Page 1 of 1
[ Posts: 20 ]
DMVPN - IPsec traffic not passing through the provider
GByte
Registered: 18 Nov 2009, 20:20 Posts: 260
Good day! I have a 2811 configured as the hub of a DMVPN cloud, connected to the provider. I also have an 851 configured as a spoke, connected to the same provider, but at a branch.
1. First the 851 sits in the central office; we test DMVPN - everything is fine, the tunnel is up, NHRP maps the addresses, IPsec comes up, routing works.
2. We move the 851 to branch No. 1 - same thing, DMVPN works.
3. We move the 851 to branch No. 2 (no settings changed at all) - IPsec does not pass traffic; if IPsec is turned off (no tunnel protection ipsec profile DMVPN on the DMVPN tunnel), it works.
Obviously the problem is on the provider's side. But the provider is hostile and there is no alternative, so it would be very useful to know exactly what to point them at... I don't yet understand what could affect IPsec this way... Maybe someone has some ideas? Below are some "debugs". The symptoms at branch No. 2 in more detail, with IPsec enabled:
Code:
HUB#sho run int tu 0
Building configuration...

Current configuration : 438 bytes
!
interface Tunnel0
 description DMVPN-over-L2_Domain
 ip address 192.168.254.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 1
 ip nhrp authentication dsfasdf
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 keepalive 3 3
 tunnel source FastEthernet0/0.200
 tunnel mode gre multipoint
 tunnel key 1
 tunnel path-mtu-discovery
 tunnel ttl 10
 tunnel protection ipsec profile DMVPN
end

Branch#sho run int tu 0
Building configuration...

Current configuration : 507 bytes
!
interface Tunnel0
 description DMVPN-over-L2_Domain
 ip address 192.168.254.3 255.255.255.0
 no ip redirects
 ip nhrp authentication dsfasdf
 ip nhrp map 192.168.254.1 172.18.1.9
 ip nhrp map multicast 172.18.1.9
 ip nhrp network-id 1
 ip nhrp nhs 192.168.254.1
 ip nhrp registration no-unique
 ip nhrp cache non-authoritative
 keepalive 3 3
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 1
 tunnel path-mtu-discovery
 tunnel ttl 10
 tunnel protection ipsec profile DMVPN
end

Code:
HUB#sho ip nhrp br
   Target             Via            NBMA           Mode   Intfc   Claimed
Ping of the 851's tunnel interface:
Code:
HUB#debug nhrp
HUB#ping 192.168.254.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.3, timeout is 2 seconds:

Jan 14 21:30:46.878 MSK: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel0 netid-out 1
Jan 14 21:30:46.878 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 14 21:30:46.878 MSK: NHRP: No node found.
Jan 14 21:30:46.890 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 14 21:30:46.890 MSK: NHRP: No node found.
Jan 14 21:30:46.890 MSK: NHRP: Attempting to send packet via DEST 192.168.254.3
Jan 14 21:30:46.890 MSK: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84
Jan 14 21:30:46.890 MSK:  src: 192.168.254.1, dst: 192.168.254.3
Jan 14 21:30:46.890 MSK: NHRP: Encapsulation failed for destination 192.168.254.3 out Tunnel0.
Jan 14 21:30:48.530 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 14 21:30:48.530 MSK: NHRP: No node found.
Jan 14 21:30:48.530 MSK: NHRP: Attempting to send packet via DEST 192.168.254.3
Jan 14 21:30:48.530 MSK: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84
Jan 14 21:30:48.530 MSK:  src: 192.168.254.1, dst: 192.168.254.3
Jan 14 21:30:48.530 MSK: NHRP: Encapsulation failed for destination 192.168.254.3 out Tunnel0
Jan 14 21:30:48.878 MSK: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel0 netid-out 1
Jan 14 21:30:48.878 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 14 21:30:48.878 MSK: NHRP: No node found..
Jan 14 21:30:50.878 MSK: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel0 netid-out 1
Jan 14 21:30:50.878 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 14 21:30:50.878 MSK: NHRP: No node found..
Jan 14 21:30:51.950 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 14 21:30:51.950 MSK: NHRP: No node found.
Jan 14 21:30:51.950 MSK: NHRP: Attempting to send packet via DEST 192.168.254.3
Jan 14 21:30:51.950 MSK: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84
Jan 14 21:30:51.950 MSK:  src: 192.168.254.1, dst: 192.168.254.3
Jan 14 21:30:51.950 MSK: NHRP: Encapsulation failed for destination 192.168.254.3 out Tunnel0
Jan 14 21:30:52.878 MSK: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel0 netid-out 1
Jan 14 21:30:52.878 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 14 21:30:52.878 MSK: NHRP: No node found..
Jan 14 21:30:54.878 MSK: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel0 netid-out 1
Jan 14 21:30:54.878 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 14 21:30:54.878 MSK: NHRP: No node found..
Success rate is 0 percent (0/5)

Code:
HUB#sho ip nhrp brief
   Target             Via            NBMA           Mode   Intfc   Claimed
192.168.254.3/32   192.168.254.3                   incomplete

Code:
HUB#sho crypto isakmp sa
dst             src             state          conn-id slot status
172.18.1.9      172.18.1.62     QM_IDLE             13    0 ACTIVE
172.18.1.9      172.18.1.62     MM_NO_STATE         12    0 ACTIVE (deleted)

Code:
HUB#sho crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.18.1.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.1.9/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.18.1.62/255.255.255.255/47/0)
   current_peer 172.18.1.62 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 156, #pkts encrypt: 156, #pkts digest: 156
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.18.1.9, remote crypto endpt.: 172.18.1.62
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.200
     current outbound spi: 0x7AB8B238(2058924600)

     inbound esp sas:
      spi: 0xDAC93291(3670618769)
        transform: esp-3des ,
        in use settings ={Transport, }
        conn id: 3002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4448346/3510)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7AB8B238(2058924600)
        transform: esp-3des ,
        in use settings ={Transport, }
        conn id: 3001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4448346/3510)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Turning IPsec off:
Code:
HUB(config-int)#no tunnel protection ipsec profile DMVPN
Branch(config-int)#no tunnel protection ipsec profile DMVPN

Code:
HUB#sho ip nhrp brief
   Target             Via            NBMA           Mode   Intfc   Claimed
192.168.254.3/32   192.168.254.3   172.18.1.62     dynamic  Tu0     < >

Code:
branch#sho ip nhrp brief
   Target             Via            NBMA           Mode   Intfc   Claimed
192.168.254.1/32   192.168.254.1   172.18.1.9      static   Tu0     < >
Last edited by GByte on 14 Jan 2011, 14:26, edited 1 time in total.

14 Jan 2011, 14:21

imperorr
Registered: 01 Jan 1970, 03:00 Posts: 4526
debug cry isakmp
debug cry ipsec
14 Jan 2011, 14:25

GByte
Registered: 18 Nov 2009, 20:20 Posts: 260
Code:
Branch#debug crypto isakmp
Crypto ISAKMP debugging is on
Branch#debug crypto ipsec
Crypto IPSEC debugging is on
Branch#clear crypto isakmp

Code:
Jan 14 20:43:30.805: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
Jan 14 20:43:30.805: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Jan 14 20:43:30.805: IPSEC(recalculate_mtu): reset sadb_root 82955B14 mtu to 1500
Jan 14 20:43:30.805: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.18.1.62, remote= 172.18.1.9,
    local_proxy= 172.18.1.62/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.18.1.9/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jan 14 20:43:30.809: ISAKMP:(0): SA request profile is (NULL)
Jan 14 20:43:30.809: ISAKMP: Created a peer struct for 172.18.1.9, peer port 500
Jan 14 20:43:30.809: ISAKMP: New peer created peer = 0x824B2274 peer_handle = 0x8000001F
Jan 14 20:43:30.809: ISAKMP: Locking peer struct 0x824B2274, refcount 1 for isakmp_initiator
Jan 14 20:43:30.809: ISAKMP: local port 500, remote port 500
Jan 14 20:43:30.809: ISAKMP: set new node 0 to QM_IDLE
Jan 14 20:43:30.809: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82AC75B8
Jan 14 20:43:30.809: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jan 14 20:43:30.809: ISAKMP:(0):found peer pre-shared key matching 172.18.1.9
Jan 14 20:43:30.809: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jan 14 20:43:30.809: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jan 14 20:43:30.809: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jan 14 20:43:30.809: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jan 14 20:43:30.809: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jan 14 20:43:30.809: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Jan 14 20:43:30.809: ISAKMP:(0): beginning Main Mode exchange
Jan 14 20:43:30.809: ISAKMP:(0): sending packet to 172.18.1.9 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 14 20:43:30.809: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jan 14 20:43:30.853: ISAKMP (0:0): received packet from 172.18.1.9 dport 500 sport 500 Global (I) MM_NO_STATE
Jan 14 20:43:30.853: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 14 20:43:30.853: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Jan 14 20:43:30.853: ISAKMP:(0): processing SA payload. message ID = 0
Jan 14 20:43:30.853: ISAKMP:(0): processing vendor id payload
Jan 14 20:43:30.853: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Jan 14 20:43:30.853: ISAKMP (0:0): vendor ID is NAT-T v7
Jan 14 20:43:30.853: ISAKMP:(0):found peer pre-shared key matching 172.18.1.9
Jan 14 20:43:30.853: ISAKMP:(0): local preshared key found
Jan 14 20:43:30.853: ISAKMP : Scanning profiles for xauth ...
Jan 14 20:43:30.853: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Jan 14 20:43:30.853: ISAKMP:      encryption 3DES-CBC
Jan 14 20:43:30.853: ISAKMP:      hash SHA
Jan 14 20:43:30.853: ISAKMP:      default group 2
Jan 14 20:43:30.853: ISAKMP:      auth pre-share
Jan 14 20:43:30.853: ISAKMP:      life type in seconds
Jan 14 20:43:30.853: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jan 14 20:43:30.853: ISAKMP:(0):atts are acceptable. Next payload is 0
Jan 14 20:43:30.857: ISAKMP:(0): processing vendor id payload
Jan 14 20:43:30.857: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Jan 14 20:43:30.857: ISAKMP (0:0): vendor ID is NAT-T v7
Jan 14 20:43:30.857: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 14 20:43:30.857: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Jan 14 20:43:30.857: ISAKMP:(0): sending packet to 172.18.1.9 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jan 14 20:43:30.857: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jan 14 20:43:30.857: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 14 20:43:30.857: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Jan 14 20:43:30.909: ISAKMP (0:0): received packet from 172.18.1.9 dport 500 sport 500 Global (I) MM_SA_SETUP
Jan 14 20:43:30.909: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 14 20:43:30.909: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Jan 14 20:43:30.913: ISAKMP:(0): processing KE payload. message ID = 0
Jan 14 20:43:30.953: ISAKMP:(0): processing NONCE payload. message ID = 0
Jan 14 20:43:30.953: ISAKMP:(0):found peer pre-shared key matching 172.18.1.9
Jan 14 20:43:30.957: ISAKMP:(2025): processing vendor id payload
Jan 14 20:43:30.957: ISAKMP:(2025): vendor ID is Unity
Jan 14 20:43:30.957: ISAKMP:(2025): processing vendor id payload
Jan 14 20:43:30.957: ISAKMP:(2025): vendor ID is DPD
Jan 14 20:43:30.957: ISAKMP:(2025): processing vendor id payload
Jan 14 20:43:30.957: ISAKMP:(2025): speaking to another IOS box!
Jan 14 20:43:30.957: ISAKMP:(2025):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 14 20:43:30.957: ISAKMP:(2025):Old State = IKE_I_MM4  New State = IKE_I_MM4

Jan 14 20:43:30.957: ISAKMP:(2025):Send initial contact
Jan 14 20:43:30.957: ISAKMP:(2025):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jan 14 20:43:30.957: ISAKMP (0:2025): ID payload
        next-payload : 8
        type         : 1
        address      : 172.18.1.62
        protocol     : 17
        port         : 500
        length       : 12
Jan 14 20:43:30.957: ISAKMP:(2025):Total payload length: 12
Jan 14 20:43:30.957: ISAKMP:(2025): sending packet to 172.18.1.9 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jan 14 20:43:30.957: ISAKMP:(2025):Sending an IKE IPv4 Packet.
Jan 14 20:43:30.961: ISAKMP:(2025):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 14 20:43:30.961: ISAKMP:(2025):Old State = IKE_I_MM4  New State = IKE_I_MM5

Jan 14 20:43:30.965: ISAKMP (0:2025): received packet from 172.18.1.9 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan 14 20:43:30.965: ISAKMP:(2025): processing ID payload. message ID = 0
Jan 14 20:43:30.965: ISAKMP (0:2025): ID payload
        next-payload : 8
        type         : 1
        address      : 172.18.1.9
        protocol     : 17
        port         : 500
        length       : 12
Jan 14 20:43:30.965: ISAKMP:(0):: peer matches *none* of the profiles
Jan 14 20:43:30.969: ISAKMP:(2025): processing HASH payload. message ID = 0
Jan 14 20:43:30.969: ISAKMP:(2025):SA authentication status:
        authenticated
Jan 14 20:43:30.969: ISAKMP:(2025):SA has been authenticated with 172.18.1.9
Jan 14 20:43:30.969: ISAKMP: Trying to insert a peer 172.18.1.62/172.18.1.9/500/,  and inserted successfully 824B2274.
Jan 14 20:43:30.969: ISAKMP:(2025):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 14 20:43:30.969: ISAKMP:(2025):Old State = IKE_I_MM5  New State = IKE_I_MM6

Jan 14 20:43:30.969: ISAKMP:(2025):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 14 20:43:30.969: ISAKMP:(2025):Old State = IKE_I_MM6  New State = IKE_I_MM6

Jan 14 20:43:30.969: ISAKMP:(2025):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 14 20:43:30.969: ISAKMP:(2025):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Jan 14 20:43:30.969: ISAKMP:(2025):beginning Quick Mode exchange, M-ID of -1921446704
Jan 14 20:43:30.973: ISAKMP:(2025):QM Initiator gets spi
Jan 14 20:43:30.973: ISAKMP:(2025): sending packet to 172.18.1.9 my_port 500 peer_port 500 (I) QM_IDLE
Jan 14 20:43:30.973: ISAKMP:(2025):Sending an IKE IPv4 Packet.
Jan 14 20:43:30.973: ISAKMP:(2025):Node -1921446704, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jan 14 20:43:30.973: ISAKMP:(2025):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jan 14 20:43:30.973: ISAKMP:(2025):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jan 14 20:43:30.973: ISAKMP:(2025):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jan 14 20:43:30.981: ISAKMP (0:2025): received packet from 172.18.1.9 dport 500 sport 500 Global (I) QM_IDLE
Jan 14 20:43:30.981: ISAKMP:(2025): processing HASH payload. message ID = -1921446704
Jan 14 20:43:30.981: ISAKMP:(2025): processing SA payload. message ID = -1921446704
Jan 14 20:43:30.981: ISAKMP:(2025):Checking IPSec proposal 1
Jan 14 20:43:30.981: ISAKMP: transform 1, ESP_3DES
Jan 14 20:43:30.981: ISAKMP:   attributes in transform:
Jan 14 20:43:30.981: ISAKMP:      encaps is 2 (Transport)
Jan 14 20:43:30.981: ISAKMP:      SA life type in seconds
Jan 14 20:43:30.981: ISAKMP:      SA life duration (basic) of 3600
Jan 14 20:43:30.981: ISAKMP:      SA life type in kilobytes
Jan 14 20:43:30.981: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Jan 14 20:43:30.981: ISAKMP:(2025):atts are acceptable.
Jan 14 20:43:30.981: IPSEC(validate_proposal_request): proposal part #1
Jan 14 20:43:30.981: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.18.1.62, remote= 172.18.1.9,
    local_proxy= 172.18.1.62/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.18.1.9/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jan 14 20:43:30.981: Crypto mapdb : proxy_match
        src addr     : 172.18.1.62
        dst addr     : 172.18.1.9
        protocol     : 47
        src port     : 0
        dst port     : 0
Jan 14 20:43:30.981: ISAKMP:(2025): processing NONCE payload. message ID = -1921446704
Jan 14 20:43:30.981: ISAKMP:(2025): processing ID payload. message ID = -1921446704
Jan 14 20:43:30.981: ISAKMP:(2025): processing ID payload. message ID = -1921446704
Jan 14 20:43:30.985: ISAKMP:(2025): Creating IPSec SAs
Jan 14 20:43:30.985:         inbound SA from 172.18.1.9 to 172.18.1.62 (f/i)  0/ 0
        (proxy 172.18.1.9 to 172.18.1.62)
Jan 14 20:43:30.985:         has spi 0x491B5669 and conn_id 0
Jan 14 20:43:30.985:         lifetime of 3600 seconds
Jan 14 20:43:30.985:         lifetime of 4608000 kilobytes
Jan 14 20:43:30.985:         outbound SA from 172.18.1.62 to 172.18.1.9 (f/i) 0/0
        (proxy 172.18.1.62 to 172.18.1.9)
Jan 14 20:43:30.985:         has spi 0x8DF50AC4 and conn_id 0
Jan 14 20:43:30.985:         lifetime of 3600 seconds
Jan 14 20:43:30.985:         lifetime of 4608000 kilobytes
Jan 14 20:43:30.985: ISAKMP:(2025): sending packet to 172.18.1.9 my_port 500 peer_port 500 (I) QM_IDLE
Jan 14 20:43:30.985: ISAKMP:(2025):Sending an IKE IPv4 Packet.
Jan 14 20:43:30.985: ISAKMP:(2025):deleting node -1921446704 error FALSE reason "No Error"
Jan 14 20:43:30.985: ISAKMP:(2025):Node -1921446704, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jan 14 20:43:30.985: ISAKMP:(2025):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
Jan 14 20:43:30.985: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jan 14 20:43:30.985: Crypto mapdb : proxy_match
        src addr     : 172.18.1.62
        dst addr     : 172.18.1.9
        protocol     : 47
        src port     : 0
        dst port     : 0
Jan 14 20:43:30.989: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 172.18.1.9
Jan 14 20:43:30.989: IPSEC(policy_db_add_ident): src 172.18.1.62, dest 172.18.1.9, dest_port 0

Jan 14 20:43:30.989: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.18.1.62, sa_proto= 50,
    sa_spi= 0x491B5669(1226528361),
    sa_trans= esp-3des , sa_conn_id= 49
Jan 14 20:43:30.989: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.18.1.9, sa_proto= 50,
    sa_spi= 0x8DF50AC4(2381646532),
    sa_trans= esp-3des , sa_conn_id= 50
Jan 14 20:43:30.989: IPSEC(update_current_outbound_sa): updated peer 172.18.1.9 current outbound sa to SPI 8DF50AC4
Jan 14 20:43:35.001: ISAKMP:(0):purging node -1610574156
Jan 14 20:43:45.001: ISAKMP:(0):purging SA., sa=81FADD00, delme=81FADD00
14 Jan 2011, 14:36

imperorr
Registered: 01 Jan 1970, 03:00 Posts: 4526
Post the ISAKMP and IPsec settings from both sides!
And what are these for?
tunnel path-mtu-discovery
tunnel ttl 10
14 Jan 2011, 14:49

GByte
Registered: 18 Nov 2009, 20:20 Posts: 260
imperorr wrote:
And what are these for?
tunnel path-mtu-discovery
tunnel ttl 10

I set the ttl just in case, so that tunnel packets don't travel far. tunnel path-mtu-discovery - so I don't have to work out the MTU.
Code:
HUB#sho run | i isakmp
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Vasya111 address 0.0.0.0 0.0.0.0

Code:
HUB#sho run | i ipsec
crypto ipsec transform-set DMVPN-TR esp-3des
crypto ipsec profile DMVPN
 set transform-set DMVPN-TR
 tunnel protection ipsec profile DMVPN

Code:
Branch#sho run | i isakmp
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Vasya111 address 0.0.0.0 0.0.0.0

Code:
Branch#sho run | i ipsec
crypto ipsec transform-set DMVPN-TR esp-3des
crypto ipsec profile DMVPN
 set transform-set DMVPN-TR
 tunnel protection ipsec profile DMVPN
14 Jan 2011, 15:08

imperorr
Registered: 01 Jan 1970, 03:00 Posts: 4526
mtu 1400!
crypto ipsec transform-set DMVPN-TR esp-3des - where did you get that from))
Usually it is like this:
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
 mode transport
Somewhere on this forum there was a thread with a working config)
A LAN is one thing, the Internet is another!
14 Jan 2011, 15:24

GByte
Registered: 18 Nov 2009, 20:20 Posts: 260
I configured it following a guide, evidently I overlooked something... my fault, I still understand IPsec rather poorly... I'd be grateful for a link to what you consider the best document on IPsec. I simply forgot to write the line mode transport... Fixed the configs:
Code:
crypto logging session
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Vasya111 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set DMVPN-TR esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN-TR
!
Result: on the hub:
Code:
#sho crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.18.1.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.1.9/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.18.1.62/255.255.255.255/47/0)
   current_peer 172.18.1.62 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.18.1.9, remote crypto endpt.: 172.18.1.62
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.200
     current outbound spi: 0xD8ED1E8A(3639418506)

     inbound esp sas:
      spi: 0x276C2302(661398274)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 3004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4400215/3296)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD8ED1E8A(3639418506)

Code:
#sho cry isakmp sa
dst             src             state          conn-id slot status
172.18.1.9      172.18.1.62     QM_IDLE              3    0 ACTIVE

On the spoke:
Code:
#sho crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.18.1.62

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.1.62/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.18.1.9/255.255.255.255/47/0)
   current_peer 172.18.1.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 182, #pkts encrypt: 182, #pkts digest: 182
    #pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.18.1.62, remote crypto endpt.: 172.18.1.9
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x276C2302(661398274)

     inbound esp sas:
      spi: 0xD8ED1E8A(3639418506)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 55, flow_id: Motorola SEC 1.0:55, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4390884/3323)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x276C2302(661398274)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 56, flow_id: Motorola SEC 1.0:56, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4390875/3323)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Code:
#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.18.1.9      172.18.1.62     QM_IDLE           2028    0 ACTIVE

IPv6 Crypto ISAKMP SA
But there is still no ping...
Code:
HUB#sho ip nhrp brief
   Target             Via            NBMA           Mode   Intfc   Claimed
192.168.254.3/32   192.168.254.3                   incomplete

HUB#debug nhrp
HUB#ter mon
HUB#ping 192.168.254.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.3, timeout is 2 seconds:

Jan 15 01:04:35.032 MSK: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel0 netid-out 1
Jan 15 01:04:35.032 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 15 01:04:35.032 MSK: NHRP: No node found..
Jan 15 01:04:37.032 MSK: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel0 netid-out 1
Jan 15 01:04:37.032 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 15 01:04:37.032 MSK: NHRP: No node found..
Jan 15 01:04:39.032 MSK: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel0 netid-out 1
Jan 15 01:04:39.032 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 15 01:04:39.032 MSK: NHRP: No node found..
Jan 15 01:04:41.032 MSK: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel0 netid-out 1
Jan 15 01:04:41.032 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 15 01:04:41.032 MSK: NHRP: No node found..
Jan 15 01:04:43.032 MSK: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel0 netid-out 1
Jan 15 01:04:43.032 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 15 01:04:43.032 MSK: NHRP: No node found..
Success rate is 0 percent (0/5)
HUB#
Jan 15 01:04:45.292 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 15 01:04:45.292 MSK: NHRP: No node found.
Jan 15 01:04:45.292 MSK: NHRP: Attempting to send packet via DEST 192.168.254.3
Jan 15 01:04:45.292 MSK: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84
Jan 15 01:04:45.292 MSK:  src: 192.168.254.1, dst: 192.168.254.3
Jan 15 01:04:45.292 MSK:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
Jan 15 01:04:45.292 MSK:      shtl: 4(NSAP), sstl: 0(NSAP)
Jan 15 01:04:45.292 MSK:  (M) flags: "router auth src-stable", reqid: 6
Jan 15 01:04:45.292 MSK:      src NBMA: 172.18.1.9
Jan 15 01:04:45.292 MSK:      src protocol: 192.168.254.1, dst protocol: 192.168.254.3
Jan 15 01:04:45.292 MSK:  (C-1) code: no error(0)
Jan 15 01:04:45.292 MSK:        prefix: 0, mtu: 1514, hd_time: 7200
Jan 15 01:04:45.292 MSK:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
Jan 15 01:04:45.292 MSK: NHRP: Encapsulation failed for destination 192.168.254.3 out Tunnel0
Jan 15 01:05:09.900 MSK: NHRP: Checking for delayed event 0.0.0.0/192.168.254.3 on list (Tunnel0).
Jan 15 01:05:09.900 MSK: NHRP: No node found.

The problem is not in routing.
Code:
Branch#sho ip route 192.168.254.1
Routing entry for 192.168.254.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Tunnel0
      Route metric is 0, traffic share count is 1

Code:
HUB#sho ip route 192.168.254.3
Routing entry for 192.168.254.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via eigrp 1
  Routing Descriptor Blocks:
  * directly connected, via Tunnel0
      Route metric is 0, traffic share count is 1
14 Jan 2011, 15:56

imperorr
Registered: 01 Jan 1970, 03:00 Posts: 4526
IPsec is fine. But NHRP...
From both ends: sh ip nhrp, sh int tunnel0
Without tunnel protection ipsec profile DMVPN on both ends, does ping work?
I can't give you anything on IPsec, I don't know how it works myself.
14 Jan 2011, 16:39

GByte
Registered: 18 Nov 2009, 20:20 Posts: 260
Without tunnel protection everything works.
Code:
Branch#sho ip nhrp
192.168.254.1/32 via 192.168.254.1, Tunnel0 created 08:32:49, never expire
  Type: static, Flags: used
  NBMA address: 172.18.1.9

Code:
HUB#sho int tu 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Description: DMVPN-over-L2_Domain
  Internet address is 192.168.254.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (3 sec), retries 3
  Tunnel source 172.18.1.9 (FastEthernet0/0.200), destination UNKNOWN
  Tunnel protocol/transport multi-GRE/IP
    Key 0x1, sequencing disabled
    Checksumming of packets disabled
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "DMVPN")
  Last input 05:42:30, output 04:34:14, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     3980 packets input, 519577 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     4657 packets output, 415212 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Code:
Branch#sho int tu 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Description: DMVPN-over-L2_Domain
  Internet address is 192.168.254.3/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (3 sec), retries 3
  Tunnel source 172.18.1.62 (FastEthernet4), destination UNKNOWN
  Tunnel protocol/transport multi-GRE/IP
    Key 0x1, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 10
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "DMVPN")
  Last input 04:50:24, output 00:00:28, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2428 packets input, 216580 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     7588 packets output, 969409 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

Code:
HUB#sho run int tu 0
Building configuration...

Current configuration : 424 bytes
!
interface Tunnel0
 description DMVPN-over-L2_Domain
 ip address 192.168.254.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication vasya111
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 keepalive 3 3
 tunnel source FastEthernet0/0.200
 tunnel mode gre multipoint
 tunnel key 1
 tunnel ttl 10
 tunnel protection ipsec profile DMVPN
end

Code:
Branch#sho run int tu 0
Building configuration...

Current configuration : 493 bytes
!
interface Tunnel0
 description DMVPN-over-L2_Domain
 ip address 192.168.254.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication vasya111
 ip nhrp map 192.168.254.1 172.18.1.9
 ip nhrp map multicast 172.18.1.9
 ip nhrp network-id 1
 ip nhrp nhs 192.168.254.1
 ip nhrp registration no-unique
 ip nhrp cache non-authoritative
 keepalive 3 3
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 1
 tunnel ttl 10
 tunnel protection ipsec profile DMVPN
end
14 Jan 2011, 21:04

GByte
Registered: 18 Nov 2009, 20:20 Posts: 260
I also tried a trick - configured a static NHRP mapping on the hub for the spoke's NBMA address, but that didn't help.
15 Jan 2011, 04:06

Fedia
Supermoderator
Registered: 01 Oct 2008, 12:24 Posts: 4438
If it connects from one office but not from the other, I'd guess the cause may be:
1. The provider does PAT somewhere. Does the address with which the second spoke registers match the address on its interface?
2. The provider blocks some protocols. Or does not pass large packets.
15 Jan 2011, 17:13

GByte
Registered: 18 Nov 2009, 20:20 Posts: 260
Fedia wrote:
If it connects from one office but not from the other, I'd guess the cause may be:
1. The provider does PAT somewhere. Does the address with which the second spoke registers match the address on its interface?
2. The provider blocks some protocols. Or does not pass large packets.

1. Yes, the addresses match.
2. #sho crypto ipsec sa shows only encryption on the hub, and both encryption and decryption on the spoke. From the above I assume it is indeed filtering. The question is what is being filtered? The provider is unhelpful, so we have to find out ourselves...
15 Jan 2011, 18:36
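The two checks the thread converges on, as an added example that is not from the forum posts or from Cisco: imperorr's objection to a transform-set with no integrity algorithm and no mode transport, and GByte's observation that the hub only ever encrypts (#pkts decaps: 0, #recv errors 0) while the spoke both encrypts and decrypts. Because IKE on both sides reached QM_IDLE / ACTIVE and the peers talk on port 500 with no NAT detected, UDP/500 passes in both directions and ESP travels as raw IP protocol 50; a hub that never decapsulates and reports no receive errors is therefore not receiving the spoke's ESP at all. The Python below lints IOS transform-set lines for exactly the defects imperorr named and classifies a hub/spoke pair from their show crypto ipsec sa and show crypto isakmp sa output. All sample text is constructed to mirror the outputs quoted above, and the function names (lint_transform_sets, diagnose_esp_path and friends) are my own, not an IOS or library API.

```python
"""Added example (not from the thread or from Cisco): lint IOS transform-sets and
classify a DMVPN hub/spoke pair from its IPsec/ISAKMP SA output.
All sample text below is constructed to mirror the outputs quoted in the thread."""
import re

# --- 1. transform-set lint: the thread's 'before' and 'after' configs -------
CONFIG_BEFORE = """\
crypto ipsec transform-set DMVPN-TR esp-3des
crypto ipsec profile DMVPN
 set transform-set DMVPN-TR
"""
CONFIG_AFTER = """\
crypto ipsec transform-set DMVPN-TR esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set DMVPN-TR
"""
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}   # deprecated transforms


def lint_transform_sets(config):
    """Return {transform-set name: [findings]} for every transform-set in an IOS config."""
    lines = config.splitlines()
    findings = {}
    for i, line in enumerate(lines):
        m = re.match(r"crypto ipsec transform-set (\S+)(.*)$", line)
        if not m:
            continue
        name, algs = m.group(1), m.group(2).split()
        # Sub-mode lines (e.g. ' mode transport') are the indented lines that follow.
        sub = []
        for nxt in lines[i + 1:]:
            if not nxt.startswith(" "):
                break
            sub.append(nxt.strip())
        issues = []
        if not any(a.endswith("-hmac") or a.startswith("ah-") for a in algs):
            issues.append("no integrity algorithm: ESP without -hmac (or AH) is unauthenticated")
        if "mode transport" not in sub:
            issues.append("defaults to tunnel mode: add 'mode transport' for GRE-over-IPsec")
        legacy = sorted(set(algs) & LEGACY)
        if legacy:
            issues.append("legacy transforms %s: prefer esp-aes with esp-sha256-hmac" % ", ".join(legacy))
        findings[name] = issues
    return findings


# --- 2. SA counter diagnosis (constructed excerpts of the hub/spoke outputs) --
HUB_ISAKMP = """\
dst             src             state          conn-id slot status
172.18.1.9      172.18.1.62     QM_IDLE             13    0 ACTIVE
172.18.1.9      172.18.1.62     MM_NO_STATE         12    0 ACTIVE (deleted)
"""
HUB_SA = """\
   current_peer 172.18.1.62 port 500
    #pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""
SPOKE_SA = """\
   current_peer 172.18.1.9 port 500
    #pkts encaps: 182, #pkts encrypt: 182, #pkts digest: 182
    #pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
    #send errors 1, #recv errors 0
"""


def ike_established(isakmp_text):
    """True if a Phase-1 SA is QM_IDLE and ACTIVE and not flagged (deleted)."""
    return any("QM_IDLE" in l and "ACTIVE" in l and "(deleted)" not in l
               for l in isakmp_text.splitlines())


def sa_counters(sa_text):
    """(encaps, decaps, recv_errors) from one peer's 'show crypto ipsec sa'."""
    grab = lambda key: int(re.search(r"#pkts %s: (\d+)" % key, sa_text).group(1))
    recv_err = int(re.search(r"#recv errors (\d+)", sa_text).group(1))
    return grab("encaps"), grab("decaps"), recv_err


def diagnose_esp_path(hub_sa, spoke_sa, hub_isakmp):
    """Classify where ESP (IP protocol 50) is being lost between hub and spoke."""
    if not ike_established(hub_isakmp):
        return "ike-down"                 # UDP/500 itself is not completing; look there first
    h_enc, h_dec, h_err = sa_counters(hub_sa)
    s_enc, s_dec, s_err = sa_counters(spoke_sa)
    if h_dec == 0 and h_err == 0 and s_dec > 0:
        # Hub sends and the spoke decrypts it; the spoke sends and the hub never
        # even sees it: the spoke->hub direction of protocol 50 is dropped in transit.
        return "esp-dropped-spoke-to-hub"
    if s_dec == 0 and s_err == 0 and h_dec > 0:
        return "esp-dropped-hub-to-spoke"
    if h_dec == 0 and s_dec == 0:
        return "esp-dropped-both-ways"
    if h_err or s_err:
        return "esp-received-but-rejected"  # SPI/replay/auth failures, not a transit drop
    return "ok"


if __name__ == "__main__":
    for name, issues in lint_transform_sets(CONFIG_BEFORE).items():
        print(name, issues)
    print(diagnose_esp_path(HUB_SA, SPOKE_SA, HUB_ISAKMP))
```

Comparing the counters on both peers is the point: a single side's #pkts decaps: 0 could also be an SPI or replay problem, but the spoke decrypting the hub's ESP while the hub receives nothing of the spoke's (and logs no receive errors) isolates the spoke-to-hub direction of protocol 50 in the transit path, which is what the provider filter turned out to be.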
imperorr
Registered: 01 Jan 1970, 03:00 Posts: 4526
So your VPN is provided by the provider?
Tunnel source 172.18.1.62 (FastEthernet4), destination UNKNOWN
Tunnel source 172.18.1.9 (FastEthernet0/0.200), destination UNKNOWN
17 Jan 2011, 09:31

GByte
Registered: 18 Nov 2009, 20:20 Posts: 260
No, from the provider we only get the connection of the sites to their network and to the Internet. We build the VPN ourselves.
The problem is that there is no alternative to this provider and they are unhelpful. They don't accommodate the client and don't want to look for the problem, so we have to do it ourselves... That's why I came to this forum.
17 Jan 2011, 09:54

imperorr
Registered: 01 Jan 1970, 03:00 Posts: 4526
In fact your VPN runs over the provider's network) 172.18.1.62 and 172.18.1.9 are private addresses. Show a traceroute from one address to the other.
17 Jan 2011, 12:48

Fedia
Supermoderator
Registered: 01 Oct 2008, 12:24 Posts: 4438
But it's DMVPN.
There the NHRP protocol will bind the real address issued by the provider to the private 172 address.
17 Jan 2011, 12:53

imperorr
Registered: 01 Jan 1970, 03:00 Posts: 4526
Looks like both of his are private.
Show the WAN interfaces of both ciscos)
17 Jan 2011, 12:58

Fedia
Supermoderator
Registered: 01 Oct 2008, 12:24 Posts: 4438
Ah, yes, makes sense. Then it won't work.
17 Jan 2011, 15:15

GByte
Registered: 18 Nov 2009, 20:20 Posts: 260
Yes, the addresses there are from the private range.
Looks like we've found common ground with the provider. I'll report back with the results.
19 Jan 2011, 13:52

GByte
Registered: 18 Nov 2009, 20:20 Posts: 260
We got to the bottom of the problem - the provider filters traffic. Huge thanks to everyone for the help!
30 Jan 2011, 00:53