Hello!!! I have two Cisco ASA devices, one at the main site and the other at a remote site (branch office). I need to configure an IPsec VPN tunnel in transport mode.
The current non-working configurations:

ASA main
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
nameif remote
security-level 0
ip address 192.168.109.2 255.255.255.252
access-list remote_to_main extended permit ip 192.168.0.0 255.255.255.0 192.168.18.0 255.255.255.0
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto ipsec transform-set set mode transport
crypto map remote_to_main 10 match address remote_to_main
crypto map remote_to_main 10 set pfs
crypto map remote_to_main 10 set peer 192.168.109.6
crypto map remote_to_main 10 set transform-set set
crypto map remote_to_main interface remote
crypto isakmp enable remote
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.168.109.6 type ipsec-l2l
tunnel-group 192.168.109.6 ipsec-attributes
pre-shared-key *

ASA2
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.18.1 255.255.255.0
interface Ethernet0/1
nameif main
security-level 0
ip address 192.168.109.6 255.255.255.252
access-list main_to_remote extended permit ip 192.168.18.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto ipsec transform-set set mode transport
crypto map main_to_remote 10 match address main_to_remote
crypto map main_to_remote 10 set pfs
crypto map main_to_remote 10 set peer 192.168.109.2
crypto map main_to_remote 10 set transform-set set
crypto map main_to_remote interface main
crypto isakmp enable main
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.168.109.2 type ipsec-l2l
tunnel-group 192.168.109.2 ipsec-attributes
pre-shared-key *

sh isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.109.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
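
An added example, not part of the original post: a small Python check over the IPsec-relevant lines of the "ASA main" config above. It flags a crypto map that selects a transport-mode transform-set while its ACL matches subnets behind the gateways rather than the peers' own addresses (the case for which RFC 4301 requires tunnel mode), and it lists the legacy 3DES, MD5 and DH group 2 choices. The helper name `audit` and the finding strings are hypothetical, and only the `network mask` ACL form used in the post is parsed.

```python
import re

# Constructed sample: the IPsec-relevant lines of the "ASA main" config in the post.
ASA_MAIN = """\
interface Ethernet0/1
 ip address 192.168.109.2 255.255.255.252
access-list remote_to_main extended permit ip 192.168.0.0 255.255.255.0 192.168.18.0 255.255.255.0
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto ipsec transform-set set mode transport
crypto map remote_to_main 10 match address remote_to_main
crypto map remote_to_main 10 set peer 192.168.109.6
crypto map remote_to_main 10 set transform-set set
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
"""
HOST = "255.255.255.255"
WEAK = {"esp-3des", "esp-md5-hmac", "encryption 3des", "hash md5", "group 2"}  # legacy choices

def audit(cfg):
    """Hypothetical helper: return sorted findings for one ASA config text."""
    local = set(re.findall(r"^\s*ip address (\S+) \S+", cfg, re.M))
    transport = set(re.findall(r"^crypto ipsec transform-set (\S+) mode transport", cfg, re.M))
    acls, entries, findings = {}, {}, set()
    for m in re.finditer(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        acls.setdefault(m[1], []).append(m.groups()[1:])
    for m in re.finditer(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", cfg, re.M):
        entries.setdefault((m[1], m[2]), {})[m[3]] = m[4]
    for (name, seq), e in entries.items():
        if e.get("set transform-set") not in transport:
            continue
        # RFC 4301: transport mode protects traffic between the two SA endpoints;
        # selectors for networks behind a gateway (transit traffic) need tunnel mode.
        for src, smask, dst, dmask in acls.get(e.get("match address"), []):
            if not (src in local and dst == e.get("set peer") and smask == dmask == HOST):
                findings.add(f"{name} {seq}: transport mode with transit selectors {src} -> {dst}")
    for line in cfg.splitlines():
        if line.strip() in WEAK:
            findings.add(f"legacy IKE setting: {line.strip()}")
        elif line.startswith("crypto ipsec transform-set"):
            findings.update(f"legacy ESP transform: {t}" for t in line.split() if t in WEAK)
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(ASA_MAIN)))
```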