Исходное сообщение
"vpn тунель между 2-мя Cisco 871 " Отправлено Александр, 11-Мрт-08 18:48
привожу в свой конфиги с логами, вышеперечисленные советы не помогли, если у кого есть мысли - пишите. ервый гейт с внешним IP ! Last configuration change at 18:01:14 Moscow Tue Mar 11 2008 by concord ! NVRAM config last updated at 16:31:16 Moscow Tue Mar 11 2008 by concord ! version 12.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname stasova ! boot-start-marker boot-end-marker ! enable password ххх ! aaa new-model ! ! aaa authentication login clientauth local aaa authorization network groupauthor local ! ! aaa session-id common clock timezone Moscow 3 ! ! crypto isakmp policy 10 authentication pre-share crypto isakmp key ууу address 84.14.20.111 ! ! crypto ipsec transform-set basic esp-des esp-md5-hmac ! ! ! ! crypto map mymap 10 ipsec-isakmp set peer 84.14.20.111 set transform-set basic match address 102 ! ! crypto pki trustpoint TP-self-signed-2459862607 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-2459862607 revocation-check none rsakeypair TP-self-signed-2459862607 ! ! ip cef ! username ххх password 0 ххх archive log config   hidekeys ! ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface FastEthernet4 ip address 91.196.3.155 255.255.255.128 ip nat outside no ip virtual-reassembly duplex auto speed auto no cdp enable crypto map mymap ! interface Vlan1 ip address 192.168.69.1 255.255.255.0 ip nat inside ip virtual-reassembly ! ip route 0.0.0.0 0.0.0.0 91.196.3.129 permanent ! ip http server ip http secure-server ip dns server ip nat inside source list 1 interface FastEthernet4 overload ! access-list 1 permit 192.168.69.0 0.0.0.255 access-list 102 permit ip 192.168.69.0 0.0.0.255 192.168.68.0 0.0.0.255 access-list 102 remark Crypto ACL no cdp run ! control-plane ! ! line con 0 no modem enable line aux 0 line vty 0 4 password ххх ! ! webvpn cef end ############################################################################################################ шлюз что за PATом - NATом office#show running-config Building configuration... Current configuration : 2239 bytes ! ! Last configuration change at 18:02:37 Moscow Tue Mar 11 2008 by concord ! NVRAM config last updated at 15:05:03 Moscow Fri Mar 7 2008 by concord ! version 12.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname office ! boot-start-marker boot-end-marker ! enable password xxx ! aaa new-model ! ! aaa authentication login clientauth local aaa authorization network groupauthor local ! ! aaa session-id common clock timezone Moscow 3 ! ! crypto isakmp policy 10 authentication pre-share crypto isakmp key yyy address 91.196.3.155 ! ! crypto ipsec transform-set basic esp-des esp-md5-hmac ! ! crypto map mymap 10 ipsec-isakmp set peer 91.196.3.155 set transform-set basic match address 102 ! ! ! no ip source-route ip cef ! ! username ххх password 0 ххх archive log config   hidekeys ! ! ! ! ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface FastEthernet4 ip address 192.168.222.2 255.255.255.0 ip nat outside ip virtual-reassembly duplex auto speed auto no cdp enable crypto map mymap ! interface Vlan1 ip address 192.168.68.1 255.255.255.0 ip nat inside ip virtual-reassembly ! ip route 0.0.0.0 0.0.0.0 192.168.222.1 ! ip http server ip http secure-server ip dns server ip nat inside source list 1 interface FastEthernet4 overload ! access-list 1 permit 192.168.68.0 0.0.0.255 access-list 102 permit ip 192.168.68.0 0.0.0.255 192.168.69.0 0.0.0.255 access-list 102 remark Crypto ACL no cdp run ! control-plane ! ! line con 0 no modem enable line aux 0 line vty 0 4 password xxx ! webvpn cef end ############################################################################################################ у обоих версия IOS одинаковая office#show version Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Wed 18-Jul-07 16:47 by prod_rel_team ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE office uptime is 4 days, 3 hours, 50 minutes System returned to ROM by reload at 14:22:04 Moscow Fri Feb 1 2008 System restarted at 14:35:46 Moscow Fri Mar 7 2008 System image file is "flash:c870-advsecurityk9-mz.124-15.T1.bin" Configuration register is 0x2102 ############################################################################################################ в качестве шлюза (192.168.222.1) - dlink 604 di на котором проброшены udp порты 4500 и 500 на 192.168.222.2 соответственно ############################################################################################################ на 871 что за натом office#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst             src             state          conn-id slot status IPv6 Crypto ISAKMP SA office#show crypto ipsec sa interface: FastEthernet4     Crypto map tag: mymap, local addr 192.168.222.2    protected vrf: (none)    local  ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)    remote ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)    current_peer 91.196.3.155 port 500      PERMIT, flags={origin_is_acl,}     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0     #pkts compressed: 0, #pkts decompressed: 0     #pkts not compressed: 0, #pkts compr. failed: 0     #pkts not decompressed: 0, #pkts decompress failed: 0     #send errors 0, #recv errors 0      local crypto endpt.: 192.168.222.2, remote crypto endpt.: 91.196.3.155      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4      current outbound spi: 0x0(0)      inbound esp sas:      inbound ah sas:      inbound pcp sas:      outbound esp sas:      outbound ah sas:      outbound pcp sas: ############################################################################################################ на 871 что торчит лицом в иннет stasova#show crypto ipsec sa interface: FastEthernet4     Crypto map tag: mymap, local addr 91.196.3.155    protected vrf: (none)    local  ident (addr/mask/prot/port): (192.168.69.0/255.255.255.0/0/0)    remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)    current_peer 84.17.20.111 port 500      PERMIT, flags={origin_is_acl,}     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0     #pkts compressed: 0, #pkts decompressed: 0     #pkts not compressed: 0, #pkts compr. failed: 0     #pkts not decompressed: 0, #pkts decompress failed: 0     #send errors 0, #recv errors 0      local crypto endpt.: 91.196.3.155, remote crypto endpt.: 84.14.20.111      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4      current outbound spi: 0x0(0)      inbound esp sas:      inbound ah sas:      inbound pcp sas:      outbound esp sas:      outbound ah sas:      outbound pcp sas: stasova#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst             src             state          conn-id slot status IPv6 Crypto ISAKMP SA stasova#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst             src             state          conn-id slot status IPv6 Crypto ISAKMP SA ########################################### в логах пусто #show debugging Generic IP:   IP packet debugging is on for access list 111 Cryptographic Subsystem:   Crypto ISAKMP Error debugging is on   Crypto ISAKMP High Availability debugging is on   Crypto IPSEC Error debugging is on   Crypto IPSEC High Availability debugging is on dot11:   dot11 Syslog debugging is on PKI:   verbose debug output debugging is on только выскачила ошибка, что там, что там:    IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because cryptomap is currently being created если у кого есть мысли по этому поводу и вермя, оставте телефон и скажите когда удобней позвонить, я обезательно с Вами свяжусь. ------------------------