The OpenNET Project forum: CISCO routers and other equipment (Public)
"VPN PIX515 - Cisco877 50% loss"
Posted by maxim675 on 04-Jul-07, 19:24
Good day, gentlemen.

There is an IPsec LAN-to-LAN VPN.
Diagram:

10.2.16.5 ---- PIX515--- IPsec VPN --- Cisco877 --- 192.168.22.156

The problem is that a reply comes back for roughly every 2nd ICMP packet.

bash-3.00$ /usr/sbin/ping -s 192.168.22.156 20 77
PING 192.168.22.156: 20 data bytes
28 bytes from 192.168.22.156: icmp_seq=0. time=84.7 ms
28 bytes from 192.168.22.156: icmp_seq=3. time=84.1 ms
28 bytes from 192.168.22.156: icmp_seq=5. time=84.0 ms
28 bytes from 192.168.22.156: icmp_seq=6. time=84.2 ms
28 bytes from 192.168.22.156: icmp_seq=8. time=84.6 ms
28 bytes from 192.168.22.156: icmp_seq=10. time=84.7 ms
28 bytes from 192.168.22.156: icmp_seq=12. time=84.9 ms
28 bytes from 192.168.22.156: icmp_seq=14. time=93.2 ms
28 bytes from 192.168.22.156: icmp_seq=17. time=88.9 ms
28 bytes from 192.168.22.156: icmp_seq=18. time=85.4 ms
28 bytes from 192.168.22.156: icmp_seq=20. time=84.8 ms
28 bytes from 192.168.22.156: icmp_seq=22. time=85.8 ms
....... etc.

sh crypto ipsec sa shows

Cisco877# sh crypto ipsec sa

interface: Vlan2
Crypto map tag: TUNN1, local addr CCC.CCC.CCC.CCC

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.22.156/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.2.16.5/255.255.255.255/0/0)
current_peer PPP.PPP.PPP.PPP port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
#pkts decaps: 77, #pkts decrypt: 77, #pkts verify: 77
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: CCC.CCC.CCC.CCC, remote crypto endpt.: PPP.PPP.PPP.PPP
path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0x230D0DEA(588058090)

inbound esp sas:
spi: 0x7E723BDA(2121415642)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: TUNN1
sa timing: remaining key lifetime (k/sec): (4396792/987)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x230D0DEA(588058090)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: TUNN1
sa timing: remaining key lifetime (k/sec): (4396828/987)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:


PIX515e# sh crypto ipsec sa peer CCC.CCC.CCC.CCC
peer address: CCC.CCC.CCC.CCC
Crypto map tag: ATM2, seq num: 22, local addr: PPP.PPP.PPP.PPP

access-list VPN143 permit ip host 10.2.16.5 host 192.168.21.156
local ident (addr/mask/prot/port): (10.2.16.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.21.156/255.255.255.255/0/0)
current_peer: CCC.CCC.CCC.CCC

#pkts encaps: 77, #pkts encrypt: 77, #pkts digest: 77
#pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 77, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: PPP.PPP.PPP.PPP, remote crypto endpt.: CCC.CCC.CCC.CCC

path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: A1A840F6

inbound esp sas:
spi: 0x00AED011 (11456529)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 3067, crypto-map: ATM2
sa timing: remaining key lifetime (kB/sec): (4274999/3569)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xA1A840F6 (2712158454)
transform: esp-3des esp-sha-hmac
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 3067, crypto-map: ATM2
sa timing: remaining key lifetime (kB/sec): (4274998/3568)
IV size: 8 bytes
replay detection support: Y

That is, the packets go out through the tunnel to the Cisco877, and there they get mixed up somewhere and only half come back.

Question:
How do I monitor the inside interface on a Cisco 877 router?
On the PIX515 there is the command debug icmp trace. On the 877 that does not work.

Please tell me where to dig; I have not dealt with routers before, it was all PIX to PIX.


Configs
#####################
Cisco877

Building configuration...

Current configuration : 6112 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
no logging monitor
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip domain name yourdomain.com
!
multilink bundle-name authenticated
chat-script Dialout ABORT ERROR ABORT BUSY "" AT+CGDCONT=1,"IP","internet.mts.ru" TIMEOUT 45 CONNECT \c
chat-script reset "" \d\d\d+++\d\d\d
chat-script mts ABORT ERROR ABORT BUSY "" AT+CGDCONT=1,"IP","internet.mts.ru" OK "ATDT \T" TIMEOUT 45 CONNECT \c
modemcap entry MY_USR_MODEM:MSC=&ATD*99***1#
!
crypto pki trustpoint TP-self-signed-1541553693
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1541553693
revocation-check none
rsakeypair TP-self-signed-1541553693
!
!
crypto pki certificate chain TP-self-signed-1541553693
certificate self-signed 01
D2 CAB237D4
D6D8EC96 13FF92A9 9FB1DD1A 71C2F53C D1C2F309 E101D6
quit
!
!
username s#### privilege 15 secret 5 #####################
username m#### password 0 #########
username k##### privilege 15 secret 5 #########################
username ###v privilege 15 password 0 ########################
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 12
encr 3des
authentication pre-share
group 5
!
crypto isakmp policy 13
encr 3des
authentication pre-share
group 2
crypto isakmp key ################# address PPP.PPP.PPP.PPP
!
!
crypto ipsec transform-set DVAESSET esp-aes esp-sha-hmac
crypto ipsec transform-set SUPER esp-aes esp-sha-hmac
crypto ipsec transform-set portf esp-des esp-md5-hmac
crypto ipsec transform-set esp3des esp-3des esp-md5-hmac
crypto ipsec transform-set 3des2 esp-3des esp-sha-hmac
!
crypto ipsec profile IPSDVAES
set transform-set DVAESSET
!
!
crypto map TUNN1 11 ipsec-isakmp
set peer PPP.PPP.PPP.PPP
set transform-set 3des2
set pfs group5
match address 105
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 0/35
!
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.22.254 255.255.255.0
ip access-group 100 in
ip access-group 100 out
!
interface Vlan2
ip address CCC.CCC.CCC.CCC 255.255.255.252
ip virtual-reassembly
crypto map TUNN1
!
interface Async1
ip address negotiated
encapsulation ppp
no ip route-cache cef
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string "*99***1#"
dialer-group 1
async mode dedicated
no fair-queue
pulse-time 0
ppp chap refuse
ppp pap sent-username mts password 7 15KIHK1F
routing dynamic
!
ip route 0.0.0.0 0.0.0.0 GW.GW.GW.GW
ip route 10.2.16.4 255.255.255.254 Vlan2
ip route 10.2.16.5 255.255.255.255 PPP.PPP.PPP.PPP
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip any any
access-list 101 deny ip any any
access-list 105 permit icmp host 192.168.22.156 host 10.2.16.5
access-list 106 permit ip host 192.168.22.156 host 10.2.16.5
access-list 110 permit icmp host 192.168.22.156 host 10.2.16.5
access-list 110 permit tcp host 192.168.22.156 host 10.2.16.5 eq 5555
access-list 110 permit tcp host 192.168.22.156 host 10.2.16.5 eq 5555
access-list 111 permit ip host 192.168.22.156 host 10.2.16.5
access-list 180 permit ip any 192.168.21.0 0.0.0.255
access-list 180 permit ip any 10.2.16.0 0.0.0.255
access-list 181 permit icmp 10.2.16.0 0.0.0.255 any
access-list 190 permit ip host 10.2.16.5 host 192.168.22.156 log
access-list 190 permit icmp host 10.2.16.5 host 192.168.22.156 log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner login ^C
^C
!
line con 0
login local
modem enable
transport output none
speed 115200
line aux 0
exec-timeout 0 0
script dialer mts
script reset reset
modem InOut
exec-character-bits 8
special-character-bits 8
no exec
transport input all
transport output none
escape-character BREAK
stopbits 1
speed 57600
flowcontrol hardware
line vty 0
exec-timeout 0 0
privilege level 15
login local
transport input telnet ssh
line vty 1
exec-timeout 0 0
login local
transport input all
transport output all
line vty 2 4
exec-timeout 0 0
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

##########################
PIX 515

route INET 192.168.21.156 255.255.255.255 CCC.CCC.CCC.CCC 1

crypto map ATM2 22 match address VPN143
crypto map ATM2 22 set pfs group5
crypto map ATM2 22 set peer CCC.CCC.CCC.CCC
crypto map ATM2 22 set transform-set 3des2

access-list VPN143 extended permit icmp host 10.2.16.5 host 192.168.22.156

tunnel-group CCC.CCC.CCC.CCC type ipsec-l2l
tunnel-group CCC.CCC.CCC.CCC ipsec-attributes
pre-shared-key *


Gentlemen, please tell me how to set up debug on the router.

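The cross-check the post does by eye (PIX encaps 77 / 877 decaps 77, 877 encaps 33 / PIX decaps 33) is the standard way to localize one-way loss across an IPsec tunnel without any debug: compare each peer's encaps with the other peer's decaps, then compare what one peer decrypted with what it encrypted back. The script below is an added example written for this page, not code from the original thread. It assumes the counter lines keep the `#pkts encaps: N` / `#pkts decaps: N` wording shown above and that the traffic is symmetric request/reply (ICMP echo); the two input strings are constructed from the counters the post shows.

```python
"""Localize one-way loss across an IPsec tunnel from 'show crypto ipsec sa'.

Added example for this thread, not code from the original post. It assumes the
counter lines keep the IOS/PIX wording '#pkts encaps: N' / '#pkts decaps: N'
and that the test traffic is symmetric request/reply (ICMP echo), so every
request a peer decapsulates should produce one reply it encapsulates.
"""
import re

# Constructed sample input: the counter lines from the two peers as posted
# (PIX515 sent 77 echo requests, the Cisco877 returned only 33 replies).
PIX_SA = """
#pkts encaps: 77, #pkts encrypt: 77, #pkts digest: 77
#pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
#send errors: 0, #recv errors: 0
"""

IOS_SA = """
#pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
#pkts decaps: 77, #pkts decrypt: 77, #pkts verify: 77
#send errors 0, #recv errors 0
"""

# IOS prints '#send errors 0', the PIX '#send errors: 0'; the colon is optional.
_COUNTER = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):?\s*(\d+)")


def parse_counters(text):
    """Return {'encaps', 'decaps', 'send_errors', 'recv_errors'} -> int."""
    found = {}
    for name, value in _COUNTER.findall(text):
        found[name.replace("pkts ", "").replace(" ", "_")] = int(value)
    missing = {"encaps", "decaps", "send_errors", "recv_errors"} - set(found)
    if missing:
        raise ValueError(f"counters not found: {sorted(missing)}")
    return found


def localize_loss(a_name, a, b_name, b, sent_from_a):
    """Compare both peers' counters for one burst of `sent_from_a` requests
    sent from A's side. Returns a list of findings; empty means consistent."""
    findings = []
    # Encrypted path A->B: what A encapsulated must equal what B decapsulated.
    if a["encaps"] != b["decaps"]:
        findings.append(f"{a['encaps'] - b['decaps']} ESP packets lost on the wire {a_name}->{b_name}")
    # Encrypted path B->A.
    if b["encaps"] != a["decaps"]:
        findings.append(f"{b['encaps'] - a['decaps']} ESP packets lost on the wire {b_name}->{a_name}")
    # Did every request even reach A's crypto map?
    if a["encaps"] < sent_from_a:
        findings.append(f"{a_name}: only {a['encaps']} of {sent_from_a} requests entered the tunnel "
                        f"(crypto ACL or routing on {a_name})")
    # B decrypted N requests but encrypted fewer replies: the drop is on B's
    # clear-text side (routing, ACL, ARP, the host), not inside the tunnel.
    if b["encaps"] < b["decaps"]:
        findings.append(f"{b_name}: {b['decaps']} requests decrypted but only {b['encaps']} replies "
                        f"encrypted; loss is between {b_name}'s inside interface and its crypto map, "
                        f"not in the tunnel")
    for name, c in ((a_name, a), (b_name, b)):
        if c["send_errors"] or c["recv_errors"]:
            findings.append(f"{name}: send errors {c['send_errors']}, recv errors {c['recv_errors']}")
    return findings


def diagnose():
    """Run the check on the constructed sample from the thread."""
    return localize_loss("PIX515", parse_counters(PIX_SA),
                         "Cisco877", parse_counters(IOS_SA), sent_from_a=77)


if __name__ == "__main__":
    for finding in diagnose():
        print(finding)
```

On the sample the only finding is the one the poster reached: both encrypted directions are intact, and the 877 encrypts only 33 replies for 77 decrypted requests, so the loss sits on the router's clear-text side. As for the debug the post asks about: the IOS counterpart of the PIX's `debug icmp trace` is `debug ip packet <acl> detail` with a narrow ACL (the posted config already holds `access-list 190` for exactly that pair of hosts); with CEF enabled it only shows process-switched packets, so disabling route caching on the interface is needed to see everything, which is disruptive on a production router. The counter comparison above costs nothing and is usually enough to pick the side to look at.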

1. "VPN PIX515 - Cisco877 50% loss, addendum:"
Posted by maxim675 on 04-Jul-07, 19:28
Addendum:
Also,
debug ip packet
shows me:

IP: s=192.168.22.156 (Vlan1), d=10.2.16.5 (Vlan2), g=10.2.16.5, len 84, forward
*Mar 7 14:05:06.151: ICMP type=0, code=0
*Mar 7 14:05:08.151: IP: tableid=0, s=192.168.22.156 (Vlan1), d=10.2.16.5 (Vlan2), routed via RIB
*Mar 7 14:05:08.151: IP: s=192.168.22.156 (Vlan1), d=10.2.16.5 (Vlan2), g=10.2.16.5, len 84, forward
*Mar 7 14:05:08.151: ICMP type=0, code=0


For some reason no packets of the form s=10.2.16.5 d=192.168.22.156 are visible.

But they definitely get through, since what I see are the replies to them.

Maybe the problem is here???


2. "VPN PIX515 - Cisco877 50% loss"
Posted by maxim675 on 04-Jul-07, 21:19
Problem solved,

double routing,
see ip route in the Cisco 877 config.

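The "double routing" in the resolution refers to the posted Cisco877 routes: `10.2.16.4/31` via interface `Vlan2` and `10.2.16.5/32` via the peer's address both cover the remote host, with different exits. The check below is an added example written for this page, not code from the original thread: it parses `ip route` lines, performs the longest-prefix match the router performs for a destination, and flags every non-default route that is shadowed by a more specific route with a different exit. It assumes the classic `ip route <network> <mask> <next-hop-or-interface>` form shown in the config and replaces the `GW.GW.GW.GW` / `PPP.PPP.PPP.PPP` placeholders with documentation-range addresses, which is an assumption.

```python
"""Find overlapping static routes in an IOS config (the 'double routing' the
thread ends on). Added example, not from the original post. Assumes the classic
'ip route <net> <mask> <next-hop-or-interface>' syntax; extra trailing tokens
(administrative distance, 'name ...') are ignored."""
import ipaddress

# Constructed input: the three 'ip route' lines from the posted Cisco877 config,
# placeholder addresses replaced with documentation-range values (assumption).
CONFIG = """
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.2.16.4 255.255.255.254 Vlan2
ip route 10.2.16.5 255.255.255.255 203.0.113.2
"""


def parse_static_routes(config):
    """Return [(prefix, exit)] from 'ip route' lines; exit is a next hop or interface."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["ip", "route"]:
            continue
        net, mask, exit_point = parts[2], parts[3], parts[4]
        routes.append((ipaddress.ip_network(f"{net}/{mask}"), exit_point))
    return routes


def lookup(routes, dest):
    """Longest-prefix match: the single route the RIB/CEF uses for dest."""
    dest = ipaddress.ip_address(dest)
    candidates = [r for r in routes if dest in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


def overlapping_routes(routes):
    """Pairs ((specific, exit), (broader, exit)) where a non-default route is
    shadowed by a more specific route that exits differently. The default route
    is skipped because it overlaps everything by design."""
    found = []
    for spec, spec_exit in routes:
        for broad, broad_exit in routes:
            if broad.prefixlen == 0:
                continue
            if (spec.prefixlen > broad.prefixlen and spec.subnet_of(broad)
                    and spec_exit != broad_exit):
                found.append(((spec, spec_exit), (broad, broad_exit)))
    return found


def audit(config, dest):
    """Which route wins for dest, and which routes shadow each other."""
    routes = parse_static_routes(config)
    chosen = lookup(routes, dest)
    return {
        "chosen": (str(chosen[0]), chosen[1]) if chosen else None,
        "overlaps": [(str(s[0]), s[1], str(b[0]), b[1])
                     for s, b in overlapping_routes(routes)],
    }


if __name__ == "__main__":
    result = audit(CONFIG, "10.2.16.5")
    print("route used for 10.2.16.5:", result["chosen"])
    for spec, spec_exit, broad, broad_exit in result["overlaps"]:
        print(f"overlap: {spec} via {spec_exit} shadows {broad} via {broad_exit}")
```

On the router itself, `show ip route 10.2.16.5` and `show ip cef 10.2.16.5` show the live choice. The post does not say which of the two routes was removed; keeping a single route toward the remote host (and, for an interface-only route on a multi-access segment such as `Vlan2`, preferring a next-hop address so the router does not have to ARP for the remote host) is the usual cleanup, stated here as the editor's recommendation rather than the poster's.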