mels, posted 21 July 2006

Hi everyone!

I have a Cisco C831 router, IOS version 12.3(11)T3, and have set up a VPN connection. When I now try to connect with the Cisco VPN Client, I get no reaction at all on the router, and the following error message appears in the client log:

```
176 08:13:12.296 07/13/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "85.xxx.xx.xx" because of "DEL_REASON_PEER_NOT_RESPONDING"
```

What can I do or try? I'm grateful for any tip.

Regards,
mels

The complete log follows:

```
Cisco Systems VPN Client Version 4.7.00.0533
Copyright © 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

171 08:12:51.531 07/13/06 Sev=Info/4 CM/0x63100002
Begin connection process

172 08:12:51.546 07/13/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

173 08:12:51.546 07/13/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "80.120.35.26"

174 08:12:51.796 07/13/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

175 08:12:51.796 07/13/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

176 08:13:12.296 07/13/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "85.xxx.xx.xx" because of "DEL_REASON_PEER_NOT_RESPONDING"

177 08:13:12.296 07/13/06 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

178 08:13:12.328 07/13/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

179 08:13:12.328 07/13/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

180 08:13:12.328 07/13/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

181 08:13:12.328 07/13/06 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
```
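The client log in the post above can be split into entries and checked for Phase 1 failures mechanically. The Python below is an added example, not code from the thread; the function names are assumptions of this example, and the embedded sample is copied from the posted log.

```python
import re

# Entries 171, 173, 174 and 176 copied from the client log in the post above.
SAMPLE_LOG = '''171 08:12:51.531 07/13/06 Sev=Info/4 CM/0x63100002
Begin connection process
173 08:12:51.546 07/13/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "80.120.35.26"
174 08:12:51.796 07/13/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
176 08:13:12.296 07/13/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "85.xxx.xx.xx" because of "DEL_REASON_PEER_NOT_RESPONDING"
'''

# Entry header: sequence number, time, date, severity/level, component/message id.
HEADER = re.compile(
    r'(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)\s+'
    r'Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<comp>[A-Za-z]+)/(?P<msgid>0x[0-9A-Fa-f]{8})\s+'
)
PHASE1_FAIL = re.compile(
    r'Unable to establish Phase 1 SA with server "(?P<server>[^"]+)" '
    r'because of "(?P<reason>[^"]+)"'
)

def parse_entries(text):
    """Split a client log into entries; accepts one-line or two-line entry layouts."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entry = m.groupdict()
        entry['text'] = ' '.join(text[m.end():end].split())
        entries.append(entry)
    return entries

def to_seconds(clock):
    h, m, s = clock.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)

def phase1_failures(entries):
    """Return (server, reason, seconds since the attempt began); same-day times assumed."""
    failures, started = [], None
    for e in entries:
        if e['text'].startswith('Attempt connection with server'):
            started = to_seconds(e['time'])
        hit = PHASE1_FAIL.search(e['text'])
        if hit:
            waited = None if started is None else round(to_seconds(e['time']) - started, 3)
            failures.append((hit['server'], hit['reason'], waited))
    return failures
```

Calling `phase1_failures(parse_entries(SAMPLE_LOG))` on the posted entries reports one failure, 20.75 seconds after the connection attempt began.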
Wordo, posted 21 July 2006

Best to post the configuration of the 831. And then you can also debug on it (deb crypto blabla). If the peer doesn't respond, it really can be down to anything.
mels (author), posted 23 July 2006

Hi Wordo! Thanks for your help! Attached is the config, part 1!

```
!This is the running config of the router: 192.168.40.3
!----------------------------------------------------------------------------
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname fw
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
!
clock timezone UTC1 1
clock summer-time UTC1sum recurring last Sun Mar 2:00 last Sun Oct 3:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
ip domain name domain.com
ip name-server xxx.xx.xxx.xx
ip name-server xxx.xx.xx.xx
no ip bootp server
ip inspect name MyFW cuseeme
ip inspect name MyFW ftp
ip inspect name MyFW h323
ip inspect name MyFW netshow
ip inspect name MyFW rcmd
ip inspect name MyFW realaudio
ip inspect name MyFW rtsp
ip inspect name MyFW smtp
ip inspect name MyFW sqlnet
ip inspect name MyFW streamworks
ip inspect name MyFW tftp
ip inspect name MyFW tcp
ip inspect name MyFW udp
ip inspect name MyFW vdolive
ip inspect name MyFW icmp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7800
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn-grp1
 key $vpn
 dns xx.xxx.xxx.xx
 domain win.domain.com
 pool SDM_POOL_1
!
!
crypto ipsec transform-set c-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set c-3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set c-3des-sha
 match address VPN-Land
crypto dynamic-map SDM_DYNMAP_1 2
 set transform-set c-3des-sha
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description VPN-b
 set peer xx.xx.xx.xx
 set transform-set c-3des-sha
 match address VPN-B
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel to V mit
 set peer xx.xx.xxx.xx
 set transform-set c-3des-md5
 set pfs group2
 match address VPN-V
crypto map SDM_CMAP_1 5 ipsec-isakmp
 description VPN-M
 set peer xx.xxx.xx.xx.xx
 set transform-set c-3des-sha
 match address VPN-M
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
```
mels (author), posted 23 July 2006

Part 2

```
interface Null0
 no ip unreachables
!
interface Ethernet0
 description
 ip address 192.168.40.3 255.255.255.0
 ip access-group LAN_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 no cdp enable
!
interface Ethernet1
 description
 ip address xx.xxx.xxx.xx 255.255.255.240
 ip access-group WAN_in in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect MyFW out
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.41.1
ip local pool SDM_POOL_2 192.168.41.2 192.168.41.254
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
ip nat inside source route-map NAT-RMAP interface Ethernet1 overload
ip nat inside source static tcp 192.168.40.2 25 interface Ethernet1 25
!
!
ip access-list extended CFG_vty
 remark SDM_ACL Category=1
 permit ip host xx.xxx.xxx.xx any
 permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended LAN_in
 remark Verbindung LAN Stadt
 remark SDM_ACL Category=1
 deny ip xxx.xxx.xxx.xx 0.0.0.3 any
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit tcp host 192.168.40.2 any
 permit udp host 192.168.40.2 any eq domain
 permit udp host 192.168.40.2 any eq ntp
 permit tcp host 192.168.40.4 any
 permit udp host 192.168.40.4 any eq domain
 permit udp host 192.168.40.4 any eq ntp
 permit tcp host 192.168.40.5 any
 permit udp host 192.168.40.5 any eq domain
 permit udp host 192.168.40.5 any eq ntp
 permit tcp host 192.168.40.108 any
 permit udp host 192.168.40.108 any eq domain
 permit udp host 192.168.40.108 any eq ntp
 permit ip 192.168.40.0 0.0.0.255 host xxx.xxx.xx.xx.xx
 permit ip 192.168.40.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.41.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255
 permit tcp 192.168.40.0 0.0.0.255 host 192.168.40.3 eq telnet
 permit tcp 192.168.40.0 0.0.0.255 host 192.168.40.3 eq 22
 permit tcp 192.168.40.0 0.0.0.255 host 192.168.40.3 eq www
 permit tcp 192.168.40.0 0.0.0.255 host 192.168.40.3 eq 443
 deny ip any any log
ip access-list extended NO-NAT1
 remark SDM_ACL Category=2
 deny ip 192.168.40.0 0.0.0.255 xx.xx.xxx.xx 0.0.0.3
 deny ip 192.168.40.0 0.0.0.255 host xx.xxx.xx.xx.xx
 deny ip 192.168.40.0 0.0.0.255 host xx.xx.xx.xx.xx
 deny ip 192.168.40.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.41.0 0.0.0.255
 deny ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended VPN-B
 remark VPN b
 remark SDM_ACL Category=4
 permit ip 192.168.40.0 0.0.0.255 host xx.xx.xx.xx.x
ip access-list extended VPN-L
 remark SDM_ACL Category=4
 permit ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255
ip access-list extended VPN-M
 remark VPN M
 remark SDM_ACL Category=4
 permit ip 192.168.40.0 0.0.0.255 host xx.xx.xx.xx
ip access-list extended VPN-V
 remark VPN zu V
 remark SDM_ACL Category=4
 permit ip 192.168.40.0 0.0.0.255 192.168.1.0 0.0.0.255
```
mels (author), posted 23 July 2006

Part 3

```
ip access-list extended WAN_in
 remark Verbindung vom Internet
 remark SDM_ACL Category=1
 permit udp any host xx.xx.xx.xx eq non500-isakmp
 permit udp any host xx.xx.xx.xx eq isakmp
 permit esp any host xx.xx.xx.xx
 permit ahp any host xx.xx.xx.xx
 permit udp host xx.xx.xx.xx eq domain 192.168.40.0 0.0.0.255
 permit udp host xx.xx.xx.xx eq domain 192.168.40.0 0.0.0.255
 permit udp host xx.xx.xx.xx eq domain 192.168.40.0 0.0.0.255
 permit udp host xx.xx.xx.xx eq ntp host xx.xx.xx.xx eq ntp
 permit udp host xx.xx.xx.xx eq ntp host xx.xx.xx.xx eq ntp
 permit ahp host xx.xx.xx.xx host xx.xx.xx.xx
 permit esp host xx.xx.xx.xx host xx.xx.xx.xx
 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq isakmp
 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq non500-isakmp
 permit ahp host xx.xx.xx.xx host xx.xx.xx.xx
 permit esp host xx.xx.xx.xx host xx.xx.xx.xx
 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq isakmp
 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq non500-isakmp
 permit icmp any host xx.xx.xx.xx echo-reply
 permit icmp any host xx.xx.xx.xx time-exceeded
 permit icmp any host xx.xx.xx.xx unreachable
 permit tcp any host xx.xx.xx.xx eq smtp
 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.41.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.42.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip host xx.xx.xx.xx any
 deny ip 192.168.40.0 0.0.0.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip any any log
access-list 1 permit xx.xx.xx.xx
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 deny any
no cdp run
route-map NAT-RMAP permit 10
 match ip address NO-NAT1
!
!
control-plane
!
banner login ^CCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 transport preferred all
 transport output telnet
line vty 0 4
 access-class CFG_vty in
 privilege level 15
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 192.5.41.41
sntp server 192.5.41.209
end
```