And here I am with a question, "because the tunnel won't come up"... ;-/
Take a look at the configs below and then please explain why this wretched tunnel refuses to come up...
Problem:
*Mar 4 15:37:19.378: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /172.16.1.3, src_addr= 10.1.0.2, prot= 1
Peer 1 conf:
Kon# show run
hostname Kon
!
boot system flash:c3825-advsecurityk9-mz.124-12.bin
boot system flash:c3825-spservicesk9-mz.123-11.T8.bin
boot-end-marker
!
no aaa new-model
no network-clock-participate wic 0
ip cef
!
ip domain name borek.pl
!
controller E1 0/0/0
!
crypto isakmp policy 110
hash md5
authentication pre-share
crypto isakmp key borek address 192.168.200.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set kon_tr_set esp-des esp-md5-hmac
!
crypto map kon_cr_map 110 ipsec-isakmp
set peer 192.168.200.2
set transform-set kon_tr_set
set pfs group1
match address 110
!
interface GigabitEthernet0/0
description ISP
ip address 192.168.200.1 255.255.255.0
duplex full
speed 1000
media-type rj45
no keepalive
crypto map kon_cr_map
!
interface GigabitEthernet0/1
description LAN
ip address 10.1.0.1 255.255.255.0
duplex auto
speed auto
media-type rj45
no keepalive
!
ip route 172.16.1.0 255.255.255.0 192.168.200.2
!
ip http server
no ip http secure-server
!
access-list 110 permit icmp 10.1.0.0 0.0.0.255 172.16.200.0 0.0.0.255
!
end
Peer 2 conf:
Waw#show run
hostname Waw
no aaa new-model
ip cef
!
crypto pki trustpoint TP-self-signed-2731605517
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2731605517
revocation-check none
rsakeypair TP-self-signed-2731605517
!
crypto isakmp policy 110
hash md5
authentication pre-share
crypto isakmp key borek address 192.168.200.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set waw_tr_set esp-des esp-md5-hmac
!
crypto map waw_cr_map 110 ipsec-isakmp
set peer 192.168.200.1
set transform-set waw_tr_set
set pfs group1
match address 110
!
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 192.168.200.2 255.255.255.0
duplex full
speed 1000
media-type rj45
no keepalive
crypto map waw_cr_map
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
no keepalive
!
ip route 10.1.0.0 255.255.255.0 192.168.200.1
!
ip http server
ip http secure-server
!
access-list 110 permit icmp 172.16.1.0 0.0.0.255 10.1.0.0 0.0.0.255
end
I found this hint on cisco.com (but I still don't know what to do to make it work):
The received packet matched the encryption (crypto) map ACL, but the packet is not IPSec-encapsulated. The IPSec peer is sending unencapsulated packets. There may simply be a policy setup error on the peer. This activity could be considered a hostile event.
If anyone finds the time to analyse this and answer, thanks in advance.
Regards to all forum members
VPN Preshared Keys
Reply from sebu (CCIE / CNAP instructor, Warsaw, Poland):
look at Peer 1:
it should probably be network 172.16.1.0:
access-list 110 permit icmp 10.1.0.0 0.0.0.255 172.16.200.0 0.0.0.255
Are you an ambitious engineer looking for interesting projects? We invite you to work with NetFormers (permanent and project-based). Details via PM.
Work: http://netformers.pl
Linked-in: http://www.linkedin.com/in/strzelak
It works.
You can read a hundred times that the ACLs should be "mirrored" and your finger still "slips" and types that "200".
Thanks for the help and the sharp eye.
Waw#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.200.2   192.168.200.1   QM_IDLE              1    0 ACTIVE
Waw#show crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: waw_cr_map, local addr 192.168.200.2
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/1/0)
current_peer 192.168.200.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 101, #pkts encrypt: 101, #pkts digest: 101
#pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101
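The mirror rule sebu applied above, as an added example that is not part of the original thread: a small Python checker (my own code, not a Cisco tool or anything posted by the authors) that parses two IOS running-configs and cross-checks the crypto-map peer addresses against the interface the map is applied on, the pre-shared keys, and the crypto-map ACLs, requiring every permit entry on one side to appear on the other side with source and destination swapped. The two config strings are constructed from the thread's `show run` output, trimmed to the lines the checker reads; KON_CONFIG_FIXED is Kon's config with the ACL corrected to 172.16.1.0. The parser only understands the address/wildcard form of extended ACL entries that the thread uses (no `host`, `any` or port matches), which is an assumption of this example. Run on the configs as posted it reports the 172.16.200.0 mismatch from both sides; after the fix it reports nothing.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Constructed input: the two running-configs from the thread, cut down to the
# lines this checker reads. Kon's ACL still carries the 172.16.200.0 typo.
KON_CONFIG = """\
hostname Kon
crypto isakmp key borek address 192.168.200.2
crypto map kon_cr_map 110 ipsec-isakmp
 set peer 192.168.200.2
 match address 110
interface GigabitEthernet0/0
 ip address 192.168.200.1 255.255.255.0
 crypto map kon_cr_map
access-list 110 permit icmp 10.1.0.0 0.0.0.255 172.16.200.0 0.0.0.255
"""
WAW_CONFIG = """\
hostname Waw
crypto isakmp key borek address 192.168.200.1
crypto map waw_cr_map 110 ipsec-isakmp
 set peer 192.168.200.1
 match address 110
interface GigabitEthernet0/0
 ip address 192.168.200.2 255.255.255.0
 crypto map waw_cr_map
access-list 110 permit icmp 172.16.1.0 0.0.0.255 10.1.0.0 0.0.0.255
"""
# The correction from the thread: Kon's destination must be Waw's LAN, 172.16.1.0/24.
KON_CONFIG_FIXED = KON_CONFIG.replace("172.16.200.0 0.0.0.255", "172.16.1.0 0.0.0.255")


@dataclass
class Peer:
    hostname: str = ""
    local_addr: IPv4Address | None = None  # address of the interface carrying the crypto map
    peer_addr: IPv4Address | None = None   # "set peer" in that crypto map
    psk: dict = field(default_factory=dict)  # peer address -> pre-shared key
    acl: list = field(default_factory=list)  # (proto, src, dst) permit entries of the matched ACL


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """IOS wildcards are inverted masks: 0.0.0.255 is a /24, 0.0.0.0 is a /32 host."""
    host_bits = int(IPv4Address(wildcard))
    if (host_bits + 1) & host_bits:  # the ones must be contiguous from the right
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return IPv4Network((addr, 32 - host_bits.bit_length()), strict=False)


def parse_peer(config: str) -> Peer:
    """Extract hostname, PSKs, the crypto map's peer/local address and its ACL."""
    p, maps, acls = Peer(), {}, {}
    cur_map = if_addr = None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("hostname "):
            p.hostname = s.split()[1]
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)$", s):
            p.psk[IPv4Address(m[2])] = m[1]
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", s):
            cur_map = maps.setdefault(m[1], {})
        elif cur_map is not None and s.startswith("set peer "):
            cur_map["peer"] = IPv4Address(s.split()[2])
        elif cur_map is not None and s.startswith("match address "):
            cur_map["acl"] = s.split()[2]
        elif s.startswith("interface "):
            cur_map = if_addr = None
        elif m := re.match(r"ip address (\S+) \S+$", s):
            if_addr = IPv4Address(m[1])
        elif m := re.match(r"crypto map (\S+)$", s):  # map applied to the interface above
            maps.setdefault(m[1], {})["local"] = if_addr
        elif s.startswith("access-list "):
            # Extended ACL in address/wildcard form only: N permit|deny PROTO S SW D DW
            num, action, proto, src, sw, dst, dw = s.split()[1:8]
            if action == "permit":
                acls.setdefault(num, []).append(
                    (proto, wildcard_to_network(src, sw), wildcard_to_network(dst, dw)))
    for cm in maps.values():  # the map that is both defined and applied to an interface
        if "peer" in cm and "local" in cm:
            p.peer_addr, p.local_addr, p.acl = cm["peer"], cm["local"], acls.get(cm.get("acl"), [])
    return p


def check_pair(a: Peer, b: Peer) -> list:
    """Cross-check two peers; an empty list means the two configs agree."""
    findings = []
    if a.psk.get(a.peer_addr) != b.psk.get(b.peer_addr):
        findings.append(f"{a.hostname}/{b.hostname}: pre-shared keys differ")
    for x, y in ((a, b), (b, a)):
        if x.peer_addr != y.local_addr:
            findings.append(f"{x.hostname}: set peer {x.peer_addr}, but {y.hostname} "
                            f"applies its crypto map on {y.local_addr}")
        for proto, src, dst in x.acl:  # mirror rule: my src->dst must be the peer's dst->src
            if (proto, dst, src) not in y.acl:
                findings.append(f"{x.hostname}: {proto} {src} -> {dst} has no mirror entry on {y.hostname}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", KON_CONFIG), ("after the fix", KON_CONFIG_FIXED)):
        print(label + ":", check_pair(parse_peer(cfg), parse_peer(WAW_CONFIG)) or "OK")
```

The check is deliberately symmetric: an entry on Kon that has no mirror on Waw and an entry on Waw that has no mirror on Kon are reported separately, because the %CRYPTO-4-RECVD_PKT_NOT_IPSEC message in the thread only tells you which side received a cleartext packet, not which side's ACL is the one with the typo.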