-check none
rsakeypair TP-self-signed-126358352
!
!
crypto pki certificate chain TP-self-signed-126358352
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
!
!
license udi pid CISCO1841 sn FCZ102711MK
archive
log config
hidekeys
username admin privilege 15 password 0 xxx
!
redundancy
!
!
controller E1 0/0/0
!
!
!
crypto isakmp policy 100
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key xxx address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set esp/des/md5 esp-des esp-md5-hmac
!
crypto map bistro 10 ipsec-isakmp
set peer xxx.homeip.net dynamic
set transform-set esp/des/md5
match address bistro
!
!
!
!
!
!
interface Tunnel0
description IPse VPN Tunnel Bistro
no ip address
ip mtu 1440
tunnel source FastEthernet0/1
tunnel destination 192.168.0.1
crypto map xxx
!
!
interface FastEthernet0/0
description ### ext. Modem - Fritzbox ###
no ip address
duplex auto
speed auto
pppoe enable group 1
pppoe-client dial-pool-number 1
no cdp enable
!
!
interface FastEthernet0/1
description ### inside LAN ###$FW_INSIDE$
ip address 192.168.179.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Dialer0
no ip address
!
!
interface Dialer1
description ### Dialer DSL ###$FW_OUTSIDE$
bandwidth 16000
ip ddns update hostname xxx.homeip.net
ip ddns update xxx
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
keepalive 20
ppp authentication pap callin
ppp pap sent-username xxx password 0 xxx
ppp ipcp dns request
no cdp enable
crypto map bistro
!
!
no ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
ip dns view default
dns forwarding source-interface FastEthernet0/1
ip dns server
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 3600
ip nat inside source static tcp 192.168.179.20 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.179.20 62222 interface Dialer1 62222
ip nat inside source static udp 192.168.179.20 62222 interface Dialer1 62222
ip nat inside source list 123 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended xxx
permit gre host 192.168.179.1 host 192.168.0.1
permit ip any 192.168.0.0 0.0.0.3
!
access-list 1 permit 192.168.179.20
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 123 permit ip 192.168.179.0 0.0.0.255 any
access-list 123 deny ip any any
access-list 123 deny ip 192.168.179.0 0.0.0.255 192.168.0.0 0.0.0.3
disable-eadi
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 60 0
password xxx
logging synchronous
login
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 60 0
privilege level 15
password xxx
logging synchronous
login local
transport input telnet ssh
line vty 5 15
access-class 1 in
login
!
scheduler allocate 20000 1000
ntp server 213.165.70.72
end


Hm, just noticed something: since that ACL does not work correctly, it could be that it does not know the return route at all
(identity) local= 87.142.31.79, remote= 87.142.47.43,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.0.0/255.255.255.252/0/0 (type=4)
from the debug: local_proxy should be my local net.

But as written above, if I enter my real network instead of "any", it does not even bring up the tunnel!!!!!!
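Two things are visible in the output posted above once the forum's emoticon mangling of the `ISAKMP:(0)` prefix is read past. The debug was taken on the router whose WAN address is 87.142.47.43 (the `local=` in the identity lines); it sends phase 1 to 87.142.48.137 and retransmits three times without ever logging a received packet, so this is not a phase 2 failure but a phase 1 that is never answered. Meanwhile the `show crypto isakmp sa` from the other router lists that router's own address as 87.142.31.79, not 87.142.48.137. The script below is an added example, not from the thread; it parses both outputs (excerpts copied from the post and embedded here) and cross-checks them. Whether 87.142.48.137 was a stale DynDNS answer for the peer is not something the page settles, so the script only reports that the two addresses differ and leaves the conclusion to the reader.

```python
"""Cross-check an IOS ISAKMP debug against the peer's SA table (added example)."""
import ipaddress
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
SA_ROW = re.compile(rf"^{IPV4}\s+{IPV4}\s+(\S+)\s+(\d+)\s+(\S+)")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
RECV = re.compile(rf"received packet from {IPV4}")
IDENT = re.compile(rf"local= {IPV4}, remote= {IPV4}")
PROXY = re.compile(rf"(local|remote)_proxy= {IPV4}/{IPV4}/")
TRANSFORM = re.compile(r"transform= (.+?) \(")
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as (dst, src, state, conn_id, status) tuples."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def triage_debug(text):
    """Pull the facts that matter out of an initiator-side ISAKMP/IPsec debug."""
    info = {"local": None, "remote": None, "max_attempt": 0, "replies": 0,
            "proxies": {}, "transform": None}
    for line in text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            info["max_attempt"] = max(info["max_attempt"], int(m.group(1)))
        if RECV.search(line):
            info["replies"] += 1
        m = IDENT.search(line)
        if m:
            info["local"], info["remote"] = m.group(1), m.group(2)
        m = PROXY.search(line)
        if m:  # proxies are printed as address/netmask; normalise to prefix form
            net = ipaddress.ip_network((m.group(2), m.group(3)), strict=False)
            info["proxies"][m.group(1)] = str(net)
        m = TRANSFORM.search(line)
        if m:
            info["transform"] = m.group(1)
    return info


def findings(peer_sa_rows, info):
    """Cross-check router B's debug (info) against router A's ISAKMP SA table."""
    out = []
    if info["max_attempt"] and not info["replies"]:
        out.append(("PHASE1_NO_REPLY",
                    f"{info['max_attempt']} retransmits to {info['remote']} without any received packet"))
    a_addresses = {src for dst, src, *_ in peer_sa_rows}   # 'src' is router A's own address
    if info["remote"] and a_addresses and info["remote"] not in a_addresses:
        out.append(("PEER_ADDRESS_MISMATCH",
                    f"B negotiates with {info['remote']}, A reports itself as {sorted(a_addresses)}"))
    for side, net in info["proxies"].items():
        if net == "0.0.0.0/0":
            out.append(("WILDCARD_PROXY", f"{side}_proxy is any; the peer's crypto ACL must mirror it"))
    if info["transform"] and WEAK & set(info["transform"].split()):
        out.append(("WEAK_TRANSFORM", f"{info['transform']}: DES/3DES/MD5 should not be used for new tunnels"))
    return out


# Excerpts copied from the outputs posted in this thread (router A's SA table, router B's debug)
SA_EXCERPT = """\
IPv4 Crypto ISAKMP SA
dst src state conn-id status
87.142.47.43 87.142.31.79 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
"""
DEBUG_EXCERPT = """\
008160: Sep 17 16:41:15.206: ISAKMP:(0): sending packet to 87.142.48.137 my_port 500 peer_port 500 (I) MM_NO_STATE
008163: Sep 17 16:41:25.205: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
008168: Sep 17 16:41:35.205: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
008172: Sep 17 16:41:45.200: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 87.142.47.43, remote= 87.142.48.137,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.179.0/255.255.255.0/0/0 (type=4)
008174: Sep 17 16:41:45.204: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
008178: Sep 17 16:41:45.212: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 87.142.47.43, remote= 87.142.48.137,
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
"""

if __name__ == "__main__":
    for code, detail in findings(parse_isakmp_sa(SA_EXCERPT), triage_debug(DEBUG_EXCERPT)):
        print(f"{code}: {detail}")
```

With two dynamic peers, `set peer <name> dynamic` resolves the name when the router needs it, so a peer that moved to a new address before its DynDNS record was refreshed looks exactly like this: phase 1 packets leave for an address nobody answers on. `show crypto isakmp sa` on both sides, side by side, is the cheapest way to see it.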
aqui, 18.09.2010 at 12:55:29
You keep posting only one router :(
What are the local IP networks of the two routers, or rather the local IP addresses of the LAN interfaces on the routers??
Kacer99, 18.09.2010 at 13:32:52
Here is the conf of the remote side to the one above.

The local networks here are 192.168.178.0/24, 192.168.100.0/24, 192.168.101.0/24, 192.168.102.0/24 and 192.168.0.0/30.
For the router above the local network is 192.168.179.0/24.

For now I have only tried leaving 192.168.0.0/30 in the conf, just to get the tunnel running at all.


Router#sh conf
Using 5028 out of 196600 bytes
!
! Last configuration change at 19:15:55 UTC Fri Sep 17 2010 by admin
! NVRAM config last updated at 19:15:56 UTC Fri Sep 17 2010 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service linenumber
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 102400
!
no aaa new-model
!
!
!
dot11 syslog
no ip source-route
!
!
!
!
ip cef
ip domain name xxx.local
ip ddns update method xxx
HTTP
add http://xxx:xxx@members.dyndns.org/nic/update?system=dyndns&hostname ...;
interval maximum 0 5 0 0
interval minimum 0 0 5 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-126358352
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-126358352
revocation-check none
rsakeypair TP-self-signed-126358352
!
!
crypto pki certificate chain TP-self-signed-126358352
certificate self-signed 01 nvram:IOS-Self-Sig#4.cer
!
!
license udi pid CISCO1841 sn FCZ104712RJ
archive
log config
hidekeys
username admin privilege 15 password 0 evolution99
!
redundancy
!
!
!
!
crypto isakmp policy 100
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key xxx address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set esp/des/md5 esp-des esp-md5-hmac
!
!
!
crypto map xxx 10 ipsec-isakmp
set peer xxx.homeip.net dynamic
set transform-set esp/des/md5
match address xxx
!
!
!
!
!
!
!
interface Tunnel0
description IPse VPN Tunnel Home
no ip address
ip mtu 1440
tunnel source FastEthernet0/1
tunnel destination 192.168.179.1
crypto map xxx
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
!
interface FastEthernet0/0.7
description ### ext. Modem VDSL ###
encapsulation dot1Q 7
pppoe enable group 1
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
description ### inside LAN ###
ip address 192.168.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
!
interface Dialer1
description ### Dialer DSL ###
bandwidth 25000
ip ddns update hostname xxx.homeip.net
ip ddns update xxx
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
keepalive 20
ppp authentication pap callin
ppp pap sent-username xxx password 0 xxx
ppp ipcp dns request
no cdp enable
crypto map xxx
!
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
ip dns view default
dns forwarding source-interface FastEthernet0/1
ip dns server
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 3600
ip nat inside source static tcp 192.168.100.101 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.100.101 443 interface Dialer1 443
ip nat inside source static tcp 192.168.100.110 80 interface Dialer1 80
ip nat inside source static tcp 192.168.100.101 110 interface Dialer1 110
ip nat inside source static tcp 192.168.100.101 143 interface Dialer1 143
ip nat inside source static tcp 192.168.100.110 25 interface Dialer1 25
ip nat inside source static tcp 192.168.100.50 80 interface Dialer1 81
ip nat inside source static tcp 192.168.100.51 80 interface Dialer1 82
ip nat inside source list 123 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.100.0 255.255.255.0 192.168.0.2
ip route 192.168.101.0 255.255.255.0 192.168.0.2
ip route 192.168.102.0 255.255.255.0 192.168.0.2
ip route 192.168.178.0 255.255.255.0 192.168.0.2
!
ip access-list extended xxx
permit gre host 192.168.0.1 host 192.168.179.1
permit ip any 192.168.179.0 0.0.0.255
!
access-list 1 permit 192.168.179.20
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 123 permit ip 192.168.100.0 0.0.0.255 any
access-list 123 permit ip 192.168.101.0 0.0.0.255 any
access-list 123 permit ip 192.168.102.0 0.0.0.255 any
access-list 123 permit ip 192.168.0.0 0.0.0.3 any
access-list 123 permit ip 192.168.178.0 0.0.0.255 any
access-list 123 deny ip any any
access-list 123 deny ip 192.168.0.0 0.0.0.3 192.168.179.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 60 0
password xxx
logging synchronous
login
line aux 0
line vty 0 4
access-class 1 in
privilege level 15
password xxx
logging synchronous
login local
transport input telnet ssh
line vty 5 15
access-class 1 in
login
!
scheduler allocate 20000 1000
ntp server 213.165.70.72
end
Kacer99, 20.09.2010 at 16:18:10
SOLVED,

Here is a running-config for an IPsec-GRE tunnel with two dynamic IPs on a C1841 router.


SITE A
DSL, dynamic IP
local network: 192.168.179.0/24

SITE B
VDSL, dynamic IP
local networks: 192.168.0.0/30; 192.168.178.0/24


Here is the conf of SITE A


Building configuration...


Current configuration : 6328 bytes
!
! Last configuration change at 16:04:28 CEST Mon Sep 20 2010 by admin
! NVRAM config last updated at 16:06:34 CEST Mon Sep 20 2010 by admin
!
version 15.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service linenumber
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot system flash:c1841-advipservicesk9-mz.150-1.M.bin
boot-end-marker
!
logging buffered 102400
!
no aaa new-model
!
!
!
memory-size iomem 15
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
ip source-route
!
!
!
!
no ip cef
ip domain name xxx.local
ip name-server 217.0.43.161
ip name-server 217.0.43.177
ip ddns update method rademske
HTTP
add http://xyzusername:passwort@members.dyndns.org/nic/update?system=dyndns ...;
interval minimum 0 1 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-126358352
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-126358352
revocation-check none
rsakeypair TP-self-signed-126358352
!
!
crypto pki certificate chain TP-self-signed-126358352
certificate self-signed 01
xxx
quit
!
!
license udi pid CISCO1841 sn FCZ102711MK
archive
log config
hidekeys
username admin privilege 15 password 0 xxx
!
redundancy
!
!
controller E1 0/0/0
!
!
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key xxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to 192.168.0.1
set peer xxx.dyndns.org dynamic
set transform-set ESP-DES-SHA1
match address 101
reverse-route
!
!
!
!
!
interface Loopback1
ip address 10.5.5.5 255.255.255.255
!
!
!
interface Tunnel1
ip address 192.168.0.5 255.255.255.252
ip mtu 1420
keepalive 10 3
tunnel source Loopback1
tunnel destination 10.5.5.6
tunnel path-mtu-discovery
crypto map SDM_CMAP_2
!
!
interface FastEthernet0/0
description ### ext. Modem - Fritzbox ###
no ip address
duplex auto
speed auto
pppoe enable group 1
pppoe-client dial-pool-number 1
no cdp enable
!
!
interface FastEthernet0/1
description ### inside LAN ###$FW_INSIDE$
ip address 192.168.179.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Dialer0
no ip address
shutdown
!
!
interface Dialer1
description ### Dialer DSL ###$FW_OUTSIDE$
bandwidth 16000
ip ddns update hostname xxx.dyndns.org
ip ddns update xxx
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
keepalive 20
ppp authentication pap callin
ppp pap sent-username xxx password 0 xxx
ppp ipcp dns request
no cdp enable
crypto map SDM_CMAP_2
!
!
no ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
ip dns view default
dns forwarding source-interface FastEthernet0/1
ip dns server
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 3600
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.252 Tunnel1
ip route 192.168.178.0 255.255.255.0 Tunnel1
!
access-list 1 permit 192.168.179.20
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 permit gre host 10.5.5.5 host 10.5.5.6
access-list 123 remark CCP_ACL Category=16
access-list 123 permit ip 192.168.179.0 0.0.0.255 any
access-list 123 deny ip any any
disable-eadi
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 123
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 60 0
password xxx
logging synchronous
login
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 60 0
privilege level 15
password xxx
logging synchronous
login local
transport input telnet ssh
line vty 5 15
access-class 1 in
login
!
scheduler allocate 20000 1000
ntp server 213.165.70.72
end

__________________________________________________________________


SITE B


Building configuration...

Current configuration : 6302 bytes

!
! Last configuration change at 14:06:26 UTC Mon Sep 20 2010 by admin
! NVRAM config last updated at 14:05:21 UTC Mon Sep 20 2010 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service linenumber
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 102400
!
no aaa new-model
!
!
!
dot11 syslog
ip source-route
!
!
!
!
no ip cef
ip domain name xxx.local
ip ddns update method xxx
HTTP
add http://xxx:xxx@members.dyndns.org/nic/update?system=dyndns&hostname ...;
interval maximum 0 5 0 0
interval minimum 0 0 5 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-126358352
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-126358352
revocation-check none
rsakeypair TP-self-signed-126358352
!
!
crypto pki certificate chain TP-self-signed-126358352
certificate self-signed 01
xxx
quit
!
!
license udi pid CISCO1841 sn FCZ104712RJ
archive
log config
hidekeys
username admin privilege 15 password 0 xxx
!
redundancy
!
!
!
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key xxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel xxx
set peer xxx.dyndns.org dynamic
set transform-set ESP-DES-SHA1
match address 101
reverse-route
!
!
!
!
!
interface Loopback1
ip address 10.5.5.6 255.255.255.255
!
!
interface Tunnel1
ip address 192.168.0.6 255.255.255.252
ip mtu 1420
tunnel source Loopback1
tunnel destination 10.5.5.5
tunnel path-mtu-discovery
crypto map SDM_CMAP_2
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
!
interface FastEthernet0/0.7
description ### ext. Modem VDSL ###
encapsulation dot1Q 7
pppoe enable group 1
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
description ### inside LAN ###
ip address 192.168.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
!
interface Dialer1
description ### Dialer DSL ###
bandwidth 25000
ip ddns update hostname xxx.dyndns.org
ip ddns update xxx
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
keepalive 20
ppp authentication pap callin
ppp pap sent-username xxx password 0 xxx
ppp ipcp dns request
no cdp enable
crypto map SDM_CMAP_2
!
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
ip dns view default
dns forwarding source-interface FastEthernet0/1
ip dns server
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 3600
ip nat inside source list 123 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.178.0 255.255.255.0 192.168.0.2
ip route 192.168.179.0 255.255.255.0 Tunnel1
!
access-list 1 permit 192.168.179.20
access-list 101 remark CCP_ACL Category=4
access-list 101 permit gre host 10.5.5.6 host 10.5.5.5
access-list 123 permit ip 192.168.0.0 0.0.0.3 any
access-list 123 permit ip 192.168.178.0 0.0.0.255 any
access-list 123 deny ip any any
access-list 123 deny ip 192.168.0.0 0.0.0.3 192.168.179.0 0.0.0.255
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 123
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 60 0
password xxx
logging synchronous
login
line aux 0
line vty 0 4
access-class 1 in
privilege level 15
password xxx
logging synchronous
login local
transport input telnet ssh
line vty 5 15
access-class 1 in
login
!
scheduler allocate 20000 1000
ntp server 213.165.70.72
end
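Added example, not from the thread or from Cisco: a small Python check that parses IOS extended access-list lines and reports every entry that an earlier entry of the same list already fully covers (so the router can never match it). It runs over Site B's access-list 123 from the configuration above, copied in as constructed input; the helper names and the regex are assumptions of this example.

```python
import ipaddress
import re

# Constructed input: Site B's NAT access-list 123 exactly as posted above.
SITE_B_ACL_123 = """
access-list 123 permit ip 192.168.0.0 0.0.0.3 any
access-list 123 permit ip 192.168.178.0 0.0.0.255 any
access-list 123 deny ip any any
access-list 123 deny ip 192.168.0.0 0.0.0.3 192.168.179.0 0.0.0.255
"""

# Extended ACE: access-list <n> permit|deny <proto> <src spec> <dst spec> [...]
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

def _parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)  # IOS wildcard = inverted mask
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_acl(text):
    """Return [(acl, action, proto, src_net, dst_net, line)] for each extended ACE."""
    entries = []
    for raw in text.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # remarks and unrelated lines are skipped
        acl, action, proto, rest = m.groups()
        tokens = rest.split()
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        entries.append((acl, action, proto, src, dst, raw.strip()))
    return entries

def shadowed_entries(entries):
    """Return (line, earlier_line) for every ACE fully covered by an earlier ACE."""
    found = []
    for i, (acl, _, proto, src, dst, line) in enumerate(entries):
        for p_acl, _, p_proto, p_src, p_dst, p_line in entries[:i]:
            if (p_acl == acl and p_proto in (proto, "ip")
                    and src.subnet_of(p_src) and dst.subnet_of(p_dst)):
                found.append((line, p_line))
                break  # the first covering entry is the one the router acts on
    return found
```

Run over the list above it reports the final deny as unreachable, because the very first permit already matches everything that entry describes; the same check applied to a crypto or NAT ACL before the router is reloaded catches ordering mistakes that otherwise only show up as missing or mistranslated traffic.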