Good day! Please help me figure out the following situation.
There are two identically configured Cisco 857s and one D-Link 804.
IPsec tunnels are up between all three devices. Between the Ciscos everything is fine.
But between one Cisco and the D-Link the pings do not get through... in either direction. Despite this, both the Cisco and the D-Link report that everything is fine and the tunnel is established.
Between the second Cisco and the D-Link everything works.
Thanks in advance!
The tunnel settings on the D-Link are identical.
Config of the first (problem) Cisco:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$/KS7$47.uui/WLwYv1AW/mGPca1
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
ip domain name dom
!
!
!
username **** privilege 15 password 7 ****
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123 address 222.*.*.*
crypto isakmp key 123 address 333.*.*.*
!
!
crypto ipsec transform-set VPN esp-3des
mode transport
crypto ipsec df-bit clear
!
crypto map dom2mag 10 ipsec-isakmp
set peer 222.*.*.*
set transform-set VPN
match address 101
reverse-route
crypto map dom2mag 20 ipsec-isakmp
set peer 333.*.*.*
set security-association lifetime seconds 28800
set transform-set VPN
set pfs group2
match address 110
reverse-route
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel0
description Tunnel interface to michurina
ip address 192.168.254.1 255.255.255.252
ip mtu 1412
tunnel source Dialer0
tunnel destination 222.*.*.*
!
interface ATM0
description webstream
no ip address
logging event atm pvc state
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1360
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username **** password 7 ****
crypto map dom2mag
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit gre host 111.*.*.* host 222.*.*.*
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
route-map nonat permit 10
match ip address 102
!
!
control-plane
!
!
line con 0
password 7 ****
login
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler max-task-time 5000
end
Config of the second Cisco. Everything is fine here.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot system flash c850-advsecurityk9.mz.124-15.T13.bin
boot-end-marker
!
enable secret 5 $1$Q/pC$91aFnuAfp0RoZK6VE/dDZ1
!
no aaa new-model
!
!
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.109
ip dhcp excluded-address 192.168.2.120 192.168.2.254
!
ip dhcp pool sdm-pool1
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
!
ip cef
ip domain name mich
!
!
!
username **** privilege 15 password 7 ****
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123 address 111.*.*.*
crypto isakmp key 123 address 333.*.*.*
!
!
crypto ipsec transform-set VPN esp-3des
mode transport
crypto ipsec df-bit clear
!
crypto map mich2branch 10 ipsec-isakmp
set peer 111.*.*.*
set transform-set VPN
match address 101
reverse-route
crypto map mich2branch 20 ipsec-isakmp
set peer 333.*.*.*
set security-association lifetime seconds 28800
set transform-set VPN
set pfs group2
match address 110
reverse-route
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel0
description tunnel interface to dom
ip address 192.168.254.2 255.255.255.252
ip mtu 1412
tunnel source Dialer0
tunnel destination 111.*.*.*
!
interface ATM0
description webstream
no ip address
logging event atm pvc state
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1360
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username **** password 7 ****
crypto map mich2branch
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 101 permit gre host 222.*.*.* host 111.*.*.*
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
route-map nonat permit 10
match ip address 102
!
!
control-plane
!
!
line con 0
password 7 ****
login
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler max-task-time 5000
end
Maybe my eyes are tired, but it looks like you have the flies in one pile and the cutlets in another :)
As I understand it, your goal is to build a tunnel and encrypt the data inside it. Right now your tunnels are built on their own, and the crypto maps on the outside interfaces build a separate site-to-site crypto tunnel. If you want to steer the interesting traffic into the tunnel, add static routes:
ip route 192.168.2.0 255.255.255.0 tun 0 - on the first Cisco
ip route 192.168.1.0 255.255.255.0 tun 0 - on the second Cisco
And you can encrypt the tunnel with a crypto profile and take the awkward crypto maps off the interfaces.
Post the statistics:
sh ip int brie
sh cryp sess det
sh ip route
Huge thanks for the advice on optimizing all this and getting it into decent shape!
Still, it is very interesting why, with identical Cisco configs, one of them pings the D-Link and the other does not.
Statistics from the problem Cisco:
sh ip int brie:
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM up up
Dialer0 111.*.*.* YES IPCP up up
NVI0 unassigned YES unset administratively down down
Tunnel0 192.168.254.1 YES NVRAM up up
Virtual-Access1 unassigned YES unset up up
Vlan1 192.168.1.1 YES NVRAM up up
sh cryp sess det:
Interface: Virtual-Access1
Session status: DOWN
Peer: 222.*.*.* port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 47 host 111.*.*.* host 222.*.*.*
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: Virtual-Access1
Session status: DOWN
Peer: 333.*.*.* port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.3.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: Dialer0
Session status: UP-IDLE
Peer: 222.*.*.* port 500 fvrf: (none) ivrf: (none)
Phase1_id: 222.*.*.*
Desc: (none)
IKE SA: local 111.*.*.*/500 remote 222.*.*.*/500 Active
Capabilities:(none) connid:2008 lifetime:09:38:15
IPSEC FLOW: permit 47 host 111.*.*.* host 222.*.*.*
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 27669 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 26505 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: Dialer0
Uptime: 01:52:26
Session status: UP-ACTIVE
Peer: 333.*.*.* port 500 fvrf: (none) ivrf: (none)
Phase1_id: 333.*.*.*
Desc: (none)
IKE SA: local 111.*.*.*/500 remote 333.*.*.*/500 Active
Capabilities:(none) connid:2009 lifetime:03:02:02
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.3.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4504577/22053
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4504577/22053
sh ip route:
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
111.*.*.0/32 is subnetted, 1 subnets
C 111.*.*.* is directly connected, Dialer0
213.228.116.0/32 is subnetted, 1 subnets
C 213.228.116.99 is directly connected, Dialer0
192.168.254.0/30 is subnetted, 1 subnets
C 192.168.254.0 is directly connected, Tunnel0
C 192.168.1.0/24 is directly connected, Vlan1
S 192.168.2.0/24 is directly connected, Tunnel0
S 192.168.3.0/24 [1/0] via 333.*.*.*
S* 0.0.0.0/0 is directly connected, Dialer0
Thanks. The problem is solved.
The order of the access-list entries was wrong.
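The closing post names the cause but not the entry, so here is an added example (not from anyone in the thread) that makes it checkable. Comparing the two posted configs, access-list 102 on R1 places `permit ip 192.168.1.0 0.0.0.255 any` before `deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255`, whereas R2 lists both denies before the permit. Cisco ACLs are evaluated first match wins, and for inside-to-outside traffic IOS applies NAT before it consults the crypto map, so a packet the `nonat` route-map permits is translated and no longer matches crypto ACL 110 for the D-Link peer. The script below implements that first-match evaluation over the ACL text copied from the two configs; the LAN hosts, the host behind the D-Link and the outside address used as the post-NAT source are constructed for illustration.

```python
"""Cisco-style numbered ACL evaluator (first match wins).

Added example, not part of the thread: the ACL lines are copied from the two
posted configs; the hosts and the outside address are constructed; the
inside-to-outside order (NAT before the crypto map lookup) is modelled as IOS
documents it and is not something the thread itself shows.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol; e.g. "gre" only GRE
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _operand(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' (Cisco wildcard mask)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # Wildcard bits set to 1 are "don't care"; inverting them yields a netmask.
    netmask = ".".join(str(255 - int(o)) for o in tokens[i + 1].split("."))
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_acl(config: str, number: str) -> List[Ace]:
    """Return the entries of one numbered ACL in configuration order."""
    aces = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", number]:
            continue
        src, i = _operand(tokens, 4)
        dst, _ = _operand(tokens, i)
        aces.append(Ace(tokens[2], tokens[3], src, dst))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str) -> Tuple[str, int]:
    """Return (action, 1-based number of the deciding entry); (deny, 0) is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(aces, start=1):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", 0


# ACL 102 (NAT route-map) and ACL 110 (crypto ACL towards the D-Link), verbatim from the posts.
R1_CONFIG = """
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
R2_CONFIG = """
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
"""

DLINK_HOST = "192.168.3.10"    # constructed host behind the D-Link (192.168.3.0/24 in the thread)
OUTSIDE_ADDR = "198.51.100.1"  # constructed stand-in for the Dialer0 address a NATed packet gets


def nat_applies(config: str, src: str, dst: str) -> bool:
    """'ip nat inside source route-map nonat ...' translates whatever ACL 102 permits."""
    return evaluate(parse_acl(config, "102"), "icmp", src, dst)[0] == "permit"


def ping_is_encrypted(config: str, lan_host: str) -> bool:
    """Inside-to-outside on IOS: NAT first, then the crypto map is checked.
    A translated source no longer falls inside the crypto ACL 110 source range."""
    src = OUTSIDE_ADDR if nat_applies(config, lan_host, DLINK_HOST) else lan_host
    return evaluate(parse_acl(config, "110"), "icmp", src, DLINK_HOST)[0] == "permit"


if __name__ == "__main__":
    for name, cfg, host in (("R1", R1_CONFIG, "192.168.1.10"), ("R2", R2_CONFIG, "192.168.2.10")):
        action, entry = evaluate(parse_acl(cfg, "102"), "icmp", host, DLINK_HOST)
        print(f"{name}: ACL 102 entry {entry} -> {action}; NAT applied: {nat_applies(cfg, host, DLINK_HOST)}; "
              f"ping to D-Link encrypted: {ping_is_encrypted(cfg, host)}")
```

Run as is, the script reports that on R1 entry 2 of ACL 102 (the `permit ... any`) decides the packet, so it is translated and never matches ACL 110, while on R2 entry 2 (the deny for 192.168.3.0/24) exempts it from NAT and the crypto map picks it up. Moving the R1 deny above the permit, as on R2, is the fix the thread converged on; the same evaluator can be pointed at any other shadowed entry in a long NAT-exemption ACL.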