I'm trying to sort out a problem but can't solve it on my own. I need to bring up a VPN between a D-Link and a Cisco! (It's done, just not quite the way I wanted.)
I followed this guide: http://www.dlink.ru/technical/faq_vpn_4.php
I managed to bring the tunnel up, but the internal subnets still can't see each other.
Pay special attention to the fact that the connection on the D-Link DI-804HV side goes through L2TP (if you use the configuration below with a different connection type such as PPPoE, everything works). I stress this because I have a feeling that this is exactly where the problem is.
Config from the Cisco:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******* address 93.81.254.191 no-xauth
!
!
crypto ipsec transform-set temp esp-3des esp-md5-hmac
!
crypto map vpn 1 ipsec-isakmp
 set peer 93.81.254.191
 set security-association lifetime seconds 900
 set transform-set temp
 set pfs group2
 match address 100
!
!
!
!
interface FastEthernet0/0
 description local
 ip address 192.168.10.10 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description vpn
 ip address 212.248.90.52 255.255.255.248
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn
!
ip route 0.0.0.0 0.0.0.0 212.248.90.49
!
ip access-list extended 100
 permit ip 192.168.0.0 0.0.15.255 192.168.200.64 0.0.0.15
VPN#sh crypto isakmp sa
dst src state conn-id slot status
93.81.254.191 212.248.90.52 QM_IDLE 3 0 ACTIVE
VPN#sh crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: vpn, local addr 212.248.90.52
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.64/255.255.255.240/0/0)
current_peer 93.81.254.191 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 460, #pkts encrypt: 460, #pkts digest: 460
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 212.248.90.52, remote crypto endpt.: 93.81.254.191
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x71000010(1895825424)
inbound esp sas:
spi: 0x462FA82E(1177528366)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: FPGA:1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4477780/83)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x71000010(1895825424)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: FPGA:4, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4477763/83)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
VPN#sh crypto se
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 93.81.254.191 port 500
IKE SA: local 212.248.90.52/500 remote 93.81.254.191/500 Active
IPSEC FLOW: permit ip 192.168.0.0/255.255.240.0 192.168.200.64/255.255.255.240
Active SAs: 2, origin: crypto map
And here are the logs from the D-Link:
WAN Type: L2TP (V1.44)
Display time: Friday November 24, 2006 21:50:20
Friday November 24, 2006 21:50:12 Receive IKE M1(INIT) : 212.248.90.52 --> 93.81.254.191
Friday November 24, 2006 21:50:12 Try to match with ENC:3DES AUTH:PSK HASH:MD5 Group:Group2
Friday November 24, 2006 21:50:12 Send IKE M2(RESP) : 93.81.254.191 --> 212.248.90.52
Friday November 24, 2006 21:50:12 Receive IKE M3(KEYINIT) : 212.248.90.52 --> 93.81.254.191
Friday November 24, 2006 21:50:12 Send IKE M4(KEYRESP) : 93.81.254.191 --> 212.248.90.52
Friday November 24, 2006 21:50:13 Receive IKE M5(IDINIT) : 212.248.90.52 --> 93.81.254.191
Friday November 24, 2006 21:50:13 Send IKE M6(IDRESP) : 93.81.254.191 --> 212.248.90.52
Friday November 24, 2006 21:50:13 IKE Phase1 (ISAKMP SA) established : 93.81.254.191 <-> 212.248.90.52
Friday November 24, 2006 21:50:13 Receive IKE Q1(QINIT) : [212.248.90.52]-->[93.81.254.191]
Friday November 24, 2006 21:50:13 Requested routing is [192.168.0.0|212.248.90.52]<->[93.81.254.191|192.168.200.64]
Friday November 24, 2006 21:50:13 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-3DES AUTH:MD5 HASH:Others PFS(Group):Group2
Friday November 24, 2006 21:50:13 Send IKE Q2(QRESP) : 192.168.200.64 --> 192.168.0.0
Friday November 24, 2006 21:50:13 Receive IKE Q3(QHASH) : [192.168.0.0|212.248.90.52]-->[93.81.254.191|192.168.200.64]
Friday November 24, 2006 21:50:13 IKE Phase2 (IPSEC SA) established : [192.168.0.0|212.248.90.52]<->[93.81.254.191|192.168.200.64]
Friday November 24, 2006 21:50:13 inbound SPI = 0x75000010, outbound SPI = 0x594b783
Friday November 24, 2006 21:50:16 Send IKE (INFO) : delete [192.168.200.64|93.81.254.191]-->[212.248.90.52|192.168.0.0] phase 2
Friday November 24, 2006 21:50:16 IKE phase2 (IPSec SA) remove : 192.168.200.64 <-> 192.168.0.0
Friday November 24, 2006 21:50:16 inbound SPI = 0x75000010, outbound SPI = 0x594b783
Friday November 24, 2006 21:50:16 Send IKE (INFO) : delete 93.81.254.191 -> 212.248.90.52 phase 1
Friday November 24, 2006 21:50:16 IKE phase1 (ISAKMP SA) remove : 93.81.254.191 <-> 212.248.90.52
Friday November 24, 2006 21:50:17 IKE phase1 (ISAKMP SA) remove : 93.81.254.191 <-> 212.248.90.52
Friday November 24, 2006 21:50:19 Send IKE M1(INIT) : 93.81.254.191 --> 212.248.90.52
Friday November 24, 2006 21:50:19 Receive IKE M2(RESP) : 212.248.90.52 --> 93.81.254.191
Friday November 24, 2006 21:50:19 Try to match with ENC:3DES AUTH:PSK HASH:MD5 Group:Group2
Friday November 24, 2006 21:50:19 Send IKE M3(KEYINIT) : 93.81.254.191 --> 212.248.90.52
Friday November 24, 2006 21:50:19 Receive IKE M4(KEYRESP) : 212.248.90.52 --> 93.81.254.191
Friday November 24, 2006 21:50:20 Send IKE M5(IDINIT) : 93.81.254.191 --> 212.248.90.52
Friday November 24, 2006 21:50:20 Receive IKE M6(IDRESP) : 212.248.90.52 --> 93.81.254.191
Friday November 24, 2006 21:50:20 IKE Phase1 (ISAKMP SA) established : 212.248.90.52 <-> 93.81.254.191
Friday November 24, 2006 21:50:20 Send IKE Q1(QINIT) : 192.168.200.64 --> 192.168.0.0
Friday November 24, 2006 21:50:20 Receive IKE Q2(QRESP) : [192.168.0.0|212.248.90.52]-->[93.81.254.191|192.168.200.64]
Friday November 24, 2006 21:50:20 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-3DES AUTH:MD5 HASH:Others PFS(Group):Group2
Friday November 24, 2006 21:50:20 Send IKE Q3(QHASH) : 192.168.200.64 --> 192.168.0.0
Friday November 24, 2006 21:50:20 IKE Phase2 (IPSEC SA) established : [192.168.0.0|212.248.90.52]<->[93.81.254.191|192.168.200.64]
Friday November 24, 2006 21:50:20 inbound SPI = 0x77000010, outbound SPI = 0x9980b506
So it turns out both VPN phases complete, but then it's unclear where the traffic goes?
I need help!
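
Added example, not part of the original post: a Python check that parses `show crypto ipsec sa` output per protected flow and flags a flow whose encaps counter is non-zero while decaps stays at zero, which is what the Cisco output above shows (460 encapsulated, 0 decapsulated). The sample text is abridged from that output; the function names are illustrative.

```python
import re

# Abridged from the "sh crypto ipsec sa" output quoted in the post above.
SAMPLE = """\
Crypto map tag: vpn, local addr 212.248.90.52
local ident (addr/mask/prot/port): (192.168.0.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.64/255.255.255.240/0/0)
current_peer 93.81.254.191 port 500
#pkts encaps: 460, #pkts encrypt: 460, #pkts digest: 460
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 6, #recv errors 0
"""

IDENT = re.compile(r"(local|remote)\s+ident .*?:\s*\(([\d.]+)/([\d.]+)/")
COUNTER = re.compile(r"#(?:pkts )?(encaps|decaps|send errors|recv errors):?\s+(\d+)")

def parse_flows(text):
    """Split the output into one dict per protected flow (local/remote ident pair)."""
    flows, cur = [], None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local":      # a "local ident" line starts a new flow
                cur = {"peer": None}
                flows.append(cur)
            if cur is not None:
                cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        if cur is None:
            continue
        m = re.search(r"current_peer:?\s+([\d.]+)", line)
        if m:
            cur["peer"] = m.group(1)
        for name, value in COUNTER.findall(line):
            cur[name] = int(value)
    return flows

def verdict(flow):
    """Classify a flow by comparing the encapsulated and decapsulated packet counts."""
    enc, dec = flow.get("encaps", 0), flow.get("decaps", 0)
    if enc and not dec:
        return "one-way: sending ESP, nothing decapsulated from peer"
    if dec and not enc:
        return "one-way: receiving ESP, nothing encapsulated toward peer"
    return "idle" if not enc else "bidirectional"

if __name__ == "__main__":
    for f in parse_flows(SAMPLE):
        print(f["local"], "<->", f["remote"], "via", f["peer"], "=>", verdict(f))
```

Running the same check on both gateways shows in which direction ESP packets stop arriving.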