01-23-2012 04:50 AM - edited 03-21-2019 06:46 PM
Hello,
Is it possible to configure the ISR 1802 router with VPN so that this device can authenticate and authorize users without needing a component such as a Cisco VPN 3000?
Is it possible to use AD (Windows Authentication) or RADIUS to authenticate VPN users instead of the Cisco VPN 3000? And in that case, how should the router be configured?
Thank you,
António
Solved! Go to Solution.
on 01-24-2012 06:11 AM
"I’m sorry to be annoying, but where is the code that represents the variable ANTONIO-RADIUS-AUTHENTICATION and ANTONIO-router-ADMIN?"
Read my 4th posting from the top, they are defined in the very first and second line.
Port is 1812, not 1813.
radius-server host 192.168.30.1 auth-port 1812 acct-port 1812 key your-password-goes-here
Thanks
Rizwan Rafeek
on 01-25-2012 06:36 AM
Lastly, please rate any helpful post on this thread.
on 01-25-2012 03:17 PM
Hi,
I didn’t have the time to apply the solution that you gave me.
However, I thank you for your availability and all the clarification.
António
on 01-31-2012 10:49 AM
Hi,
With the scenario in the image, the PC with 172.16.50.1 is Windows 7, with the Windows VPN set up, and the above configuration (by Rizwan Rafeek).
When I try to connect to the router through the VPN, the following message appears.
On the router the message is
001002: *Jan 31 18:31:57.609: %CRYPTO-4-IKMP_NO_SA: IKE message from 172.16.50.1 has no SA and is not an initialization offer
I have a W2K8 server with NPS configured to accept VPN connections. And for the user I used, nothing appears in the security logs.
Can I use the windows configuration to connect via VPN?
If so, what is missing to complete the connection?
If not, what can I do?
Thanks,
António
on 01-31-2012 11:56 AM
Please use, Cisco VPN client.
on 02-01-2012 04:51 AM
Hi,
I downloaded version 5.0.07.0290 of the Cisco Systems VPN Client (64-bit) and installed it without the firewall.
I configured F0 of the ISR 1802 router with IP address 172.16.50.1/24.
I configured the local interface of my laptop with 172.16.50.200/24 and no gateway (and later with gateway 172.16.50.1).
The VPN client configurations are:
I suppose that the Group Authentication is the user and password in RADIUS on my W2K8.
And after one minute the result is this message:
What is missing?
Thank you,
António
on 02-01-2012 05:50 AM
Well, use the login name without FQDN, i.e. just a username without @srv-teste.local.
If that doesn't help, copy your config to the forum.
on 02-01-2012 08:11 AM
on 02-01-2012 08:52 AM
Please remove highlighted line:
no ip nat inside source list ACL_de_Rede_Interna interface FastEthernet0 overload
Please fix this ACL; the PAT_ACL is only for PAT overload and does nothing else. So networks 30, 31, 33 and 34 will be PAT overloaded to interface Fa/0.
ip access-list extended PAT_ACL
deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 any
permit ip 192.168.31.0 0.0.0.255 any
permit ip 192.168.33.0 0.0.0.255 any
permit ip 192.168.34.0 0.0.0.255 any
Be sure to have a static route on your inside network to push "192.168.0.0 255.255.255.0" to router's inside ip address.
Thanks
Rizwan Rafeek
on 02-08-2012 03:56 PM
Hi,
I tried to configure the router with all the changes indicated, but I had no success configuring the router as a VPN server with RADIUS.
Then I tried a different thing, i.e., configuring the router as a VPN server with local authentication and authorization.
Inside everything is operational, but when I try to connect to my VPN server there is no answer (with the same VPN client configuration, outside gateway 172.16.50.1).
What is missing?
Thanks,
António
The configuration is:
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname MyLab-router
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
!
username admin privilege 15 password 7
username x1x secret 5
clock summer-time WET recurring last Sun Mar 2:00 last Sun Oct 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPNclient local
aaa authorization exec default local
aaa authorization network LOCALgroups local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip dhcp excluded-address 192.168.30.254
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.30.220 192.168.30.229
!
ip dhcp pool DHCP-vlan1
network 192.168.30.0 255.255.255.0
domain-name dados-MyLab.pt
dns-server 192.168.30.254
default-router 192.168.30.254
lease 1 0 1
!
!
ip domain name MyLab.pt
ip ips po max-events 100
login block-for 60 attempts 3 within 15
login on-failure
login on-success
no ftp-server write-enable
!
!
!
spanning-tree portfast bpduguard
archive
log config
logging enable
logging size 1000
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 20 3
!
crypto isakmp client configuration group engineering
key engine123
pool MyPool
!
!
crypto ipsec transform-set ClientTransform esp-aes esp-sha-hmac
!
crypto dynamic-map dyn_map 10
set transform-set ClientTransform
reverse-route
!
!
crypto map MyMap client authentication list VPNclient
crypto map MyMap isakmp authorization list LOCALgroups
crypto map MyMap client configuration address respond
crypto map MyMap 1000 ipsec-isakmp dynamic dyn_map
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet0
description Internet Connection
ip address 172.16.50.1 255.255.255.0
no ip unreachables
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map MyMap
!
interface FastEthernet1
description Dados+Wifi
switchport access vlan 1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
description Trunk-Rede Interna
switchport mode trunk
no ip address
!
interface Vlan1
description Local LAN
ip address 192.168.30.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool MyPool 192.168.30.200 192.168.30.219
ip classless
!
ip dns server
!
ip http server
no ip http secure-server
ip nat inside source list SPLITEremote interface FastEthernet0 overload
!
ip access-list extended SPLITEremote
permit ip 192.168.30.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
banner motd ^C
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
| * \
* MyLab / Portugal | *
| ---------------------------------------------- * |
* Router | *
| Cisco 1802 * |
* ---------------------------------------------- | *
| --- UNAUTHORIZED ACCESS DENIED! --- * |
* --- Entradas nao autorizadas sao punidas por lei --- | *
| * |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* *
\ \ |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-^C
!
line con 0
line aux 0
line vty 0 4
exec-timeout 5 0
password 7
line vty 5 15
exec-timeout 5 0
password 7
!
no scheduler allocate
end
on 02-08-2012 05:41 PM
Well, there are a number of things you did not pay attention to. Things I mentioned in my 4th and 5th posts.
If I were you, I would put the remote VPN users' IP range into a separate subnet rather than making the VPN users' subnet the same as the internal network segment.
Just make it simple, so put your remote VPN users' subnet into a separate subnet different from your internal network; I break it into subnets.
ip access-list extended PAT_ACL
deny ip 192.168.30.128 0.0.0.31 any
permit ip 192.168.30.0 0.0.0.127 any
ip nat inside source list PAT_ACL interface FastEthernet0 overload
ip radius source-interface FastEthernet0/1
interface Vlan1
ip address 192.168.30.1 255.255.255.128
ip local pool MyPool 192.168.30.129 192.168.30.158
ip dhcp pool DHCP-vlan1
network 192.168.30.0 255.255.255.128
domain-name dados-MyLab.pt
dns-server 192.168.30.126
default-router 192.168.30.1
lease 1 0 1
ip access-list extended SPLITEremote
permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31
ip dhcp excluded-address 192.168.30.1
no ip dhcp excluded-address 192.168.30.254
no ip dhcp excluded-address 192.168.30.220 192.168.30.229
Ask questions and please understand syntax.
thanks
Rizwan Rafeek
on 02-09-2012 01:28 AM
Hi Rizwan Rafeek,
First of all, thank you for your response.
OK, I will put the VPN users in a different IP range (another IP address).
But with the syntax (see below):
ip access-list extended SPLITEremote
deny ip 192.168.30.128 0.0.0.31 any ! here deny all traffic from 192.168.30.129 to 254 to anywhere, because this is the VPN users' pool address
permit ip 192.168.30.0 0.0.0.127 any ! here permit all traffic from 192.168.30.1 to 126 to anywhere, because this is the inside users' pool address
ip access-list extended SPLITEremote
permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31 ! here permit the traffic between 192.168.30.1 to 126 and 192.168.30.129 to 254, but this line is implicit in the line above, correct?
However, with all of this configuration I have no RADIUS for authentication and authorization; this will be local.
So what is wrong? Because I cannot connect when I'm outside.
Thanks,
António
on 02-09-2012 10:00 AM
ip access-list extended SPLITEremote
permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31
The ACL "SPLITEremote" is only used for splitting the tunnel; otherwise all internal network traffic (including internet web browsing) from the VPN client will fall into the VPN tunnel. By splitting the tunnel, only internal network traffic will fall into the VPN tunnel.
Now PAT_ACL.
ip access-list extended PAT_ACL
deny ip 192.168.30.128 0.0.0.31 any
permit ip 192.168.30.0 0.0.0.127 any
This PAT_ACL is used only for PAT overload; it forces VPN-tunnel-bound traffic to go via the crypto engine instead of being PAT overloaded for accessing the internet.
So, please stick with this ACL, the one below.
ip access-list extended PAT_ACL
deny ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31
permit ip 192.168.30.0 0.0.0.127 any
thanks
Rizwan Rafeek
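The split-tunnel and NAT-exemption explanation above lends itself to a quick check. The following Python is added here and is not part of the thread: it implements Cisco wildcard-mask ACL matching and evaluates the two PAT_ACL variants from the posts on constructed sample addresses (the internet host 198.51.100.7 is a made-up documentation address).

```python
# Added example (not from the thread): a small Cisco-style ACL evaluator used to
# compare the two PAT_ACL variants discussed above on constructed sample flows.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <wc> <dst> <wc>', where either side may be 'any'."""
    toks = line.split()
    action, rest = toks[0], toks[2:]
    ends = []
    for _ in range(2):
        if rest[0] == "any":
            ends.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        else:
            ends.append((rest[0], rest[1]))
            rest = rest[2:]
    return action, ends[0], ends[1]

def acl_lookup(acl, src, dst):
    """First matching entry wins; an unmatched flow hits the implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def nat_decision(pat_acl, src, dst):
    """For 'ip nat inside source list': permit = translate, deny = leave untouched."""
    return "translate" if acl_lookup(pat_acl, src, dst) == "permit" else "exempt"

# The ACL first proposed for PAT (exempts by source address only).
PAT_ACL_SOURCE_ONLY = ["deny ip 192.168.30.128 0.0.0.31 any",
                       "permit ip 192.168.30.0 0.0.0.127 any"]
# The ACL recommended later (exempts inside -> VPN-pool traffic, translates the rest).
PAT_ACL_FIXED = ["deny ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31",
                 "permit ip 192.168.30.0 0.0.0.127 any"]
SPLIT_ACL = ["permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31"]

# Constructed sample addresses: an inside host, a VPN-pool address and an internet host.
INSIDE, VPN_CLIENT, INTERNET = "192.168.30.10", "192.168.30.140", "198.51.100.7"

def compare():
    """NAT decision of both ACLs for (inside -> VPN client, inside -> internet)."""
    return {name: (nat_decision(acl, INSIDE, VPN_CLIENT), nat_decision(acl, INSIDE, INTERNET))
            for name, acl in (("source_only", PAT_ACL_SOURCE_ONLY), ("fixed", PAT_ACL_FIXED))}

if __name__ == "__main__":
    print(compare(), acl_lookup(SPLIT_ACL, INSIDE, VPN_CLIENT))
```

The first variant translates the inside-to-pool flow, so replies to the VPN client leave via PAT instead of the crypto engine; the fixed variant exempts exactly that flow and still translates internet-bound traffic.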
on 02-09-2012 11:50 AM
Hi,
The following picture illustrates the scenario.
And with this configuration:
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname MyLab-router
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
!
username admin privilege 15 password 7
username x1x secret 5
clock summer-time WET recurring last Sun Mar 2:00 last Sun Oct 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPNclient local
aaa authorization exec default local
aaa authorization network LOCALgroups local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip dhcp excluded-address 192.168.30.1
!
ip dhcp pool DHCP-vlan1
network 192.168.30.0 255.255.255.128
domain-name dados-MyLab.pt
dns-server 192.168.30.126
default-router 192.168.30.1
lease 1 0 1
!
!
ip domain name MyLab.pt
ip ips po max-events 100
login block-for 60 attempts 3 within 15
login on-failure
login on-success
no ftp-server write-enable
!
!
!
spanning-tree portfast bpduguard
archive
log config
logging enable
logging size 1000
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 20 3
!
crypto isakmp client configuration group engineering
key engine123
pool MyPool
!
!
crypto ipsec transform-set ClientTransform esp-aes esp-sha-hmac
!
crypto dynamic-map dyn_map 10
set transform-set ClientTransform
reverse-route
!
!
crypto map MyMap client authentication list VPNclient
crypto map MyMap isakmp authorization list LOCALgroups
crypto map MyMap client configuration address respond
crypto map MyMap 1000 ipsec-isakmp dynamic dyn_map
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet0
description Internet Connection
ip address 172.16.50.1 255.255.255.0
no ip unreachables
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map MyMap
!
interface FastEthernet1
description Dados+Wifi
switchport access vlan 1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
description Trunk-Rede Interna
switchport mode trunk
no ip address
!
interface Vlan1
description Local LAN
ip address 192.168.30.1 255.255.255.128
ip nat inside
ip virtual-reassembly
!
ip local pool MyPool 192.168.30.129 192.168.30.158
ip classless
!
ip dns server
!
ip http server
no ip http secure-server
ip nat inside source list PAT_ACL interface FastEthernet0 overload
!
ip access-list extended PAT_ACL
deny ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31
permit ip 192.168.30.0 0.0.0.127 any
ip access-list extended SPLITEremote
permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31
!
!
!
!
!
control-plane
!
banner motd ^C
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
| * \
* MyLab / Portugal | *
| ---------------------------------------------- * |
* Router | *
| Cisco 1802 * |
* ---------------------------------------------- | *
| --- UNAUTHORIZED ACCESS DENIED! --- * |
* --- Entradas nao autorizadas sao punidas por lei --- | *
| * |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* *
\ \ |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
^C
!
line con 0
line aux 0
line vty 0 4
exec-timeout 5 0
password 7
line vty 5 15
exec-timeout 5 0
password 7
!
no scheduler allocate
end
The result is the same as before. Outside the router (through FastEthernet 0) I cannot connect to the VPN, with the configuration from the Feb 1, 2012 post (but with a different user and subnet mask, of course).
What's missing? Can you help me solve this?
Thanks,
António
on 02-09-2012 12:14 PM
"What's missing?" The one below is...
ip radius source-interface FastEthernet0/1
Are you able to access the internet from inside the network? Is your answer "yes"?
Then add the above line (ip radius source-interface FastEthernet0/1) and try it.
If you cannot access the internet from inside, then a NAT is missing in the "Dados+Wifi" cloud.
Or you can try this instead.
Try this: connect your router interface "interface FastEthernet0" to a switch, connect a PC with a VPN client to the same switch, give the PC an IP address from the same range (172.16.50.100/24), and then try to VPN in from outside while connected to the same switch.
Let me know.
thanks