Исходные данные. Сторона 1 (германия) VPN публичный адрес: 194.43.X.X
server1: 194.118.Y.Y
esp, 3des, md5, group 2. Сторона 2 (Россия)публичный адрес: 85.117.X.X
srouter: 85.117.Y.Y
Pre-shared key. 43564532
Конфигурацию могу изменять только со стороны 2.
___________________
Building configuration...
Current configuration : 7052 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname gw
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
no aaa new-model
!
resource policy
!
clock timezone SIBIR 5
!
ip flow-cache timeout active 1
!
ftp-server topdir flash:
!
voice-card 0
no dspfarm
!
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
lifetime 7200
crypto isakmp key "pre-share key" address 194.43.X.X
!
!
crypto ipsec transform-set SAP_R3 esp-3des esp-md5-hmac
!
crypto map SAP local-address FastEthernet0/0
crypto map SAP 20 ipsec-isakmp
description SAP_VPN
set peer 194.43.X.X
set transform-set SAP_R3
match address 107
!
interface FastEthernet0/0
description sap
ip mtu 1420
ip tcp adjust-mss 500
ip address 85.117.X.X 255.255.255.252
duplex auto
speed auto
crypto map SAP
crypto ipsec fragmentation before-encryption
!
ip route 194.43.X.X 255.255.255.255 FastEthernet0/0
ip route 194.118.Y.Y 255.255.255.255 194.43.X.X
!
!
access-list 107 permit ip host 85.117.Y.Y host 194.118.Y.Y
access-list 107 permit ip host 85.117.X.X host 194.43.X.X
!
!
scheduler allocate 20000 1000
ntp clock-period 17179838
!
end
====================================================================================
Sending 5, 100-byte ICMP Echos to 194.43.X.X, timeout is 2 seconds:
Sep 10 12:04:33.990: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 85.117.X.X, remote= 194.43.X.X,
local_proxy= 85.117.X.X/255.255.255.255/0/0 (type=1),
remote_proxy= 194.43.X.X/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x31FDD771(838719345), conn_id= 0, keysize= 0, flags= 0x400A
Sep 10 12:04:33.990: ISAKMP: received ke message (1/1)
Sep 10 12:04:33.990: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Sep 10 12:04:33.990: ISAKMP: Created a peer struct for 194.43.X.X, peer port 500
Sep 10 12:04:33.990: ISAKMP: New peer created peer = 0x473851EC peer_handle = 0x80003BD5
Sep 10 12:04:33.990: ISAKMP: Locking peer struct 0x473851EC, IKE refcount 1 for isakmp_initiator
Sep 10 12:04:33.990: ISAKMP: local port 500, remote port 500
Sep 10 12:04:33.990: ISAKMP: set new node 0 to QM_IDLE
Sep 10 12:04:33.990: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 473A0138
Sep 10 12:04:33.990: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Sep 10 12:04:33.990: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 194.43.X.X
Sep 10 12:04:33.990: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Sep 10 12:04:33.990: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Sep 10 12:04:33.990: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Sep 10 12:04:33.994: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Sep 10 12:04:33.994: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
Sep 10 12:04:33.994: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Sep 10 12:04:33.994: ISAKMP:(0:0:N/A:0): sending packet to 194.43.X.X my_port 500 peer_port 500 (I) MM_NO_STATE.....
Success rate is 0 percent (0/5)
gw-02#
Sep 10 12:04:43.994: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
Sep 10 12:04:43.994: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 10 12:04:43.994: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
Sep 10 12:04:43.994: ISAKMP:(0:0:N/A:0): sending packet to 194.43.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
gw-02#
Sep 10 12:04:53.994: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
Sep 10 12:04:53.994: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Sep 10 12:04:53.994: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
Sep 10 12:04:53.994: ISAKMP:(0:0:N/A:0): sending packet to 194.43.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
================================================================================================
sh crypto isakmp sa
dst src state conn-id slot status
194.43.X.X 85.117.X.X MM_NO_STATE 0 0 ACTIVE
================================================================================================
FastEthernet0/0
Crypto map tag: SAP, local addr 85.117.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (85.117.Y.Y/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (194.118.Y.Y/255.255.255.255/0/0)
current_peer 194.43.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 85.117.X.X, remote crypto endpt.: 194.43.X.X
path mtu 1420, ip mtu 1420
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (85.117.X.X/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (194.43.X.X/255.255.255.255/0/0)
current_peer 194.43.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 38, #recv errors 0
local crypto endpt.: 85.117.X.X, remote crypto endpt.: 194.43.X.X
path mtu 1420, ip mtu 1420
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Вариант для распечатки
Маршрутизаторы CISCO и др. оборудование. (Public)
(ok) on 10-Сен-07, 16:12 
