bookweb, posted 10 December 2008

Hello everyone,

I am trying to set up a site-to-site VPN between two 1841s, but it is not working. Both devices are connected via crossover cable on FE0/0. A notebook is attached to FE0/1 on each. The connection between the devices is up, but no tunnel is established.

Master, Cisco 1841

sh ver
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 22-Feb-06 21:47 by ccai
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Master uptime is 2 hours, 57 minutes
System returned to ROM by reload at 09:44:13 UTC Wed Dec 10 2008
System image file is "flash:c1841-advipservicesk9-mz.124-6.T.bin"
Cisco 1841 (revision 7.0) with 118784K/12288K bytes of memory.
Processor board ID FCZ1136318N
2 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Master
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXX
enable password XXX
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
!
!
username sdm privilege 15 password 0 XXX
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 192.168.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to192.168.1.2
 set peer 192.168.1.2
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
!
interface FastEthernet0/0
 description wan
 ip address 192.168.1.1 255.255.255.0
 speed auto
 full-duplex
 no mop enabled
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description lan-master
 ip address 10.10.12.140 255.0.0.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
!
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password XXX
 login
 transport input all
 transport output all
!
scheduler allocate 20000 1000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

bookweb, posted 10 December 2008

Slave, Cisco 1841:

sh vers
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 22-Feb-06 21:47 by ccai
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Slave uptime is 24 minutes
System returned to ROM by reload at 12:15:32 UTC Wed Dec 10 2008
System image file is "flash:c1841-advipservicesk9-mz.124-6.T.bin"
Cisco 1841 (revision 7.0) with 118784K/12288K bytes of memory.
Processor board ID FCZ1136317T
2 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Slave
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXX
enable password XXX
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
!
!
username sdm privilege 15 password 0 XXX
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 192.168.1.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to192.168.1.2
 set peer 192.168.1.2
 set transform-set ESP-3DES-SHA1
 match address 101
!
!
!
!
interface FastEthernet0/0
 description wan
 ip address 192.168.1.2 255.255.255.0
 speed auto
 full-duplex
 no mop enabled
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description lan-slave
 ip address 172.16.0.1 255.255.0.0
 speed auto
 half-duplex
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password XXX
 login
!
scheduler allocate 20000 1000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

bookweb, posted 10 December 2008

Debugging on Slave

*Dec 10 12:39:24.019: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 192.168.1.2, remote= 192.168.1.2, local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), remote_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4), protocol= ESP, transform= NONE (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x83EB0117(2213216535), conn_id= 0, keysize= 0, flags= 0x0
*Dec 10 12:39:24.023: ISAKMP: local port 500, remote port 500
*Dec 10 12:39:24.023: ISAKMP: set new node 0 to QM_IDLE
*Dec 10 12:39:24.023: insert sa successfully sa = 64289D80
*Dec 10 12:39:24.023: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Dec 10 12:39:24.023: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Dec 10 12:39:24.023: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Dec 10 12:39:24.023: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Dec 10 12:39:24.023: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Dec 10 12:39:24.023: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Dec 10 12:39:24.023: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Dec 10 12:39:24.023: ISAKMP:(0): beginning Main Mode exchange
*Dec 10 12:39:24.023: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 10 12:39:24.023: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Dec 10 12:39:24.027: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 10 12:39:24.027: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Dec 10 12:39:24.027: ISAKMP:(0): processing SA payload. message ID = 0
*Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Dec 10 12:39:24.027: ISAKMP (0:0): vendor ID is NAT-T v7
*Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID is NAT-T v3
*Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID is NAT-T v2
*Dec 10 12:39:24.027: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Dec 10 12:39:24.027: ISAKMP:(0): local preshared key found
*Dec 10 12:39:24.027: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Dec 10 12:39:24.027: ISAKMP: encryption 3DES-CBC
*Dec 10 12:39:24.027: ISAKMP: hash SHA
*Dec 10 12:39:24.027: ISAKMP: default group 2
*Dec 10 12:39:24.027: ISAKMP: auth pre-share
*Dec 10 12:39:24.027: ISAKMP: life type in seconds
*Dec 10 12:39:24.027: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Dec 10 12:39:24.027: ISAKMP:(0):atts are acceptable. Next payload is 0
*Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Dec 10 12:39:24.027: ISAKMP (0:0): vendor ID is NAT-T v7
*Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Dec 10 12:39:24.027: ISAKMP:(0): vendor ID is NAT-T v3
*Dec 10 12:39:24.027: ISAKMP:(0): processing vendor id payload
*Dec 10 12:39:24.031: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Dec 10 12:39:24.031: ISAKMP:(0): vendor ID is NAT-T v2
*Dec 10 12:39:24.031: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 10 12:39:24.031: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Dec 10 12:39:24.031: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Dec 10 12:39:24.031: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 10 12:39:24.031: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

bookweb, posted 10 December 2008

*Dec 10 12:39:24.031: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Dec 10 12:39:24.035: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 10 12:39:24.035: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Dec 10 12:39:24.035: ISAKMP:(0): processing KE payload. message ID = 0
*Dec 10 12:39:24.035: crypto_engine: Create DH shared secret
*Dec 10 12:39:24.035: crypto_engine: Modular Exponentiation
*Dec 10 12:39:24.103: ISAKMP:(0): processing NONCE payload. message ID = 0
*Dec 10 12:39:24.103: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
*Dec 10 12:39:24.103: crypto_engine: Create IKE SA
*Dec 10 12:39:24.103: crypto engine: deleting DH phase 2 SW:8
*Dec 10 12:39:24.103: crypto_engine: Delete DH shared secret
*Dec 10 12:39:24.103: ISAKMP:(1002): processing vendor id payload
*Dec 10 12:39:24.103: ISAKMP:(1002): vendor ID is Unity
*Dec 10 12:39:24.103: ISAKMP:(1002): processing vendor id payload
*Dec 10 12:39:24.103: ISAKMP:(1002): vendor ID is DPD
*Dec 10 12:39:24.103: ISAKMP:(1002): processing vendor id payload
*Dec 10 12:39:24.103: ISAKMP:(1002): speaking to another IOS box!
*Dec 10 12:39:24.103: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 10 12:39:24.103: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Dec 10 12:39:24.107: ISAKMP:(1002):Send initial contact
*Dec 10 12:39:24.107: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Dec 10 12:39:24.107: ISAKMP (0:1002): ID payload next-payload : 8 type : 1 address : 192.168.1.2 protocol : 17 port : 500 length : 12
*Dec 10 12:39:24.107: ISAKMP:(1002):Total payload length: 12
*Dec 10 12:39:24.107: crypto_engine: Generate IKE hash
*Dec 10 12:39:24.107: crypto_engine: Encrypt IKE packet
*Dec 10 12:39:24.107: ISAKMP:(1002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Dec 10 12:39:24.107: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 10 12:39:24.107: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5

bookweb, posted 10 December 2008

*Dec 10 12:39:24.111: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 10 12:39:24.111: crypto_engine: Decrypt IKE packet
*Dec 10 12:39:24.111: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.1.2 failed its sanity check or is malformed
*Dec 10 12:39:24.111: ISAKMP (0:1002): incrementing error counter on sa, attempt 1 of 5: PAYLOAD_MALFORMED
*Dec 10 12:39:24.111: crypto_engine: Encrypt IKE packet
*Dec 10 12:39:24.111: ISAKMP:(1002): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Dec 10 12:39:24.111: ISAKMP (0:1002): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Dec 10 12:39:24.111: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 10 12:39:24.111: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 10 12:39:24.111: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 10 12:39:24.115: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 10 12:39:24.115: ISAKMP (0:1002): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 10 12:39:54.019: IPSEC(key_engine): request timer fired: count = 1, (identity) local= 192.168.1.2, remote= 192.168.1.2, local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), remote_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4)
*Dec 10 12:39:54.019: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 192.168.1.2, remote= 192.168.1.2, local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4), remote_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4), protocol= ESP, transform= NONE (Tunnel), lifedur= 3600s and 4608000kb, spi= 0xAAD7E82F(2866276399), conn_id= 0, keysize= 0, flags= 0x0
*Dec 10 12:39:54.019: ISAKMP: set new node 0 to QM_IDLE
*Dec 10 12:39:54.019: ISAKMP:(1002):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote 192.168.1.2)

Does anyone have a tip?

Thanks,
Christian

PS: Sorry for the many posts, but this 4000-character limit requires it...

Wordo, posted 10 December 2008

Is no VPN configured on the Slave?

bookweb, posted 10 December 2008

I built the config in SDM, where it is displayed correctly. Here it is once more:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Slave
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXX
enable password XXX
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
!
!
username sdm privilege 15 password 0 XXX
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 192.168.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to192.168.1.2
 set peer 192.168.1.2
 set transform-set ESP-3DES-SHA1
 match address 101
!
!
!
!
interface FastEthernet0/0
 description wan
 ip address 192.168.1.2 255.255.255.0
 speed auto
 full-duplex
 no mop enabled
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description lan-slave
 ip address 172.16.0.1 255.255.0.0
 speed auto
 half-duplex
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password XXX
 login
!
scheduler allocate 20000 1000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Wordo, posted 10 December 2008

On the Slave you do not have the Master's IP as the peer.

bookweb, posted 10 December 2008

Even with the correct peer IP nothing changes.

Wordo, posted 10 December 2008

And the IP in the key on the Slave? Ah, and the IP of the key on the Master must also be the Slave's IP ...

bookweb, posted 10 December 2008

I have now changed that as well, without success. I even used the option of having a mirror config generated on the Master and then copied it to the Slave. No success...

Master: key + IP of Slave
Slave: key + IP of Master

Wordo, posted 10 December 2008

Please post just the crypto parts from both, the affected ACL and the affected interface.

bookweb, posted 10 December 2008

Master

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key KEY address 192.168.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address 192.168.1.2 that connects to this router.
 set peer 192.168.1.2
 set transform-set ESP-3DES-SHA1
 match address SDM_1
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 speed auto
 full-duplex
 no mop enabled
 crypto map SDM_CMAP_1
!
!
!
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

Slave

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key KEY address 192.168.1.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address 192.168.1.2 that connects to this router.
 set peer 192.168.1.1
 set transform-set ESP-3DES-SHA
 match address SDM_1
!
!
!
!
interface FastEthernet0/0
 description wan
 ip address 192.168.1.2 255.255.255.0
 speed auto
 full-duplex
 no mop enabled
 crypto map SDM_CMAP_1
!
!
!
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255

Wordo, posted 10 December 2008

In ACL SDM_1 on the Slave, "172.16.0.0 0.0.255.255" must be there instead of "192.168.1.0 0.0.0.255" ...

EDIT: First! ;)

Otaku19, posted 10 December 2008

The SDM_1 rule on the Slave does not look correct to me; 192.188.1.0/24 is already the "link network" between the two routers.

Apart from that, is there also a route on both routers to reach the two "LANs" behind them?
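
Added example, not part of the thread: a Python check for the three mirror conditions the replies walk through (peer address, pre-shared key address, crypto ACL). The two inputs are constructed from the crypto lines of the last configuration post; `acl_entries`, `parse` and `check_pair` are hypothetical helper names, and the code assumes IOS-style indentation and a single `ip address` line per sample.

```python
import re

# Constructed input: the crypto-relevant lines from the thread's last config post.
MASTER = """\
crypto isakmp key KEY address 192.168.1.2
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 192.168.1.2
 match address SDM_1
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
ip access-list extended SDM_1
 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
"""
SLAVE = """\
crypto isakmp key KEY address 192.168.1.1
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 192.168.1.1
 match address SDM_1
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
ip access-list extended SDM_1
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

def acl_entries(cfg, name):
    """Return the (src, src_wc, dst, dst_wc) permit entries of a named or numbered ACL."""
    entries, inside = set(), False
    pat = rf"\s*(?:access-list {re.escape(name)} )?permit ip (\S+) (\S+) (\S+) (\S+)$"
    for line in cfg.splitlines():
        if not line.startswith(" "):  # a top-level line opens or closes the named ACL block
            inside = line.strip() == f"ip access-list extended {name}"
        m = re.match(pat, line)
        if m and (inside or line.startswith("access-list")):
            entries.add(m.groups())
    return entries

def parse(cfg):
    """Pull out the values that have to agree between the two peers."""
    one = lambda pat: (re.search(pat, cfg, re.M) or [None, None])[1]
    return {
        "key_addr": one(r"^crypto isakmp key \S+ address (\S+)"),
        "peer": one(r"^\s*set peer (\S+)"),
        # Assumption: the only "ip address" line belongs to the crypto-map interface.
        "ip": one(r"^\s*ip address (\S+) \S+"),
        "acl": acl_entries(cfg, one(r"^\s*match address (\S+)") or ""),
    }

def check_pair(a_cfg, b_cfg, names=("Master", "Slave")):
    """List every way the two configs fail to mirror each other."""
    a, b = parse(a_cfg), parse(b_cfg)
    out = []
    for n, me, pn, other in ((names[0], a, names[1], b), (names[1], b, names[0], a)):
        if me["peer"] != other["ip"]:
            out.append(f"{n}: set peer {me['peer']} is not {pn}'s address {other['ip']}")
        if me["key_addr"] != other["ip"]:
            out.append(f"{n}: isakmp key bound to {me['key_addr']}, not {other['ip']}")
    if a["acl"] != {(d, dw, s, sw) for (s, sw, d, dw) in b["acl"]}:
        out.append(f"crypto ACLs are not mirror images: {sorted(a['acl'])} vs {sorted(b['acl'])}")
    return out
```

`check_pair(MASTER, SLAVE)` reports only the ACL mismatch on these inputs; swapping in the source range from Wordo's reply clears it.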