Добрый деньПробую поднять ipsec и gre тоннели. Поднял ipsec тоннели к нужным subnets с openswan-- но не получается поднять к узлу 10.144.254.1 -- который является gre tunnel destination. Нужна помощь.
# ipsec tunnel to subnet 10.135.70.0 работает
# ipsec.conf:
conn cme1013570
rightsubnet=10.135.70.0/255.255.255.0
auto=start
leftsourceip=10.144.112.2
authby=secret
left=83.167.115.174
leftsubnet=10.144.112.0/255.255.255.0
keyingtries=0
type=tunnel
right=128.177.22.14
# subnets 10.135.71.0, 10.135.172.0 ... 10.1.63.0 тоже работают
# tunnel to 10.144.254.1 -- не работает -- "peer
# likes no proposal" error -- i used to get the same error with subnets
# mentioned above when i made mistakes in rightsubnet field of
#ipsec.conf file.
conn cme101442541
auto=add
authby=secret
left=83.167.115.174
leftsourceip=10.144.0.112
keyingtries=0
type=tunnel
right=128.177.22.14
rightsourceip=10.144.254.1
# cisco router configuration :
ip multicast-routing #(only required for MDP access)
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
crypto isakmp key VLaDiMiR
address 128.177.22.14
!
crypto ipsec transform-set cmevpn esp-3des esp-md5-hmac
!
crypto map cmevpn 1 ipsec-isakmp
set peer 128.177.22.14
set transform-set cmevpn
match address 100
!
interface Loopback0 #(Leave interface shutdown if MDP access not
required)
ip address 10.144.0.112 255.255.255.255
shutdown
!
interface Tunnel0 #(Leave interface shutdown if MDP access not required)
ip address 10.144.2.154 255.255.255.252
ip pim sparse-mode
tunnel source 10.144.0.112
tunnel destination 10.144.254.1
shutdown
!
interface fa0/0
ip address 10.144.112.1 255.255.255.0
ip pim sparse-mode #(only required for MDP access)
duplex auto
speed auto
no cdp enable
!
interface fa0/1
ip address 83.167.115.174 255.255.255. x # (Customer public interface)
crypto map cmevpn
ip access-group 199 in
!
ip route 10.132.19.0 255.255.255.0 Tunnel0 #(only required for MDP
access)
#(the following route statements can be replaced with a default route
statement)
ip route 10.135.70.0 255.255.255.0 (ip address of corporate internet
router)
ip route 10.135.71.0 255.255.255.0 (ip address of corporate internet
router)
ip route 10.135.172.0 255.255.255.0 (ip address of corporate internet
router)
ip route 10.135.173.0 255.255.255.0 (ip address of corporate internet
router)
ip route 10.140.120.0 255.255.255.0 (ip address of corporate internet
router)
ip route 10.140.18.0 255.255.255.0 (ip address of corporate internet
router)
ip route 10.1.16.0 255.255.255.0 (ip address of corporate internet
router)
ip route 10.1.63.0 255.255.255.0 (ip address of corporate internet
router)
ip route 10.144.254.1 255.255.255.255 (ip address of corporate internet
router)
ip classless
no ip http server
no ip http secure-server
ip pim rp-addess 10.132.19.8 #(only required for MDP access)
ip mroute 10.132.19.0 255.255.255.0 tunnel0 #(only required for MDP
access)
access-list 100 permit ip 10.144.112.0 0.0.0.255 10.135.70.0 0.0.0.255
access-list 100 permit ip 10.144.112.0 0.0.0.255 10.135.71.0 0.0.0.255
access-list 100 permit ip 10.144.112.0 0.0.0.255 10.135.172.0 0.0.0.255
access-list 100 permit ip 10.144.112.0 0.0.0.255 10.135.173.0 0.0.0.255
access-list 100 permit ip 10.144.112.0 0.0.0.255 10.140.120.0 0.0.0.255
access-list 100 permit ip 10.144.112.0 0.0.0.255 10.140.18.0 0.0.0.255
access-list 100 permit ip 10.144.112.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 100 permit ip 10.144.112.0 0.0.0.255 10.1.63.0 0.0.0.255
access-list 100 permit gre host 10.144.0.112 host 10.144.254.1 #(only
required for MDP access)
access-list 199 permit gre host 10.144.254.1 host 10.144.0.112 #(only
required for MDP access)
access-list 199 permit ip 10.135.70.0 0.0.0.255 10.144.112.0 0.0.0.255
access-list 199 permit ip 10.135.71.0 0.0.0.255 10.144.112.0 0.0.0.255
access-list 199 permit ip 10.135.172.0 0.0.0.255 10.144.112.0 0.0.0.255
access-list 199 permit ip 10.135.173.0 0.0.0.255 10.144.112.0 0.0.0.255
access-list 199 permit ip 10.140.120.0 0.0.0.255 10.144.112.0 0.0.0.255
access-list 199 permit ip 10.1.18.0 0.0.0.255 10.144.112.0 0.0.0.255
access-list 199 permit ip 10.1.16.0 0.0.0.255 10.144.112.0 0.0.0.255
access-list 199 permit ip 10.1.63.0 0.0.0.255 10.144.112.0 0.0.0.255
access-list 199 permit udp any any eq isakmp
access-list 199 permit ahp any any
access-list 199 permit esp any any
# GRE info
----------------------------------------------------
GRE Tunnel Address (Vladimir): 10.144.2.154
GRE Tunnel Address (CME Group): 10.144.2.153
---
The RP IP: 10.132.19.8
---
Vladimir Tunnel Source IP: 10.144.0.112
CME Tunnel Source IP: 10.144.254.1 ( Tunnel Destination for Vladimir)
#Additional info
Certification Environment Connectivity
For ISAKMP, please use:
• 3DES for key encryption
• a hash algorithm of MD5 for data integrity
• Diffie-Hellman group 1 (Cisco Default)
• An SA lifetime of 86,400 seconds with no volume limit (Cisco default)
• a preshared key of VLaDiMiR
• aggressive mode turned off (Cisco default)
For IPSEC, please use:
• ESP-3DES for encryption and data integrity
• a hash algorithm of ESP-MD5 for data integrity
• no compression method (Cisco default)
• a lifetime of 3600 seconds with a volume limit of 4,608,000 kilobytes
(Cisco default)
The VPN Peer address for the CME is 128.177.22.14
Please source all traffic for the CME Cert Environment as 10.144.112.2 -
254
Вариант для распечатки
(ok) on 31-Янв-11, 14:39 
