So.. I configured it following the same scheme from cisco.com, but it doesn't work..
The first tunnel works.. but the other tunnels won't come up at all..
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml
Hub configuration: (Spokes config is still the same as before)
Building configuration...
Current configuration : 2263 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HQRSC_GW
!
boot-start-marker
boot system flash:c3745-a3jk9s-mz.123-15a.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$/
enable password 7 jjj
!
no aaa new-model
ip subnet-zero
!
!
ip domain name hh.local
!
no ip cef
!
username jjj privilege 15 secret 5 $1$PslX0
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key xxx address 193.250.90.175 255.255.255.0
crypto isakmp key xxx address 193.250.90.182 255.255.255.0
crypto isakmp key xxx address 193.250.88.53 255.255.254.0
!
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 193.250.88.53
set transform-set myset
match address 110
crypto map mymap 20 ipsec-isakmp
set peer 193.250.90.175
set transform-set myset
match address 120
crypto map mymap 30 ipsec-isakmp
set peer 193.250.90.182
set transform-set myset
match address 130
!
!
!
!
interface FastEthernet0/0
description Link to HQ Lan
ip address 192.168.23.15 255.255.248.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 193.250.88.231 255.255.254.0
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
crypto map mymap
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.24.1
ip route 192.168.33.0 255.255.255.192 193.250.88.53
ip route 192.168.33.64 255.255.255.192 193.250.90.175 2
ip route 192.168.33.128 255.255.255.192 193.250.90.182 2
ip route 193.250.90.0 255.255.255.0 193.250.88.1 2
!
!
access-list 110 permit ip any any
access-list 120 permit ip any any
access-list 130 permit ip any any
!
line con 0
password 7 0612
login
transport output all
line aux 0
transport output all
line vty 0 4
privilege level 15
login local
transport input telnet
transport output all
!
end
=========================
Problematic Spoke configuration..
sh run
Building configuration...
Current configuration : 1215 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EREBUNI_GW
!
enable password 7 jhhkjh
!
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key xxx address 193.250.88.231
!
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 193.250.88.231
set transform-set myset
match address 110
!
call rsvp-sync
!
interface FastEthernet0/0
ip address 192.168.33.65 255.255.255.192
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 193.250.88.175 255.255.254.0
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 193.250.88.0 255.255.254.0 193.250.90.1 2
ip http server
!
access-list 110 permit ip any any
!
!
dial-peer cor custom
!
!
!
gateway
!
!
!
line con 0
password 7 kh
login
line aux 0
line vty 0 4
password 7 ih
login
!
end
Hub Site debug + policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Failed spoke
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Working spoke {Kyevian}
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
==========================================================
The Sh ver from the Hub router:
HQRSC_GW#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3700 Software (C3745-A3JK9S-M), Version 12.3(15a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 21-Jul-05 19:32 by dchih
Image text-base: 0x60008AF4, data-base: 0x62260000
ROM: System Bootstrap, Version 12.3(6r) [cmong 6r], RELEASE SOFTWARE (fc1)
ROM: 3700 Software (C3745-A3JK9S-M), Version 12.3(15a), RELEASE SOFTWARE (fc2)
HQRSC_GW uptime is 3 hours, 36 minutes
System returned to ROM by reload
System image file is "flash:c3745-a3jk9s-mz.123-15a.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco 3745 (R7000) processor (revision 2.0) with 249856K/12288K bytes of memory.
Processor board ID JHY0913K214
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
2 FastEthernet/IEEE 802.3 interface(s)
DRAM configuration is 64 bits wide with parity disabled.
151K bytes of non-volatile configuration memory.
31360K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
The working spoke sh ver:
Spoke version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK9S-M), Version 12.3(15a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 21-Jul-05 19:54 by dchih
Image text-base: 0x80008098, data-base: 0x81F6D124
ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-JK9S-M), Version 12.3(15a), RELEASE SOFTWARE (fc2)
KIEVYAN_GW uptime is 13 minutes
System returned to ROM by power-on
System image file is "flash:c2600-jk9s-mz.123-15a.bin"
cisco 2621XM (MPC860P) processor (revision 0x401) with 126976K/4096K bytes of memory.
Processor board ID FTX0913C29N (660640112)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
2 FastEthernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
===================================================================
Finally, the ISAKMP debug on the faulty router:
Crypto IPSEC debugging is on
#ping 193.250.88.231
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 193.250.88.231, timeout is 2 seconds:
*Mar 1 00:16:23.583: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 193.250.88.233, remote= 193.250.88.231,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xAC2CDD97(2888621463), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:16:23.587: ISAKMP: received ke message (1/1)
*Mar 1 00:16:23.587: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 00:16:23.587: ISAKMP: local port 500, remote port 500
*Mar 1 00:16:23.587: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:16:23.587: ISAKMP: insert sa successfully sa = 8392B584
*Mar 1 00:16:23.587: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 00:16:23.587: ISAKMP: Looking for a matching key for 193.250.88.231 in default : success
*Mar 1 00:16:23.591: ISAKMP (0:1): found peer pre-shared key matching 193.250.88.231
*Mar 1 00:16:23.591: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar 1 00:16:23.591: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 00:16:23.591: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 1 00:16:23.591: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:16:23.591: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:16:23.591: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 00:16:23.591: ISAKMP (0:1): sending packet to 193.250.88.231 my_port 500 peer_port 500 (I) MM_NO_STATE.....
Success rate is 0 percent (0/5)
EREBUNI_GW#
*Mar 1 00:16:33.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:16:33.591: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:16:33.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:16:33.591: ISAKMP (0:1): sending packet to 193.250.88.231 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:16:43.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:16:43.591: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 00:16:43.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:16:43.591: ISAKMP (0:1): sending packet to 193.250.88.231 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:16:53.583: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 193.250.88.233, remote= 193.250.88.231,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Mar 1 00:16:53.583: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 193.250.88.233, remote= 193.250.88.231,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xAC248573(2888074611), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:16:53.583: ISAKMP: received ke message (1/1)
*Mar 1 00:16:53.587: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:16:53.587: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 193.250.88.233, remote 193.250.88.231)
*Mar 1 00:16:53.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:16:53.591: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 1 00:16:53.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:16:53.591: ISAKMP (0:1): sending packet to 193.250.88.231 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:17:03.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:17:03.591: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 1 00:17:03.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:17:03.591: ISAKMP (0:1): sending packet to 193.250.88.231 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:17:13.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:17:13.591: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 1 00:17:13.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:17:13.591: ISAKMP (0:1): sending packet to 193.250.88.231 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:17:23.583: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 193.250.88.233, remote= 193.250.88.231,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Mar 1 00:17:23.583: ISAKMP: received ke message (3/1)
*Mar 1 00:17:23.583: ISAKMP (0:1): peer does not do paranoid keepalives.
*Mar 1 00:17:23.583: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 193.250.88.231) input queue 0
*Mar 1 00:17:23.583: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 193.250.88.231) input queue 0
*Mar 1 00:17:23.587: ISAKMP (0:1): deleting node -770471693 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 00:17:23.587: ISAKMP (0:1): deleting node 831470553 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 00:17:23.587: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 00:17:23.587: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Mar 1 00:18:13.587: ISAKMP (0:1): purging node -770471693
*Mar 1 00:18:13.587: ISAKMP (0:1): purging node 831470553
*Mar 1 00:18:23.587: ISAKMP (0:1): purging SA., sa=8392B584, delme=8392B584
=============================================================