ни в какую работать не хочет!
2811: IOS Version 12.4(1r)
VPN Client: 4.8.01.0300
Ругается:
*Nov 9 15:41:34.384: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 172.16.30.54
Настраивал с помощью wizard на одном из внутренних Vlan, а именно Vlan4; локалка подключена на Vlan1.
HELP?!
конфиг полный покажите...
>конфиг полный покажите...
удалил то что по визарду, начал делать как тут написано:
http://www.cisco.com/warp/public/471/ios-unity.html
не работает :(
строю на interface Vlan4
ошибки в клиенте:
2 17:29:01.068 11/11/06 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
3 17:29:01.068 11/11/06 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
ошибки на циске:
очень много, но суть, как я понял, в неверном методе шифрования,
кстати, они такие же, как и в статье указаны.
Конфиг:
Building configuration...
Current configuration : 8897 bytes
!
! Reviewer notes: lines beginning with "!" are ignored by IOS and only annotate
! this posted configuration. It accompanies a failing VPN Client connection; the
! router log reports "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode
! failed with peer at 172.16.30.54".
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Password encryption is off, so every secret typed in clear stays in clear in
! this output (the "password 0" user, the client group key, the RADIUS key).
! "service password-encryption" is the minimal step before sharing a config.
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-10.bin
boot-end-marker
!
logging buffered 512000 debugging
enable secret 5 *****************
!
aaa new-model
!
!
! Both method lists use the local user database. They are referenced only by
! "crypto map clientmap" (client authentication / isakmp authorization). The
! RADIUS server defined further down is not named by any method list shown here.
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone MSK 3
!
!
ip cef
!
!
ip domain name domain.com
ip name-server 172.16.0.3
ip name-server 172.16.0.4
!
!
! Type 0 = stored in clear text (see "no service password-encryption" above).
username kot privilege 15 password 0 *****************
!
!
!
! The only ISAKMP (phase 1) policy; it is shared by the two site-to-site peers
! and by the remote-access clients (3DES, pre-shared key, DH group 2).
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ***************** address 172.16.53.245
crypto isakmp key ***************** address 172.16.52.253
!
! Remote-access group for the VPN Client. The group key is in clear text here.
! NOTE(review): group-key authentication is the aggressive-mode exchange that the
! router log reports as failing; the group name and key must match the client's
! connection entry exactly - confirm on the client side.
crypto isakmp client configuration group 3000client
key cisco123
dns 172.16.0.3
wins 172.16.0.5
domain domain.com
pool ippool
!
!
! Three transform sets with identical proposals (ESP 3DES + SHA-1 HMAC).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set cisco_vpn esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
! Dynamic map picked up by "crypto map clientmap 10". It carries no
! reverse-route; see the note at "ip local pool" below.
crypto dynamic-map dynmap 10
set transform-set cisco_vpn
!
!
! Site-to-site map toward Moscow: protects the GRE tunnel traffic matched by
! ACL 100. Applied on Tunnel0 and on Vlan3.
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 172.16.53.245
set peer 172.16.53.245
set transform-set ESP-3DES-SHA
match address 100
!
! Site-to-site map toward NYC: protects the subnets matched by ACL 101.
! Applied on Vlan2.
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to 172.16.52.253
set peer 172.16.52.253
set transform-set ESP-3DES-SHA1
match address 101
!
! Remote-access map. It is applied only on interface Vlan4 (192.168.50.0/24).
! NOTE(review): the failing peer in the posted log, 172.16.30.54, is an address
! in the Vlan1 subnet (172.16.30.0/24), and Vlan1 carries no crypto map - confirm
! the client actually reaches the router through the interface that has clientmap.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
! GRE tunnel to Moscow, sourced from the Vlan3 address; encrypted by SDM_CMAP_1.
interface Tunnel0
description Tunnel to Moscow
ip address 172.16.103.1 255.255.255.252
ip mtu 1420
tunnel source 172.16.53.254
tunnel destination 172.16.53.245
tunnel path-mtu-discovery
crypto map SDM_CMAP_1
!
interface FastEthernet0/0
description Vlan1 - New DHCP Scope$ETH-LAN$
ip address 172.16.0.254 255.255.240.0
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description Vlan1 - Main Office LAN$ETH-LAN$
ip address 192.168.12.254 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1420
duplex auto
speed auto
!
! Switch-module ports; each is an access port in the VLAN named in its description.
interface FastEthernet0/0/0
description Vlan10 - Site ZZZ VPN
switchport access vlan 10
!
interface FastEthernet0/0/1
description Vlan1 - Main Office LAN
!
interface FastEthernet0/0/2
description Vlan2 - Site NYC VPN
switchport access vlan 2
!
interface FastEthernet0/0/3
description Vlan3 - Site Moscow VPN
switchport access vlan 3
!
interface FastEthernet0/1/0
description Vlan4 - Cisco VPN
switchport access vlan 4
!
interface FastEthernet0/1/1
shutdown
!
interface FastEthernet0/1/2
shutdown
!
interface FastEthernet0/1/3
shutdown
!
! LAN side: NAT inside. The default route below points to 172.16.30.1, a host on
! this subnet.
interface Vlan1
description Main Office - LAN
ip address 172.16.30.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1420
!
interface Vlan2
description Site NYC - VPN
ip address 172.16.52.254 255.255.255.0
ip tcp adjust-mss 1420
crypto map SDM_CMAP_2
!
interface Vlan3
description Site Moscow - VPN
ip address 172.16.53.254 255.255.255.248
ip tcp adjust-mss 1420
crypto map SDM_CMAP_1
!
! The only interface carrying the remote-access crypto map.
interface Vlan4
description Main Office - Cisco VPN
ip address 192.168.50.254 255.255.255.0
crypto map clientmap
!
! NAT outside toward site ZZZ. The in/out access lists below permit ICMP only and
! log everything else.
interface Vlan10
description Site ZZZ - VPN
ip address 10.38.255.133 255.255.255.252
ip access-group vlan10_in in
ip access-group vlan10_out out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1420
!
! Address pool handed to VPN clients. NOTE(review): 192.168.51.x is not part of
! any connected subnet and dynmap has no reverse-route; confirm that return
! traffic to an assigned client address is routed into the tunnel rather than
! following the default route to 172.16.30.1.
ip local pool ippool 192.168.51.1 192.168.51.10
ip route 0.0.0.0 0.0.0.0 172.16.30.1
ip route 10.0.0.0 255.0.0.0 10.38.255.134 permanent
ip route 10.35.242.240 255.255.255.240 Vlan1 permanent
ip route 172.16.53.240 255.255.255.248 172.16.53.249 permanent
ip route 192.168.1.0 255.255.255.0 172.16.30.25 permanent
ip route 192.168.2.0 255.255.255.0 172.16.30.197 permanent
ip route 192.168.11.0 255.255.255.0 Vlan2 permanent
ip route 192.168.22.0 255.255.255.0 Tunnel0 permanent
ip route 192.168.30.0 255.255.255.0 172.16.30.1 permanent
!
! Plain HTTP is disabled; HTTPS management is enabled and authenticates against
! the local user database.
no ip http server
ip http authentication local
ip http secure-server
ip nat translation timeout 6000
! Dynamic NAT pool for site ZZZ plus five static one-to-one translations.
ip nat pool ZZZ 10.35.242.246 10.35.242.255 netmask 255.255.255.240
ip nat inside source list 11 pool ZZZ
ip nat inside source static 172.16.30.134 10.35.242.241
ip nat inside source static 172.16.30.32 10.35.242.242
ip nat inside source static 172.16.30.99 10.35.242.243
ip nat inside source static 172.16.30.223 10.35.242.244
ip nat inside source static 172.16.30.16 10.35.242.245
!
! Only ICMP passes Vlan10 in either direction; all other IP is denied and logged.
! With these lists the NAT translations above can carry ICMP only - presumably a
! deliberate lockdown while testing; confirm.
ip access-list extended vlan10_in
permit icmp any any
deny ip any any log
ip access-list extended vlan10_out
permit icmp any any
deny ip any any log
!
logging 172.16.30.11
! NAT source list: a few hosts of 172.16.30.0/24 are excluded from translation,
! the rest of the subnet is translated via pool ZZZ.
access-list 11 deny 172.16.30.134
access-list 11 deny 172.16.30.3
access-list 11 remark NAT
access-list 11 remark SDM_ACL Category=2
access-list 11 deny 172.16.30.1
access-list 11 deny 172.16.30.5
access-list 11 deny 172.16.30.11
access-list 11 permit 172.16.30.0 0.0.0.255
! Crypto ACL for SDM_CMAP_1: only GRE between the two tunnel endpoints.
access-list 100 remark SDM_ACL Category=4
access-list 100 permit gre host 172.16.53.254 host 172.16.53.245
access-list 100 remark SDM_ACL Category=4
! Crypto ACL for SDM_CMAP_2: LAN 172.16.30.0/24 <-> NYC 192.168.11.0/24.
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.16.30.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
! "public" is the well-known default community string. It is read-only here but
! no access list restricts who may query it; use a non-default string and bind it
! to an access list.
snmp-server community public RO
snmp-server location Main Office
snmp-server contact kot
!
! RADIUS shared secret is in clear text, and no AAA method list above uses RADIUS.
radius-server host 172.16.30.245 auth-port 1645 acct-port 1646 key cisco_key
!
control-plane
!
!
!
line con 0
! AUX line configured for inbound/outbound modem use.
line aux 0
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
! Telnet is accepted inbound, so management credentials can cross the network in
! clear; "transport input ssh" limits management access to SSH.
line vty 0 4
password *****************
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
!
end
cisco#
Up!
Up!
Up!
Где маршрут на адреса 192.168.51.1 192.168.51.10?
>Где маршрут на адреса 192.168.51.1 192.168.51.10?
согласен, но тут дело не в этом :(