fhntv_smart Posted May 1, 2014 (edited) · Report post Есть микротик. Реальный айпи 91.222.1.1. Локалка 192.168.0.0/19 Есть cisco asa 5505. Айпи 207.115.1.1. Локалка 192.168.88.0/24. Диапазоны локалок рядом, но не пересекаются... так что проблемы быть не должно. Поменять диапазоны очень сложно... да и смысл?. Нужно организовать тунель. Из всего великолепия, циска умеет только IP-sec. настройки циски: interface Vlan2 nameif outside security-level 0 ip address 207.115.1.1 255.255.255.248 ! interface Vlan12 nameif inside security-level 100 ip address 192.168.88.1 255.255.255.0 crypto ipsec transform-set tik-kh esp-3des esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map dynmap 10 set transform-set transform-2 crypto map vpnmap 5 ipsec-isakmp dynamic dynmap crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set peer 91.222.1.1 crypto map outside_map 1 set transform-set tik-kh crypto map outside_map 1 set nat-t-disable crypto map outside_map interface outside crypto ca trustpoint ASDM_TrustPoint0 enrollment terminal subject-name CN=ciscoasa crl configure crypto isakmp identity address crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 no crypto isakmp nat-traversal По файерволу все вроде разрешено, там визардом делал. настройки микротика: /ip ipsec proposal set [ find default=yes ] auth-algorithms=md5 disabled=no enc-algorithms=\ 3des,aes-128 lifetime=30m name=default pfs-group=none /ip ipsec peer add address=207.115.1.1/32 auth-method=pre-shared-key dh-group=modp1024 \ disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \ exchange-mode=main generate-policy=yes hash-algorithm=md5 lifebytes=0 \ lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\ obey secret=caHqL2CohHsB send-initial-contact=yes /ip ipsec policy add action=encrypt disabled=yes dst-address=192.168.88.0/24 dst-port=any \ ipsec-protocols=esp level=unique priority=0 proposal=default protocol=all \ sa-dst-address=207.115.1.1 sa-src-address=91.222.1.1 src-address=\ 192.168.0.0/19 src-port=any tunnel=yes Подключение происходит: /ip ipsec remote-peers> print 0 local-address=91.222.1.1 remote-address=207.115.1.1 state=established side=responder established=28m57s /ip ipsec statistics> print in-errors: 0 in-buffer-errors: 0 in-header-errors: 0 in-no-states: 0 in-state-protocol-errors: 0 in-state-mode-errors: 0 in-state-sequence-errors: 0 in-state-expired: 0 in-state-mismatches: 0 in-state-invalid: 0 in-template-mismatches: 2 in-no-policies: 0 in-policy-blocked: 0 in-policy-errors: 0 out-errors: 0 out-bundle-errors: 0 out-bundle-check-errors: 0 out-no-states: 145 out-state-protocol-errors: 0 out-state-mode-errors: 0 out-state-sequence-errors: 0 out-state-expired: 0 out-policy-blocked: 0 out-policy-dead: 0 out-policy-errors: 0 с полиси политика такая. Либо я создаю... и оно не работает, либо оно добавляется само и тоже не работает. /ip ipsec policy> print Flags: X - disabled, D - dynamic, I - inactive 0 X src-address=192.168.0.0/19 src-port=any dst-address=192.168.88.0/24 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=91.222.1.1 sa-dst-address=207.115.1.1 proposal=default priority=0 1 D src-address=192.168.88.0/24 src-port=any dst-address=192.168.0.0/19 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=91.222.1.1 sa-dst-address=207.115.1.1 proposal=default priority=2 2 D src-address=192.168.88.0/24 src-port=any dst-address=192.168.0.0/19 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=91.222.1.1 sa-dst-address=207.115.1.1 proposal=default priority=2 3 D src-address=192.168.0.0/19 src-port=any dst-address=192.168.88.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=207.115.1.1 sa-dst-address=91.222.1.1 proposal=default priority=2 на циске show cry isa sa тоже что-то выдавало... но сейчас оно отвалилось, а восстанавливается оно по пол часа... ВОПРОС: Куда копать дальше? куда смотреть? Пинги в чужую сеть не идут. Помогите пожалуйста кто как может... Edited May 1, 2014 by fhntv_smart Share this post Link to post Share on other sites
myst Posted May 3, 2014 · Report post для начала попробовать cle cry sa на циске. Share this post Link to post Share on other sites
fhntv_smart Posted May 4, 2014 · Report post для начала попробовать cle cry sa на циске. ciscoasa(config)# clear crypto sa ^ ERROR: % Invalid input detected at '^' marker. ciscoasa(config)# clear crypto ipsec sa ciscoasa(config)# clear crypto isakmp sa проходит, ничего не меняется. Share this post Link to post Share on other sites
fhntv_smart Posted May 4, 2014 · Report post Вот что выдает цыска show crypto ipsec sa interface: outside Crypto map tag: outside_map, seq num: 1, local addr: 207.115.1.1 access-list outside_1_cryptomap extended permit ip 192.168.88.0 255.255.255.0 192.168.0.0 255.255.224.0 local ident (addr/mask/prot/port): (192.168.88.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (kh-192/255.255.224.0/0/0) current_peer: 91.222.1.1 #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 207.115.1.1, remote crypto endpt.: 91.222.1.1 path mtu 1500, ipsec overhead 58, media mtu 1500 current outbound spi: 031D5759 current inbound spi : D5873214 inbound esp sas: spi: 0xD5873214 (3582407188) transform: esp-3des esp-md5-hmac no compression in use settings ={L2L, Tunnel, } slot: 0, conn_id: 606208, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4374000/28740) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001 outbound esp sas: spi: 0x031D5759 (52254553) transform: esp-3des esp-md5-hmac no compression in use settings ={L2L, Tunnel, } slot: 0, conn_id: 606208, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4373999/28740) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001 ciscoasa(config)# show crypto isakmp sa Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 91.222.1.1 Type : L2L Role : initiator Rekey : no State : MM_ACTIVE Share this post Link to post Share on other sites
myst Posted May 4, 2014 · Report post Ну значит IPSEC работает. Share this post Link to post Share on other sites
fhntv_smart Posted May 5, 2014 · Report post Ларчик то просто открывался. Работает. Просто с самого микротика пинг не шел. А с других компов в сети все ок. По мелочи что-то еще поменял... В общем, спасибо за сочувствие. Share this post Link to post Share on other sites
