The OpenNET Project / Index page

VPN between Asus SL200 and Cisco 2811, !*! HRomiK, 03-Feb-11, 14:54
Need help setting up a tunnel between an Asus SL200 and a Cisco 2811.
I'm not a specialist in this area, so I'm turning to you, comrades.
There is a Cisco 2811 with several GRE over IPsec tunnels configured to remote LANs (Cisco 871).
Task: add an IPsec tunnel to one more LAN (Asus SL200) to the existing configuration.
I used the info from here as a basis: http://blog.ronix.net.ua/2007/11/ipsec-cisco-d-link.html It's not a D-Link, of course, but very similar.

Settings on the SL200
Local Secure Group:
subnet: 192.192.9.0
mask: 255.255.255.0
Remote Secure Group:
subnet: 192.168.0.0
netmask: 255.255.255.0
Remote Secure Gateway
IP: 222.222.222.222
Preshared Key: 123456

IKE Parameters
Phase 1:
Encryption - 3DES
Authentication - SHA1
Group - Group2 (1024)
Key Life Time 86400

Phase 2:
Encryption - 3DES
Authentication - SHA1
Group - Group2 (1024)
Key Life Time 28800

NAT-Traversal - enable

Cisco config with additions


!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key key address xxx.xxx.xxx.xxx no-xauth
crypto isakmp key key address yyy.yyy.yyy.yyy no-xauth
crypto isakmp key key address zzz.zzz.zzz.zzz no-xauth
crypto isakmp key key address sss.sss.sss.sss no-xauth
crypto isakmp key key address ttt.ttt.ttt.ttt no-xauth
----Added----
crypto isakmp key 123456 address 222.222.222.222 no-xauth
---------------
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto isakmp client configuration group company
key key
dns x.x.x.x x.x.x.x
pool
acl 125
max-users 10
netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA0 esp-3des esp-sha-hmac
!
crypto dynamic-map companyMAP 1
set security-association idle-time 600
set transform-set ESP-3DES-SHA0
!
crypto map core_map local-address FastEthernet0/1
crypto map core_map isakmp authorization list sdm_vpn_group_ml_1
crypto map core_map client configuration address respond
crypto map core_map 1 ipsec-isakmp
description office5
set peer xxx.xxx.xxx.xxx
set transform-set ESP-3DES-SHA1
match address 100
crypto map core_map 2 ipsec-isakmp
description office3
set peer ttt.ttt.ttt.ttt
set transform-set ESP-3DES-SHA1
match address 101
crypto map core_map 3 ipsec-isakmp
description office2
set peer sss.sss.sss.sss
set transform-set ESP-3DES-SHA1
match address 102
crypto map core_map 4 ipsec-isakmp
set peer yyy.yyy.yyy.yyy
set transform-set ESP-3DES-SHA1
match address 103
crypto map core_map 5 ipsec-isakmp
set peer zzz.zzz.zzz.zzz
set transform-set ESP-3DES-SHA1
match address 104
----Added----
crypto map core_map 6 ipsec-isakmp
description ASUS_SL200
set peer 222.222.222.222
set security-association lifetime seconds 28800
set transform-set ESP-3DES-SHA0
set pfs group2
match address 105
---------------

crypto map core_map 65535 ipsec-isakmp dynamic companyMAP
!
interface Tunnel0
description office5
ip address 192.168.255.2 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source 111.111.111.111
tunnel destination xxx.xxx.xxx.xxx
crypto map core_map
!
interface Tunnel1
description office3
ip address 192.168.255.6 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source 111.111.111.111
tunnel destination ttt.ttt.ttt.ttt
crypto map core_map
!
interface Tunnel2
description office2
ip address 192.168.255.10 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source 111.111.111.111
tunnel destination sss.sss.sss.sss
crypto map core_map
!
interface Tunnel3
ip address 192.168.255.14 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source 111.111.111.111
tunnel destination yyy.yyy.yyy.yyy
crypto map core_map
!
interface Tunnel4
ip address 192.168.255.18 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source 111.111.111.111
tunnel destination zzz.zzz.zzz.zzz
crypto map core_map
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 192.168.0.252 255.255.255.0
ip access-group 140 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 111.111.111.111 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map core_map
!
ip local pool company 192.168.100.10 192.168.100.20
ip route 0.0.0.0 0.0.0.0 111.111.111.100
ip route 192.168.2.0 255.255.255.0 Tunnel2
ip route 192.168.3.0 255.255.255.0 Tunnel1
ip route 192.168.4.0 255.255.255.0 Tunnel4
ip route 192.168.5.0 255.255.255.0 Tunnel0
ip route 192.168.8.0 255.255.255.0 Tunnel3
----Added----
ip route 192.168.9.0 255.255.255.0 FastEthernet0/1
---------------
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source route-map NAT1 interface FastEthernet0/1 overload

ip nat inside source static tcp 192.168.0.250 4090 111.111.111.111 4090 extendable

!
ip access-list extended For_NAT_VPN
deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.8.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.9.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.4.0 0.0.0.255
deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
permit ip 192.168.9.0 0.0.0.255 any
ip access-list extended From-INTERNET
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any
permit ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit gre host 111.111.111.111 host xxx.xxx.xxx.xxx
access-list 101 permit gre host 111.111.111.111 host ttt.ttt.ttt.ttt
access-list 102 permit gre host 111.111.111.111 host sss.sss.sss.sss
access-list 103 permit gre host 111.111.111.111 host yyy.yyy.yyy.yyy
access-list 104 permit gre host 111.111.111.111 host zzz.zzz.zzz.zzz
----Added----
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.9.0 0.0.0.255
---------------
access-list 140 permit ip any any

snmp-server community public RW
snmp-server ifindex persist
snmp-server enable traps tty
snmp-server enable traps frame-relay multilink bundle-mismatch
!
route-map NAT1 permit 1
match ip address For_NAT_VPN
!
control-plane

Result: it doesn't work, the networks can't see each other.
Moreover, judging by the Asus logs, the tunnel does seem to get established, but no new routes appear in the Asus routing table.

[Thu Feb 03 12:22:09 2011]:[VPN] initiate new phase 1 negotiation: 222.222.222.222[500]<=>111.111.111.111[500] in Identity Protection mode
[Thu Feb 03 12:22:11 2011]:[VPN] ISAKMP-SA established 222.222.222.222[500]-111.111.111.111[500]
[Thu Feb 03 12:22:12 2011]:[VPN] initiate new phase 2 negotiation: 222.222.222.222[500]<=>111.111.111.111[500]
[Thu Feb 03 12:22:12 2011]:[VPN] Quick Mode: i1 => 111.111.111.111[500]
[Thu Feb 03 12:22:12 2011]:[VPN] Quick Mode: r1 <= 111.111.111.111[500]
[Thu Feb 03 12:22:13 2011]:[VPN] Quick Mode: i2 => 111.111.111.111[500]
[Thu Feb 03 12:22:13 2011]:[VPN] IPsec-SA established: ESP/Tunnel 111.111.111.111[0]->222.222.222.222[0] spi=203619198(0xc22fb7e)
[Thu Feb 03 12:22:13 2011]:[VPN] IPsec-SA established: ESP/Tunnel 222.222.222.222[0]->111.111.111.111[0] spi=2607712181(0x9b6e87b5)

And here's the log from the Cisco:

*Feb  3 11:31:32.367: IPSEC(validate_proposal_request): proposal part #1
*Feb  3 11:31:32.367: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 111.111.111.111, remote= 222.222.222.222,
    local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.9.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Feb  3 11:31:32.367: Crypto mapdb : proxy_match
        src addr     : 192.168.0.0
        dst addr     : 192.168.9.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Feb  3 11:31:32.379: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb  3 11:31:32.379: Crypto mapdb : proxy_match
        src addr     : 192.168.0.0
        dst addr     : 192.168.9.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Feb  3 11:31:32.379: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 222.222.222.222
*Feb  3 11:31:32.379: IPSEC(policy_db_add_ident): src 192.168.0.0, dest 192.168.9.0, dest_port 0
*Feb  3 11:31:32.379: IPSEC(create_sa): sa created,
  (sa) sa_dest= 111.111.111.111, sa_proto= 50,
    sa_spi= 0x5B20C618(1528874520),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 173
*Feb  3 11:31:32.383: IPSEC(create_sa): sa created,
  (sa) sa_dest= 222.222.222.222, sa_proto= 50,
    sa_spi= 0x60EA98F(101624207),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 174
*Feb  3 11:31:32.475: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb  3 11:31:32.475: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Feb  3 11:31:32.475: IPSEC(key_engine_enable_outbound): enable SA with spi 1016 24207/50
*Feb  3 11:31:32.475: IPSEC(update_current_outbound_sa): updated peer 222.222.222.222 current outbound sa to SPI 60EA98F

I think there's some kind of mess with the routing here.

Or should this all be done completely differently?
People, please help.
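An added consistency check, written for this page and not taken from the post or the thread: it parses the Cisco crypto ACL (105) and the NAT-exemption ACL (For_NAT_VPN) as posted and verifies that they mirror the SL200 Local/Remote Secure Groups and keep the tunnel traffic out of NAT. Run against the values exactly as typed in the post, it flags the Local Secure Group 192.192.9.0, which does not mirror ACL 105's 192.168.9.0 (the router's debug output shows the proxy actually negotiated was 192.168.9.0/24, so that line is probably a transcription slip); with the corrected subnet the check passes. The function names and the inline configuration excerpt are this example's own constructs.

```python
import ipaddress

# Constructed input transcribed from the post: SL200 groups as typed, plus the Cisco lines
# that select the tunnel traffic (ACL 105) and exempt it from NAT (route-map ACL).
SL200_POST = {"local": "192.192.9.0/255.255.255.0",
              "remote": "192.168.0.0/255.255.255.0"}
CISCO_LINES = """
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.9.0 0.0.0.255
ip access-list extended For_NAT_VPN
 deny   ip 192.168.0.0 0.0.0.255 192.168.9.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
"""
def _operand(tokens):
    """Consume one IOS ACL address operand (any | host A | A WILDCARD) as a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(t + "/" + tokens.pop(0))  # IOS wildcard == host mask

def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for the 'ip' entries."""
    acls, current = {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            current = tok[3]
            continue
        if tok[:1] == ["access-list"]:           # numbered ACL: the number is on every line
            current, tok = tok[1], tok[2:]
        if current and tok[:2] in (["permit", "ip"], ["deny", "ip"]):
            rest = tok[2:]
            acls.setdefault(current, []).append((tok[0], _operand(rest), _operand(rest)))
    return acls

def check_tunnel(sl200, acls, crypto_acl="105", nat_acl="For_NAT_VPN"):
    """List mismatches between the SL200 groups and the Cisco ACLs (empty list = consistent)."""
    problems = []
    peer_local = ipaddress.ip_network(sl200["local"])
    peer_remote = ipaddress.ip_network(sl200["remote"])
    # Proxy IDs: the Cisco crypto ACL (src = Cisco LAN, dst = peer LAN) must mirror the peer.
    if ("permit", peer_remote, peer_local) not in acls.get(crypto_acl, []):
        problems.append(f"ACL {crypto_acl} does not mirror peer {peer_local} <-> {peer_remote}")
    # NAT: the first route-map ACL entry matching the tunnel flow must be a deny (exemption).
    first = next((a for a, s, d in acls.get(nat_acl, [])
                  if s.overlaps(peer_remote) and d.overlaps(peer_local)), None)
    if first != "deny":
        problems.append(f"{nat_acl}: {peer_remote} -> {peer_local} would be NATed, not tunnelled")
    return problems
```

Calling check_tunnel(SL200_POST, parse_acls(CISCO_LINES)) reports both the proxy-ID and the NAT mismatch for the values as posted; it returns an empty list once the local subnet is 192.168.9.0/24.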