
Gateway 2 Gateway VPN between Cisco 2921 & RV042 IPsec Tunnel Issue

Baligh.Bedewi
16-12-2015, 17:08
Good evening, everyone..

Without taking up too much of your time, I hope someone can help me if you would be so kind.

As mentioned, I have 2 routers, each with a Static IP from the ISP, and I want to set up a Gateway 2 Gateway IPSec VPN. I followed the steps from the Cisco website but it didn't work.. meaning IKE Phase 1 is established but IKE Phase 2 does not establish.

I will post the details and settings of both routers in English, and I would appreciate a solution, because I have been at this for 15 days and honestly don't know what is going on.

I have 2 physical locations as Main and Branch

Main
I've CISCO 2921 as a Gateway with 100.100.100.100 as a Static Public IP and 192.168.1.0/24 as a Local Private IP

Branch
I've CISCO RV042 as a Gateway with 200.200.200.200 as a Static IP and 192.168.2.0/24 as a Local Private IP

The plan is connecting both sites permanent so I can use and/or share IP phones, Cameras, Printers… etc



What I’ve done based on the Cisco practice in the Branch RV042 router is attached herewith RV042_1, RV042_2, RV042_3 and Access Rules


And In Main 2921 Router I have done the below

Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config)#crypto isakmp key ************** address 200.200.200.200
Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config)#crypto ipsec transform-set myset esp-aes esp-sha-hmac
Router(config)#crypto map Main_Branch 10 ipsec-isakmp
Router(config-crypto-map)#set transform-set myset
Router(config-crypto-map)#set peer 200.200.200.200
Router(config-crypto-map)#match address 100
Router(config-crypto-map)#set pfs group1
Router(config)#crypto map Main_Branch 10 ipsec-isakmp
Router(config-crypto-map)#set transform-set myset
Router(config-crypto-map)#set peer 200.200.200.200
Router(config-crypto-map)#match address 100
Router(config)#interface gigabitethernet 0/0 (THIS IS THE 100.100.100.100 interface)
Router(config-if)#crypto map Main_Branch
and I'm not able to ping from 192.168.1.0 to 192.168.2.0

----------------------------------

As a result from both sides I've tried



In Branch RV042 Router

Test VPN... If I click (Connect.... wait....Connect) nothing happens
Diagnostic Ping 192.168.1.0 ---> Packet drops
Log files indicate ---> VPN (g2gips0) #11081: [Tunnel Established] ISAKMP SA established
Log files indicate ---> ACCESS_RULE 100.100.100.100:->200.200.200.200: on eth1

Advanced Routing: created the route below
Destination IP: 192.168.1.0
Subnet Mask : 255.255.255.0
Default Gateway : 100.100.100.100
Hop Count: 1
Interface: WAN1 (WHICH IS 200.200.200.200)

In Main 2921 Router


Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
100.100.100.100 200.200.200.200 QM_IDLE 6405 ACTIVE

Router#show crypto ipsec sa

No SAs found

Router#show crypto map
Crypto Map IPv4 "Main_Branch" 10 ipsec-isakmp
Peer = 200.200.200.200
Extended IP access list 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group1
Transform sets={
myset: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map Main_Branch:


Router#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 28800 seconds, no volume limit


But the last setting on the 2921 router, which is Router(config-if)#crypto map Main_Branch: every time I do this step the internet disconnects and I have to do a reload without saving the configuration.

Here is the startup configuration of the 2921 router



Using 4563 out of 262136 bytes
!
! Last configuration change at 11:26:09 UTC Wed Dec 9 2015 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!


!
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool ccp-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server *.*.*.*
lease 0 2
!
!
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1234
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234
revocation-check none
rsakeypair TP-self-signed-1234
!
!
crypto pki certificate chain TP-self-signed-1234
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn ****
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
!
username admin privilege 15 secret 4 ***
username vpn secret 4 ****
username *** privilege 7 secret 4 ****
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 28800
crypto isakmp key ***** address 200.200.200.200
!
crypto isakmp client configuration group vpn
key ******
dns 8.8.8.8
pool SDM_POOL_1
acl 101
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group vpn
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set myset esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
crypto map Main_Branch 10 ipsec-isakmp
set peer 200.200.200.200
set transform-set myset
set pfs group1
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description "Connected to DU"
ip address 100.100.100.100 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description "Connected to LAN"
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
ip local pool SDM_POOL_1 192.168.10.100 192.168.10.125
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
no ip nat service sip udp port 5060
ip nat pool Avaya 192.168.1.99 192.168.1.99 netmask 255.255.255.0 type rotary
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static udp 192.168.1.99 5060 100.100.100.100 5060 extendable
ip nat inside source static tcp 192.168.1.2 9011 100.100.100.100 9011 extendable
ip nat inside source static udp 192.168.1.2 9011 100.100.100.100 9011 extendable
ip nat inside destination list voip pool Avaya
ip route 0.0.0.0 0.0.0.0 100.100.100.100
!
ip access-list extended voip
permit udp any any range 49152 53247
permit udp any any eq 5060
permit tcp any any eq 5060
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


Please, everyone, can someone help me
Regards
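
As an added illustration (not from the poster), a small Python checker that reads an excerpt of the 2921 configuration above and flags the crypto-map/NAT interactions that typically produce exactly these symptoms: the crypto map not bound to any interface (the empty "Interfaces using crypto map Main_Branch:" line), one ACL shared between NAT overload and the crypto map, "permit ip any any" inside the crypto ACL, and no NAT exemption for the site-to-site subnets. The config excerpt is constructed from the thread with the one-space IOS indentation restored.

```python
import re

# Constructed excerpt of the 2921 config posted above (addresses as in the thread,
# one-space IOS indentation restored so sub-commands can be tied to their block).
CONFIG = """\
crypto map Main_Branch 10 ipsec-isakmp
 set peer 200.200.200.200
 set transform-set myset
 match address 100
interface GigabitEthernet0/0
 ip address 100.100.100.100 255.255.255.252
 ip nat outside
ip nat inside source list 100 interface GigabitEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
"""

def audit(config):
    """Return a list of findings about how crypto maps, NAT and ACLs interact."""
    crypto_acl, nat_acls, applied, acls, block = {}, set(), set(), {}, ""
    for line in config.splitlines():
        if line and not line.startswith(" "):   # unindented line opens a new block
            block = line
        m = re.match(r" match address (\S+)", line)
        if m and block.startswith("crypto map "):
            crypto_acl[block.split()[2]] = m.group(1)   # map name -> crypto ACL
        m = re.match(r"ip nat inside source list (\S+)", line)
        if m:
            nat_acls.add(m.group(1))                     # ACLs selecting NAT traffic
        m = re.match(r" crypto map (\S+)", line)
        if m and block.startswith("interface "):
            applied.add(m.group(1))                      # maps bound to an interface
        m = re.match(r"access-list (\S+) (permit|deny) (.*)", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    findings = []
    for name, acl in crypto_acl.items():
        if name not in applied:   # matches the empty "Interfaces using crypto map" line
            findings.append(f"crypto map {name} is not applied to any interface")
        if acl in nat_acls:       # one ACL cannot serve both NAT selection and crypto
            findings.append(f"ACL {acl} is used by both NAT and crypto map {name}")
        if any(a == "permit" and e.startswith("ip any any") for a, e in acls.get(acl, [])):
            findings.append(f"crypto ACL {acl} permits ip any any, so all traffic is tunneled")
    for acl in nat_acls:          # NAT runs before encryption: VPN traffic must be exempted
        if not any(a == "deny" for a, _ in acls.get(acl, [])):
            findings.append(f"NAT ACL {acl} has no deny entry exempting the VPN subnets")
    return findings

if __name__ == "__main__":
    print(*audit(CONFIG), sep="\n")
```

With the excerpt above all four findings fire; a config with a dedicated crypto ACL, a NAT ACL that denies the 192.168.1.0/24 to 192.168.2.0/24 traffic first, and the map bound under GigabitEthernet0/0 produces none.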

Baligh.Bedewi
17-12-2015, 11:48
Good evening, everyone

47 views and not a single reply... Guys, this matters and I really need a quick reply.

I ask anyone with experience to reply to me.