Good day. My problem is the following: there is a distributed network of offices joined into a single network through a Cisco at the head office (800-series models everywhere).
When opening another office I add another device (a Cisco 2811), the only difference being that it also has to provide access via the Cisco VPN Client, which I did according to the vendor's manuals. But now there is a problem: the VPN tunnel between the offices no longer comes up automatically. Or rather, it does come up, but only after the remote office initiates traffic toward the central office, and even then it drops after about a day. The access lists everywhere are set to "any any" while I finish tuning the link, but nothing helps, and the most interesting part is that I can't even telnet to the last office: the connection isn't refused, it just times out =(
I've been fighting with this for a week every which way with no luck. Please have a look at the configs; maybe there is a subtlety in configuring dual VPN access, via the client and simultaneously bringing up another tunnel. Or I missed something. Strangely, everything works fine with the other offices.
Another strange thing: when I try to "initialize" the tunnel (access some resource on the remote office network) from the head office side, the tunnel appears but immediately drops, and shows up in "sh crypto isakmp sa" with status (deleted) =(
The only thing that bothers me in the last "problem" config is that the NAT access list has a strange range; maybe that's the problem, but the tunnel via the VPN client comes up fine and works, while between the boxes it doesn't want to, or only half works =(
Head office config.
------------------------------------------------------------------
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname home
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name host.local
!
!
crypto pki trustpoint TP-self-signed-724721040
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-724721040
 revocation-check none
 rsakeypair TP-self-signed-724721040
!
!
crypto pki certificate chain TP-self-signed-724721040
 certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxxx
  quit
username XXxxxx privilege 15 secret 5 $xxxxxxxxxxxxxxt5/
!
! 
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key XXXXXXXXXXXX address 212.XXX.XXX.42
crypto isakmp key XXXXXXXXXXXX address 83.XXX.XXX.106
crypto isakmp key XXXXXXXXXXXX address 87.XXX.XXX.66
crypto isakmp key XXXXXXXXXXXX address 93.XXX.XXX.50
!
!
crypto ipsec transform-set MYTS esp-des esp-md5-hmac 
!
crypto ipsec profile IPSECLINK
 set transform-set MYTS 
!
!
!
!
interface Tunnel0
 description DSL-not working
 ip address 172.30.1.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1460
 ip tcp adjust-mss 1420
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 212.XXX.XXX.42
 tunnel protection ipsec profile IPSECLINK
!
interface Tunnel1
 description rezerv
 ip address 172.30.2.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1460
 ip tcp adjust-mss 1420
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 83.XXX.XXX.106
 tunnel protection ipsec profile IPSECLINK
!
interface Tunnel3
 description Mitishi
 ip address 172.30.3.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1460
 ip tcp adjust-mss 1420
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 87.XXX.XXX.66
 tunnel protection ipsec profile IPSECLINK
!
interface Tunnel4
 description Tunnel branch
 ip address 172.30.4.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1460
 ip tcp adjust-mss 1420
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 93.XXX.XXX.50
 tunnel protection ipsec profile IPSECLINK
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description Uplink
 ip address 62.XXX.XXX.150 255.255.255.252
 ip access-group 103 in
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description inside
 ip address 192.168.120.185 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1280
!
ip classless
ip route 0.0.0.0 0.0.0.0 62.XXX.XXX.149
ip route 192.168.70.0 255.255.255.0 172.30.4.2
ip route 192.168.99.0 255.255.255.0 172.30.2.2
ip route 192.168.100.0 255.255.255.0 172.30.3.2
!
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 9 interface FastEthernet4 overload
!
access-list 9 permit 192.168.120.0 0.0.0.255
access-list 23 permit 192.168.XXX.18
access-list 23 permit 192.168.XXX.3
access-list 23 permit 212.XXX.XXX.42
access-list 23 permit 213.XXX.XXX.2
access-list 100 permit ip any any
access-list 100 permit tcp any any established
access-list 103 permit tcp host 212.XXX.XXX.42 host 62.XXX.XXX.150 eq 22
access-list 103 permit tcp host 212.XXX.XXX.41 host 62.XXX.XXX.150 eq 22
access-list 103 permit tcp host 213.XXX.XXX.2 host 62.XXX.XXX.150 eq 22
access-list 103 deny   tcp any host 62.XXX.XXX.150 eq 22
access-list 103 permit ip any any
access-list 103 permit tcp any any established
no cdp run
!
control-plane
!
banner login 
h0me r0uter. 
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport preferred none
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
end
-----------------------------------------
Tunnels that are up:
home#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
87.xxx.xxx.66   62.xxx.xxx.150  QM_IDLE           1001    0 ACTIVE
62.xxx.xxx.150  83.xxx.xxx.106  QM_IDLE           1014    0 ACTIVE 
Config of the Cisco with the working tunnel
----------------------  
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname farm-makomnet
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
memory-size iomem 20
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
ip domain name host.local
!
!
crypto pki trustpoint TP-self-signed-738111136
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-738111136
 revocation-check none
 rsakeypair TP-self-signed-738777136
!
!
crypto pki certificate chain TP-self-signed-738111136
 certificate self-signed 01
XXXXXXXXXXX
  quit
username XXXXXXXx privilege 15 secret 5 ZZZZZZZZ.
!
! 
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key XXXXXXXXXXXX address 62.XXX.XXX.150
!
!
crypto ipsec transform-set MYTS esp-des esp-md5-hmac 
!
crypto ipsec profile IPSECLINK
 set transform-set MYTS 
!
!
!
!
!
interface Tunnel0
 ip address 172.30.3.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1460
 ip tcp adjust-mss 1420
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 62.XXX.XXX.150
 tunnel protection ipsec profile IPSECLINK
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 100
 switchport trunk native vlan 100
 switchport mode trunk
 shutdown
!
interface FastEthernet4
 description Uplink
 ip address 87.XXX.XXX.66 255.255.255.248
 ip access-group 103 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description inside
 ip address 192.168.100.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 no ip address
!
interface Vlan100
 ip address 192.168.10.1 255.255.255.0
 ip virtual-reassembly
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 87.XXX.XXX.65
ip route 192.168.120.0 255.255.255.0 172.30.3.1
!
!
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 11 permit any
access-list 100 permit ip any any
access-list 103 permit tcp any host 87.XXX.XXX.66 eq 22
access-list 103 permit ip any any
no cdp run
!
!
control-plane
!
banner login  fArm r0uter 
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 11 in
 privilege level 15
 login local
 transport preferred none
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
no scheduler allocate
end
-----------------------------------------------
Config of the Cisco with the non-working tunnel =(
----------------------------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname kk.686
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXXXXXX
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
!
!
ip cef
!
!
ip domain name spb.bdkbank.ru
ip name-server 217.XXX.XXX.9
ip name-server 217.XXX.XXX.253
!
!
!
crypto pki trustpoint TP-self-signed-3660782736
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3660782736
 revocation-check none
 rsakeypair TP-self-signed-3660782736
!
!
crypto pki certificate chain TP-self-signed-3660782736
 certificate self-signed 01
  XXXXXXXX
  quit
username XXXXXX privilege 15 password 7 XXXXXXXXXXXXX
!
! 
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXX address 62.XXX.XXX.150
!
crypto isakmp client configuration group vpnclient
 key xxxxxxxxxxxxxxx
 dns 192.168.70.254
 domain sss.ru
 pool ippool
 acl 101
!
!
crypto ipsec transform-set MYTS esp-des esp-md5-hmac 
crypto ipsec transform-set myset esp-3des esp-md5-hmac 
!
crypto ipsec profile IPSECLINK
 set transform-set MYTS 
!
!
crypto dynamic-map dynmap 10
 set transform-set myset 
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
!
!
!
interface Tunnel4
 description Tunnel MSC
 ip address 172.30.4.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1460
 ip tcp adjust-mss 1420
 no ip mroute-cache
 tunnel source FastEthernet0/0
 tunnel destination 62.xxx.xxx.150
 tunnel protection ipsec profile IPSECLINK
!
interface FastEthernet0/0
 description $FW_outside$
 ip address 93.xxx.xxx.50 255.255.255.248
 ip access-group 100 in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/1
 description $FW_inside$
 ip address 192.168.70.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool ippool 192.168.50.1 192.168.50.10
ip classless
ip route 0.0.0.0 0.0.0.0 93.XXX.XXX.49
ip route 192.168.120.0 255.255.255.0 172.30.4.1
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 111 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.70.104 443 93.XXX.XXX.51 443 extendable
ip nat inside source static tcp 192.168.70.104 1778 93.XXX.XXX.51 1778 extendable
ip dns server
!
access-list 23 permit 95.XXX.XXX.95
access-list 23 permit 192.168.70.18
access-list 23 permit 213.XXX.XXX.2
access-list 23 permit 192.168.70.0 0.0.0.255
access-list 23 permit 192.168.50.0 0.0.0.255
access-list 23 permit 192.168.120.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit tcp any host 93.XXX.XXX.54 established
access-list 100 permit tcp any host 93.XXX.XXX.54 eq domain
access-list 100 permit tcp any host 93.XXX.XXX.54 eq smtp
access-list 100 permit tcp host 213.XXX.XXX.2 host 93.XXX.XXX.50 eq 22
access-list 100 permit tcp host 95.XXX.XXX.95 host 93.XXX.XXX.50 eq 22
access-list 100 permit tcp any any established
access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny   ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip any any
access-list 111 permit tcp any any established
access-list 111 permit tcp 192.168.70.0 0.0.0.255 any
!
!
control-plane
!
!
banner login  Authorized only 
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 XXXXXXXXXXXXXXX
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
--------------------------------------------
 
Thanks in advance to everyone for your time.
Thanks again.
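As an added example (not the poster's configs or any Cisco tooling): a small Python linter over running-configs of the kind quoted above. It flags the combination the post describes, a physical interface that is the "tunnel source" of a tunnel using "tunnel protection" and also carries a "crypto map" (here FastEthernet0/0 on kk.686), plus access-list entries shadowed by an earlier "permit ip any any" in the same list and lines that select DES, MD5 or telnet. SAMPLE is constructed from the kk.686 config, with 203.0.113.x documentation addresses in place of the redacted ones.

```python
# Added example, not from the original post: a minimal IOS running-config linter.
# SAMPLE is constructed from the kk.686 config; 203.0.113.x replaces redacted addresses.
SAMPLE = """\
crypto ipsec transform-set MYTS esp-des esp-md5-hmac
interface Tunnel4
 tunnel source FastEthernet0/0
 tunnel protection ipsec profile IPSECLINK
interface FastEthernet0/0
 crypto map clientmap
access-list 100 permit ip any any
access-list 100 permit tcp any host 203.0.113.54 established
line vty 0 4
 transport input telnet ssh
"""

def parse_blocks(text):
    """Split a config into (header, [indented child lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith("!"):  # skip blanks and '!' separators
            if raw[0].isspace() and blocks:
                blocks[-1][1].append(raw.strip())
            else:
                blocks.append((raw.strip(), []))
    return blocks

def check_ipsec_overlap(blocks):
    """Physical interfaces that source a 'tunnel protection' tunnel and also carry a crypto map."""
    sources, mapped = set(), set()
    for hdr, body in [(h, b) for h, b in blocks if h.startswith("interface ")]:
        src = [l.split()[2] for l in body if l.startswith("tunnel source ")]
        if src and any(l.startswith("tunnel protection ipsec") for l in body):
            sources.add(src[0])
        if any(l.startswith("crypto map ") for l in body):
            mapped.add(hdr.split(None, 1)[1])
    return sorted(sources & mapped)

def check_shadowed_acl(blocks):
    """ACL entries that follow a 'permit ip any any' in the same list can never match."""
    wide_open, shadowed = set(), []
    for parts in (h.split() for h, _ in blocks if h.startswith("access-list ")):
        if parts[1] in wide_open:
            shadowed.append(" ".join(parts))
        elif parts[2:] == ["permit", "ip", "any", "any"]:
            wide_open.add(parts[1])
    return shadowed

def check_weak_settings(blocks, weak=("esp-des", "hash md5", "transport input telnet")):
    """Config lines selecting DES, MD5 or plaintext telnet for management access."""
    return [l for hdr, body in blocks for l in [hdr] + body if any(w in l for w in weak)]
```

Run it against a full "show running-config" capture instead of SAMPLE to see every shadowed entry and every weak-algorithm line in one pass.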