Colleagues, I have the following problem.
In the central office there is a 2811 router with this configuration:
================================================================================
version 12.4
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname MAIN_OFFICE
!
boot-start-marker
boot-end-marker
!
clock timezone MSK 3
clock summer-time MSK recurring last Sun Mar 3:00 last Sun Oct 2:00
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key test@gre address WWW.XXX.YYY.ZZZ
!
!
crypto ipsec transform-set GRE_IPSEC esp-des esp-md5-hmac
mode transport
!
crypto map GRE_VPN 10 ipsec-isakmp
set peer WWW.XXX.YYY.ZZZ
set transform-set GRE_IPSEC
match address GRE
!
!
!
!
class-map match-all VoIP
match access-group 105
!
!
policy-map VoIP_OUT
class VoIP
priority 256
class class-default
fair-queue
policy-map GRE_TUNNEL
class class-default
shape average 2000000
service-policy VoIP_OUT
!
!
!
!
!
interface Tunnel64
description EMC_TO_MARK
bandwidth 2048
ip address 172.16.2.2 255.255.255.252
ip tcp adjust-mss 1380
qos pre-classify
tunnel source AAA.BBB.CCC.DDD
tunnel destination WWW.XXX.YYY.ZZZ
service-policy output GRE_TUNNEL
!
!
interface FastEthernet0/0
description External
no ip address
duplex auto
speed auto
service-policy output VoIP_OUT
!
interface FastEthernet0/0.100
description Caravan
encapsulation dot1Q 100
ip address 212.24.36.27 255.255.255.248
ip virtual-reassembly
!
interface FastEthernet0/0.200
description M9 (local ISP)
encapsulation dot1Q 200
ip address AAA.BBB.CCC.DDD 255.255.255.224
!
!
interface FastEthernet0/1
description Internal
ip address 10.0.0.50 255.255.0.0
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 212.24.36.25
ip route 10.2.0.0 255.255.0.0 172.16.2.1
!
!
!
ip access-list extended GRE
permit gre host AAA.BBB.CCC.DDD host WWW.XXX.YYY.ZZZ
!
access-list 105 permit ip host 10.0.0.7 any
access-list 105 permit ip host 10.0.0.60 any
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 45 0
transport input telnet
line vty 5 15
transport input telnet ssh
!
!
end
================================================================================
In the remote office there is also a 2811, with this configuration:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
version 12.4
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname BRANCH_OFFICE
!
boot-start-marker
boot-end-marker
!
clock timezone MSK 3
clock summer-time MSK recurring last Sun Mar 3:00 last Sun Oct 2:00
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key test@gre address AAA.BBB.CCC.DDD
!
!
crypto ipsec transform-set GRE_IPSEC esp-des esp-md5-hmac
mode transport
!
crypto map GRE_VPN 10 ipsec-isakmp
set peer AAA.BBB.CCC.DDD
set transform-set GRE_IPSEC
match address GRE
!
!
!
!
class-map match-all VoIP
match access-group 105
!
!
policy-map VoIP_OUT
class VoIP
priority 256
class class-default
fair-queue
policy-map GRE_TUNNEL
class class-default
shape average 10000000
service-policy VoIP_OUT
!
!
!
!
interface Tunnel64
description MARK_TO_EMC
bandwidth 10240
ip address 172.16.2.1 255.255.255.252
ip tcp adjust-mss 1380
qos pre-classify
tunnel source WWW.XXX.YYY.ZZZ
tunnel destination AAA.BBB.CCC.DDD
service-policy output GRE_TUNNEL
!
interface FastEthernet0/0
ip address WWW.XXX.YYY.ZZZ 255.255.255.224
no ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.2.0.50 255.255.0.0
no ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 82.138.13.193
ip route 10.0.0.0 255.255.0.0 172.16.2.2
!
!
!
ip access-list extended GRE
permit gre host WWW.XXX.YYY.ZZZ host AAA.BBB.CCC.DDD
!
access-list 105 permit ip host 10.2.0.80 any
access-list 105 permit ip host 10.2.0.90 any
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
!
end
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Basically I did everything per the docs:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_con...
http://www.cisco.com/en/US/tech/tk827/tk369/tk287/tsd_techno...
In the main office I apply crypto map GRE_VPN both to the tunnel interface and to the subinterface FastEthernet0/0.200.
In the main office I apply crypto map GRE_VPN both to the tunnel interface and to interface FastEthernet0/0.
At the same time, the command sh crypto isakmp sa
BRANCH_OFFICE#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
WWW.XXX.YYY.ZZZ AAA.BBB.CCC.DDD MM_NO_STATE    0       0    ACTIVE

IPv6 Crypto ISAKMP SA
shows that crypto is active, BUT the tunnel immediately goes down and stops working altogether.
Now the questions:
1) What am I doing wrong? Where could the errors in the settings be?
2) On cisco.com the configurations are described on physical interfaces. Can this be done on subinterfaces?
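As an added example (not part of the original post), here is a small script that cross-checks the two dumps above for the settings that must mirror between GRE-over-IPsec peers: ISAKMP key peer vs. the remote tunnel source, crypto map peer vs. tunnel destination, the crypto ACL vs. the GRE endpoints, and matching transform sets. The trimmed config text is constructed from the posted dumps, and the checker also flags that neither dump shows a `crypto map` line bound to any interface.

```python
import re
# Constructed, trimmed copies of the two configs above (post's placeholder addresses kept).
MAIN = """\
crypto isakmp key test@gre address WWW.XXX.YYY.ZZZ
crypto ipsec transform-set GRE_IPSEC esp-des esp-md5-hmac
 set peer WWW.XXX.YYY.ZZZ
 tunnel source AAA.BBB.CCC.DDD
 tunnel destination WWW.XXX.YYY.ZZZ
 permit gre host AAA.BBB.CCC.DDD host WWW.XXX.YYY.ZZZ
"""
BRANCH = """\
crypto isakmp key test@gre address AAA.BBB.CCC.DDD
crypto ipsec transform-set GRE_IPSEC esp-des esp-md5-hmac
 set peer AAA.BBB.CCC.DDD
 tunnel source WWW.XXX.YYY.ZZZ
 tunnel destination AAA.BBB.CCC.DDD
 permit gre host WWW.XXX.YYY.ZZZ host AAA.BBB.CCC.DDD
"""

def parse(cfg):
    """Extract the fields that must agree between the two GRE-over-IPsec peers."""
    def field(pattern):  # first capture group of the first matching line, else None
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else None
    return {
        "isakmp_peer": field(r"^crypto isakmp key \S+ address (\S+)"),
        "transform": field(r"^crypto ipsec transform-set \S+ (.+)$"),
        "map_peer": field(r"^\s*set peer (\S+)"),
        "tun_src": field(r"^\s*tunnel source (\S+)"),
        "tun_dst": field(r"^\s*tunnel destination (\S+)"),
        "acl": field(r"^\s*permit gre host (\S+ host \S+)"),
        "map_applied": bool(re.search(r"^\s*crypto map \S+\s*$", cfg, re.M)),  # interface binding line
    }

def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Return human-readable mismatches between the peers; an empty list means consistent."""
    peers, issues = {name_a: parse(cfg_a), name_b: parse(cfg_b)}, []
    for me, other in ((name_a, name_b), (name_b, name_a)):
        p, q = peers[me], peers[other]
        if p["map_peer"] != p["tun_dst"]:
            issues.append(f"{me}: crypto map peer {p['map_peer']} != tunnel destination {p['tun_dst']}")
        if p["isakmp_peer"] != q["tun_src"]:
            issues.append(f"{me}: ISAKMP key is for {p['isakmp_peer']} but {other} sources the tunnel from {q['tun_src']}")
        if p["acl"] != f"{p['tun_src']} host {p['tun_dst']}":
            issues.append(f"{me}: crypto ACL '{p['acl']}' does not match this side's GRE endpoints")
        if not p["map_applied"]:
            issues.append(f"{me}: no 'crypto map' binding under any interface in this dump")
    if peers[name_a]["transform"] != peers[name_b]["transform"]:
        issues.append("transform sets differ between the peers")
    return issues
```

Run `check_pair("MAIN_OFFICE", MAIN, "BRANCH_OFFICE", BRANCH)` to list the mismatches; on the posted dumps the only findings are the missing interface bindings on both sides.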