Besoin d'aide pour faire un VPN sur CISCO !


Marsh Posted on 22-11-2008 at 19:23:11

Hello,

For some time now I have had a network set up around a Cisco 871 router, including the VPN service.

My problem is that I desperately cannot manage to configure my VPN (with Easy VPN Server) so that a roaming user can reach the company network.

Could some charitable person who has already done this kind of setup PM me or help me solve my problem?

Thanks

Here is my router configuration:
 

Code :
Building configuration...
Current configuration : 14704 bytes
!
! Last configuration change at 19:18:12 PCTime Sat Nov 22 2008 by admin
! NVRAM config last updated at 19:16:33 PCTime Sat Nov 22 2008 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 ****.
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-2409708405
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2409708405
revocation-check none
rsakeypair TP-self-signed-2409708405
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
!
crypto pki certificate chain TP-self-signed-2409708405
certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32343039 37303834 3035301E 170D3038 31313038 31363132
  33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34303937
  30383430 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A08A 9AAE6DFB D291C0FB 3912AA27 A39F9EA1 B5F69989 4975E03F 71EFDDDE
  8B3F2DAF 72566D66 29D0D425 BF9A926B 4CB68103 75254496 9D1A5F2E FB54C461
  E2ADFA17 7ED55223 0585F3D7 B58A088E 7612B369 F096A94A F35F254D 957AE36B
  AC7AE2EB EBCC81EB 14C3165A 08C1D148 9020398C E05D831D A3A05B31 0E956C2F
  70ED0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 142B372E 7D0334DB 44E1E656 A6C1DD1C 36335333
  46301D06 03551D0E 04160414 2B372E7D 0334DB44 E1E656A6 C1DD1C36 33533346
  300D0609 2A864886 F70D0101 04050003 8181008C 2768B337 8A59F6C9 C6B258FD
  3650E6DE 27A5D3B7 82FAD9F6 B3928829 0F133808 B8740B83 62154A1F DF182898
  CEF49456 70596A6C E055CE3D 3FB59C62 E68C2FC7 118E673E 3D9735A3 B093EA95
  F3B2269F DA0167FE 4849BD0E CBAEA3B0 5BCA48B5 C9444725 A5A3CE6E 8A07D737
  E89B15C6 1586BB44 ABE6A26D 8B55FD45 28DE18
   quit
crypto pki certificate chain tti
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.51 192.168.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   domain-name fasiladom
   dns-server 192.168.1.1 192.168.10.254
!
!
no ip bootp server
ip domain name fasiladom.dom
ip name-server 192.168.10.254
ip name-server 192.168.1.1
!
!
!
username admin privilege 15 secret 5 pass_admin
username nomade privilege 15 view SDM_EasyVPN_Remote secret 5 $pass_nomade
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group nomade
key nomade
dns 192.168.10.254
domain fasiladom
pool SDM_POOL_1
include-local-lan
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group nomade
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class class-default
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
  pass
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
  pass
class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 192.168.10.1 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.254
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 105 remark SSH ACL
access-list 105 remark SDM_ACL Category=1
access-list 105 remark ss
access-list 105 permit udp any any
access-list 105 remark connexion externe
access-list 105 permit ip any any
no cdp run
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 3
access-class 101 in
access-class 105 out
authorization exec local_author
login authentication local_authen
length 0
transport input telnet ssh
transport output ssh
line vty 4
access-class 101 in
access-class 105 out
authorization exec local_author
login authentication local_authen
length 0
transport input telnet ssh
transport output ssh
parser view SDM_EasyVPN_Remote
secret 5 ****.
! Last configuration change at 19:18:12 PCTime Sat Nov 22 2008 by admin
! NVRAM config last updated at 19:16:33 PCTime Sat Nov 22 2008 by admin
!
! Last configuration change at 19:18:12 PCTime Sat Nov 22 2008 by admin
! NVRAM config last updated at 19:16:33 PCTime Sat Nov 22 2008 by admin
!
! Last configuration change at 19:18:12 PCTime Sat Nov 22 2008 by admin
! NVRAM config last updated at 19:16:33 PCTime Sat Nov 22 2008 by admin
!
commands interface include all crypto
commands interface include all no crypto
commands interface include no
commands configure include end
commands configure include all radius-server
commands configure include all access-list
commands configure include ip radius source-interface
commands configure include ip radius
commands configure include all ip nat
commands configure include ip dns server
commands configure include ip dns
commands configure include all interface
commands configure include all identity policy
commands configure include identity profile
commands configure include identity
commands configure include all dot1x
commands configure include all ip domain lookup
commands configure include ip domain
commands configure include ip
commands configure include all crypto
commands configure include all aaa
commands configure include default end
commands configure include all default radius-server
commands configure include all default access-list
commands configure include default ip radius source-interface
commands configure include default ip radius
commands configure include all default ip nat
commands configure include default ip dns server
commands configure include default ip dns
commands configure include all default interface
commands configure include all default identity policy
commands configure include default identity profile
commands configure include default identity
commands configure include all default dot1x
commands configure include all default ip domain lookup
commands configure include default ip domain
commands configure include default ip
commands configure include all default crypto
commands configure include all default aaa
commands configure include default
commands configure include no end
commands configure include all no radius-server
commands configure include all no access-list
commands configure include no ip radius source-interface
commands configure include no ip radius
commands configure include all no ip nat
commands configure include no ip dns server
commands configure include no ip dns
commands configure include all no interface
commands configure include all no identity policy
commands configure include no identity profile
commands configure include no identity
commands configure include all no dot1x
commands configure include all no ip domain lookup
commands configure include no ip domain
commands configure include no ip
commands configure include all no crypto
commands configure include all no aaa
commands configure include no
commands exec include dir all-filesystems
commands exec include dir
commands exec include crypto ipsec client ezvpn connect
commands exec include crypto ipsec client ezvpn xauth
commands exec include crypto ipsec client ezvpn
commands exec include crypto ipsec client
commands exec include crypto ipsec
commands exec include crypto
commands exec include write memory
commands exec include write
commands exec include all ping ip
commands exec include ping
commands exec include configure terminal
commands exec include configure
commands exec include all show
commands exec include no
commands exec include all debug appfw
commands exec include all debug ip inspect
commands exec include debug ip
commands exec include debug
commands exec include all clear
!
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


Message edited by Bl4CKDES on 22-11-2008 at 19:23:49
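When an Easy VPN server refuses roaming clients, the first thing to verify is that the chain of objects SDM generated actually links up: the ISAKMP profile must point at an existing client group, AAA xauth/authorization lists and virtual template, the client group at an existing address pool, the IPsec profile at an existing transform set and ISAKMP profile, and the virtual template back at that IPsec profile. The checker below is an added example, not part of the original post: it runs over a constructed excerpt that mirrors the names in the posted configuration and reports any reference that resolves to nothing.

```python
# Constructed excerpt in the shape of the config posted above (not the full config).
SAMPLE_CONFIG = """\
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
crypto isakmp client configuration group nomade
 pool SDM_POOL_1
crypto isakmp profile sdm-ike-profile-1
   match identity group nomade
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile SDM_Profile1
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
"""
# (block prefix, sub-command prefix, template of the object the sub-command must point at)
RULES = [
    ("crypto isakmp profile", "match identity group", "crypto isakmp client configuration group {}"),
    ("crypto isakmp profile", "client authentication list", "aaa authentication login {}"),
    ("crypto isakmp profile", "isakmp authorization list", "aaa authorization network {}"),
    ("crypto isakmp profile", "virtual-template", "interface Virtual-Template{}"),
    ("crypto isakmp client configuration group", "pool", "ip local pool {}"),
    ("crypto ipsec profile", "set transform-set", "crypto ipsec transform-set {}"),
    ("crypto ipsec profile", "set isakmp-profile", "crypto isakmp profile {}"),
    ("interface Virtual-Template", "tunnel protection ipsec profile", "crypto ipsec profile {}"),
]

def parse_blocks(text):  # -> {top-level command: [its indented sub-commands]}
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry nothing
        if raw[0] != " ":  # an unindented line opens a new block
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def check_easyvpn_refs(text):  # -> list of dangling references (empty list = chain is consistent)
    blocks, problems = parse_blocks(text), []
    for top, subs in blocks.items():
        for top_prefix, sub_prefix, target in RULES:
            if not top.startswith(top_prefix):
                continue
            for sub in subs:
                if sub == sub_prefix or sub.startswith(sub_prefix + " "):  # whole-token match
                    want = target.format(sub[len(sub_prefix):].strip())
                    if not any(t == want or t.startswith(want + " ") for t in blocks):
                        problems.append(f"{top!r} references missing {want!r}")
    return problems
```

Feed it the output of `show running-config` (indentation intact) and an empty list means the naming chain is sound, so the fault lies elsewhere, for example in the zone-based firewall or in the upstream device in front of the router's 192.168.10.1 WAN address.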