New Member

Site-to-site VPN (dynamic IP vs static IP) with NAT

Hello,

I have the following scenario:

  LAN (192.168.1.x/24)----Router 887VAG--- Ce0 (dynamic IP) ---++++--- (static IP)-- NAT Router---FW---Router 887 (VPN) --- LAN (195.168.2.x/24)

The tunnel is established between both 887 routers, but I cannot ping the remote router's LAN.

Here are the status outputs and debugs:

SPOKE (dynamic IP)

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
194.140.150.235 192.168.1.1     QM_IDLE           2001 ACTIVE

HUB (static IP)

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.200.2.139    90.169.166.131  QM_IDLE           2001 ACTIVE

SPOKE (dynamic IP)

Router3G#sh crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (194.140.150.235/255.255.255.255/47/0)
   current_peer 194.140.150.235 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 194.140.150.235
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

HUB (static IP)

RouterADSL#sh crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.200.2.139

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.2.139/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/47/0)
   current_peer 172.16.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.200.2.139, remote crypto endpt.: 172.16.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan250
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

SPOKE (dynamic IP)

Router3G#debug crypto ipsec
Crypto IPSEC debugging is on

Feb  7 17:35:23.747: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 192.168.1.1:0, remote= 194.140.150.235:0,
    local_proxy= 192.168.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 194.140.150.235/255.255.255.255/47/0 (type=1)
Feb  7 17:35:23.747: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.1.1:500, remote= 194.140.150.235:500,
    local_proxy= 192.168.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 194.140.150.235/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Feb  7 17:35:53.747: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 192.168.1.1:0, remote= 194.140.150.235:0,
    local_proxy= 192.168.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 194.140.150.235/255.255.255.255/47/0 (type=1)

Router3G#debug crypto isa
Crypto ISAKMP debugging is on

Feb  7 17:39:22.891: ISAKMP: set new node 0 to QM_IDLE
Feb  7 17:39:22.891: SA has outstanding requests  (local 135.187.67.220 port 4500, remote 135.187.67.192 port 4500)
Feb  7 17:39:22.891: ISAKMP:(2001): sitting IDLE. Starting QM immediately (QM_IDLE      )
Feb  7 17:39:22.891: ISAKMP:(2001):beginning Quick Mode exchange, M-ID of 220973181
Feb  7 17:39:22.891: ISAKMP:(2001):QM Initiator gets spi
Feb  7 17:39:22.891: ISAKMP:(2001): sending packet to 194.140.150.235 my_port 4500 peer_port 4500 (I) QM_IDLE
Feb  7 17:39:22.891: ISAKMP:(2001):Sending an IKE IPv4 Packet.
Feb  7 17:39:22.891: ISAKMP:(2001):Node 220973181, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Feb  7 17:39:22.891: ISAKMP:(2001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1.
Feb  7 17:39:25.831: ISAKMP (2001): received packet from 194.140.150.235 dport 4500 sport 4500 Global (I) QM_IDLE
Feb  7 17:39:25.831: ISAKMP: set new node -2016106009 to QM_IDLE
Feb  7 17:39:25.835: ISAKMP:(2001): processing HASH payload. message ID = 2278861287
Feb  7 17:39:25.835: ISAKMP:(2001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2086699776, message ID = 2278861287, sa = 0x87BB4258
Feb  7 17:39:25.835: ISAKMP:(2001): deleting spi 2086699776 message ID = 220973181
Feb  7 17:39:25.835: ISAKMP:(2001):deleting node 220973181 error TRUE reason "Delete Larval".
Feb  7 17:39:25.835: ISAKMP:(2001):deleting node -2016106009 error FALSE reason "Informational (in) state 1"
Feb  7 17:39:25.835: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb  7 17:39:25.835: ISAKMP:(2001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

HUB (static IP)

Feb  7 17:40:24.435: ISAKMP (2001): received packet from 90.169.166.131 dport 4500 sport 4500 Global (R) QM_IDLE
Feb  7 17:40:24.435: ISAKMP: set new node 220973181 to QM_IDLE
Feb  7 17:40:24.435: ISAKMP:(2001): processing HASH payload. message ID = 220973181
Feb  7 17:40:24.435: ISAKMP:(2001): processing SA payload. message ID = 220973181
Feb  7 17:40:24.435: ISAKMP:(2001):Checking IPSec proposal 1
Feb  7 17:40:24.435: ISAKMP: transform 1, ESP_AES
Feb  7 17:40:24.435: ISAKMP:   attributes in transform:
Feb  7 17:40:24.435: ISAKMP:      encaps is 3 (Tunnel-UDP)
Feb  7 17:40:24.435: ISAKMP:      SA life type in seconds
Feb  7 17:40:24.435: ISAKMP:      SA life duration (basic) of 3600
Feb  7 17:40:24.435: ISAKMP:      SA life type in kilobytes
Feb  7 17:40:24.435: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Feb  7 17:40:24.435: ISAKMP:      authenticator is HMAC-SHA
Feb  7 17:40:24.435: ISAKMP:      key length is 128
Feb  7 17:40:24.435: ISAKMP:(2001):atts are acceptable.
Feb  7 17:40:24.435: IPSEC(validate_proposal_request): proposal part #1
Feb  7 17:40:24.435: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.200.2.139:0, remote= 90.169.166.131:0,
    local_proxy= 194.140.150.235/255.255.255.255/47/0 (type=1),
    remote_proxy= 192.168.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Feb  7 17:40:24.435: map_db_find_best did not find matching map
Feb  7 17:40:24.439: IPSEC(ipsec_process_proposal): proxy identities not supported
Feb  7 17:40:24.439: ISAKMP:(2001): IPSec policy invalidated proposal with error 32
Feb  7 17:40:24.439: ISAKMP:(2001): phase 2 SA policy not acceptable! (local 10.200.2.139 remote 90.169.166.131)
Feb  7 17:40:24.439: ISAKMP: set new node -2016106009 to QM_IDLE
Feb  7 17:40:24.439: ISAKMP:(2001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2255848696, message ID = 2278861287
Feb  7 17:40:24.439: ISAKMP:(2001): sending packet to 90.169.166.131 my_port 4500 peer_port 4500 (R) QM_IDLE
Feb  7 17:40:24.439: ISAKMP:(2001):Sending an IKE IPv4 Packet.
Feb  7 17:40:24.439: ISAKMP:(2001):purging node -2016106009
Feb  7 17:40:24.439: ISAKMP:(2001):deleting node 220973181 error TRUE reason "QM rejected"
Feb  7 17:40:24.439: ISAKMP:(2001):Node 220973181, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Feb  7 17:40:24.439: ISAKMP:(2001):Old State = IKE_QM_READY  New State = IKE_QM_READY
Feb  7 17:40:54.391: ISAKMP (2001): received packet from 90.169.166.131 dport 4500 sport 4500 Global (R) QM_IDLE
Feb  7 17:40:54.391: ISAKMP: set new node -2038977650 to QM_IDLE
Feb  7 17:40:54.391: ISAKMP:(2001): processing HASH payload. message ID = 2255989646
Feb  7 17:40:54.391: ISAKMP:(2001): processing SA payload. message ID = 2255989646
Feb  7 17:40:54.391: ISAKMP:(2001):Checking IPSec proposal 1
Feb  7 17:40:54.391: ISAKMP: transform 1, ESP_AES
Feb  7 17:40:54.391: ISAKMP:   attributes in transform:
Feb  7 17:40:54.391: ISAKMP:      encaps is 3 (Tunnel-UDP)
Feb  7 17:40:54.391: ISAKMP:      SA life type in seconds
Feb  7 17:40:54.391: ISAKMP:      SA life duration (basic) of 3600
Feb  7 17:40:54.391: ISAKMP:      SA life type in kilobytes
Feb  7 17:40:54.391: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Feb  7 17:40:54.391: ISAKMP:      authenticator is HMAC-SHA
Feb  7 17:40:54.391: ISAKMP:      key length is 128
Feb  7 17:40:54.391: ISAKMP:(2001):atts are acceptable.
Feb  7 17:40:54.391: IPSEC(validate_proposal_request): proposal part #1
Feb  7 17:40:54.391: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.200.2.139:0, remote= 90.169.166.131:0,
    local_proxy= 194.140.150.235/255.255.255.255/47/0 (type=1),
    remote_proxy= 192.168.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Feb  7 17:40:54.391: map_db_find_best did not find matching map
Feb  7 17:40:54.391: IPSEC(ipsec_process_proposal): proxy identities not supported
Feb  7 17:40:54.391: ISAKMP:(2001): IPSec policy invalidated proposal with error 32
Feb  7 17:40:54.395: ISAKMP:(2001): phase 2 SA policy not acceptable! (local 10.200.2.139 remote 90.169.166.131)
Feb  7 17:40:54.395: ISAKMP: set new node -1655801467 to QM_IDLE
Feb  7 17:40:54.395: ISAKMP:(2001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2255848696, message ID = 2639165829
Feb  7 17:40:54.395: ISAKMP:(2001): sending packet to 90.169.166.131 my_port 4500 peer_port 4500 (R) QM_IDLE
Feb  7 17:40:54.395: ISAKMP:(2001):Sending an IKE IPv4 Packet.
Feb  7 17:40:54.395: ISAKMP:(2001):purging node -1655801467
Feb  7 17:40:54.395: ISAKMP:(2001):deleting node -2038977650 error TRUE reason "QM rejected"
Feb  7 17:40:54.395: ISAKMP:(2001):Node 2255989646, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Feb  7 17:40:54.395: ISAKMP:(2001):Old State = IKE_QM_READY  New State = IKE_QM_READY
Feb  7 17:41:14.439: ISAKMP:(2001):purging node 220973181
Feb  7 17:41:44.395: ISAKMP:(2001):purging node -2038977650

What could be causing this?

Thank you very much for your help,

Regards,

4 REPLIES
Cisco Employee


Hello Lydia,

According to the Hub debugs, the Hub is rejecting the tunnel. Looking at the Hub configuration, you are defining a tunnel destination; since the tunnel's IP is dynamic, you should not need to define an IP there. I think you can try configuring this on the Hub instead of the tunnel destination:

tunnel mode gre multipoint

And on the spoke you have the tunnel source set to vlan1, which is your private network; there you would need to use the cellular0 interface as the source.

If these changes do not help, what you can try is EasyVPN on the client and DVTI with IPsec on the Hub; this page explains the configuration:

http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

Regards,

Alejandro Rodriguez
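As an added triage helper (not from the thread or from Cisco), the Python below extracts the identities the hub's own crypto map protects from `show crypto ipsec sa` and the proxy identities the spoke proposed from the hub's `debug crypto ipsec` lines, then reports why `map_db_find_best` found no matching map: the spoke offers GRE (protocol 47) between 192.168.1.1 and 194.140.150.235, while the hub's Tunnel0 is bound to 10.200.2.139 and 172.16.0.1, so neither identity lines up. The embedded sample text is a constructed excerpt of the output quoted above.

```python
import re

# Constructed excerpts of the hub-side output quoted in the thread (not the full logs).
HUB_SHOW_SA = """\
   local  ident (addr/mask/prot/port): (10.200.2.139/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/47/0)
"""
HUB_DEBUG = """\
Feb  7 17:40:24.435: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.200.2.139:0, remote= 90.169.166.131:0,
    local_proxy= 194.140.150.235/255.255.255.255/47/0 (type=1),
    remote_proxy= 192.168.1.1/255.255.255.255/47/0 (type=1),
Feb  7 17:40:24.435: map_db_find_best did not find matching map
Feb  7 17:40:24.439: IPSEC(ipsec_process_proposal): proxy identities not supported
"""

# addr/mask/protocol/port as IOS prints an IPsec identity (protocol 47 = GRE)
IDENT = r"(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)"

def parse_configured_idents(show_sa):
    """Identities the hub's own crypto map protects, from 'show crypto ipsec sa'."""
    found = {}
    for side in ("local", "remote"):
        m = re.search(side + r"\s+ident .*?\(" + IDENT + r"\)", show_sa)
        if m:
            found[side] = m.groups()  # (addr, mask, proto, port)
    return found

def parse_proposed_proxies(debug):
    """Proxy identities the peer offered in Quick Mode, as logged by the hub."""
    found = {}
    for side in ("local", "remote"):
        m = re.search(side + r"_proxy=\s*" + IDENT, debug)
        if m:
            found[side] = m.groups()
    return found

def diagnose(show_sa, debug):
    """Explain a phase 2 rejection by comparing configured and proposed identities."""
    conf, prop = parse_configured_idents(show_sa), parse_proposed_proxies(debug)
    findings = []
    if "did not find matching map" in debug or "proxy identities not supported" in debug:
        findings.append("hub rejected Quick Mode: no crypto map matches the proposed proxies")
    for side in ("local", "remote"):
        if side in conf and side in prop and conf[side] != prop[side]:
            findings.append(f"{side} identity mismatch: hub has {conf[side][0]} proto {conf[side][2]}, "
                            f"peer proposed {prop[side][0]} proto {prop[side][2]}")
    return findings
```

Calling `diagnose(HUB_SHOW_SA, HUB_DEBUG)` yields three findings: the rejection itself, then the local and remote identity mismatches that explain it.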

New Member


Thank you very much, Alejandro.

I will try it and let you know.

Regards,

New Member


Hello Alejandro,

I have tried both solutions and I still have the problem.

With the configuration you propose, the tunnel does not even come up. Could NAT be causing problems in some way?

Thank you very much.

Regards,

Cisco Employee


Hello Lydia,

The NAT seems to be configured correctly. What may be the problem is routing with the first option I mentioned, since routes would need to be added to send the LAN traffic through the tunnel interfaces.

If the routes do not help, honestly the best thing would be for you to help us by opening a case so the configurations can be reviewed and some other debugs obtained.

Regards.

Alejandro Rodriguez
