Hello! Packets aren't passing over IPSec, and I can't find the reason.
Here are the configs:
ROUTER 1
crypto isakmp policy 3
hash md5
authentication pre-share
crypto isakmp key 6 WhVUideKbW_OYFMgHIKGFgYbPEfRYfOTH address 10.xxx.xxx.10
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 10.xxx.xxx.10
set transform-set rtpset
match address 103
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
description !xxx!
ip address 10.xxx.xxx.2 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map rtp
!
interface Vlan1
description !xxx!
ip address 192.xxx.xxx.1 255.255.255.240
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.xxx.xxx.1
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 100 deny ip 192.xxx.xxx.0 0.0.0.15 192.xxx.xxx.16 0.0.0.15
access-list 100 permit ip 192.xxx.xxx.0 0.0.0.15 any
access-list 103 permit ip 192.xxx.xxx.0 0.0.0.15 192.xxx.xxx.16 0.0.0.15
route-map nonat permit 10
match ip address 100

ROUTER 2
crypto isakmp policy 3
hash md5
authentication pre-share
crypto isakmp key 6 WhVUideKbW_OYFMgHIKGFgYbPEfRYfOTH address 10.xxx.xxx.2
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
!
crypto map rtp 1 ipsec-isakmp
set peer 10.xxx.xxx.2
set transform-set rtpset
match address 103
!
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
shutdown
no cdp enable
!
interface FastEthernet3
no ip address
shutdown
no cdp enable
!
interface FastEthernet4
description !xxx!
ip address 10.xxx.xxx.10 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map rtp
!
interface Vlan1
description !xxx!
ip address 192.xxx.xxx.17 255.255.255.240
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.xxx.xxx.9
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 100 deny ip 192.xxx.xxx.16 0.0.0.15 192.xxx.xxx.0 0.0.0.15
access-list 100 permit ip 192.xxx.xxx.16 0.0.0.15 any
access-list 103 permit ip 192.xxx.xxx.16 0.0.0.15 192.xxx.xxx.0 0.0.0.15
snmp-server community public RO
route-map mainroute permit 1
match ip address 115
!
route-map nonat permit 10
match ip address 100
What's wrong?
Show
sh crypto ipsec sa
and why the x's on the private IPs??
>Show
>sh crypto ipsec sa
>and why the x's on the private IPs??

ROUTER 1
interface: FastEthernet4
Crypto map tag: rtp, local addr 10.0.100.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.64.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.64.16/255.255.255.240/0/0)
current_peer 10.0.100.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.100.2, remote crypto endpt.: 10.0.100.10
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
ROUTER 2
interface: FastEthernet4
Crypto map tag: rtp, local addr 10.0.100.10
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.64.16/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.64.0/255.255.255.240/0/0)
current_peer 10.0.100.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 35, #recv errors 0
local crypto endpt.: 10.0.100.10, remote crypto endpt.: 10.0.100.2
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
TOTAL SILENCE! :(
>>Show
>>sh crypto ipsec sa
>>and why the x's on the private IPs??
>found a mistake with the pre-shared key
now it looks like this:
ROUTER 2
interface: FastEthernet4
Crypto map tag: rtp, local addr 10.0.100.10
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.64.16/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.64.0/255.255.255.240/0/0)
current_peer 10.0.100.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 35, #recv errors 0
local crypto endpt.: 10.0.100.10, remote crypto endpt.: 10.0.100.2
path mtu 1500, ip mtu 1500
current outbound spi: 0xB20509D3(2986674643)
inbound esp sas:
spi: 0x67087057(1728606295)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: C87X_MBRD:1, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4468172/3480)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB20509D3(2986674643)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: C87X_MBRD:2, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4468172/3480)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Router 1
interface: FastEthernet4
Crypto map tag: rtp, local addr 10.0.100.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.64.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.64.16/255.255.255.240/0/0)
current_peer 10.0.100.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.0.100.2, remote crypto endpt.: 10.0.100.10
path mtu 1500, ip mtu 1500
current outbound spi: 0x67087057(1728606295)
inbound esp sas:
spi: 0xB20509D3(2986674643)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: C87X_MBRD:1, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4598605/3364)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x67087057(1728606295)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: C87X_MBRD:2, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4598605/3364)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
But still nobody behind the tunnel can be pinged from this network... :(
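As an added example (not from the thread or from any of its participants), a small Python triage helper that parses the counters from `show crypto ipsec sa` output like the dumps above and sorts the state into the cases this thread runs through: no SA at all (IKE never completed, as with the wrong pre-shared key), one-way traffic, or a working tunnel where a failing ping must be caused by something beyond it. The two sample outputs are constructed from the values posted here, not live captures.

```python
import re
# Constructed excerpts modelled on the thread's "show crypto ipsec sa" output
# (samples, not live captures): before and after the pre-shared key was fixed.
SA_BEFORE = """\
Crypto map tag: rtp, local addr 10.0.100.10
current_peer 10.0.100.2 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 35, #recv errors 0
current outbound spi: 0x0(0)
"""
SA_AFTER = """\
Crypto map tag: rtp, local addr 10.0.100.10
current_peer 10.0.100.2 port 500
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#send errors 35, #recv errors 0
current outbound spi: 0xB20509D3(2986674643)
inbound esp sas:
Status: ACTIVE
outbound esp sas:
Status: ACTIVE
"""

def _num(pattern, text, base=10):
    """First capture group of pattern as an int (0 when the line is absent)."""
    m = re.search(pattern, text)
    return int(m.group(1), base) if m else 0

def parse_sa(text):
    """Pull out the counters and SA state that matter for triage."""
    peer = re.search(r"current_peer (\S+)", text)
    return {
        "peer": peer.group(1) if peer else None,
        "encaps": _num(r"#pkts encaps: (\d+)", text),
        "decaps": _num(r"#pkts decaps: (\d+)", text),
        "send_errors": _num(r"#send errors (\d+)", text),
        "outbound_spi": _num(r"current outbound spi: 0x([0-9A-Fa-f]+)", text, 16),
        "active_sas": len(re.findall(r"Status: ACTIVE", text)),
    }

def diagnose(sa):
    """Map the parsed state onto the situations the thread walks through."""
    if sa["active_sas"] == 0 and sa["outbound_spi"] == 0:
        return "no-sa"        # IKE never completed: check the policy / pre-shared key
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "one-way"      # we encrypt, nothing comes back: far side or return path
    if sa["encaps"] > 0:
        return "tunnel-ok"    # both directions carry traffic; a failing ping lies beyond the tunnel
    return "idle"             # SA exists but no traffic has matched the crypto ACL yet
```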
>But still nobody behind the tunnel can be pinged from this network... :(
>So something needs to be added to access-list 103
>[overquoting removed]
> Crypto map tag: rtp, local addr 10.0.100.10
>
> protected vrf: (none)
> local ident (addr/mask/prot/port): (192.168.64.16/255.255.255.240/0/0)
> remote ident (addr/mask/prot/port): (192.168.64.0/255.255.255.240/0/0)
> current_peer 10.0.100.2 port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
> #pkts decaps: 14, #pkts decrypt: 14, #pkts verify:
You can see bytes are moving through the tunnel.
>But still nobody behind the tunnel can be pinged from this network... :(
>The problem here may be in the routing
enlighten me about the routing (on the cisco and on the PCs)
>access-list 100 deny ip 192.xxx.xxx.0 0.0.0.15 192.xxx.xxx.16 0.0.0.15
>access-list 100 permit ip 192.xxx.xxx.0 0.0.0.15 any
>access-list 103 permit ip 192.xxx.xxx.0 0.0.0.15 192.xxx.xxx.16 0.0.0.15
Try extending the ACLs like this:
access-list 100 deny icmp 192.xxx.xxx.0 0.0.0.15 192.xxx.xxx.16 0.0.0.15
access-list 103 permit icmp 192.xxx.xxx.0 0.0.0.15 192.xxx.xxx.16 0.0.0.15
and the same on the other side. If you only care about pings, then put echo and echo-reply at the end.
And also, on some IOS 12.3 there was a problem like this: if the first rule in the ACL was ip, it didn't work; if it was icmp, it worked :-)