>I prefer to look at the VPN with sh cry se [remote peer]
>show crypto ipsec sa interface on active sessions dumps several pages of
>junk that is no more informative than sh cry se.
)) CISCO831#show crypto session
Crypto session current status
Interface: Tunnel1
Session status: DOWN
Peer: 122.122.122.122/500
IPSEC FLOW: permit 47 host 192.168.0.1 host 192.168.1.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit 47 host 192.168.0.1 host 192.168.1.1
Active SAs: 0, origin: crypto map
CISCO831#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Interface is unnumbered. Using address of Ethernet1 (154.154.154.154)
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 154.154.154.154 (Ethernet1), destination 122.122.122.122
Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
Tunnel TTL 255
Checksumming of packets enabled, fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:02, output 00:05:20, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
3537380 packets input, 1135348181 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3892213 packets output, 744086129 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
CISCO831#ping 192.168.1.100 (this is the internal IP of the server in Europe; the ping is from Almaty)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/175/180 ms
So it all seems to work, but sh cry se shows DOWN. Any thoughts???
Here is the config; the two are identical (almost, you understand).
CISCO831#show configuration
Using 4912 out of 131072 bytes
!
! Last configuration change at 19:59:45 GMT Wed Jan 21 2009 by fet
! NVRAM config last updated at 19:59:54 GMT Wed Jan 21 2009 by fet
!
version 12.3
no service pad
service tcp-keepalives-in
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CISCO831
!
boot-start-marker
boot-end-marker
!
no logging console
!
clock timezone GMT 6
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.0.100 192.168.0.254
!
ip dhcp pool DHCP-LAN
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 212.19.149.226 212.19.149.227
lease 14
!
!
ip domain name CISCO831.kz
ip name-server 212.19.149.226
ip name-server 212.19.149.227
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall ftp
ip inspect name firewall realaudio
ip inspect name firewall smtp
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall tftp
ip inspect name firewall rcmd
ip inspect name firewall http
ip ips po max-events 100
ip ssh version 2
no ftp-server write-enable
password encryption aes
!
!
!
!
class-map match-any www
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key 6 xxxxx address 122.122.122.122
!
!
crypto ipsec transform-set xxxxx-yyyyy esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer 122.122.122.122
set transform-set xxxxx-yyyyy
match address 111
!
!
!
interface Tunnel1
ip unnumbered Ethernet1
tunnel source Ethernet1
tunnel destination 122.122.122.122
tunnel checksum
crypto map myvpn
!
interface Null0
no ip unreachables
!
interface Ethernet0
description ***LAN Interface***
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 32 in
!
interface Ethernet1
description *** WAN Interface ***
ip address 154.154.154.154 255.255.255.252
ip access-group incoming in
ip mask-reply
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
no ip split-horizon
duplex auto
no cdp enable
crypto map myvpn
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 154.154.154.153
ip route 192.168.1.0 255.255.255.0 Tunnel1
no ip http server
no ip http secure-server
ip nat service fullrange tcp port 511
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source route-map nonat pool DHCP-LAN overload
!
!
ip access-list extended incoming
permit tcp any any eq domain
permit udp any any eq domain
deny icmp any any redirect
permit udp any any eq ntp
permit tcp any any eq pop3 smtp www 443
permit tcp any eq domain any
permit udp any eq domain any
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any eq www pop3 smtp
permit udp any eq ntp any
permit udp host 122.122.122.122 eq isakmp host 154.154.154.154 log
permit esp host 122.122.122.122 host 154.154.154.154 log
permit gre host 122.122.122.122 host 154.154.154.154 log
permit ip host 122.122.122.122 any log
deny tcp any eq 5938 any eq 5938
deny tcp any eq 12975 any log
permit tcp any any established log
deny ip any any log
ip access-list extended ssh
deny ip any any log
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit gre host 192.168.0.1 host 192.168.1.1
no cdp run
route-map nonat permit 10
match ip address 102
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
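Added here as a worked check, not part of the original thread and not Cisco tooling. What the post shows supports one reading: `access-list 111` wants GRE between 192.168.0.1 and 192.168.1.1, but the GRE packets Tunnel1 actually emits carry the outer addresses 154.154.154.154 -> 122.122.122.122 (`tunnel source Ethernet1`, `tunnel destination 122.122.122.122`, `ip unnumbered Ethernet1`). The crypto map therefore never matches anything, no SA is built (`Active SAs: 0`), and the ping still succeeds because the inbound ACL lets plain GRE through (`permit gre host 122.122.122.122 host 154.154.154.154`). The script below parses the relevant lines of the posted config (copied into `CONFIG`, indentation added), resolves the tunnel's outer addresses, reports whether the crypto ACL can match them, prints the ACE that would, and lists the algorithms (DES, 3DES, MD5) that Cisco's own NGE guidance marks as legacy. Only `host X host Y` ACEs are parsed; `any` and wildcard masks are a deliberate simplification, and the function names are mine.

```python
"""Added check for the thread above (not from the thread or from Cisco):
does the crypto-map ACL ever match the GRE packets the tunnel emits?
Only 'host X host Y' ACEs are parsed; 'any'/wildcards are a simplification."""
import re
from typing import Dict, List, Optional

# Relevant lines copied from the poster's config above (indentation added).
CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto ipsec transform-set xxxxx-yyyyy esp-des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
 set peer 122.122.122.122
 set transform-set xxxxx-yyyyy
 match address 111
interface Tunnel1
 ip unnumbered Ethernet1
 tunnel source Ethernet1
 tunnel destination 122.122.122.122
 crypto map myvpn
interface Ethernet1
 ip address 154.154.154.154 255.255.255.252
 crypto map myvpn
access-list 111 permit gre host 192.168.0.1 host 192.168.1.1
"""

# Algorithms Cisco's NGE guidance lists as legacy or to be avoided.
LEGACY = {"des", "esp-des", "3des", "esp-3des", "md5", "esp-md5-hmac"}


def _grab(pattern: str, line: str) -> Optional[str]:
    m = re.match(pattern + r"$", line)
    return m.group(1) if m else None


def parse(config: str):
    """Collect interfaces, crypto maps and host/host ACL entries."""
    ifaces: Dict[str, dict] = {}
    cmaps: Dict[str, dict] = {}
    acls: Dict[str, List[dict]] = {}
    ctx = None  # ("if", name) or ("cm", name) while inside a block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            ctx = None
            continue
        name = _grab(r"interface (\S+)", line)
        if name:
            ifaces[name] = {"crypto_map": None}
            ctx = ("if", name)
            continue
        name = _grab(r"crypto map (\S+) \d+ ipsec-isakmp", line)
        if name:
            cmaps.setdefault(name, {})
            ctx = ("cm", name)
            continue
        m = re.match(r"access-list (\d+) (permit|deny) (\S+) host (\S+) host (\S+)$", line)
        if m:
            ctx = None
            acls.setdefault(m.group(1), []).append(
                {"action": m.group(2), "proto": m.group(3), "src": m.group(4), "dst": m.group(5)})
            continue
        if ctx and ctx[0] == "if":
            d = ifaces[ctx[1]]
            for key, pat in (("ip", r"ip address (\S+) \S+"), ("unnumbered", r"ip unnumbered (\S+)"),
                             ("tsrc", r"tunnel source (\S+)"), ("tdst", r"tunnel destination (\S+)"),
                             ("crypto_map", r"crypto map (\S+)")):
                val = _grab(pat, line)
                if val:
                    d[key] = val
        elif ctx and ctx[0] == "cm":
            d = cmaps[ctx[1]]
            for key, pat in (("peer", r"set peer (\S+)"), ("acl", r"match address (\S+)")):
                val = _grab(pat, line)
                if val:
                    d[key] = val
    return ifaces, cmaps, acls


def _resolve(ifaces: Dict[str, dict], ref: str) -> Optional[str]:
    """'tunnel source' may name an interface or give an address."""
    if re.match(r"\d+\.\d+\.\d+\.\d+$", ref):
        return ref
    return ifaces.get(ref, {}).get("ip")


def check_tunnel(config: str, tunnel: str = "Tunnel1") -> dict:
    """Compare the GRE outer header the tunnel produces with the crypto ACL."""
    ifaces, cmaps, acls = parse(config)
    t = ifaces[tunnel]
    src, dst = _resolve(ifaces, t["tsrc"]), t["tdst"]
    cm = cmaps[t["crypto_map"]]
    aces = acls.get(cm["acl"], [])
    protected = any(a["action"] == "permit" and a["proto"] in ("gre", "47")
                    and a["src"] == src and a["dst"] == dst for a in aces)
    return {"gre_src": src, "gre_dst": dst, "peer": cm.get("peer"), "protected": protected,
            "suggested_ace": f"access-list {cm['acl']} permit gre host {src} host {dst}"}


def legacy_algorithms(config: str) -> List[str]:
    """Flag ISAKMP policy and transform-set algorithms from the LEGACY set."""
    found = []
    for line in config.splitlines():
        toks = line.split()
        if toks[:3] == ["crypto", "ipsec", "transform-set"]:
            found += [t for t in toks[4:] if t in LEGACY]
        elif len(toks) == 2 and toks[0] in ("encr", "hash") and toks[1] in LEGACY:
            found.append(toks[1])
    return found


if __name__ == "__main__":
    print(check_tunnel(CONFIG))
    print("legacy algorithms:", legacy_algorithms(CONFIG))
```

Run against the posted config the check reports `protected: False` and suggests `access-list 111 permit gre host 154.154.154.154 host 122.122.122.122`; the same change is needed on the peer with the addresses mirrored. After correcting the ACL, `show crypto session` should report UP-ACTIVE for the peer and the encapsulated/decapsulated packet counters in `show crypto ipsec sa` should increase while the ping runs; until then the GRE tunnel is carrying the LAN traffic in the clear.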