The OpenNET Project / Index page

ipsec and vlan interface , !*! bekzod, 14-Aug-12, 22:19
Hi all. I brought up my IPsec VPN, but a catch was waiting for me here: a router with Layer 2 ports is unusual after all. The topology is PC_A - routerA - routerB - PC_B. From PC A (172.16.2.2/24) I can ping and tracert to PC B (192.168.20.4/24), but not from PC B: the tracert only reaches the WAN of router A and that's it, it never reaches interface vlan 20. The configs on the routers are mirrored; help me find where the snag is.

R_A#sho run
Building configuration...
updated at 13:30:19 PCTime Tue Aug 14 2012 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R_A
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!        
crypto pki trustpoint TP-self-signed-3088937797
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3088937797
revocation-check none
rsakeypair TP-self-signed-3088937797
!
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!        
license udi pid CISCO881-K9 sn FTX162683BP
!
username admin privilege 15 secret 5 $1$9.I7$4C61J/DT957rNQXyeuJ18/
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key 1voice1 address 192.168.15.1
!
!
crypto ipsec transform-set voice_set esp-des esp-md5-hmac
!
!
!
crypto map voice 10 ipsec-isakmp
set peer 192.168.15.1
set transform-set voice_set
set pfs group1
match address voice
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 20
!
interface FastEthernet4
ip address 192.168.15.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map voice
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface Vlan20
ip address 172.16.2.192 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 192.168.20.0 255.255.255.248 192.168.15.1 permanent
!        
ip access-list extended test
ip access-list extended voice
permit ip 172.16.2.0 0.0.0.255 192.168.20.0 0.0.0.15
permit ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255
permit ip host 192.168.15.2 host 192.168.15.1
permit ip host 192.168.15.1 host 192.168.15.2
deny   ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 110 deny   ip 172.16.2.0 0.0.0.255 192.168.20.0 0.0.0.15
access-list 110 permit ip 172.16.2.0 0.0.0.255 any
no cdp run
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!        

^C
!        
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000

show ip route
2.0.0.0/32 is subnetted, 1 subnets
C        2.2.2.2 is directly connected, Loopback0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.2.0/24 is directly connected, Vlan20
L        172.16.2.192/32 is directly connected, Vlan20
      192.168.15.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.15.0/24 is directly connected, FastEthernet4
L        192.168.15.2/32 is directly connected, FastEthernet4
      192.168.20.0/29 is subnetted, 1 subnets
S        192.168.20.0 [1/0] via 192.168.15.1


routerB:


R_B#sho run
Building configuration...

Current configuration : 6701 bytes
!
! Last configuration change at 16:58:30 UTC Tue Aug 14 2012 by admin
! NVRAM config last updated at 17:29:21 UTC Tue Aug 14 2012 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Remote_R
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
!        
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3874039267
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3874039267
revocation-check none
rsakeypair TP-self-signed-3874039267
!

        quit
ip source-route
!
ip dhcp pool data30
   network 192.168.30.0 255.255.255.240
   default-router 192.168.30.1
   option 176 ascii "MCIPADD=172.16.2.220, 192.168.15.110,TFTPSRVR=172.16.2.220,MCPORT=1719,L2QVLAN=20,VLANTEST=600"
   lease 8
!
ip dhcp pool voice20
   network 192.168.20.0 255.255.255.240
   default-router 192.168.20.1
   option 176 ascii "MCIPADD=172.16.2.220, 192.168.15.110,TFTPSRVR=172.16.2.220,MCPORT=1719,L2QVLAN=20,VLANTEST=600"
   lease 8
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX162683CE
!
username admin privilege 15 secret 5 $1$o1/A$faF./HhQ.p9wyrlFlPVI90
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key 1voice1 address 192.168.15.2 255.255.255.0
!
crypto ipsec transform-set voice_set esp-des esp-md5-hmac
!
crypto map voice 10 ipsec-isakmp
set peer 192.168.15.2
set transform-set voice_set
set pfs group1
match address voice
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!        
interface FastEthernet0
switchport trunk native vlan 30
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 20
!
interface FastEthernet3
switchport access vlan 30
switchport voice vlan 20
!
interface FastEthernet4
description WAN
ip address 192.168.15.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map voice
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface Vlan20
ip address 192.168.20.1 255.255.255.240
ip nat inside
ip virtual-reassembly
!
interface Vlan30
ip address 192.168.30.1 255.255.255.240
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 172.16.2.0 255.255.255.0 192.168.15.2 permanent
!
ip access-list extended voice
permit ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255
permit ip 172.16.2.0 0.0.0.255 192.168.20.0 0.0.0.15
permit ip host 192.168.15.1 host 192.168.15.2
permit ip host 192.168.15.2 host 192.168.15.1
deny   ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 110 deny   ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.15 any
no cdp run

route-map nonat permit 10
match ip address 110
!
control-plane
!        
banner exec ^C
%
^C
!        
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end

sho ip route
1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback0
      172.16.0.0/24 is subnetted, 1 subnets
S        172.16.2.0 [1/0] via 192.168.15.2
      192.168.15.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.15.0/24 is directly connected, FastEthernet4
L        192.168.15.1/32 is directly connected, FastEthernet4
      192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/28 is directly connected, Vlan20
L        192.168.20.1/32 is directly connected, Vlan20
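
The post says the two configs are mirrored. Whether the crypto ACLs really are mirror images, and whether the NAT-exemption ACL keeps VPN traffic out of the overload NAT, are the two things to check first when only one direction of a site-to-site tunnel works. Below is an added consistency check, not code from the thread: the crypto ACL "voice" and ACL 110 are copied verbatim from the R_A and R_B configs above, while the parser, `mirror_mismatches` and `nat_exemption_gaps` are constructed for this example.

```python
"""Consistency checks for a pair of IOS IPsec peers.

Added example, not code from the thread. The crypto ACL "voice" and the
NAT route-map ACL 110 are copied verbatim from the R_A and R_B configs
above; the parser and the two checks are constructed for this example.
"""
import ipaddress
import re

R_A_CRYPTO = """
permit ip 172.16.2.0 0.0.0.255 192.168.20.0 0.0.0.15
permit ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255
permit ip host 192.168.15.2 host 192.168.15.1
permit ip host 192.168.15.1 host 192.168.15.2
deny   ip any any
"""
R_A_NONAT = """
access-list 110 deny   ip 172.16.2.0 0.0.0.255 192.168.20.0 0.0.0.15
access-list 110 permit ip 172.16.2.0 0.0.0.255 any
"""
R_B_CRYPTO = """
permit ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255
permit ip 172.16.2.0 0.0.0.255 192.168.20.0 0.0.0.15
permit ip host 192.168.15.1 host 192.168.15.2
permit ip host 192.168.15.2 host 192.168.15.1
deny   ip any any
"""
R_B_NONAT = """
access-list 110 deny   ip 192.168.20.0 0.0.0.15 172.16.2.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.15 any
"""

ACE_RE = re.compile(r"^(?:access-list\s+\d+\s+)?(permit|deny)\s+ip\s+(.+?)\s*$")
ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))


def _take_addr(tokens):
    """Consume one IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    netmask = ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Return [(action, src_network, dst_network)] for the 'ip' ACEs in text."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src, rest = _take_addr(m.group(2).split())
        dst, _ = _take_addr(rest)
        entries.append((m.group(1), src, dst))
    return entries


def mirror_mismatches(acl_a, acl_b):
    """Permit entries on one peer whose swapped (dst -> src) twin is missing on the other.

    An empty list means the two crypto ACLs are exact mirrors, which is what
    IKE phase 2 proxy-identity matching needs.
    """
    pa = {(s, d) for act, s, d in acl_a if act == "permit"}
    pb = {(s, d) for act, s, d in acl_b if act == "permit"}
    report = [f"A permits {s} -> {d} but B has no {d} -> {s}"
              for s, d in sorted(pa) if (d, s) not in pb]
    report += [f"B permits {s} -> {d} but A has no {d} -> {s}"
               for s, d in sorted(pb) if (d, s) not in pa]
    return report


def nat_exemption_gaps(crypto_acl, nonat_acl):
    """Crypto-ACL flows that the NAT route-map ACL would still translate.

    ACL 110 is evaluated top-down, first match wins, implicit deny at the end;
    a flow it permits is NATed on the way out and then no longer matches the
    crypto ACL, so every crypto permit must hit a deny (or nothing) first.
    """
    gaps = []
    for act, src, dst in crypto_acl:
        if act != "permit":
            continue
        verdict = "deny"  # implicit deny: not translated
        for nact, nsrc, ndst in nonat_acl:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                verdict = nact
                break
        if verdict == "permit":
            gaps.append(f"{src} -> {dst} would be NATed before encryption")
    return gaps


if __name__ == "__main__":
    a, b = parse_acl(R_A_CRYPTO), parse_acl(R_B_CRYPTO)
    print("crypto ACL mirror mismatches:", mirror_mismatches(a, b) or "none")
    print("R_A NAT exemption gaps:", nat_exemption_gaps(a, parse_acl(R_A_NONAT)) or "none")
    print("R_B NAT exemption gaps:", nat_exemption_gaps(b, parse_acl(R_B_NONAT)) or "none")
```

Run against the two posted configs, both checks come back empty: the crypto ACLs are mirrors of each other and ACL 110 denies the VPN flow before the `permit ... any`, so the asymmetry in the thread is not explained by the crypto or NAT ACLs. The checks only cover `ip` ACEs with network, `host` or `any` operands, which is all the posted ACLs use.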

  • ipsec and vlan interface , !*! McS555, 10:19 , 15-Aug-12 (1)
    ping 172.16.2.192 sou vl20

    sho cry is sa
    sho cry ip sa

    • ipsec and vlan interface , !*! bekzod, 01:18 , 16-Aug-12 (2)
      > ping 172.16.2.192 sou vl20
      > sho cry is sa
      > sho cry ip sa

      ping 172.16.2.192 source vlan20
      Sending 5, 100-byte ICMP Echos to 172.16.2.192, timeout is 2 seconds:
      Packet sent with a source address of 192.168.20.1
      !!!!!
      ping 172.16.2.2 (PC_A) source vlan20  
      Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
      Packet sent with a source address of 192.168.20.1
      .....
      show crypto is sa
      IPv4 Crypto ISAKMP SA
      dst             src             state          conn-id status
      192.168.15.1    192.168.15.2    QM_IDLE           2001 ACTIVE

      IPv6 Crypto ISAKMP SA

      Livingstone_R# show crypto ip sa

      interface: FastEthernet4
          Crypto map tag: voice, local addr 192.168.15.2

         protected vrf: (none)
         local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.240/0/0)
         remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
         current_peer 192.168.15.1 port 500
           PERMIT, flags={origin_is_acl,}
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts compr. failed: 0
          #pkts not decompressed: 0, #pkts decompress failed: 0
          #send errors 0, #recv errors 0

           local crypto endpt.: 192.168.15.2, remote crypto endpt.: 192.168.15.1
           path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
           current outbound spi: 0x0(0)
           PFS (Y/N): N, DH group: none

           inbound esp sas:

           inbound ah sas:

           inbound pcp sas:

           outbound esp sas:

           outbound ah sas:

           outbound pcp sas:

         protected vrf: (none)
         local  ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
         remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.240/0/0)
         current_peer 192.168.15.1 port 500
           PERMIT, flags={origin_is_acl,}
          #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
          #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts compr. failed: 0
          #pkts not decompressed: 0, #pkts decompress failed: 0
          #send errors 1, #recv errors 0

           local crypto endpt.: 192.168.15.2, remote crypto endpt.: 192.168.15.1
           path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
           current outbound spi: 0x2176D669(561436265)
           PFS (Y/N): Y, DH group: group1

           inbound esp sas:
            spi: 0x99AEC0E3(2578366691)
              transform: esp-des esp-md5-hmac ,
              in use settings ={Tunnel, }
              conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: voice
              sa timing: remaining key lifetime (k/sec): (4389856/3555)
              IV size: 8 bytes
              replay detection support: Y
              Status: ACTIVE

           inbound ah sas:

           inbound pcp sas:

           outbound esp sas:
            spi: 0x2176D669(561436265)
              transform: esp-des esp-md5-hmac ,
              in use settings ={Tunnel, }
              conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: voice
              sa timing: remaining key lifetime (k/sec): (4389856/3555)
              IV size: 8 bytes
              replay detection support: Y
              Status: ACTIVE

           outbound ah sas:

           outbound pcp sas:

         protected vrf: (none)
         local  ident (addr/mask/prot/port): (192.168.15.1/255.255.255.255/0/0)
         remote ident (addr/mask/prot/port): (192.168.15.2/255.255.255.255/0/0)
         current_peer 192.168.15.1 port 500
           PERMIT, flags={origin_is_acl,}
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts compr. failed: 0
          #pkts not decompressed: 0, #pkts decompress failed: 0
          #send errors 0, #recv errors 0

           local crypto endpt.: 192.168.15.2, remote crypto endpt.: 192.168.15.1
           path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
           current outbound spi: 0x0(0)
           PFS (Y/N): N, DH group: none

           inbound esp sas:

           inbound ah sas:

           inbound pcp sas:

           outbound esp sas:

           outbound ah sas:

           outbound pcp sas:

         protected vrf: (none)
         local  ident (addr/mask/prot/port): (192.168.15.2/255.255.255.255/0/0)
         remote ident (addr/mask/prot/port): (192.168.15.1/255.255.255.255/0/0)
         current_peer 192.168.15.1 port 500
           PERMIT, flags={origin_is_acl,}
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts compr. failed: 0
          #pkts not decompressed: 0, #pkts decompress failed: 0
          #send errors 0, #recv errors 0

           local crypto endpt.: 192.168.15.2, remote crypto endpt.: 192.168.15.1
           path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
           current outbound spi: 0x0(0)
           PFS (Y/N): N, DH group: none

           inbound esp sas:

           inbound ah sas:

           inbound pcp sas:

           outbound esp sas:

           outbound ah sas:

           outbound pcp sas:
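
The `show crypto ipsec sa` output above is what tells the two failure modes apart: an SA block with `current outbound spi: 0x0` and all-zero counters means no SA was ever negotiated for that proxy-identity pair, whereas the block with `#pkts encaps: 3` and `#pkts decaps: 7` shows a tunnel that is up and carrying traffic in both directions (which is consistent with the thread's eventual finding that the drop was on a host, not in the tunnel). The following is an added triage script, not code from the thread: `SAMPLE` is an excerpt of the posted output (two of the four SA blocks, with the compression lines and empty ah/pcp sections left out), and the parser and triage rules are this example's own construction.

```python
"""Triage of 'show crypto ipsec sa' output.

Added example, not code from the thread. SAMPLE is an excerpt of the output
posted above (two of the four SA blocks, compression lines and the empty
ah/pcp sections dropped); the parser and the triage rules are constructed
for this example.
"""
import ipaddress
import re

SAMPLE = """\
interface: FastEthernet4
    Crypto map tag: voice, local addr 192.168.15.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   current_peer 192.168.15.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.15.2, remote crypto endpt.: 192.168.15.1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.240/0/0)
   current_peer 192.168.15.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.15.2, remote crypto endpt.: 192.168.15.1
     current outbound spi: 0x2176D669(561436265)
     PFS (Y/N): Y, DH group: group1
"""


def _first(pattern, text, default=None):
    """First capture group of pattern in text, or default when absent."""
    m = re.search(pattern, text)
    return m.group(1) if m else default


def _ident(kind, block):
    """'local' or 'remote' proxy identity as CIDR, e.g. 192.168.20.0/28."""
    m = re.search(rf"{kind}\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/", block)
    if not m:
        return None
    return str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))


def parse_ipsec_sa(text):
    """One dict per 'protected vrf' block of 'show crypto ipsec sa'."""
    sas = []
    # Everything before the first 'protected vrf:' is the interface header.
    for block in re.split(r"^\s*protected vrf:", text, flags=re.M)[1:]:
        sas.append({
            "local": _ident("local", block),
            "remote": _ident("remote", block),
            "peer": _first(r"current_peer (\S+)", block),
            "encaps": int(_first(r"#pkts encaps: (\d+)", block, "0")),
            "decaps": int(_first(r"#pkts decaps: (\d+)", block, "0")),
            "send_errors": int(_first(r"#send errors (\d+)", block, "0")),
            "recv_errors": int(_first(r"#recv errors (\d+)", block, "0")),
            "outbound_spi": int(_first(r"current outbound spi: 0x([0-9A-Fa-f]+)", block, "0"), 16),
        })
    return sas


def findings(sas):
    """Conditions worth a closer look, one line each, in SA order."""
    out = []
    for sa in sas:
        flow = f"{sa['local']} -> {sa['remote']}"
        if sa["outbound_spi"] == 0 and sa["encaps"] == 0 and sa["decaps"] == 0:
            out.append(f"{flow}: no IPsec SA established for this flow")
        elif sa["encaps"] == 0 and sa["decaps"] > 0:
            out.append(f"{flow}: one-way traffic, packets are received but none sent")
        elif sa["decaps"] == 0 and sa["encaps"] > 0:
            out.append(f"{flow}: one-way traffic, packets are sent but none received")
        if sa["send_errors"]:
            out.append(f"{flow}: {sa['send_errors']} send error(s)")
    return out


if __name__ == "__main__":
    for line in findings(parse_ipsec_sa(SAMPLE)):
        print(line)
```

On the excerpt this reports that the 192.168.20.0/28 -> 172.16.2.0/24 pair has no SA (its crypto ACL entry simply never saw matching traffic) and that the established 172.16.2.0/24 -> 192.168.20.0/28 SA logged one send error; the encaps/decaps counters of that SA are both non-zero, so the tunnel itself is passing traffic in both directions.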

      • ipsec and vlan interface , !*! bekzod, 01:42 , 16-Aug-12 (3)
        Looks like I found the problem. I swapped the cables and the IP addresses on the PCs, and now I can ping in the reverse direction, so the trouble was with that direction, i.e. with the particular PC that runs Windows 7 (the other PC runs Windows XP). Even though both have the firewall turned off, Windows 7 wasn't letting the pings through. Thanks to everyone who tried to help me.
