Hello everyone!
I thought I'd share with you the setup I have built between three sites, in case anyone is interested in doing something similar.
I have the three sites below; each one has a completely different network connection and a different router, and all of them use DDNS instead of a static IP.
After quite a bit of searching online I managed to find out how to make it work with DDNS, and also how to give each IPSec tunnel a different pre-shared key.
Enjoy
Site1 Details:
Router: C2911
Connection: VDSL
DDNS: site1.ddns.com
Site2 Details:
Router: C897
Connection: Broadband
DDNS: site2.ddns.com
Site3 Details:
Router: C897
Connection: ADSL
DDNS: site3.ddns.com
Site1 config:
Code:
Building configuration...
!
!blabla
!
ip dhcp excluded-address 10.12.12.200 10.12.12.244
!
ip dhcp pool Vlan1
 import all
 network 10.12.12.0 255.255.255.0
 dns-server 10.12.12.51 1.1.1.1 8.8.8.8
 default-router 10.12.12.51
 lease 7
!
!blabla
!
ip ddns update method noipsetup
 HTTP
  add http://user1:wellhellothere@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 10 0
 interval minimum 0 0 0 5
!
!blabla
!
crypto isakmp policy 15
 encr aes 128
 authentication pre-share
 group 2
!
crypto isakmp policy 25
 encr aes 128
 authentication pre-share
 group 2
!
crypto isakmp key tunnel2key address 123.123.123.200 no-xauth   <<<<<< Updated by script
crypto isakmp key tunnel1key address 0.0.0.0 no-xauth
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set name1 esp-aes 128 esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile ipsectunnel1
 set transform-set name1
!
crypto ipsec profile ipsectunnel2
 set transform-set name1
!
!
!
interface Tunnel1
 ip address 172.16.12.1 255.255.255.0
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 123.123.123.100   <<<<<< Updated by script
 tunnel protection ipsec profile ipsectunnel1
!
interface Tunnel2
 ip address 172.16.13.1 255.255.255.0
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 123.123.123.200   <<<<<< Updated by script
 tunnel protection ipsec profile ipsectunnel2
!
!blabla
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0/0/0
 description *** VDSL ISP ***
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pppoe enable group global
 no mop enabled
!
interface Ethernet0/0/0.835
 description *** VLAN VDSL ISP ***
 encapsulation dot1Q 835
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly in
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
!blabla
!
interface Dialer1
 description *** Dialer1 VDSL ISP ***
 ip ddns update hostname site1.ddns.com
 ip ddns update noipsetup
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in max-reassemblies 512
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname user1@isp.gr
 ppp chap password 1234567890
 ppp pap sent-username user1@isp.gr password 1234567890
 ppp ipcp dns request accept
 no cdp enable
!
!blabla
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.12.13.0 255.255.255.0 Tunnel1
ip route 10.12.14.0 255.255.255.0 Tunnel2
!
!blabla
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server pool.ntp.org
ntp server ntp.ntua.gr prefer
event manager applet change-tunnel1-destination
 event timer cron name TAC cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel1"
 action 1.3 cli command "tunnel destination site2.ddns.com"
event manager applet change-tunnel2-destination
 event timer cron name TAC cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel2"
 action 1.3 cli command "tunnel destination site3.ddns.com"
 action 1.4 cli command "end"
 action 1.5 cli command "ping site3.ddns.com"
 action 1.6 regexp "to ([0-9\.]+)" "$_cli_result" match ip2
 action 1.7 puts "Site3 IPADDR = $ip2"
 action 1.8 cli command "configure terminal"
 action 1.9 cli command "crypto isakmp key tunnel2key address $ip2 no-xauth"
!
end
Site2 config:
Code:
Building configuration...
!
!blabla
!
ip dhcp excluded-address 10.12.13.200 10.12.13.244
!
ip dhcp pool Vlan1
 import all
 network 10.12.13.0 255.255.255.0
 dns-server 10.12.13.51 1.1.1.1 8.8.8.8
 default-router 10.12.13.51
 lease 7
!
!blabla
!
ip ddns update method noipsetup
 HTTP
  add http://user1:wellhellothere@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 10 0
 interval minimum 0 0 0 5
!
!blabla
!
crypto isakmp policy 15
 encr aes 128
 authentication pre-share
 group 2
!
crypto isakmp policy 35
 encr aes 128
 authentication pre-share
 group 2
crypto isakmp key tunnel3key address 123.123.123.240 no-xauth   <<<<<< Updated by script
crypto isakmp key tunnel1key address 0.0.0.0 no-xauth
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set name1 esp-aes 128 esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile ipsectunnel1
 set transform-set name1
!
crypto ipsec profile ipsectunnel3
 set transform-set name1
!
!
!
interface Tunnel1
 ip address 172.16.12.2 255.255.255.0
 tunnel source GigabitEthernet8
 tunnel mode ipsec ipv4
 tunnel destination 123.123.123.210   <<<<<< Updated by script
 tunnel protection ipsec profile ipsectunnel1
!
interface Tunnel3
 ip address 172.16.14.1 255.255.255.0
 tunnel source GigabitEthernet8
 tunnel mode ipsec ipv4
 tunnel destination 123.123.123.240   <<<<<< Updated by script
 tunnel protection ipsec profile ipsectunnel3
!
!blabla
!
interface GigabitEthernet8
 ip ddns update hostname site2.ddns.com
 ip ddns update noipsetup
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
!blabla
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
ip route 10.12.12.0 255.255.255.0 Tunnel1
ip route 10.12.14.0 255.255.255.0 Tunnel3
!
!blabla
!
scheduler allocate 20000 1000
event manager applet change-tunnel-destination
 event timer cron name TAC cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel1"
 action 1.3 cli command "tunnel destination site1.ddns.com"
event manager applet change-tunnel3-destination
 event timer cron name TAC cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel3"
 action 1.3 cli command "tunnel destination site3.ddns.com"
 action 1.4 cli command "end"
 action 1.5 cli command "ping site3.ddns.com"
 action 1.6 regexp "to ([0-9\.]+)" "$_cli_result" match ip
 action 1.7 puts "Site3 IPADDR = $ip"
 action 1.8 cli command "configure terminal"
 action 1.9 cli command "crypto isakmp key tunnel3key address $ip no-xauth"
!
end
Site3 config:
Code:
Building configuration...
!
!blabla
!
ip dhcp excluded-address 10.12.14.200 10.12.14.244
!
ip dhcp pool Vlan1
 import all
 network 10.12.14.0 255.255.255.0
 dns-server 10.12.14.51 1.1.1.1 8.8.8.8
 default-router 10.12.14.51
 lease 7
!
!blabla
!
ip ddns update method noipsetup
 HTTP
  add http://user1:wellhellothere@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 10 0
 interval minimum 0 0 0 5
!
!blabla
!
controller VDSL 0
 description *** VDSL ISP ***
!
!
!
crypto isakmp policy 25
 encr aes 128
 authentication pre-share
 group 2
!
crypto isakmp policy 35
 encr aes 128
 authentication pre-share
 group 2
crypto isakmp key tunnel3key address 123.123.123.122 no-xauth   <<<<<< Updated by script
crypto isakmp key tunnel2key address 0.0.0.0 no-xauth
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set name1 esp-aes 128 esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile ipsectunnel2
 set transform-set name1
!
crypto ipsec profile ipsectunnel3
 set transform-set name1
!
!
!
interface Tunnel2
 ip address 172.16.13.2 255.255.255.0
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 123.123.123.210   <<<<<< Updated by script
 tunnel protection ipsec profile ipsectunnel2
!
interface Tunnel3
 ip address 172.16.14.2 255.255.255.0
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 123.123.123.122   <<<<<< Updated by script
 tunnel protection ipsec profile ipsectunnel3
!
interface ATM0
 description *** ADSL ISP ***
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly in
 no atm ilmi-keepalive
 no snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
!blabla
!
interface Dialer1
 description *** Dialer1 ISP ***
 ip ddns update hostname site3.ddns.com
 ip ddns update noipsetup host site3.ddns.com
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in max-reassemblies 512
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname user2@isp.gr
 ppp chap password 0987654321
 ppp pap sent-username user2@isp.gr password 0987654321
 ppp ipcp dns request accept
 no cdp enable
!
!blabla
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.12.12.0 255.255.255.0 Tunnel2
ip route 10.12.13.0 255.255.255.0 Tunnel3
!
!blabla
!
scheduler allocate 20000 1000
event manager applet change-tunnel2-destination
 event timer cron name TAC cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel2"
 action 1.3 cli command "tunnel destination site1.ddns.com"
 action 1.4 cli command "end"
 action 1.5 cli command "ping site1.ddns.com"
 action 1.6 regexp "to ([0-9\.]+)" "$_cli_result" match ip1
 action 1.7 puts "Site1 IPADDR = $ip1"
 action 1.8 cli command "configure terminal"
 action 1.9 cli command "crypto isakmp key tunnel2key address $ip1 no-xauth"
event manager applet change-tunnel3-destination
 event timer cron name TAC cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel3"
 action 1.3 cli command "tunnel destination site2.ddns.com"
 action 1.4 cli command "end"
 action 1.5 cli command "ping site2.ddns.com"
 action 1.6 regexp "to ([0-9\.]+)" "$_cli_result" match ip2
 action 1.7 puts "Site2 IPADDR = $ip2"
 action 1.8 cli command "configure terminal"
 action 1.9 cli command "crypto isakmp key tunnel3key address $ip2 no-xauth"
!
end
-
15-10-22, 12:02 Cisco 2911/897 three sites tunneling IPSec with DDNS #1
Last edited by elessargr: 16-10-22 at 09:22. Reason: forgot a little bit of config on site1
Do you have a KAFAO (street cabinet) next to your house?
Map it at FttxGR.eu
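The applets in the post above pull the peer's current address out of `ping` output with the regexp `to ([0-9\.]+)` and then push a fresh `crypto isakmp key ... address <ip>` line every minute. As an added example, not code from the original post, the same extraction and update decision is modelled below in Python so it can be exercised against constructed samples of IOS `ping` output before it is trusted on a router. The sample outputs, the 203.0.113.x / 198.51.100.x addresses and the `plan_update` helper are assumptions made for illustration; the regexp and the IOS commands are the ones used on the page.

```python
import ipaddress
import re

# The exact pattern the EEM applets apply to $_cli_result.
PING_TARGET_RE = re.compile(r"to ([0-9\.]+)")

# Constructed samples of IOS "ping <hostname>" output (not captured from the
# author's routers); addresses are documentation ranges.
PING_OK = """Translating "site3.ddns.com"...domain server (1.1.1.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.77, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/24 ms"""

# Name resolved but the far side is down: the "Echos to" line is still there.
PING_UNREACH = """Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.77, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)"""

# DDNS name did not resolve: there is no "Echos to <ip>" line at all.
PING_NXDOMAIN = """Translating "site3.ddns.com"...domain server (1.1.1.1)
% Unrecognized host or address, or protocol not running."""


def extract_peer_ip(ping_output):
    """Return the resolved peer address from ping output, or None.

    Mirrors the applet's regexp, but additionally rejects anything that is
    not a well-formed IPv4 address, so a partial match such as "1." can
    never end up inside a crypto isakmp key line.
    """
    m = PING_TARGET_RE.search(ping_output)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ValueError:
        return None


def plan_update(tunnel, psk, current_peer, ping_output):
    """Return the IOS commands that should be pushed, or [] if nothing changed.

    Differences from the cron applets on the page (hypothetical hardening,
    not the author's configuration): nothing is pushed when the name fails to
    resolve or the address is unchanged, and the key bound to the previous
    address is removed so stale address-specific keys do not accumulate.
    """
    new_peer = extract_peer_ip(ping_output)
    if new_peer is None or new_peer == current_peer:
        return []
    cmds = [
        "configure terminal",
        f"interface {tunnel}",
        f"tunnel destination {new_peer}",
        "exit",
        f"crypto isakmp key {psk} address {new_peer} no-xauth",
    ]
    if current_peer:
        cmds.append(f"no crypto isakmp key {psk} address {current_peer} no-xauth")
    cmds.append("end")
    return cmds


if __name__ == "__main__":
    # Site1's view of Tunnel2 (to site3) after site3's address has changed.
    for line in plan_update("Tunnel2", "tunnel2key", "198.51.100.9", PING_OK):
        print(line)
```

Two things the model makes visible. First, the regexp does match the `Echos to x.x.x.x,` line even when every echo times out, so a peer that is merely down still gets its address refreshed; it matches nothing when the DDNS name does not resolve, a case the applets on the page do not guard against before issuing the `crypto isakmp key` command. Second, the `address 0.0.0.0` keys in the configs accept any peer that presents that pre-shared key, so keeping a distinct key per tunnel, as the author does, is what limits the damage if one key leaks.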
-
16-10-22, 08:27 Reply: Cisco 2911/897 three sites tunneling IPSec with DDNS #2
Very good!
But who are ye in rags and rotten shoes,
You dirty-bearded, blocking up the way?
We are the Pilgrims, master; we shall go
Always a little further: it may be
Beyond the last blue mountain barred with snow,
Across that angry or that glimmering sea,
-
23-10-22, 17:16 Reply: Cisco 2911/897 three sites tunneling IPSec with DDNS #3
Very nice, well done! One question... Are you sure that regex matches what you want? (IP address?)
-
24-10-22, 07:04 Reply: Cisco 2911/897 three sites tunneling IPSec with DDNS #4
Do you have it in GNS3?
-
25-10-22, 21:49 Reply: Cisco 2911/897 three sites tunneling IPSec with DDNS #5