Title: Problem with Cisco 1760 VPN Server configuration
Posted by: rcbandit on Oct 12, 2011, 21:44
Hello, for the third day now I have been struggling to get an old Cisco 1760 with a crypto module working as a VPN server. Here is the configuration. The IOS version is c1700-advsecurityk9-mz.124-3b.bin

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
!--- In order to set AAA authentication at login, use the aaa authentication login
!--- command in global configuration mode.
aaa authentication login default local
!--- Here, list name "sdm_vpn_xauth_ml_1" is specified for
!--- the authentication of the clients.
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
ip cef
!
!--- The RSA certificate generates after the
!--- ip http secure-server command is enabled.
crypto pki trustpoint TP-self-signed-392370502
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-392370502
 revocation-check none
 rsakeypair TP-self-signed-392370502
!
crypto pki certificate chain TP-self-signed-392370502
 certificate self-signed 01
  quit
!
!--- Creates a user account with all privileges.
username sdmsdm privilege 15 password 0 sdmsdm
!
!--- Creates an isakmp policy 1 with parameters like
!--- 3des encryption, pre-share key authentication, and DH group 2.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group vpn
!--- Defines the pre-shared key as sdmsdm.
 key sdmsdm
 pool SDM_POOL_1
 netmask 255.255.255.0
!
!--- Defines transform set parameters.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!--- Specifies the crypto map parameters.
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0/0
 ip address 192.168.1.114 255.255.255.0
 duplex auto
 speed auto
!
!--- Applies the crypto map SDM_CMAP1 to the interface.
crypto map SDM_CMAP_1
!
!--- Creates a local pool named SDM_POOL_1 for issuing IP
!--- addresses to clients.
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
!--- Commands for enabling http and https required to launch SDM.
ip http server
ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
!
end
When I try with the Cisco VPN client, nothing happens. I followed these tutorials: http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml I would really appreciate some help with solving the problem.
Title: Re: Problem with Cisco 1760 VPN Server configuration
Posted by: 10101 on Oct 12, 2011, 22:25
conf t
interface fa0/0
crypto map SDM_CMAP_1
wr m :)
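A way to catch the mistake this reply fixes when reviewing a pasted running-config, as an added example that is not part of the thread: a small Python checker that splits the config into command blocks and flags a crypto map entered at global level (after the "!" that closes the interface) or defined but never applied under any interface. The two sample configs are constructed here, modelled on the first post and on the reply's fix.

```python
import re

# Constructed sample modelled on the thread's first paste: the '!' closes the interface
# block, so the 'crypto map' line lands at global level and is never applied.
BROKEN = """\
crypto isakmp client configuration group vpn
 key sdmsdm
 pool SDM_POOL_1
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0/0
 ip address 192.168.1.114 255.255.255.0
!
crypto map SDM_CMAP_1
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
"""
# The same config after the reply's fix: the crypto map is entered under the interface.
FIXED = BROKEN.replace("!\ncrypto map SDM_CMAP_1\n", " crypto map SDM_CMAP_1\n!\n")

def parse_blocks(text):
    """Group a config into (command, [sub-commands]); '!' lines and '!---' comments are skipped."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and blocks:      # indented: belongs to the previous command
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def check_crypto_map_wiring(text):
    """Flag a crypto map entered at global level, and any defined map no interface applies."""
    blocks = parse_blocks(text)
    # 'crypto map NAME <more words>' defines/configures a map; bare 'crypto map NAME' applies it
    defined = {m.group(1) for cmd, _ in blocks if (m := re.match(r"crypto map (\S+) ", cmd))}
    applied, findings = {}, []
    for cmd, subs in blocks:
        if re.fullmatch(r"crypto map \S+", cmd):
            findings.append(f"'{cmd}' is at global level; enter it under the interface")
        elif cmd.startswith("interface "):
            for sub in subs:
                if (m := re.match(r"crypto map (\S+)$", sub)):
                    applied[m.group(1)] = cmd.split(" ", 1)[1]
    for name in sorted(defined - set(applied)):
        findings.append(f"crypto map {name} is defined but not applied to any interface")
    return findings
```

Run it over the text of "show running-config" (indentation preserved) and an empty result means every configured crypto map is bound to an interface.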
Title: Re: Problem with Cisco 1760 VPN Server configuration
Posted by: rcbandit on Oct 12, 2011, 22:35
Here is what has happened so far: I took the ready-made configuration from that site and pasted it into the router.

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Y37y$zGFqGbcinUvkQ617lA5HL0
enable password cisco
!
aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network groupauthor local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip routing
no ip cef
!
crypto pki trustpoint TP-self-signed-1747916323
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1747916323
 revocation-check none
 rsakeypair TP-self-signed-1747916323
!
crypto pki trustpoint TP-self-signed-392370502
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-392370502
 revocation-check none
 rsakeypair TP-self-signed-392370502
!
crypto pki certificate chain TP-self-signed-1747916323
 certificate self-signed 01
  quit
crypto pki certificate chain TP-self-signed-392370502
username admin privilege 15 password 0 6y5t4r3e2w1q
username user password 0 cisco
username sdmsdm privilege 15 password 0 sdmsdm
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 101
!
crypto isakmp client configuration group vpn
 key sdmsdm
 pool SDM_POOL_1
 netmask 255.255.255.0
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set myset
 reverse-route
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 client authentication list ciscocp_vpn_xauth_ml_2
crypto map SDM_CMAP_2 isakmp authorization list ciscocp_vpn_group_ml_2
crypto map SDM_CMAP_2 client configuration address respond
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address 192.168.1.114 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 speed auto
 full-duplex
 crypto map SDM_CMAP_1
!
ip local pool ippool 192.168.1.1 192.168.1.2
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 transport input telnet ssh
!
end

After I uploaded it, it spat out a lot of errors, but after I rebooted it, it seems to have debugged itself, and now I can connect with the Windows Cisco VPN client. But it does not work with cvpn on Ubuntu.
Title: Re: Problem with Cisco 1760 VPN Server configuration
Posted by: rcbandit on Oct 13, 2011, 09:52
Is it possible to configure the router according to the configuration shown here:
http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml
but using only the one FastEthernet 0/0 port for all the traffic?
Title: Re: Problem with Cisco 1760 VPN Server configuration
Posted by: rcbandit on Oct 16, 2011, 16:11
Hello, another problem. I got the VPN clients working, but now the VPN server will not let more than two clients connect to the server at the same time. As soon as I disconnect one of the logged-in agents, the one that could not connect succeeds. Apparently there is a limit of 2 clients that can connect. Any idea how to fix it?