Здравствуйте.

Пытаюсь настроить VPN между двумя 3845.
Не могу понять где ошибка. В конфиге наворочено уже много чего, потому выкладываю полностью.
Пинг не идет в тунель, а уходит в шлюз.

Прошу помочь найти ошибку, заранее большое спасибо.

ПЕРВАЯ

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C3845
!
boot-start-marker
boot system flash c3845-adventerprisek9-mz.151-4.M12a.bin
boot-end-marker
!
enable secret 5 ххх
!
no aaa new-model
!
clock timezone MSK 3 0
!
crypto pki token default removal timeout 0
!
dot11 syslog
ip source-route
!
ip cef
!
ip domain name C3845.ru
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script gsm "" "ATDT*99***1#" TIMEOUT 60 "CONNECT"
voice-card 0
!
license udi pid CISCO3845-MB sn FOC111209KZ
license accept end user agreement
username admin privilege 15 secret 5 ххх
!
redundancy
!
controller Cellular 0/1
!
ip ssh authentication-retries 5
ip ssh source-interface FastEthernet0/0/0
ip ssh version 2
!
track 1 ip sla 1 reachability
delay down 60 up 60
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address 2.2.2.2
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set TS
match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.128
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
crypto map CMAP
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface FastEthernet0/0/0
ip address 192.168.81.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
!
interface FastEthernet1/15
no ip address
!
interface Cellular0/1/0
ip address negotiated
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string gsm
dialer-group 1
async mode interactive
ppp chap hostname beeline
ppp chap password 0 beeline
ppp ipcp dns request
!
interface Cellular0/1/1
no ip address
encapsulation ppp
!
interface Vlan1
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local policy route-map echo_rm
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip alias 192.168.81.3 2001
ip nat inside source route-map isp1 interface GigabitEthernet0/0 overload
ip nat inside source route-map isp2 interface Cellular0/1/0 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.2 5 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0 254
ip route 192.168.10.0 255.255.255.0 192.168.81.1 3
ip route 192.168.60.0 255.255.255.0 GigabitEthernet0/0 5
ip route 192.168.61.0 255.255.255.0 GigabitEthernet0/0 4
!
ip access-list standard management
permit 192.168.81.100
permit 192.168.81.99
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.80.0 0.0.0.255 192.168.60.0 0.0.0.255
permit ip 192.168.81.0 0.0.0.255 192.168.61.0 0.0.0.255
ip access-list extended acl_nat_rules
permit ip 192.168.80.0 0.0.0.255 any
deny ip 192.168.80.0 0.0.0.255 192.168.60.0 0.0.0.255
deny ip 192.168.81.0 0.0.0.255 192.168.61.0 0.0.0.255
ip access-list extended echo_check
permit icmp any host 8.8.8.8 echo
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
ip sla schedule 1 life forever start-time now
access-list 1 permit any
dialer-list 1 protocol ip list 1
!
route-map echo_rm permit 10
match ip address echo_check
set ip next-hop 1.1.1.2
!
route-map isp2 permit 10
match ip address acl_nat_rules
match interface Cellular0/1/0
!
route-map isp1 permit 10
match ip address acl_nat_rules
match interface GigabitEthernet0/0
!
control-plane
!
mgcp profile default
!
line con 0
login local
line aux 0
login local
transport input telnet
line 0/1/0
exec-timeout 0 0
script dialer gsm
login local
modem InOut
no exec
transport input all
autoselect during-login
autoselect ppp
rxspeed 7200000
txspeed 5760000
line 0/1/1
no exec
rxspeed 7200000
txspeed 5760000
line vty 0 4
access-class management in
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 88.147.254.232 source Cellular0/1/0 version 2
event manager applet ISP_SWITCHED_20
event track 1 state any
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat trans forced"
event manager applet BEE
event timer cron cron-entry "0 0 * * *"
action 1 cli command "ping 8.8.8.8 source Cellular0/1/0"
action 2 syslog priority informational msg "BEE ping"
!
end


ВТОРАЯ

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C3845
!
boot-start-marker
boot system flash c3845-adventerprisek9-mz.151-4.M12a.bin
boot-end-marker
!
enable secret 5 ххх
!
no aaa new-model
!
clock timezone MSK 3 0
!
crypto pki token default removal timeout 0
!
dot11 syslog
ip source-route
!
ip cef
!
ip domain name C3845.ru
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script gsm "" "ATDT*99***1#" TIMEOUT 60 "CONNECT"
voice-card 0
!
license udi pid CISCO3845-MB sn FOC10216TVV
username admin privilege 15 secret 5 ххх
!
redundancy
!
controller Cellular 0/1
!
ip ssh authentication-retries 5
ip ssh source-interface FastEthernet0/0/0
ip ssh version 2
!
track 1 ip sla 1 reachability
delay down 60 up 60
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address 1.1.1.1
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set TS
match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
ip address 2.2.2.2 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
crypto map CMAP
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface FastEthernet0/0/0
ip address 192.168.61.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
!
interface FastEthernet1/15
no ip address
!
interface Cellular0/1/0
ip address negotiated
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string gsm
dialer-group 1
async mode interactive
ppp chap hostname beeline
ppp chap password 0 beeline
ppp ipcp dns request
!
interface Cellular0/1/1
no ip address
encapsulation ppp
!
interface Vlan1
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local policy route-map echo_rm
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip alias 192.168.61.3 2001
ip nat inside source route-map isp1 interface GigabitEthernet0/0 overload
ip nat inside source route-map isp2 interface Cellular0/1/0 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.3 5 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0 254
ip route 192.168.10.0 255.255.255.0 192.168.61.1 3
!
ip access-list standard management
permit 192.168.61.99
permit 192.168.61.100
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.60.0 0.0.0.255 192.168.80.0 0.0.0.255
permit ip 192.168.61.0 0.0.0.255 192.168.81.0 0.0.0.255
ip access-list extended acl_nat_rules
permit ip 192.168.60.0 0.0.0.255 any
deny ip 192.168.60.0 0.0.0.255 192.168.80.0 0.0.0.255
deny ip 192.168.61.0 0.0.0.255 192.168.81.0 0.0.0.255
ip access-list extended echo_check
permit icmp any host 8.8.8.8 echo
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
ip sla schedule 1 life forever start-time now
access-list 1 permit any
dialer-list 1 protocol ip list 1
!
route-map echo_rm permit 10
match ip address echo_check
set ip next-hop 2.2.2.3
!
route-map isp2 permit 10
match ip address acl_nat_rules
match interface Cellular0/1/0
!
route-map isp1 permit 10
match ip address acl_nat_rules
match interface GigabitEthernet0/0
!
control-plane
!
mgcp profile default
!
line con 0
login local
line aux 0
login local
transport input telnet
line 0/1/0
exec-timeout 0 0
script dialer gsm
login local
modem InOut
no exec
transport input all
autoselect during-login
autoselect ppp
rxspeed 7200000
txspeed 5760000
line 0/1/1
no exec
rxspeed 7200000
txspeed 5760000
line vty 0 4
access-class management in
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 88.147.254.232 source Cellular0/1/0 version 2
event manager applet ISP_SWITCHED_20
event track 1 state any
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat trans forced"
event manager applet BEE
event timer cron cron-entry "0 0 * * *"
action 1 cli command "ping 8.8.8.8 source Cellular0/1/0"
action 2 syslog priority informational msg "BEE ping"
!
end

Это не отработает.


ip access-list extended acl_nat_rules
permit ip 192.168.80.0 0.0.0.255 any
deny ip 192.168.80.0 0.0.0.255 192.168.60.0 0.0.0.255

Прошу пояснить почему не отработает или написать как должно быть правильно написано правило с тем же функционалом. Заранее спасибо.

как я это понимаю:
натится весь трафик с 192.168.80.0 куда угодно, кроме то что идет на 192.168.60.0

Правило с "куда угодно" стоит выше = отработает раньше. То есть до deny дело не дойдёт.

К сожалению, не помогло

Изменил:

На первой
ip route 0.0.0.0 0.0.0.0 1.1.1.2 200 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0 201
ip route 192.168.10.0 255.255.255.0 192.168.81.1 10
ip route 192.168.60.0 255.255.255.0 GigabitEthernet0/0 60
ip route 192.168.61.0 255.255.255.0 GigabitEthernet0/0 61
ip access-list extended acl_nat_rules
deny ip 192.168.80.0 0.0.0.255 192.168.60.0 0.0.0.255
deny ip 192.168.81.0 0.0.0.255 192.168.61.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 any

На второй
ip route 0.0.0.0 0.0.0.0 2.2.2.3 200 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0 201
ip route 192.168.10.0 255.255.255.0 192.168.61.1 10
ip route 192.168.80.0 255.255.255.0 GigabitEthernet0/0 80
ip route 192.168.81.0 255.255.255.0 GigabitEthernet0/0 81
ip access-list extended acl_nat_rules
deny ip 192.168.60.0 0.0.0.255 192.168.80.0 0.0.0.255
deny ip 192.168.61.0 0.0.0.255 192.168.81.0 0.0.0.255
permit ip 192.168.60.0 0.0.0.255 any




Результат (на обоих результат аналогичный):
C3845#traceroute 192.168.61.1
Type escape sequence to abort.
Tracing the route to 192.168.61.1
VRF info: (vrf in name/id, vrf out name/id)
1 1.1.2.1 0 msec 0 msec 0 msec
2 1.1.2.2 4 msec 0 msec 0 msec
3 * * * (уходит в шлюз и далее)

C3845#show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 2.2.2.2 port 500
IPSEC FLOW: permit ip 192.168.80.0/255.255.255.0 192.168.60.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.81.0/255.255.255.0 192.168.61.0/255.255.255.0
Active SAs: 0, origin: crypto map

C3845PL#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:22 192.168.81.хх:5479 SSH-Server ESTABLIS
udp *:123 *:0 NTP LISTEN
udp *:4500 *:0 ISAKMP LISTEN
udp *:500 *:0 ISAKMP LISTEN

Прошу помочь, заранее спасибо

Разобрался

Проблема была в том, что на втором устройстве не была принята лицензия

C3845(config)#license accept end user agreement