After age-old struggles… Cisco

Posted: June 17, 2009 in technical
…that lasted 2 days, I changed the authentication group name string on my 6500 with the VPN SPA and… it works! yay :d/

The moral is: configs on the VPN SPA are done with profiles; otherwise you'd better take up cooking, because at Cisco every config is done differently depending on the platform, even though in essence you are doing the same thing.

Something else I "discovered" while trying, like anyone would, to put some 5000 IPs in the remote access pool is that (at least on my image) I cannot put more than 3810 IPs in a pool, the Cisco box yelling its head off that my range is bad:

231-6500IPSec(config)#ip local pool test 172.16.0.1 172.16.10.254
231-6500IPSec(config)#no ip local pool test 172.16.0.1 172.16.10.254
231-6500IPSec(config)#ip local pool test 172.16.0.1 172.16.20.254
%Bad IP range, 172.16.0.1-172.16.20.254

And another nice thing is that it accepts network addresses in the remote access pool and even hands them out to the RA host. What's the big deal? Can't my VPN client have the IP 91.91.0.0 /16 too? 😛
231-6500IPSec(config)#ip local pool test2 91.91.0.0 91.91.0.0
231-6500IPSec(config)#
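The two pool quirks above (the observed 3810-address ceiling and the pool handing out a network address) can be checked before a pool ever reaches the box. The script below is an added example, not part of the original post; it assumes the netmask passed in is the one the ISAKMP client configuration group pushes to clients (255.255.0.0 in this config), and it uses the 3810 figure only because that is what the post observed on this image, not because it is a documented limit.

```python
import ipaddress

# Observed on the author's image: pools larger than this are rejected with
# "%Bad IP range". Taken from the post, not from Cisco documentation.
OBSERVED_POOL_LIMIT = 3810


def check_local_pool(start: str, end: str, netmask: str,
                     limit: int = OBSERVED_POOL_LIMIT) -> dict:
    """Sanity-check an 'ip local pool <start> <end>' range.

    Reports the pool size, whether it exceeds the observed limit, and every
    address in the range that is a network or broadcast address of the
    subnet the pushed netmask implies (a client given one of those will
    not have a usable host address).
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("pool end is lower than pool start")
    size = int(last) - int(first) + 1

    # Prefix length of the subnet the client is told it belongs to.
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen

    unusable = set()
    addr = int(first)
    # Walk subnet by subnet (not address by address) so large pools stay cheap.
    while addr <= int(last):
        net = ipaddress.IPv4Network((addr, prefix), strict=False)
        for bad in (net.network_address, net.broadcast_address):
            if first <= bad <= last:
                unusable.add(str(bad))
        addr = int(net.broadcast_address) + 1

    return {
        "size": size,
        "exceeds_limit": size > limit,
        "unusable": sorted(unusable, key=ipaddress.IPv4Address),
    }


if __name__ == "__main__":
    # The pools that appear in the post, audited against the pushed /16 netmask.
    for s, e in [("172.16.0.1", "172.16.10.254"), ("172.16.0.1", "172.16.20.254"),
                 ("91.91.0.0", "91.91.0.0"), ("94.94.0.0", "94.94.0.254")]:
        print(s, e, check_local_pool(s, e, "255.255.0.0"))
```

Run against the post's own `ra_ipsecpool`, it flags 94.94.0.0 as the network address of the /16 the group pushes, which is exactly the kind of address the box was seen handing to a client.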
——————————
username cisco password 0 cisco
!
aaa new-model
aaa authentication login default local
aaa authentication login ra_xauth local
aaa authentication ppp default local
aaa authentication eou default group radius
aaa authorization network ragroup local
aaa accounting network default start-stop group radius
!
crypto pki trustpoint VPN
enrollment retry period 5
enrollment mode ra
usage ike
serial-number
subject-name CN=231-6500IPSec
revocation-check none
rsakeypair ra_key
auto-enroll regenerate
!
crypto pki certificate map cert_map 10
subject-name co cn = peer
!
crypto isakmp policy 4
encr 3des
hash md5
group 2
lifetime 46800
!
crypto isakmp key ra_key address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 30
crypto isakmp client configuration address-pool local ra_ipsecpool
!
crypto isakmp client configuration group ragroup_test
key ra_key
pool ra_ipsecpool
max-users 5000
netmask 255.255.0.0
!
crypto isakmp profile test
keyring default
ca trust-point VPN
match certificate cert_map
client authentication list ra_xauth
client configuration address respond
client configuration group ragroup_test
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set general_transform esp-3des esp-md5-hmac
!
crypto dynamic-map ra_dynamic_map 10
set transform-set general_transform
!
!
crypto map general_map client authentication list ra_xauth
crypto map general_map isakmp authorization list ragroup
crypto map general_map client configuration address respond
crypto map general_map 30 ipsec-isakmp dynamic ra_dynamic_map
!
interface GigabitEthernet3/3
switchport
switchport access vlan 111
switchport mode access
!
interface GigabitEthernet3/4
ip address 61.211.0.1 255.255.0.0
!
interface GigabitEthernet8/1/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,110,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet8/1/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,111,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan110
ip address 170.2.0.6 255.255.255.0
no mop enabled
crypto map general_map
crypto engine slot 8/1
!
interface Vlan111
no ip address
crypto connect vlan 110
!
ip local pool ra_ipsecpool 94.94.0.0 94.94.0.254

That is how I got rid of the damned modecfg error:

00:50:10: AAA/AUTHOR/IKMP/LOCAL: group does not exist
%CRYPTO-6-VPN_TUNNEL_STATUS: Group: does not exist

The only problem is that this way a single tunnel takes a minute and a half to come up!!!?? What can I expect with 3000 tunnels using 1024-bit certificates? ….. 😦 😦 😦
