Cisco - Cisco - ipsec vpn - ISA
Aleksey Potapov (posts: 526):
Good day.
I have a task: set up an IPsec VPN tunnel between two offices. The main office has ISA Server 2006 on Windows Server 2003 R2; the branch office has a Cisco 871.

Config from the Cisco:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname emwhgt01
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable password service
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone Moscow 3
clock summer-time Moscow date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1042110583
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1042110583
 revocation-check none
 rsakeypair TP-self-signed-1042110583
!
!
crypto pki certificate chain TP-self-signed-1042110583
 certificate self-signed 01 nvram:IOS-Self-Sig#11.cer
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 171.10.2.1 171.10.2.10
ip dhcp excluded-address 171.10.2.231 171.10.2.254
!
ip dhcp pool branch
 import all
 network 171.10.2.0 255.255.255.0
 domain-name emviko.ru
 dns-server 171.10.2.251 171.10.1.251
 default-router 171.10.2.254
 lease 8
!
!
ip cef
ip domain name emviko.ru
ip name-server 192.168.104.98
ip name-server 171.10.2.251
ip name-server 171.10.1.251
ntp server 82.98.86.179 prefer source Vlan1
!
!
!
!
username root privilege 15 password 0 service
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 12345 address office ip
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-MD5-SHA esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel tooffice
 set peer office ip
 set security-association lifetime kilobytes 10000
 set security-association idle-time 3600
 set transform-set ESP-MD5-SHA
 match address 102
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address branch ip 255.255.255.0
 ip virtual-reassembly
 speed auto
 half-duplex
 crypto map SDM_CMAP_1
!
interface Vlan1
 ip address 192.168.104.254 255.255.255.0
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 branch gate
ip route 171.10.1.0 255.255.255.0 vlan1
ip http server
ip http secure-server
!
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.104.0 0.0.0.255 171.10.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.104.0 0.0.0.255 171.10.1.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.104.0 0.0.0.255 171.10.1.0 0.0.0.255
access-list 110 remark SDM_ACL Category=18
access-list 110 remark IPSec Rule
access-list 110 deny ip 192.168.104.0 0.0.0.255 171.10.1.0 0.0.0.255
access-list 110 deny ip 192.168.104.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
 match ip address 110
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password sservice
 transport input telnet ssh
!
scheduler max-task-time 5000
end

sh ver from the Cisco:

emwhgt01#sh ver
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Sat 20-Jun-09 02:20 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

emwhgt01 uptime is 2 days, 19 hours, 9 minutes
System returned to ROM by reload at 16:32:13 Moscow Fri Oct 9 2009
System image file is "flash:c870-advsecurityk9-mz.124-24.t1.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

Cisco 871 (MPC8272) processor (revision 0x300) with 118784K/12288K bytes of memory.
Processor board ID FCZ122910CA
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
5 FastEthernet interfaces
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

Settings from ISA Server:

Local Tunnel Endpoint: Office IP
Remote Tunnel Endpoint: Branch IP
To allow HTTP proxy or NAT traffic to the remote site, the remote site configuration must contain the local site tunnel end-point IP address.

IKE Phase I Parameters:
 Mode: Main mode
 Encryption: 3DES
 Integrity: MD5
 Diffie-Hellman group: Group 2 (1024 bit)
 Authentication Method: Pre-shared secret (12345)
 Security Association Lifetime: 28800 seconds

IKE Phase II Parameters:
 Mode: ESP tunnel mode
 Encryption: 3DES
 Integrity: MD5
 Perfect Forward Secrecy: OFF
 Diffie-Hellman group: Group 2 (1024 bit)
 Time Rekeying: ON
 Security Association Lifetime: 3600 seconds
 Kbyte Rekeying: ON
 Rekey After Sending: 100000 Kbytes

Remote Network 'EMWH' IP Subnets:
 Subnet: 192.168.104.0/255.255.255.0
Local Network 'Internal' IP Subnets:
 Subnet: 171.10.1.0/255.255.255.0

Logs from the Cisco:

*Oct 12 08:50:44.147: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (N) NEW SA
*Oct 12 08:50:44.147: ISAKMP: Created a peer struct for office ip, peer port 500
*Oct 12 08:50:44.147: ISAKMP: New peer created peer = 0x8440DA30 peer_handle = 0x80000008
*Oct 12 08:50:44.147: ISAKMP: Locking peer struct 0x8440DA30, refcount 1 for crypto_isakmp_process_block
*Oct 12 08:50:44.147: ISAKMP: local port 500, remote port 500
*Oct 12 08:50:44.147: ISAKMP:(0):insert sa successfully sa = 84630040
*Oct 12 08:50:44.147: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 12 08:50:44.147: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 12 08:50:44.147: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 12 08:50:44.147: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.147: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 12 08:50:44.147: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 12 08:50:44.147: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.147: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 12 08:50:44.147: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.147: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 12 08:50:44.151: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 12 08:50:44.151: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.151: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 12 08:50:44.151: ISAKMP:(0):found peer pre-shared key matching office ip
*Oct 12 08:50:44.151: ISAKMP:(0): local preshared key found
*Oct 12 08:50:44.151: ISAKMP : Scanning profiles for xauth ...
*Oct 12 08:50:44.151: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 12 08:50:44.151: ISAKMP:      encryption 3DES-CBC
*Oct 12 08:50:44.151: ISAKMP:      hash MD5
*Oct 12 08:50:44.151: ISAKMP:      default group 2
*Oct 12 08:50:44.151: ISAKMP:      auth pre-share
*Oct 12 08:50:44.151: ISAKMP:      life type in seconds
*Oct 12 08:50:44.151: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 12 08:50:44.151: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 12 08:50:44.151: ISAKMP:(0):Acceptable atts:actual life: 0
*Oct 12 08:50:44.151: ISAKMP:(0):Acceptable atts:life: 0
*Oct 12 08:50:44.151: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 12 08:50:44.151: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Oct 12 08:50:44.151: ISAKMP:(0):Returning Actual lifetime: 28800
*Oct 12 08:50:44.151: ISAKMP:(0)::Started lifetime timer: 28800.
*Oct 12 08:50:44.151: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.151: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 12 08:50:44.151: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 12 08:50:44.151: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.151: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 12 08:50:44.151: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.151: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 12 08:50:44.151: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 12 08:50:44.155: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.155: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 12 08:50:44.155: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 12 08:50:44.155: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 12 08:50:44.155: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 12 08:50:44.155: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:50:44.155: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 12 08:50:44.155: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 12 08:50:44.155: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Oct 12 08:50:45.239: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 12 08:50:45.239: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:50:45.239: ISAKMP:(0): retransmitting due to retransmit phase 1
*Oct 12 08:50:45.739: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Oct 12 08:50:45.739: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 12 08:50:45.739: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Oct 12 08:50:45.739: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:50:45.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 12 08:50:47.227: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 12 08:50:47.227: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:50:47.227: ISAKMP:(0): retransmitting due to retransmit phase 1
*Oct 12 08:50:47.727: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Oct 12 08:50:47.727: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct 12 08:50:47.727: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Oct 12 08:50:47.727: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:50:47.727: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 12 08:50:51.227: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 12 08:50:51.227: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:50:51.227: ISAKMP:(0): retransmitting due to retransmit phase 1
*Oct 12 08:50:51.727: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Oct 12 08:50:51.727: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Oct 12 08:50:51.727: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Oct 12 08:50:51.727: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:50:51.727: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 12 08:50:59.231: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 12 08:50:59.231: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:50:59.231: ISAKMP:(0): retransmitting due to retransmit phase 1
*Oct 12 08:50:59.731: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Oct 12 08:50:59.731: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 12 08:50:59.731: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Oct 12 08:50:59.731: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:50:59.731: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 12 08:51:09.731: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Oct 12 08:51:09.731: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Oct 12 08:51:09.731: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Oct 12 08:51:09.731: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:51:09.731: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 12 08:51:15.235: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 12 08:51:15.235: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:51:15.235: ISAKMP:(0): retransmitting due to retransmit phase 1
*Oct 12 08:51:15.735: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Oct 12 08:51:15.735: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 12 08:51:15.735: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer office ip)
*Oct 12 08:51:15.735: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer office ip)
*Oct 12 08:51:15.735: ISAKMP: Unlocking peer struct 0x8440DA30 for isadb_mark_sa_deleted(), count 0
*Oct 12 08:51:15.735: ISAKMP: Deleting peer node by peer_reap for office ip: 8440DA30
*Oct 12 08:51:15.735: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 12 08:51:15.735: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
*Oct 12 08:51:15.735: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Posted: 12:39, 12-10-2009
Aleksey Potapov (posts: 526):
Forgot to add: when I turn routing off (no ip routing), tunnel establishment gets as far as phase 2.
But phase 2 doesn't go through: it reports a mismatch.

Posted: 14:40, 12-10-2009 | #2
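Added example, not code from the thread: a small parser for the `debug crypto isakmp` output posted above that follows the ISAKMP state transitions and retransmit counters and prints where phase 1 stalls, so the routing/return-path symptom can be told apart from a proposal or pre-shared-key problem. SAMPLE_DEBUG is a trimmed subset of the first post's log with the peer address left masked as "office ip".

```python
"""Added example, not code from the thread: summarise an IOS `debug crypto isakmp`
capture and say where IKE phase 1 stalls. SAMPLE_DEBUG is a trimmed subset of the
branch router's debug output from the first post; the peer address stays masked
as "office ip" exactly as the poster wrote it."""
import re

# Each regex is anchored on text IOS actually prints, so unrelated lines are ignored.
_PATTERNS = {
    "new_sa": re.compile(r"received packet from (?P<peer>.+?) dport \d+ sport \d+ Global \(N\) NEW SA"),
    "state": re.compile(r"Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)"),
    "sent": re.compile(r"sending packet to .+? \((?P<role>[IR])\) (?P<exch>\S+)"),
    "duplicate": re.compile(r"phase 1 packet is a duplicate of a previous packet"),
    "retry": re.compile(r"incrementing error counter on sa, attempt (?P<n>\d+) of (?P<max>\d+)"),
    "death": re.compile(r'deleting SA reason "(?P<reason>[^"]+)"'),
    "psk": re.compile(r"found peer pre-shared key matching"),
    "atts_ok": re.compile(r"atts are acceptable"),
}

SAMPLE_DEBUG = """\
*Oct 12 08:50:44.147: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (N) NEW SA
*Oct 12 08:50:44.147: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 12 08:50:44.151: ISAKMP:(0):found peer pre-shared key matching office ip
*Oct 12 08:50:44.151: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 12 08:50:44.155: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:50:44.155: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Oct 12 08:50:45.239: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:50:45.739: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 12 08:50:47.727: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct 12 08:50:51.727: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Oct 12 08:50:59.731: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 12 08:51:09.731: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Oct 12 08:51:15.735: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer office ip)
*Oct 12 08:51:15.735: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
"""


def analyze(lines):
    """Walk the debug lines in order and return counters plus a one-line verdict."""
    s = {"peer": None, "role": None, "psk_found": False, "proposal_accepted": False,
         "states": [], "last_sent": None, "duplicates": 0,
         "retransmit_attempts": 0, "retransmit_max": 0, "deleted_reason": None}
    for line in lines:
        for name, rx in _PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "new_sa":
                s["peer"] = m.group("peer")
            elif name == "state":
                s["states"].append(m.group("new"))
            elif name == "sent":        # (R)/(I) says whether this router is responder or initiator
                s["role"], s["last_sent"] = m.group("role"), m.group("exch")
            elif name == "duplicate":   # the peer re-sent a message we had already answered
                s["duplicates"] += 1
            elif name == "retry":
                s["retransmit_attempts"] = max(s["retransmit_attempts"], int(m.group("n")))
                s["retransmit_max"] = int(m.group("max"))
            elif name == "death":
                s["deleted_reason"] = m.group("reason")
            elif name == "psk":
                s["psk_found"] = True
            elif name == "atts_ok":
                s["proposal_accepted"] = True
    s["verdict"] = verdict(s)
    return s


def verdict(s):
    """Turn the counters into the conclusion a reviewer would write on the thread."""
    if not s["psk_found"]:
        return "no pre-shared key matched the peer address: phase 1 cannot start"
    if not s["proposal_accepted"]:
        return "peer's phase 1 proposal was rejected: compare encryption, hash, DH group, lifetime"
    if s["deleted_reason"] and "retransmission P1" in s["deleted_reason"]:
        if s["role"] == "R" and s["last_sent"] == "MM_SA_SETUP" and s["duplicates"]:
            return ("phase 1 stalled after we answered MM1: the peer kept resending its first "
                    "message and never acted on our MM_SA_SETUP reply, so the reply is not "
                    "reaching it; check the return path (routing, ACLs, UDP/500 filtering) "
                    "before touching the crypto proposals, which this side already accepted")
        return "phase 1 died by retransmission with no reply from the peer"
    last = s["states"][-1] if s["states"] else "unknown"
    return "no phase 1 failure in this capture (last state %s)" % last


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DEBUG.splitlines()).items():
        print("%-20s %s" % (key, value))
```

Feed it the full debug output instead of SAMPLE_DEBUG and the duplicate counter rises to five, one per resent MM1, which is the same picture.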
kim-aa (Назгул, posts: 2633):
Quote (Aleksey Potapov):
office ip = DNS name, or office ip = IP?

Posted: 20:18, 12-10-2009 | #3
Aleksey Potapov (posts: 526):
Office ip = ip

Posted: 23:11, 12-10-2009 | #4
kim-aa (Назгул, posts: 2633):
1) Please post the results of:
Cisco: sh int
Win: ipconfig /all
2) For the ISA: ROUTE PRINT
3) Quote (Aleksey Potapov):
Judging by the description of Vlan1, it is an internal logical interface. Why are you steering traffic to it (apparently this is traffic to the main office's internal network)? After all, your crypto map is attached to the external interface.
Quote (Aleksey Potapov):

Posted: 09:51, 13-10-2009 | #5
Aleksey Potapov (posts: 526):
1)

emwhgt01#sh int
FastEthernet0 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0022.557e.fd4f (bia 0022.557e.fd4f)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 3d17h, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     44194 packets input, 9732508 bytes, 0 no buffer
     Received 24244 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     173201 packets output, 13605475 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet1 is up, line protocol is down
  Hardware is Fast Ethernet, address is 0022.557e.fd50 (bia 0022.557e.fd50)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet2 is up, line protocol is down
  Hardware is Fast Ethernet, address is 0022.557e.fd51 (bia 0022.557e.fd51)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet3 is up, line protocol is down
  Hardware is Fast Ethernet, address is 0022.557e.fd52 (bia 0022.557e.fd52)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet4 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0022.557e.fd59 (bia 0022.557e.fd59)
  Internet address is branch external ip/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:03, output 00:00:35, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     20449 packets input, 1725347 bytes
     Received 15227 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     7759 packets output, 2154843 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     2018 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
NVI0 is up, line protocol is up
  Hardware is NVI
  Interface is unnumbered. Using address of FastEthernet4 (branch external ip)
  MTU 1514 bytes, BW 56 Kbit/sec, DLY 5000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation UNKNOWN, loopback not set
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0022.557e.fd4f (bia 0022.557e.fd4f)
  Internet address is 192.168.104.254/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     44170 packets input, 9558788 bytes, 0 no buffer
     Received 24286 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     7124 packets output, 1227226 bytes, 0 underruns
     0 output errors, 1 interface resets
     835 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

ipconfig /all from a client in the branch:

C:\Users\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : EMWHHV01
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter EMWH(NIC2):

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection with I/O Acceleration #2
   Physical Address. . . . . . . . . : 00-15-17-11-79-C9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter EMWH(NIC1):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection with I/O Acceleration
   Physical Address. . . . . . . . . : 00-15-17-11-79-C8
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.104.97(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.104.254
   DNS Servers . . . . . . . . . . . : 192.168.104.98
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{36B5AB38-88A2-4A48-BFC5-3339FE9BF16}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{975EF10D-826A-430B-A59C-55D44578C73}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:d5c7:a2d6:2874:3bbf:3f57:979e(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2874:3bbf:3f57:979e%15(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

2)

Y:\>route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 30 48 d4 d5 3b ...... Intel(R) PRO/1000 PL Network Connection - TM Miniport
0x3 ...00 30 48 d4 d5 3a ...... Intel(R) PRO/1000 PM Network Connection - TM Miniport
0x10004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        office ip       office ip      10
     81.211.xx.xx    255.255.xx.xx        office ip       office ip      10
        office ip  255.255.255.255        127.0.0.1       127.0.0.1      10
   81.255.255.255  255.255.255.255        office ip       office ip      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        128.0.0.1  255.255.255.255        127.0.0.1       127.0.0.1      50
        128.0.0.3  255.255.255.255        128.0.0.1       128.0.0.1       1
       171.10.1.0    255.255.255.0     171.10.1.254    171.10.1.254      20
     171.10.1.254  255.255.255.255        127.0.0.1       127.0.0.1      20
   171.10.255.255  255.255.255.255     171.10.1.254    171.10.1.254      20
        224.0.0.0        240.0.0.0        office ip       office ip      10
        224.0.0.0        240.0.0.0     171.10.1.254    171.10.1.254      20
  255.255.255.255  255.255.255.255        office ip       office ip       1
  255.255.255.255  255.255.255.255     171.10.1.254    171.10.1.254       1
Default Gateway:       ISP gateway
===========================================================================
Persistent Routes:
  None

3) The task is to send all traffic into the tunnel. I don't deny that I made a mistake. Set me on the right path.

Posted: 10:13, 13-10-2009 | #6
kim-aa (Назгул, posts: 2633):
1) Please post from the Cisco:
show ip interface brief
2) Since you hide the external addresses in the output, answer this question: are the external interfaces on the Cisco and on the ISA definitely using real IPs, and are the IPsec packets definitely not subjected to NAT further along the path? It's just that your Cisco policy contains this line:
Quote (Aleksey Potapov):
The esp-md5-hmac combination means both encryption of the payload (the transported content) in ESP and, on top of that, signing of the headers. Naturally, under NAT the check will not pass.
2) I'm no ISA specialist. As for the Cisco, I'll go through the settings a little later (busy right now), so that you understand the essence of the process and the operators involved in Cisco IOS.

Posted: 14:27, 13-10-2009 | #7
Aleksey Potapov (posts: 526):
2. Yes, those are real external IP addresses. That is, there is no NAT between the hosts.

Posted: 14:29, 13-10-2009 | #8
kim-aa (Назгул, posts: 2633):
3) Syntax of the crypto ipsec transform-set command:
http://www.cisco.com/en/US/docs/ios/...html#wp1057372
During setup, encryption is often switched off entirely. That would look like this:

crypto ipsec transform-set ESP-NULL esp-null
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel tooffice
 set peer office ip
 set security-association lifetime kilobytes 10000
 set security-association idle-time 3600
 set transform-set ESP-NULL
 match address 102

2) Try leaving just 3DES:

crypto ipsec transform-set ESP-3DES esp-3des
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel tooffice
 set peer office ip
 set security-association lifetime kilobytes 10000
 set security-association idle-time 3600
 set transform-set ESP-3DES
 match address 102

Posted: 14:37, 13-10-2009 | #9
Aleksey Potapov (posts: 526):
kim-aa, the thing is, encryption can't be switched off on the ISA server.

Posted: 14:43, 13-10-2009 | #10