Всем здравствуйте.Есть два вышеозначенных роутера, соединённых напрямую патчкордом, на обоих поднят IPSEC и очень нужен GRE-тоннель, вывод комманды #show int tun0:
Cisco 1841
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Description: ToMainOffice
Internet address is 10.50.2.2/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 10.100.2.2, destination 10.100.2.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling disabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:04, output 00:00:03, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 151
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
7394 packets input, 354912 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
7422 packets output, 357016 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped outCisco 3845
Tunnel2 is up, line protocol is down
Hardware is Tunnel
Description: MorozPLP
Internet address is 10.50.2.1/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 10.100.2.1 (Vlan12), destination 10.100.2.2
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:09, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 47
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
14927 packets input, 716496 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
15172 packets output, 728256 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped outПочему в случае с 3845 "line protocol is down"?
Что такое "Fast tunneling enabled/disabled", и как этой опцией управлять?
>[оверквотинг удален]
>0 overrun, 0 ignored, 0 abort
> 15172 packets output, 728256 bytes, 0 underruns
>
> 0 output errors, 0 collisions, 0 interface
>resets
> 0 output buffer failures, 0 output buffers
>swapped out
>
>Почему в случае с 3845 "line protocol is down"?
>Что такое "Fast tunneling enabled/disabled", и как этой опцией управлять?Проверяйте маршрутизацию.
>[оверквотинг удален]
>>
>> 0 output errors, 0 collisions, 0 interface
>>resets
>> 0 output buffer failures, 0 output buffers
>>swapped out
>>
>>Почему в случае с 3845 "line protocol is down"?
>>Что такое "Fast tunneling enabled/disabled", и как этой опцией управлять?
>
>Проверяйте маршрутизацию.проверил, выяснилось, что не работает ipsec :)
перенастроил, всё равно не работаетping router1 -> router2
router1#debug crypto isakmp
*Oct 7 07:15:58.907: ISAKMP: received ke message (1/1)
*Oct 7 07:15:58.907: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Oct 7 07:15:58.907: ISAKMP: Created a peer struct for 10.100.2.1, peer port 500
*Oct 7 07:15:58.911: ISAKMP: New peer created peer = 0x637F639C peer_handle = 0x80000007
*Oct 7 07:15:58.911: ISAKMP: Locking peer struct 0x637F639C, IKE refcount 1 for isakmp_initiator
*Oct 7 07:15:58.911: ISAKMP: local port 500, remote port 500
*Oct 7 07:15:58.911: ISAKMP: set new node 0 to QM_IDLE
*Oct 7 07:15:58.911: insert sa successfully sa = 63D2DA18
*Oct 7 07:15:58.911: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Oct 7 07:15:58.911: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.100.2.1 in default
*Oct 7 07:15:58.911: ISAKMP:(0:0:N/A:0):No pre-shared key with 10.100.2.1!
*Oct 7 07:15:58.911: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Oct 7 07:15:58.911: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Oct 7 07:15:58.911: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Oct 7 07:15:58.911: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Oct 7 07:15:58.911: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1*Oct 7 07:15:58.911: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Oct 7 07:15:58.911: ISAKMP:(0:0:N/A:0): sending packet to 10.100.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 7 07:15:58.915: ISAKMP (0:0): received packet from 10.100.2.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 7 07:15:58.915: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
*Oct 7 07:15:58.915: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 7 07:15:58.915: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 7 07:15:58.915: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM1*Oct 7 07:15:58.915: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.100.2.1
router2#debug crypto isakmp
#
*Oct 7 07:50:09.295: ISAKMP (0:0): received packet from 10.100.2.2 dport 500 sport 500 Global (N) NEW SA
*Oct 7 07:50:09.295: ISAKMP: Created a peer struct for 10.100.2.2, peer port 500
*Oct 7 07:50:09.299: ISAKMP: New peer created peer = 0x631D274C peer_handle = 0x80000009
*Oct 7 07:50:09.299: ISAKMP: Locking peer struct 0x631D274C, IKE refcount 1 for crypto_isakmp_process_block
*Oct 7 07:50:09.299: ISAKMP: local port 500, remote port 500
*Oct 7 07:50:09.299: insert sa successfully sa = 63829FD8
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Oct 7 07:50:09.299: ISAKMP (0:0): vendor ID is NAT-T v7
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.100.2.2 in default
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0): : success
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.100.2.2
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0): local preshared key found
*Oct 7 07:50:09.299: ISAKMP : Scanning profiles for xauth ...
*Oct 7 07:50:09.299: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 110 policy
*Oct 7 07:50:09.299: ISAKMP: encryption DES-CBC
*Oct 7 07:50:09.303: ISAKMP: hash SHA
*Oct 7 07:50:09.303: ISAKMP: default group 1
*Oct 7 07:50:09.303: ISAKMP: auth RSA sig
*Oct 7 07:50:09.303: ISAKMP: life type in seconds
*Oct 7 07:50:09.303: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Oct 7 07:50:09.303: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Oct 7 07:50:09.303: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
*Oct 7 07:50:09.303: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy
*Oct 7 07:50:09.303: ISAKMP: encryption DES-CBC
*Oct 7 07:50:09.303: ISAKMP: hash SHA
*Oct 7 07:50:09.303: ISAKMP: default group 1
*Oct 7 07:50:09.303: ISAKMP: auth RSA sig
*Oct 7 07:50:09.303: ISAKMP: life type in seconds
*Oct 7 07:50:09.303: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Oct 7 07:50:09.303: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Oct 7 07:50:09.335: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 7 07:50:09.335: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Oct 7 07:50:09.335: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Oct 7 07:50:09.335: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 7 07:50:09.335: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 7 07:50:09.335: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Oct 7 07:50:09.339: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 7 07:50:09.339: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 7 07:50:09.339: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Oct 7 07:50:09.339: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 7 07:50:09.339: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1*Oct 7 07:50:09.339: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID
*Oct 7 07:50:09.339: ISAKMP:(0:1:SW:1): sending packet to 10.100.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 7 07:50:09.339: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 7 07:50:09.339: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2*Oct 7 07:50:09.383: ISAKMP (0:134217729): received packet from 10.100.2.2 dport 500 sport 500 Global (R) MM_S A_SETUP
*Oct 7 07:50:09.383: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 7 07:50:09.383: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3*Oct 7 07:50:09.383: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Oct 7 07:50:09.423: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Oct 7 07:50:09.427: ISAKMP:(0:1:SW:1):SKEYID state generated
*Oct 7 07:50:09.427: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 7 07:50:09.427: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Oct 7 07:50:09.427: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 7 07:50:09.427: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Oct 7 07:50:09.427: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 7 07:50:09.427: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Oct 7 07:50:09.427: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 7 07:50:09.427: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3*Oct 7 07:50:09.427: ISAKMP:(0:1:SW:1): sending packet to 10.100.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 7 07:50:09.427: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 7 07:50:09.427: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4*Oct 7 07:50:09.643: ISAKMP (0:134217729): received packet from 10.100.2.2 dport 500 sport 500 Global (R) MM_K EY_EXCH
*Oct 7 07:50:09.643: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 7 07:50:09.643: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5*Oct 7 07:50:09.643: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Oct 7 07:50:09.643: ISAKMP (0:134217729): ID payload
next-payload : 9
type : 1
address : 10.100.2.2
protocol : 17
port : 500
length : 12
*Oct 7 07:50:09.643: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Oct 7 07:50:09.643: ISAKMP:(0:1:SW:1): processing SIG payload. message ID = 0
*Oct 7 07:50:09.643: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
*Oct 7 07:50:09.643: ISAKMP (0:134217729): process_rsa_sig: Querying key pair failed.
*Oct 7 07:50:09.647: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 7 07:50:09.647: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5*Oct 7 07:50:09.647: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: reset_retransmiss ion
Что они от меня хотят?
Спасибо.
>*Oct 7 07:50:09.643: ISAKMP (0:134217729): ID payload
>*Oct 7 07:50:09.643: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
>*Oct 7 07:50:09.643: ISAKMP:(0:1:SW:1): processing SIG payload. message ID = 0
>
>*Oct 7 07:50:09.643: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
>*Oct 7 07:50:09.643: ISAKMP (0:134217729): process_rsa_sig: Querying key pair failed.
>Что они от меня хотят?
>Спасибо.Либо крипто-карты не совпадают, либо ключи, либо и то и то.
Пример конфига для организации GRE over IPSEC.Роутер A:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.2
!
crypto ipsec transform-set some_set esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile some_profile
set transform-set some_set
!
interface Tunnel0
ip address 10.50.2.1 255.255.255.252
ip mtu 1400
tunnel source 10.100.2.1
tunnel destination 10.100.2.2
tunnel protection ipsec profile some_profile
endРоутер B:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.1
!
crypto ipsec transform-set some_set esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile some_profile
set transform-set some_set
!
interface Tunnel0
ip address 10.50.2.2 255.255.255.252
ip mtu 1400
tunnel source 10.100.2.2
tunnel destination 10.100.2.1
tunnel protection ipsec profile some_profile
end
>[оверквотинг удален]
>crypto ipsec profile some_profile
> set transform-set some_set
>!
>interface Tunnel0
> ip address 10.50.2.2 255.255.255.252
> ip mtu 1400
> tunnel source 10.100.2.2
> tunnel destination 10.100.2.1
> tunnel protection ipsec profile some_profile
>endtunnel mode ipsec ipv4 на туннельных интерфейсах
>[оверквотинг удален]
>>!
>>interface Tunnel0
>> ip address 10.50.2.2 255.255.255.252
>> ip mtu 1400
>> tunnel source 10.100.2.2
>> tunnel destination 10.100.2.1
>> tunnel protection ipsec profile some_profile
>>end
>
>tunnel mode ipsec ipv4 на туннельных интерфейсахсорри на дебаг внимание не обратил.
crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.1 no-xauth
>[оверквотинг удален]
>>> ip mtu 1400
>>> tunnel source 10.100.2.2
>>> tunnel destination 10.100.2.1
>>> tunnel protection ipsec profile some_profile
>>>end
>>
>>tunnel mode ipsec ipv4 на туннельных интерфейсах
>
>сорри на дебаг внимание не обратил.
>crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.1 no-xauthГоспода, у всех прошу прощения, всё из-за невнимательности, ключ, на втором роутере, прописал на его же интерфейс.
Всем огромное спасибо.