04-25-2011 09:04 AM
Hello everyone, I have been searching in many places for how to configure a VPN between a Cisco SR520 router and a Cisco Small Business RVL200. There are several scenarios, but so far none similar to mine. In the end, this is the configuration that I believe it should be.
I am leaving you the information and I hope you can help me.
Many thanks in advance.
I have the following scenario:
Two sites, point A and point B.
At point A I have a Cisco SR520 router with a dynamic IP over DSL
and DDNS.
At point B I have a Cisco Small Business RVL200 router with Internet over DSL, dynamic IP
and DDNS.
Both work correctly.
I have already configured both devices for VPN, but I cannot get the communication to establish.
For both routers the settings are DES, Pre-Share, Group 1, MD5 and lifetime 28800.
Here is some more information from the sh run:
SR520# sh run | begin isakmp
crypto isakmp policy 12
 authentication pre-share
 lifetime 28800
crypto isakmp key 1234 hostname myhost.dyndns.org
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set velosa esp-des esp-md5-hmac
 mode transport
!
crypto map velosa 1 ipsec-isakmp
 set peer 189.152.X.X
 set transform-set velosa
 match address 110
!
archive
 log config
  logging enable
  logging size 600
  hidekeys
!
interface Dialer1
 description $FW_OUTSIDE$
 ip ddns update hostname myhost.dyndns.org
 ip ddns update sdm_ddns1
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname usuario@prodigy.net.mx
 ppp chap password 7 0403595F5D791A1C584A5D
 ppp pap sent-username usuario@prodigy.net.mx password 7 035C09525457771E1F5A41
 ppp ipcp dns request
 crypto map velosa
!
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 110 remark SDM_ACL Category=16
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 115
!
Also, the debug output:
SR520#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
189.224.X.X 189.152.X.X MM_NO_STATE 0 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
SR520#
SR520#sh crypto ipsec sa
interface: Dialer1
Crypto map tag: velosa, local addr 189.224.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
current_peer 189.152.X.X port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 792, #recv errors 0
local crypto endpt.: 189.224.X.X, remote crypto endpt.: 189.152.X.X
path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: velosa, local addr 0.0.0.0
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
current_peer 189.152.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 0.0.0.0, remote crypto endpt.: 189.152.X.X
path mtu 1452, ip mtu 1452, ip mtu idb Virtual-Access2
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
SR520#
SR520#sh log | begin isakmp
*Mar 2 09:17:23.222: ISAKMP: Locking peer struct 0x83AA4190, refcount 1 for crypto_isakmp_process_block
*Mar 2 09:17:23.222: ISAKMP: local port 500, remote port 500
*Mar 2 09:17:23.222: insert sa successfully sa = 85C66720
*Mar 2 09:17:23.222: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 2 09:17:23.222: ISAKMP:(0): processing ID payload. message ID = 0
*Mar 2 09:17:23.222: ISAKMP (0:0): ID payload
next-payload : 0
type : 1
address : 189.152.X.X
protocol : 0
port : 0
length : 12
*Mar 2 09:17:23.226: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 2 09:17:23.226: ISAKMP: no pre-shared key based on address 189.152.X.X!
*Mar 2 09:17:23.226: ISAKMP:(0):No pre-shared key with 189.152.X.X!
*Mar 2 09:17:23.226: ISAKMP:(0): local preshared key found
*Mar 2 09:17:23.226: ISAKMP : Scanning profiles for xauth ...
*Mar 2 09:17:23.226: ISAKMP:(0):Checking ISAKMP transform 0 against priority 12 policy
*Mar 2 09:17:23.226: ISAKMP: life type in seconds
*Mar 2 09:17:23.226: ISAKMP: life duration (basic) of 28800
*Mar 2 09:17:23.226: ISAKMP: encryption DES-CBC
*Mar 2 09:17:23.226: ISAKMP: hash MD5
*Mar 2 09:17:23.226: ISAKMP: auth pre-share
*Mar 2 09:17:23.226: ISAKMP: default group 1
*Mar 2 09:17:23.226: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 2 09:17:23.226: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 2 09:17:23.226: ISAKMP:(0):no offers accepted!
*Mar 2 09:17:23.226: ISAKMP:(0): phase 1 SA policy not acceptable! (local 189.224.X.X remote 189.152.X.X)
*Mar 2 09:17:23.226: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Mar 2 09:17:23.226: ISAKMP:(0): sending packet to 189.152.X.X my_port 500 peer_port 500 (R) AG_NO_STATE
*Mar 2 09:17:23.226: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 2 09:17:23.226: ISAKMP:(0):peer does not do paranoid keepalives.
*Mar 2 09:17:23.226: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 189.152.X.X)
*Mar 2 09:17:23.226: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 2 09:17:23.226: ISAKMP:(0): group size changed! Should be 0, is 96
*Mar 2 09:17:23.226: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Mar 2 09:17:23.226: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
*Mar 2 09:17:23.226: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar 2 09:17:23.226: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
*Mar 2 09:17:23.230: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 189.152.X.X
SR520#
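Added example, not part of the original post: a small Python triage of ISAKMP debug output like the log above, which pulls out the proposal the peer offered, the attribute the router reported as not matching its policy, the pre-shared key lookup miss, and the failed exchange mode. The sample lines are constructed from the shape of the posted log, and the function and field names are assumptions of this example.

```python
import re

# Constructed sample, shaped like the ISAKMP debug lines in the post above.
SAMPLE = """\
*Mar 2 09:17:23.226: ISAKMP: no pre-shared key based on address 189.152.X.X!
*Mar 2 09:17:23.226: ISAKMP:(0):Checking ISAKMP transform 0 against priority 12 policy
*Mar 2 09:17:23.226: ISAKMP: life type in seconds
*Mar 2 09:17:23.226: ISAKMP: life duration (basic) of 28800
*Mar 2 09:17:23.226: ISAKMP: encryption DES-CBC
*Mar 2 09:17:23.226: ISAKMP: hash MD5
*Mar 2 09:17:23.226: ISAKMP: auth pre-share
*Mar 2 09:17:23.226: ISAKMP: default group 1
*Mar 2 09:17:23.226: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 2 09:17:23.226: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 2 09:17:23.230: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 189.152.X.X
"""

PREFIX = re.compile(r"^\*\w+\s+\d+ [\d:.]+: ")  # "*Mar 2 09:17:23.226: "
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(
    r"ISAKMP:\s+(encryption|hash|auth|default group|life duration \(basic\) of)\s+(\S+)")
MISMATCH = re.compile(r"ISAKMP:\(\d+\):(.+?) offered does not match policy!")
NO_KEY = re.compile(r"no pre-shared key based on address (\S+?)!")
MODE_FAIL = re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE: Processing of (\w+) mode failed")

def triage(text):
    """Group offered attributes under each transform/policy check and collect failures."""
    report = {"checks": [], "no_key_for": set(), "failed_mode": None}
    current = None  # the transform-vs-policy comparison currently being logged
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip())
        if m := CHECK.search(line):
            current = {"transform": int(m[1]), "policy": int(m[2]),
                       "offered": {}, "mismatch": None}
            report["checks"].append(current)
        elif (m := ATTR.match(line)) and current is not None:
            current["offered"][m[1].split(" (")[0]] = m[2]  # what the peer proposed
        elif (m := MISMATCH.search(line)) and current is not None:
            current["mismatch"] = m[1]  # attribute the local policy rejected
        elif m := NO_KEY.search(line):
            report["no_key_for"].add(m[1])  # key lookup by peer address missed
        elif m := MODE_FAIL.search(line):
            report["failed_mode"] = m[1]
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The rejected attribute can then be compared against the effective local policy, which `show crypto isakmp policy` lists in full.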
04-27-2011 07:40 AM
Hello again.
I hope you can help me.
I am still in the same situation.
Does anyone have any suggestions?
Many thanks in advance.
Regards
Happy Easter