nona
16-04-2004, 05:38 PM
One VPN from the Router to Singapore works fine, but the second VPN, from the Router to the PIX (site-to-site), cannot be established.
Has anyone done this before?
Router { -----VPN----- Singapore
{ -----VPN------ branch office
I'm pasting the Router and PIX configs; I don't know where the mistake is. I have removed all the keys, the real IPs and the remote IPs, and I'm sure those are correct:
Router:
Password:
icivn01>en
!
!
memory-size iomem 25
ip subnet-zero
!
!!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key a address 111
crypto isakmp key b address 222
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set d esp-3des esp-md5-hmac
crypto ipsec transform-set e esp-3des esp-md5-hmac
!
crypto map 1 local-address Serial0
crypto map 1 10 ipsec-isakmp
set peer
set transform-set d
match address 102
crypto map 1 100 ipsec-isakmp
set peer
set transform-set e
match address 110
!
!!
interface Tunnel1
description
bandwidth 64
ip address 145.82.137.69 255.255.255.252
ip broadcast-address
ip mtu 1420
load-interval 60
delay 5000
tunnel source Serial0
tunnel destination
crypto map 1
!
!
interface FastEthernet0
ip address 145.82.138.129 255.255.255.128
ip policy route-map clear-df
speed 100
!
interface Serial0
ip address
crypto map 1
!
router eigrp 1000
redistribute static
network 145.82.0.0
distribute-list 1 out Tunnel1
auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 203.210.0.0 255.255.0.0 Serial0
no ip http server
no ip http secure-server
!
!
!
access-list 1 deny 192.168.0.0 0.0.255.255
access-list 1 permit any
access-list 102 permit gre host host
access-list 105 permit esp host host
access-list 105 permit udp host host eq isakmp
access-list 105 permit gre host host
access-list 105 permit tcp host host eq telnet
access-list 105 permit tcp any any eq telnet
access-list 110 permit ip
access-list 199 remark ** route-map clear-df **
access-list 199 permit ip any any
access-list 199 permit tcp any any
access-list 199 permit udp any any
access-list 199 permit icmp any any
access-list 199 permit esp any any
access-list 199 permit gre any any
!
route-map clear-df permit 10
match ip address 199
set ip df 0
!
banner motd ^CCC
^C
!
line con 0
password
line aux 0
exec-timeout 20 0
password
login
modem InOut
modem autoconfigure discovery
transport input all
speed 2400
flowcontrol hardware
line vty 0 4
password
login
line vty 5
login
!
no scheduler allocate
end
PIX
Password:
pixfirewall# sh ru
: Saved
:
PIX Version 6.3(1)
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name remote_router
access-list 100 permit icmp any any
access-list vpn_bacninh permit ip 192.168.130.0 255.255.255.0 remote_router 255.255.255.0
access-list vpn_bacninh_crypto permit ip 192.168.130.0 255.255.255.0 remote_router 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside 192.168.130.25 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.0.0 inside
pdm location remote_router 255.255.255.0 outside
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 0 access-list vpn_bacninh
nat (inside) 1 192.168.130.0 255.255.255.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set b esp-3des esp-sha-hmac
crypto ipsec transform-set d esp-3des esp-md5-hmac
crypto map to_ici_hcm 20 ipsec-isakmp
crypto map to_ici_hcm 20 match address vpn_bacninh_crypto
crypto map to_ici_hcm 20 set peer e
crypto map to_ici_hcm 20 set transform-set e
crypto map to_ici_hcm interface outside
isakmp enable outside
isakmp key ** address netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 600
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
Thanks all
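As an added example (not from the original post or either Cisco box), here is a Python cross-check over reduced copies of the two configurations above: it flags a crypto map entry that names a transform-set the box never defines, and reports when no ISAKMP policy pair agrees on encryption, hash, authentication and group. The function names and the shortened config strings are this example's own assumptions.

```python
import re
# Constructed inputs: reduced copies of the crypto lines the post pastes for each box.
IOS_CFG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set e esp-3des esp-md5-hmac
crypto map 1 100 ipsec-isakmp
 set transform-set e
"""
PIX_CFG = """\
crypto ipsec transform-set d esp-3des esp-md5-hmac
crypto map to_ici_hcm 20 set transform-set e
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

def defined_sets(cfg):  # names given on 'crypto ipsec transform-set' lines
    return set(re.findall(r"^crypto ipsec transform-set (\S+)", cfg, re.M))

def referenced_sets(cfg):  # names a crypto map entry points at (IOS indented or PIX flat form)
    return set(re.findall(r"^\s*(?:crypto map \S+ \d+ )?set transform-set (\S+)", cfg, re.M))

def isakmp_policies(cfg):  # {policy number: {attribute: value}}; IOS 'encr' -> 'encryption'
    policies, current = {}, None
    for line in cfg.splitlines():
        header = re.match(r"^(?:crypto )?isakmp policy (\d+)\s*(.*)$", line)
        if header:  # PIX carries the attribute on the header line itself
            current, rest = policies.setdefault(header[1], {}), header[2].split()
        else:  # IOS nests the attributes, indented, under the header
            rest = line.split() if current is not None and line[:1] == " " else []
            current = current if rest else None
        if len(rest) == 2:
            current["encryption" if rest[0] == "encr" else rest[0]] = rest[1]
    return policies

def compare(ios_cfg, pix_cfg):
    # phase 2: a map entry naming an undefined transform-set; phase 1: no agreeing policy pair
    findings = [f"{label}: crypto map references undefined transform-set '{name}'"
                for label, cfg in (("IOS", ios_cfg), ("PIX", pix_cfg))
                for name in sorted(referenced_sets(cfg) - defined_sets(cfg))]
    if not any(all(a.get(k) == b.get(k) for k in ("encryption", "hash", "authentication", "group"))
               for a in isakmp_policies(ios_cfg).values()
               for b in isakmp_policies(pix_cfg).values()):
        findings.append("no ISAKMP policy agrees on encryption/hash/authentication/group")
    return findings
```

Run `compare(IOS_CFG, PIX_CFG)` to get the list of findings; an empty list means both phases have a consistent proposal on each side.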