Вот еще какие мысли:
странно что local ident по нулям или так должно быть?Или маршрутизация тут не причем, а просто тунель криво работает?
потому как #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
Router101#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
80.XXX.XXX.66 178.176.XXX.193 QM_IDLE 1002 ACTIVE VPNclient
IPv6 Crypto ISAKMP SA
Router101#sh cry ips sa
interface: FastEthernet0/0.10
Crypto map tag: mymap, local addr 80.XXX.XXX.66
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.50.1/255.255.255.255/0/0)
current_peer 178.176.XXX.193 port 54476
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 207, #pkts decrypt: 207, #pkts verify: 207
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 80.XXX.XXX.66, remote crypto endpt.: 178.176.XXX.193
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.10
current outbound spi: 0xD85E864E(3630073422)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x78E03F81(2027962241)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: FPGA:1, sibling_flags 80000046, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4434746/3413)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD85E864E(3630073422)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: FPGA:2, sibling_flags 80000046, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4434777/3413)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Дебаг вот что вещает:
.Sep 16 11:56:10: ISAKMP:(1002):purging node 1704405348
.Sep 16 11:56:11: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/1: the fragment table has reached its maximum threshold 16
.Sep 16 11:56:12: ISAKMP (1002): received packet from 178.176.XXX.193 dport 4500 sport 54476 Global (R) QM_IDLE
.Sep 16 11:56:12: ISAKMP: set new node -1185914787 to QM_IDLE
.Sep 16 11:56:12: ISAKMP:(1002): processing HASH payload. message ID = -1185914787
.Sep 16 11:56:12: ISAKMP:(1002): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -1185914787, sa = 663A6834
.Sep 16 11:56:12: ISAKMP:(1002):deleting node -1185914787 error FALSE reason "Informational (in) state 1"
.Sep 16 11:56:12: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
.Sep 16 11:56:12: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
.Sep 16 11:56:12: ISAKMP:(1002):DPD/R_U_THERE received from peer 178.176.XXX.193, sequence 0xC88A078F
.Sep 16 11:56:12: ISAKMP: set new node 1681074263 to QM_IDLE
.Sep 16 11:56:12: ISAKMP:(1002):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1702354424, message ID = 1681074263
.Sep 16 11:56:12: ISAKMP:(1002): seq. no 0xC88A078F
.Sep 16 11:56:12: ISAKMP:(1002): sending packet to 178.176.XXX.193 my_port 4500 peer_port 54476 (R) QM_IDLE
.Sep 16 11:56:12: ISAKMP:(1002):Sending an IKE IPv4 Packet.
.Sep 16 11:56:12: ISAKMP:(1002):purging node 1681074263
.Sep 16 11:56:12: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
.Sep 16 11:56:12: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
P.S. уже другую схему использовал из всем известного примера
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_con...
= такая же фигня. Или циска 1841 не поддерживает работу по данной схеме ?
Спасибо за ответы.
WBR,
Версия для распечатки
Хелп! Нет маршрутизации с локалкой - VPN тунель cisco-client , 
meb1us, 15-Сен-11, 17:11 [смотреть все]
