
Cisco IPSEC + openswan: something's off....

Cisco 3725. Config.

no aaa new-model
ip subnet-zero
ip cef
ip name-server
ip audit po max-events 100
no crypto xauth FastEthernet0/0.30
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key testkey address _IP1_ no-xauth
crypto isakmp aggressive-mode disable
crypto ipsec transform-set gw5 ah-sha-hmac esp-3des esp-md5-hmac
crypto ipsec transform-set aes esp-aes esp-sha-hmac
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto ipsec transform-set des esp-des
no crypto ipsec nat-transparency udp-encaps
crypto map vpns local-address FastEthernet0/0.30
crypto map vpns 20 ipsec-isakmp
 description GW5-test
 set peer _IP1_
 set transform-set gw5 aes 3des des
 set pfs group2
 match address 102
 reverse-route remote-peer
interface FastEthernet0/0
 no ip address
 speed auto
 no mop enabled
interface FastEthernet0/0.10
interface FastEthernet0/0.30
 encapsulation dot1Q 30 native
 ip address MYIP
 ip nat outside
 crypto map vpns
interface Serial0/0
 no ip address
 no fair-queue
interface FastEthernet0/1
 description Office
 no ip address
 duplex auto
 speed auto
interface FastEthernet0/1.10
 encapsulation dot1Q 10 native
 ip address
 ip nat inside
ip nat inside source list nat interface FastEthernet0/0.30 overload
ip classless
ip route MYROUTE
no ip http server
no ip http secure-server
ip access-list extended nat
 deny   ip log-input
 permit ip any log-input
 deny   ip any any
logging trap debugging
logging source-interface FastEthernet0/1.10
access-list 102 permit ip log-input


The connection sort of comes up (swan says tunnel established).

When I try, for example, a ping, nothing.

core#show cry is sa
dst src state conn-id slot

core#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is to network

     MYNET/30 is subnetted, 1 subnets
C       MYNET is directly connected, FastEthernet0/0.30
S    [1/0] via IP
     IPNET/32 is subnetted, 1 subnets
S       IP [1/0] via, FastEthernet0/0.30
C    is directly connected, FastEthernet0/1.10
S*   [1/0] via


Where could the screw-up be?
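One check worth running on a config shaped like this one, added here as an example (not the poster's config or output): on IOS, inside-to-outside NAT is applied before the crypto map is consulted, so a flow that the NAT ACL still permits gets translated and no longer matches the crypto ACL. The script parses the crypto-map ACL and the NAT ACL from a constructed config with placeholder addresses (the post redacted its own) and reports any VPN flow the NAT ACL would still translate; it checks whole-flow containment only, not partial overlaps.

```python
import ipaddress
import re

# Constructed sample shaped like the post's config (its addresses were redacted; these are documentation ranges).
SAMPLE_CONFIG = """
ip nat inside source list nat interface FastEthernet0/0.30 overload
crypto map vpns 20 ipsec-isakmp
 match address 102
ip access-list extended nat
 deny   ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 log-input
 permit ip 192.0.2.0 0.0.0.255 any log-input
access-list 102 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 log-input
"""

def _net(words):
    """Parse 'any' or 'A.B.C.D wildcard' (contiguous wildcards only); return (network, words consumed)."""
    if words[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(words[1]))))
    return ipaddress.ip_network(f"{words[0]}/{mask}", strict=False), 2

def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for the 'ip' entries of named and numbered ACLs."""
    acls, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        header = re.match(r"ip access-list extended (\S+)", line)
        rule = re.match(r"(?:access-list (\d+)\s+)?(permit|deny)\s+ip\s+(.*)", line)
        if header:
            current = header.group(1)
        elif rule and (rule.group(1) or current):
            name, action, words = rule.group(1) or current, rule.group(2), rule.group(3).split()
            src, used = _net(words)
            acls.setdefault(name, []).append((action, src, _net(words[used:])[0]))
        elif line:
            current = None  # any other command ends the named ACL block
    return acls

def nat_before_crypto(config):
    """List crypto-map flows that the NAT ACL would still translate (first match wins, implicit deny)."""
    acls = parse_acls(config)
    nat_acl = re.search(r"ip nat inside source list (\S+)", config).group(1)
    vpn_acl = re.search(r"^\s*match address (\S+)", config, re.M).group(1)
    leaks = []
    for action, vsrc, vdst in acls[vpn_acl]:
        hit = next((a for a, nsrc, ndst in acls[nat_acl]
                    if vsrc.subnet_of(nsrc) and vdst.subnet_of(ndst)), "deny")
        if action == "permit" and hit == "permit":
            leaks.append(f"{vsrc} -> {vdst}")
    return leaks
```

An empty list means every crypto-map flow is exempted from NAT; anything listed would be translated to the outside address and never reach the crypto map.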
