URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 17299

Original message
"Tunnel between Cisco 3845 and Cisco 1841"

Posted by antacid, 03-Oct-08 09:56
Hello everyone.

I have the two routers named above, connected directly with a patch cord. IPsec is up on both, and I really need a GRE tunnel. Output of the #show int tun0 command:

Cisco 1841

Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Description: ToMainOffice
  Internet address is 10.50.2.2/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (10 sec), retries 3
  Tunnel source 10.100.2.2, destination 10.100.2.1
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling disabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:04, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 151
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     7394 packets input, 354912 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     7422 packets output, 357016 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

Cisco 3845

Tunnel2 is up, line protocol is down
  Hardware is Tunnel
  Description: MorozPLP
  Internet address is 10.50.2.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (10 sec), retries 3
  Tunnel source 10.100.2.1 (Vlan12), destination 10.100.2.2
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:09, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 47
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     14927 packets input, 716496 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     15172 packets output, 728256 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

Why is it "line protocol is down" in the 3845's case?
What is "Fast tunneling enabled/disabled", and how do you control that option?


Messages in this discussion
"Tunnel between Cisco 3845 and Cisco 1841"
Posted by Pistonov, 03-Oct-08 11:46
>[overquoting removed]
>0 overrun, 0 ignored, 0 abort
>     15172 packets output, 728256 bytes, 0 underruns
>
>     0 output errors, 0 collisions, 0 interface resets
>     0 output buffer failures, 0 output buffers swapped out
>
>Why is it "line protocol is down" in the 3845's case?
>What is "Fast tunneling enabled/disabled", and how do you control that option?

Check your routing.


"Tunnel between Cisco 3845 and Cisco 1841"
Posted by antacid, 07-Oct-08 11:52
>[overquoting removed]
>>
>>     0 output errors, 0 collisions, 0 interface resets
>>     0 output buffer failures, 0 output buffers swapped out
>>
>>Why is it "line protocol is down" in the 3845's case?
>>What is "Fast tunneling enabled/disabled", and how do you control that option?
>
>Check your routing.

I checked, and it turned out that IPsec isn't working :)
I reconfigured it, and it still doesn't work.

ping router1 -> router2

router1#debug crypto isakmp
*Oct  7 07:15:58.907: ISAKMP: received ke message (1/1)
*Oct  7 07:15:58.907: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Oct  7 07:15:58.907: ISAKMP: Created a peer struct for 10.100.2.1, peer port 500
*Oct  7 07:15:58.911: ISAKMP: New peer created peer = 0x637F639C peer_handle = 0x80000007
*Oct  7 07:15:58.911: ISAKMP: Locking peer struct 0x637F639C, IKE refcount 1 for isakmp_initiator
*Oct  7 07:15:58.911: ISAKMP: local port 500, remote port 500
*Oct  7 07:15:58.911: ISAKMP: set new node 0 to QM_IDLE
*Oct  7 07:15:58.911: insert sa successfully sa = 63D2DA18
*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.100.2.1 in default
*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0):No pre-shared key with 10.100.2.1!
*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0): sending packet to 10.100.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct  7 07:15:58.915: ISAKMP (0:0): received packet from 10.100.2.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct  7 07:15:58.915: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
*Oct  7 07:15:58.915: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Oct  7 07:15:58.915: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct  7 07:15:58.915: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Oct  7 07:15:58.915: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.100.2.1

router2#debug crypto isakmp
#
*Oct  7 07:50:09.295: ISAKMP (0:0): received packet from 10.100.2.2 dport 500 sport 500 Global (N) NEW SA
*Oct  7 07:50:09.295: ISAKMP: Created a peer struct for 10.100.2.2, peer port 500
*Oct  7 07:50:09.299: ISAKMP: New peer created peer = 0x631D274C peer_handle = 0x80000009
*Oct  7 07:50:09.299: ISAKMP: Locking peer struct 0x631D274C, IKE refcount 1 for crypto_isakmp_process_block
*Oct  7 07:50:09.299: ISAKMP: local port 500, remote port 500
*Oct  7 07:50:09.299: insert sa successfully sa = 63829FD8
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1

*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Oct  7 07:50:09.299: ISAKMP (0:0): vendor ID is NAT-T v7
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.100.2.2 in default
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): : success
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.100.2.2
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): local preshared key found
*Oct  7 07:50:09.299: ISAKMP : Scanning profiles for xauth ...
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 110 policy
*Oct  7 07:50:09.299: ISAKMP:      encryption DES-CBC
*Oct  7 07:50:09.303: ISAKMP:      hash SHA
*Oct  7 07:50:09.303: ISAKMP:      default group 1
*Oct  7 07:50:09.303: ISAKMP:      auth RSA sig
*Oct  7 07:50:09.303: ISAKMP:      life type in seconds
*Oct  7 07:50:09.303: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Oct  7 07:50:09.303: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Oct  7 07:50:09.303: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
*Oct  7 07:50:09.303: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy
*Oct  7 07:50:09.303: ISAKMP:      encryption DES-CBC
*Oct  7 07:50:09.303: ISAKMP:      hash SHA
*Oct  7 07:50:09.303: ISAKMP:      default group 1
*Oct  7 07:50:09.303: ISAKMP:      auth RSA sig
*Oct  7 07:50:09.303: ISAKMP:      life type in seconds
*Oct  7 07:50:09.303: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Oct  7 07:50:09.303: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Oct  7 07:50:09.335: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct  7 07:50:09.335: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Oct  7 07:50:09.335: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Oct  7 07:50:09.335: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct  7 07:50:09.335: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Oct  7 07:50:09.335: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID
*Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1): sending packet to 10.100.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Oct  7 07:50:09.383: ISAKMP (0:134217729): received packet from 10.100.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct  7 07:50:09.383: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct  7 07:50:09.383: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Oct  7 07:50:09.383: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Oct  7 07:50:09.423: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1):SKEYID state generated
*Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): sending packet to 10.100.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Oct  7 07:50:09.643: ISAKMP (0:134217729): received packet from 10.100.2.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Oct  7 07:50:09.643: ISAKMP (0:134217729): ID payload
        next-payload : 9
        type         : 1
        address      : 10.100.2.2
        protocol     : 17
        port         : 500
        length       : 12
*Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1): processing SIG payload. message ID = 0
*Oct  7 07:50:09.643: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
*Oct  7 07:50:09.643:  ISAKMP (0:134217729): process_rsa_sig: Querying key pair failed.
*Oct  7 07:50:09.647: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct  7 07:50:09.647: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Oct  7 07:50:09.647: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: reset_retransmission

What do they want from me?
Thanks.
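
The two debug captures above contain the lines that explain the Phase 1 failure, but they are buried in state-machine noise. As an added example (not code from the thread), here is a small Python triage script that scans `debug crypto isakmp` output for the messages that matter; it uses excerpts of the debug output posted above as constructed sample input, and the hint attached to each pattern is this example's own reading of the message, not Cisco documentation.

```python
"""Triage `debug crypto isakmp` output for the lines that explain an IKEv1 Phase 1 failure.

Added example, not code from the thread. The sample input below is an excerpt of
the debug output posted above; the hint attached to each pattern is this example's
own interpretation of the message, not Cisco documentation.
"""
import re
from dataclasses import dataclass

# (pattern seen in the posted debug, operator-facing hint). {0}/{1} are filled
# from the regex groups. Order matters: the first matching pattern wins.
FINDINGS = [
    (re.compile(r"No pre-shared key with (\S+)!"),
     "this router has no `crypto isakmp key ... address {0}`; check that the key "
     "is bound to the peer's address and not to a local interface"),
    (re.compile(r"Encryption algorithm offered does not match policy!"),
     "the peer's proposal did not match this ISAKMP policy"),
    (re.compile(r"auth (RSA sig)"),
     "proposal carries {0} authentication; with a pre-shared-key design this usually "
     "means the initiator found no PSK for the peer and fell back to the default policy"),
    (re.compile(r"peer matches \*none\* of the profiles"),
     "peer identity matched no ISAKMP profile (harmless when no profiles are used)"),
    (re.compile(r"Querying key pair failed"),
     "RSA signature verification was attempted but no RSA key pair exists; the "
     "session is authenticating with RSA-sig instead of the intended PSK"),
    (re.compile(r"Notify has no hash\. Rejected\."),
     "peer answered Main Mode message 1 with an unauthenticated Notify, i.e. it "
     "rejected the exchange"),
    (re.compile(r"%CRYPTO-\d-(\w+): (.*)"),
     "syslog {0}: {1}"),
]


@dataclass
class Finding:
    router: str
    line: str
    hint: str


def triage(router: str, debug_text: str) -> list[Finding]:
    """Return one Finding per debug line that matches a known failure pattern."""
    found = []
    for raw in debug_text.splitlines():
        for pattern, hint in FINDINGS:
            m = pattern.search(raw)
            if m:
                found.append(Finding(router, raw.strip(), hint.format(*m.groups())))
                break
    return found


def peers_without_key(findings: list[Finding]) -> set[str]:
    """Peer addresses for which a 'No pre-shared key' line was seen."""
    peers = set()
    for f in findings:
        m = re.search(r"No pre-shared key with (\S+)!", f.line)
        if m:
            peers.add(m.group(1))
    return peers


# Constructed sample input: excerpts of the debug lines posted in the thread.
ROUTER1_DEBUG = """\
*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.100.2.1 in default
*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0):No pre-shared key with 10.100.2.1!
*Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0): sending packet to 10.100.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct  7 07:15:58.915: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
*Oct  7 07:15:58.915: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.100.2.1
"""
ROUTER2_DEBUG = """\
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.100.2.2
*Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 110 policy
*Oct  7 07:50:09.299: ISAKMP:      encryption DES-CBC
*Oct  7 07:50:09.303: ISAKMP:      auth RSA sig
*Oct  7 07:50:09.303: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Oct  7 07:50:09.303: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy
*Oct  7 07:50:09.303: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Oct  7 07:50:09.643: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
"""

if __name__ == "__main__":
    for router, text in (("router1", ROUTER1_DEBUG), ("router2", ROUTER2_DEBUG)):
        for f in triage(router, text):
            print(f"{f.router}: {f.hint}\n    {f.line}")
    print("peers without a PSK on router1:", peers_without_key(triage("router1", ROUTER1_DEBUG)))
```

Run against the posted captures it reports, on router1, the missing pre-shared key for 10.100.2.1, and on router2 the RSA-sig proposal that the default policy 65535 accepted and the failed key-pair lookup that follows from it: the responder side symptoms of the initiator having no PSK for its peer.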


"Tunnel between Cisco 3845 and Cisco 1841"
Posted by max2k1, 08-Oct-08 13:49
>*Oct  7 07:50:09.643: ISAKMP (0:134217729): ID payload
>*Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
>*Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1): processing SIG payload. message ID = 0
>
>*Oct  7 07:50:09.643: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
>*Oct  7 07:50:09.643:  ISAKMP (0:134217729): process_rsa_sig: Querying key pair failed.
>What do they want from me?
>Thanks.

Either the crypto maps don't match, or the keys, or both.


"Tunnel between Cisco 3845 and Cisco 1841"
Posted by max2k1, 08-Oct-08 13:58
Sample config for setting up GRE over IPSEC.

Router A:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.2
!
crypto ipsec transform-set some_set esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile some_profile
 set transform-set some_set
!
interface Tunnel0
 ip address 10.50.2.1 255.255.255.252
 ip mtu 1400
 tunnel source 10.100.2.1
 tunnel destination 10.100.2.2
 tunnel protection ipsec profile some_profile
end

Router B:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.1
!
crypto ipsec transform-set some_set esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile some_profile
 set transform-set some_set
!
interface Tunnel0
 ip address 10.50.2.2 255.255.255.252
 ip mtu 1400
 tunnel source 10.100.2.2
 tunnel destination 10.100.2.1
 tunnel protection ipsec profile some_profile
end


"Tunnel between Cisco 3845 and Cisco 1841"
Posted by Eduard_k, 08-Oct-08 18:58
>[overquoting removed]
>crypto ipsec profile some_profile
> set transform-set some_set
>!
>interface Tunnel0
> ip address 10.50.2.2 255.255.255.252
> ip mtu 1400
> tunnel source 10.100.2.2
> tunnel destination 10.100.2.1
> tunnel protection ipsec profile some_profile
>end

tunnel mode ipsec ipv4 on the tunnel interfaces


"Tunnel between Cisco 3845 and Cisco 1841"
Posted by Eduard_k, 08-Oct-08 19:06
>[overquoting removed]
>>!
>>interface Tunnel0
>> ip address 10.50.2.2 255.255.255.252
>> ip mtu 1400
>> tunnel source 10.100.2.2
>> tunnel destination 10.100.2.1
>> tunnel protection ipsec profile some_profile
>>end
>
>tunnel mode ipsec ipv4 on the tunnel interfaces

Sorry, I didn't look at the debug output.
crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.1 no-xauth


"Tunnel between Cisco 3845 and Cisco 1841"
Posted by antacid, 08-Oct-08 23:17
>[overquoting removed]
>>> ip mtu 1400
>>> tunnel source 10.100.2.2
>>> tunnel destination 10.100.2.1
>>> tunnel protection ipsec profile some_profile
>>>end
>>
>>tunnel mode ipsec ipv4 on the tunnel interfaces
>
>Sorry, I didn't look at the debug output.
>crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.1 no-xauth

Gentlemen, my apologies to everyone; it was all carelessness: on the second router I had configured the key for that router's own interface address.
Many thanks to all.
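
The root cause in this thread, a pre-shared key bound to the router's own interface address instead of the peer's, is exactly the kind of thing the two sides of a GRE over IPsec pair can be checked for mechanically before turning on debugs. As an added example (not code from the thread or from Cisco), here is a Python script that parses the two IOS fragments max2k1 posted (embedded below as constructed sample input, with the usual one-space indentation) and checks what has to mirror between the routers: tunnel source/destination, the PSK and the peer address it is bound to, ISAKMP policy parameters, tunnel subnet and transform set. A third, deliberately broken copy of router B reproduces the mistake from the last post. The defaults filled in for unspecified ISAKMP policy parameters (des, sha, rsa-sig, group 1) are the IOS defaults; the parser only understands the commands that appear in the posted fragments.

```python
"""Consistency check for a GRE over IPsec router pair (added example, not from the thread).

Parses the IOS config fragments posted above and reports what does not mirror between
the two routers. The ISAKMP policy defaults (des, sha, rsa-sig, group 1) are IOS defaults.
"""
import ipaddress
import re

SECTION_RE = re.compile(r"^(crypto isakmp policy|crypto ipsec transform-set|crypto ipsec profile|interface) ")


def parse_ios(text: str) -> dict:
    """Reduce an IOS config fragment to the parts that matter for the tunnel pair."""
    cfg = {"policies": {}, "keys": {}, "tsets": {}, "profiles": {}, "tunnels": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("!", "end"):
            section = None
            continue
        words = line.split()
        if SECTION_RE.match(line):
            if line.startswith("crypto isakmp policy"):
                section = cfg["policies"].setdefault(
                    words[3], {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"})
            elif line.startswith("crypto ipsec transform-set"):  # NAME then the ESP/AH algorithms
                section = cfg["tsets"].setdefault(words[3], {"algos": tuple(words[4:]), "mode": "tunnel"})
            elif line.startswith("crypto ipsec profile"):
                section = cfg["profiles"].setdefault(words[3], {})
            else:  # interface TunnelN
                section = cfg["tunnels"].setdefault(words[1], {})
            continue
        if line.startswith("crypto isakmp key "):  # crypto isakmp key KEY address PEER [no-xauth]
            cfg["keys"][words[5]] = words[3]
            continue
        if section is None:
            continue
        if words[0] in ("ip", "tunnel") and len(words) >= 3:  # "ip address", "tunnel source", ...
            section[f"{words[0]} {words[1]}"] = " ".join(words[2:])
        else:
            key = "encr" if words[0].startswith("encr") else words[0]
            section[key] = " ".join(words[1:])
    return cfg


def policy_tuples(cfg: dict) -> set:
    return {(p["encr"], p["hash"], p["authentication"], p["group"]) for p in cfg["policies"].values()}


def transform_of(cfg: dict, tun: dict):
    """(algorithms, mode) of the transform set reached through `tunnel protection ipsec profile`."""
    prot = tun.get("tunnel protection", "")
    prof = cfg["profiles"].get(prot.split()[-1]) if prot else None
    if not prof or "set" not in prof:
        return None
    ts = cfg["tsets"].get(prof["set"].split()[-1])
    return (ts["algos"], ts["mode"]) if ts else None


def check_pair(a: dict, b: dict) -> list[str]:
    """Mismatches between router A and router B; an empty list means the pair is consistent."""
    problems = []
    if not policy_tuples(a) & policy_tuples(b):
        problems.append("no ISAKMP policy with identical encr/hash/auth/group on both routers")
    for name_a, tun_a in a["tunnels"].items():
        src, dst = tun_a.get("tunnel source"), tun_a.get("tunnel destination")
        mirror = [(n, t) for n, t in b["tunnels"].items()
                  if t.get("tunnel source") == dst and t.get("tunnel destination") == src]
        if not mirror:
            problems.append(f"A {name_a} {src}->{dst}: no mirrored tunnel on B")
            continue
        name_b, tun_b = mirror[0]
        # Each router's PSK must be bound to the PEER's address, never to its own.
        bound = True
        for side, cfg, own, peer in (("A", a, src, dst), ("B", b, dst, src)):
            if peer not in cfg["keys"]:
                bound = False
                why = " (it is bound to the local address instead)" if own in cfg["keys"] else ""
                problems.append(f"{side}: no `crypto isakmp key ... address {peer}`{why}")
        if bound and a["keys"][dst] != b["keys"][src]:
            problems.append(f"pre-shared keys differ: A for {dst} vs B for {src}")
        ip_a, ip_b = tun_a.get("ip address", "").split(), tun_b.get("ip address", "").split()
        if len(ip_a) == 2 and len(ip_b) == 2:
            net = ipaddress.ip_interface(f"{ip_a[0]}/{ip_a[1]}").network
            if ipaddress.ip_address(ip_b[0]) not in net:
                problems.append(f"{name_a} {ip_a[0]} and {name_b} {ip_b[0]} are not in one subnet")
        if transform_of(a, tun_a) != transform_of(b, tun_b):
            problems.append(f"transform set/mode differ between A {name_a} and B {name_b}")
    return problems


# Constructed sample input: router A as posted above; B is A with the addresses swapped.
ROUTER_A = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.2
!
crypto ipsec transform-set some_set esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile some_profile
 set transform-set some_set
!
interface Tunnel0
 ip address 10.50.2.1 255.255.255.252
 ip mtu 1400
 tunnel source 10.100.2.1
 tunnel destination 10.100.2.2
 tunnel protection ipsec profile some_profile
end
"""
ROUTER_B = (ROUTER_A.replace("address 10.100.2.2", "address 10.100.2.1")
            .replace("ip address 10.50.2.1", "ip address 10.50.2.2")
            .replace("tunnel source 10.100.2.1", "tunnel source 10.100.2.2")
            .replace("tunnel destination 10.100.2.2", "tunnel destination 10.100.2.1"))
# The mistake from the last post: B's key bound to B's own interface address.
ROUTER_B_BROKEN = ROUTER_B.replace("SOMEVERYSECRETKEY address 10.100.2.1", "SOMEVERYSECRETKEY address 10.100.2.2")

if __name__ == "__main__":
    print("good pair:", check_pair(parse_ios(ROUTER_A), parse_ios(ROUTER_B)) or "consistent")
    print("broken pair:", check_pair(parse_ios(ROUTER_A), parse_ios(ROUTER_B_BROKEN)))
```

For the posted pair the check comes back empty; for the broken copy it reports that B has no key for 10.100.2.1 and that the key is bound to the local address instead, which is the condition behind the "No pre-shared key with ..." line in the initiator's debug.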