Исходное сообщение
"Шифрованный канал между двумя роутерами Cisco 881" Отправлено leonart, 04-Ноя-09 13:48
>[оверквотинг удален] >>line vty 0 4 >> privilege level 15 >> login local >> transport input telnet ssh >>! >>scheduler max-task-time 5000 >>end > >Забейте на криптомапы на физ. интрефейсах, если нужен шифрованный канал между двумя >роутерами cisco поднимайте VTI - http://www.cisco.com/en/US/technologies/tk583/tk372/technolo... Попытался сделать шифрование через VTI тунель. Вот конфиги, которые получились. Конфиг роутера А version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname routeLGC ! boot-start-marker boot-end-marker ! security authentication failure rate 3 log security passwords min-length 6 logging message-counter syslog logging buffered 51200 logging console critical enable secret 5 *** ! no aaa new-model clock timezone PCTime 2 clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00 ! crypto pki trustpoint TP-self-signed-40950197 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-40950197 revocation-check none rsakeypair TP-self-signed-40950197 ! ! crypto pki certificate chain TP-self-signed-40950197 certificate self-signed 01 **** quit no ip source-route ! ! ip cef no ip bootp server ip domain name lgc.ua ip name-server 192.168.0.240 ! ! ! ! username admin privilege 15 secret 5 *** ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key masterkey address 0.0.0.0 0.0.0.0 crypto isakmp keepalive 10 ! ! crypto ipsec transform-set 3DES esp-3des esp-sha-hmac ! crypto ipsec profile VTI set transform-set 3DES ! ! archive log config   hidekeys ! ! ip tcp synwait-time 10 ip ssh time-out 60 ip ssh authentication-retries 2 ! policy-map FOO class class-default     shape average 128000 ! ! ! ! interface Tunnel0 ip address 192.168.10.1 255.255.255.0 tunnel source 10.1.100.1 tunnel destination 10.1.100.2 tunnel mode ipsec ipv4 tunnel protection ipsec profile VTI service-policy output FOO ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface FastEthernet4 description $FW_OUTSIDE$$ES_WAN$ ip address 10.1.100.1 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress duplex auto speed auto ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$ ip address 192.168.0.251 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip tcp adjust-mss 1452 ! router rip version 2 network 192.168.0.0 network 192.168.10.0 ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 10.1.100.100 ip http server ip http access-class 23 ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ! ! ! logging trap debugging no cdp run ! ! ! ! control-plane ! ! line con 0 login local no modem enable transport output telnet line aux 0 login local transport output telnet line vty 0 4 privilege level 15 login local transport input telnet ssh ! scheduler max-task-time 5000 scheduler allocate 4000 1000 scheduler interval 500 ntp update-calendar ntp server 192.168.0.241 source Vlan1 end Конфиг роутера Б version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname routeLSK ! boot-start-marker boot-end-marker ! security authentication failure rate 3 log security passwords min-length 6 logging message-counter syslog logging buffered 51200 logging console critical enable secret 5 *** ! no aaa new-model clock timezone PCTime 2 clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00 ! crypto pki trustpoint TP-self-signed-40950197 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-40950197 revocation-check none rsakeypair TP-self-signed-40950197 ! ! crypto pki certificate chain TP-self-signed-40950197 certificate self-signed 01 **** quit no ip source-route ! ! ip cef no ip bootp server ip domain name lgc.ua ! ! ! ! username admin privilege 15 secret 5 *** ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key masterkey address 0.0.0.0 0.0.0.0 crypto isakmp keepalive 10 ! ! crypto ipsec transform-set 3DES esp-3des esp-sha-hmac ! crypto ipsec profile VTI set transform-set 3DES ! ! archive log config   hidekeys ! ! ip tcp synwait-time 10 ip ssh time-out 60 ip ssh authentication-retries 2 ! policy-map FOO class class-default     shape average 128000 ! ! ! ! interface Tunnel0 ip address 192.168.10.2 255.255.255.0 tunnel source 10.1.100.2 tunnel destination 10.1.100.1 tunnel mode ipsec ipv4 tunnel protection ipsec profile VTI service-policy output FOO ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface FastEthernet4 description $FW_OUTSIDE$$ES_WAN$ ip address 10.1.100.2 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress duplex auto speed auto ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$ ip address 192.168.2.251 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip tcp adjust-mss 1452 ! router rip version 2 network 192.168.2.0 network 192.168.10.0 ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 10.1.100.100 ip http server ip http access-class 23 ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ! ! ! logging trap debugging no cdp run ! ! ! ! control-plane ! ! line con 0 login local no modem enable transport output telnet line aux 0 login local transport output telnet line vty 0 4 privilege level 15 login local transport input telnet ssh end Командым проверки тунеля и шифрования дают нормальные результаты. По всем признакам тунель работает. Вот кусок дебага ip route с роутера Б *Nov  4 10:47:23.746: Tunnel0 count tx, adding 0 encap bytes *Nov  4 10:47:23.750: IP: s=192.168.2.251 (local), d=192.168.0.223 (Tunnel0), len 576, output feature, CCE Post NAT Classification(29), rtype 1, forus FALSE, sendself FALSE, mtu 0 *Nov  4 10:47:23.750: IP: s=192.168.2.251 (local), d=192.168.0.223 (Tunnel0), len 576, post-encap feature, IPSEC Post-encap output classification(12), rtype 1, forus FALSE, sendself FALSE, mtu 0 *Nov  4 10:47:23.750: Tunnel0 count tx, adding 0 encap bytes *Nov  4 10:47:23.750: IP: s=192.168.2.251 (local), d=192.168.0.223 (Tunnel0), len 576, output feature, CCE Post NAT Classification(29), rtype 1, forus FALSE, sendself FALSE, mtu 0 *Nov  4 10:47:23.750: IP: s=192.168.2.251 (local), d=192.168.0.223 (Tunnel0), len 576, post-encap feature, IPSEC Post-encap output classification(12), rtype 1, forus FALSE, sendself FALSE, mtu 0 *Nov  4 10:47:23.750: Tunnel0 count tx, adding 0 encap bytes *Nov  4 10:47:23.754: IP: s=192.168.2.251 (local), d=192.168.0.223 (Tunnel0), len 576, output feature, CCE Post NAT Classification(29), rtype 1, forus FALSE, sendself FALSE, mtu 0 *Nov  4 10:47:23.754: IP: s=192.168.2.251 (local), d=192.168.0.223 (Tunnel0), len 576, post-encap feature, IPSEC Post-encap output classification(12), rtype 1, forus FALSE, sendself FALSE, mtu 0 *Nov  4 10:47:23.754: Tunnel0 count tx, adding 0 encap bytes *Nov  4 10:47:23.754: IP: s=10.1.100.2 (local), d=10.1.100.1 (FastEthernet4), g=10.1.100.1, len 632, forward *Nov  4 10:47:23.754: IP: s=10.1.10 Но ситуация полностью аналогичная, той что была при настройке шифрования через crypto map. Вопрос судя по всему уходит в сторону маршрутизации. !!!Подскажите, кто знает, что изменяется в плане маршрутизации при использовании шифрованого тунеля? Без тунеля все работает коректно. С тунелем пингуются все адреса с обоих сторон, но со стороны роутера Б невозможно заходить на шары, которые находятся на серверах за роутером А. Веб-сервера так же недоступны. Куда капать? Люди очень нужна ваша помощь!!!