Network 10.0.1.0/24, external IP 192.168.1.1
Network 10.0.2.0/24, external IP 192.168.2.1
On the 192.168.1.1 side there is a Cisco 2811, on the 192.168.2.1 side there is OpenBSD.
The IPsec VPN tunnel comes up.
traceroute from the host 10.0.1.17
traceroute to 10.1.6.17 (10.1.6.17), 30 hops max, 40 byte packets using UDP
1 10.0.1.1 (10.0.1.1) 0.854 ms 0.862 ms 1.965 ms
2 192.168.2.1 (192.168.2.1) 2.402 ms 6.567 ms 9.843 ms
3 10.0.2.17 (10.0.2.17) 12.256 ms 8.601 ms 6.955 ms
traceroute from the host 10.0.2.17
traceroute to 10.1.6.17 (10.1.6.17), 30 hops max, 40 byte packets using UDP
1 10.0.1.1 (10.0.1.1) 0.854 ms 0.862 ms 1.965 ms
2 * * *
3 * * *
and yet
PING 10.0.1.17 (10.0.1.17): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=63 time=3.034 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=1.690 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=1.994 ms
Help me understand the cause of this nonsense.
Cisco config:
!
crypto isakmp policy 15
encr aes
authentication pre-share
group 5
crypto isakmp key c00cefffc627f1a05d458652d9c2e8de410041ff address 192.168.2.1
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
!
crypto map MSK-TEST 15 ipsec-isakmp
set peer 192.168.2.1
set transform-set aes-set
match address MSK-TEST
!
interface Tunnel6
description tunnel MSK-TEST
no ip address
ip access-group INET in
tunnel source FastEthernet0/1
tunnel destination 192.168.2.1
crypto map MSK-TEST
!
interface FastEthernet0/0
description LAN interface
ip address 10.0.1.1 255.255.255.0
ip access-group LAN_INTERFACE in
ip nat inside
no ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description WAN interface
ip address 192.168.1.1 255.255.255.0
ip access-group WAN_INTERFACE in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
ip access-list extended INET
permit esp any any
permit udp any any eq isakmp
permit gre any any
!
ip access-list extended MSK-TEST
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
deny ip any any log
!
ip access-list extended LAN_INTERFACE
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
permit ip 10.0.1.0 0.0.0.255 host 192.168.2.1
!
ip access-list extended WAN_INTERFACE
permit ip 192.168.2.1 host 192.168.1.1
permit esp 192.168.2.1 host 192.168.1.1
permit gre 192.168.2.1 host 192.168.1.1
!
ip route 10.0.2.0 255.255.255.0 Tunnel6
>[excessive quoting removed]
>ip access-list extended LAN_INTERFACE
> permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
> permit ip 10.0.1.0 0.0.0.255 host 192.168.2.1
>!
>ip access-list extended WAN_INTERFACE
> permit ip 192.168.2.1 host 192.168.1.1
> permit esp 192.168.2.1 host 192.168.1.1
> permit gre 192.168.2.1 host 192.168.1.1
>!
>ip route 10.0.2.0 255.255.255.0 Tunnel6
Hi.
1. From your traceroute I don't see that the IPsec tunnel is established, because I see the peer address there, which in principle shouldn't be there.
2. If I'm wrong about point 1 after all :) remove "ip access-group INET in" from the tun6 interface temporarily for a test.
Good luck
>[excessive quoting removed]
>
>1. From your traceroute I don't see that the IPsec tunnel is established,
>because I see the peer address there, which in principle shouldn't
>be there.
>
>2. If I'm wrong about point 1 after all :) remove
>"ip access-group INET in" from the tun6 interface temporarily for a test.
>
>
>Good luck
3. 10.1.6.17 doesn't fall into the MSK-TEST ACL
>>[excessive quoting removed]
>3. 10.1.6.17 doesn't fall into the MSK-TEST ACL
I was being slow. :( It should be:
traceroute from the host 10.0.1.17
traceroute to 10.0.2.17 (10.0.2.17), 30 hops max, 40 byte packets using UDP
1 10.0.1.1 (10.0.1.1) 0.854 ms 0.862 ms 1.965 ms
2 192.168.2.1 (192.168.2.1) 2.402 ms 6.567 ms 9.843 ms
3 10.0.2.17 (10.0.2.17) 12.256 ms 8.601 ms 6.955 ms
traceroute from the host 10.0.2.17
traceroute to 10.0.1.17 (10.0.1.17), 30 hops max, 40 byte packets using UDP
1 10.0.1.1 (10.0.1.1) 0.854 ms 0.862 ms 1.965 ms
2 * * *
3 * * *
>>[excessive quoting removed]
>1. From your traceroute I don't see that the IPsec tunnel is established,
>because I see the peer address there, which in principle shouldn't
>be there.
>
>2. If I'm wrong about point 1 after all :) remove
>"ip access-group INET in" from the tun6 interface temporarily for a test.
interface: Tunnel6
Crypto map tag: MSK-TEST, local addr 192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
current_peer 192.168.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 368, #pkts decrypt: 368, #pkts verify: 368
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
path mtu 1476, ip mtu 1476, ip mtu idb Tunnel6
current outbound spi: 0xCEA2D5F3(3466778099)
inbound esp sas:
spi: 0x410C0D53(1091308883)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2777, flow_id: NETGX:777, crypto map: MSK-TEST
sa timing: remaining key lifetime (k/sec): (4501033/203)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCEA2D5F3(3466778099)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2778, flow_id: NETGX:778, crypto map: MSK-TEST
sa timing: remaining key lifetime (k/sec): (4501043/203)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
>[excessive quoting removed]
>lifetime (k/sec): (4501043/203)
> IV size: 16 bytes
>
> replay detection support: Y
>
> Status: ACTIVE
>
> outbound ah sas:
>
> outbound pcp sas:
I see. But from the
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 368, #pkts decrypt: 368, #pkts verify: 368
lines it's clear that you only have decaps packets, that is, packets come out of the IPsec tunnel but don't go into it.
I have 2 suggestions.
1. As I said, temporarily remove the access-group from the tun interfaces.
2. Put a /30 network on the tun interfaces (this helps to see the tun IP in traceroute rather than the peer IP, which makes troubleshooting easier.)
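The observation in this reply, that an ACTIVE outbound SA combined with "#pkts encaps: 0" and a growing decaps counter means traffic leaves the tunnel but never enters it, can be turned into a quick check. The Python script below is an added example and not part of the thread: it parses a constructed sample modelled on the "show crypto ipsec sa" output posted above (same counters and SA status) and classifies the tunnel direction. The sample text, the function names and the diagnosis labels are all this example's own assumptions.

```python
import re

# Constructed sample modelled on the "show crypto ipsec sa" output posted in the
# thread (0 encaps, 368 decaps, both ESP SAs ACTIVE). Not captured from a real router.
SAMPLE_SA_OUTPUT = """\
interface: Tunnel6
    Crypto map tag: MSK-TEST, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   current_peer 192.168.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 368, #pkts decrypt: 368, #pkts verify: 368
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x410C0D53(1091308883)
        Status: ACTIVE

     outbound esp sas:
      spi: 0xCEA2D5F3(3466778099)
        Status: ACTIVE
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Extract the fields needed for a one-way-tunnel diagnosis: the encaps/decaps
    counters, the protected subnets (local/remote ident) and whether an outbound
    ESP SA is ACTIVE."""
    stats = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
             "local": None, "remote": None, "outbound_sa_active": False}
    for name, value in COUNTER_RE.findall(text):
        stats[name] = int(value)
    for side, addr, mask in IDENT_RE.findall(text):
        stats[side] = f"{addr}/{mask}"
    m = ERRORS_RE.search(text)
    if m:
        stats["send_errors"], stats["recv_errors"] = int(m.group(1)), int(m.group(2))
    # Everything after the "outbound esp sas:" header describes the outbound SA.
    _, _, outbound = text.partition("outbound esp sas:")
    stats["outbound_sa_active"] = "Status: ACTIVE" in outbound
    return stats


def diagnose(stats):
    """Classify the tunnel from its counters. "receive-only" is the thread's case:
    the outbound SA is negotiated (so IKE is fine), yet nothing is ever
    encapsulated, so outbound packets are not being selected by the crypto map."""
    enc, dec = stats["encaps"], stats["decaps"]
    if enc == 0 and dec == 0:
        return "no-traffic"
    if enc == 0:
        return "receive-only" if stats["outbound_sa_active"] else "receive-only-no-outbound-sa"
    if dec == 0:
        return "send-only"
    return "bidirectional"


if __name__ == "__main__":
    s = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    print(f"{s['local']} <-> {s['remote']}: encaps={s['encaps']} "
          f"decaps={s['decaps']} -> {diagnose(s)}")
```

Run against the sample it reports "receive-only", which separates this failure from a key-exchange problem: the SAs are up, so the next thing to look at is why outbound traffic never matches the crypto ACL.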
>[excessive quoting removed]
>#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
>#pkts decaps: 368, #pkts decrypt: 368, #pkts verify: 368
>
>lines it's clear that you only have decaps packets, that is, packets come out
>of the IPsec tunnel but don't go into it.
>
>I have 2 suggestions.
>1. As I said, temporarily remove the access-group from the tun interfaces.
>2. Put a /30 network on the tun interfaces (this helps to see the tun IP
>in traceroute rather than the peer IP, which makes troubleshooting easier.)
Also noticed...
move "crypto map MSK-TEST" from tun6 to FastEthernet0/1
Thanks everyone. :) Changes:
ip route 10.0.2.0 255.255.255.0 192.168.2.1
ip nat inside source list 110 interface FastEthernet0/1 overload
access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
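The deny line in access-list 110 is a NAT exemption. On IOS a packet going from the inside to the outside interface is translated by NAT before the crypto map is consulted, so with only "permit ip 10.0.1.0 0.0.0.255 any" in the NAT list a packet from 10.0.1.17 reaches the crypto map with source 192.168.1.1, no longer matches MSK-TEST and is sent in the clear, which is consistent with "#pkts encaps: 0". The Python model below is an added example, not code from the thread: it implements Cisco wildcard-mask matching and the inside-to-outside NAT-then-crypto order, then compares an assumed "before" NAT list (the page does not show the original list 110) with access-list 110 as posted. The "before" list, the Internet destination 203.0.113.5 and the function names are this example's assumptions.

```python
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'; only the 0 bits are compared."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(network) & care)


# ACL entry: (action, src_net, src_wildcard, dst_net, dst_wildcard). "any" is 0.0.0.0 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")


def acl_lookup(acl, src, dst):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for action, src_net, src_wc, dst_net, dst_wc in acl:
        if wildcard_match(src, src_net, src_wc) and wildcard_match(dst, dst_net, dst_wc):
            return action
    return "deny"


# The crypto ACL from the thread: ip access-list extended MSK-TEST
CRYPTO_ACL_MSK_TEST = [
    ("permit", "10.0.1.0", "0.0.0.255", "10.0.2.0", "0.0.0.255"),
    ("deny", *ANY, *ANY),
]

# Assumed "before" state: overload NAT for the whole LAN with no exemption (not shown on the page).
NAT_ACL_BEFORE = [
    ("permit", "10.0.1.0", "0.0.0.255", *ANY),
]

# The "after" state exactly as posted: access-list 110 deny ... / permit ...
NAT_ACL_AFTER = [
    ("deny", "10.0.1.0", "0.0.0.255", "10.0.2.0", "0.0.0.255"),
    ("permit", "10.0.1.0", "0.0.0.255", *ANY),
]


def forward_inside_to_outside(nat_acl, crypto_acl, outside_ip, src, dst):
    """Model the IOS inside->outside order of operations: NAT translation first,
    then the crypto map check against the (possibly translated) source address.
    outside_ip is the address "interface FastEthernet0/1 overload" translates to."""
    translated_src = outside_ip if acl_lookup(nat_acl, src, dst) == "permit" else src
    encrypted = acl_lookup(crypto_acl, translated_src, dst) == "permit"
    return {"src": translated_src, "encrypted": encrypted}


if __name__ == "__main__":
    for label, nat_acl in (("before", NAT_ACL_BEFORE), ("after", NAT_ACL_AFTER)):
        for dst in ("10.0.2.17", "203.0.113.5"):  # VPN peer LAN host, then a constructed Internet host
            r = forward_inside_to_outside(nat_acl, CRYPTO_ACL_MSK_TEST, "192.168.1.1", "10.0.1.17", dst)
            print(f"{label:6} 10.0.1.17 -> {dst:12} leaves as {r['src']:12} encrypted={r['encrypted']}")
```

With the "before" list, LAN-to-LAN traffic is translated to 192.168.1.1 and never matches the crypto ACL; with the posted list 110 it keeps its 10.0.1.x source, matches MSK-TEST and is encrypted, while Internet-bound traffic is still translated as before.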