[end44]

Цитата kim-aa:

Нужно понимать, что именно вы хотите сотворить: »

Думаю именно вариант с клиент-серверным соединением мне подойдет больше. Говорю это с неуверенностью, так как мне не важно как это организованно, но важно что бы работало.

Только не совсем понятно: циска будет работать за натом или все же придется поизвращаться?

[end44]

upp

[cameron]

end44,
какой конфиг вам написать?
вы не сообщили никаких данных.
в случае с джунипером
edit
commit and-quit
конфиг готов.

[end44]

local site A------Cisco (DHCP)----------Internet----------(static IP) Juniper------local site B

Local site A - 192.168.0.0/24 - локальная сеть со стороны А
Cisco 871w {IOS 12.4(9)} (dhcp) - 89.169.129.129/24 - адрес, выдаваемый провайдером по дхцп
Juniper ssg140 {screenos 6.3.0} (static IP) - 80.80.80.80/28 - статический адрес со стороны джунипера
Local site B - 192.168.1.0/24 - локальная сеть со стороны В

На джунипере: статический адрес - untrust zone, локальная сеть - trust zone (есть еще dmz, но это думаю не важно)

Железки тестовые, поэтому могу крутить как угодно. Если нужны еще какие то данные, обязательно напишу.

З.Ы. Нужен любой впн туннель, который только возможно построить с использованием этого железа.

[cameron]

http://kb.juniper.net/kb/documents/p...n_wo_IPSec.pdf
http://www.cisco.com/en/US/docs/ios/.../gtvoltun.html
https://supportforums.cisco.com/thread/212269

[end44]

Спасибо, полезные ссылки, хотя до этого я L2TP не рассматривал вообще.

Хотелось бы уточнить: на джунипере я поднимаю сервер для подключения клиентов по впн, а циску, собственно, как клиента? правильно ли я понимаю?

[cameron]

Цитата end44:

хотя до этого я L2TP не рассматривал вообще. »

интересно почему - судя по документации ваш SSG не может быть сервером PPTP.

Цитата end44:

правильно ли я понимаю? »

да

[end44]

Может, я просто не обращал на это внимание, если честно. Почему то изначально не рассматривал L2TP.

[end44]

Поднял джунипер, циска пока не дается.
Конфиг джунипера:

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg pptp enable
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "corp-cis"
set admin password "nBvsIHr2EalMceIFKsRK75HtAjCgEn"
set admin user "artem" password "nMd4GBryFfLOcD3LHsGPJRFtZDLPSn" privilege "all"
set admin user "itcher" password "nJ1eNtr8FWUAcMmGNseIh7GtSYN/En" privilege "all"
set admin http redirect
set admin mail alert
set admin mail server-name "mail.corp.ru"
set admin mail mail-addr1 "Fedosov.Artem@corp.ru"
set admin mail traffic-log
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen tcp-sweep
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 172.16.0.1/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 91.211.*.*/28
set interface ethernet0/2 route
set interface ethernet0/2 gateway 91.211.*.*
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface vlan1 manage mtrace
set interface ethernet0/2 monitor track-ip ip
unset interface ethernet0/2 monitor track-ip dynamic
set interface ethernet0/0 dhcp server service
set interface ethernet0/0 dhcp server enable
set interface ethernet0/0 dhcp server option gateway 192.168.1.1
set interface ethernet0/0 dhcp server option netmask 255.255.255.0
set interface ethernet0/0 dhcp server option dns1 91.211.*.*
set interface ethernet0/0 dhcp server option dns2 91.211.*.*
set interface ethernet0/0 dhcp server ip 192.168.1.33 to 192.168.1.126
unset interface ethernet0/0 dhcp server config next-server-ip
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 91.211.*.*
set dns host dns2 91.211.*.*
set dns host dns3 0.0.0.0
set address "Trust" "Local_LAN" 192.168.1.0 255.255.255.0
set address "DMZ" "Local_DMZ" 172.16.0.0 255.255.255.0
set ippool "IpPool" 10.10.100.10 10.10.100.20
set user "1" uid 2
set user "1" ike-id fqdn "1" share-limit 5
set user "1" type ike l2tp xauth
set user "1" password "yqqIc02lN/Of4EsevlCkWZGRaHnxj4MoaA=="
unset user "1" type auth
set user "1" "enable"
set user "4" uid 4
set user "4" ike-id u-fqdn "4" share-limit 1
set user "4" type ike l2tp xauth
set user "4" password "gUS7jDHsNVmrqksdBsCIubwpPhn9aJyofQ=="
unset user "4" type auth
set user "4" "enable"
set user "Igor" uid 7
set user "Igor" ike-id fqdn "12" share-limit 1
set user "Igor" type ike l2tp xauth
set user "Igor" password "mE17IxDyNyXUXrsaIoCJwZmtDFnftMLwJA=="
unset user "Igor" type auth
set user "Igor" "enable"
set user "cisco871w" uid 9
set user "cisco871w" ike-id fqdn "871w" share-limit 1
set user "cisco871w" type ike l2tp xauth
set user "cisco871w" password "3E61A2/FNKTK10s7QqCEr87a47ndCbF+Ug=="
unset user "cisco871w" type auth
set user "cisco871w" "enable"
set user-group "4_test" id 2
set user-group "4_test" user "4"
set user-group "4_test" user "Igor"
set user-group "Branch_office" id 4
set user-group "Branch_office" user "cisco871w"
set user-group "many_id's" id 3
set user-group "many_id's" user "1"
set crypto-policy
exit
set ike gateway "testing" dialup "4_test" Aggr outgoing-interface "ethernet0/2" preshare "hHUSznvBNhsrQesDw2CSY3LLLCnMKJKoDw==" proposal "pre-g2-3des-md5"
unset ike gateway "testing" nat-traversal udp-checksum
set ike gateway "testing" nat-traversal keepalive-frequency 8
set ike gateway "testing" xauth server "Local" user "Igor"
unset ike gateway "testing" xauth do-edipi-auth
set ike gateway "many_id's" dialup "many_id's" Aggr outgoing-interface "ethernet0/2" preshare "gYvMFjP8NYgv4HsHi3CcgqK+QMn7wC4Y9Q==" proposal "pre-g2-3des-md5"
set ike gateway "many_id's" nat-traversal udp-checksum
set ike gateway "many_id's" nat-traversal keepalive-frequency 8
set ike gateway "many_id's" xauth server "Local" user-group "many_id's"
unset ike gateway "many_id's" xauth do-edipi-auth
set ike gateway "Br_of" dialup "Branch_office" Aggr outgoing-interface "ethernet0/2" preshare "1ejM7mueNmY2tMsyO5CKOrvSIKnBqCAZKQ==" proposal "pre-g2-3des-md5"
set ike gateway "Br_of" nat-traversal udp-checksum
set ike gateway "Br_of" nat-traversal keepalive-frequency 8
set ike gateway "Br_of" xauth server "Local" user-group "Branch_office"
unset ike gateway "Br_of" xauth do-edipi-auth
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "IpPool"
set xauth default dns1 91.211.*.*
set xauth default dns2 91.211.*.*
set xauth default auth server "Local" chap
set vpn "4_test" gateway "testing" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vpn "4_test" monitor source-interface ethernet0/0
set vpn "many" gateway "many_id's" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vpn "many" monitor source-interface ethernet0/0
set vpn "Br_of_IKE" gateway "Br_of" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vpn "Br_of_IKE" monitor source-interface ethernet0/0
set l2tp default dns1 91.211.*.*
set l2tp default dns2 91.211.*.*
set l2tp default ippool "IpPool"
set l2tp default ppp-auth chap
set di service HTTP failed_logins 2
set url protocol websense
exit
set policy id 4 name "Branche offices" from "Untrust" to "Trust" "Dial-Up VPN" "Local_LAN" "ANY" tunnel vpn "Br_of_IKE" id 0x8 log count
set policy id 4
exit
set policy id 2 from "Untrust" to "Trust" "Dial-Up VPN" "Local_LAN" "ANY" tunnel vpn "4_test" id 0x6 log count
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 3 from "Untrust" to "Trust" "Dial-Up VPN" "Local_LAN" "ANY" tunnel vpn "many" id 0x9 log count
set policy id 3
exit
set log module system level error destination webtrends
set log module system level warning destination webtrends
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ssl encrypt 3des sha-1
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "0185102011000829"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Конфиг циски:


871w#sh run
Building configuration...

Current configuration : 1659 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 871w
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$QntA$ZDfD02Q6YP9lVVm9RM1uI0
enable password q1w2e3r4
!
no aaa new-model
!
resource policy
!
no ip routing
no ip cef
!
!
!
!
!
username artem privilege 15 secret 5 $1$rcWG$CG9e7oHmlh4OYDb1IxysG0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key NG=H9MKX address 91.211.*.*
!
!
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to91.211.*.*
set peer 91.211.*.*
set transform-set esp-3des-md5
match address 100
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
ip address dhcp
no ip route-cache
speed auto
full-duplex
crypto map SDM_CMAP_1
!
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
!
ip http server
no ip http secure-server
!
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
snmp-server community 871w RO
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password q1w2e3r4
login
!
scheduler max-task-time 5000
end

Туннель естественно не поднимается. Знаю что есть ошибки, укажите на них пожалуйста.