> So where are they, your configurations? The telepaths are on vacation.
Sorry :)
In short, here is the layout:
Internal network of branch 1: 10.168.10.0/24
Public IP of branch 1: A.A.A.A (Cisco)
Internal network of branch 2: 10.167.30.0/24
Public IP of branch 1: B.B.B.B (FreeBSD)
Network 192.168.226.0/30: virtual, for the tunnel
First I set up the tunnel between the 2901 and FreeBSD
FreeBSD
# ifconfig gre0
gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> metric 0 mtu 1476
tunnel inet B.B.B.B --> A.A.A.A
inet 192.168.226.1 --> 192.168.226.2 netmask 0xfffffffc
Cisco
#sh int Tunnel226
Tunnel226 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.226.2/30
MTU 17854 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source A.A.A.A (GigabitEthernet0/1), destination B.B.B.B
Tunnel Subblocks:
src-track:
Tunnel226 source tracking subblock associated with GigabitEthernet0/1
Set of tunnels with source GigabitEthernet0/1, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1414 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "NPipsec")
Last input 01:15:12, output 02:48:43, output hang never
Last clearing of "show interface" counters 3d02h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 27
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
175 packets input, 19808 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
340 packets output, 40316 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Pings go through, but the tunnel is not encrypted, so I'm setting up encryption.
Cisco
R001(config)#crypto isakmp policy 226
R001(config-isakmp)#encryption aes
R001(config-isakmp)#group 2
R001(config-isakmp)#authentication pre-share
R001(config-isakmp)#hash md5
R001(config-isakmp)#lifetime 1800
R001(config-isakmp)#ex
R001(config)#crypto ipsec transform-set TUN esp-aes esp-md5-hmac
R001(cfg-crypto-trans)#ex
R001(config)#crypto keyring TUNkey
R001(conf-keyring)#pre-shared-key address B.B.B.B key 6 KEY
R001(conf-keyring)#ex
R001(config)#crypto isakmp profile TUNisakmp
% A profile is deemed incomplete until it has match identity statements
R001(conf-isa-prof)#keyring TUNkey
R001(conf-isa-prof)#match identity address B.B.B.B 255.255.255.255
R001(conf-isa-prof)#ex
R001(config)#crypto ipsec profile TUNipsec
R001(ipsec-profile)#set isakmp-profile TUNisakmp
R001(ipsec-profile)#set transform-set TUN
R001(ipsec-profile)#set security-association lifetime seconds 1800
R001(ipsec-profile)#set pfs group2
R001(ipsec-profile)#ex
R001(config)#interface Tunnel226
R001(config-if)#tunnel protection ipsec profile TUNipsec
R001(config-if)#ex
FreeBSD
racoon.conf
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/key.txt";
log info;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
timer
{
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per.
phase1 30 sec;
phase2 15 sec;
}
listen
{
isakmp B.B.B.B [500];
}
remote A.A.A.A [500]
{
exchange_mode main;
doi ipsec_doi;
situation identity_only;
my_identifier address A.A.A.A;
peers_identifier address B.B.B.B;
lifetime time 1800 sec;
passive off;
proposal_check obey;
generate_policy off;
proposal {
encryption_algorithm aes;
hash_algorithm md5;
authentication_method pre_shared_key;
lifetime time 1800 sec;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 1800 sec;
encryption_algorithm aes;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
ipsec.conf
spdflush;
spdadd B.B.B.B/32 A.A.A.A/32 gre -P out ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;
spdadd A.A.A.A/32 B.B.B.B/32 gre -P in ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
key.txt
A.A.A.A KEY
After all of that I check
FreeBSD
#setkey -D
B.B.B.B A.A.A.A
esp mode=tunnel spi=2960835401(0xb07ac349) reqid=0(0x00000000)
E: rijndael-cbc 4073e513 474fc7e2 4639e032 f2734cb5
A: hmac-md5 699296ad 5060dae0 021eb768 c503d603
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Apr 28 16:12:11 2014 current: Apr 28 16:32:43 2014
diff: 1232(s) hard: 1800(s) soft: 1440(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=4108 refcnt=1
A.A.A.A B.B.B.B
esp mode=tunnel spi=42248152(0x0284a7d8) reqid=0(0x00000000)
E: rijndael-cbc b122e7ac 49fd3486 92477e7a c10984d0
A: hmac-md5 68b10538 fda865c0 50aa0232 c81c4f71
seq=0x00000005 replay=4 flags=0x00000000 state=mature
created: Apr 28 16:12:11 2014 current: Apr 28 16:32:43 2014
diff: 1232(s) hard: 1800(s) soft: 1440(s)
last: Apr 28 16:12:39 2014 hard: 0(s) soft: 0(s)
current: 720(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 5 hard: 0 soft: 0
sadb_seq=0 pid=4108 refcnt=1
on Cisco
R001#show crypto ipsec sa
interface: Tunnel226
Crypto map tag: Tunnel226-head-0, local addr A.A.A.A
protected vrf: (none)
local ident (addr/mask/prot/port): (A.A.A.A/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (B.B.B.B/255.255.255.255/47/0)
current_peer B.B.B.B port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: A.A.A.A, remote crypto endpt.: B.B.B.B
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x284A7D8(42248152)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0xB07AC349(2960835401)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2035, flow_id: Onboard VPN:35, sibling_flags 80004040, crypto map: Tunnel226-head-0
sa timing: remaining key lifetime (k/sec): (4168436/461)
IV size: 16 bytes
replay detection support: Y
ecn bit support: N status: off
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x284A7D8(42248152)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2036, flow_id: Onboard VPN:36, sibling_flags 80004040, crypto map: Tunnel226-head-0
sa timing: remaining key lifetime (k/sec): (4168436/461)
IV size: 16 bytes
replay detection support: Y
ecn bit support: N status: off
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
In the FreeBSD logs
2014-04-28 16:12:10: INFO: ISAKMP-SA established B.B.B.B[500]-A.A.A.A[500] spi:a66b494730e6740d:7cdcd206642a99ae
2014-04-28 16:12:10: INFO: respond new phase 2 negotiation: B.B.B.B[500]<=>A.A.A.A[500]
2014-04-28 16:12:11: INFO: IPsec-SA established: ESP/Tunnel B.B.B.B[500]->A.A.A.A[500] spi=42248152(0x284a7d8)
2014-04-28 16:12:11: INFO: IPsec-SA established: ESP/Tunnel B.B.B.B[500]->A.A.A.A[500] spi=2960835401(0xb07ac349)
2014-04-28 16:36:12: INFO: IPsec-SA expired: ESP/Tunnel A.A.A.A[500]->B.B.B.B[500] spi=42248152(0x284a7d8)
Something like that. Pings don't go through and I can't understand why. Really hoping for your help.
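Added example, not from the original post: a small Python helper that parses `setkey -D` output and reports, from the FreeBSD host's point of view, whether each SA is mature and whether both directions are actually carrying bytes (one-way traffic is the usual sign of an outbound policy or routing problem rather than an IKE problem). The sample input is constructed to mirror the post's two SAs, with the key material lines dropped.

```python
import re

# Constructed sample in `setkey -D` format, mirroring the post (B.B.B.B = this
# FreeBSD host, A.A.A.A = the Cisco peer); key material lines are omitted.
SAMPLE_SETKEY_D = """\
B.B.B.B A.A.A.A
    esp mode=tunnel spi=2960835401(0xb07ac349) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
    allocated: 0    hard: 0 soft: 0
A.A.A.A B.B.B.B
    esp mode=tunnel spi=42248152(0x0284a7d8) reqid=0(0x00000000)
    seq=0x00000005 replay=4 flags=0x00000000 state=mature
    current: 720(bytes) hard: 0(bytes)  soft: 0(bytes)
    allocated: 5    hard: 0 soft: 0
"""

def parse_setkey_d(text):
    """Turn `setkey -D` output into one dict per SA: src, dst, spi, state, bytes, packets."""
    sas = []
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented "src dst" line opens a new SA
            src, dst = line.split()[:2]
            sas.append({"src": src, "dst": dst})
        elif sas:
            sa = sas[-1]
            if m := re.search(r"spi=\d+\((0x[0-9a-f]+)\)", line):
                sa["spi"] = m.group(1)
            if m := re.search(r"state=(\w+)", line):
                sa["state"] = m.group(1)
            if m := re.match(r"\s*current: (\d+)\(bytes\)", line):   # skips the "created:" line
                sa["bytes"] = int(m.group(1))
            if m := re.match(r"\s*allocated: (\d+)", line):
                sa["packets"] = int(m.group(1))
    return sas

def diagnose(sas, local):
    """Flag SAs that are not mature, and one-way traffic as seen from `local`."""
    findings = [f"{sa['src']}->{sa['dst']} spi {sa.get('spi')} state={sa.get('state')}"
                for sa in sas if sa.get("state") != "mature"]
    tx = sum(sa.get("bytes", 0) for sa in sas if sa["src"] == local)
    rx = sum(sa.get("bytes", 0) for sa in sas if sa["dst"] == local)
    if rx and not tx:
        findings.append("receiving ESP but sending none: outbound policy is not feeding this SA")
    elif tx and not rx:
        findings.append("sending ESP but receiving none: peer side is not encrypting towards us")
    return findings
```

On a live host feed it the real output, e.g. `diagnose(parse_setkey_d(subprocess.check_output(["setkey", "-D"], text=True)), "B.B.B.B")`.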