форумы  помощь  поиск  регистрация  майллист  вход/выход  слежка

Вариант для распечатки		Пред. тема | След. тема
Форумы Маршрутизаторы CISCO и др. оборудование. (Public)
Изначальное сообщение		[ Отслеживать ]

"Тоннель между Cisco 3845 и Cisco 1841"

Сообщение от antacid (ok) on 03-Окт-08, 09:56

Всем здравствуйте. Есть два вышеозначенных роутера, соединённых напрямую патчкордом, на обоих поднят IPSEC и очень нужен GRE-тоннель, вывод комманды #show int tun0: Cisco 1841 Tunnel0 is up, line protocol is up   Hardware is Tunnel   Description: ToMainOffice   Internet address is 10.50.2.2/24   MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,      reliability 255/255, txload 1/255, rxload 1/255   Encapsulation TUNNEL, loopback not set   Keepalive set (10 sec), retries 3   Tunnel source 10.100.2.2, destination 10.100.2.1   Tunnel protocol/transport GRE/IP     Key disabled, sequencing disabled     Checksumming of packets disabled   Tunnel TTL 255   Fast tunneling disabled   Tunnel transmit bandwidth 8000 (kbps)   Tunnel receive bandwidth 8000 (kbps)   Last input 00:00:04, output 00:00:03, output hang never   Last clearing of "show interface" counters never   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 151   Queueing strategy: fifo   Output queue: 0/0 (size/max)   5 minute input rate 0 bits/sec, 0 packets/sec   5 minute output rate 0 bits/sec, 0 packets/sec      7394 packets input, 354912 bytes, 0 no buffer      Received 0 broadcasts, 0 runts, 0 giants, 0 throttles      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort      7422 packets output, 357016 bytes, 0 underruns      0 output errors, 0 collisions, 0 interface resets      0 output buffer failures, 0 output buffers swapped out Cisco 3845 Tunnel2 is up, line protocol is down   Hardware is Tunnel   Description: MorozPLP   Internet address is 10.50.2.1/24   MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,      reliability 255/255, txload 1/255, rxload 1/255   Encapsulation TUNNEL, loopback not set   Keepalive set (10 sec), retries 3   Tunnel source 10.100.2.1 (Vlan12), destination 10.100.2.2   Tunnel protocol/transport GRE/IP     Key disabled, sequencing disabled     Checksumming of packets disabled   Tunnel TTL 255   Fast tunneling enabled   Tunnel transmit bandwidth 8000 (kbps)   Tunnel receive bandwidth 8000 (kbps)   Last input 00:00:09, output 00:00:01, output hang never   Last clearing of "show interface" counters never   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 47   Queueing strategy: fifo   Output queue: 0/0 (size/max)   5 minute input rate 0 bits/sec, 0 packets/sec   5 minute output rate 0 bits/sec, 0 packets/sec      14927 packets input, 716496 bytes, 0 no buffer      Received 0 broadcasts, 0 runts, 0 giants, 0 throttles      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort      15172 packets output, 728256 bytes, 0 underruns      0 output errors, 0 collisions, 0 interface resets      0 output buffer failures, 0 output buffers swapped out Почему в случае с 3845 "line protocol is down"? Что такое "Fast tunneling enabled/disabled", и как этой опцией управлять?

Высказать мнение | Ответить | Правка | Cообщить модератору

Сообщения по теме

[Сортировка по времени | RSS]

1. "Тоннель между Cisco 3845 и Cisco 1841"

Сообщение от Pistonov (ok) on 03-Окт-08, 11:46

>[оверквотинг удален] >0 overrun, 0 ignored, 0 abort >     15172 packets output, 728256 bytes, 0 underruns > >     0 output errors, 0 collisions, 0 interface >resets >     0 output buffer failures, 0 output buffers >swapped out > >Почему в случае с 3845 "line protocol is down"? >Что такое "Fast tunneling enabled/disabled", и как этой опцией управлять? Проверяйте маршрутизацию.

Высказать мнение | Ответить | Правка | Наверх | Cообщить модератору

	2. "Тоннель между Cisco 3845 и Cisco 1841"
	Сообщение от antacid (ok) on 07-Окт-08, 11:52
	>[оверквотинг удален] >> >>     0 output errors, 0 collisions, 0 interface >>resets >>     0 output buffer failures, 0 output buffers >>swapped out >> >>Почему в случае с 3845 "line protocol is down"? >>Что такое "Fast tunneling enabled/disabled", и как этой опцией управлять? > >Проверяйте маршрутизацию. проверил, выяснилось, что не работает ipsec :) перенастроил, всё равно не работает ping router1 -> router2 router1#debug crypto isakmp *Oct  7 07:15:58.907: ISAKMP: received ke message (1/1) *Oct  7 07:15:58.907: ISAKMP:(0:0:N/A:0): SA request profile is (NULL) *Oct  7 07:15:58.907: ISAKMP: Created a peer struct for 10.100.2.1, peer port 500 *Oct  7 07:15:58.911: ISAKMP: New peer created peer = 0x637F639C peer_handle = 0x80000007 *Oct  7 07:15:58.911: ISAKMP: Locking peer struct 0x637F639C, IKE refcount 1 for isakmp_initiator *Oct  7 07:15:58.911: ISAKMP: local port 500, remote port 500 *Oct  7 07:15:58.911: ISAKMP: set new node 0 to QM_IDLE *Oct  7 07:15:58.911: insert sa successfully sa = 63D2DA18 *Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode. *Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.100.2.1 in default *Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0):No pre-shared key with 10.100.2.1! *Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID *Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID *Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID *Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM *Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1 *Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange *Oct  7 07:15:58.911: ISAKMP:(0:0:N/A:0): sending packet to 10.100.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE *Oct  7 07:15:58.915: ISAKMP (0:0): received packet from 10.100.2.1 dport 500 sport 500 Global (I) MM_NO_STATE *Oct  7 07:15:58.915: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected. *Oct  7 07:15:58.915: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1 *Oct  7 07:15:58.915: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Oct  7 07:15:58.915: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM1 *Oct  7 07:15:58.915: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.100.2.1 router2#debug crypto isakmp # *Oct  7 07:50:09.295: ISAKMP (0:0): received packet from 10.100.2.2 dport 500 sport 500 Global (N) NEW SA *Oct  7 07:50:09.295: ISAKMP: Created a peer struct for 10.100.2.2, peer port 500 *Oct  7 07:50:09.299: ISAKMP: New peer created peer = 0x631D274C peer_handle = 0x80000009 *Oct  7 07:50:09.299: ISAKMP: Locking peer struct 0x631D274C, IKE refcount 1 for crypto_isakmp_process_block *Oct  7 07:50:09.299: ISAKMP: local port 500, remote port 500 *Oct  7 07:50:09.299: insert sa successfully sa = 63829FD8 *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1 *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0 *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): processing vendor id payload *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch *Oct  7 07:50:09.299: ISAKMP (0:0): vendor ID is NAT-T v7 *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): processing vendor id payload *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3 *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): processing vendor id payload *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2 *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.100.2.2 in default *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): : success *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.100.2.2 *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0): local preshared key found *Oct  7 07:50:09.299: ISAKMP : Scanning profiles for xauth ... *Oct  7 07:50:09.299: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 110 policy *Oct  7 07:50:09.299: ISAKMP:      encryption DES-CBC *Oct  7 07:50:09.303: ISAKMP:      hash SHA *Oct  7 07:50:09.303: ISAKMP:      default group 1 *Oct  7 07:50:09.303: ISAKMP:      auth RSA sig *Oct  7 07:50:09.303: ISAKMP:      life type in seconds *Oct  7 07:50:09.303: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 *Oct  7 07:50:09.303: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy! *Oct  7 07:50:09.303: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0 *Oct  7 07:50:09.303: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy *Oct  7 07:50:09.303: ISAKMP:      encryption DES-CBC *Oct  7 07:50:09.303: ISAKMP:      hash SHA *Oct  7 07:50:09.303: ISAKMP:      default group 1 *Oct  7 07:50:09.303: ISAKMP:      auth RSA sig *Oct  7 07:50:09.303: ISAKMP:      life type in seconds *Oct  7 07:50:09.303: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 *Oct  7 07:50:09.303: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0 *Oct  7 07:50:09.335: ISAKMP:(0:1:SW:1): processing vendor id payload *Oct  7 07:50:09.335: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch *Oct  7 07:50:09.335: ISAKMP (0:134217729): vendor ID is NAT-T v7 *Oct  7 07:50:09.335: ISAKMP:(0:1:SW:1): processing vendor id payload *Oct  7 07:50:09.335: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch *Oct  7 07:50:09.335: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3 *Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1): processing vendor id payload *Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch *Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2 *Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM1 *Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID *Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1): sending packet to 10.100.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP *Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Oct  7 07:50:09.339: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2 *Oct  7 07:50:09.383: ISAKMP (0:134217729): received packet from 10.100.2.2 dport 500 sport 500 Global (R) MM_S                A_SETUP *Oct  7 07:50:09.383: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Oct  7 07:50:09.383: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2  New State = IKE_R_MM3 *Oct  7 07:50:09.383: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0 *Oct  7 07:50:09.423: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0 *Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1):SKEYID state generated *Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): processing vendor id payload *Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): vendor ID is Unity *Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): processing vendor id payload *Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): vendor ID is DPD *Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): processing vendor id payload *Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): speaking to another IOS box! *Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM3 *Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1): sending packet to 10.100.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH *Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Oct  7 07:50:09.427: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM4 *Oct  7 07:50:09.643: ISAKMP (0:134217729): received packet from 10.100.2.2 dport 500 sport 500 Global (R) MM_K                EY_EXCH *Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5 *Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0 *Oct  7 07:50:09.643: ISAKMP (0:134217729): ID payload         next-payload : 9         type         : 1         address      : 10.100.2.2         protocol     : 17         port         : 500         length       : 12 *Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles *Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1): processing SIG payload. message ID = 0 *Oct  7 07:50:09.643: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed. *Oct  7 07:50:09.643:  ISAKMP (0:134217729): process_rsa_sig: Querying key pair failed. *Oct  7 07:50:09.647: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Oct  7 07:50:09.647: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5 *Oct  7 07:50:09.647: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: reset_retransmiss                ion Что они от меня хотят? Спасибо.
	Высказать мнение | Ответить | Правка | Наверх | Cообщить модератору

	3. "Тоннель между Cisco 3845 и Cisco 1841"
	Сообщение от max2k1 (??) on 08-Окт-08, 13:49
	>*Oct  7 07:50:09.643: ISAKMP (0:134217729): ID payload >*Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles >*Oct  7 07:50:09.643: ISAKMP:(0:1:SW:1): processing SIG payload. message ID = 0 > >*Oct  7 07:50:09.643: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed. >*Oct  7 07:50:09.643:  ISAKMP (0:134217729): process_rsa_sig: Querying key pair failed. >Что они от меня хотят? >Спасибо. Либо крипто-карты не совпадают, либо ключи, либо и то и то.
	Высказать мнение | Ответить | Правка | Наверх | Cообщить модератору

	4. "Тоннель между Cisco 3845 и Cisco 1841"
	Сообщение от max2k1 (??) on 08-Окт-08, 13:58
	Пример конфига для организации GRE over IPSEC. Роутер A: crypto isakmp policy 10 encr 3des authentication pre-share group 2 ! crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.2 ! crypto ipsec transform-set some_set esp-3des esp-sha-hmac mode transport ! crypto ipsec profile some_profile set transform-set some_set ! interface Tunnel0 ip address 10.50.2.1 255.255.255.252 ip mtu 1400 tunnel source 10.100.2.1 tunnel destination 10.100.2.2 tunnel protection ipsec profile some_profile end Роутер B: crypto isakmp policy 10 encr 3des authentication pre-share group 2 ! crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.1 ! crypto ipsec transform-set some_set esp-3des esp-sha-hmac mode transport ! crypto ipsec profile some_profile set transform-set some_set ! interface Tunnel0 ip address 10.50.2.2 255.255.255.252 ip mtu 1400 tunnel source 10.100.2.2 tunnel destination 10.100.2.1 tunnel protection ipsec profile some_profile end
	Высказать мнение | Ответить | Правка | Наверх | Cообщить модератору

	5. "Тоннель между Cisco 3845 и Cisco 1841"
	Сообщение от Eduard_k (ok) on 08-Окт-08, 18:58
	>[оверквотинг удален] >crypto ipsec profile some_profile > set transform-set some_set >! >interface Tunnel0 > ip address 10.50.2.2 255.255.255.252 > ip mtu 1400 > tunnel source 10.100.2.2 > tunnel destination 10.100.2.1 > tunnel protection ipsec profile some_profile >end tunnel mode ipsec ipv4 на туннельных интерфейсах
	Высказать мнение | Ответить | Правка | Наверх | Cообщить модератору

	6. "Тоннель между Cisco 3845 и Cisco 1841"
	Сообщение от Eduard_k (ok) on 08-Окт-08, 19:06
	>[оверквотинг удален] >>! >>interface Tunnel0 >> ip address 10.50.2.2 255.255.255.252 >> ip mtu 1400 >> tunnel source 10.100.2.2 >> tunnel destination 10.100.2.1 >> tunnel protection ipsec profile some_profile >>end > >tunnel mode ipsec ipv4 на туннельных интерфейсах сорри на дебаг внимание не обратил. crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.1 no-xauth
	Высказать мнение | Ответить | Правка | Наверх | Cообщить модератору

	7. "Тоннель между Cisco 3845 и Cisco 1841"
	Сообщение от antacid (ok) on 08-Окт-08, 23:17
	>[оверквотинг удален] >>> ip mtu 1400 >>> tunnel source 10.100.2.2 >>> tunnel destination 10.100.2.1 >>> tunnel protection ipsec profile some_profile >>>end >> >>tunnel mode ipsec ipv4 на туннельных интерфейсах > >сорри на дебаг внимание не обратил. >crypto isakmp key SOMEVERYSECRETKEY address 10.100.2.1 no-xauth Господа, у всех прошу прощения, всё из-за невнимательности, ключ, на втором роутере, прописал на его же интерфейс. Всем огромное спасибо.
	Высказать мнение | Ответить | Правка | Наверх | Cообщить модератору

Архив | Удалить	Индекс форумов | Темы | Пред. тема | След. тема
Оцените тред (1=ужас, 5=супер)? [ 1 | 2 | 3 | 4 | 5 ] [Рекомендовать для помещения в FAQ]