cisco + ipsec + mikrotik. Help me beat this.

There is a MikroTik. Public IP 91.222.1.1. LAN 192.168.0.0/19

There is a Cisco ASA 5505. IP 207.115.1.1. LAN 192.168.88.0/24.

The LAN ranges are adjacent but do not overlap... so there should be no problem.

Changing the ranges is very difficult... and what would be the point?

 

I need to set up a tunnel. Of all the available options, the Cisco can only do IPsec.

Cisco settings:

 
interface Vlan2
nameif outside
security-level 0
ip address 207.115.1.1 255.255.255.248
!
interface Vlan12
nameif inside
security-level 100
ip address 192.168.88.1 255.255.255.0

crypto ipsec transform-set tik-kh esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set transform-2
crypto map vpnmap 5 ipsec-isakmp dynamic dynmap
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 91.222.1.1
crypto map outside_map 1 set transform-set tik-kh
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal

On the firewall everything seems to be allowed; I set it up with the wizard.

 

MikroTik settings:

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 disabled=no enc-algorithms=\
   3des,aes-128 lifetime=30m name=default pfs-group=none
/ip ipsec peer
add address=207.115.1.1/32 auth-method=pre-shared-key dh-group=modp1024 \
   disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
   exchange-mode=main generate-policy=yes hash-algorithm=md5 lifebytes=0 \
   lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
   obey secret=caHqL2CohHsB send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=yes dst-address=192.168.88.0/24 dst-port=any \
   ipsec-protocols=esp level=unique priority=0 proposal=default protocol=all \
   sa-dst-address=207.115.1.1 sa-src-address=91.222.1.1 src-address=\
   192.168.0.0/19 src-port=any tunnel=yes

The connection gets established:

/ip ipsec remote-peers> print 
0 local-address=91.222.1.1 remote-address=207.115.1.1 state=established 
  side=responder established=28m57s 
/ip ipsec statistics> print 
                 in-errors: 0
          in-buffer-errors: 0
          in-header-errors: 0
              in-no-states: 0
  in-state-protocol-errors: 0
      in-state-mode-errors: 0
  in-state-sequence-errors: 0
          in-state-expired: 0
       in-state-mismatches: 0
          in-state-invalid: 0
    in-template-mismatches: 2
            in-no-policies: 0
         in-policy-blocked: 0
          in-policy-errors: 0
                out-errors: 0
         out-bundle-errors: 0
   out-bundle-check-errors: 0
             out-no-states: 145
 out-state-protocol-errors: 0
     out-state-mode-errors: 0
 out-state-sequence-errors: 0
         out-state-expired: 0
        out-policy-blocked: 0
           out-policy-dead: 0
         out-policy-errors: 0

With the policy, the situation is this: either I create it... and it doesn't work, or it gets added automatically and doesn't work either.

 /ip ipsec policy> print 
Flags: X - disabled, D - dynamic, I - inactive 
0 X src-address=192.168.0.0/19 src-port=any dst-address=192.168.88.0/24 dst-port=any 
    protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes 
    sa-src-address=91.222.1.1 sa-dst-address=207.115.1.1 proposal=default 
    priority=0 

1 D src-address=192.168.88.0/24 src-port=any dst-address=192.168.0.0/19 dst-port=any 
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
    sa-src-address=91.222.1.1 sa-dst-address=207.115.1.1 proposal=default 
    priority=2 

2 D src-address=192.168.88.0/24 src-port=any dst-address=192.168.0.0/19 dst-port=any 
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
    sa-src-address=91.222.1.1 sa-dst-address=207.115.1.1 proposal=default 
    priority=2 

3 D src-address=192.168.0.0/19 src-port=any dst-address=192.168.88.0/24 dst-port=any 
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
    sa-src-address=207.115.1.1 sa-dst-address=91.222.1.1 proposal=default 
    priority=2 

On the Cisco

show cry isa sa

also showed something... but now it has dropped, and it takes about half an hour to come back...

 

QUESTION: Where do I dig next? Where should I look? Pings to the remote network do not go through.

Please help, anyone, however you can...

Edited by fhntv_smart


For a start, try cle cry sa on the Cisco.

ciscoasa(config)# clear crypto sa
                               ^
ERROR: % Invalid input detected at '^' marker.

 

ciscoasa(config)# clear crypto ipsec sa
ciscoasa(config)# clear crypto isakmp sa

It goes through, nothing changes.


Here is what the Cisco outputs

 show crypto ipsec sa
interface: outside
   Crypto map tag: outside_map, seq num: 1, local addr: 207.115.1.1

     access-list outside_1_cryptomap extended permit ip 192.168.88.0 255.255.255.0 192.168.0.0 255.255.224.0
     local ident (addr/mask/prot/port): (192.168.88.0/255.255.255.0/0/0)
     remote ident (addr/mask/prot/port): (kh-192/255.255.224.0/0/0)
     current_peer: 91.222.1.1

     #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
     #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
     #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
     #send errors: 0, #recv errors: 0

     local crypto endpt.: 207.115.1.1, remote crypto endpt.: 91.222.1.1

     path mtu 1500, ipsec overhead 58, media mtu 1500
     current outbound spi: 031D5759
     current inbound spi : D5873214

   inbound esp sas:
     spi: 0xD5873214 (3582407188)
        transform: esp-3des esp-md5-hmac no compression
        in use settings ={L2L, Tunnel, }
        slot: 0, conn_id: 606208, crypto-map: outside_map
        sa timing: remaining key lifetime (kB/sec): (4374000/28740)
        IV size: 8 bytes
        replay detection support: Y
        Anti replay bitmap:
         0x00000000 0x00000001
   outbound esp sas:
     spi: 0x031D5759 (52254553)
        transform: esp-3des esp-md5-hmac no compression
        in use settings ={L2L, Tunnel, }
        slot: 0, conn_id: 606208, crypto-map: outside_map
        sa timing: remaining key lifetime (kB/sec): (4373999/28740)
        IV size: 8 bytes
        replay detection support: Y
        Anti replay bitmap:
         0x00000000 0x00000001

 

ciscoasa(config)# show crypto isakmp sa

  Active SA: 1
   Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 91.222.1.1
   Type    : L2L             Role    : initiator
   Rekey   : no              State   : MM_ACTIVE


The answer turned out to be simple.

It works.

It was just that ping from the MikroTik itself did not go through. From the other computers on the network everything is fine.

I also changed a few minor things...

 

Anyway, thanks for the sympathy.

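Added example, not part of the thread: a Python check of which packets the phase-2 selectors shown in the posts actually cover. It parses the ASA crypto ACL line and the MikroTik static policy, confirms that they mirror each other, and tests two packets; that the router sourced its own pings from its public address 91.222.1.1 is an assumption, and the host addresses 192.168.0.10 and 192.168.88.10 are constructed.

```python
import ipaddress
import re

# Lines copied from the thread.
ASA_ACL = ("access-list outside_1_cryptomap extended permit ip "
           "192.168.88.0 255.255.255.0 192.168.0.0 255.255.224.0")
TIK_POLICY = ("src-address=192.168.0.0/19 src-port=any "
              "dst-address=192.168.88.0/24 dst-port=any")


def parse_asa_acl(line):
    """Return (local_net, remote_net) from an ASA 'permit ip' ACL line."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)$", line.strip())
    if not m:
        raise ValueError("unsupported ACL line: " + line)
    src, smask, dst, dmask = m.groups()
    return (ipaddress.ip_network(f"{src}/{smask}"),
            ipaddress.ip_network(f"{dst}/{dmask}"))


def parse_tik_policy(line):
    """Return (src_net, dst_net) from a RouterOS policy print line."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return (ipaddress.ip_network(fields["src-address"]),
            ipaddress.ip_network(fields["dst-address"]))


def selectors_mirror(asa, tik):
    """Phase-2 selectors must be exact mirrors: ASA local == MikroTik dst."""
    return asa[0] == tik[1] and asa[1] == tik[0]


def covered(policy, src, dst):
    """True if a packet src->dst matches the policy selectors."""
    return (ipaddress.ip_address(src) in policy[0]
            and ipaddress.ip_address(dst) in policy[1])


if __name__ == "__main__":
    asa, tik = parse_asa_acl(ASA_ACL), parse_tik_policy(TIK_POLICY)
    print("selectors mirror each other:", selectors_mirror(asa, tik))
    # Constructed test packets towards a host behind the ASA.
    for src in ("91.222.1.1", "192.168.0.10"):
        print(src, "-> 192.168.88.10 covered:",
              covered(tik, src, "192.168.88.10"))
```

A packet sourced from the public address is outside 192.168.0.0/19 and is not selected for the tunnel, which fits the symptom in the last post. RouterOS ping accepts src-address= for testing from the router with a LAN-side source.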