Cisco 881 PCI K9. Good evening. I can't get traffic to pass through the VPN tunnel. I'll show right away how I set it up. I found the config on the internet:

aaa new-model
aaa authentication login USER-EVPN local
aaa authorization network GROUP-EVPN local
!
username user password 0 12345678
ip local pool VPN-POOL 192.168.1.1 192.168.1.50
!
crypto isakmp policy 10
authentication pre-share
hash md5
group 2
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
crypto isakmp client configuration group EVPN-GROUP
key 12345678
pool VPN-POOL
acl 120
crypto isakmp profile VPN-CLIENT
match identity group EVPN-GROUP
client authentication list USER-EVPN
isakmp authorization list GROUP-EVPN
client configuration address respond
crypto dynamic-map DYNMAP 10
set transform-set 3DES-MD5
set isakmp-profile VPN-CLIENT
reverse-route
crypto map DMAP 1 ipsec-isakmp dynamic DYNMAP
int FA4
crypto map DMAP
router rip
redistribute static
access-list 170 permit esp any any
access-list 170 permit udp any any eq isakmp
access-list 170 permit udp any any eq non500-isakmp
---------------------------------------------------------
After entering the commands, I start the Cisco VPN Client from home, enter the login EVPN-GROUP and the password, then log in the user. The connection is established. A VPN connection with the settings specified on the router appears in the network connections. But ping does not work either to the office or from the office. The encrypted and decrypted statistics on the VPN client show 0. On the router:
sh cry sess detail
Interface: FastEthernet4
Username: EVPN
Profile: VPN-CLIENT
Group: EVPN-GROUP
Assigned address: 192.168.1.1
Uptime: 00:33:58
Session status: UP-ACTIVE
Peer: 109.72.*.* (home IP) port 51603 fvrf: (none) ivrf: (none)
Phase1_id: EVPN-GROUP
Desc: (none)
IKEv1 SA: local 84.47.*.*/4500 remote 109.72.*.*/51603 Active
Capabilities:CXN connid:2014 lifetime:23:25:54
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.1.1
Active SAs: 2, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4388316/1561
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4388316/1561
---------------------------------------------
sh cryp engi connect active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
9 IPsec 3DES+MD5 0 0 0 84.47.*.*
10 IPsec 3DES+MD5 0 0 0 84.47.*.*
2001 IKE MD5+DES 0 0 0 84.47.*.*
2002 IKE MD5+DES 0 0 0 84.47.*.*
2003 IKE MD5+DES 0 0 0 84.47.*.*
2004 IKE MD5+DES 0 0 0 84.47.*.*
2005 IKE MD5+DES 0 0 0 84.47.*.*
2007 IKE MD5+DES 0 0 0 84.47.*.*
2011 IKE MD5+DES 0 0 0 84.47.*.*
2014 IKE MD5+DES 0 0 0 84.47.*.*
-------------------------------------------------------
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
84.47.*.* 109.72.*.* (home IP) QM_IDLE 2014 ACTIVE VPN-CLIENT
84.47.*.* 109.72.*.* QM_IDLE 2011 ACTIVE VPN-CLIENT
84.47.*.* 109.72.*.* QM_IDLE 2007 ACTIVE VPN-CLIENT
--------------------------------------------------------
sh crypto ipsec sa
interface: FastEthernet4
Crypto map tag: DMAP, local addr 84.47.*.*
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
current_peer 109.72.*.* port 51603
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 84.47.*.*, remote crypto endpt.: 109.72.*.*
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x88F87139(2297983289)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xF54D33E9(4115477481)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 9, flow_id: Onboard VPN:9, sibling_flags 80000046, crypto map: DMAP
sa timing: remaining key lifetime (k/sec): (4388316/1053)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
------------------------------------
sh crypto map
Crypto Map IPv4 "DMAP" 1 ipsec-isakmp
Dynamic map template tag: DYNMAP
Crypto Map IPv4 "DMAP" 65536 ipsec-isakmp
Peer = 109.72.*.*
ISAKMP Profile: VPN-CLIENT
Extended IP access list
access-list permit ip any host 192.168.1.1
dynamic (created from dynamic map DYNMAP/10)
Current peer: 109.72.*.*
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
3DES-MD5: { esp-3des esp-md5-hmac } ,
}
Reverse Route Injection Enabled
Interfaces using crypto map DMAP:
FastEthernet1
FastEthernet4
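The symptom in the post (SAs ACTIVE, yet every encaps/decaps counter at 0) is easy to miss when scrolling through pages of "sh crypto ipsec sa". The script below is an added example, not from the original post: it parses that output into one record per IPsec flow and lists the flows that have never carried a packet in either direction. The sample text is constructed from the output quoted above (IPs masked as on the page); the second flow with non-zero counters is invented to show the filter working.

```python
import re

# Constructed sample modelled on the 'sh crypto ipsec sa' output in the post (IPs masked as on the page);
# the second flow, with non-zero counters, is invented so the idle-flow filter has something to skip.
SAMPLE_SHOW_IPSEC_SA = """\
interface: FastEthernet4
    Crypto map tag: DMAP, local addr 84.47.*.*
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   current_peer 109.72.*.* port 51603
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
   current_peer 109.72.*.* port 51604
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""

FLOW_START = re.compile(r"^[ \t]*local\s+ident", re.M)   # each flow block begins with its local proxy identity
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"current_peer\s+(\S+)\s+port\s+(\d+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """One dict per IPsec flow: proxy identities, peer address/port and packet counters."""
    flows = []
    starts = [m.start() for m in FLOW_START.finditer(text)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        block = text[start:end]
        flow = {"encaps": 0, "decaps": 0}
        for side, ident in IDENT_RE.findall(block):
            flow[side] = ident                  # e.g. flow["remote"] = "192.168.1.1/255.255.255.255/0/0"
        peer = PEER_RE.search(block)
        if peer:
            flow["peer"], flow["port"] = peer.group(1), int(peer.group(2))
        for name, value in COUNTER_RE.findall(block):
            flow[name] = int(value)             # encaps = outbound packets, decaps = inbound packets
        flows.append(flow)
    return flows


def idle_flows(text):
    """Flows whose SA exists but has never carried a packet in either direction."""
    return [f for f in parse_ipsec_sa(text) if f["encaps"] == 0 and f["decaps"] == 0]
```

Feed idle_flows() the pasted output of "sh crypto ipsec sa"; a flow that stays in the list while the client is actively pinging is one whose traffic never reaches the crypto engine, which narrows the search to routing, NAT or the proxy identities rather than the IKE negotiation.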
Outdated.
Here's an example:
https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/g...
> Outdated.
> Here's an example:
> https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/g...
Well, just a huuuuuge thank you. The VPN "from the link" is working.
>> Outdated.
>> Here's an example:
>> https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/g...
> Well, just a huuuuuge thank you. The VPN "from the link" is working.
Not everything is so smooth. Today a glitch was noticed on one computer that was connecting to the VPN. In the morning it connected to the router through Cisco VPN Client, then started a connection to the terminal server (RDP) that sits behind the router. Everything was OK. Then after some time it disconnected, connected again, and could no longer get onto the terminal server. More precisely, it could ping everything in the local network behind the router except the terminal server. The terminal server did not respond to ping, yet it was up and running, since it was accessible from that office. So I think the problem is 100% somewhere in the VPN. Then after a while (about 5 minutes), after several connect/disconnect cycles, everything worked again. Can you tell me what it could have been?
;)
> ;)
aaa new-model
!
!
aaa authentication login USER-EVPN local
aaa authorization network GROUP-EVPN local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
clock timezone PCTime 3 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3162754647
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3162754647
revocation-check none
rsakeypair TP-self-signed-3162754647
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-3162754647
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
!
!
!
ip vrf MyRouter
!
!
!
ip cef
ip flow-cache timeout active 1
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-PCI-K9 sn FCZ16
license boot module c880-data level advipservices
!
!
username 1 privilege 15 view root secret 4 WIt8jvB9k8OmgaoqfrYwU//PXImqYGmcAxH9SvUrP.Q
username 2 privilege 15 view root secret 4 Al8uww7VpZFUTM/RUP.HMrmnPkjI38WOgymMWl8y/QY
username VPN password 0 12345678
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN-GROUP
key **********
dns 192.168.3.4
wins 192.168.3.4
pool VPN-POOL
acl 120
save-password
crypto isakmp profile VPN-CLIENT
match identity group VPN-GROUP
client authentication list USER-VPN
isakmp authorization list GROUP-VPN
client configuration address respond
virtual-template 1
!!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
!
crypto ipsec profile test-vti1
set transform-set VTI-TS
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
shutdown
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description Internet$ETH-WAN$
ip address 81.*.*.* 255.255.255.248
ip broadcast-address 0.0.0.0
ip access-group dostup-rdp in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
ip broadcast-address 0.0.0.0
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile test-vti1
!
interface Vlan1
description Lan$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.3.3 255.255.0.0
ip broadcast-address 0.0.0.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
!
interface Vlan2
description second_int
ip address 192.168.6.2 255.255.255.0
ip broadcast-address 0.0.0.0
ip nat outside
ip nat enable
ip virtual-reassembly in
shutdown
!
ip local pool VPN-POOL 192.168.3.80 192.168.3.99
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-export version 5
ip flow-export destination 192.168.3.7 9996
!
ip nat sip-sbc
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.3.8 3389 interface FastEthernet4 3154
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 81.*.*.*
!
ip access-list extended dostup-rdp
remark Ivlev
permit tcp 109.*.*.0 0.0.0.255 host 81.*.*.* eq 3154
deny tcp any host 81.*.*.* eq 3154
permit ip any any
!
no logging trap
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 192.168.3.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 104 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.3.0 0.0.0.255 any
access-list 120 permit ip 192.168.3.0 0.0.0.255 any
access-list 170 permit esp any any
access-list 170 permit udp any any eq isakmp
access-list 170 permit udp any any eq non500-isakmp
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 104
match interface FastEthernet4
!
snmp-server community public RO
snmp-server ifindex persist
snmp-server host 192.168.3.7 public
!
!
!
control-plane
!