GW to GW VPN connection

  • Question: GW to GW VPN connection

    I have to set up a GW to GW VPN connection. So I requested an excerpt, an excerpt of the Cisco ASA firewall (remote site in the other country) regarding the VPN settings; now the art is to interpret these correctly in order to implement them accordingly on a Zyxel USG 200 firewall.

    Here is the config of the Cisco ASA GW to GW VPN connection:
    --------------------------------------------------------------------------
    names
    name 10.100.0.0 xy-net

    access-list filter-LTL-Schweiz remark Allow any ICMP Traffic
    access-list filter-LTL-Schweiz extended permit icmp any any

    access-list split-VPN-Schweiz-LTL standard permit xy-net 255.255.0.0

    access-list l2l_schweiz extended permit ip 192.168.5.0 255.255.255.0 xy-net 255.255.0.0

    mtu External 1500

    group-policy Schweiz-LTL internal
    group-policy Schweiz-LTL attributes
    vpn-filter value filter-LTL-Schweiz
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-VPN-Schweiz-LTL
    webvpn

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000

    crypto dynamic-map External_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map External_dyn_map 20 set security-association lifetime seconds 28800
    crypto dynamic-map External_dyn_map 20 set security-association lifetime kilobytes 4608000
    crypto dynamic-map External_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map External_dyn_map 40 set security-association lifetime seconds 28800
    crypto dynamic-map External_dyn_map 40 set security-association lifetime kilobytes 4608000

    crypto map External_map 100 match address l2l_schweiz
    crypto map External_map 100 set peer 109.164.134.46
    crypto map External_map 100 set transform-set ESP-3DES-SHA
    crypto map External_map 100 set security-association lifetime seconds 28800
    crypto map External_map 100 set security-association lifetime kilobytes 4608000
    crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
    crypto map External_map interface External

    isakmp identity auto
    isakmp enable External
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp nat-traversal 20
    isakmp ipsec-over-tcp port 10000

    tunnel-group 109.164.134.46 type ipsec-l2l
    tunnel-group 109.164.134.46 general-attributes
    default-group-policy Schweiz-LTL
    tunnel-group 109.164.134.46 ipsec-attributes
    pre-shared-key *
    peer-id-validate nocheck
    --------------------------------------------------------------------------

    Here are my settings on the Zyxel USG 200

    Phase 1 (menu VPN / IPSec VPN / tab VPN Gateway)
    VPN Name = XY
    Gateway Settings/ My Address/ Interface = wan1 (DHCP client -- 109.164.134.46/255.255.255.128)

    Note on this:
    This is an IP assigned via DHCP by Swisscom, but it has been the same for about a month now. Also: I have set up a DynDNS name as well, but I cannot find that name anywhere in the above configuration of the remote site (configured on the Cisco ASA firewall).

    Peer Gateway Address / Primary 195.50.134.66
    Secondary 0.0.0.0

    Authentication = PreShared Key = SchlüsselXY
    Phase 1 Settings/ SA LifeTime 28800

    Negotiation Mode = Main
    Proposal/ Encryption = 3DES Authentication = SHA1
    Key Group = DH2

    NAT Traversal = enabled


    Phase 2 (menu VPN / IPSec VPN / tab VPN Connections)
    VPN Gateway / Application Scenario = Site-to-Site
    VPN Gateway = the GW I defined in the VPN Gateway tab

    Policy/ local Policy = SUBNET, 192.168.5.0/24
    Remote Policy = SUBNET, 10.100.0.0/16

    Phase 2 Setting/ SA Life Time = 86400
    Active Protocol = ESP
    Encapsulation = Tunnel
    Proposal = Encryption 3DES / Authentication = SHA1, MD5, SHA256

    Perfect Forward Secrecy (PFS) = DH2

    Related Settings/ Zone = IPSec_VPN

    With this configuration, the log shows the following when the connection is being established:
    --------------------------------------------------------------------------
    # Time Priority Category Message Source Source Interface Destination Destination Interface Protocol Note
    1 2012-05-09 10:54:07 info IKE The cookie pair is : 0x1bf9b104824b3bfb / 0xd684ecc0e37cfa42 [count=5] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    2 2012-05-09 10:54:06 info IKE The cookie pair is : 0xd684ecc0e37cfa42 / 0x1bf9b104824b3bfb [count=6] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    3 2012-05-09 10:54:06 info IKE The cookie pair is : 0x1bf9b104824b3bfb / 0x0000000000000000 [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    4 2012-05-09 10:54:00 info IKE The cookie pair is : 0x3b2171c4ed26b39c / 0x6c179b97f814123b [count=5] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    5 2012-05-09 10:54:00 info IKE The cookie pair is : 0x6c179b97f814123b / 0x3b2171c4ed26b39c [count=6] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    6 2012-05-09 10:54:00 info IKE The cookie pair is : 0x3b2171c4ed26b39c / 0x0000000000000000 [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    7 2012-05-09 10:53:58 info IKE ISAKMP SA [Hess_DE_GW] is disconnected [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    8 2012-05-09 10:53:58 info IKE Received delete notification [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    9 2012-05-09 10:53:58 info IKE Recv:[HASH][DEL] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    10 2012-05-09 10:53:58 info IKE Recv:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    11 2012-05-09 10:53:58 info IKE Send:[HASH][SA][NONCE][KE][ID][ID] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    12 2012-05-09 10:53:58 info IKE Phase 1 IKE SA process done [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    13 2012-05-09 10:53:58 info IKE Recv:[ID][HASH][VID] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    14 2012-05-09 10:53:58 info IKE Send:[ID][HASH][NOTIFY:INITIAL_CONTACT] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    15 2012-05-09 10:53:58 info IKE Recv:[KE][NONCE][VID][VID][VID][VID][PRV][PRV] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    16 2012-05-09 10:53:58 info IKE Send:[KE][NONCE][PRV][PRV] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    17 2012-05-09 10:53:58 info IKE The cookie pair is : 0x3d63d827f68aea86 / 0xd0491afdd1ada1d8 [count=5] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    18 2012-05-09 10:53:57 info IKE Recv:[SA][VID][VID] [count=3] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    19 2012-05-09 10:53:57 info IKE The cookie pair is : 0xd0491afdd1ada1d8 / 0x3d63d827f68aea86 [count=6] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    20 2012-05-09 10:53:57 info IKE Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    21 2012-05-09 10:53:57 info IKE Send Main Mode request to [195.50.134.66] [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    22 2012-05-09 10:53:57 info IKE Tunnel [HessCH_zu_HessDE] Sending IKE request [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    23 2012-05-09 10:53:57 info IKE The cookie pair is : 0x3d63d827f68aea86 / 0x0000000000000000 [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    25 2012-05-09 10:53:44 info IKE ISAKMP SA [Hess_DE_GW] is disconnected 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    26 2012-05-09 10:53:44 info IKE Received delete notification 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    27 2012-05-09 10:53:44 info IKE Recv:[HASH][DEL] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    28 2012-05-09 10:53:44 info IKE Recv:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    29 2012-05-09 10:53:44 info IKE Send:[HASH][SA][NONCE][KE][ID][ID] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    30 2012-05-09 10:53:44 info IKE Phase 1 IKE SA process done 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    31 2012-05-09 10:53:44 info IKE Recv:[ID][HASH][VID] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    32 2012-05-09 10:53:44 info IKE Send:[ID][HASH][NOTIFY:INITIAL_CONTACT] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    33 2012-05-09 10:53:44 info IKE Recv:[KE][NONCE][VID][VID][VID][VID][PRV][PRV] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    34 2012-05-09 10:53:43 info IKE Send:[KE][NONCE][PRV][PRV] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    35 2012-05-09 10:53:43 info IKE The cookie pair is : 0xc9d5c43097adfd61 / 0x19093c6e36a860d7 [count=5] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    36 2012-05-09 10:53:43 info IKE Recv:[SA][VID][VID] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    37 2012-05-09 10:53:43 info IKE The cookie pair is : 0x19093c6e36a860d7 / 0xc9d5c43097adfd61 [count=6] 195.50.134.66:500 109.164.134.46:500 IKE_LOG
    38 2012-05-09 10:53:43 info IKE Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    39 2012-05-09 10:53:43 info IKE Send Main Mode request to [195.50.134.66] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    40 2012-05-09 10:53:43 info IKE Tunnel [HessCH_zu_HessDE] Sending IKE request 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    41 2012-05-09 10:53:43 info IKE The cookie pair is : 0xc9d5c43097adfd61 / 0x0000000000000000 [count=3] 109.164.134.46:500 195.50.134.66:500 IKE_LOG
    --------------------------------------------------------------------------

    The connection cannot be established; it runs into a timeout after 30 seconds.

    Thanks a thousand times for your support :-)
    Regards Andrew - MCP 70-210 & 70-620 - you cannot know everything, but if you know where to look, the solution is not far away
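As an added example (my own code, not the poster's), a small Python checker that takes the parameters both sides list above and replays three lines of the posted log: it reports in which IKE phase NO_PROPOSAL_CHOSEN arrived and lists every parameter that differs, including whether the Zyxel's local/remote policy is the mirror image of the ASA's crypto ACL, which is what the responder compares in Quick Mode. The ASA-side values are transcribed from the excerpt (xy-net = 10.100.0.0 per the "name" line); the dictionary layout is an assumption of mine.

```python
from ipaddress import ip_network

# Transcribed from the ASA excerpt: isakmp policy 10, transform-set ESP-3DES-SHA,
# pfs enable, SA lifetimes, and the crypto ACL l2l_schweiz (source = ASA local).
ASA = {
    "p1": {"enc": "3des", "hash": "sha", "dh": 2, "lifetime": 86400},
    "p2": {"enc": "3des", "hash": "sha", "pfs": True, "lifetime": 28800},
    "nets": (ip_network("192.168.5.0/24"), ip_network("10.100.0.0/16")),  # (local, remote)
}
# Transcribed from the Zyxel USG 200 settings in the post.
ZYXEL = {
    "p1": {"enc": "3des", "hash": "sha", "dh": 2, "lifetime": 28800},
    "p2": {"enc": "3des", "hash": "sha", "pfs": True, "lifetime": 86400},
    "nets": (ip_network("192.168.5.0/24"), ip_network("10.100.0.0/16")),  # (local, remote)
}

# Three lines copied from the posted Zyxel log (newest first, as the USG shows them).
LOG = [
    "10 2012-05-09 10:53:58 info IKE Recv:[HASH][NOTIFY:NO_PROPOSAL_CHOSEN] 195.50.134.66:500 109.164.134.46:500 IKE_LOG",
    "11 2012-05-09 10:53:58 info IKE Send:[HASH][SA][NONCE][KE][ID][ID] 109.164.134.46:500 195.50.134.66:500 IKE_LOG",
    "12 2012-05-09 10:53:58 info IKE Phase 1 IKE SA process done 109.164.134.46:500 195.50.134.66:500 IKE_LOG",
]

def failing_phase(log_lines):
    """Replay the log oldest-first (higher line number = older) and return the IKE phase
    in which the peer answered NO_PROPOSAL_CHOSEN, or None if it never did."""
    phase1_done = False
    for line in sorted(log_lines, key=lambda l: int(l.split()[0]), reverse=True):
        if "Phase 1 IKE SA process done" in line:
            phase1_done = True
        if "NOTIFY:NO_PROPOSAL_CHOSEN" in line:
            return 2 if phase1_done else 1
    return None

def mismatches(a, b):
    """List every Phase 1/2 parameter that differs, then check that b's (local, remote)
    selectors are the mirror image of a's crypto ACL (a's local must be b's remote)."""
    found = []
    for phase in ("p1", "p2"):
        for key, val in a[phase].items():
            if b[phase].get(key) != val:
                found.append(f"{phase} {key}: ASA={val} Zyxel={b[phase].get(key)}")
    a_local, a_remote = a["nets"]
    if b["nets"] != (a_remote, a_local):
        found.append(f"proxy IDs not mirrored: ASA {a_local}->{a_remote}, Zyxel {b['nets'][0]}->{b['nets'][1]}")
    return found

if __name__ == "__main__":
    print("NO_PROPOSAL_CHOSEN received in phase", failing_phase(LOG))
    for m in mismatches(ASA, ZYXEL):
        print("-", m)
```

The lifetime differences are listed for completeness; IKEv1 peers normally settle on the shorter value, so the proxy-ID line is the finding to check against the remote site first.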