OpenForum RSS: �� IPSEC ��

�� IPSEC �� (ss2707)

Wed, 07 Jul 2010 12:00:44 GMT

�� . :)

��

ip route 10.0.2.0 255.255.255.0 192.168.2.1

ip nat inside source list 110 interface FastEthernet0/1 overload
access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 any

�� IPSEC �� (karen durinyan)

Wed, 07 Jul 2010 11:40:17 GMT

>[�� ]
>#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
>#pkts decaps: 368, #pkts decrypt: 368, #pkts verify: 368"
>
>strochek vidno chto u vas tol'ko decaps paket@, to est' pakiti vixodyat
>is ipsec tunelja, no tuda ne vxodjat.
>
>u menja 2 predlozhenie.
>1. kak skazal na vremja udalite access-group iz tun interfeisax.
>2. postavte /30 network na tun interfeisax (eto pomozhet uvidet tun ip
>v traceroute a ne peer ip, cto delajet legche trablesuting.)

esho zametil...
peremestite "crypto map MSK-TEST" iz tun6 k FastEthernet0/1

�� IPSEC �� (karen durinyan)

Wed, 07 Jul 2010 11:15:38 GMT

>[�� ]
>lifetime (k/sec): (4501043/203)
> IV size: 16 bytes
>
> replay detection support: Y
>
> Status: ACTIVE
>
> outbound ah sas:
>
> outbound pcp sas:

jasno. no iz
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 368, #pkts decrypt: 368, #pkts verify: 368"

strochek vidno chto u vas tol'ko decaps paket@, to est' pakiti vixodyat is ipsec tunelja, no tuda ne vxodjat.

u menja 2 predlozhenie.
1. kak skazal na vremja udalite access-group iz tun interfeisax.
2. postavte /30 network na tun interfeisax (eto pomozhet uvidet tun ip v traceroute a ne peer ip, cto delajet legche trablesuting.)

�� IPSEC �� (ss2707)

Wed, 07 Jul 2010 10:04:09 GMT

>>[�� ]
>3. 10.1.6.17 ne popodaet v MSK-TEST ACL

� ��. :( �� :

traceroute � �� 10.0.1.17
traceroute to 10.0.2.17 (10.0.2.17), 30 hops max, 40 byte packets using UDP
1 10.0.1.1 (10.0.1.1) 0.854 ms 0.862 ms 1.965 ms
2 192.168.2.1 (192.168.2.1) 2.402 ms 6.567 ms 9.843 ms
3 10.0.2.17 (10.0.2.17) 12.256 ms 8.601 ms 6.955 ms
traceroute � �� 10.0.2.17
traceroute to 10.0.1.17 (10.0.1.17), 30 hops max, 40 byte packets using UDP
1 10.0.1.1 (10.0.1.1) 0.854 ms 0.862 ms 1.965 ms
2 * * *
3 * * *

�� IPSEC �� (ss2707)

Wed, 07 Jul 2010 09:55:07 GMT

>>[�� ]
>1. iz vashego traceroute ja ne vizhu chto ipsec tunnel ustanovlen tak
>kak ja vizhu tam peer address chto v principe ne dolzhen
>bit tam.
>
>2. esli vse taki ja ne prav na schet 1. :) uberite
>"ip access-group INET in" iz tun6 interfeisa na vremja dlja testa.

interface: Tunnel6
Crypto map tag: MSK-TEST, local addr 192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
current_peer 192.168.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 368, #pkts decrypt: 368, #pkts verify: 368
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
path mtu 1476, ip m

�� IPSEC �� (karen durinyan)

Wed, 07 Jul 2010 09:36:18 GMT

>[�� ]
>
>1. iz vashego traceroute ja ne vizhu chto ipsec tunnel ustanovlen tak
>kak ja vizhu tam peer address chto v principe ne dolzhen
>bit tam.
>
>2. esli vse taki ja ne prav na schet 1. :) uberite
>"ip access-group INET in" iz tun6 interfeisa na vremja dlja testa.
>
>
>udachi

3. 10.1.6.17 ne popodaet v MSK-TEST ACL

�� IPSEC �� (karen durinyan)

Wed, 07 Jul 2010 09:28:30 GMT

>[�� ]
>ip access-list extended LAN_INTERFACE
> permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
> permit ip 10.0.1.0 0.0.0.255 host 192.168.2.1
>!
>ip access-list extended WAN_INTERFACE
> permit ip 192.168.2.1 host 192.168.1.1
> permit esp 192.168.2.1 host 192.168.1.1
> permit gre 192.168.2.1 host 192.168.1.1
>!
>ip route 10.0.2.0 255.255.255.0 Tunnel6

privet.

1. iz vashego traceroute ja ne vizhu chto ipsec tunnel ustanovlen tak kak ja vizhu tam peer address chto v principe ne dolzhen bit tam.

2. esli vse taki ja ne prav na schet 1. :) uberite "ip access-group INET in" iz tun6 interfeisa na vremja dlja testa.

udachi

OpenForum RSS: �������� �������� IPSEC ������

�������� �������� IPSEC ������ (ss2707)

�������� �������� IPSEC ������ (karen durinyan)

�������� �������� IPSEC ������ (karen durinyan)

�������� �������� IPSEC ������ (ss2707)

�������� �������� IPSEC ������ (ss2707)

�������� �������� IPSEC ������ (karen durinyan)

�������� �������� IPSEC ������ (karen durinyan)

OpenForum RSS: �� IPSEC ��

�� IPSEC �� (ss2707)

�� IPSEC �� (karen durinyan)

�� IPSEC �� (karen durinyan)

�� IPSEC �� (ss2707)

�� IPSEC �� (ss2707)

�� IPSEC �� (karen durinyan)

�� IPSEC �� (karen durinyan)