Kazam Posted May 31, 2010

Good day, ladies and gentlemen. I'd like some advice. The setup is this: two offices: 1. main (Cisco 2691) 2. remote (Cisco 2691).

1. Main office:

Building configuration...

Current configuration : 5121 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname shutdown
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***
enable password ***
!
aaa new-model
!
aaa authentication login default local none
aaa authentication ppp default local
aaa authorization network default none
!
aaa session-id common
clock timezone Ekb 5
ip cef
!
ip domain name office
l2tp-class akado
!
username user password 0 pass
!
ip ssh port 3536 rotary 1
pseudowire-class class1
 encapsulation l2tpv2
 protocol l2tpv2 akado
 ip local interface FastEthernet0/0
!
crypto isakmp policy 100
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key *** address 10.1.124.95
!
crypto ipsec transform-set PEERS esp-aes esp-md5-hmac
!
crypto map IPSEC 100 ipsec-isakmp
 set peer 10.1.124.95
 set security-association idle-time 600
 set transform-set PEERS
 set pfs group1
 match address ACL_IPSEC
!
interface FastEthernet0/0
 mac-address 0019.5b88.bea1
 ip address 10.1.159.47 255.255.255.0
 ip pim sparse-dense-mode
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IPSEC
!
interface FastEthernet0/1
 ip address 172.12.0.1 255.255.255.0 secondary
 ip address 10.1.21.250 255.255.255.0 secondary
 ip address 192.168.0.1 255.255.255.0
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 no mop enabled
!
interface FastEthernet0/1.10
!
interface Virtual-PPP1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ***
 ppp chap password 0 ***
 pseudowire 10.0.0.72 10 pw-class class1
!
ip route 0.0.0.0 0.0.0.0 217.76.183.247
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 10.0.0.1 255.255.255.255 10.1.159.3
ip route 10.0.0.2 255.255.255.255 10.1.159.3
ip route 10.0.0.4 255.255.255.255 10.1.159.3
ip route 10.0.0.5 255.255.255.255 10.1.159.3
ip route 10.0.0.65 255.255.255.255 10.1.159.3
ip route 10.0.0.66 255.255.255.255 10.1.159.3
ip route 10.0.0.72 255.255.255.255 10.1.159.3
ip route 10.0.0.73 255.255.255.255 10.1.159.3
ip route 10.1.17.46 255.255.255.255 10.1.159.3
ip route 10.1.124.3 255.255.255.255 10.1.159.3
ip route 10.1.124.95 255.255.255.255 10.1.159.3
ip route 192.168.2.0 255.255.255.0 10.1.124.95
ip route 217.76.183.57 255.255.255.255 10.1.159.3
!
no ip http server
no ip http secure-server
ip nat Stateful id 1
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source list 101 interface Virtual-PPP1 overload
ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source list 103 interface Virtual-PPP1 overload
ip access-list extended ACL_IPSEC
 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip host 10.1.124.95 host 10.1.159.47
 permit ip host 10.1.159.47 host 10.1.124.95
 deny ip any any
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 10.0.0.65
access-list 100 permit ip 192.168.0.0 0.0.255.255 217.76.184.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 217.76.183.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 10.0.0.72
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 10.0.0.73
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 10.0.0.74
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 10.0.0.75
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 10.0.0.2
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 10.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.255.255 host 10.1.124.95
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 172.12.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 172.12.0.0 0.0.255.255 host 10.0.0.65
access-list 102 permit ip 172.12.0.0 0.0.255.255 217.76.184.0 0.0.0.255
access-list 102 permit ip 172.12.0.0 0.0.255.255 217.76.183.0 0.0.0.255
access-list 102 permit ip 172.12.0.0 0.0.255.255 host 10.0.0.72
access-list 102 permit ip 172.12.0.0 0.0.255.255 host 10.0.0.73
access-list 102 permit ip 172.12.0.0 0.0.255.255 host 10.0.0.74
access-list 102 permit ip 172.12.0.0 0.0.255.255 host 10.0.0.75
access-list 102 permit ip 172.12.0.0 0.0.255.255 host 10.0.0.2
access-list 102 permit ip 172.12.0.0 0.0.255.255 host 10.0.0.1
access-list 103 permit ip 172.12.0.0 0.0.0.255 any
snmp-server community cisco RO

2. And the remote office:

Current configuration : 4565 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***
enable password ***
!
aaa new-model
!
aaa authentication login default local none
aaa authentication ppp default local
aaa authorization network default none
!
aaa session-id common
clock timezone Ekb 5
ip cef
!
ip domain name office
l2tp-class akado
!
username user password 0 pass
!
pseudowire-class class1
 encapsulation l2tpv2
 protocol l2tpv2 akado
 ip local interface FastEthernet0/0
!
crypto isakmp policy 100
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ***** address 10.1.159.47
!
crypto ipsec transform-set PEERS esp-aes esp-md5-hmac
!
crypto map IPSEC 100 ipsec-isakmp
 set peer 10.1.159.47
 set security-association idle-time 600
 set transform-set PEERS
 set pfs group1
 match address ACL_IPSEC
!
interface FastEthernet0/0
 mac-address 0026.1868.f673
 ip address 10.1.124.95 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IPSEC
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 no mop enabled
!
interface Virtual-PPP1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ***
 ppp chap password 0 ****
 pseudowire 10.0.0.72 10 pw-class class1
!
ip route 0.0.0.0 0.0.0.0 217.76.183.247
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 10.0.0.1 255.255.255.255 10.1.124.3
ip route 10.0.0.2 255.255.255.255 10.1.124.3
ip route 10.0.0.4 255.255.255.255 10.1.124.3
ip route 10.0.0.5 255.255.255.255 10.1.124.3
ip route 10.0.0.65 255.255.255.255 10.1.124.3
ip route 10.0.0.66 255.255.255.255 10.1.124.3
ip route 10.0.0.72 255.255.255.255 10.1.124.3
ip route 10.0.0.73 255.255.255.255 10.1.124.3
ip route 10.1.17.46 255.255.255.255 10.1.124.3
ip route 10.1.159.3 255.255.255.255 10.1.124.3
ip route 10.1.159.16 255.255.255.255 10.1.124.3
ip route 10.1.159.47 255.255.255.255 10.1.124.3
ip route 192.168.0.0 255.255.255.0 10.1.159.47
!
no ip http server
no ip http secure-server
ip nat Stateful id 1
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source list 101 interface Virtual-PPP1 overload
!
ip access-list extended ACL_IPSEC
 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip host 10.1.159.47 host 10.1.124.95
 permit ip host 10.1.124.95 host 10.1.159.47
 deny ip any any
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 10.0.0.65
access-list 100 permit ip 192.168.2.0 0.0.0.255 217.76.184.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 217.76.183.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 10.0.0.72
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 10.0.0.73
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 10.0.0.74
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 10.0.0.75
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 10.0.0.2
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 10.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 host 10.0.0.65
access-list 100 permit ip 192.168.0.0 0.0.0.255 217.76.184.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 217.76.183.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 host 10.0.0.72
access-list 100 permit ip 192.168.0.0 0.0.0.255 host 10.0.0.73
access-list 100 permit ip 192.168.0.0 0.0.0.255 host 10.0.0.74
access-list 100 permit ip 192.168.0.0 0.0.0.255 host 10.0.0.75
access-list 100 permit ip 192.168.0.0 0.0.0.255 host 10.0.0.2
access-list 100 permit ip 192.168.0.0 0.0.0.255 host 10.0.0.1
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
snmp-server community cisco RO

PS: this was inherited... The task is to set up an IPsec tunnel (to see the 192.168.2.0 network from 192.168.0.0 and vice versa).

shutdown#sh crypto isakmp sa
dst             src             state          conn-id slot status
10.1.124.95     10.1.159.47     QM_IDLE              1    0 ACTIVE
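The checks a practitioner would run on the two configs posted above, as an added example that is not part of the thread: it parses both routers' crypto ACLs and confirms they are mirror images (the usual cause of a phase 1 SA that is ACTIVE while phase 2 never comes up), evaluates first-match which flows the crypto map would select (including traffic between the two FastEthernet0/0 addresses 10.1.124.95 and 10.1.159.47, which the host entries cover, so a GRE tunnel between them like the Tunnel10 fix later in the thread rides inside the IPsec SA), and lists the weak settings visible in the posted configs. The ACL and crypto lines are copied from the post; the parsing code, the check logic and all function names are mine.

```python
"""Checks for the two-site IOS IPsec configuration posted above.

Added example (not from the original post): the ACL and crypto lines are
copied from the two posted configs; the parsing and check logic is mine.
"""
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "action proto src dst")

# Crypto ACL of the main office (hostname "shutdown"), copied from the post.
MAIN_CRYPTO_ACL = """
 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip host 10.1.124.95 host 10.1.159.47
 permit ip host 10.1.159.47 host 10.1.124.95
 deny ip any any
"""

# Crypto ACL of the remote office (hostname "cisco"), copied from the post.
REMOTE_CRYPTO_ACL = """
 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip host 10.1.159.47 host 10.1.124.95
 permit ip host 10.1.124.95 host 10.1.159.47
 deny ip any any
"""

# Crypto and hardening-relevant lines that are identical on both posted routers.
POSTED_CRYPTO_LINES = """
no service password-encryption
crypto isakmp policy 100
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set PEERS esp-aes esp-md5-hmac
crypto map IPSEC 100 ipsec-isakmp
 set pfs group1
snmp-server community cisco RO
"""


def _wildcard_to_network(addr, wildcard):
    """IOS 'A.B.C.D WILDCARD' -> ip_network (the wildcard is an inverted netmask)."""
    inv = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(inv).count("1")
    if inv != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _take_address(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse named ('permit ip ...') or numbered ('access-list N permit ...') lines."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        src, rest = _take_address(tokens[2:])
        dst, _ = _take_address(rest)
        entries.append(Entry(tokens[0], tokens[1], src, dst))
    return entries


def mirror_check(local_text, remote_text):
    """Return local permits that have no reversed counterpart on the remote side.

    The responder rejects phase 2 when its crypto ACL is not the mirror image of
    the initiator's proxy identities, so a non-empty result is a real defect.
    """
    remote = {(e.proto, e.src, e.dst) for e in parse_acl(remote_text) if e.action == "permit"}
    return [e for e in parse_acl(local_text)
            if e.action == "permit" and (e.proto, e.dst, e.src) not in remote]


def selects(acl_text, src_ip, dst_ip):
    """First-match evaluation: would the crypto map pick this flow for encryption?"""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in parse_acl(acl_text):
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


WEAK_LINES = {
    "hash md5": "ISAKMP integrity uses MD5; prefer a SHA hash",
    "group 2": "ISAKMP DH group 2 is 1024-bit; prefer group 14 or stronger",
    "set pfs group1": "PFS uses 768-bit DH group 1; prefer group 14 or stronger",
    "no service password-encryption": "local and CHAP passwords are stored in clear text",
    "snmp-server community cisco RO": "trivially guessable SNMP community string",
}


def weak_settings(config_text):
    """Flag the weak settings visible in the posted configs, as (line, reason) pairs."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in WEAK_LINES:
            findings.append((line, WEAK_LINES[line]))
        elif line.startswith("crypto ipsec transform-set") and "esp-md5-hmac" in line:
            findings.append((line, "ESP integrity uses HMAC-MD5; prefer esp-sha-hmac or stronger"))
    return findings


if __name__ == "__main__":
    print("unmirrored entries:", mirror_check(MAIN_CRYPTO_ACL, REMOTE_CRYPTO_ACL))
    print("Fa0/0-to-Fa0/0 traffic encrypted:", selects(REMOTE_CRYPTO_ACL, "10.1.124.95", "10.1.159.47"))
    for line, why in weak_settings(POSTED_CRYPTO_LINES):
        print(f"{line!r}: {why}")
```

On the posted configs the mirror check comes back empty and the LAN-to-LAN flow is selected on both sides, which is consistent with the ACTIVE QM_IDLE SA shown; the remaining suspects are then outside the crypto ACLs (NAT order of operations, routing, or the peer-side phase 2 proposal). Note that on IOS, inside-to-outside NAT runs before the crypto map match, so any NAT ACL that catches 192.168.0.0/24 to 192.168.2.0/24 would rewrite the source before the crypto ACL ever sees it; the posted NAT ACLs do not, which is why the remote office needs its explicit deny line ahead of permit ... any.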
Kazam Posted May 31, 2010

Fixed it like this:

interface Tunnel10
 ip unnumbered FastEthernet0/0
 ip helper-address 192.168.0.243
 ip directed-broadcast
 tunnel source FastEthernet0/0
 tunnel destination 10.1.159.47
!

and correspondingly:

ip route 192.168.0.0 255.255.255.0 Tunnel10

On the other side, mirrored. The open question now is how to pass NetBIOS, DHCP and a couple of other UDP protocols through ip helper-address, or whether there is an alternative.

PS: the 192.168.2.0/24 network really needs connectivity to 192.168.0.243 (domain, DHCP).
Deac Posted May 31, 2010

Wouldn't a bridge between the physical and tunnel interfaces do?