forum.opennet.ru

Составление сообщения

Исходное сообщение

"cisco  VPN   падает канал  ???"
Отправлено peering, 14-Май-13 20:40

Есть 3 циски, использую тунель gre+ipsec
Пробовал уже и transport mode,, c VTI и без, результат одни. пока с ip address 10.9.0.1 не начнёшь пиноговать  10.9.0.2 тунель не поднимаеться,причём как то с паузой.... ,3 й роутер работает с 1  работает без проблем через VTI.

1 роутер System Bootstrap, Version 12.3(8r)YI4,
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 4444 address ........218.12
crypto isakmp key 5555 address .........164.11
crypto isakmp keepalive 30 10
!
!
crypto ipsec transform-set VTI esp-aes esp-sha-hmac
!
crypto ipsec profile prof-gre
set transform-set VTI
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface Tunnel0
ip address 10.9.0.1 255.255.255.0
keepalive 5 4
tunnel source FastEthernet4
tunnel destination .......164.11
tunnel mode ipsec ipv4
tunnel protection ipsec profile prof-gre
!
interface Tunnel1
ip address 10.10.0.1 255.255.255.0
tunnel source FastEthernet4
tunnel destination .......218.12
tunnel protection ipsec profile prof-gre
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address  ip.......  255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 192.168.0.230 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 94.230.115.34
ip route 0.0.0.0 255.255.255.252 .......GATE.....
ip route 192.168.1.0 255.255.255.0 10.9.0.2
ip route 192.168.5.0 255.255.255.0 10.0.0.1
ip route 192.168.10.0 255.255.255.0 10.10.0.2
--------------------------------------
flash:c1841-advipservicesk9-mz.124-3j.bin"
2 роутер
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 5555 address ......115.34
crypto isakmp keepalive 30 10
!
!
crypto ipsec transform-set VTI esp-aes esp-sha-hmac
!
crypto ipsec profile prof-gre
set transform-set VTI
!
!
!
!
!
interface Tunnel0
ip address 10.9.0.2 255.255.255.0
keepalive 5 4
tunnel source .......164.12
tunnel destination ......115.34
tunnel mode ipsec ipv4
tunnel protection ipsec profile prof-gre
!
interface FastEthernet0/0
ip address .......164.11 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.21 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1
ip address 172.16.1.1 255.255.255.0
peer default ip address dhcp-pool forvpn
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
ip classless
ip route 0.0.0.0 0.0.0.0 GATE
ip route 192.168.0.0 255.255.255.0 10.9.0.1
ip route 192.168.10.0 255.255.255.0 10.9.0.1
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
------------------------------------------------
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
......115.33    ......164.11   QM_IDLE           2001    0 ACTIVE
......115.33   ......142.102  MM_KEY_EXCH       2018    0 ACTIVE.
.....115.33    ......142.102  MM_NO_STATE       2017    0 ACTIVE (deleted)

Удивил .......142.102  это ip linux роутера он маршрутизирует подсеть ,,,,,    ......164.11 /29   как вообше этот ip попал в таблицу ???  мож в этом дело ???

IPv6 Crypto ISAKMP SA
163#
163#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation
Interface: Tunnel0
Uptime: 00:30:53
Session status: UP-ACTIVE
Peer: ..........164.11 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: ........164.11
      Desc: (none)
  IKE SA: local .........115.34/500 remote ........164.11/500 Active
          Capabilities:D connid:2001 lifetime:23:29:06
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4582265/1746
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4582265/1746
Interface: Tunnel1
Session status: DOWN
Peer: ........218.12 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit 47 host ........115.34 host .........218.12
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: FastEthernet4
Session status: DOWN-NEGOTIATING
Peer: .........142.102 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IKE SA: local ...........115.33/500 remote ...........142.102/500 Inactive
          Capabilities:DN connid:2018 lifetime:0
163#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
......115.33   .........164.11   QM_IDLE           2001    0 ACTIVE
........115.33   ...........143.102  MM_NO_STATE       2018    0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA

Исходное сообщение
"cisco VPN падает канал ???" Отправлено peering, 14-Май-13 20:40
Есть 3 циски, использую тунель gre+ipsec Пробовал уже и transport mode,, c VTI и без, результат одни. пока с ip address 10.9.0.1 не начнёшь пиноговать 10.9.0.2 тунель не поднимаеться,причём как то с паузой.... ,3 й роутер работает с 1 работает без проблем через VTI. 1 роутер System Bootstrap, Version 12.3(8r)YI4, crypto isakmp policy 10 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key 4444 address ........218.12 crypto isakmp key 5555 address .........164.11 crypto isakmp keepalive 30 10 ! ! crypto ipsec transform-set VTI esp-aes esp-sha-hmac ! crypto ipsec profile prof-gre set transform-set VTI ! ! archive log config hidekeys ! ! ! ! ! interface Tunnel0 ip address 10.9.0.1 255.255.255.0 keepalive 5 4 tunnel source FastEthernet4 tunnel destination .......164.11 tunnel mode ipsec ipv4 tunnel protection ipsec profile prof-gre ! interface Tunnel1 ip address 10.10.0.1 255.255.255.0 tunnel source FastEthernet4 tunnel destination .......218.12 tunnel protection ipsec profile prof-gre ! interface FastEthernet0 switchport access vlan 2 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface FastEthernet4 ip address ip....... 255.255.255.0 ip nat outside ip virtual-reassembly duplex auto speed auto ! interface Vlan1 no ip address ip nat inside ip virtual-reassembly ! interface Vlan2 ip address 192.168.0.230 255.255.255.0 ip nat inside ip virtual-reassembly ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 94.230.115.34 ip route 0.0.0.0 255.255.255.252 .......GATE..... ip route 192.168.1.0 255.255.255.0 10.9.0.2 ip route 192.168.5.0 255.255.255.0 10.0.0.1 ip route 192.168.10.0 255.255.255.0 10.10.0.2 -------------------------------------- flash:c1841-advipservicesk9-mz.124-3j.bin" 2 роутер crypto isakmp policy 10 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key 5555 address ......115.34 crypto isakmp keepalive 30 10 ! ! crypto ipsec transform-set VTI esp-aes esp-sha-hmac ! crypto ipsec profile prof-gre set transform-set VTI ! ! ! ! ! interface Tunnel0 ip address 10.9.0.2 255.255.255.0 keepalive 5 4 tunnel source .......164.12 tunnel destination ......115.34 tunnel mode ipsec ipv4 tunnel protection ipsec profile prof-gre ! interface FastEthernet0/0 ip address .......164.11 255.255.255.248 ip nat outside ip virtual-reassembly duplex auto speed auto ! interface FastEthernet0/1 ip address 192.168.1.21 255.255.255.0 ip nat inside ip virtual-reassembly duplex auto speed auto ! interface Virtual-Template1 ip address 172.16.1.1 255.255.255.0 peer default ip address dhcp-pool forvpn ppp encrypt mppe auto required ppp authentication ms-chap ms-chap-v2 ! ip classless ip route 0.0.0.0 0.0.0.0 GATE ip route 192.168.0.0 255.255.255.0 10.9.0.1 ip route 192.168.10.0 255.255.255.0 10.9.0.1 ! ip dns server ! no ip http server no ip http secure-server ip nat inside source list 1 interface FastEthernet0/0 overload ! access-list 1 permit 192.168.1.0 0.0.0.255 access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255 access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 access-list 104 permit ip 192.168.1.0 0.0.0.255 any access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 access-list 110 permit ip 192.168.1.0 0.0.0.255 any ! ------------------------------------------------ IPv4 Crypto ISAKMP SA dst src state conn-id slot status ......115.33 ......164.11 QM_IDLE 2001 0 ACTIVE ......115.33 ......142.102 MM_KEY_EXCH 2018 0 ACTIVE. .....115.33 ......142.102 MM_NO_STATE 2017 0 ACTIVE (deleted) Удивил .......142.102 это ip linux роутера он маршрутизирует подсеть ,,,,, ......164.11 /29 как вообше этот ip попал в таблицу ??? мож в этом дело ??? IPv6 Crypto ISAKMP SA 163# 163#sh crypto session detail Crypto session current status Code: C - IKE Configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication F - IKE Fragmentation Interface: Tunnel0 Uptime: 00:30:53 Session status: UP-ACTIVE Peer: ..........164.11 port 500 fvrf: (none) ivrf: (none) Phase1_id: ........164.11 Desc: (none) IKE SA: local .........115.34/500 remote ........164.11/500 Active Capabilities:D connid:2001 lifetime:23:29:06 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4582265/1746 Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4582265/1746 Interface: Tunnel1 Session status: DOWN Peer: ........218.12 port 500 fvrf: (none) ivrf: (none) Desc: (none) Phase1_id: (none) IPSEC FLOW: permit 47 host ........115.34 host .........218.12 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0 Interface: FastEthernet4 Session status: DOWN-NEGOTIATING Peer: .........142.102 port 500 fvrf: (none) ivrf: (none) Desc: (none) Phase1_id: (none) IKE SA: local ...........115.33/500 remote ...........142.102/500 Inactive Capabilities:DN connid:2018 lifetime:0 163#sh crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status ......115.33 .........164.11 QM_IDLE 2001 0 ACTIVE ........115.33 ...........143.102 MM_NO_STATE 2018 0 ACTIVE (deleted) IPv6 Crypto ISAKMP SA

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	> Есть 3 циски, использую тунель gre+ipsec > Пробовал уже и transport mode,, c VTI и без, результат одни. пока > с ip address 10.9.0.1 не начнёшь пиноговать 10.9.0.2 тунель не > поднимаеться,причём как то с паузой.... ,3 й роутер работает с 1 > работает без проблем через VTI. > 1 роутер System Bootstrap, Version 12.3(8r)YI4, > crypto isakmp policy 10 > encr 3des > hash md5 > authentication pre-share > group 2 > crypto isakmp key 4444 address ........218.12 > crypto isakmp key 5555 address .........164.11 > crypto isakmp keepalive 30 10 > ! > ! > crypto ipsec transform-set VTI esp-aes esp-sha-hmac > ! > crypto ipsec profile prof-gre > set transform-set VTI > ! > ! > archive > log config > hidekeys > ! > ! > ! > ! > ! > interface Tunnel0 > ip address 10.9.0.1 255.255.255.0 > keepalive 5 4 > tunnel source FastEthernet4 > tunnel destination .......164.11 > tunnel mode ipsec ipv4 > tunnel protection ipsec profile prof-gre > ! > interface Tunnel1 > ip address 10.10.0.1 255.255.255.0 > tunnel source FastEthernet4 > tunnel destination .......218.12 > tunnel protection ipsec profile prof-gre > ! > interface FastEthernet0 > switchport access vlan 2 > ! > interface FastEthernet1 > ! > interface FastEthernet2 > ! > interface FastEthernet3 > ! > interface FastEthernet4 > ip address ip....... 255.255.255.0 > ip nat outside > ip virtual-reassembly > duplex auto > speed auto > ! > interface Vlan1 > no ip address > ip nat inside > ip virtual-reassembly > ! > interface Vlan2 > ip address 192.168.0.230 255.255.255.0 > ip nat inside > ip virtual-reassembly > ! > ip forward-protocol nd > ip route 0.0.0.0 0.0.0.0 94.230.115.34 > ip route 0.0.0.0 255.255.255.252 .......GATE..... > ip route 192.168.1.0 255.255.255.0 10.9.0.2 > ip route 192.168.5.0 255.255.255.0 10.0.0.1 > ip route 192.168.10.0 255.255.255.0 10.10.0.2 > -------------------------------------- > flash:c1841-advipservicesk9-mz.124-3j.bin" > 2 роутер > crypto isakmp policy 10 > encr 3des > hash md5 > authentication pre-share > group 2 > crypto isakmp key 5555 address ......115.34 > crypto isakmp keepalive 30 10 > ! > ! > crypto ipsec transform-set VTI esp-aes esp-sha-hmac > ! > crypto ipsec profile prof-gre > set transform-set VTI > ! > ! > ! > ! > ! > interface Tunnel0 > ip address 10.9.0.2 255.255.255.0 > keepalive 5 4 > tunnel source .......164.12 > tunnel destination ......115.34 > tunnel mode ipsec ipv4 > tunnel protection ipsec profile prof-gre > ! > interface FastEthernet0/0 > ip address .......164.11 255.255.255.248 > ip nat outside > ip virtual-reassembly > duplex auto > speed auto > ! > interface FastEthernet0/1 > ip address 192.168.1.21 255.255.255.0 > ip nat inside > ip virtual-reassembly > duplex auto > speed auto > ! > interface Virtual-Template1 > ip address 172.16.1.1 255.255.255.0 > peer default ip address dhcp-pool forvpn > ppp encrypt mppe auto required > ppp authentication ms-chap ms-chap-v2 > ! > ip classless > ip route 0.0.0.0 0.0.0.0 GATE > ip route 192.168.0.0 255.255.255.0 10.9.0.1 > ip route 192.168.10.0 255.255.255.0 10.9.0.1 > ! > ip dns server > ! > no ip http server > no ip http secure-server > ip nat inside source list 1 interface FastEthernet0/0 overload > ! > access-list 1 permit 192.168.1.0 0.0.0.255 > access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255 > access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 > access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 > access-list 104 permit ip 192.168.1.0 0.0.0.255 any > access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 > access-list 110 permit ip 192.168.1.0 0.0.0.255 any > ! > ------------------------------------------------ > IPv4 Crypto ISAKMP SA > dst > src > state > conn-id slot status > ......115.33 ......164.11 QM_IDLE > 2001 0 > ACTIVE > ......115.33 ......142.102 MM_KEY_EXCH > 2018 0 ACTIVE. > .....115.33 ......142.102 MM_NO_STATE > 2017 0 ACTIVE (deleted) > Удивил .......142.102 это ip linux роутера он маршрутизирует подсеть ,,,,, > ......164.11 /29 как вообше этот ip попал > в таблицу ??? мож в этом дело ??? > IPv6 Crypto ISAKMP SA > 163# > 163#sh crypto session detail > Crypto session current status > Code: C - IKE Configuration mode, D - Dead Peer Detection > K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication > F - IKE Fragmentation > Interface: Tunnel0 > Uptime: 00:30:53 > Session status: UP-ACTIVE > Peer: ..........164.11 port 500 fvrf: (none) ivrf: (none) > Phase1_id: ........164.11 > Desc: (none) > IKE SA: local .........115.34/500 remote ........164.11/500 Active > Capabilities:D connid:2001 > lifetime:23:29:06 > IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 > Active SAs: 2, origin: > crypto map > Inbound: #pkts dec'ed > 0 drop 0 life (KB/Sec) 4582265/1746 > Outbound: #pkts enc'ed 0 > drop 0 life (KB/Sec) 4582265/1746 > Interface: Tunnel1 > Session status: DOWN > Peer: ........218.12 port 500 fvrf: (none) ivrf: (none) > Desc: (none) > Phase1_id: (none) > IPSEC FLOW: permit 47 host ........115.34 host .........218.12 > Active SAs: 0, origin: > crypto map > Inbound: #pkts dec'ed > 0 drop 0 life (KB/Sec) 0/0 > Outbound: #pkts enc'ed 0 > drop 0 life (KB/Sec) 0/0 > Interface: FastEthernet4 > Session status: DOWN-NEGOTIATING > Peer: .........142.102 port 500 fvrf: (none) ivrf: (none) > Desc: (none) > Phase1_id: (none) > IKE SA: local ...........115.33/500 remote ...........142.102/500 Inactive > Capabilities:DN connid:2018 > lifetime:0 > 163#sh crypto isakmp sa > IPv4 Crypto ISAKMP SA > dst > src > state > conn-id slot status > ......115.33 .........164.11 QM_IDLE > 2001 0 ACTIVE > ........115.33 ...........143.102 MM_NO_STATE > 2018 0 ACTIVE (deleted) > IPv6 Crypto ISAKMP SA
	Введите код, изображенный на картинке:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру