VPN Preshared Keys

Wiadomość

borekbp · #1

A ja z zapytaniem, "bo tunel się nie podnosi"... ;-/

Zarknijcie na configi poniższe a następnie wyjaśnijcie proszę dlaczego ten nieszczęsny tunel nie chce się podnieść...

Problem:
*Mar 4 15:37:19.378: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /172.16.1.3, src_addr= 10.1.0.2, prot= 1

Peer 1 conf:
Kon# show run
hostname Kon
!
boot system flash:c3825-advsecurityk9-mz.124-12.bin
boot system flash:c3825-spservicesk9-mz.123-11.T8.bin
boot-end-marker
!
no aaa new-model
no network-clock-participate wic 0
ip cef
!
ip domain name borek.pl
!
controller E1 0/0/0
!
crypto isakmp policy 110
hash md5
authentication pre-share
crypto isakmp key borek address 192.168.200.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set kon_tr_set esp-des esp-md5-hmac
!
crypto map kon_cr_map 110 ipsec-isakmp
set peer 192.168.200.2
set transform-set kon_tr_set
set pfs group1
match address 110
!
interface GigabitEthernet0/0
description ISP
ip address 192.168.200.1 255.255.255.0
duplex full
speed 1000
media-type rj45
no keepalive
crypto map kon_cr_map
!
interface GigabitEthernet0/1
description LAN
ip address 10.1.0.1 255.255.255.0
duplex auto
speed auto
media-type rj45
no keepalive
!
ip route 172.16.1.0 255.255.255.0 192.168.200.2
!
ip http server
no ip http secure-server
!
access-list 110 permit icmp 10.1.0.0 0.0.0.255 172.16.200.0 0.0.0.255
!
end

Peer 2 conf:
Waw#show run
hostname Waw

no aaa new-model
ip cef
!
crypto pki trustpoint TP-self-signed-2731605517
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2731605517
revocation-check none
rsakeypair TP-self-signed-2731605517
!
crypto isakmp policy 110
hash md5
authentication pre-share
crypto isakmp key borek address 192.168.200.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set waw_tr_set esp-des esp-md5-hmac
!
crypto map waw_cr_map 110 ipsec-isakmp
set peer 192.168.200.1
set transform-set waw_tr_set
set pfs group1
match address 110
!
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 192.168.200.2 255.255.255.0
duplex full
speed 1000
media-type rj45
no keepalive
crypto map waw_cr_map
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
no keepalive
!
ip route 10.1.0.0 255.255.255.0 192.168.200.1
!
ip http server
ip http secure-server
!
access-list 110 permit icmp 172.16.1.0 0.0.0.255 10.1.0.0 0.0.0.255

end

Znalazłem taką podpowiedź na cisco.com: (ale i tak nie wiem co zrobić, żeby zadziałało).

The received packet matched the encryption (crypto) map ACL, but the packet is not IPSec-encapsulated. The IPSec peer is sending unencapsulated packets. There may simply be a policy setup error on the peer. This activity could be considered a hostile event.

Jakby ktoś znalazł czas na analizę i odpowiedź - z góry mu dziękuję.
Pozdrawiam forumowiczów

sebu · #2

zobacz na Peer 1:

access-list 110 permit icmp 10.1.0.0 0.0.0.255 172.16.200.0 0.0.0.255

chyba powinna byc siec 172.16.1.0

puczek · #3

ACLs musza byc symetryczne.

borekbp · #4

Niby człowiek czyta 100 razy, że ACL'ki powinny być "lustrzane" a paluch się i tak "opsnie" i wpisze te "200".

Dzięki za pomoc i spostrzegawczość.

Waw#show crypto isakmp sa
dst src state conn-id slot status
192.168.200.2 192.168.200.1 QM_IDLE 1 0 ACTIVE

Waw#show crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: waw_cr_map, local addr 192.168.200.2

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/1/0)
current_peer 192.168.200.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 101, #pkts encrypt: 101, #pkts digest: 101
#pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101