Cisco 861 ISAKMP problem

#1 Post by: Dantespl (newbie; posts: 1; registered 22 Nov 2014, 08:41)

Hello,
I have a problem establishing the tunnel(s). The first tunnel was the tunnel to pol; however, after adding the rule for "vec" it is not possible to establish the connection to "pol". The "vec" tunnel comes up.

Attribute: Value
Router Model: 861
Image Name: c860-universalk9-mz.150-1.M3.bin
IOS Version: 15.0(1)M3
Hostname: gate2

Code:

Building configuration...

Current configuration : 6606 bytes
!
! Last configuration change at 01:32:12 Warsaw Mon Mar 1 1993 by sadmin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gate2
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 $*******************
!
no aaa new-model
memory-size iomem 10
clock timezone Warsaw 1
!

ip source-route
!
!
!
!
no ip cef
ip domain name s*******
ip name-server 8.8.8.8
!
!
license udi pid CISCO861-K9 sn FCZ143993T6
!
!

!
!
ip ssh time-out 60
ip ssh authentication-retries 2
! 
!
crypto isakmp policy 4
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 1440
!
crypto isakmp policy 6
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key n******* address 212.*.**.**
crypto isakmp key c******* address 88.**.**.**
!
!
crypto ipsec transform-set vec esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set plus-aes256-sha esp-aes 256 esp-sha-hmac 
crypto ipsec df-bit clear
no crypto ipsec nat-transparency udp-encaps
!
crypto map internet 5 ipsec-isakmp 
 description tunnel do vec
 set peer 88.**.**.**
 set transform-set vec 
 match address 110
 reverse-route static
crypto map internet 6 ipsec-isakmp 
 description tunnel do polk
 set peer 212.**.**.**
 set transform-set plus-aes256-sha 
 match address polk
 reverse-route static
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 80.**.**.** 255.255.255.240
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map internet
!         
interface Vlan1
 ip address 10.1.4.1 255.255.255.0 secondary
 ip address 80.**.**.** 255.255.255.240
!
ip forward-protocol nd
ip http server
ip http access-class 99
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 80.**.**.1
ip route 80.**.**.1 255.255.255.255 FastEthernet4
ip route 80.**.**.2 255.255.255.255 FastEthernet4
ip route 80.**.**.3 255.255.255.255 FastEthernet4
ip route 80.**.**.4 255.255.255.255 FastEthernet4
ip route 80.**.**.8 255.255.255.255 FastEthernet4
ip route 80.**.**.9 255.255.255.255 FastEthernet4
!
ip access-list extended polk
 remark siec polk
 permit ip host 80.**.**.5 host 212.*.**.77
 permit ip host 80.**.**.6 host 212.*.**.77
 permit ip host 80.**.**.7 host 212.*.**.77
 permit ip host 80.**.**.5 host 212.*.**.193
 permit ip host 80.**.**.6 host 212.*.**.193
 permit ip host 80.**.**.7 host 212.*.**.193
 permit ip host 80.**.**.5 host 212.*.***.12
 permit ip host 80.**.**.6 host 212.*.***.12
 permit ip host 80.**.**.7 host 212.*.***.12
 permit ip host 80.**.**.5 host 212.*.***.206
 permit ip host 80.**.**.6 host 212.*.***.206
 permit ip host 80.**.**.7 host 212.*.***.206
 permit ip host 80.**.**.5 host 212.*.***.10
 permit ip host 80.**.**.6 host 212.*.***.10
 permit ip host 80.**.**.7 host 212.*.***.10
 permit ip host 80.**.**.5 host 212.*.***.22
 permit ip host 80.**.**.6 host 212.*.***.22
 permit ip host 80.**.**.7 host 212.*.***.22
!
access-list 1 permit 80.**.**.5
access-list 1 permit 80.**.**.7
access-list 1 permit 80.**.**.6
access-list 1 permit 80.**.**.8
access-list 20 permit 89.***.***.238
access-list 20 permit 80.***.**.0 0.0.0.31
access-list 110 permit ip 10.1.4.0 0.0.0.255 10.25.100.0 0.0.0.255
snmp-server community public RO
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 20 in
 login local
 transport input ssh
!
scheduler max-task-time 5000
end
The error that appears is:

Code:

Checking the tunnel status...	Down
    Encapsulation :0	
    Decapsulation :0	
    Send Error :0	
    Received Error :0	
Checking interface status...	Successful
    Interface :FastEthernet4	
    Interface physical status :Up	
    Line protocol status :Up	
Checking the configuration...	Successful
    Checking IPSec	
    Crypto map name : internet	
    Sequence number : 6	
    Crypto map type : Static	
    Peer : Configured	
    Transform set : Configured	
    Interesting traffic : Configured	
    IPSec configuration status : Valid	
    Checking IKE	
    IKE Policies : Configured	
    Policies with pre shared key authentication method : Configured	
    Global pre shared key with wild cards : Not configured	
    Pre-shared key for 212.2.102.235 Configured	
    IKE configuration status : Valid	
Checking Routing...	Successful
    Peer :212.2.102.235:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.5:Valid(Route exists in routing table)	
    Traffic destination :212.2.96.77:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.6:Valid(Route exists in routing table)	
    Traffic destination :212.2.96.77:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.7:Valid(Route exists in routing table)	
    Traffic destination :212.2.96.77:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.5:Valid(Route exists in routing table)	
    Traffic destination :212.2.98.193:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.6:Valid(Route exists in routing table)	
    Traffic destination :212.2.98.193:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.7:Valid(Route exists in routing table)	
    Traffic destination :212.2.98.193:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.5:Valid(Route exists in routing table)	
    Traffic destination :212.2.119.12:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.6:Valid(Route exists in routing table)	
    Traffic destination :212.2.119.12:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.7:Valid(Route exists in routing table)	
    Traffic destination :212.2.119.12:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.5:Valid(Route exists in routing table)	
    Traffic destination :212.2.103.206:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.6:Valid(Route exists in routing table)	
    Traffic destination :212.2.103.206:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.7:Valid(Route exists in routing table)	
    Traffic destination :212.2.103.206:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.5:Valid(Route exists in routing table)	
    Traffic destination :212.2.119.10:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.6:Valid(Route exists in routing table)	
    Traffic destination :212.2.119.10:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.7:Valid(Route exists in routing table)	
    Traffic destination :212.2.119.10:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.5:Valid(Route exists in routing table)	
    Traffic destination :212.2.123.22:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.6:Valid(Route exists in routing table)	
    Traffic destination :212.2.123.22:Valid(Routed through the crypto interface)	
    Traffic source :80.82.19.7:Valid(Route exists in routing table)	
    Traffic destination :212.2.123.22:Valid(Routed through the crypto interface)	
Checking peer connectivity...	Successful
    Peer :212.2.102.235:Successful	
Checking NAT...	Successful
Checking Firewall...	Successful
Debugging the VPN connection ...	Completed
Checking the tunnel status...	Down
    Encapsulation :0	
    Decapsulation :0	
    Send Error :0	
    Received Error :0
EDIT: For listings of configuration, show, debug, etc., we use the tags

Code:

 :!:
Seba
Last edited 01 Jan 1970, 01:00 by Dantespl; edited 3 times in total.

#2 Post by: przemek_z (wannabe; posts: 56; registered 13 Feb 2011, 11:57; location: Gdynia)

Hi,

Doesn't the encryption domain overlap with the address of the peer on the other side for polk?

Regards

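The check that reply #2 asks about, as an added example that is not part of the thread: Python code that reads the "crypto map" entries and their crypto ACLs from an IOS configuration and reports every peer address that falls inside a destination of its own "match address" ACL. The sample configuration is constructed with documentation addresses (not the poster's values), the function names are made up for this example, and only "permit ip" entries with contiguous wildcards are handled.

```python
import ipaddress

# Constructed sample (documentation addresses, not the poster's values).
SAMPLE = """\
crypto map internet 5 ipsec-isakmp
 set peer 198.51.100.10
 match address 110
crypto map internet 6 ipsec-isakmp
 set peer 203.0.113.235
 match address polk
ip access-list extended polk
 permit ip host 192.0.2.5 host 203.0.113.77
 permit ip host 192.0.2.6 203.0.113.224 0.0.0.31
access-list 110 permit ip 10.1.4.0 0.0.0.255 10.25.100.0 0.0.0.255
"""

def take(tok):  # consume one spec: 'host A' | 'any' | 'A WILDCARD' (contiguous only)
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    # Invert the wildcard bits to get the equivalent netmask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def peers_in_encryption_domain(config):
    """Return (map entry, peer, ACL destination) for each peer inside its own crypto ACL."""
    acls, maps, ctx = {}, {}, None
    for line in filter(str.strip, config.splitlines()):
        tok = line.split()
        if not line.startswith(" "):            # top-level command resets the context
            ctx = None
            if tok[:3] == ["ip", "access-list", "extended"]:
                ctx = ("acl", tok[3])
            elif tok[:2] == ["crypto", "map"] and len(tok) >= 4:
                ctx = ("map", f"{tok[2]} {tok[3]}")
                maps[ctx[1]] = {"peers": [], "acl": None}
            elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
                acls.setdefault(tok[1], []).append(take(take(tok[4:])[1])[0])
        elif ctx and ctx[0] == "acl" and tok[:2] == ["permit", "ip"]:
            acls.setdefault(ctx[1], []).append(take(take(tok[2:])[1])[0])
        elif ctx and ctx[0] == "map" and tok[:2] == ["set", "peer"]:
            maps[ctx[1]]["peers"].append(ipaddress.ip_address(tok[2]))
        elif ctx and ctx[0] == "map" and tok[:2] == ["match", "address"]:
            maps[ctx[1]]["acl"] = tok[2]
    return [(name, str(p), str(dst)) for name, m in maps.items()
            for p in m["peers"] for dst in acls.get(m["acl"], []) if p in dst]

if __name__ == "__main__":
    print(peers_in_encryption_domain(SAMPLE))
```

An empty result means no peer address lies inside the destinations of its own crypto ACL in the configuration that was parsed.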