"Cisco IPsec VPN isn't working.. for experts only"
Message from Micha on 03-Aug-05, 16:51 (MSK)
So.. I configured it following the same scheme as on cisco.com, but it doesn't work..
The first tunnel works.. but the remaining tunnels just won't come up no matter what..
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml
Hub configuration: (Spokes config is still the same as before)


Building configuration...

Current configuration : 2263 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HQRSC_GW
!
boot-start-marker
boot system flash:c3745-a3jk9s-mz.123-15a.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$/
enable password 7 jjj
!
no aaa new-model
ip subnet-zero
!
!
ip domain name hh.local
!
no ip cef
!
username jjj privilege 15 secret 5 $1$PslX0
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key xxx address 193.250.90.175 255.255.255.0
crypto isakmp key xxx address 193.250.90.182 255.255.255.0
crypto isakmp key xxx address 193.250.88.53 255.255.254.0
!
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 193.250.88.53
set transform-set myset
match address 110
crypto map mymap 20 ipsec-isakmp
set peer 193.250.90.175
set transform-set myset
match address 120
crypto map mymap 30 ipsec-isakmp
set peer 193.250.90.182
set transform-set myset
match address 130
!
!
!
!
interface FastEthernet0/0
description Link to HQ Lan
ip address 192.168.23.15 255.255.248.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 193.250.88.231 255.255.254.0
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
crypto map mymap
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.24.1
ip route 192.168.33.0 255.255.255.192 193.250.88.53
ip route 192.168.33.64 255.255.255.192 193.250.90.175 2
ip route 192.168.33.128 255.255.255.192 193.250.90.182 2
ip route 193.250.90.0 255.255.255.0 193.250.88.1 2
!
!
access-list 110 permit ip any any
access-list 120 permit ip any any
access-list 130 permit ip any any
!
line con 0
password 7 0612
login
transport output all
line aux 0
transport output all
line vty 0 4
privilege level 15
login local
transport input telnet
transport output all
!
end

=========================

Problematic spoke configuration..

sh run
Building configuration...

Current configuration : 1215 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EREBUNI_GW
!
enable password 7 jhhkjh
!
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key xxx address 193.250.88.231
!        
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp  
set peer 193.250.88.231
set transform-set myset
match address 110
!
call rsvp-sync
!

interface FastEthernet0/0
ip address 192.168.33.65 255.255.255.192
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 193.250.88.175 255.255.254.0
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 193.250.88.0 255.255.254.0 193.250.90.1 2
ip http server
!
access-list 110 permit ip any any
!
!
dial-peer cor custom
!
!
!
gateway  
!
!
!
line con 0
password 7 kh
login
line aux 0
line vty 0 4
password 7 ih
login
!
end

Hub Site  debug + policy


Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Failed spoke

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Working spoke {Kyevian}

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit


==========================================================

The Sh ver from the Hub router:


HQRSC_GW#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3700 Software (C3745-A3JK9S-M), Version 12.3(15a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 21-Jul-05 19:32 by dchih
Image text-base: 0x60008AF4, data-base: 0x62260000

ROM: System Bootstrap, Version 12.3(6r) [cmong 6r], RELEASE SOFTWARE (fc1)
ROM: 3700 Software (C3745-A3JK9S-M), Version 12.3(15a), RELEASE SOFTWARE (fc2)

HQRSC_GW uptime is 3 hours, 36 minutes
System returned to ROM by reload
System image file is "flash:c3745-a3jk9s-mz.123-15a.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco 3745 (R7000) processor (revision 2.0) with 249856K/12288K bytes of memory.
Processor board ID JHY0913K214
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
2 FastEthernet/IEEE 802.3 interface(s)
DRAM configuration is 64 bits wide with parity disabled.
151K bytes of non-volatile configuration memory.
31360K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102


The working spoke sh ver:


Spoke version

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK9S-M), Version 12.3(15a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 21-Jul-05 19:54 by dchih
Image text-base: 0x80008098, data-base: 0x81F6D124

ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-JK9S-M), Version 12.3(15a), RELEASE SOFTWARE (fc2)

KIEVYAN_GW uptime is 13 minutes
System returned to ROM by power-on
System image file is "flash:c2600-jk9s-mz.123-15a.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco 2621XM (MPC860P) processor (revision 0x401) with 126976K/4096K bytes of memory.
Processor board ID FTX0913C29N (660640112)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
2 FastEthernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102


===================================================================

Finally, the ISAKMP debug on the faulty router:


Crypto IPSEC debugging is on
#ping 193.250.88.231

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 193.250.88.231, timeout is 2 seconds:

*Mar  1 00:16:23.583: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 193.250.88.233, remote= 193.250.88.231,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xAC2CDD97(2888621463), conn_id= 0, keysize= 0, flags= 0x400A
*Mar  1 00:16:23.587: ISAKMP: received ke message (1/1)
*Mar  1 00:16:23.587: ISAKMP (0:0): SA request profile is (NULL)
*Mar  1 00:16:23.587: ISAKMP: local port 500, remote port 500
*Mar  1 00:16:23.587: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:16:23.587: ISAKMP: insert sa successfully sa = 8392B584
*Mar  1 00:16:23.587: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar  1 00:16:23.587: ISAKMP: Looking for a matching key for 193.250.88.231 in default : success
*Mar  1 00:16:23.591: ISAKMP (0:1): found peer pre-shared key matching 193.250.88.231
*Mar  1 00:16:23.591: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar  1 00:16:23.591: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar  1 00:16:23.591: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar  1 00:16:23.591: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 00:16:23.591: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 00:16:23.591: ISAKMP (0:1): beginning Main Mode exchange
*Mar  1 00:16:23.591: ISAKMP (0:1): sending packet to 193.250.88.231 my_port 500 peer_port 500 (I) MM_NO_STATE.....
Success rate is 0 percent (0/5)
EREBUNI_GW#
*Mar  1 00:16:33.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:16:33.591: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 00:16:33.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:16:33.591: ISAKMP (0:1): sending packet to 193.250.88.231 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:16:43.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:16:43.591: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 00:16:43.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:16:43.591: ISAKMP (0:1): sending packet to 193.250.88.231 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:16:53.583: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 193.250.88.233, remote= 193.250.88.231,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Mar  1 00:16:53.583: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 193.250.88.233, remote= 193.250.88.231,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xAC248573(2888074611), conn_id= 0, keysize= 0, flags= 0x400A
*Mar  1 00:16:53.583: ISAKMP: received ke message (1/1)
*Mar  1 00:16:53.587: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:16:53.587: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 193.250.88.233, remote 193.250.88.231)
*Mar  1 00:16:53.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:16:53.591: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar  1 00:16:53.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:16:53.591: ISAKMP (0:1): sending packet to 193.250.88.231 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:17:03.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:17:03.591: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar  1 00:17:03.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:17:03.591: ISAKMP (0:1): sending packet to 193.250.88.231 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:17:13.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:17:13.591: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 00:17:13.591: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:17:13.591: ISAKMP (0:1): sending packet to 193.250.88.231 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:17:23.583: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 193.250.88.233, remote= 193.250.88.231,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Mar  1 00:17:23.583: ISAKMP: received ke message (3/1)
*Mar  1 00:17:23.583: ISAKMP (0:1): peer does not do paranoid keepalives.

*Mar  1 00:17:23.583: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 193.250.88.231) input queue 0
*Mar  1 00:17:23.583: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 193.250.88.231) input queue 0
*Mar  1 00:17:23.587: ISAKMP (0:1): deleting node -770471693 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 00:17:23.587: ISAKMP (0:1): deleting node 831470553 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 00:17:23.587: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 00:17:23.587: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Mar  1 00:18:13.587: ISAKMP (0:1): purging node -770471693
*Mar  1 00:18:13.587: ISAKMP (0:1): purging node 831470553

*Mar  1 00:18:23.587: ISAKMP (0:1): purging SA., sa=8392B584, delme=8392B584

=============================================================


1. "Cisco IPsec VPN isn't working.. for experts only"
Message from toor99 on 03-Aug-05, 16:58 (MSK)
> access-list 110 permit ip any any
> access-list 120 permit ip any any
> access-list 130 permit ip any any

Do not use the word "any" in crypto ACLs. Ever.
Unless you are 101% sure that you understand exactly what you are trying to achieve.


2. "Cisco IPsec VPN isn't working.. for experts only"
Message from Micha on 03-Aug-05, 17:03 (MSK)
>> access-list 110 permit ip any any
>> access-list 120 permit ip any any
>> access-list 130 permit ip any any
>
>Do not use the word "any" in crypto ACLs. Ever.


I know.. I did it for a test so the ACL wouldn't get in the way.. once it works I'll put in what's needed..


3. "Cisco IPsec VPN isn't working.. for experts only"
Message from toor99 on 03-Aug-05, 17:06 (MSK)
>>> access-list 110 permit ip any any
>>> access-list 120 permit ip any any
>>> access-list 130 permit ip any any
>>
>>Do not use the word "any" in crypto ACLs. Ever.
>
>
>I know.. I did it for a test so the ACL wouldn't get in the way.. once it works I'll put in what's needed..

You still don't understand.
Until you write proper ACLs, nothing is going to "work" for you.
Think about what these ACLs do and what they are for. Or at least analyze the example you wrote the config from. Then it will become clear.
Hint: these ACLs have nothing to do with *filtering* traffic.


4. "Cisco IPsec VPN isn't working.. for experts only"
Message from Micha on 04-Aug-05, 04:59 (MSK)
>>>> access-list 110 permit ip any any
>>>> access-list 120 permit ip any any
>>>> access-list 130 permit ip any any
>>>
>>>Do not use the word "any" in crypto ACLs. Ever.
>>
>>
>>I know.. I did it for a test so the ACL wouldn't get in the way.. once it works I'll put in what's needed..
>
>You still don't understand.
>Until you write proper ACLs, nothing is going to "work" for you.
>Think about what these ACLs do and what they are for. Or at least analyze the example you wrote the config from. Then it will become clear.
>
>Hint: these ACLs have nothing to do with *filtering* traffic.


OK.. they specify the traffic that has to be encrypted.. and I'm specifying that all traffic gets encrypted..
I'll do as you said.. but the question doesn't add up here.. Why does the first tunnel work smoothly??


5. "Cisco IPsec VPN isn't working.. for experts only"
Message from Micha on 04-Aug-05, 05:29 (MSK)
In 2 hours the workday starts and I'll fix my Ciscos with the new ACL

On the hub I'll put something like

access-list 110 permit ip 192.168.23.0 0.0.0.255 192.168.33.0 0.0.0.64
access-list 110 permit ip 192.168.33.64 0.0.0.64 192.168.33.0 0.0.0.64
access-list 110 permit ip 192.168.33.128 0.0.0.64 192.168.33.0 0.0.0.64

access-list 120 permit ip 192.168.23.0 0.0.0.255 192.168.33.64 0.0.0.64
access-list 120 permit ip 192.168.33.0 0.0.0.64 192.168.33.64 0.0.0.64
access-list 120 permit ip 192.168.33.128 0.0.0.64 192.168.33.64 0.0.0.64

access-list 130 permit ip 192.168.23.0 0.0.0.255 192.168.33.128 0.0.0.64
access-list 130 permit ip 192.168.33.64 0.0.0.64 192.168.33.128 0.0.0.64
access-list 130 permit ip 192.168.33.0 0.0.0.64 192.168.33.128 0.0.0.64

and on the spokes:


access-list 110 permit ip 192.168.33.0 0.0.0.64 192.168.23.0 0.0.0.255
access-list 110 permit ip 192.168.33.0 0.0.0.64 192.168.33.64 0.0.0.64
access-list 110 permit ip 192.168.33.0 0.0.0.64 192.168.33.128 0.0.0.64

etc.


Hopefully it works..


6. "Cisco IPsec VPN isn't working.. for experts only"
Message from Micha on 04-Aug-05, 05:43 (MSK)
Now I get why it goes through the first tunnel even when I add the second peer too... i.e. when I put any any, all traffic is sent through the first tunnel.. so the ACL serves a double purpose here.. right? .. I think so..

Thanks


7. "Cisco IPsec VPN isn't working.. for experts only"
Message from Micha on 04-Aug-05, 08:37 (MSK)
>In 2 hours the workday starts and I'll fix my Ciscos with the new ACL
>
>On the hub I'll put something like
>
>access-list 110 permit ip 192.168.23.0 0.0.0.255 192.168.33.0 0.0.0.64
>access-list 110 permit ip 192.168.33.64 0.0.0.64 192.168.33.0 0.0.0.64
>access-list 110 permit ip 192.168.33.128 0.0.0.64 192.168.33.0 0.0.0.64
>
>access-list 120 permit ip 192.168.23.0 0.0.0.255 192.168.33.64 0.0.0.64
>access-list 120 permit ip 192.168.33.0 0.0.0.64 192.168.33.64 0.0.0.64
>access-list 120 permit ip 192.168.33.128 0.0.0.64 192.168.33.64 0.0.0.64
>
>access-list 130 permit ip 192.168.23.0 0.0.0.255 192.168.33.128 0.0.0.64
>access-list 130 permit ip 192.168.33.64 0.0.0.64 192.168.33.128 0.0.0.64
>access-list 130 permit ip 192.168.33.0 0.0.0.64 192.168.33.128 0.0.0.64
>
>and on the spokes:
>
>
>
>
>access-list 110 permit ip 192.168.33.0 0.0.0.64 192.168.23.0 0.0.0.255
>access-list 110 permit ip 192.168.33.0 0.0.0.64 192.168.33.64 0.0.0.64
>access-list 110 permit ip 192.168.33.0 0.0.0.64 192.168.33.128 0.0.0.64
>
>etc.
>
>
>Hopefully it works..


Errata.. wildcard .63 :o)


It worked! Hooray!
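
Added example, not part of the thread: a simplified Python model of how the hub's crypto map picks a tunnel (entries tried in ascending sequence order, first matching ACL wins), showing the `permit ip any any` effect described in post 6 and the difference between the posted wildcard 0.0.0.64 and the corrected 0.0.0.63. The function names and the host addresses 192.168.23.20 and 192.168.33.10/.70/.130 are constructed for illustration; deny entries are not modelled.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS ACL semantics: bits set in the wildcard are ignored, the rest must be equal."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def select_tunnel(crypto_map, src, dst):
    """Return (sequence, peer) of the first crypto map entry whose ACL permits src->dst.

    Entries are tried in ascending sequence order and the first match wins.
    None means no entry matched, so the packet is not encrypted.
    """
    for seq in sorted(crypto_map):
        peer, acl = crypto_map[seq]
        for (s_base, s_wc), (d_base, d_wc) in acl:
            if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
                return seq, peer
    return None

ANY = ("0.0.0.0", "255.255.255.255")
HUB_LAN = ("192.168.23.0", "0.0.0.255")
# sequence -> (peer, spoke LAN), taken from the hub's crypto map and static routes
SPOKES = {
    10: ("193.250.88.53", "192.168.33.0"),
    20: ("193.250.90.175", "192.168.33.64"),
    30: ("193.250.90.182", "192.168.33.128"),
}

def any_any_map():
    """The hub as first posted: every entry uses 'permit ip any any'."""
    return {seq: (peer, [(ANY, ANY)]) for seq, (peer, _) in SPOKES.items()}

def specific_map(spoke_wc):
    """The hub ACLs from post 5, with the spoke wildcard as a parameter."""
    cmap = {}
    for seq, (peer, lan) in SPOKES.items():
        others = [net for s, (_, net) in SPOKES.items() if s != seq]
        acl = [(HUB_LAN, (lan, spoke_wc))]
        acl += [((other, spoke_wc), (lan, spoke_wc)) for other in others]
        cmap[seq] = (peer, acl)
    return cmap

def matched_last_octets(base, wildcard):
    """Which hosts of 192.168.33.0/24 a given base/wildcard pair covers."""
    return [n for n in range(256) if wildcard_match(f"192.168.33.{n}", base, wildcard)]

if __name__ == "__main__":
    src = "192.168.23.20"  # constructed host on the hub LAN
    for dst in ("192.168.33.10", "192.168.33.70", "192.168.33.130"):  # constructed spoke hosts
        print(dst,
              "any/any:", select_tunnel(any_any_map(), src, dst),
              "| .64:", select_tunnel(specific_map("0.0.0.64"), src, dst),
              "| .63:", select_tunnel(specific_map("0.0.0.63"), src, dst))
    print(matched_last_octets("192.168.33.0", "0.0.0.64"))
```

With `any any` every destination selects sequence 10, so traffic for the second and third spokes is handed to the first peer; with wildcard 0.0.0.64 each ACL line covers only two addresses, and 0.0.0.63 covers the whole /26.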
