Не получается настроить VPN между 2871 и 871.
Оба роутера имеют реальный IP.
Друг друга пингуют, но VPN упорно не хотят поднимать.
Привожу вырезку из конфига:
-------
-2871-
-------
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
!
aaa session-id common
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name c2821.tgs.ru
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
l2tp tunnel receive-window 1024
!
!
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
!
!
!

username 111111 password 0 111111
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key superkey address 84.253.91.125
!
crypto isakmp client configuration group vpnclient
key 111111
pool SDM_POOL_3
acl 103
max-users 10
netmask 255.255.252.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN esp-des esp-md5-hmac
mode transport
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 10 ipsec-isakmp
set peer 84.253.91.125
set transform-set VPN
match address 150
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
ip ssh version 1
!
!
!
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
tunnel source 87.251.157.145
tunnel destination 85.94.18.198
tunnel mode ipip
!
interface Tunnel2
ip address 192.168.16.1 255.255.255.0
ip mtu 1400
tunnel source GigabitEthernet0/1.1
tunnel destination 84.253.91.125
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.0.1 255.255.252.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.2
!
interface GigabitEthernet0/0.3
encapsulation dot1Q 666
ip access-group 101 in
ip access-group 101 out
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description $ETH-LAN$
encapsulation dot1Q 3
ip address 87.251.157.145 255.255.255.240
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1.2
ip nat outside
ip virtual-reassembly
rate-limit input access-group 110 8192000 128000 1024000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 100
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.4
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1.1
peer default ip address pool test
no keepalive
ppp authentication pap chap ms-chap ms-chap-v2
!
ip local pool SDM_POOL_2 192.168.0.226 192.168.0.228
ip local pool SDM_POOL_3 192.168.0.94 192.168.0.96
ip local pool test 192.168.5.100 192.168.5.109
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.251.157.144 100
ip route 10.0.0.0 255.255.255.0 Tunnel0
ip route 192.168.30.0 255.255.255.0 Tunnel2
!
!
ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/1.1 overload
!
ip access-list extended ACL
deny   ip 192.168.0.0 0.0.0.255 81.177.141.0 0.0.0.255
deny   tcp any any eq 8000
permit ip any any
ip access-list extended SB
!
access-list 15 remark SDM_ACL Category=16
access-list 15 permit 192.168.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=18
access-list 100 deny   ip 192.168.0.0 0.0.255.255 host 192.168.0.94
access-list 100 deny   ip 192.168.0.0 0.0.255.255 host 192.168.0.95
access-list 100 deny   ip 192.168.0.0 0.0.255.255 host 192.168.0.96
access-list 100 permit ip any host 192.168.0.94
access-list 100 permit ip any host 192.168.0.95
access-list 100 permit ip any host 192.168.0.96
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 192.168.0.94
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 192.168.0.95
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 192.168.0.96
access-list 100 permit ip any host 192.168.0.226
access-list 100 permit ip any host 192.168.0.227
access-list 100 permit ip any host 192.168.0.228
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 192.168.0.226
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 192.168.0.227
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 192.168.0.228
access-list 100 permit ip host 87.251.157.145 any
access-list 100 permit ip host 213.85.173.178 any
access-list 100 permit ip any any
access-list 100 permit ip host 87.251.157.147 any
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip any host 87.251.157.145
access-list 110 deny   ip any any
access-list 120 deny   ip 192.168.0.0 0.0.255.255 host 192.168.0.100
access-list 120 permit ip any any
access-list 150 permit gre host 87.251.157.148 host 84.253.91.125
!
!
route-map SDM_RMAP_2 permit 1
match ip address 100
!
end

--------
--871--
--------
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3819309847
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3819309847
revocation-check none
rsakeypair TP-self-signed-3819309847
!
!
crypto pki certificate chain TP-self-signed-3819309847
certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383139 33303938 3437301E 170D3032 30333032 30333334
  31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38313933
  30393834 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100DC6C D73F04C7 D0CBAF00 443A0946 B4B8F9BB 99503178 3E5242CD F0F951E9
  CD1B8320 9C2125A3 B34F889F 6AAA1D68 35C21EF0 70A1A120 218DD309 A28A443B
  6987FC4C 36710A97 A1C7A917 B85D6706 F6188EAC B448487E CB7A27BF 48510CF0
  9FA3C348 C31774DF 80A36D96 0A725A0F 7AF1563D C58E67B1 9CC09436 07F6780F
  BB510203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
  551D1104 19301782 1563726F 6375732E 796F7572 646F6D61 696E2E63 6F6D301F
  0603551D 23041830 168014BB AC7F5B19 18CE7331 26F9CC11 3A95163B 90FB7730
  1D060355 1D0E0416 0414BBAC 7F5B1918 CE733126 F9CC113A 95163B90 FB77300D
  06092A86 4886F70D 01010405 00038181 00BE6925 DA3CE33A D8C5C7C2 5A327E87
  8DAEA739 8BEF4F08 8730D5FD 3D2516FF 29AAA3CD 879B0C81 0E9763A0 896D85EA
  119A2027 CA10ECD8 70ADEED2 2E37EFFE 2F05B0D7 16D54359 C5356C18 0149446C
  C9C3A30A 5D88EFFC F257C3F2 8AB0AE0D EDDD9998 D870F055 99DF4398 A901C5A6
  58ACF9DA 1E2F3EE8 8778EF6D 374D6C58 AB
        quit
dot11 syslog
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
!
!
!
username 123456 privilege 15 secret 5 $1$ajQj$qcqOcQ3pM/VbWDlisrHp81
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key superkey address 87.251.157.145
!
!
crypto ipsec transform-set VPN esp-des esp-md5-hmac
mode transport
!
crypto map SDM_CMAP_1 10 ipsec-isakmp
set peer 87.251.157.145
set transform-set VPN
match address 101
!
archive
log config
  hidekeys
!
!
!
!
!
interface Tunnel2
ip address 192.168.16.2 255.255.255.0
tunnel source FastEthernet4
tunnel destination 87.251.157.145
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
ip address 84.253.91.125 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 84.253.91.129
ip route 192.168.0.0 255.255.252.0 Tunnel2
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nat_rm interface FastEthernet4 overload
!
ip access-list extended Internet
permit ip any any
!
access-list 101 permit gre host 84.253.91.125 host 87.251.157.145
access-list 110 permit ip 192.168.30.0 0.0.0.255 any
no cdp run
!
!
route-map nat_rm permit 10
match ip address 110
!
!
control-plane