The OpenNET Project / Index page
Forum: CISCO routers and other equipment (Public)

"Setting up a VPN tunnel between two Cisco 871s"
Message from Makc_2007 on 20-Aug-07, 11:29
Good day, everyone!

The setup is as follows:

Cisco A: internal interface 192.168.1.15 MASK 255.255.255.0 and two external ones:
fa1 - 172.20.1.60
fa4 - 172.20.2.60

Cisco B: internal interface 192.168.50.90 MASK 255.255.255.0 and two external ones:
fa1 - 172.20.1.50
fa4 - 172.20.2.50

When I enter the static route ip route 0.0.0.0 0.0.0.0 172.20.1.50 on Cisco A and the static route ip route 0.0.0.0 0.0.0.0 172.20.1.60 on Cisco B,
the VPN tunnel comes up fine and everything works!
But if I set the routes:
on Cisco A the static route ip route 0.0.0.0 0.0.0.0 172.20.2.50
on Cisco B the static route ip route 0.0.0.0 0.0.0.0 172.20.2.60
the VPN tunnel does not come up. Ping between the interfaces works:
ping 172.20.2.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.2.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Output of the following commands on Cisco A:
debug crypto ipsec
debug crypto isakmp

*Mar  3 22:46:56.606: ISAKMP: set new node 795756617 to QM_IDLE      
*Mar  3 22:46:56.610: ISAKMP:(1008):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2200926336, message ID = 795756617
*Mar  3 22:46:56.610: ISAKMP:(1008): sending packet to 172.20.2.50 my_port 500 peer_port 500 (R) QM_IDLE      
*Mar  3 22:46:56.610: ISAKMP:(1008):purging node 795756617
*Mar  3 22:46:56.610: ISAKMP:(1008):deleting node 931219803 error TRUE reason "QM rejected"
*Mar  3 22:46:56.610: ISAKMP (0:1008): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node 931219803: state = IKE_QM_READY
*Mar  3 22:46:56.610: ISAKMP:(1008):Node 931219803, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  3 22:46:56.610: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Mar  3 22:46:56.610: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.20.2.50    
*Mar  3 22:47:26.482: ISAKMP (0:1008): received packet from 172.20.2.50 dport 500 sport 500 Global (R) QM_IDLE      
*Mar  3 22:47:26.482: ISAKMP: set new node -598152818 to QM_IDLE      
*Mar  3 22:47:26.486: ISAKMP:(1008): processing HASH payload. message ID = -598152818
*Mar  3 22:47:26.486: ISAKMP:(1008): processing SA payload. message ID = -598152818
*Mar  3 22:47:26.486: ISAKMP:(1008):Checking IPSec proposal 1
*Mar  3 22:47:26.486: ISAKMP: transform 1, ESP_3DES
*Mar  3 22:47:26.486: ISAKMP:   attributes in transform:
*Mar  3 22:47:26.486: ISAKMP:      encaps is 1 (Tunnel)
*Mar  3 22:47:26.486: ISAKMP:      SA life type in seconds
*Mar  3 22:47:26.486: ISAKMP:      SA life duration (basic) of 3600
*Mar  3 22:47:26.486: ISAKMP:      SA life type in kilobytes
*Mar  3 22:47:26.486: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  3 22:47:26.486: ISAKMP:      authenticator is HMAC-SHA
*Mar  3 22:47:26.486: ISAKMP:(1008):atts are acceptable.
*Mar  3 22:47:26.486: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.20.2.60, remote= 172.20.2.50,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  3 22:47:26.486: Crypto mapdb : proxy_match
        src addr     : 192.168.1.0
        dst addr     : 192.168.50.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar  3 22:47:26.486: IPSEC(crypto_ipsec_process_proposal): peer address 172.20.2.50 not found
*Mar  3 22:47:26.486: ISAKMP:(1008): IPSec policy invalidated proposal
*Mar  3 22:47:26.486: ISAKMP:(1008): phase 2 SA policy not acceptable! (local 172.20.2.60 remote 172.20.2.50)
*Mar  3 22:47:26.490: ISAKMP: set new node -1389853563 to QM_IDLE      
*Mar  3 22:47:26.490: ISAKMP:(1008):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2200926336, message ID = -1389853563
*Mar  3 22:47:26.490: ISAKMP:(1008): sending packet to 172.20.2.50 my_port 500 peer_port 500 (R) QM_IDLE      
*Mar  3 22:47:26.490: ISAKMP:(1008):purging node -1389853563
*Mar  3 22:47:26.490: ISAKMP:(1008):deleting node -598152818 error TRUE reason "QM rejected"
*Mar  3 22:47:26.490: ISAKMP (0:1008): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -598152818: state = IKE_QM_READY
*Mar  3 22:47:26.494: ISAKMP:(1008):Node -598152818, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  3 22:47:26.494: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Mar  3 22:47:46.610: ISAKMP:(1008):purging node 931219803
*Mar  3 22:47:56.482: ISAKMP (0:1008): received packet from 172.20.2.50 dport 500 sport 500 Global (R) QM_IDLE      
*Mar  3 22:47:56.482: ISAKMP: set new node -500335845 to QM_IDLE      
*Mar  3 22:47:56.486: ISAKMP:(1008): processing HASH payload. message ID = -500335845
*Mar  3 22:47:56.486: ISAKMP:(1008): processing DELETE payload. message ID = -500335845
*Mar  3 22:47:56.486: ISAKMP:(1008):peer does not do paranoid keepalives.

*Mar  3 22:47:56.486: ISAKMP:(1008):deleting SA reason "No reason" state (R) QM_IDLE       (peer 172.20.2.50)
*Mar  3 22:47:56.486: ISAKMP:(1008):deleting node -500335845 error FALSE reason "Informational (in) state 1"
*Mar  3 22:47:56.486: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  3 22:47:56.486: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar  3 22:47:56.486: ISAKMP:(1008):deleting SA reason "No reason" state (R) QM_IDLE       (peer 172.20.2.50)
*Mar  3 22:47:56.486: ISAKMP: Unlocking peer struct 0x837BCFFC for isadb_mark_sa_deleted(), count 0
*Mar  3 22:47:56.486: ISAKMP: Deleting peer node by peer_reap for 172.20.2.50: 837BCFFC
*Mar  3 22:47:56.490: ISAKMP:(1008):deleting node -598152818 error FALSE reason "IKE deleted"
*Mar  3 22:47:56.490: ISAKMP:(1008):deleting node -500335845 error FALSE reason "IKE deleted"
*Mar  3 22:47:56.490: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 22:47:56.490: ISAKMP:(1008):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Mar  3 22:47:56.490: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  3 22:48:43.834: %SEC-6-IPACCESSLOGP: list 160 denied udp 172.20.2.50(500) -> 172.20.1.60(500), 17 packets
*Mar  3 22:48:46.490: ISAKMP:(1008):purging node -598152818
*Mar  3 22:48:46.490: ISAKMP:(1008):purging node -500335845
*Mar  3 22:48:56.490: ISAKMP:(1008):purging SA., sa=83B2D0BC, delme=83B2D0BC
*Mar  3 22:48:57.518: ISAKMP (0:0): received packet from 172.20.2.50 dport 500 sport 500 Global (N) NEW SA
*Mar  3 22:48:57.518: ISAKMP: Created a peer struct for 172.20.2.50, peer port 500
*Mar  3 22:48:57.518: ISAKMP: New peer created peer = 0x837BCFFC peer_handle = 0x80000072
*Mar  3 22:48:57.518: ISAKMP: Locking peer struct 0x837BCFFC, refcount 1 for crypto_isakmp_process_block
*Mar  3 22:48:57.518: ISAKMP: local port 500, remote port 500
*Mar  3 22:48:57.518: insert sa successfully sa = 83B2D0BC
*Mar  3 22:48:57.518: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 22:48:57.518: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Mar  3 22:48:57.518: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  3 22:48:57.522: ISAKMP:(0): processing vendor id payload
*Mar  3 22:48:57.522: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  3 22:48:57.522: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  3 22:48:57.522: ISAKMP:(0): processing vendor id payload
*Mar  3 22:48:57.522: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  3 22:48:57.522: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  3 22:48:57.522: ISAKMP:(0): processing vendor id payload
*Mar  3 22:48:57.522: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  3 22:48:57.522: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  3 22:48:57.522: ISAKMP:(0):Looking for a matching key for 172.20.2.50 in default
*Mar  3 22:48:57.522: ISAKMP:(0): : success
*Mar  3 22:48:57.522: ISAKMP:(0):found peer pre-shared key matching 172.20.2.50
*Mar  3 22:48:57.522: ISAKMP:(0): local preshared key found
*Mar  3 22:48:57.522: ISAKMP : Scanning profiles for xauth ...
*Mar  3 22:48:57.522: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar  3 22:48:57.522: ISAKMP:      encryption 3DES-CBC
*Mar  3 22:48:57.522: ISAKMP:      hash SHA
*Mar  3 22:48:57.522: ISAKMP:      default group 2
*Mar  3 22:48:57.522: ISAKMP:      auth pre-share
*Mar  3 22:48:57.522: ISAKMP:      life type in seconds
*Mar  3 22:48:57.522: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  3 22:48:57.522: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  3 22:48:57.522: ISAKMP:(0): processing vendor id payload
*Mar  3 22:48:57.522: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  3 22:48:57.522: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  3 22:48:57.526: ISAKMP:(0): processing vendor id payload
*Mar  3 22:48:57.526: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  3 22:48:57.526: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  3 22:48:57.526: ISAKMP:(0): processing vendor id payload
*Mar  3 22:48:57.526: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  3 22:48:57.526: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  3 22:48:57.526: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  3 22:48:57.526: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Mar  3 22:48:57.526: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  3 22:48:57.526: ISAKMP:(0): sending packet to 172.20.2.50 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar  3 22:48:57.526: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  3 22:48:57.526: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Mar  3 22:48:57.542: ISAKMP (0:0): received packet from 172.20.2.50 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  3 22:48:57.542: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 22:48:57.542: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Mar  3 22:48:57.542: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  3 22:48:57.570: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  3 22:48:57.570: ISAKMP:(0):Looking for a matching key for 172.20.2.50 in default
*Mar  3 22:48:57.570: ISAKMP:(0): : success
*Mar  3 22:48:57.570: ISAKMP:(0):found peer pre-shared key matching 172.20.2.50
*Mar  3 22:48:57.574: ISAKMP:(1009): processing vendor id payload
*Mar  3 22:48:57.574: ISAKMP:(1009): vendor ID is Unity
*Mar  3 22:48:57.574: ISAKMP:(1009): processing vendor id payload
*Mar  3 22:48:57.574: ISAKMP:(1009): vendor ID is DPD
*Mar  3 22:48:57.574: ISAKMP:(1009): processing vendor id payload
*Mar  3 22:48:57.574: ISAKMP:(1009): speaking to another IOS box!
*Mar  3 22:48:57.574: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  3 22:48:57.574: ISAKMP:(1009):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Mar  3 22:48:57.574: ISAKMP:(1009): sending packet to 172.20.2.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar  3 22:48:57.578: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  3 22:48:57.578: ISAKMP:(1009):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Mar  3 22:48:57.614: ISAKMP (0:1009): received packet from 172.20.2.50 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar  3 22:48:57.614: ISAKMP:(1009):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 22:48:57.614: ISAKMP:(1009):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Mar  3 22:48:57.614: ISAKMP:(1009): processing ID payload. message ID = 0
*Mar  3 22:48:57.614: ISAKMP (0:1009): ID payload
        next-payload : 8
        type         : 1
        address      : 172.20.2.50
        protocol     : 17
        port         : 500
        length       : 12
*Mar  3 22:48:57.614: ISAKMP:(1009):: peer matches *none* of the profiles
*Mar  3 22:48:57.618: ISAKMP:(1009): processing HASH payload. message ID = 0
*Mar  3 22:48:57.618: ISAKMP:(1009): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 83B2D0BC
*Mar  3 22:48:57.618: ISAKMP:(1009):SA authentication status:
        authenticated
*Mar  3 22:48:57.618: ISAKMP:(1009): Process initial contact,
bring down existing phase 1 and 2 SA's with local 172.20.2.60 remote 172.20.2.50 remote port 500
*Mar  3 22:48:57.618: ISAKMP:(1009):SA authentication status:
        authenticated
*Mar  3 22:48:57.618: ISAKMP:(1009):SA has been authenticated with 172.20.2.50
*Mar  3 22:48:57.618: ISAKMP: Trying to insert a peer 172.20.2.60/172.20.2.50/500/,  and inserted successfully 837BCFFC.
*Mar  3 22:48:57.618: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  3 22:48:57.618: ISAKMP:(1009):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Mar  3 22:48:57.618: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  3 22:48:57.622: ISAKMP:(1009):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  3 22:48:57.622: ISAKMP (0:1009): ID payload
        next-payload : 8
        type         : 1
        address      : 172.20.2.60
        protocol     : 17
        port         : 500
        length       : 12
*Mar  3 22:48:57.622: ISAKMP:(1009):Total payload length: 12
*Mar  3 22:48:57.622: ISAKMP:(1009): sending packet to 172.20.2.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar  3 22:48:57.622: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  3 22:48:57.622: ISAKMP:(1009):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Mar  3 22:48:57.626: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  3 22:48:57.626: ISAKMP:(1009):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  3 22:48:57.638: ISAKMP (0:1009): received packet from 172.20.2.50 dport 500 sport 500 Global (R) QM_IDLE      
*Mar  3 22:48:57.638: ISAKMP: set new node -511218669 to QM_IDLE      
*Mar  3 22:48:57.638: ISAKMP:(1009): processing HASH payload. message ID = -511218669
*Mar  3 22:48:57.638: ISAKMP:(1009): processing SA payload. message ID = -511218669
*Mar  3 22:48:57.638: ISAKMP:(1009):Checking IPSec proposal 1
*Mar  3 22:48:57.638: ISAKMP: transform 1, ESP_3DES
*Mar  3 22:48:57.638: ISAKMP:   attributes in transform:
*Mar  3 22:48:57.638: ISAKMP:      encaps is 1 (Tunnel)
*Mar  3 22:48:57.638: ISAKMP:      SA life type in seconds
*Mar  3 22:48:57.642: ISAKMP:      SA life duration (basic) of 3600
*Mar  3 22:48:57.642: ISAKMP:      SA life type in kilobytes
*Mar  3 22:48:57.642: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  3 22:48:57.642: ISAKMP:      authenticator is HMAC-SHA
*Mar  3 22:48:57.642: ISAKMP:(1009):atts are acceptable.
*Mar  3 22:48:57.642: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.20.2.60, remote= 172.20.2.50,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  3 22:48:57.642: Crypto mapdb : proxy_match
        src addr     : 192.168.1.0
        dst addr     : 192.168.50.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar  3 22:48:57.642: IPSEC(crypto_ipsec_process_proposal): peer address 172.20.2.50 not found
*Mar  3 22:48:57.642: ISAKMP:(1009): IPSec policy invalidated proposal
*Mar  3 22:48:57.642: ISAKMP:(1009): phase 2 SA policy not acceptable! (local 172.20.2.60 remote 172.20.2.50)
*Mar  3 22:48:57.642: ISAKMP: set new node 680652480 to QM_IDLE      
*Mar  3 22:48:57.646: ISAKMP:(1009):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2200926336, message ID = 680652480
*Mar  3 22:48:57.646: ISAKMP:(1009): sending packet to 172.20.2.50 my_port 500 peer_port 500 (R) QM_IDLE      
*Mar  3 22:48:57.646: ISAKMP:(1009):purging node 680652480
*Mar  3 22:48:57.646: ISAKMP:(1009):deleting node -511218669 error TRUE reason "QM rejected"
*Mar  3 22:48:57.646: ISAKMP (0:1009): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -511218669: state = IKE_QM_READY
*Mar  3 22:48:57.646: ISAKMP:(1009):Node -511218669, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  3 22:48:57.646: ISAKMP:(1009):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Mar  3 22:48:57.646: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.20.2.50    
*Mar  3 22:49:27.518: ISAKMP (0:1009): received packet from 172.20.2.50 dport 500 sport 500 Global (R) QM_IDLE      
*Mar  3 22:49:27.518: ISAKMP: set new node 1221686883 to QM_IDLE      
*Mar  3 22:49:27.518: ISAKMP:(1009): processing HASH payload. message ID = 1221686883
*Mar  3 22:49:27.522: ISAKMP:(1009): processing SA payload. message ID = 1221686883
*Mar  3 22:49:27.522: ISAKMP:(1009):Checking IPSec proposal 1
*Mar  3 22:49:27.522: ISAKMP: transform 1, ESP_3DES
*Mar  3 22:49:27.522: ISAKMP:   attributes in transform:
*Mar  3 22:49:27.522: ISAKMP:      encaps is 1 (Tunnel)
*Mar  3 22:49:27.522: ISAKMP:      SA life type in seconds
*Mar  3 22:49:27.522: ISAKMP:      SA life duration (basic) of 3600
*Mar  3 22:49:27.522: ISAKMP:      SA life type in kilobytes
*Mar  3 22:49:27.522: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  3 22:49:27.522: ISAKMP:      authenticator is HMAC-SHA
*Mar  3 22:49:27.522: ISAKMP:(1009):atts are acceptable.
*Mar  3 22:49:27.522: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.20.2.60, remote= 172.20.2.50,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  3 22:49:27.522: Crypto mapdb : proxy_match
        src addr     : 192.168.1.0
        dst addr     : 192.168.50.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar  3 22:49:27.522: IPSEC(crypto_ipsec_process_proposal): peer address 172.20.2.50 not found
*Mar  3 22:49:27.522: ISAKMP:(1009): IPSec policy invalidated proposal
*Mar  3 22:49:27.522: ISAKMP:(1009): phase 2 SA policy not acceptable! (local 172.20.2.60 remote 172.20.2.50)
*Mar  3 22:49:27.522: ISAKMP: set new node -19287571 to QM_IDLE      
*Mar  3 22:49:27.526: ISAKMP:(1009):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2200926336, message ID = -19287571
*Mar  3 22:49:27.526: ISAKMP:(1009): sending packet to 172.20.2.50 my_port 500 peer_port 500 (R) QM_IDLE      
*Mar  3 22:49:27.526: ISAKMP:(1009):purging node -19287571
*Mar  3 22:49:27.526: ISAKMP:(1009):deleting node 1221686883 error TRUE reason "QM rejected"
*Mar  3 22:49:27.526: ISAKMP (0:1009): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node 1221686883: state = IKE_QM_READY
*Mar  3 22:49:27.526: ISAKMP:(1009):Node 1221686883, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  3 22:49:27.526: ISAKMP:(1009):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Mar  3 22:49:47.646: ISAKMP:(1009):purging node -511218669
*Mar  3 22:49:57.518: ISAKMP (0:1009): received packet from 172.20.2.50 dport 500 sport 500 Global (R) QM_IDLE      
*Mar  3 22:49:57.518: ISAKMP: set new node -1660860477 to QM_IDLE      
*Mar  3 22:49:57.518: ISAKMP:(1009): processing HASH payload. message ID = -1660860477
*Mar  3 22:49:57.522: ISAKMP:(1009): processing DELETE payload. message ID = -1660860477
*Mar  3 22:49:57.522: ISAKMP:(1009):peer does not do paranoid keepalives.

*Mar  3 22:49:57.522: ISAKMP:(1009):deleting SA reason "No reason" state (R) QM_IDLE       (peer 172.20.2.50)
*Mar  3 22:49:57.522: ISAKMP:(1009):deleting node -1660860477 error FALSE reason "Informational (in) state 1"
*Mar  3 22:49:57.522: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  3 22:49:57.522: ISAKMP:(1009):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar  3 22:49:57.522: ISAKMP:(1009):deleting SA reason "No reason" state (R) QM_IDLE       (peer 172.20.2.50)
*Mar  3 22:49:57.522: ISAKMP: Unlocking peer struct 0x837BCFFC for isadb_mark_sa_deleted(), count 0
*Mar  3 22:49:57.522: ISAKMP: Deleting peer node by peer_reap for 172.20.2.50: 837BCFFC
*Mar  3 22:49:57.522: ISAKMP:(1009):deleting node 1221686883 error FALSE reason "IKE deleted"
*Mar  3 22:49:57.522: ISAKMP:(1009):deleting node -1660860477 error FALSE reason "IKE deleted"
*Mar  3 22:49:57.526: ISAKMP:(1009):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 22:49:57.526: ISAKMP:(1009):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Mar  3 22:49:57.526: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  3 22:50:47.522: ISAKMP:(1009):purging node 1221686883
*Mar  3 22:50:47.522: ISAKMP:(1009):purging node -1660860477
*Mar  3 22:50:57.522: ISAKMP:(1009):purging SA., sa=83B2D0BC, delme=83B2D0BC
*Mar  3 22:50:58.394: ISAKMP (0:0): received packet from 172.20.2.50 dport 500 sport 500 Global (N) NEW SA
*Mar  3 22:50:58.394: ISAKMP: Created a peer struct for 172.20.2.50, peer port 500
*Mar  3 22:50:58.394: ISAKMP: New peer created peer = 0x837BCFFC peer_handle = 0x80000074
*Mar  3 22:50:58.394: ISAKMP: Locking peer struct 0x837BCFFC, refcount 1 for crypto_isakmp_process_block
*Mar  3 22:50:58.394: ISAKMP: local port 500, remote port 500
*Mar  3 22:50:58.394: insert sa successfully sa = 83B2D0BC
*Mar  3 22:50:58.394: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 22:50:58.394: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Mar  3 22:50:58.394: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  3 22:50:58.394: ISAKMP:(0): processing vendor id payload
*Mar  3 22:50:58.394: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  3 22:50:58.394: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  3 22:50:58.394: ISAKMP:(0): processing vendor id payload
*Mar  3 22:50:58.394: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  3 22:50:58.394: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  3 22:50:58.394: ISAKMP:(0): processing vendor id payload
*Mar  3 22:50:58.394: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  3 22:50:58.398: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  3 22:50:58.398: ISAKMP:(0):Looking for a matching key for 172.20.2.50 in default
*Mar  3 22:50:58.398: ISAKMP:(0): : success
*Mar  3 22:50:58.398: ISAKMP:(0):found peer pre-shared key matching 172.20.2.50
*Mar  3 22:50:58.398: ISAKMP:(0): local preshared key found
*Mar  3 22:50:58.398: ISAKMP : Scanning profiles for xauth ...
*Mar  3 22:50:58.398: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar  3 22:50:58.398: ISAKMP:      encryption 3DES-CBC
*Mar  3 22:50:58.398: ISAKMP:      hash SHA
*Mar  3 22:50:58.398: ISAKMP:      default group 2
*Mar  3 22:50:58.398: ISAKMP:      auth pre-share
*Mar  3 22:50:58.398: ISAKMP:      life type in seconds
*Mar  3 22:50:58.398: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  3 22:50:58.398: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  3 22:50:58.398: ISAKMP:(0): processing vendor id payload
*Mar  3 22:50:58.398: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  3 22:50:58.398: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  3 22:50:58.398: ISAKMP:(0): processing vendor id payload
*Mar  3 22:50:58.398: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  3 22:50:58.398: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  3 22:50:58.398: ISAKMP:(0): processing vendor id payload
*Mar  3 22:50:58.398: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  3 22:50:58.398: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  3 22:50:58.402: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  3 22:50:58.402: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Mar  3 22:50:58.402: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  3 22:50:58.402: ISAKMP:(0): sending packet to 172.20.2.50 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar  3 22:50:58.402: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  3 22:50:58.402: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Mar  3 22:50:58.414: ISAKMP (0:0): received packet from 172.20.2.50 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  3 22:50:58.418: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 22:50:58.418: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Mar  3 22:50:58.418: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  3 22:50:58.446: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  3 22:50:58.446: ISAKMP:(0):Looking for a matching key for 172.20.2.50 in default
*Mar  3 22:50:58.446: ISAKMP:(0): : success
*Mar  3 22:50:58.446: ISAKMP:(0):found peer pre-shared key matching 172.20.2.50
*Mar  3 22:50:58.450: ISAKMP:(1010): processing vendor id payload
*Mar  3 22:50:58.450: ISAKMP:(1010): vendor ID is Unity
*Mar  3 22:50:58.450: ISAKMP:(1010): processing vendor id payload
*Mar  3 22:50:58.450: ISAKMP:(1010): vendor ID is DPD
*Mar  3 22:50:58.450: ISAKMP:(1010): processing vendor id payload
*Mar  3 22:50:58.450: ISAKMP:(1010): speaking to another IOS box!
*Mar  3 22:50:58.450: ISAKMP:(1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  3 22:50:58.450: ISAKMP:(1010):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Mar  3 22:50:58.450: ISAKMP:(1010): sending packet to 172.20.2.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar  3 22:50:58.450: ISAKMP:(1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  3 22:50:58.450: ISAKMP:(1010):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Mar  3 22:50:58.490: ISAKMP (0:1010): received packet from 172.20.2.50 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar  3 22:50:58.490: ISAKMP:(1010):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 22:50:58.490: ISAKMP:(1010):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Mar  3 22:50:58.490: ISAKMP:(1010): processing ID payload. message ID = 0
*Mar  3 22:50:58.490: ISAKMP (0:1010): ID payload
        next-payload : 8
        type         : 1
        address      : 172.20.2.50
        protocol     : 17
        port         : 500
        length       : 12
*Mar  3 22:50:58.490: ISAKMP:(1010):: peer matches *none* of the profiles
*Mar  3 22:50:58.490: ISAKMP:(1010): processing HASH payload. message ID = 0
*Mar  3 22:50:58.494: ISAKMP:(1010): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 83B2D0BC
*Mar  3 22:50:58.494: ISAKMP:(1010):SA authentication status:
        authenticated
*Mar  3 22:50:58.494: ISAKMP:(1010): Process initial contact,
bring down existing phase 1 and 2 SA's with local 172.20.2.60 remote 172.20.2.50 remote port 500
*Mar  3 22:50:58.494: ISAKMP:(1010):SA authentication status:
        authenticated
*Mar  3 22:50:58.494: ISAKMP:(1010):SA has been authenticated with 172.20.2.50
*Mar  3 22:50:58.494: ISAKMP: Trying to insert a peer 172.20.2.60/172.20.2.50/500/,  and inserted successfully 837BCFFC.
*Mar  3 22:50:58.494: ISAKMP:(1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  3 22:50:58.494: ISAKMP:(1010):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Mar  3 22:50:58.494: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  3 22:50:58.494: ISAKMP:(1010):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  3 22:50:58.494: ISAKMP (0:1010): ID payload
        next-payload : 8
        type         : 1
        address      : 172.20.2.60
        protocol     : 17
        port         : 500
        length       : 12
*Mar  3 22:50:58.498: ISAKMP:(1010):Total payload length: 12
*Mar  3 22:50:58.498: ISAKMP:(1010): sending packet to 172.20.2.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar  3 22:50:58.498: ISAKMP:(1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  3 22:50:58.498: ISAKMP:(1010):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Mar  3 22:50:58.498: ISAKMP:(1010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  3 22:50:58.502: ISAKMP:(1010):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  3 22:50:58.514: ISAKMP (0:1010): received packet from 172.20.2.50 dport 500 sport 500 Global (R) QM_IDLE      
*Mar  3 22:50:58.514: ISAKMP: set new node -1621343118 to QM_IDLE      
*Mar  3 22:50:58.514: ISAKMP:(1010): processing HASH payload. message ID = -1621343118
*Mar  3 22:50:58.514: ISAKMP:(1010): processing SA payload. message ID = -1621343118
*Mar  3 22:50:58.514: ISAKMP:(1010):Checking IPSec proposal 1
*Mar  3 22:50:58.514: ISAKMP: transform 1, ESP_3DES
*Mar  3 22:50:58.514: ISAKMP:   attributes in transform:
*Mar  3 22:50:58.514: ISAKMP:      encaps is 1 (Tunnel)
*Mar  3 22:50:58.514: ISAKMP:      SA life type in seconds
*Mar  3 22:50:58.514: ISAKMP:      SA life duration (basic) of 3600
*Mar  3 22:50:58.514: ISAKMP:      SA life type in kilobytes
*Mar  3 22:50:58.514: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  3 22:50:58.518: ISAKMP:      authenticator is HMAC-SHA
*Mar  3 22:50:58.518: ISAKMP:(1010):atts are acceptable.
*Mar  3 22:50:58.518: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.20.2.60, remote= 172.20.2.50,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  3 22:50:58.518: Crypto mapdb : proxy_match
        src addr     : 192.168.1.0
        dst addr     : 192.168.50.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar  3 22:50:58.518: IPSEC(crypto_ipsec_process_proposal): peer address 172.20.2.50 not found
*Mar  3 22:50:58.518: ISAKMP:(1010): IPSec policy invalidated proposal
*Mar  3 22:50:58.518: ISAKMP:(1010): phase 2 SA policy not acceptable! (local 172.20.2.60 remote 172.20.2.50)
*Mar  3 22:50:58.518: ISAKMP: set new node -1679054531 to QM_IDLE      
*Mar  3 22:50:58.518: ISAKMP:(1010):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2200926336, message ID = -1679054531
*Mar  3 22:50:58.522: ISAKMP:(1010): sending packet to 172.20.2.50 my_port 500 peer_port 500 (R) QM_IDLE      
*Mar  3 22:50:58.522: ISAKMP:(1010):purging node -1679054531
*Mar  3 22:50:58.522: ISAKMP:(1010):deleting node -1621343118 error TRUE reason "QM rejected"
*Mar  3 22:50:58.522: ISAKMP (0:1010): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -1621343118: state = IKE_QM_READY
*Mar  3 22:50:58.522: ISAKMP:(1010):Node -1621343118, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  3 22:50:58.522: ISAKMP:(1010):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Mar  3 22:50:58.522: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.20.2.50    

///////////////
Config of Cisco A:
///////////////

Building configuration...

Current configuration : 4927 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ХХХХХХ
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!        
!        
no ip ips deny-action ips-interface
!        
!        
!        
username ХХХХХХ privilege 15 secret 5
!        
!        
class-map match-all TELNET_CLASS
match access-group name TELNET_ACL
class-map match-all DO2_CLASS
match access-group name DO2_ACL
class-map match-all DO1_CLASS
match access-group name DO1_ACL
class-map match-all VOICE_CLASS
match access-group name VOICE_ACL
!        
!        
policy-map QOS_POLICY
class VOICE_CLASS
  priority 32
class TELNET_CLASS
  bandwidth 64
policy-map SHAPE_POLICY
class DO1_CLASS
  shape average 128000
  service-policy QOS_POLICY
class DO2_CLASS
  shape average 128000
  service-policy QOS_POLICY
!        
!        
!        
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2  
crypto isakmp key "key" address 172.20.1.50
crypto isakmp key "key" address 172.20.2.50
!        
!        
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!        
crypto map CRYPTO_POLICY 1 ipsec-isakmp
set peer 172.20.1.50
set ip access-group 170 in
set transform-set ESP-3DES-SHA
match address 100
qos pre-classify
crypto map CRYPTO_POLICY 2 ipsec-isakmp
set peer 172.20.2.50
set ip access-group 170 in
set transform-set ESP-3DES-SHA
match address 101
qos pre-classify
!        
!        
!        
interface FastEthernet0
!        
interface FastEthernet1
switchport access vlan 2
!        
interface FastEthernet2
!        
interface FastEthernet3
!        
interface FastEthernet4
bandwidth 128
ip address 172.20.1.60 255.255.255.0
ip access-group 160 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CRYPTO_POLICY
max-reserved-bandwidth 85
service-policy output SHAPE_POLICY
!        
interface Vlan1
ip address 192.168.1.15 255.255.255.0
ip nat inside
ip virtual-reassembly
rate-limit input access-group 130 32000 2000 3000 conform-action transmit exceed-action drop
rate-limit input access-group 131 32000 2000 3000 conform-action transmit exceed-action drop
!        
interface Vlan2
bandwidth 128
ip address 172.20.2.60 255.255.255.0
ip access-group 160 in
ip nat outside
ip virtual-reassembly
crypto map CRYPTO_POLICY
max-reserved-bandwidth 85
service-policy output SHAPE_POLICY
!        
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.2.50
!        
!        
no ip http server
no ip http secure-server
!        
ip access-list standard VOICE_ACL
permit 192.168.Х.ХХ
!        
ip access-list extended DO1_ACL
permit ip any 192.168.50.0 0.0.0.255
ip access-list extended DO2_ACL
permit ip any 192.168.50.0 0.0.0.255
ip access-list extended TELNET_ACL
permit tcp any eq telnet any
!        
logging trap debugging
logging 192.168.1.9
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 130 deny   tcp any eq telnet any
access-list 130 deny   ip host 192.168.Х.Х any
access-list 130 deny   ip host 192.168.Х.Х any
access-list 130 permit ip any 192.168.50.0 0.0.0.255
access-list 131 deny   tcp any eq telnet any
access-list 131 deny   ip host 192.168.Х.Х any
access-list 131 deny   ip host 192.168.Х.Х any
access-list 131 permit ip any 192.168.50.0 0.0.0.255
access-list 160 permit ip host 172.20.1.50 host 172.20.1.60
access-list 160 permit esp host 172.20.1.50 host 172.20.1.60
access-list 160 permit udp host 172.20.1.50 host 172.20.1.60 eq isakmp
access-list 160 permit ip host 172.20.2.50 host 172.20.2.60
access-list 160 permit esp host 172.20.2.50 host 172.20.2.60
access-list 160 permit udp host 172.20.2.50 host 172.20.2.60 eq isakmp
access-list 160 permit icmp any any echo
access-list 160 permit icmp any any echo-reply
access-list 160 permit icmp any any time-exceeded
access-list 160 permit icmp any any unreachable
access-list 160 deny   ip any any log
access-list 170 permit tcp any host 192.168.Х.Х eq telnet
access-list 170 permit tcp any host 192.168.Х.Х eq telnet
access-list 170 permit tcp any host 192.168.Х.Х eq 1352
access-list 170 permit tcp any eq 1352 host 192.168.Х.Х
access-list 170 permit tcp any host 192.168.Х.Х
access-list 170 permit icmp any any echo
access-list 170 permit icmp any any echo-reply
access-list 170 permit icmp any any time-exceeded
access-list 170 permit icmp any any unreachable
access-list 170 deny   ip any any log
!        
!        
control-plane
!        
!        
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
!        
scheduler max-task-time 5000


//////////////
Config of Cisco B:
//////////////

Building configuration...

Current configuration : 5197 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname do
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!        
!        
no ip ips deny-action ips-interface
!        
!        
!        
username ХХХХХХ privilege 15 secret 5
!        
!        
class-map match-all TELNET_CLASS
match access-group name TELNET_ACL
class-map match-all DO2_CLASS
match access-group name DO2_ACL
class-map match-all DO1_CLASS
match access-group name DO1_ACL
class-map match-all VOICE_CLASS
match access-group name VOICE_ACL
!        
!        
policy-map QOS_POLICY
class VOICE_CLASS
  priority 32
class TELNET_CLASS
  bandwidth 64
policy-map SHAPE_POLICY
class DO1_CLASS
  shape average 128000
  service-policy QOS_POLICY
class DO2_CLASS
  shape average 128000
  service-policy QOS_POLICY
!        
!        
!        
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2  
crypto isakmp key "key" address 172.20.1.60
crypto isakmp key "key" address 172.20.2.60
!        
!        
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!        
crypto map CRYPTO_POLICY 1 ipsec-isakmp
set peer 172.20.1.60
set ip access-group 170 in
set transform-set ESP-3DES-SHA
match address 100
qos pre-classify
crypto map CRYPTO_POLICY 2 ipsec-isakmp
set peer 172.20.2.60
set ip access-group 170 in
set transform-set ESP-3DES-SHA
match address 101
qos pre-classify
!        
!        
!        
interface FastEthernet0
!        
interface FastEthernet1
switchport access vlan 2
!        
interface FastEthernet2
!        
interface FastEthernet3
!        
interface FastEthernet4
bandwidth 128
ip address 172.20.1.50 255.255.255.0
ip access-group 160 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CRYPTO_POLICY
max-reserved-bandwidth 85
service-policy output SHAPE_POLICY
!        
interface Vlan1
ip address 192.168.50.90 255.255.255.0
ip nat inside
ip virtual-reassembly
rate-limit input access-group 130 32000 2000 3000 conform-action transmit exceed-action drop
rate-limit input access-group 131 32000 2000 3000 conform-action transmit exceed-action drop
!        
interface Vlan2
bandwidth 128
ip address 172.20.2.50 255.255.255.0
ip access-group 160 in
ip nat outside
ip virtual-reassembly
crypto map CRYPTO_POLICY
max-reserved-bandwidth 85
service-policy output SHAPE_POLICY
!        
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.2.60
!        
!        
no ip http server
no ip http secure-server
!        
ip access-list standard VOICE_ACL
permit 192.168.Х.Х
!        
ip access-list extended DO1_ACL
permit ip any 192.168.1.0 0.0.0.255
ip access-list extended DO2_ACL
permit ip any 192.168.1.0 0.0.0.255
ip access-list extended TELNET_ACL
permit tcp any eq telnet any
!        
access-list 100 permit ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 deny   tcp any eq telnet any
access-list 130 deny   ip host 192.168.ХХ.ХХ any
access-list 130 deny   ip host 192.168.Х.Х any
access-list 130 permit ip any 192.168.50.0 0.0.0.255
access-list 131 deny   tcp any eq telnet any
access-list 131 deny   ip host 192.168.ХХ.ХХ any
access-list 131 deny   ip host 192.168.Х.Х any
access-list 131 permit ip any 192.168.50.0 0.0.0.255
access-list 160 permit ip host 172.20.1.60 host 172.20.1.50
access-list 160 permit esp host 172.20.1.60 host 172.20.1.50
access-list 160 permit udp host 172.20.1.60 host 172.20.1.50 eq isakmp
access-list 160 permit ip host 172.20.2.60 host 172.20.2.50
access-list 160 permit esp host 172.20.2.60 host 172.20.2.50
access-list 160 permit udp host 172.20.2.60 host 172.20.2.50 eq isakmp
access-list 160 permit icmp any any echo
access-list 160 permit icmp any any echo-reply
access-list 160 permit icmp any any time-exceeded
access-list 160 permit icmp any any unreachable
access-list 160 deny   ip any any log
access-list 170 permit tcp host 192.168.Х.Х eq telnet 192.168.50.0 0.0.0.255
access-list 170 permit tcp host 192.168.Х.Х eq telnet 192.168.50.0 0.0.0.255
access-list 170 permit tcp host 192.168.Х.Х eq telnet 192.168.50.0 0.0.0.255
access-list 170 permit tcp host 192.168.Х.Х eq telnet 192.168.50.0 0.0.0.255
access-list 170 permit tcp host 192.168.Х.Х eq 1352 192.168.50.0 0.0.0.255
access-list 170 permit tcp host 192.168.Х.Х 192.168.50.0 0.0.0.255 eq 1352
access-list 170 permit ip host 192.168.Х.Х any
access-list 170 permit ip host 192.168.Х.Х any
access-list 170 permit icmp any any echo
access-list 170 permit icmp any any echo-reply
access-list 170 permit icmp any any time-exceeded
access-list 170 permit icmp any any unreachable
access-list 170 deny   ip any any log
!        
!        
control-plane
!        
!        
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
!        
scheduler max-task-time 5000

Can anyone advise what the problem might be?

1. "Setting up a VPN tunnel between two Cisco 871s"
Message from Makc_2007 (??) on 23-Aug-07, 04:29
Solution found!

Crypto maps bound to different interfaces must have different names.


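Added example (not from the original thread and not the poster's final configuration): the crypto section of Cisco A rewritten along the lines of the fix above, with a separately named crypto map per WAN interface. The ISAKMP policy, transform set, crypto ACLs 100/101 and the interface ACLs are taken from the posted config; the map names CRYPTO_FA4 and CRYPTO_VLAN2 and the pre-shared key placeholder PSK_REDACTED are assumptions. One detail of the posted config is worth noting: ACL 100 and ACL 101 are identical, so in the single map CRYPTO_POLICY both entries select the same traffic, and since overlapping entries of one map are evaluated in sequence order, entry 1 with peer 172.20.1.50 takes precedence whichever interface the map is applied to. That is consistent with the "phase 2 SA policy not acceptable! (local 172.20.2.60 remote 172.20.2.50)" line in the debug. A separate map per interface leaves each interface with exactly one entry and one peer.

```cisco
! Added example: Cisco A crypto section with one crypto map per WAN interface.
! Not the poster's final config. Map names CRYPTO_FA4 / CRYPTO_VLAN2 and the
! PSK placeholder PSK_REDACTED are assumptions; everything else is as posted.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PSK_REDACTED address 172.20.1.50
crypto isakmp key PSK_REDACTED address 172.20.2.50
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Map for the 172.20.1.0/24 path: bound only to FastEthernet4, one peer
crypto map CRYPTO_FA4 1 ipsec-isakmp
 set peer 172.20.1.50
 set ip access-group 170 in
 set transform-set ESP-3DES-SHA
 match address 100
 qos pre-classify
!
! Map for the 172.20.2.0/24 path: bound only to Vlan2, one peer
crypto map CRYPTO_VLAN2 1 ipsec-isakmp
 set peer 172.20.2.50
 set ip access-group 170 in
 set transform-set ESP-3DES-SHA
 match address 101
 qos pre-classify
!
interface FastEthernet4
 ip address 172.20.1.60 255.255.255.0
 ip access-group 160 in
 crypto map CRYPTO_FA4
!
interface Vlan2
 ip address 172.20.2.60 255.255.255.0
 ip access-group 160 in
 crypto map CRYPTO_VLAN2
!
! Crypto ACLs as posted: the same LAN pair is protected over either path,
! but now each ACL is referenced from only one map
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! Selecting the 172.20.2.x path only changes the default route
ip route 0.0.0.0 0.0.0.0 172.20.2.50
```

On Cisco B the same layout applies with peers 172.20.1.60 and 172.20.2.60 and the crypto ACLs reversed (192.168.50.0/24 to 192.168.1.0/24). To apply it, remove the old binding on each interface first (`no crypto map CRYPTO_POLICY`, then the new name), then `clear crypto isakmp` and `clear crypto sa` so the peers renegotiate. Check with `show crypto map interface Vlan2` (exactly one entry with one peer), `show crypto isakmp sa` (state QM_IDLE with 172.20.2.50) and `show crypto ipsec sa peer 172.20.2.50` (encaps and decaps counters both increasing while pinging across the tunnel). The cipher suite is left as posted; 3DES, SHA-1 and DH group 2 are legacy choices, and a new deployment should use AES, SHA-2 and a larger DH group.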