VPN works but show crypto shows nothing, fet, 15-Jan-09, 13:36

The IPsec VPN came up and the remote office is working with the database, but on both the 1st and the 2nd Cisco the command show crypto ipsec sa interface tunnel 1 shows:

interface: Tunnel1
    Crypto map tag: myvpn, local addr. 154.154.154.154

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/47/0)
   current_peer: 122.122.122.122:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 154.154.154.154, remote crypto endpt.: 122.122.122.122
     path mtu 1514, media mtu 1514
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

As if the VPN is not active? Does anyone know what the catch is??? Thanks!
- VPN works but show crypto shows nothing, gagner, 17:08, 15-Jan-09 (1)
- VPN works but show crypto shows nothing, Eduard_k, 16:23, 16-Jan-09 (2)
- VPN works but show crypto shows nothing, fet, 18:13, 23-Jan-09 (3)
> I prefer to look at the VPN with sh cry se [remote peer]
> show crypto ipsec sa interface dumps several pgdn of
> junk for active sessions that is no more informative than sh cry se.
> ))

CISCO831#show crypto session
Crypto session current status

Interface: Tunnel1
Session status: DOWN
Peer: 122.122.122.122/500
  IPSEC FLOW: permit 47 host 192.168.0.1 host 192.168.1.1
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit 47 host 192.168.0.1 host 192.168.1.1
        Active SAs: 0, origin: crypto map

CISCO831#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Interface is unnumbered. Using address of Ethernet1 (154.154.154.154)
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 154.154.154.154 (Ethernet1), destination 122.122.122.122
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Tunnel TTL 255
  Checksumming of packets enabled, fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:02, output 00:05:20, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     3537380 packets input, 1135348181 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     3892213 packets output, 744086129 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

CISCO831#ping 192.168.1.100   (this is the internal IP of the server in Europe, and the ping is from Almaty)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/175/180 ms

So everything seems to work, but sh cry se shows DOWN. Any thoughts??? Here is the config; they are identical (almost, you understand):

CISCO831#show configuration
Using 4912 out of 131072 bytes
!
! Last configuration change at 19:59:45 GMT Wed Jan 21 2009 by fet
! NVRAM config last updated at 19:59:54 GMT Wed Jan 21 2009 by fet
!
version 12.3
no service pad
service tcp-keepalives-in
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CISCO831
!
boot-start-marker
boot-end-marker
!
no logging console
!
clock timezone GMT 6
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.0.100 192.168.0.254
!
ip dhcp pool DHCP-LAN
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 212.19.149.226 212.19.149.227
   lease 14
!
!
ip domain name CISCO831.kz
ip name-server 212.19.149.226
ip name-server 212.19.149.227
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall ftp
ip inspect name firewall realaudio
ip inspect name firewall smtp
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall tftp
ip inspect name firewall rcmd
ip inspect name firewall http
ip ips po max-events 100
ip ssh version 2
no ftp-server write-enable
password encryption aes
!
!
!
!
class-map match-any www
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 6 xxxxx address 122.122.122.122
!
!
crypto ipsec transform-set xxxxx-yyyyy esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 122.122.122.122
 set transform-set xxxxx-yyyyy
 match address 111
!
!
!
interface Tunnel1
 ip unnumbered Ethernet1
 tunnel source Ethernet1
 tunnel destination 122.122.122.122
 tunnel checksum
 crypto map myvpn
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description ***LAN Interface***
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 description *** WAN Interface ***
 ip address 154.154.154.154 255.255.255.252
 ip access-group incoming in
 ip mask-reply
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 no ip split-horizon
 duplex auto
 no cdp enable
 crypto map myvpn
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 154.154.154.153
ip route 192.168.1.0 255.255.255.0 Tunnel1
no ip http server
no ip http secure-server
ip nat service fullrange tcp port 511
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source route-map nonat pool DHCP-LAN overload
!
!
ip access-list extended incoming
 permit tcp any any eq domain
 permit udp any any eq domain
 deny   icmp any any redirect
 permit udp any any eq ntp
 permit tcp any any eq pop3 smtp www 443
 permit tcp any eq domain any
 permit udp any eq domain any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any any eq www pop3 smtp
 permit udp any eq ntp any
 permit udp host 122.122.122.122 eq isakmp host 154.154.154.154 log
 permit esp host 122.122.122.122 host 154.154.154.154 log
 permit gre host 122.122.122.122 host 154.154.154.154 log
 permit ip host 122.122.122.122 any log
 deny   tcp any eq 5938 any eq 5938
 deny   tcp any eq 12975 any log
 permit tcp any any established log
 deny   ip any any log
ip access-list extended ssh
 deny   ip any any log
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit gre host 192.168.0.1 host 192.168.1.1
no cdp run
route-map nonat permit 10
 match ip address 102
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1

- VPN works but show crypto shows nothing, fet, 18:15, 23-Jan-09 (4)
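The config posted above explains the zero counters: crypto ACL 111 selects GRE between 192.168.0.1 and 192.168.1.1, but the tunnel's outer GRE header carries the Ethernet1 addresses (154.154.154.154 to 122.122.122.122), so the crypto map never matches, no SA is built, and the ping succeeds only because the incoming ACL permits plain GRE from the peer. The check below is an added example, not code from the thread: it parses a constructed excerpt of this config and flags a crypto ACL that does not cover the tunnel's outer flow. parse_blocks, first and audit_tunnel are hypothetical names, and only "permit <proto> host A host B" ACL entries are modelled.

```python
import re

# Constructed excerpt of the running-config posted in the thread (same names and addresses).
CONFIG = """\
crypto ipsec transform-set xxxxx-yyyyy esp-des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
 set transform-set xxxxx-yyyyy
 match address 111
interface Tunnel1
 tunnel source Ethernet1
 tunnel destination 122.122.122.122
 crypto map myvpn
interface Ethernet1
 ip address 154.154.154.154 255.255.255.252
access-list 111 permit gre host 192.168.0.1 host 192.168.1.1
"""

def parse_blocks(cfg):
    """Group indented IOS lines under their unindented header line (hypothetical helper)."""
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line and not line.startswith(" "):
            cur = line.strip()
            blocks[cur] = []
        elif line.strip():
            blocks[cur].append(line.strip())
    return blocks

def first(lines, pattern):
    """First capture group of the first line matching pattern, else None."""
    return next((m.group(1) for m in map(re.compile(pattern).match, lines) if m), None)

def audit_tunnel(cfg, tun="Tunnel1"):
    """Findings for a GRE tunnel protected by a crypto map; [] means its outer flow is selected."""
    b = parse_blocks(cfg)
    tl = b.get(f"interface {tun}", [])
    src = first(tl, r"tunnel source (\S+)")
    if f"interface {src}" in b:  # source given as an interface name: use that interface's address
        src = first(b[f"interface {src}"], r"ip address (\S+)")
    dst = first(tl, r"tunnel destination (\S+)")
    cmap = first(tl, r"crypto map (\S+)")
    ml = next((v for k, v in b.items() if k.startswith(f"crypto map {cmap} ")), [])
    acl = first(ml, r"match address (\S+)")
    # Only 'permit <proto> host A host B' entries are modelled (the form used on the page).
    hits = [re.match(rf"access-list {acl} permit (\S+) host (\S+) host (\S+)", k) for k in b]
    findings = []
    if not any(m and m.groups() == ("gre", src, dst) for m in hits):
        findings.append(f"ACL {acl} never matches outer GRE {src}->{dst}: tunnel traffic leaves unencrypted")
    return findings
```

Rewriting ACL 111 to the outer addresses (permit gre host 154.154.154.154 host 122.122.122.122) makes audit_tunnel return an empty list.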