Cisco IPSEC + openswan. Something's not right....

Cisco 3725. Config.

no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 192.168.0.223
ip audit po max-events 100
!
no crypto xauth FastEthernet0/0.30
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key testkey address _IP1_ 255.255.255.0 no-xauth
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set gw5 ah-sha-hmac esp-3des esp-md5-hmac 
crypto ipsec transform-set aes esp-aes esp-sha-hmac 
crypto ipsec transform-set 3des esp-3des esp-sha-hmac 
crypto ipsec transform-set des esp-des 
no crypto ipsec nat-transparency udp-encaps
!
crypto map vpns local-address FastEthernet0/0.30
crypto map vpns 20 ipsec-isakmp 
description GW5-test
set peer _IP1_
set transform-set gw5 aes 3des des 
set pfs group2
match address 102
reverse-route remote-peer
!
!
!
!
interface FastEthernet0/0
no ip address
speed auto
full-duplex
no mop enabled
!         
interface FastEthernet0/0.10
!
interface FastEthernet0/0.30
encapsulation dot1Q 30 native
ip address MYIP 255.255.255.252
ip nat outside
crypto map vpns
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
description Office
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.10
encapsulation dot1Q 10 native
ip address 192.168.0.252 255.255.255.0
ip nat inside
!
ip nat inside source list nat interface FastEthernet0/0.30 overload
ip classless
ip route 0.0.0.0 0.0.0.0 MYROUTE
!
no ip http server
no ip http secure-server
!
ip access-list extended nat
deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255 log-input
permit ip 192.168.0.0 0.0.0.255 any log-input
deny   ip any any
!
logging trap debugging
logging source-interface FastEthernet0/1.10
logging 192.168.0.254
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255 log-input
!
end

The connection sort of comes up (swan says "tunnel established").

When I try to ping, for example: nothing.

core#show cry is sa
dst             src             state          conn-id slot
MYIP            IP              QM_IDLE        102     0

core#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 217.171.4.221 to network 0.0.0.0

     MYNET/30 is subnetted, 1 subnets
C       MYNET is directly connected, FastEthernet0/0.30
S    192.168.5.0/24 [1/0] via IP
     IPNET/32 is subnetted, 1 subnets
S       IP [1/0] via 0.0.0.0, FastEthernet0/0.30
C    192.168.0.0/24 is directly connected, FastEthernet0/1.10
S*   0.0.0.0/0 [1/0] via 217.171.4.221

Where could the problem be?
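The symptom above (ISAKMP SA in QM_IDLE, openswan reporting the tunnel established, but no traffic passing) has two classic causes on a crypto-map setup: the phase-2 proxy IDs on the two sides are not exact mirrors of each other, or the traffic is NATed by `ip nat inside source` before the crypto map ever sees it. The script below is an added example, not part of the original post or of any Cisco or openswan tooling: it takes the `access-list 102` and `ip access-list extended nat` lines exactly as posted, plus an assumed openswan `conn` block (the post does not show ipsec.conf, so the block is constructed, with the convention that `left` is the openswan host), converts the wildcard-mask ACEs to networks, and reports any selector that has no mirror on the openswan side or that would be NATed first.

```python
"""Added example (not from the original post): check the two classic causes of
"IKE up but no traffic" between a Cisco crypto map and an openswan conn:
mismatched proxy-ID selectors, and VPN traffic NATed before the crypto map."""
import ipaddress

# Crypto ACL exactly as posted on the router.
CISCO_CRYPTO_ACL = """
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255 log-input
"""

# NAT ACL exactly as posted (body of "ip access-list extended nat").
CISCO_NAT_ACL = """
 deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255 log-input
 permit ip 192.168.0.0 0.0.0.255 any log-input
 deny   ip any any
"""

# Constructed openswan side (assumption: the post shows no ipsec.conf).
# Convention assumed here: "left" is the openswan host itself.
OPENSWAN_CONN = """
conn gw5-test
    left=%defaultroute
    leftsubnet=192.168.5.0/24
    right=MYIP
    rightsubnet=192.168.0.0/24
    auto=start
"""


def wildcard_to_network(addr, wildcard):
    """Cisco address/wildcard pair -> ip_network (wildcard is the inverted mask)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _endpoint(tokens, i):
    """Parse one ACE endpoint (any | host A | A WILDCARD); return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse numbered ('access-list N permit ip ...') and named ('permit ip ...')
    IP ACEs into (action, src, dst), in order. Non-IP or unparsable lines are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]  # drop 'access-list' and the list number
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, i = _endpoint(tokens, 2)
        dst, _ = _endpoint(tokens, i)
        aces.append((tokens[0], src, dst))
    return aces


def crypto_selectors(acl_text):
    """Traffic the crypto map protects: the permit ACEs of its match ACL."""
    return [(src, dst) for action, src, dst in parse_acl(acl_text) if action == "permit"]


def parse_openswan_conn(text):
    """Return (leftsubnet, rightsubnet) of one conn block as ip_networks."""
    subnets = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("leftsubnet", "rightsubnet"):
            subnets[key] = ipaddress.ip_network(value, strict=False)
    if set(subnets) != {"leftsubnet", "rightsubnet"}:
        raise ValueError("conn must set both leftsubnet and rightsubnet for this check")
    return subnets["leftsubnet"], subnets["rightsubnet"]


def selector_mismatches(selectors, conn_text, swan_local_side="left"):
    """Cisco selectors (src=local, dst=remote) with no exact mirror
    (remote, local) on the openswan side. A narrower or wider subnet on one
    side (e.g. /25 vs /24) is reported as a mismatch; only an exact mirror passes."""
    left, right = parse_openswan_conn(conn_text)
    swan_local, swan_remote = (left, right) if swan_local_side == "left" else (right, left)
    return [(src, dst) for src, dst in selectors if (src, dst) != (swan_remote, swan_local)]


def natted_selectors(nat_acl_text, selectors):
    """Selectors whose first matching ACE in the NAT ACL is a permit: that traffic
    is translated to the outside address and never matches the crypto ACL."""
    aces = parse_acl(nat_acl_text)
    bad = []
    for src, dst in selectors:
        for action, ace_src, ace_dst in aces:
            if src.subnet_of(ace_src) and dst.subnet_of(ace_dst):
                if action == "permit":
                    bad.append((src, dst))
                break  # first match wins, as on the router
    return bad


def report(crypto_acl=CISCO_CRYPTO_ACL, nat_acl=CISCO_NAT_ACL, conn=OPENSWAN_CONN):
    """Both checks for one crypto-map entry; empty lists mean nothing found."""
    sel = crypto_selectors(crypto_acl)
    return {
        "selectors": sel,
        "proxy_id_mismatch": selector_mismatches(sel, conn),
        "natted_before_crypto": natted_selectors(nat_acl, sel),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the posted ACLs and the assumed conn block both lists come back empty, which is what you want to confirm before looking elsewhere (for instance at what `show crypto ipsec sa` reports for `#pkts encaps` versus `#pkts decaps` on each side, which tells you which direction is actually dropping traffic). Swap in the real `leftsubnet`/`rightsubnet` from the openswan host to run the check against the live configuration.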
