Cisco - Cisco - ipsec vpn - ISA

Author: Aleksey Potapov
Date: 12-10-2009
Good afternoon.
I have been given a task: set up an IPsec VPN tunnel between two offices.
The main office has ISA Server 2006 on Windows Server 2003 R2.
The branch office has a Cisco 871.

Config from the Cisco

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname emwhgt01
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable password service
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone Moscow 3
clock summer-time Moscow date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1042110583
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1042110583
revocation-check none
rsakeypair TP-self-signed-1042110583
!
!
crypto pki certificate chain TP-self-signed-1042110583
certificate self-signed 01 nvram:IOS-Self-Sig#11.cer
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 171.10.2.1 171.10.2.10
ip dhcp excluded-address 171.10.2.231 171.10.2.254
!
ip dhcp pool branch
import all
network 171.10.2.0 255.255.255.0
domain-name emviko.ru
dns-server 171.10.2.251 171.10.1.251
default-router 171.10.2.254
lease 8
!
!
ip cef
ip domain name emviko.ru
ip name-server 192.168.104.98
ip name-server 171.10.2.251
ip name-server 171.10.1.251
ntp server 82.98.86.179 prefer source Vlan1
!
!
!
!
username root privilege 15 password 0 service
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 12345 address office ip
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-MD5-SHA esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tooffice
set peer office ip
set security-association lifetime kilobytes 10000
set security-association idle-time 3600
set transform-set ESP-MD5-SHA
match address 102
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address branch ip 255.255.255.0
ip virtual-reassembly
speed auto
half-duplex
crypto map SDM_CMAP_1
!
interface Vlan1
ip address 192.168.104.254 255.255.255.0
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 branch gate
ip route 171.10.1.0 255.255.255.0 vlan1
ip http server
ip http secure-server
!
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.104.0 0.0.0.255 171.10.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.104.0 0.0.0.255 171.10.1.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.104.0 0.0.0.255 171.10.1.0 0.0.0.255
access-list 110 remark SDM_ACL Category=18
access-list 110 remark IPSec Rule
access-list 110 deny ip 192.168.104.0 0.0.0.255 171.10.1.0 0.0.0.255
access-list 110 deny ip 192.168.104.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password sservice
transport input telnet ssh
!
scheduler max-task-time 5000
end


sh ver from the Cisco

emwhgt01#sh ver
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Sat 20-Jun-09 02:20 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

emwhgt01 uptime is 2 days, 19 hours, 9 minutes
System returned to ROM by reload at 16:32:13 Moscow Fri Oct 9 2009
System image file is "flash:c870-advsecurityk9-mz.124-24.t1.bin"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 871 (MPC8272) processor (revision 0x300) with 118784K/12288K bytes of memory.
Processor board ID FCZ122910CA
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
5 FastEthernet interfaces
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102


Settings from ISA Server

Local Tunnel Endpoint: Office IP
Remote Tunnel Endpoint: Branch IP

To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.

IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: MD5
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (12345)
Security Association Lifetime: 28800 seconds


IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: MD5
Perfect Forward Secrecy: OFF
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Security Association Lifetime: 3600 seconds

Kbyte Rekeying: ON
Rekey After Sending: 100000 Kbytes

Remote Network 'EMWH' IP Subnets:
Subnet: 192.168.104.0/255.255.255.0

Local Network 'Internal' IP Subnets:
Subnet: 171.10.1.0/255.255.255.0

Logs from the Cisco
*Oct 12 08:50:44.147: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (N) NEW SA
*Oct 12 08:50:44.147: ISAKMP: Created a peer struct for office ip, peer port 500
*Oct 12 08:50:44.147: ISAKMP: New peer created peer = 0x8440DA30 peer_handle = 0x80000008
*Oct 12 08:50:44.147: ISAKMP: Locking peer struct 0x8440DA30, refcount 1 for crypto_isakmp_process_block
*Oct 12 08:50:44.147: ISAKMP: local port 500, remote port 500
*Oct 12 08:50:44.147: ISAKMP:(0):insert sa successfully sa = 84630040
*Oct 12 08:50:44.147: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 12 08:50:44.147: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Oct 12 08:50:44.147: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 12 08:50:44.147: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.147: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 12 08:50:44.147: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 12 08:50:44.147: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.147: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 12 08:50:44.147: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.147: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 12 08:50:44.151: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 12 08:50:44.151: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.151: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 12 08:50:44.151: ISAKMP:(0):found peer pre-shared key matching office ip
*Oct 12 08:50:44.151: ISAKMP:(0): local preshared key found
*Oct 12 08:50:44.151: ISAKMP : Scanning profiles for xauth ...
*Oct 12 08:50:44.151: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 12 08:50:44.151: ISAKMP: encryption 3DES-CBC
*Oct 12 08:50:44.151: ISAKMP: hash MD5
*Oct 12 08:50:44.151: ISAKMP: default group 2
*Oct 12 08:50:44.151: ISAKMP: auth pre-share
*Oct 12 08:50:44.151: ISAKMP: life type in seconds
*Oct 12 08:50:44.151: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 12 08:50:44.151: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 12 08:50:44.151: ISAKMP:(0):Acceptable atts:actual life: 0
*Oct 12 08:50:44.151: ISAKMP:(0):Acceptable atts:life: 0
*Oct 12 08:50:44.151: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 12 08:50:44.151: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Oct 12 08:50:44.151: ISAKMP:(0):Returning Actual lifetime: 28800
*Oct 12 08:50:44.151: ISAKMP:(0)::Started lifetime timer: 28800.

*Oct 12 08:50:44.151: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.151: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 12 08:50:44.151: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 12 08:50:44.151: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.151: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 12 08:50:44.151: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.151: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 12 08:50:44.151: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 12 08:50:44.155: ISAKMP:(0): processing vendor id payload
*Oct 12 08:50:44.155: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 12 08:50:44.155: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 12 08:50:44.155: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Oct 12 08:50:44.155: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 12 08:50:44.155: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:50:44.155: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 12 08:50:44.155: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 12 08:50:44.155: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Oct 12 08:50:45.239: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 12 08:50:45.239: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:50:45.239: ISAKMP:(0): retransmitting due to retransmit phase 1
*Oct 12 08:50:45.739: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Oct 12 08:50:45.739: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 12 08:50:45.739: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Oct 12 08:50:45.739: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:50:45.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 12 08:50:47.227: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 12 08:50:47.227: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:50:47.227: ISAKMP:(0): retransmitting due to retransmit phase 1
*Oct 12 08:50:47.727: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Oct 12 08:50:47.727: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct 12 08:50:47.727: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Oct 12 08:50:47.727: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:50:47.727: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 12 08:50:51.227: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 12 08:50:51.227: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:50:51.227: ISAKMP:(0): retransmitting due to retransmit phase 1
*Oct 12 08:50:51.727: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Oct 12 08:50:51.727: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Oct 12 08:50:51.727: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Oct 12 08:50:51.727: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:50:51.727: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 12 08:50:59.231: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 12 08:50:59.231: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:50:59.231: ISAKMP:(0): retransmitting due to retransmit phase 1
*Oct 12 08:50:59.731: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Oct 12 08:50:59.731: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 12 08:50:59.731: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Oct 12 08:50:59.731: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:50:59.731: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 12 08:51:09.731: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Oct 12 08:51:09.731: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Oct 12 08:51:09.731: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Oct 12 08:51:09.731: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:51:09.731: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 12 08:51:15.235: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 12 08:51:15.235: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:51:15.235: ISAKMP:(0): retransmitting due to retransmit phase 1
*Oct 12 08:51:15.735: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Oct 12 08:51:15.735: ISAKMP:(0):peer does not do paranoid keepalives.

*Oct 12 08:51:15.735: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer office ip)
*Oct 12 08:51:15.735: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer office ip)
*Oct 12 08:51:15.735: ISAKMP: Unlocking peer struct 0x8440DA30 for isadb_mark_sa_deleted(), count 0
*Oct 12 08:51:15.735: ISAKMP: Deleting peer node by peer_reap for office ip: 8440DA30
*Oct 12 08:51:15.735: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 12 08:51:15.735: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA

*Oct 12 08:51:15.735: IPSEC(key_engine): got a queue event with 1 KMI message(s)

-------
MVP | MCP Club lead, Moscow | http://potapale.wordpress.com


Posted: 12:39, 12-10-2009
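The debug output in the post above ends with "Death by retransmission P1", and the lines before it already say which step failed. As an added example (editor's code, not from the thread), here is a small parser that extracts the decisive facts from such `debug crypto isakmp` output and maps them to the failing step of IKEv1 main mode. The sample lines are a constructed excerpt of the log quoted above, with Cisco's `ISAKMP:(0)` prefix written out; the diagnosis strings are the editor's reading of the state machine, not text from the router.

```python
"""Added example (editor's, not from the thread): pull the facts that matter
out of `debug crypto isakmp` output and name the failing main-mode step."""
import re

# Constructed sample, abbreviated from the debug output quoted in the post.
SAMPLE_LOG = """\
*Oct 12 08:50:44.147: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (N) NEW SA
*Oct 12 08:50:44.147: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 12 08:50:44.151: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 12 08:50:44.155: ISAKMP:(0): sending packet to office ip my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 12 08:50:44.155: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Oct 12 08:50:45.239: ISAKMP (0): received packet from office ip dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 12 08:50:45.239: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:50:45.739: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 12 08:50:47.227: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Oct 12 08:50:47.727: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct 12 08:51:09.731: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Oct 12 08:51:15.735: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer office ip)
*Oct 12 08:51:15.735: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \((\w)\) (\S+)')


def parse_isakmp_log(text):
    """Collect state transitions, policy acceptance, duplicates and the delete reason."""
    facts = {
        "transitions": [],       # (old, new) state pairs in log order
        "atts_accepted": False,  # an ISAKMP policy matched the peer's proposal
        "duplicate_mm1": 0,      # how often the peer re-sent its first packet
        "retransmits": 0,        # how many times we re-sent our reply
        "max_retransmits": 0,
        "delete_reason": None,
        "role": None,            # (I)nitiator or (R)esponder when the SA died
        "delete_state": None,
    }
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            facts["transitions"].append((m.group(1), m.group(2)))
        if "atts are acceptable" in line:
            facts["atts_accepted"] = True
        if "duplicate of a previous packet" in line:
            facts["duplicate_mm1"] += 1
        m = RETRANS_RE.search(line)
        if m:
            facts["retransmits"] = int(m.group(1))
            facts["max_retransmits"] = int(m.group(2))
        m = DELETE_RE.search(line)
        if m:
            facts["delete_reason"], facts["role"], facts["delete_state"] = m.groups()
    return facts


def diagnose(facts):
    """Map the parsed facts to the step of IKEv1 main mode that did not complete."""
    reached = {new for _, new in facts["transitions"]}
    if facts["delete_reason"] != "Death by retransmission P1":
        return "no phase-1 retransmission failure found"
    if not facts["atts_accepted"]:
        return "peer's first packet arrived but no ISAKMP policy matched it"
    if facts["role"] == "R" and "IKE_R_MM2" in reached and facts["duplicate_mm1"] > 0:
        # We accepted the proposal and sent MM2, yet the peer kept re-sending MM1:
        # it never saw our reply, so the problem is the return path, not the policy.
        return ("responder accepted the proposal and sent MM2, but the peer kept "
                "re-sending MM1: our reply never reached it (return path or UDP 500 "
                "filtering), not a policy mismatch")
    return "phase 1 timed out in state %s" % facts["delete_state"]


if __name__ == "__main__":
    parsed = parse_isakmp_log(SAMPLE_LOG)
    print("states:", " -> ".join(new for _, new in parsed["transitions"]))
    print("diagnosis:", diagnose(parsed))
```

Run it against a full `debug crypto isakmp` capture (after `terminal monitor` or from the syslog buffer) and the transition list shows how far main mode got; the one pattern that matters here is a responder stuck in IKE_R_MM2 receiving duplicates of MM1.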

 

Author: Aleksey Potapov


Forgot to add: when I turn off routing (no ip routing), the tunnel build gets as far as the second phase.
But the second phase doesn't go through; it reports a mismatch.



Posted: 14:40, 12-10-2009 | #2





Author: kim-aa


Quote Aleksey Potapov:
office ip »
What do you use in the settings for identification?

office ip = DNS name
or
office ip = IP
?

-------
We are mastering a higher style of argument. Argument without facts. Argument on temperament. Argument that moves from an unsupported assertion to the partner's personality. (c) Zhvanetsky


Posted: 20:18, 12-10-2009 | #3


Author: Aleksey Potapov


Office ip = ip



Posted: 23:11, 12-10-2009 | #4


Author: kim-aa


1)
Please post the output of:

Cisco:
sh int

Win:
ipconfig /all


2) For the ISA
ROUTE PRINT

3)
Quote Aleksey Potapov:
interface Vlan1
ip address 192.168.104.254 255.255.255.0

ip route 171.10.1.0 255.255.255.0 vlan1 »
This routing line is not clear to me.

Judging by the description of Vlan1, it is the internal logical interface.
Why are you steering traffic onto it (by all appearances this is traffic to the main office's internal network)?

After all, your crypto map is attached to the external interface,

Quote Aleksey Potapov:
interface FastEthernet4
ip address branch ip 255.255.255.0
ip virtual-reassembly
speed auto
half-duplex
crypto map SDM_CMAP_1 »
and according to those rules the traffic is unlikely to reach the external interface at all.



Posted: 09:51, 13-10-2009 | #5
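To make the point about the static route concrete: a crypto map only encrypts traffic that leaves through the interface it is applied to, so the forwarding decision comes first. The following is an added example (editor's code, not from the thread) that models the Cisco 871's lookup with the routes and crypto ACL from the posted config: longest-prefix match, then a check of whether the egress interface carries `crypto map SDM_CMAP_1` and whether `access-list 102` matches. The poster redacted the public addresses, so "branch ip" and "branch gate" are replaced by placeholders from the 203.0.113.0/24 documentation range; those placeholders, and the simplification that a next hop is always on a directly connected network, are assumptions.

```python
"""Added example (editor's, not from the thread): which interface does a packet
from the branch LAN to the main-office LAN leave through, and is it encrypted?"""
import ipaddress

# Interfaces from the posted config. "branch ip" was redacted in the post;
# 203.0.113.2/24 is a placeholder (assumption).
IFACES = {
    "FastEthernet4": ipaddress.ip_interface("203.0.113.2/24"),  # carries crypto map SDM_CMAP_1
    "Vlan1": ipaddress.ip_interface("192.168.104.254/24"),      # branch LAN
}
BRANCH_GATE = ipaddress.ip_address("203.0.113.1")              # placeholder for "branch gate"

# Static routes as (prefix, next-hop address or None, egress interface or None).
ROUTES_AS_POSTED = [
    ("0.0.0.0/0", BRANCH_GATE, None),      # ip route 0.0.0.0 0.0.0.0 branch gate
    ("171.10.1.0/24", None, "Vlan1"),      # ip route 171.10.1.0 255.255.255.0 vlan1
]
ROUTES_WITHOUT_VLAN1_ROUTE = ROUTES_AS_POSTED[:1]

CRYPTO_MAP_INTERFACES = {"FastEthernet4"}
# access-list 102 permit ip 192.168.104.0 0.0.0.255 171.10.1.0 0.0.0.255
CRYPTO_ACL_102 = [("permit", "192.168.104.0/24", "171.10.1.0/24")]


def egress_interface(dst, routes):
    """Longest-prefix match over connected networks plus the static routes.

    A route that names a next hop is resolved to the connected interface owning
    that next hop (one level only, which is all this config needs).
    """
    dst = ipaddress.ip_address(dst)
    table = [(ifa.network, None, name) for name, ifa in IFACES.items()]
    table += [(ipaddress.ip_network(p), nh, iface) for p, nh, iface in routes]
    best = None
    for net, nh, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    if best is None:
        return None
    _, nh, iface = best
    if iface is not None:
        return iface
    for name, ifa in IFACES.items():
        if nh in ifa.network:
            return name
    return None


def acl_permits(src, dst, acl):
    """First-match evaluation of a crypto ACL with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def forwarding_decision(src, dst, routes):
    """Return (egress interface, what happens to the packet)."""
    egress = egress_interface(dst, routes)
    if egress is None:
        return None, "dropped: no route"
    if egress not in CRYPTO_MAP_INTERFACES:
        return egress, "forwarded unencrypted: no crypto map on this interface"
    if not acl_permits(src, dst, CRYPTO_ACL_102):
        return egress, "forwarded unencrypted: not matched by crypto ACL 102"
    return egress, "encrypted by crypto map SDM_CMAP_1"


if __name__ == "__main__":
    for label, routes in (("as posted", ROUTES_AS_POSTED),
                          ("without the Vlan1 route", ROUTES_WITHOUT_VLAN1_ROUTE)):
        print(label, "->", forwarding_decision("192.168.104.97", "171.10.1.251", routes))
```

With the posted routing table, a packet from the branch client 192.168.104.97 to the main-office DNS server 171.10.1.251 wins the /24 route and is pushed out Vlan1, never reaching FastEthernet4 and its crypto map; with only the default route it leaves through FastEthernet4, matches ACL 102 and is encrypted.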


Author: Aleksey Potapov


1)
emwhgt01#sh int
FastEthernet0 is up, line protocol is up
Hardware is Fast Ethernet, address is 0022.557e.fd4f (bia 0022.557e.fd4f)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input 3d17h, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
44194 packets input, 9732508 bytes, 0 no buffer
Received 24244 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
173201 packets output, 13605475 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
FastEthernet1 is up, line protocol is down
Hardware is Fast Ethernet, address is 0022.557e.fd50 (bia 0022.557e.fd50)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
FastEthernet2 is up, line protocol is down
Hardware is Fast Ethernet, address is 0022.557e.fd51 (bia 0022.557e.fd51)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
FastEthernet3 is up, line protocol is down
Hardware is Fast Ethernet, address is 0022.557e.fd52 (bia 0022.557e.fd52)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
FastEthernet4 is up, line protocol is up
Hardware is PQUICC_FEC, address is 0022.557e.fd59 (bia 0022.557e.fd59)
Internet address is branch external ip/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:03, output 00:00:35, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
20449 packets input, 1725347 bytes
Received 15227 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
7759 packets output, 2154843 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
2018 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
NVI0 is up, line protocol is up
Hardware is NVI
Interface is unnumbered. Using address of FastEthernet4 (branch external ip)
MTU 1514 bytes, BW 56 Kbit/sec, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation UNKNOWN, loopback not set
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 0022.557e.fd4f (bia 0022.557e.fd4f)
Internet address is 192.168.104.254/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
44170 packets input, 9558788 bytes, 0 no buffer
Received 24286 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
7124 packets output, 1227226 bytes, 0 underruns
0 output errors, 1 interface resets
835 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out


ipconfig /all from a client in the branch
C:\Users\Administrator>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : EMWHHV01
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter EMWH(NIC2):

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection with I/O Acceleration #2
Physical Address. . . . . . . . . : 00-15-17-11-79-C9
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter EMWH(NIC1):

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection with I/O Acceleration
Physical Address. . . . . . . . . : 00-15-17-11-79-C8
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.104.97(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.104.254
DNS Servers . . . . . . . . . . . : 192.168.104.98
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{36B5AB38-88A2-4A48-BFC5-3339FE9B
F16}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{975EF10D-826A-430B-A59C-55D44578
C73}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:d5c7:a2d6:2874:3bbf:3f57:979e(Preferred)
Link-local IPv6 Address . . . . . : fe80::2874:3bbf:3f57:979e%15(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

2)
Y:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 30 48 d4 d5 3b ...... Intel(R) PRO/1000 PL Network Connection - TM
Miniport
0x3 ...00 30 48 d4 d5 3a ...... Intel(R) PRO/1000 PM Network Connection - TM
Miniport
0x10004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 office ip office ip 10
81.211.xx.xx 255.255.xx.xx office ip office ip 10
office ip 255.255.255.255 127.0.0.1 127.0.0.1 10
81.255.255.255 255.255.255.255 office ip office ip 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
128.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 50
128.0.0.3 255.255.255.255 128.0.0.1 128.0.0.1 1
171.10.1.0 255.255.255.0 171.10.1.254 171.10.1.254 20
171.10.1.254 255.255.255.255 127.0.0.1 127.0.0.1 20
171.10.255.255 255.255.255.255 171.10.1.254 171.10.1.254 20
224.0.0.0 240.0.0.0 office ip office ip 10
224.0.0.0 240.0.0.0 171.10.1.254 171.10.1.254 20
255.255.255.255 255.255.255.255 office ip office ip 1
255.255.255.255 255.255.255.255 171.10.1.254 171.10.1.254 1
Default Gateway: ISP gateway
===========================================================================
Persistent Routes:
None


3)
The goal is to send all traffic into the tunnel.
I don't deny that I made a mistake. Point me in the right direction.



Posted: 10:13, 13-10-2009 | #6


Author: kim-aa


1) Please post from the Cisco

show ip interface brief

2) Since you hide the external addresses in the output, answer this question:
are you certain that the external interfaces on the Cisco and on the ISA have real IPs
and that the IPsec packets are not subjected to NAT further along the path?

It's just that your Cisco policy contains this line:
Quote Aleksey Potapov:
crypto ipsec transform-set ESP-MD5-SHA esp-3des esp-md5-hmac

!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tooffice
set peer office ip
set security-association lifetime kilobytes 10000
set security-association idle-time 3600
set transform-set ESP-MD5-SHA
match address 102 »

The combination
esp-md5-hmac
means both encryption of the payload (the transported content) in ESP and, on top of that, signing of the headers.

Naturally, with NAT that check will not pass.

2) I am not an ISA specialist.

As for the Cisco, I will go through the settings a bit later (busy right now), so that you understand the essence of the process and the operators involved in Cisco IOS.



Posted: 14:27, 13-10-2009 | #7


Author: Aleksey Potapov


2. Yes, those are real external IP addresses. That is, there is no NAT between the hosts.



Posted: 14:29, 13-10-2009 | #8


Author: kim-aa


3) Syntax of the crypto ipsec transform-set command
http://www.cisco.com/en/US/docs/ios/...html#wp1057372

At the setup stage, encryption is often disabled altogether.
That would look like this:

crypto ipsec transform-set ESP-NULL esp-null

crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tooffice
set peer office ip
set security-association lifetime kilobytes 10000
set security-association idle-time 3600
set transform-set ESP-NULL
match address 102

2) Try leaving just 3DES

crypto ipsec transform-set ESP-3DES esp-3des

crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tooffice
set peer office ip
set security-association lifetime kilobytes 10000
set security-association idle-time 3600
set transform-set ESP-3DES
match address 102



Posted: 14:37, 13-10-2009 | #9
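Posts #7 and #9 both turn on which ESP transform the two ends will agree on, and the first post already lists what the ISA side offers for phase 2 (3DES, MD5, ESP tunnel mode, PFS off, 3600 s, 100000 KB). As an added example (editor's code, not from the thread), the following compares a phase-2 proposal built from an IOS transform-set with those ISA parameters the way a quick-mode responder does: encryption, integrity, mode and PFS must be identical, while lifetimes are taken down to the smaller value. The transform-set from the posted crypto map and the two alternatives suggested in post #9 are tried in turn. The 3600 s seconds lifetime on the Cisco side is the IOS default (the map only sets kilobytes); modelling lifetime negotiation as min() is a simplification and an assumption, especially for how ISA treats the kilobyte mismatch.

```python
"""Added example (editor's, not from the thread): compare an IOS transform-set
with the ISA "IKE Phase II Parameters" quoted in the first post."""

ENCRYPTION = {"esp-null": "NULL", "esp-des": "DES", "esp-3des": "3DES"}
INTEGRITY = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA1"}


def cisco_transform_set(*transforms):
    """Translate the keywords of `crypto ipsec transform-set NAME ...` into a proposal.

    IOS accepts at most one ESP cipher and one ESP authentication transform in a set;
    tunnel mode is the IOS default when no `mode` is configured.
    """
    proposal = {"encryption": None, "integrity": None, "mode": "tunnel"}
    for t in transforms:
        if t in ENCRYPTION:
            proposal["encryption"] = ENCRYPTION[t]
        elif t in INTEGRITY:
            proposal["integrity"] = INTEGRITY[t]
        else:
            raise ValueError("unsupported transform keyword: %s" % t)
    return proposal


# Branch side, from `crypto map SDM_CMAP_1 1 ipsec-isakmp` in the posted config.
CISCO_MAP = {
    "proposal": cisco_transform_set("esp-3des", "esp-md5-hmac"),  # transform-set ESP-MD5-SHA
    "pfs_group": None,          # the map has no `set pfs`
    "lifetime_seconds": 3600,   # IOS default; the map only sets kilobytes
    "lifetime_kbytes": 10000,   # set security-association lifetime kilobytes 10000
}

# Main-office side, from the ISA "IKE Phase II Parameters" quoted in the first post.
ISA_SITE = {
    "proposal": {"encryption": "3DES", "integrity": "MD5", "mode": "tunnel"},
    "pfs_group": None,          # Perfect Forward Secrecy: OFF, so the listed DH group is unused
    "lifetime_seconds": 3600,
    "lifetime_kbytes": 100000,
}


def negotiate_phase2(initiator, responder):
    """Mimic a quick-mode responder checking a single proposal.

    Returns (True, agreed_lifetimes) or (False, list_of_mismatches).
    Algorithms, mode and PFS must match exactly; lifetimes are modelled as being
    negotiated down to the smaller value (an assumption, see the lead-in).
    """
    mismatches = []
    for attr in ("encryption", "integrity", "mode"):
        mine, theirs = initiator["proposal"][attr], responder["proposal"][attr]
        if mine != theirs:
            mismatches.append("%s: %s vs %s" % (attr, mine, theirs))
    if initiator["pfs_group"] != responder["pfs_group"]:
        mismatches.append("pfs: %s vs %s" % (initiator["pfs_group"], responder["pfs_group"]))
    if mismatches:
        return False, mismatches
    agreed = {
        "lifetime_seconds": min(initiator["lifetime_seconds"], responder["lifetime_seconds"]),
        "lifetime_kbytes": min(initiator["lifetime_kbytes"], responder["lifetime_kbytes"]),
    }
    return True, agreed


def with_transform_set(side, *transforms):
    """Copy of `side` with its proposal swapped, to try the alternatives from post #9."""
    return dict(side, proposal=cisco_transform_set(*transforms))


if __name__ == "__main__":
    for label, branch in (
        ("as posted: esp-3des esp-md5-hmac", CISCO_MAP),
        ("post #9, ESP-NULL: esp-null", with_transform_set(CISCO_MAP, "esp-null")),
        ("post #9, ESP-3DES: esp-3des", with_transform_set(CISCO_MAP, "esp-3des")),
    ):
        print(label, "->", negotiate_phase2(ISA_SITE, branch))
```

Run as-is it shows that the transform-set already in the posted config is the one the ISA parameters accept, while `esp-null` fails on the cipher and an `esp-3des`-only set fails because the ISA side insists on MD5 integrity; a phase-2 "mismatch" with these settings therefore has to come from something other than the transform keywords.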


Author: Aleksey Potapov


kim-aa, the thing is, on the ISA server encryption cannot be disabled.



Posted: 14:43, 13-10-2009 | #10


