>>crypto ipsec transform-set vpn esp-3des esp-sha-hmac
>>
>>crypto map vpn 100 ipsec-isakmp
>> set peer 195.162.?.?
>> set transform-set vpn
>> match address 101
>> reverse-route
>>!
>>!
>>interface Tunnel0
>> ip address 172.16.19.2 255.255.255.0
>> shutdown (down for now; it will not let me bring it up)
>> tunnel source Dialer1
>> tunnel destination 195.162.?.?
>> crypto map vpn
>>interface Vlan1
>> description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
>> ip address 172.16.19.100 255.255.255.0
>> ip nat inside
>> ip virtual-reassembly
>> ip tcp adjust-mss 1452
>>!
>>interface Dialer1
>> ip address 87.103.?.? 255.255.255.0
>> ip mtu 1492
>> ip nat outside
>> ip virtual-reassembly
>> encapsulation ppp
>> dialer pool 1
>> ppp authentication pap callin
>> ppp pap sent-username ___________ password ____________
>
>No tunnels are needed at all; it all works fine without them.
>1. Remove the tunnel.
>2. Where is the crypto map on the external interface?
>3. The traffic to be encrypted must be specified identically on that side
>and on this side.
>That is, on the local side:
>ip access-list extended encryption
>permit ip 172.xx.xx.xx 0.0.0.255 172.yy.yy.yy 0.0.0.255
>and on the remote side:
>ip access-list extended encryption
>permit ip 172.yy.yy.yy 0.0.0.255 172.xx.xx.xx 0.0.0.255
>4. The VPN will not work with your config because (read up on the order of operations
>when a packet hits an interface) NAT is performed first and only then
>is the packet encrypted. Accordingly, the NAT ACL must exclude the local IPs:
>
>
>ip access-list extended nat
>deny ip 172.xx.xx.xx 0.0.0.255 172.yy.yy.yy 0.0.0.255 (if the mask is /24)
>permit ip 172.xx.xx.xx 0.0.0.255 any
>
>5. Check that inbound UDP 500, 4500 and ESP are allowed.
>
>6. After that, ping (preferably from the LAN, or from the Cisco itself but with
>a LAN source IP).
>7. Look at sh crypto session or sh crypto ses de
>8. If it is down,
>enable debug crypto ipsec, debug crypto isakmp and terminal monitor,
>copy the log and post it here ;))
>If it is up, enjoy life ;)
So the situation is this: the ping does not go through, but the link seems to have come up and the VPN LED on the Cisco lit up.
The internal networks are not visible either ???
Aug 17 10:38:09.868: ISAKMP (0:0): received packet from 195.162.38.__ dport 500 sport 500 Global (N) NEW SA
Aug 17 10:38:09.868: ISAKMP: Created a peer struct for 195.162.38.__, peer port 500
Aug 17 10:38:09.868: ISAKMP: Locking peer struct 0x82474D20, IKE refcount 1 for crypto_isakmp_process_block
Aug 17 10:38:09.868: ISAKMP: local port 500, remote port 500
Aug 17 10:38:09.868: insert sa successfully sa = 823A0878
Aug 17 10:38:09.868: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 17 10:38:09.868: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
Aug 17 10:38:09.868: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Aug 17 10:38:09.868: ISAKMP:(0:0:N/A:0): processing vendor id payload
Aug 17 10:38:09.872: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
Aug 17 10:38:09.872: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
Aug 17 10:38:09.872: ISAKMP:(0:0:N/A:0): processing vendor id payload
Aug 17 10:38:09.872: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
Aug 17 10:38:09.872: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
Aug 17 10:38:09.872: ISAKMP: Looking for a matching key for 195.162.38.70 in default : success
Aug 17 10:38:09.872: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 195.162.38.70
Aug 17 10:38:09.872: ISAKMP:(0:0:N/A:0): local preshared key found
Aug 17 10:38:09.872: ISAKMP : Scanning profiles for xauth ...
Aug 17 10:38:09.872: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Aug 17 10:38:09.872: ISAKMP:      encryption 3DES-CBC
Aug 17 10:38:09.872: ISAKMP:      hash MD5
Aug 17 10:38:09.872: ISAKMP:      default group 2
Aug 17 10:38:09.872: ISAKMP:      auth pre-share
Aug 17 10:38:09.872: ISAKMP:      life type in seconds
Aug 17 10:38:09.872: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 17 10:38:09.872: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
Aug 17 10:38:09.904: ISAKMP:(0:1:HW:2): processing vendor id payload
Aug 17 10:38:09.904: ISAKMP:(0:1:HW:2): vendor ID seems Unity/DPD but major 157 mismatch
Aug 17 10:38:09.904: ISAKMP:(0:1:HW:2): vendor ID is NAT-T v3
Aug 17 10:38:09.904: ISAKMP:(0:1:HW:2): processing vendor id payload
Aug 17 10:38:09.904: ISAKMP:(0:1:HW:2): vendor ID seems Unity/DPD but major 123 mismatch
Aug 17 10:38:09.904: ISAKMP:(0:1:HW:2): vendor ID is NAT-T v2
Aug 17 10:38:09.904: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 17 10:38:09.904: ISAKMP:(0:1:HW:2):Old State = IKE_R_MM1 New State = IKE_R_MM1
Aug 17 10:38:09.908: ISAKMP:(0:1:HW:2): constructed NAT-T vendor-03 ID
Aug 17 10:38:09.908: ISAKMP:(0:1:HW:2): sending packet to 195.162.38.70 my_port 500 peer_port 500 (R) MM_SA_SETUP
Aug 17 10:38:09.908: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 17 10:38:09.908: ISAKMP:(0:1:HW:2):Old State = IKE_R_MM1 New State = IKE_R_MM2
Aug 17 10:38:09.964: ISAKMP (0:268435457): received packet from 195.162.38.70 dport 500 sport 500 Global (R) MM_SA_SETUP
Aug 17 10:38:09.964: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 17 10:38:09.964: ISAKMP:(0:1:HW:2):Old State = IKE_R_MM2 New State = IKE_R_MM3
Aug 17 10:38:09.964: ISAKMP:(0:1:HW:2): processing KE payload. message ID = 0
Aug 17 10:38:09.996: ISAKMP:(0:1:HW:2): processing NONCE payload. message ID = 0
Aug 17 10:38:09.996: ISAKMP: Looking for a matching key for 195.162.38.70 in default : success
Aug 17 10:38:09.996: ISAKMP:(0:1:HW:2):found peer pre-shared key matching 195.162.38.70
Aug 17 10:38:09.996: ISAKMP:(0:1:HW:2):SKEYID state generated
Aug 17 10:38:09.996: ISAKMP:(0:1:HW:2): processing vendor id payload
Aug 17 10:38:09.996: ISAKMP:(0:1:HW:2): vendor ID is Unity
Aug 17 10:38:09.996: ISAKMP:(0:1:HW:2): processing vendor id payload
Aug 17 10:38:09.996: ISAKMP:(0:1:HW:2): vendor ID is DPD
Aug 17 10:38:09.996: ISAKMP:(0:1:HW:2): processing vendor id payload
Aug 17 10:38:10.000: ISAKMP:(0:1:HW:2): speaking to another IOS box!
Aug 17 10:38:10.000: ISAKMP:received payload type 20
Aug 17 10:38:10.000: ISAKMP:received payload type 20
Aug 17 10:38:10.000: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 17 10:38:10.000: ISAKMP:(0:1:HW:2):Old State = IKE_R_MM3 New State = IKE_R_MM3
Aug 17 10:38:10.000: ISAKMP:(0:1:HW:2): sending packet to 195.162.38.__ my_port 500 peer_port 500 (R) MM_KEY_EXCH
Aug 17 10:38:10.000: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 17 10:38:10.000: ISAKMP:(0:1:HW:2):Old State = IKE_R_MM3 New State = IKE_R_MM4
Aug 17 10:38:10.064: ISAKMP (0:268435457): received packet from 195.162.38.__ dport 500 sport 500 Global (R) MM_KEY_EXCH
Aug 17 10:38:10.064: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 17 10:38:10.064: ISAKMP:(0:1:HW:2):Old State = IKE_R_MM4 New State = IKE_R_MM5
Aug 17 10:38:10.064: ISAKMP:(0:1:HW:2): processing ID payload. message ID = 0
Aug 17 10:38:10.064: ISAKMP (0:268435457): ID payload
        next-payload : 8
        type         : 1
        address      : 195.162.38.__
        protocol     : 17
        port         : 500
        length       : 12
Aug 17 10:38:10.064: ISAKMP:(0:1:HW:2):: peer matches *none* of the profiles
Aug 17 10:38:10.064: ISAKMP:(0:1:HW:2): processing HASH payload. message ID = 0
Aug 17 10:38:10.068: ISAKMP:(0:1:HW:2): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 823A0878
Aug 17 10:38:10.068: ISAKMP:(0:1:HW:2):SA authentication status:
        authenticated
Aug 17 10:38:10.068: ISAKMP:(0:1:HW:2): Process initial contact,
bring down existing phase 1 and 2 SA's with local 87.103.179.___ remote 195.162.38.70 remote port 500
Aug 17 10:38:10.068: ISAKMP:(0:1:HW:2):SA authentication status:
        authenticated
Aug 17 10:38:10.068: ISAKMP:(0:1:HW:2):SA has been authenticated with 195.162.38.__
Aug 17 10:38:10.068: ISAKMP: Trying to insert a peer 87.103.179.178/195.162.38._0/500/, and inserted successfully 82474D20.
Aug 17 10:38:10.068: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 17 10:38:10.068: ISAKMP:(0:1:HW:2):Old State = IKE_R_MM5 New State = IKE_R_MM5
Aug 17 10:38:10.068: IPSEC(key_engine): got a queue event with 1 kei messages
Aug 17 10:38:10.068: ISAKMP:(0:1:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Aug 17 10:38:10.072: ISAKMP (0:268435457): ID payload
        next-payload : 8
        type         : 1
        address      : 87.103.179.__
        protocol     : 17
        port         : 500
        length       : 12
Aug 17 10:38:10.072: ISAKMP:(0:1:HW:2):Total payload length: 12
Aug 17 10:38:10.072: ISAKMP:(0:1:HW:2): sending packet to 195.162.38.70 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Aug 17 10:38:10.072: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 17 10:38:10.072: ISAKMP:(0:1:HW:2):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Aug 17 10:38:10.076: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Aug 17 10:38:10.076: ISAKMP:(0:1:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Aug 17 10:38:10.132: ISAKMP (0:268435457): received packet from 195.162.38.__ dport 500 sport 500 Global (R) QM_IDLE
Aug 17 10:38:10.132: ISAKMP: set new node 468270712 to QM_IDLE
Aug 17 10:38:10.136: ISAKMP:(0:1:HW:2): processing HASH payload. message ID = 468270712
Aug 17 10:38:10.136: ISAKMP:(0:1:HW:2): processing SA payload. message ID = 468270712
Aug 17 10:38:10.136: ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
Aug 17 10:38:10.136: ISAKMP: transform 1, ESP_3DES
Aug 17 10:38:10.136: ISAKMP:   attributes in transform:
Aug 17 10:38:10.136: ISAKMP:      encaps is 1 (Tunnel)
Aug 17 10:38:10.136: ISAKMP:      SA life type in seconds
Aug 17 10:38:10.136: ISAKMP:      SA life duration (basic) of 3600
Aug 17 10:38:10.136: ISAKMP:      SA life type in kilobytes
Aug 17 10:38:10.136: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
Aug 17 10:38:10.136: ISAKMP:      authenticator is HMAC-SHA
Aug 17 10:38:10.136: ISAKMP:      group is 2
Aug 17 10:38:10.136: ISAKMP:(0:1:HW:2):atts are acceptable.
Aug 17 10:38:10.136: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 87.103.179.__, remote= 195.162.38.__,
    local_proxy= 172.16.19.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.14.9.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x22
Aug 17 10:38:10.140: Crypto mapdb : proxy_match
        src addr     : 172.16.19.0
        dst addr     : 10.14.9.0
        protocol     : 0
        src port     : 0
        dst port     : 0
Aug 17 10:38:10.168: ISAKMP:(0:1:HW:2): processing NONCE payload. message ID = 468270712
Aug 17 10:38:10.168: ISAKMP:(0:1:HW:2): processing KE payload. message ID = 468270712
Aug 17 10:38:10.200: ISAKMP:(0:1:HW:2): processing ID payload. message ID = 468270712
Aug 17 10:38:10.200: ISAKMP:(0:1:HW:2): processing ID payload. message ID = 468270712
Aug 17 10:38:10.200: ISAKMP:(0:1:HW:2): asking for 1 spis from ipsec
Aug 17 10:38:10.200: ISAKMP:(0:1:HW:2):Node 468270712, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Aug 17 10:38:10.200: ISAKMP:(0:1:HW:2):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Aug 17 10:38:10.200: IPSEC(key_engine): got a queue event with 1 kei messages
Aug 17 10:38:10.200: IPSEC(spi_response): getting spi 434742837 for SA
        from 87.103.179.__ to 195.162.38.__ for prot 3
Aug 17 10:38:10.204: ISAKMP: received ke message (2/1)
Aug 17 10:38:10.204: ISAKMP: Locking peer struct 0x82474D20, IPSEC refcount 1 for for stuff_ke
Aug 17 10:38:10.204: ISAKMP:(0:1:HW:2): Creating IPSec SAs
Aug 17 10:38:10.204:         inbound SA from 195.162.38.__ to 87.103.179.__ (f/i) 0/ 0
        (proxy 10.14.9.0 to 172.16.19.0)
Aug 17 10:38:10.204:         has spi 0x19E9A635 and conn_id 0 and flags 23
Aug 17 10:38:10.208:         lifetime of 3600 seconds
Aug 17 10:38:10.208:         lifetime of 4608000 kilobytes
Aug 17 10:38:10.208:         has client flags 0x0
Aug 17 10:38:10.208:         outbound SA from 87.103.179.__ to 195.162.38.__ (f/i) 0/0
        (proxy 172.16.19.0 to 10.14.9.0)
Aug 17 10:38:10.208:         has spi 2012559701 and conn_id 0 and flags 2B
Aug 17 10:38:10.208:         lifetime of 3600 seconds
Aug 17 10:38:10.208:         lifetime of 4608000 kilobytes
Aug 17 10:38:10.208:         has client flags 0x0
Aug 17 10:38:10.208: IPSEC(key_engine): got a queue event with 2 kei messages
Aug 17 10:38:10.208: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 87.103.179.__, remote= 195.162.38.__,
    local_proxy= 172.16.19.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.14.9.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x19E9A635(434742837), conn_id= 0, keysize= 0, flags= 0x23
Aug 17 10:38:10.208: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 87.103.179.__, remote= 195.162.38.__,
    local_proxy= 172.16.19.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.14.9.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x77F53955(2012559701), conn_id= 0, keysize= 0, flags= 0x2B
Aug 17 10:38:10.208: Crypto mapdb : proxy_match
        src addr     : 172.16.19.0
        dst addr     : 10.14.9.0
        protocol     : 0
        src port     : 0
        dst port     : 0
Aug 17 10:38:10.212: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 130.87.250.76
Aug 17 10:38:10.212: IPSec: Flow_switching Allocated flow for sibling 80000002
Aug 17 10:38:10.212: IPSEC(policy_db_add_ident): src 172.16.19.0, dest 10.14.9.0, dest_port 0
Aug 17 10:38:10.212: IPSEC(create_sa): sa created,
  (sa) sa_dest= 87.103.179.___, sa_proto= 50,
    sa_spi= 0x19E9A635(434742837),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
Aug 17 10:38:10.212: IPSEC(create_sa): sa created,
  (sa) sa_dest= 195.162.38.70, sa_proto= 50,
    sa_spi= 0x77F53955(2012559701),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2002
Aug 17 10:38:10.212: ISAKMP:(0:1:HW:2): sending packet to 195.162.38.70 my_port 500 peer_port 500 (R) QM_IDLE
Aug 17 10:38:10.216: ISAKMP:(0:1:HW:2):Node 468270712, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
Aug 17 10:38:10.216: ISAKMP:(0:1:HW:2):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
Aug 17 10:38:10.284: ISAKMP (0:268435457): received packet from 195.162.38.__ dport 500 sport 500 Global (R) QM_IDLE
Aug 17 10:38:10.288: ISAKMP:(0:1:HW:2):deleting node 468270712 error FALSE reason "QM done (await)"
Aug 17 10:38:10.288: ISAKMP:(0:1:HW:2):Node 468270712, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Aug 17 10:38:10.288: ISAKMP:(0:1:HW:2):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Aug 17 10:38:10.288: IPSEC(key_engine): got a queue event with 1 kei messages
Aug 17 10:38:10.288: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Aug 17 10:38:10.288: IPSEC(key_engine_enable_outbound): enable SA with spi 2012559701/50
Aug 17 10:39:00.274: ISAKMP:(0:1:HW:2):purging node 468270712
poltavlka#terminal monitor
% Console already monitors
poltavlka#debug crypto isakmp
Crypto ISAKMP debugging is on
poltavlka#debug crypto ipsec
Crypto IPSEC debugging is on
poltavlka#sh crypto ses de
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Dialer1
Session status: UP-ACTIVE
Peer: 195.162.38.70 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 195.162.38.70
Desc: (none)
IKE SA: local 87.103.179.__/500 remote 195.162.38.__/500 Active
Capabilities:(none) connid:268435457 lifetime:23:43:20
IPSEC FLOW: permit ip 172.16.19.0/255.255.255.0 172.16.29.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip 172.16.19.0/255.255.255.0 10.14.9.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 39 drop 0 life (KB/Sec) 4574926/2600
Outbound: #pkts enc'ed 318 drop 0 life (KB/Sec) 4574962/2600
IPSEC FLOW: permit ip 172.16.19.0/255.255.255.0 172.16.29.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip 172.16.19.0/255.255.255.0 10.14.9.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 39 drop 0 life (KB/Sec) 4574926/2600
Outbound: #pkts enc'ed 318 drop 0 life (KB/Sec) 4574962/2600
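The corrected configuration that steps 1 to 5 of the quoted reply describe, written out against the config quoted at the top of this post, as an added example; it is not the original poster's or the replier's config. It assumes the remote LAN is 10.14.9.0/24 (the remote_proxy negotiated in the debug output above), keeps the redacted peer address 195.162.38.__ as a placeholder, and treats the pre-shared key, the NAT overload statement, the ACL name outside-in and the host 10.14.9.1 as placeholders or assumptions; the ISAKMP policy is reconstructed from the attributes the peer proposed in the log (3DES, MD5, group 2, pre-share), since the quoted excerpt does not show the existing one.

```cisco
! Added example: editor's reconstruction of the advice in the quoted reply,
! not the poster's running config. Placeholders: <PRE-SHARED-KEY>,
! 195.162.38.__ (redacted peer), ACL name "outside-in", host 10.14.9.1.
!
! Phase 1 policy matching what the peer proposed in the debug output
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 195.162.38.__
!
! Phase 2 transform set (unchanged from the quoted config)
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
! Step 3: interesting traffic. The remote router needs the exact mirror image:
!   permit ip 10.14.9.0 0.0.0.255 172.16.19.0 0.0.0.255
ip access-list extended encryption
 permit ip 172.16.19.0 0.0.0.255 10.14.9.0 0.0.0.255
!
! Step 4: NAT exemption. Inside-to-outside NAT runs before the crypto map is
! consulted, so LAN-to-LAN traffic must be denied here; otherwise it leaves
! with the Dialer1 address as source and never matches the crypto ACL.
ip access-list extended nat
 deny   ip 172.16.19.0 0.0.0.255 10.14.9.0 0.0.0.255
 permit ip 172.16.19.0 0.0.0.255 any
! assumed form of the NAT statement (not shown in the quoted excerpt)
ip nat inside source list nat interface Dialer1 overload
!
crypto map vpn 100 ipsec-isakmp
 set peer 195.162.38.__
 set transform-set vpn
 match address encryption
 reverse-route
!
! Step 1: a plain crypto-map VPN needs no Tunnel0
no interface Tunnel0
!
! Step 2: the crypto map goes on the interface the IKE/ESP packets leave
! from, i.e. the PPPoE dialer
interface Dialer1
 crypto map vpn
!
! Step 5: only needed if an inbound ACL is applied to Dialer1 (the quoted
! config has none); it must pass IKE, NAT-T and ESP from the peer.
ip access-list extended outside-in
 permit udp host 195.162.38.__ any eq isakmp
 permit udp host 195.162.38.__ any eq non500-isakmp
 permit esp host 195.162.38.__ any
!
! Steps 6 to 8, run from exec mode: ping with a LAN source so the packet
! matches the crypto ACL, then compare encaps against decaps.
! ping 10.14.9.1 source 172.16.19.100
! show crypto session detail
! show crypto ipsec sa peer 195.162.38.__ | include pkts|local|remote
! debug crypto isakmp
! debug crypto ipsec
```

With this in place, show crypto session detail should list a single IPSEC FLOW for 172.16.19.0/24 to 10.14.9.0/24 whose inbound and outbound counters both climb while the ping runs. In the output posted above the SA is already UP-ACTIVE and the local router has encrypted 318 packets against 39 decrypted, so it is sending; what to check next is the return path on the peer (its crypto ACL, NAT exemption and the route for 172.16.19.0/24), and whether the 172.16.29.0/24 entry in ACL 101 still belongs there, since no SA ever forms for it.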