Baligh.Bedewi
16-12-2015, 17:08
Good evening everyone..
Without going on too long, I hope someone can help me if you'd be so kind.
As I mentioned, I have 2 routers, each with a Static IP from the ISP, and I want to set up a Gateway 2 Gateway IPSec VPN. I followed the steps from the Cisco website but it didn't work.. meaning IKE Phase 1 is established but IKE Phase 2 is not established.
I'll put the data and settings for both routers in English, and I hope for a solution, because I've been at this for 15 days and honestly don't know what's going on.
I have 2 physical locations as Main and Branch
Main
I've CISCO 2921 as a Gateway with 100.100.100.100 as a Static Public IP and 192.168.1.0/24 as a Local Private IP
Branch
I've CISCO RV042 as a Gateway with 200.200.200.200 as a Static IP and 192.168.2.0/24 as a Local Private IP
The plan is connecting both sites permanently so I can use and/or share IP phones, Cameras, Printers… etc
What I’ve done based on the Cisco practice in the Branch RV042 router is attached herewith RV042_1, RV042_2, RV042_3 and Access Rules
And In Main 2921 Router I have done the below
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config)#crypto isakmp key ************** address 200.200.200.200
Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config)#crypto ipsec transform-set myset esp-aes esp-sha-hmac
Router(config)#crypto map Main_Branch 10 ipsec-isakmp
Router(config-crypto-map)#set transform-set myset
Router(config-crypto-map)#set peer 200.200.200.200
Router(config-crypto-map)#match address 100
Router(config-crypto-map)#set pfs group1
Router(config)#crypto map Main_Branch 10 ipsec-isakmp
Router(config-crypto-map)#set transform-set myset
Router(config-crypto-map)#set peer 200.200.200.200
Router(config-crypto-map)#match address 100
Router(config)#interface gigabitethernet 0/0 (THIS IS THE 100.100.100.100 interface)
Router(config-if)#crypto map Main_Branch
and I'm not able to ping from 192.168.1.0 to 192.168.2.0
----------------------------------
As a result from both sides I've tried
In Branch RV042 Router
Test VPN... If I click (Connect.... wait....Connect) nothing happens
Diagnostic Ping 192.168.1.0---> Packet drops
Log files indicate ---> VPN (g2gips0) #11081: [Tunnel Established] ISAKMP SA established
Log files indicate---->ACCESS_RULE 100.100.100.100:->200.200.200.200: on eth1
Advancing Routing, Created the below routing
Destination IP: 192.168.1.0
Subnet Mask : 255.255.255.0
Default Gateway : 100.100.100.100
Hop Count: 1
Interface: WAN1 (WHICH IS 200.200.200.200)
In Main 2921 Router
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
100.100.100.100 200.200.200.200 QM_IDLE 6405 ACTIVE
Router#show crypto ipsec sa
No SAs found
Router#show crypto map
Crypto Map IPv4 "Main_Branch" 10 ipsec-isakmp
Peer = 200.200.200.200
Extended IP access list 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group1
Transform sets={
myset: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map Main_Branch:
Router#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 28800 seconds, no volume limit
But the last setting on the 2921 router, Router(config-if)#crypto map Main_Branch: every time I do this step the internet drops and I have to reload without saving the configuration.
Here is the start configuration from the 2921 router:
Using 4563 out of 262136 bytes
!
! Last configuration change at 11:26:09 UTC Wed Dec 9 2015 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool ccp-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server *.*.*.*
lease 0 2
!
!
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1234
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234
revocation-check none
rsakeypair TP-self-signed-1234
!
!
crypto pki certificate chain TP-self-signed-1234
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn ****
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
!
username admin privilege 15 secret 4 ***
username vpn secret 4 ****
username *** privilege 7 secret 4 ****
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 28800
crypto isakmp key ***** address 200.200.200.200
!
crypto isakmp client configuration group vpn
key ******
dns 8.8.8.8
pool SDM_POOL_1
acl 101
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group vpn
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set myset esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
crypto map Main_Branch 10 ipsec-isakmp
set peer 200.200.200.200
set transform-set myset
set pfs group1
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description "Connected to DU"
ip address 100.100.100.100 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description "Connected to LAN"
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
ip local pool SDM_POOL_1 192.168.10.100 192.168.10.125
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
no ip nat service sip udp port 5060
ip nat pool Avaya 192.168.1.99 192.168.1.99 netmask 255.255.255.0 type rotary
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static udp 192.168.1.99 5060 100.100.100.100 5060 extendable
ip nat inside source static tcp 192.168.1.2 9011 100.100.100.100 9011 extendable
ip nat inside source static udp 192.168.1.2 9011 100.100.100.100 9011 extendable
ip nat inside destination list voip pool Avaya
ip route 0.0.0.0 0.0.0.0 100.100.100.100
!
ip access-list extended voip
permit udp any any range 49152 53247
permit udp any any eq 5060
permit tcp any any eq 5060
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Please, everyone, can someone help me?
Regards