
IPsec between Cisco 7301 and Cisco 1841



Hi,

 

I am currently trying to set up a perfectly ordinary IPsec tunnel between a 7301 and a 1841. Maybe someone could take a look at it.

 

7301 - Loopback1: 10.5.5.5

crypto isakmp policy 1
group 2
encryption 3des
authentication pre-share
crypto isakmp key cisco1841 address 10.1.1.1 
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac 
!
crypto map cm_L1 17 ipsec-isakmp 
set peer 10.1.1.1
set transform-set ts_cisco_170 
match address 170
!
interface Loopback1
crypto map cm_L1
!
access-list 170 permit ip any 192.168.1.0 0.0.0.255

 

1841 - LAN: 192.168.1.0

crypto isakmp policy 1
group 2
encryption 3des
authentication pre-share
crypto isakmp key cisco1841 address 10.5.5.5 
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
!
crypto map cm_D1 17 ipsec-isakmp 
set peer 10.5.5.5
set transform-set ts_cisco_170
match address 170
!
interface Dialer1
crypto map cm_D1
!
access-list 170 permit ip 192.168.1.0 0.0.0.255 any

 

Before the crypto map is bound to the respective interfaces, all addresses are reachable from everywhere.

Here are the debugs as well:

 

Debug: 1841

*Jan 12 08:27:33: IPSEC(sa_request): ,
 (key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.5.5.5, 
   local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
   remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
   protocol= ESP, transform= NONE  (Tunnel), 
   lifedur= 3600s and 4608000kb, 
   spi= 0xF3F67FC4(4093018052), conn_id= 0, keysize= 0, flags= 0x0
*Jan 12 08:27:33: ISAKMP:(0): SA request profile is (NULL)
*Jan 12 08:27:33: ISAKMP: Created a peer struct for 10.5.5.5, peer port 500
*Jan 12 08:27:33: ISAKMP: New peer created peer = 0x652CE590 peer_handle = 0x80000013
*Jan 12 08:27:33: ISAKMP: Locking peer struct 0x652CE590, refcount 1 for isakmp_initiator
*Jan 12 08:27:33: ISAKMP: local port 500, remote port 500
*Jan 12 08:27:33: ISAKMP: set new node 0 to QM_IDLE      
*Jan 12 08:27:33: insert sa successfully sa = 652CF07C
*Jan 12 08:27:33: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan 12 08:27:33: ISAKMP:(0):found peer pre-shared key matching 10.5.5.5
*Jan 12 08:27:33: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan 12 08:27:33: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan 12 08:27:33: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan 12 08:27:33: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 12 08:27:33: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

*Jan 12 08:27:33: ISAKMP:(0): beginning Main Mode exchange
*Jan 12 08:27:33: ISAKMP:(0): sending packet to 10.5.5.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 12 08:27:33: ISAKMP (0:0): received packet from 10.5.5.5 dport 500 sport 500 Global (I) MM_NO_STATE
*Jan 12 08:27:33: ISAKMP:(0):Notify has no hash. Rejected.
*Jan 12 08:27:33: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Jan 12 08:27:33: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jan 12 08:27:33: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1 


*Jan 12 08:27:33: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.5.5.5
*Jan 12 08:28:03: IPSEC(key_engine): request timer fired: count = 1,
 (identity) local= 10.1.1.1, remote= 10.5.5.5, 
   local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
   remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Jan 12 08:28:03: IPSEC(sa_request): ,
 (key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.5.5.5, 
   local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
   remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
   protocol= ESP, transform= NONE  (Tunnel), 
   lifedur= 3600s and 4608000kb, 
   spi= 0x2AAA75D1(715814353), conn_id= 0, keysize= 0, flags= 0x0
*Jan 12 08:28:03: ISAKMP: set new node 0 to QM_IDLE      
*Jan 12 08:28:03: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.1.1.1, remote 10.5.5.5)
*Jan 12 08:28:03: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 12 08:28:03: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 12 08:28:33: IPSEC(key_engine): request timer fired: count = 2,
 (identity) local= 10.1.1.1, remote= 10.5.5.5, 
   local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
   remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

Debug: 7301

Jan 12 07:25:25.354: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 vpngreen (N) NEW SA
Jan 12 07:25:25.354: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
Jan 12 07:25:25.354: ISAKMP: New peer created peer = 0x66DA103C peer_handle = 0x80000015
Jan 12 07:25:25.354: ISAKMP: Locking peer struct 0x66DA103C, refcount 1 for crypto_isakmp_process_block
Jan 12 07:25:25.354: ISAKMP: local port 500, remote port 500
Jan 12 07:25:25.354: insert sa successfully sa = 66DAC3BC
Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 

Jan 12 07:25:25.354: ISAKMP:(0): processing SA payload. message ID = 0
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Jan 12 07:25:25.354: ISAKMP (0:0): vendor ID is NAT-T v7
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v3
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v2
Jan 12 07:25:25.354: ISAKMP:(0):No pre-shared key with 10.1.1.1!
Jan 12 07:25:25.354: ISAKMP : Scanning profiles for xauth ...
Jan 12 07:25:25.354: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Jan 12 07:25:25.354: ISAKMP:      encryption 3DES-CBC
Jan 12 07:25:25.354: ISAKMP:      hash SHA
Jan 12 07:25:25.354: ISAKMP:      default group 2
Jan 12 07:25:25.354: ISAKMP:      auth pre-share
Jan 12 07:25:25.354: ISAKMP:      life type in seconds
Jan 12 07:25:25.354: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
Jan 12 07:25:25.354: ISAKMP:(0):Preshared authentication offered but does not match policy!
Jan 12 07:25:25.354: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 12 07:25:25.354: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jan 12 07:25:25.354: ISAKMP:      encryption 3DES-CBC
Jan 12 07:25:25.354: ISAKMP:      hash SHA
Jan 12 07:25:25.354: ISAKMP:      default group 2
Jan 12 07:25:25.354: ISAKMP:      auth pre-share
Jan 12 07:25:25.354: ISAKMP:      life type in seconds
Jan 12 07:25:25.354: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
Jan 12 07:25:25.354: ISAKMP:(0):Encryption algorithm offered does not match policy!

Jan 12 07:25:25.354: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 12 07:25:25.354: ISAKMP:(0):no offers accepted!
Jan 12 07:25:25.354: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.5.5.5 remote 10.1.1.1)
Jan 12 07:25:25.354: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jan 12 07:25:25.354: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) MM_NO_STATE
Jan 12 07:25:25.354: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jan 12 07:25:25.354: ISAKMP:(0):peer does not do paranoid keepalives.

Jan 12 07:25:25.354: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.1.1.1)
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Jan 12 07:25:25.354: ISAKMP (0:0): vendor ID is NAT-T v7
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v3
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v2
Jan 12 07:25:25.354: ISAKMP (0:0): FSM action returned error: 2
Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

Jan 12 07:25:25.354: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.1.1.1) 
Jan 12 07:25:25.354: ISAKMP: Unlocking peer struct 0x66DA103C for isadb_mark_sa_deleted(), count 0
Jan 12 07:25:25.354: ISAKMP: Deleting peer node by peer_reap for 10.1.1.1: 66DA103C
Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA 

Jan 12 07:25:25.354: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jan 12 07:25:25.354: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 10.1.1.1) 
Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA 

Jan 12 07:26:25.354: ISAKMP:(0):purging SA., sa=66DAC3BC, delme=66DAC3BC
Jan 12 07:34:48.579: No peer struct to get peer description


The only output is:

c1841-eth#sh debugging 
Cryptographic Subsystem:
 Crypto ISAKMP Error debugging is on
 Crypto Engine Error debugging is on
 Crypto IPSEC Error debugging is on

*Jan 12 09:49:20: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
       (ip) vrf/dest_addr= /192.168.1.1, src_addr= 10.5.5.5, prot= 1

 

 

Could this be due to our ACL on the 7301?

access-list 170 permit ip any 192.168.1.0 0.0.0.255


I do have a suspicion that the 7301 is not pushing the packets into the tunnel and therefore is not encrypting them either... (but what does a layman know^^)

 

We already had a partially working configuration once, with a dynamic crypto map... could that possibly be a clue as well?

With that configuration the crypto sessions were at least up-active; ping did not work because we had configured a great deal of, let's say, "junk" there, and as a result the routing or the ACLs probably no longer took effect.

 

In the current config I find this

ISAKMP:(0):Notify has no hash. Rejected.

<<<<< 1841

very worrying. As far as I understand it, both devices should actually have the information.

Phew, it is a bit more extensive... it will take a while to clean it up, I'll get on it right away.

Config 7301

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service compress-config
!
hostname stan-cisco-cl-lab-90739504
!
boot-start-marker
boot system flash c7301-advipservicesk9-mz.124-11.T4.bin
boot-end-marker
!
logging buffered 4096
no logging rate-limit
enable secret 5 $1$rp31$1IBDSgPtGT45YGSq.tnzW0
!
aaa new-model
!
!
aaa group server radius auth_server
server 80.228.16.100 auth-port 1812 acct-port 1813
server 80.228.16.21 auth-port 1812 acct-port 1813
!
aaa group server radius auth_admin
server 80.228.120.23 auth-port 1812 acct-port 1813
server 80.228.120.24 auth-port 1812 acct-port 1813
!
aaa group server radius acc_server
server 212.6.123.100 auth-port 1812 acct-port 1813
!
aaa authentication login default group auth_admin
aaa authentication login console local
aaa authentication login ssh local group auth_admin
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication ppp default group auth_server
aaa authorization network default group radius 
aaa authorization network vpdn group radius 
aaa authorization network sdm_vpn_group_ml_1 local 
aaa accounting delay-start 
aaa accounting delay-start all
aaa accounting update periodic 60
aaa accounting network default start-stop group acc_server
aaa accounting system default start-stop group acc_server
!
aaa server radius dynamic-author
client 212.6.120.4
client 212.6.120.1
server-key 7 0470020504
auth-type any
ignore session-key
ignore server-key
!
aaa pod server clients 212.6.120.1 212.6.120.4 server-key Kick
aaa session-id common
clock timezone MET 1
clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
!
!
!         
ip vrf vpngreen
rd 100:159
!
ip vrf vpnred
rd 100:158
!
no ip domain lookup
ip domain name XXXXXXXXXXXXXX <--anonymized by marka at the user's request
ip name-server 212.6.108.140
ip name-server 212.6.108.141
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
multilink virtual-template 1
multilink bundle-name authenticated
vpdn enable
vpdn logging
vpdn logging local
vpdn logging user
vpdn logging tunnel-drop
vpdn history failure table-size 30
vpdn session-limit 2000
vpdn search-order domain  
!
vpdn-group l2tp
! Default L2TP VPDN group
accept-dialin
 protocol l2tp
 virtual-template 1
source-ip 85.16.116.253
lcp renegotiation always
no l2tp tunnel authentication
l2tp tunnel password 7 
l2tp tunnel receive-window 1024
ip mtu adjust
!
vpdn-group pptp
! Default PPTP VPDN group
accept-dialin
 protocol pptp
 virtual-template 2
source-ip 85.16.116.254
local name pptp
lcp renegotiation always
l2tp tunnel password 7 
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
 hidekeys
!
!
controller ISA 1/1
!
!
! 
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 500
crypto isakmp key cisco1841 address 10.1.1.1
crypto isakmp key cisco878 address 10.1.1.4
!
!
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac 
crypto ipsec transform-set ts_cisco_180 esp-des esp-md5-hmac 
!
!
!
!
!
!
!
crypto map cm_L1 17 ipsec-isakmp 
set peer 10.1.1.1
set transform-set ts_cisco_170 
match address 170
crypto map cm_L1 18 ipsec-isakmp 
set peer 10.1.1.4
set transform-set ts_cisco_180 
match address 180

!
!
!
!
!
!
interface Loopback0
ip address 10.6.6.6 255.255.255.255
!
interface Loopback1
ip vrf forwarding vpngreen
ip address 10.5.5.5 255.255.255.255
crypto map cm_L1
!
interface Loopback2
ip vrf forwarding vpnred
ip address 10.7.7.7 255.255.255.255
!
interface Loopback148
no ip address
!
interface Port-channel1
no ip address
hold-queue 150 in
!
interface Port-channel1.158
description VPNRED
encapsulation dot1Q 158
ip vrf forwarding vpnred
ip address 10.0.0.2 255.255.255.0
standby version 2
standby 158 ip 10.0.0.1
standby 158 follow access
standby 158 priority 101
!
interface Port-channel1.159
description VPNGREEN
encapsulation dot1Q 159
ip vrf forwarding vpngreen
ip address 10.0.0.2 255.255.255.0
standby version 2
standby 159 ip 10.0.0.1
standby 159 follow access
standby 159 priority 101
!
interface Port-channel1.160
encapsulation dot1Q 160
ip address 85.16.116.253 255.255.255.248
standby delay minimum 30 reload 60
standby version 2
standby 1 ip 85.16.116.254
standby 1 priority 101
standby 1 name access
standby 1 track Port-channel1.159 100
standby 1 track Port-channel1.158 100
!
interface GigabitEthernet0/0
description gig0/0, QinQ-Trunk VL450, vtsw302-1-gi10/37
no ip address
duplex full
speed 1000
media-type rj45
no negotiation auto
channel-group 1
standby version 2
!
interface GigabitEthernet0/1
description gig0/1, QinQ-Trunk VL450, vtsw302-1-gi10/38
no ip address
duplex full
speed 1000
media-type rj45
no negotiation auto
channel-group 1
standby version 2
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface Virtual-Template1 
ip unnumbered Loopback0
ip tcp adjust-mss 1400
peer default ip address pool addresspool
ppp authentication pap
ppp authorization vpdn
ppp multilink
ppp multilink fragment disable
!
interface Virtual-Template2 
ip unnumbered Loopback0
ip tcp adjust-mss 1400
peer default ip address pool addresspool
ppp authentication chap
ppp authorization vpdn
!
interface Dialer1
no ip address
!
ip local pool vpnred 192.168.10.1 192.168.10.254 group vpnred
ip local pool vpngreen-admin 192.168.10.1 192.168.10.127 group vpngreen
ip local pool vpngreen-user 192.168.10.128 192.168.10.191 group vpngreen
ip local pool vpngreen-extern 192.168.10.192 192.168.10.254 group vpngreen
ip route 0.0.0.0 0.0.0.0 85.16.116.249
ip route vrf vpngreen 192.168.1.0 255.255.255.0 10.1.1.1
ip route vrf vpngreen 192.168.100.0 255.255.255.0 10.1.1.4
ip route vrf vpnred 0.0.0.0 0.0.0.0 10.0.0.10
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
logging trap warnings
logging facility local6
logging source-interface Port-channel1.160
logging 80.228.31.129
access-list 170 permit ip any 192.168.1.0 0.0.0.255
access-list 180 permit ip any 192.168.100.0 0.0.0.255
!
!
!
!
!
radius-server attribute 44 include-in-access-req
no radius-server attribute 77 include-in-access-req
radius-server attribute 32 include-in-access-req format XXX <--anonymized
radius-server attribute 32 include-in-accounting-req format XXX <--anonymized
no radius-server attribute nas-port
radius-server host 80.228.120.23 auth-port 1812 acct-port 1813 key 7 XXX
radius-server host 80.228.120.24 auth-port 1812 acct-port 1813 key 7 XXX
radius-server host 212.6.123.100 auth-port 1812 acct-port 1813 non-standard key 7 XXX
radius-server host 212.6.120.1 auth-port 1812 acct-port 1813 non-standard key 7 XXX
radius-server host 212.6.120.4 auth-port 1812 acct-port 1813 non-standard key 7 XXX
radius-server host 85.16.255.39 auth-port 1812 acct-port 1813 key 7 XXX
radius-server host 80.228.16.21 auth-port 1812 acct-port 1813 key 7 XXX
radius-server host 80.228.16.100 auth-port 1812 acct-port 1813 key 7 XXX
radius-server vsa send accounting
radius-server vsa send authentication


!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!         
!
line con 0
password 7 XXX
logging synchronous
login authentication local
transport output all
stopbits 1
line aux 0
transport output all
stopbits 1
line vty 0 4
session-timeout 30 
access-class 10 in
exec-timeout 30 0
privilege level 15
login authentication ssh
transport input ssh
transport output all
!
exception data-corruption buffer truncate
ntp clock-period 17179886
ntp server 212.6.108.160
ntp server 212.6.108.161

!
webvpn cef
!
end

 

Config 1841

version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname c1841-eth
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password 7 121A0C041104
!
no aaa new-model
!
resource policy
!
clock timezone MET 1
clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
!         
!
!
no ip domain lookup
!
!
!
username cisco password 7 070C285F4D06
!
!
controller E1 0/0/0
channel-group 0 timeslots 1-31
description *** Backup ***
! 
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 500
crypto isakmp key cisco1841 address 10.5.5.5
!
!
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac 
!
crypto map cm_D1 17 ipsec-isakmp 
set peer 10.5.5.5
set transform-set ts_cisco_170 
match address 170
!
!
!
!
interface FastEthernet0/0
description --> HAG 10Mbit/s
no ip address
speed 100
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
traffic-shape rate 2048000 102400 102400 1000
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
no keepalive
no cdp enable
!
interface Serial0/0/0:0
description --> Backup 2Mbit/s
mtu 1448
ip address negotiated
encapsulation ppp
ip tcp adjust-mss 1400
traffic-shape rate 1024000 25600 25600 1000
no cdp enable
ppp pap sent-username vpnline-test@fvr password 7 0402133F217668462A
!
interface Dialer1
description 1Mbit/s-Verbindung 
ip address negotiated
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username vpnline-test-eth@fvr-eth password 7 141610085D5679
crypto map cm_D1
!
ip route 0.0.0.0 0.0.0.0 192.168.2.100
ip route 10.1.1.0 255.255.255.0 Dialer1
ip route 192.168.2.0 255.255.255.0 Dialer1
ip route 192.168.3.0 255.255.255.0 Dialer1
!
!
ip http server
no ip http secure-server
!
access-list 170 permit ip 192.168.1.0 0.0.0.255 any
disable-eadi
no cdp run
!
!
!
!
!
!
control-plane
!
!         
!
line con 0
exec-timeout 0 0
login local
line aux 0
line vty 0 4
password 7 05080F1C2243
logging synchronous
login local
transport input all
!
scheduler allocate 20000 1000
ntp clock-period 17178708
ntp server 10.1.1.250
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
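
Added example, not part of the original thread: a small Python check that compares the `crypto isakmp policy` blocks and the crypto ACLs of the two full configs posted above, the way the responder compares them during Main Mode. The default values in `IOS_DEFAULTS` are an assumption about IOS 12.4 (the 7301 debug above does show the 1841 offering `hash SHA` although its policy has no `hash` line); the function names are made up for this example.

```python
import re

# Values IOS 12.4 uses for attributes a policy leaves out (assumed defaults).
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
# These four must be identical on both peers; lifetime follows a
# less-or-equal rule and is not compared here.
MATCH_KEYS = ("encr", "hash", "authentication", "group")
ACL_RE = r"access-list {} permit ip (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)"

# Excerpts of the two full configs posted in the thread.
CFG_7301 = """
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 500
access-list 170 permit ip any 192.168.1.0 0.0.0.255
"""
CFG_1841 = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 500
access-list 170 permit ip 192.168.1.0 0.0.0.255 any
"""

def isakmp_policies(config):
    """Return {priority: attributes} with omitted attributes set to defaults."""
    policies, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            current = policies.setdefault(int(words[3]), dict(IOS_DEFAULTS))
        elif current is not None and len(words) >= 2:
            key = "encr" if words[0] == "encryption" else words[0]
            if key in IOS_DEFAULTS:
                current[key] = words[1]
            else:
                current = None          # any other command closes the block
        else:
            current = None
    return policies

def policy_mismatches(cfg_a, cfg_b):
    """{(prio_a, prio_b): {attribute: (value_a, value_b)}}; empty dict = match."""
    a, b = isakmp_policies(cfg_a), isakmp_policies(cfg_b)
    return {(pa, pb): {k: (va[k], vb[k]) for k in MATCH_KEYS if va[k] != vb[k]}
            for pa, va in a.items() for pb, vb in b.items()}

def crypto_acl(config, number):
    """(source, destination) pairs of 'access-list N permit ip' entries."""
    return re.findall(ACL_RE.format(number), config)

def acls_mirrored(cfg_a, cfg_b, number=170):
    """True when each entry on A exists on B with source and destination swapped."""
    swapped = sorted((dst, src) for src, dst in crypto_acl(cfg_b, number))
    return sorted(crypto_acl(cfg_a, number)) == swapped

if __name__ == "__main__":
    print("policy differences:", policy_mismatches(CFG_1841, CFG_7301))
    print("crypto ACLs mirrored:", acls_mirrored(CFG_7301, CFG_1841))
```

A clean result from this check covers only the static policy and ACL comparison; it says nothing about the pre-shared-key lookup that the 7301 debug also reports ("No pre-shared key with 10.1.1.1!").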
