3 routerа: 2 cisco 805 хочу связать с cisco 877 с помощью ipsec туннелей. GRE туннели работаютконфиг 877:
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key vpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set nostrong esp-des esp-md5-hmac
!
crypto map vpn 1 ipsec-isakmp
set peer 195.16.44.130
set transform-set nostrong
match address 101
crypto map vpn 2 ipsec-isakmp
set peer 81.211.31.149
set transform-set nostrong
match address 102
!
!
!
interface Tunnel0
ip address 10.16.17.1 255.255.255.0
tunnel source ATM0.1
tunnel destination 195.16.44.130
tunnel key 123
tunnel sequence-datagrams
tunnel checksum
crypto map vpn
!
interface Tunnel1
ip address 10.16.18.1 255.255.255.0
tunnel source ATM0.1
tunnel destination 81.211.31.149
tunnel key 123
tunnel sequence-datagrams
tunnel checksum
crypto map vpn
!
interface Loopback0
ip address 82.142.176.125 255.255.255.255
crypto map vpn
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
crypto map vpn
!
interface ATM0.1 point-to-point
ip unnumbered Loopback0
ip nat outside
ip virtual-reassembly
pvc 8/63
encapsulation aal5snap
!
crypto map vpn
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.16.13.0 255.255.255.0 Tunnel0
ip route 10.16.15.0 255.255.255.0 Tunnel1
!
!
ip nat inside source list 1 interface Loopback0 overload
!
access-list 1 permit 10.16.12.2
access-list 1 permit 10.16.11.0 0.0.0.255
access-list 101 permit gre host 82.172.176.125 host 195.16.44.130
access-list 102 permit gre host 82.172.176.125 host 81.211.31.149
конфиг 805:
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key vpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set nostrong esp-des esp-md5-hmac
!
crypto map vpn-to-office 1 ipsec-isakmp
set peer 82.142.176.125
set transform-set nostrong
match address 101
!
!
!
!
interface Tunnel0
ip address 10.16.17.2 255.255.255.0
tunnel source Serial0
tunnel destination 82.142.176.125
tunnel key 123
tunnel sequence-datagrams
tunnel checksum
crypto map vpn-to-office
!
interface Ethernet0
ip address 10.16.14.1 255.255.255.0 secondary
ip address 10.16.13.1 255.255.255.0
no ip proxy-arp
ip nat inside
!
interface Serial0
description ISP
ip address 195.16.44.130 255.255.255.252
no ip proxy-arp
ip nat outside
!
ip nat inside source list 18 interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 10.16.11.0 255.255.255.0 Tunnel0
!
access-list 18 permit 10.16.14.2
access-list 18 permit 10.16.13.10
access-list 101 permit gre host 195.16.44.130 host 82.142.176.125
2-я 805 аналогично
как только пытаюсь привязать crypto map к интерфейсу s0 пинг в другую локалку пропадает и появляются сообщения на консоли 805:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
а на 877 просто куча сообщений:
.Feb 16 17:21:57.804: ISAKMP (0:0): received packet from 81.211.31.149 dport 500
sport 500 Global (N) NEW SA
.Feb 16 17:21:57.804: ISAKMP: Created a peer struct for 81.211.31.149, peer port
500
.Feb 16 17:21:57.804: ISAKMP: Locking peer struct 0x8332BE18, IKE refcount 1 for
crypto_isakmp_process_block
.Feb 16 17:21:57.804: ISAKMP: local port 500, remote port 500
.Feb 16 17:21:57.804: insert sa successfully sa = 82FE517C
.Feb 16 17:21:57.804: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Feb 16 17:21:57.804: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_
R_MM1
.Feb 16 17:21:57.804: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
.Feb 16 17:21:57.804: ISAKMP: Looking for a matching key for 81.211.31.149 in de
fault : success
.Feb 16 17:21:57.804: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 81.2
11.31.149
.Feb 16 17:21:57.808: ISAKMP:(0:0:N/A:0): local preshared key found
.Feb 16 17:21:57.808: ISAKMP : Scanning profiles for xauth ...
.Feb 16 17:21:57.808: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against pri
ority 1 policy
.Feb 16 17:21:57.808: ISAKMP: encryption DES-CBC
.Feb 16 17:21:57.808: ISAKMP: hash MD5
.Feb 16 17:21:57.808: ISAKMP: default group 2
.Feb 16 17:21:57.808: ISAKMP: auth pre-share
.Feb 16 17:21:57.808: ISAKMP: life type in seconds
router-elikon#
.Feb 16 17:21:57.808: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
.Feb 16 17:21:57.808: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
.Feb 16 17:21:57.836: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M
AIN_MODE
.Feb 16 17:21:57.840: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM1 New State = IKE_R
_MM1
.Feb 16 17:21:57.840: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port
500 peer_port 500 (R) MM_SA_SETUP
.Feb 16 17:21:57.840: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_C
OMPLETE
.Feb 16 17:21:57.840: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM1 New State = IKE_R
_MM2
.Feb 16 17:21:58.512: ISAKMP (0:268435458): received packet from 81.211.31.149 d
port 500 sport 500 Global (R) MM_SA_SETUP
.Feb 16 17:21:58.512: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Feb 16 17:21:58.512: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM2 New State = IKE_R
_MM3
.Feb 16 17:21:58.512: ISAKMP:(0:2:HW:2): processing KE payload. message ID = 0
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2): processing NONCE payload. message ID =
0
.Feb 16 17:21:58.544: ISAKMP: Looking for a matching key for 81.211.31.149 in de
fault : success
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2):found peer pre-shared key matching 81.21
1.31.149
router-elikon#
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2):SKEYID state generated
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2): processing vendor id payload
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2): speaking to another IOS box!
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M
AIN_MODE
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM3 New State = IKE_R
_MM3
.Feb 16 17:21:58.548: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port
500 peer_port 500 (R) MM_KEY_EXCH
.Feb 16 17:21:58.548: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_C
OMPLETE
.Feb 16 17:21:58.548: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM3 New State = IKE_R
_MM4
.Feb 16 17:21:59.260: ISAKMP (0:268435458): received packet from 81.211.31.149 d
port 500 sport 500 Global (R) MM_KEY_EXCH
.Feb 16 17:21:59.260: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM4 New State = IKE_R
_MM5
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2): processing ID payload. message ID = 0
.Feb 16 17:21:59.264: ISAKMP (0:268435458): ID payload
next-payload : 8
type : 1
address : 81.211.31.149
protocol : 17
port : 500
length : 12
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):: peer matches *none* of the profiles
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 0
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):SA authentication status:
authenticated
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):SA has been authenticated with 81.211.31
.149
.Feb 16 17:21:59.264: ISAKMP: Trying to insert a peer 82.142.176.125/81.211.31.1
49/500/, and inserted successfully 8332BE18.
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M
AIN_MODE
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM5 New State = IKE_R
_MM5
.Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2):SA is doing pre-shared key authenticatio
n using id type ID_IPV4_ADDR
.Feb 16 17:21:59.268: ISAKMP (0:268435458): ID payload
next-payload : 8
type : 1
address : 82.142.176.125
protocol : 17
port : 500
length : 12
.Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2):Total payload length: 12
.Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port
500 peer_port 500 (R) MM_KEY_EXCH
.Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_C
OMPLETE
.Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM5 New State = IKE_P
1_COMPLETE
.Feb 16 17:21:59.272: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_CO
MPLETE
.Feb 16 17:21:59.272: ISAKMP:(0:2:HW:2):Old State = IKE_P1_COMPLETE New State =
IKE_P1_COMPLETE
.Feb 16 17:21:59.356: ISAKMP (0:268435458): received packet from 81.211.31.149 d
port 500 sport 500 Global (R) QM_IDLE
.Feb 16 17:21:59.356: ISAKMP: set new node 1198284981 to QM_IDLE
.Feb 16 17:21:59.360: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 1
198284981
.Feb 16 17:21:59.360: ISAKMP:(0:2:HW:2): processing SA payload. message ID = 119
8284981
.Feb 16 17:21:59.360: ISAKMP:(0:2:HW:2):Checking IPSec proposal 1
.Feb 16 17:21:59.360: ISAKMP: transform 1, ESP_DES
.Feb 16 17:21:59.360: ISAKMP: attributes in transform:
.Feb 16 17:21:59.360: ISAKMP: encaps is 1 (Tunnel)
.Feb 16 17:21:59.360: ISAKMP: SA life type in seconds
.Feb 16 17:21:59.360: ISAKMP: SA life duration (basic) of 3600
.Feb 16 17:21:59.360: ISAKMP: SA life type in kilobytes
.Feb 16 17:21:59.360: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
.Feb 16 17:21:59.360: ISAKMP: authenticator is HMAC-MD5
.Feb 16 17:21:59.360: ISAKMP:(0:2:HW:2):atts are acceptable.
.Feb 16 17:21:59.360: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 82.142.176.125, remote= 81.211.31.149,
local_proxy= 82.142.176.125/255.255.255.255/47/0 (type=1),
remote_proxy= 81.211.31.149/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
.Feb 16 17:21:59.360: Crypto mapdb : proxy_match
src addr : 82.142.176.125
dst addr : 81.211.31.149
protocol : 47
src port : 0
dst port : 0
.Feb 16 17:21:59.360: Crypto mapdb : proxy_match
src addr : 82.142.176.125
dst addr : 81.211.31.149
protocol : 47
src port : 0
dst port : 0
.Feb 16 17:21:59.364: map_db_find_best did not find matching map
.Feb 16 17:21:59.364: IPSEC(validate_transform_proposal): no IPSEC cryptomap exi
sts for local address 82.142.176.125
.Feb 16 17:21:59.364: ISAKMP:(0:2:HW:2): IPSec policy invalidated proposal
.Feb 16 17:21:59.364: ISAKMP:(0:2:HW:2): phase 2 SA policy not acceptable! (loca
l 82.142.176.125 remote 81.211.31.149)
.Feb 16 17:21:59.364: ISAKMP: set new node -1026013654 to QM_IDLE
.Feb 16 17:21:59.364: ISAKMP:(0:2:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN proto
col 3
spi 2194346424, message ID = -1026013654
.Feb 16 17:21:59.364: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port
500 peer_port 500 (R) QM_IDLE
.Feb 16 17:21:59.368: ISAKMP:(0:2:HW:2):purging node -1026013654
.Feb 16 17:21:59.368: ISAKMP:(0:2:HW:2):deleting node 1198284981 error TRUE reas
on "QM rejected"
.Feb 16 17:21:59.368: ISAKMP (0:268435458): Unknown Input IKE_MESG_FROM_PEER, IK
E_QM_EXCH: for node 1198284981: state = IKE_QM_READY
.Feb 16 17:21:59.368: ISAKMP:(0:2:HW:2):Node 1198284981, Input = IKE_MESG_FROM_P
EER, IKE_QM_EXCH
.Feb 16 17:21:59.368: ISAKMP:(0:2:HW:2):Old State = IKE_QM_READY New State = IK
E_QM_READY
router-elikon#
.Feb 16 17:21:59.368: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode fail
ed with peer at 81.211.31.149
router-elikon#
.Feb 16 17:22:27.808: ISAKMP (0:268435458): received packet from 81.211.31.149 d
port 500 sport 500 Global (R) QM_IDLE
.Feb 16 17:22:27.808: ISAKMP: set new node 194806817 to QM_IDLE
.Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 1
94806817
.Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2): processing SA payload. message ID = 194
806817
.Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2):Checking IPSec proposal 1
.Feb 16 17:22:27.812: ISAKMP: transform 1, ESP_DES
.Feb 16 17:22:27.812: ISAKMP: attributes in transform:
.Feb 16 17:22:27.812: ISAKMP: encaps is 1 (Tunnel)
.Feb 16 17:22:27.812: ISAKMP: SA life type in seconds
.Feb 16 17:22:27.812: ISAKMP: SA life duration (basic) of 3600
.Feb 16 17:22:27.812: ISAKMP: SA life type in kilobytes
.Feb 16 17:22:27.812: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
.Feb 16 17:22:27.812: ISAKMP: authenticator is HMAC-MD5
.Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2):atts are acceptable.
.Feb 16 17:22:27.812: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 82.142.176.125, remote= 81.211.31.149,
local_proxy= 82.142.176.125/255.255.255.255/47/0 (type=1),
remote_proxy= 81.211.31.149/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
.Feb 16 17:22:27.812: Crypto mapdb : proxy_match
src addr : 82.142.176.125
dst addr : 81.211.31.149
protocol : 47
src port : 0
dst port : 0
.Feb 16 17:22:27.812: Crypto mapdb : proxy_match
src addr : 82.142.176.125
dst addr : 81.211.31.149
protocol : 47
src port : 0
dst port : 0
.Feb 16 17:22:27.812: map_db_find_best did not find matching map
.Feb 16 17:22:27.812: IPSEC(validate_transform_proposal): no IPSEC cryptomap exi
sts for local address 82.142.176.125
.Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2): IPSec policy invalidated proposal
.Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2): phase 2 SA policy not acceptable! (loca
l 82.142.176.125 remote 81.211.31.149)
.Feb 16 17:22:27.816: ISAKMP: set new node -144067496 to QM_IDLE
.Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN proto
col 3
spi 2194346424, message ID = -144067496
.Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port
500 peer_port 500 (R) QM_IDLE
.Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2):purging node -144067496
.Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2):deleting node 194806817 error TRUE reaso
n "QM rejected"
router-elikon#
.Feb 16 17:22:27.816: ISAKMP (0:268435458): Unknown Input IKE_MESG_FROM_PEER, IK
E_QM_EXCH: for node 194806817: state = IKE_QM_READY
.Feb 16 17:22:27.820: ISAKMP:(0:2:HW:2):Node 194806817, Input = IKE_MESG_FROM_PE
ER, IKE_QM_EXCH
.Feb 16 17:22:27.820: ISAKMP:(0:2:HW:2):Old State = IKE_QM_READY New State = IK
E_QM_READY
router-elikon#
.Feb 16 17:22:49.354: ISAKMP:(0:2:HW:2):purging node 1198284981
router-elikon#
.Feb 16 17:22:57.796: ISAKMP (0:268435458): received packet from 81.211.31.149 d
port 500 sport 500 Global (R) QM_IDLE
.Feb 16 17:22:57.796: ISAKMP: set new node 1401338307 to QM_IDLE
.Feb 16 17:22:57.796: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 1
401338307
.Feb 16 17:22:57.796: ISAKMP:received payload type 18
.Feb 16 17:22:57.796: ISAKMP:(0:2:HW:2): processing DELETE_WITH_REASON payload,
message ID = 1401338307, reason: DELETE_BY_ERROR
.Feb 16 17:22:57.796: ISAKMP:(0:2:HW:2):peer does not do paranoid keepalives.
.Feb 16 17:22:57.796: ISAKMP:(0:2:HW:2):deleting SA reason "By error" state (R)
QM_IDLE (peer 81.211.31.149)
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):deleting node 1401338307 error FALSE rea
son "Informational (in) state 1"
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DE
L
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):Old State = IKE_P1_COMPLETE New State =
IKE_DEST_SA
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):deleting SA reason "No reason" state (R)
QM_IDLE (peer 81.211.31.149)
.Feb 16 17:22:57.800: ISAKMP: Unlocking IKE struct 0x8332BE18 for isadb_mark_sa_
deleted(), count 0
.Feb 16 17:22:57.800: ISAKMP: Deleting peer node by peer_reap for 81.211.31.149:
8332BE18
router-elikon#
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):deleting node 194806817 error FALSE reas
on "IKE deleted"
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):deleting node 1401338307 error FALSE rea
son "IKE deleted"
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):Old State = IKE_DEST_SA New State = IKE
_DEST_SA
router-elikon#
.Feb 16 17:23:47.786: ISAKMP:(0:2:HW:2):purging node 194806817
.Feb 16 17:23:47.786: ISAKMP:(0:2:HW:2):purging node 1401338307
router-elikon#
.Feb 16 17:23:57.783: ISAKMP:(0:2:HW:2):purging SA., sa=82FE517C, delme=82FE517C
чего бы поделать?
Вариант для распечатки
(ok) on 16-Фев-06, 21:19 
