psyside
Joined: 31 Jan 2020, 11:44 Posts: 4
Good afternoon, guys. I need help from people competent in DMVPN GRE. I'm building a lab out of 3 routers. Hub: c1841 (hw: c1841-advsecurityk9-mz.124-25f.bin, also tried c181x-advipservicesk9-mz.124-15.T6.bin). Spoke: C1811 (hw: c181x-advipservicesk9-mz.150-1.M7.bin, also tried c1841-advsecurityk9-mz.124-2.T1.bin). C1803 imitates the provider: it terminates the link networks and is also the gateway for both the hub and the spoke.
The goal is to connect the spoke to 2 different providers and thus have a backup. The diagram is attached. It is to be implemented with IP SLA. But before getting there I ran into the problem that TUNNEL 1 refuses to work at all: the tunnel addresses don't ping (unlike Tun0). Hence the problem: as soon as Fa1.6 goes down, the whole network goes down. Over Tun0 the VPN works fine and the hosts see each other. I have the option of loading images from the c181x-adventerprisek9-mz.151-3.T1.bin and c1841-advipservicesk9-mz.151-4.M1.bin series respectively. I haven't got as far as the differences between advsecurity, adventerprise and advipservices. Could the problem be there? I played with the parameters of the tunnels themselves, but they are all identical... One works, the other doesn't...
Configs
HUB#sh run
Building configuration...

Current configuration : 2166 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HUB
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
no ip domain lookup
!
controller E1 0/0/0
!
controller E1 0/0/1
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key tatsam address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TRANSFORM-DMVPN esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set TRANSFORM-DMVPN
!
interface Tunnel0
 ip address 192.168.50.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco1
 ip nhrp map multicast dynamic
 ip nhrp network-id 999
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf cost 200
 ip ospf hello-interval 30
 ip ospf priority 10
 ip ospf 1 area 0
 load-interval 30
 tunnel source FastEthernet0/0.3
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 ip address 192.168.51.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco2
 ip nhrp map multicast dynamic
 ip nhrp network-id 1000
 ip ospf network broadcast
 ip ospf cost 300
 ip ospf hello-interval 30
 ip ospf priority 10
 ip ospf 1 area 0
 load-interval 30
 tunnel source FastEthernet0/0.3
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.2.2 255.255.255.0
 ip ospf mtu-ignore
!
interface FastEthernet0/1
 description LAN
 ip address 10.0.0.1 255.255.255.0
 no ip proxy-arp
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.10.10.10
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.50.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip http server
no ip http secure-server
!
disable-eadi
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end
HUB#sh crypto isa sa
dst             src             state          conn-id slot status
192.168.2.2     192.168.20.2    QM_IDLE              3    0 ACTIVE
192.168.2.2     192.168.1.2     QM_IDLE             47    0 ACTIVE
192.168.2.2     192.168.1.2     MM_NO_STATE         46    0 ACTIVE (deleted)

Periodically the hub logs
*Mar 10 12:45:32.339: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.2.2, prot=50, spi=0xEBDBDD8B(3957054859), srcaddr=192.168.1.2
although pings between the hosts don't drop.
SPOKE#sh run
Building configuration...

Current configuration : 3860 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO1811/K9 sn FHK104410H6
archive
 log config
  hidekeys
vtp domain LAN
vtp mode transparent
!
vlan 2,6,10
!
track 1 ip sla 1 reachability
 delay down 10 up 5
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key tatsam address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set TRANSFORM-DMVPN esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set TRANSFORM-DMVPN
!
interface Tunnel0
 ip address 192.168.50.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco1
 ip nhrp map multicast 192.168.2.2
 ip nhrp map 192.168.50.1 192.168.2.2
 ip nhrp network-id 999
 ip nhrp nhs 192.168.50.1
 ip nhrp registration no-unique
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf cost 200
 ip ospf hello-interval 30
 ip ospf priority 0
 load-interval 30
 tunnel source FastEthernet1.6
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 ip address 192.168.51.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco2
 ip nhrp map multicast 192.168.2.2
 ip nhrp map 192.168.51.1 192.168.2.2
 ip nhrp network-id 1000
 ip nhrp nhs 192.168.51.1
 ip nhrp registration no-unique
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf cost 300
 ip ospf hello-interval 30
 ip ospf priority 0
 load-interval 30
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0
 bandwidth 2000
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1.6
 description ISP1_MEGAFON
 bandwidth 1000
 encapsulation dot1Q 6
 ip address 192.168.20.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 10.10.0.0 0.0.0.255 area 0
 network 192.168.50.0 0.0.0.255 area 0
 network 192.168.51.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map ISP1 interface FastEthernet1.6 overload
ip nat inside source route-map ISP2 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 192.168.20.1 100 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 200
!
ip access-list extended NAT
 deny   ip 10.10.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.10.0.0 0.0.0.255 any
 deny   ip any any
!
ip sla 1
 icmp-echo 192.168.2.2 source-interface FastEthernet1.6
 frequency 20
ip sla schedule 1 life forever start-time now
!
route-map ISP2 permit 10
 match ip address NAT
 match interface FastEthernet0
!
route-map ISP1 permit 10
 match ip address NAT
 match interface FastEthernet1.6
!
control-plane
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login
!
end
Simulating a link failure

SPOKE#debug tunnel
Tunnel Interface debugging is on
SPOKE#
*Mar 10 11:40:31.075: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
These are the ICMP logs from the hosts.
*Mar 10 11:40:31.495: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:32.071: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:32.507: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:33.071: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:33.519: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:34.067: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:34.527: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:35.067: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:35.539: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:36.067: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:36.551: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:37.063: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:37.571: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:38.063: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:42.819: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:45.155: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down
*Mar 10 11:40:46.155: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to down
*Mar 10 11:40:47.811: Tunnel0: adjacency fixup, 192.168.20.2->192.168.2.2(tableid 0), tos set to 0x0
*Mar 10 11:40:48.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Mar 10 11:40:48.271: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.10.10 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 10 11:40:48.271: FIBtunnel: Tu0: unstacking 192.168.50.1
*Mar 10 11:41:09.043: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down

Then silence..
From the hub side:

HUB#debug tunnel
Tunnel Interface debugging is on
HUB#
*Mar 10 13:01:18.527: Tunnel1: GRE/IP to classify 192.168.1.2->192.168.2.2 (len=134 type=0x2001 ttl=253 tos=0xC0)
*Mar 10 13:01:18.527: Tunnel1: GRE/IP to decaps 192.168.1.2->192.168.2.2 (len=134 ttl=253)
*Mar 10 13:01:18.527: Tunnel1: GRE decapsulated NHRP packet (linktype=74, len=106)
*Mar 10 13:01:18.527: Tunnel1 count tx, adding 28 encap bytes
*Mar 10 13:01:19.355: Tunnel1: GRE/IP to classify 192.168.1.2->192.168.2.2 (len=134 type=0x2001 ttl=253 tos=0xC0)
*Mar 10 13:01:19.355: Tunnel1: GRE/IP to decaps 192.168.1.2->192.168.2.2 (len=134 ttl=253)
*Mar 10 13:01:19.355: Tunnel1: GRE decapsulated NHRP packet (linktype=74, len=106)
*Mar 10 13:01:19.355: Tunnel1 count tx, adding 28 encap bytes
*Mar 10 13:01:21.323: Tunnel1: GRE/IP to classify 192.168.1.2->192.168.2.2 (len=134 type=0x2001 ttl=253 tos=0xC0)
*Mar 10 13:01:21.323: Tunnel1: GRE/IP to decaps 192.168.1.2->192.168.2.2 (len=134 ttl=253)
*Mar 10 13:01:21.323: Tunnel1: GRE decapsulated NHRP packet (linktype=74, len=106)
*Mar 10 13:01:21.323: Tunnel1 count tx, adding 28 encap bytes
*Mar 10 13:01:24.671: Tunnel1: GRE/IP to classify 192.168.1.2->192.168.2.2 (len=134 type=0x2001 ttl=253 tos=0xC0)
*Mar 10 13:01:24.671: Tunnel1: GRE/IP to decaps 192.168.1.2->192.168.2.2 (len=134 ttl=253)
*Mar 10 13:01:24.671: Tunnel1: GRE decapsulated NHRP packet (linktype=74, len=106)
*Mar 10 13:01:24.671: Tunnel1 count tx, adding 28 encap bytes
*Mar 10 13:01:30.779: Tunnel1: GRE/IP to classify 192.168.1.2->192.168.2.2 (len=134 type=0x2001 ttl=253 tos=0xC0)
*Mar 10 13:01:30.779: Tunnel1: GRE/IP to decaps 192.168.1.2->192.168.2.2 (len=134 ttl=253)
*Mar 10 13:01:30.779: Tunnel1: GRE decapsulated NHRP packet (linktype=74, len=106)
*Mar 10 13:01:30.779: Tunnel1 count tx, adding 28 encap bytes
*Mar 10 13:01:36.307: Tunnel1 count tx, adding 28 encap bytes
*Mar 10 13:01:44.547: Tunnel1: GRE/IP to classify 192.168.1.2->192.168.2.2 (len=134 type=0x2001 ttl=253 tos=0xC0)
*Mar 10 13:01:44.551: Tunnel1: GRE/IP to decaps 192.168.1.2->192.168.2.2 (len=134 ttl=253)
*Mar 10 13:01:44.551: Tunnel1: GRE decapsulated NHRP packet (linktype=74, len=106)
*Mar 10 13:01:44.551: Tunnel1 count tx, adding 28 encap bytes
*Mar 10 13:01:45.399: Tunnel1: GRE/IP to classify 192.168.1.2->192.168.2.2 (len=104 type=0x800 ttl=253 tos=0xC0)
*Mar 10 13:01:45.399: Tunnel1: GRE/IP to decaps 192.168.1.2->192.168.2.2 (len=104 ttl=253)
*Mar 10 13:01:45.399: Tunnel1: GRE decapsulated IP packet (linktype=7, len=76)
*Mar 10 13:01:45.399: Tunnel1 count tx, adding 28 encap bytes

During the debug I'm sending ICMP requests from both hosts so that there is a connection attempt.
If I remove the first route on the spoke (the one with track 1) and remove Tun0, the tunnel interface on the far side is still unreachable (I thought they might be interfering with each other). At the same time the interface IPs of the remote routers, 192.168.2.2 and 192.168.1.2, ping each other. I.e. the NHRP interfaces are reachable, but the tunnel doesn't come up...
Please help me find the cause.
Attachments:
vpn.jpg [ 44.16 KB | Views: 3616 ]
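Editor's note with an added example (not code from the post, from the poster, or from Cisco): one thing a reviewer notices in the HUB config above is that Tunnel0 and Tunnel1 both use `tunnel source FastEthernet0/0.3` with `tunnel protection ipsec profile DMVPN` and no `shared` keyword. IOS requires `shared` when more than one tunnel interface terminates IPsec on the same source address, together with distinct `tunnel key` values so GRE can be demultiplexed. The script below parses an IOS running-config and flags that pattern, and also flags the weak crypto the thread's configs use (3DES, MD5, DH group 2 and a wildcard pre-shared key for `address 0.0.0.0 0.0.0.0`). The embedded config is a trimmed, constructed copy of the posted HUB config; the function and variable names are the editor's own. Whether the missing `shared` keyword is the cause of the Tunnel1 problem is for the thread to establish; the lint only reports the configuration pattern.

```python
"""Lint a Cisco IOS running-config for DMVPN tunnel-protection and weak-crypto
pitfalls.  Editor's example, not code from the forum post or from Cisco."""
import re
from collections import defaultdict

# Constructed, trimmed copy of the HUB config posted in the thread.
SAMPLE_HUB_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key tatsam address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TRANSFORM-DMVPN esp-3des esp-md5-hmac
 mode transport
!
interface Tunnel0
 ip address 192.168.50.1 255.255.255.0
 tunnel source FastEthernet0/0.3
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 ip address 192.168.51.1 255.255.255.0
 tunnel source FastEthernet0/0.3
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile DMVPN
!
"""

def parse_sections(config):
    """Split an IOS config into (header, [child lines]) blocks.
    A non-indented line opens a block; indented lines belong to it;
    '!' or a blank line closes it."""
    sections, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            sections.append(current)
    return sections

def tunnel_interfaces(sections):
    """Collect tunnel source, tunnel key and the tunnel protection line per Tunnel interface."""
    tunnels = {}
    for header, body in sections:
        m = re.match(r"interface (Tunnel\d+)$", header)
        if not m:
            continue
        info = {"source": None, "key": None, "protection": None}
        for line in body:
            if line.startswith("tunnel source "):
                info["source"] = line.split(None, 2)[2]
            elif line.startswith("tunnel key "):
                info["key"] = line.split()[2]
            elif line.startswith("tunnel protection ipsec profile"):
                info["protection"] = line
        tunnels[m.group(1)] = info
    return tunnels

def check_shared_source(tunnels):
    """Tunnels that share one source and carry tunnel protection need 'shared'
    and distinct tunnel keys."""
    findings, by_source = [], defaultdict(list)
    for name, info in tunnels.items():
        if info["protection"] and info["source"]:
            by_source[info["source"]].append(name)
    for source, names in by_source.items():
        if len(names) < 2:
            continue
        unshared = [n for n in names if not tunnels[n]["protection"].endswith(" shared")]
        if unshared:
            findings.append(f"{', '.join(sorted(names))} share tunnel source {source} but "
                            f"{', '.join(sorted(unshared))} lack 'shared' on tunnel protection")
        keys = [tunnels[n]["key"] for n in names]
        if None in keys or len(set(keys)) != len(keys):
            findings.append(f"tunnels on {source} need distinct 'tunnel key' values")
    return findings

# Settings a security reviewer would reject in a new deployment.
WEAK = {
    "encr 3des": "3DES encryption in ISAKMP policy",
    "hash md5": "MD5 hash in ISAKMP policy",
    "group 2": "1024-bit DH group 2 in ISAKMP policy",
    "esp-3des": "3DES in IPsec transform-set",
    "esp-md5-hmac": "MD5 HMAC in IPsec transform-set",
}

def check_weak_crypto(sections):
    findings = []
    for header, body in sections:
        if header.startswith("crypto isakmp policy"):
            findings += [f"{header}: {WEAK[l]}" for l in body if l in WEAK]
        elif header.startswith("crypto ipsec transform-set"):
            tokens = header.split()
            findings += [f"{tokens[3]}: {msg}" for tok, msg in WEAK.items() if tok in tokens]
        elif header.startswith("crypto isakmp key") and header.endswith("address 0.0.0.0 0.0.0.0"):
            findings.append("wildcard pre-shared key: any peer address is accepted")
    return findings

def lint(config):
    sections = parse_sections(config)
    return check_shared_source(tunnel_interfaces(sections)) + check_weak_crypto(sections)

if __name__ == "__main__":
    for finding in lint(SAMPLE_HUB_CONFIG):
        print("WARN:", finding)
```

Run against the trimmed hub config it reports the shared-source finding once plus the weak-crypto items; run against the spoke config, whose two tunnels use different sources (FastEthernet1.6 and FastEthernet0), the shared-source check stays quiet.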