URL: https://www.opennet.ru/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 21273

Original message
"IPSEC tunnel setup problem"

Posted by ss2707, 07-Jul-10 12:29
network 10.0.1.0/24, external IP 192.168.1.1
network 10.0.2.0/24, external IP 192.168.2.1

On the 192.168.1.1 side there is a Cisco 2811; on the 192.168.2.1 side there is OpenBSD.
The IPsec VPN channel does get established.
traceroute from host 10.0.1.17
traceroute to 10.1.6.17 (10.1.6.17), 30 hops max, 40 byte packets using UDP
1  10.0.1.1 (10.0.1.1)  0.854 ms   0.862 ms   1.965 ms
2  192.168.2.1 (192.168.2.1)  2.402 ms   6.567 ms   9.843 ms
3  10.0.2.17 (10.0.2.17)  12.256 ms   8.601 ms   6.955 ms
traceroute from host 10.0.2.17
traceroute to 10.1.6.17 (10.1.6.17), 30 hops max, 40 byte packets using UDP
1  10.0.1.1 (10.0.1.1)  0.854 ms   0.862 ms   1.965 ms
2  * * *
3  * * *
and yet
PING 10.0.1.17 (10.0.1.17): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=63 time=3.034 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=1.690 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=1.994 ms


Help me understand the cause of this nonsense.


Cisco config:
!
crypto isakmp policy 15
 encr aes
 authentication pre-share
 group 5
crypto isakmp key c00cefffc627f1a05d458652d9c2e8de410041ff address 192.168.2.1
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
!
crypto map MSK-TEST 15 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set aes-set
 match address MSK-TEST
!
interface Tunnel6
 description tunnel MSK-TEST
 no ip address
 ip access-group INET in
 tunnel source FastEthernet0/1
 tunnel destination 192.168.2.1
 crypto map MSK-TEST
!
interface FastEthernet0/0
 description LAN interface
 ip address 10.0.1.1 255.255.255.0
 ip access-group LAN_INTERFACE in
 ip nat inside
 no ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description WAN interface
 ip address 192.168.1.1 255.255.255.0
 ip access-group WAN_INTERFACE in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
ip access-list extended INET
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
!
ip access-list extended MSK-TEST
 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
 deny   ip any any log
!
ip access-list extended LAN_INTERFACE
 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 host 192.168.2.1
!
ip access-list extended WAN_INTERFACE
 permit ip 192.168.2.1 host 192.168.1.1
 permit esp 192.168.2.1 host 192.168.1.1
 permit gre 192.168.2.1 host 192.168.1.1
!
ip route 10.0.2.0 255.255.255.0 Tunnel6


Messages in this discussion
"IPSEC tunnel setup problem"
Posted by karen durinyan, 07-Jul-10 13:28
>[overquoting removed]
>ip access-list extended LAN_INTERFACE
> permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
> permit ip 10.0.1.0 0.0.0.255 host 192.168.2.1
>!
>ip access-list extended WAN_INTERFACE
> permit ip 192.168.2.1 host 192.168.1.1
> permit esp 192.168.2.1 host 192.168.1.1
> permit gre 192.168.2.1 host 192.168.1.1
>!
>ip route 10.0.2.0 255.255.255.0 Tunnel6

Hi.

1. From your traceroute I don't see that the IPsec tunnel is established, because I see the peer address there, which in principle should not be there.

2. If I'm wrong about 1. after all :), remove "ip access-group INET in" from the tun6 interface temporarily for the test.

Good luck


"IPSEC tunnel setup problem"
Posted by karen durinyan, 07-Jul-10 13:36
>[overquoting removed]
>
>1. From your traceroute I don't see that the IPsec tunnel is established,
>because I see the peer address there, which in principle should not
>be there.
>
>2. If I'm wrong about 1. after all :), remove
>"ip access-group INET in" from the tun6 interface temporarily for the test.
>
>
>Good luck

3. 10.1.6.17 does not fall into the MSK-TEST ACL


"IPSEC tunnel setup problem"
Posted by ss2707, 07-Jul-10 14:04
>>[overquoting removed]
>3. 10.1.6.17 does not fall into the MSK-TEST ACL

My mistake. :( It should be:

traceroute from host 10.0.1.17
traceroute to 10.0.2.17 (10.0.2.17), 30 hops max, 40 byte packets using UDP
1  10.0.1.1 (10.0.1.1)  0.854 ms   0.862 ms   1.965 ms
2  192.168.2.1 (192.168.2.1)  2.402 ms   6.567 ms   9.843 ms
3  10.0.2.17 (10.0.2.17)  12.256 ms   8.601 ms   6.955 ms
traceroute from host 10.0.2.17
traceroute to 10.0.1.17 (10.0.1.17), 30 hops max, 40 byte packets using UDP
1  10.0.1.1 (10.0.1.1)  0.854 ms   0.862 ms   1.965 ms
2  * * *
3  * * *


"IPSEC tunnel setup problem"
Posted by ss2707, 07-Jul-10 13:55
>>[overquoting removed]
>1. From your traceroute I don't see that the IPsec tunnel is established,
>because I see the peer address there, which in principle should not
>be there.
>
>2. If I'm wrong about 1. after all :), remove
>"ip access-group INET in" from the tun6 interface temporarily for the test.

interface: Tunnel6
    Crypto map tag: MSK-TEST, local addr 192.168.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   current_peer 192.168.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 368, #pkts decrypt: 368, #pkts verify: 368
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel6
     current outbound spi: 0xCEA2D5F3(3466778099)

     inbound esp sas:
      spi: 0x410C0D53(1091308883)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2777, flow_id: NETGX:777, crypto map: MSK-TEST
        sa timing: remaining key lifetime (k/sec): (4501033/203)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCEA2D5F3(3466778099)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2778, flow_id: NETGX:778, crypto map: MSK-TEST
        sa timing: remaining key lifetime (k/sec): (4501043/203)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


"IPSEC tunnel setup problem"
Posted by karen durinyan, 07-Jul-10 15:15
>[overquoting removed]
>lifetime (k/sec): (4501043/203)
>        IV size: 16 bytes
>
>        replay detection support: Y
>
>        Status: ACTIVE
>
>     outbound ah sas:
>
>     outbound pcp sas:

Got it. But from the
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 368, #pkts decrypt: 368, #pkts verify: 368

lines it is visible that you only have decaps packets, that is, packets come out of the IPsec tunnel but do not go into it.

I have 2 suggestions.
1. As I said, temporarily remove the access-group from the tun interfaces.
2. Put a /30 network on the tun interfaces (this will help you see the tun IP in traceroute rather than the peer IP, which makes troubleshooting easier).



"IPSEC tunnel setup problem"
Posted by karen durinyan, 07-Jul-10 15:40
>[overquoting removed]
>#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
>#pkts decaps: 368, #pkts decrypt: 368, #pkts verify: 368
>
>lines it is visible that you only have decaps packets, that is, packets come out
>of the IPsec tunnel but do not go into it.
>
>I have 2 suggestions.
>1. As I said, temporarily remove the access-group from the tun interfaces.
>2. Put a /30 network on the tun interfaces (this will help you see the tun IP
>in traceroute rather than the peer IP, which makes troubleshooting easier).

Also noticed...
move "crypto map MSK-TEST" from tun6 to FastEthernet0/1
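
The encaps/decaps reading karen does by eye is worth automating when a router carries many crypto map entries. The following is an added example, not code from the thread or from Cisco: it parses the text of `show crypto ipsec sa` (SAMPLE is a constructed, shortened copy of the output ss2707 pasted, keeping only the lines the parser needs) and turns the encaps/decaps pair plus ESP SA status into the same verdict given above. The verdict table (idle, receive only, send only, bidirectional) is my own wording; IOS prints no such verdict.

```python
"""Classify an IPsec SA from `show crypto ipsec sa` counters.

Added example for this thread, not code from the original posts or from Cisco.
SAMPLE is a constructed, shortened copy of the output pasted in the thread:
only the lines the parser looks at were kept.
"""
import re

SAMPLE = """\
interface: Tunnel6
    Crypto map tag: MSK-TEST, local addr 192.168.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   current_peer 192.168.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 368, #pkts decrypt: 368, #pkts verify: 368
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x410C0D53(1091308883)
        Status: ACTIVE

     inbound ah sas:

     outbound esp sas:
      spi: 0xCEA2D5F3(3466778099)
        Status: ACTIVE

     outbound ah sas:
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")


def parse_sa(text):
    """Pull counters, traffic selectors, error counts and ESP SA status out of one entry."""
    sa = {"counters": {}, "ident": {}, "errors": {},
          "active": {"inbound": False, "outbound": False}}
    for m in COUNTER_RE.finditer(text):
        sa["counters"][m.group(1)] = int(m.group(2))
    for m in IDENT_RE.finditer(text):
        sa["ident"][m.group(1)] = "%s/%s" % (m.group(2), m.group(3))
    for m in ERROR_RE.finditer(text):
        sa["errors"][m.group(1)] = int(m.group(2))
    # "Status: ACTIVE" lines belong to whichever "... sas:" header preceded them;
    # only the ESP sections matter here (AH/PCP sections are empty on this router).
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("sas:"):
            section = s.split()[0] if s in ("inbound esp sas:", "outbound esp sas:") else None
        elif s == "Status: ACTIVE" and section:
            sa["active"][section] = True
    return sa


def diagnose(text):
    """Turn the counter pair into the verdict a troubleshooter reads off by eye."""
    sa = parse_sa(text)
    enc = sa["counters"].get("encaps", 0)
    dec = sa["counters"].get("decaps", 0)
    if not (sa["active"]["inbound"] and sa["active"]["outbound"]):
        return "no active ESP SA pair: phase 2 not complete, check IKE first"
    if enc == 0 and dec == 0:
        return "SA up but idle: no interesting traffic is hitting the crypto map"
    if enc == 0:
        return ("one-way, receive only: %s -> %s is never encrypted, so it is being "
                "routed or NATed past the crypto map"
                % (sa["ident"].get("local"), sa["ident"].get("remote")))
    if dec == 0:
        return "one-way, send only: the peer is not encrypting its side, or ESP is filtered inbound"
    return "bidirectional: %d encaps / %d decaps" % (enc, dec)


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

Run against the pasted output it reports "one-way, receive only" for 10.0.1.0/24 -> 10.0.2.0/24, which is exactly the case in this thread: the SAs are ACTIVE in both directions, so IKE is fine and the problem is on the plaintext side (routing or NAT), not in the tunnel.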


"IPSEC tunnel setup problem"
Posted by ss2707, 07-Jul-10 16:00
Thanks everyone. :)

Changes:

ip route 10.0.2.0 255.255.255.0 192.168.2.1

ip nat inside source list 110 interface FastEthernet0/1 overload
access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
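
The list 110 change above works because on IOS the inside-to-outside NAT translation runs before the crypto map on the outside interface is consulted: a 10.0.1.x packet that list 110 permits is rewritten to 192.168.1.1 first and then no longer matches MSK-TEST, which is why encaps stayed at 0. Together with karen's point 3 (10.1.6.17 is not covered by MSK-TEST at all) this is a check across two ACLs. The following is an added example, not code from the thread or from Cisco IOS: it evaluates extended ACL lines in the syntax used on this page (permit/deny ip, wildcard masks, any, host) and reports crypto-ACL flows the NAT ACL would still translate. The one-line "before" NAT list (permit 10.0.1.0/24 to any without the deny) is my assumption of what the poster had; the page shows only the corrected list.

```python
"""Evaluate Cisco extended ACLs: is a flow "interesting" for the crypto map,
and does the NAT ACL exempt every crypto-ACL flow?

Added example for this thread, not code from the posts or from Cisco IOS.
Handles only the syntax seen on this page: `permit|deny ip <src> <dst>` where
each side is `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`; trailing keywords such
as `log` are ignored, and a numbered `access-list N` prefix is accepted.
"""
import ipaddress


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard mask: set bits are "don't care", so the netmask is its inverse.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network("%s/%s" % (tok, netmask), strict=False), i + 2


def parse_acl(lines):
    """Return [(action, src_net, dst_net), ...] in configured order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] == ["access-list"]:      # numbered form: drop "access-list 110"
            tokens = tokens[2:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append((tokens[0], src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First match wins; the implicit deny at the end is IOS behaviour."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


def nat_exemption_gaps(crypto_acl, nat_acl):
    """Crypto-ACL permit entries whose traffic the NAT ACL would still translate.

    On IOS, inside-to-outside NAT runs before the crypto map is consulted, so a
    translated packet no longer matches the crypto ACL and leaves in the clear.
    One representative host per side is tested (first host of each network).
    """
    gaps = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        s = next(src.hosts()) if src.num_addresses > 1 else src.network_address
        d = next(dst.hosts()) if dst.num_addresses > 1 else dst.network_address
        if evaluate(nat_acl, str(s), str(d)) == "permit":
            gaps.append((str(src), str(dst)))
    return gaps


# Crypto ACL exactly as posted in the thread.
CRYPTO_ACL = parse_acl([
    "permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255",
    "deny   ip any any log",
])
# Assumed "before" state (the page shows only the corrected list 110).
NAT_ACL_BEFORE = parse_acl(["access-list 110 permit ip 10.0.1.0 0.0.0.255 any"])
# Corrected list 110 from the final post: exempt VPN traffic, then NAT the rest.
NAT_ACL_AFTER = parse_acl([
    "access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255",
    "access-list 110 permit ip 10.0.1.0 0.0.0.255 any",
])

if __name__ == "__main__":
    print("10.0.1.17 -> 10.1.6.17 interesting?", evaluate(CRYPTO_ACL, "10.0.1.17", "10.1.6.17"))
    print("NAT gaps before:", nat_exemption_gaps(CRYPTO_ACL, NAT_ACL_BEFORE))
    print("NAT gaps after:", nat_exemption_gaps(CRYPTO_ACL, NAT_ACL_AFTER))
```

With the assumed "before" list the checker reports the 10.0.1.0/24 -> 10.0.2.0/24 flow as still translated; with the posted deny line first it reports no gaps, and the original mistyped traceroute target 10.1.6.17 evaluates to deny on MSK-TEST, matching karen's point 3. The same order-of-operations caveat applies to any ACL applied with `ip access-group` on the path: the traceroute and ping in the first post are filtered by LAN_INTERFACE and WAN_INTERFACE before anything reaches the crypto map.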