IPSEC cisco+freebsd
- From
- Dmitriy Romanov (2:478/37.1)
- To
- All (2:5054/37.63)
- Date
- 2009-07-29T12:26:46Z
- Area
- RU.CISCO
Привет All!
В общем есть сервак под фрей. С другими фрями там ипсек настроен и
работает. Пытаемся привязать киску.
Туннель не поднимается.
Периодически ругается на вот такую фигню:
*Mar 2 23:37:45.811: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify
failed for connection id=2006 local=192.168.250.4 remote=192.168.250.3 spi=34297C8B seqno=00000073
Вот ее конфиг (скипнуты голосовые
настройки).
Using 3118 out of 29688 bytes
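!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): type 7 "encryption" is reversible; it only hides passwords from casual viewing.
service password-encryption
!
hostname cisco_tests
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
! (section skipped by the author)
!
!
! Phase 1 (ISAKMP) policy. 3DES and DH group 2 were common in 2009 but are
! considered weak today; move to AES and a stronger group once both ends support it.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
! This pre-shared key has been posted publicly; it must be changed on both peers.
crypto isakmp key testpass address 192.168.250.3
!
!
! Phase 2 (IPsec) transform set. Transport mode fits here because the crypto ACL
! below selects the IPIP (protocol 4) packets between the two tunnel endpoints,
! so the outer IP header already carries the addresses we want to protect.
crypto ipsec transform-set ts-tunnel esp-3des esp-sha-hmac
 mode transport
!
crypto map cm-tunnel 1 ipsec-isakmp
 set peer 192.168.250.3
 ! Phase 2 lifetime (86400 s) is much longer than phase 1 (3600 s); make sure the
 ! FreeBSD side uses matching values, since rekey disagreements are one possible
 ! source of the periodic RECVD_PKT_MAC_ERR messages.
 set security-association lifetime seconds 86400
 set transform-set ts-tunnel
 set pfs group2
 match address cm-acl-tunnel
!
!
!
!
interface Tunnel1
 ip address 192.168.201.42 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ! NOTE(review): IPIP adds a 20-byte header and ESP adds more on top, so 1500 here
 ! over a 1500-byte FastEthernet path will fragment full-size packets; consider lowering.
 ip mtu 1500
 ! Process switching, presumably left on for debugging; re-enable CEF when done.
 no ip route-cache cef
 no ip route-cache
 tunnel source 192.168.250.4
 ! FIX: was 192.158.250.3 (typo). The peer, the ISAKMP key and cm-acl-tunnel all
 ! refer to 192.168.250.3; with the old destination the IPIP packets never matched
 ! the crypto ACL, which is consistent with "#pkts encaps: 0" in the show output.
 tunnel destination 192.168.250.3
 tunnel mode ipip
!
interface FastEthernet0/0
 ip address 192.168.103.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.250.4 255.255.255.248
 ! Process switching, presumably left on for debugging; re-enable CEF when done.
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map cm-tunnel
!
router ospf 10
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel1
 ! NOTE(review): only 192.168.103.0/24 is covered by a network statement, so OSPF
 ! will not run on Tunnel1 (192.168.201.40/30) despite the line above; add a
 ! network statement for the tunnel subnet in the intended area.
 network 192.168.103.0 0.0.0.255 area 192.168.103.0
!
ip forward-protocol nd
!
!
! Plaintext HTTP management is enabled while HTTPS is off; disable it if unused.
ip http server
no ip http secure-server
!
! Crypto ACL: protect only the IPIP encapsulation from this router to the peer.
! FIX: the reverse entry (host 192.168.250.3 -> host 192.168.250.4) was removed.
! IOS mirrors the ACL for inbound traffic itself; the explicit reverse line made the
! router also try to protect traffic *sourced* from the peer's address, which is why
! the show output lists a second identity pair with local ident 192.168.250.3 and
! zero packets. The FreeBSD policy must be the mirror image of this single line.
ip access-list extended cm-acl-tunnel
 permit ipinip host 192.168.250.4 host 192.168.250.3
!
!
!
!
control-plane
!
!
!
! (section skipped by the author)
!
sip-ua
!
!
!
!
! "login local" needs username entries; presumably they are in the skipped sections.
line con 0
 login local
line aux 0
line vty 0 4
 login local
 ! Telnet is cleartext; switch to "transport input ssh" once SSH is set up on this box.
 transport input telnet
!
!
end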
Ну и вот на всяк случай:
cisco_tests#sh crypto isakmp sa
dst src state conn-id slot status
192.168.250.4 192.168.250.3 QM_IDLE 1 0 ACTIVE
cisco_tests#sh crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: cm-tunnel, local addr 192.168.250.4
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.250.3/255.255.255.255/4/0)
remote ident (addr/mask/prot/port): (192.168.250.4/255.255.255.255/4/0)
current_peer 192.168.250.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.250.4, remote crypto endpt.: 192.168.250.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.250.4/255.255.255.255/4/0)
remote ident (addr/mask/prot/port): (192.168.250.3/255.255.255.255/4/0)
current_peer 192.168.250.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 218, #pkts decrypt: 218, #pkts verify: 218
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.250.4, remote crypto endpt.: 192.168.250.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x2F99004(49909764)
inbound esp sas:
spi: 0x34297C8B(875134091)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2006, flow_id: SW:6, crypto map: cm-tunnel
sa timing: remaining key lifetime (k/sec): (4403970/27333)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2F99004(49909764)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2005, flow_id: SW:5, crypto map: cm-tunnel
sa timing: remaining key lifetime (k/sec): (4403988/27333)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
cisco_tests#
На сем разрешите письмо закончить. Elec.
--- Таймыр 2.00
* Origin: В свинарнике не стыдно быть свиньей (2:478/37.1)