Cisco 2811 vs 871 сломаная маршрутизация :: В помощь системному администратору

У меня есть куча цисок объеденных по ipsec, до сегодняшнего утра всё было хорошо. Потом с какого-то перепугу машины в филиалах перестали видеть ЦО, точнее видят они только внутренний ip-адрес главной циски и ещё пару ip-адресов. Если перезагрузить циску ЦО то пинги ходят примерно минуть 10-20 после чего всё начинается сначала. angry.gif

Я уже перечитал кучу, информации кое-что пробовал, но ничего не помогло. На данный момент имею кашу в голове и не решённую проблему. blink.gif

Сразу предупреждаю, циски я знаю плохо, эту сеть настраивал другой (с ним на данный момент связи нет) я лишь описывал новые туннели и копировал конфиги на новые циски по образу и подобию уже готовых. unsure.gif

в логе вижу следующее

Код:

*Jul 24 2008 21:10:08.835 GMT+11: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jul 24 2008 21:10:08.835 GMT+11: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Jul 24 2008 21:10:11.851 GMT+11: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=87.225.8.50, prot=50, spi=0x3126A23E(824615486), srcaddr=213.27.33.76

конфиг циски в ЦО

Код:

!
version 12.4
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname Khv-CO-GW
!
boot-start-marker
boot-end-marker
!
logging buffered 131072 debugging
enable secret 5 $1$poof$LVyuDovxD9cxNqJ9KDmAZ1
!
aaa new-model
!
!
aaa authentication banner
Kraton Khabarovsk. Cisco 2811.

aaa authentication username-prompt "login: "
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
clock timezone GMT+10 10
clock summer-time GMT+11 recurring last Sun Mar 3:00 last Sun Oct 3:00
!
!
ip cef
!
!
ip domain name kraton.ru
ip name-server 194.85.113.245
ip name-server 194.85.113.244
ip name-server 87.241.223.68
ip name-server 81.17.2.171
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 2
no l2tp tunnel authentication
!
vpdn-group PPTP
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
session-limit 32
!
!
class-map match-all Bronze-In
match access-group name Bronze
class-map match-all Gold-In
match access-group name Gold
class-map match-all Silver-In
match access-group name Silver
class-map match-all Gold-Out
match ip precedence 5
class-map match-all Bronze-Out
match ip precedence 1
class-map match-all Silver-Out
match ip precedence 3
!
!
policy-map VPDN-Output
class Gold-Out
class Silver-Out
bandwidth percent 30
class Bronze-Out
bandwidth percent 30
class class-default
fair-queue
policy-map Inet-Output
class Gold-Out
class Silver-Out
bandwidth percent 45
class Bronze-Out
bandwidth percent 30
class class-default
fair-queue
policy-map LAN-Input
class Gold-In
set ip precedence 5
class Silver-In
set ip precedence 3
class Bronze-In
set ip precedence 1
class class-default
set ip precedence 0
policy-map VPDN-Input
class Gold-In
set ip precedence 5
class Silver-In
set ip precedence 3
class Bronze-In
set ip precedence 1
class class-default
set ip precedence 0
!
!
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key KraTonKey address xx.xx.xx.xx
crypto isakmp key L2TPKraTonKey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set Tunnel-AES esp-aes 256 esp-sha-hmac
mode transport require
crypto ipsec transform-set Tunnel-AES-Comp esp-aes 256 esp-sha-hmac comp-lzs
mode transport require
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile Tunnel-IPSec
set transform-set Tunnel-AES
!
crypto ipsec profile Tunnel-IPSec-Comp
set transform-set Tunnel-AES-Comp
!
!
crypto dynamic-map L2TP 1
set transform-set 3DES
!
!
crypto map Dsv-ADSL 1 ipsec-isakmp dynamic L2TP
!
crypto map Office-LAN 1 ipsec-isakmp dynamic L2TP
!
!
!
interface Loopback0
ip address 192.168.64.1 255.255.255.255
!
interface Tunnel0
description msk-ofc01-c-01
bandwidth 1024
ip address 192.168.63.5 255.255.255.252
ip access-group Tunnel-ACL in
ip mtu 1412
qos pre-classify
tunnel source FastEthernet0/1.2
tunnel destination xx.xx.xx.xx
tunnel protection ipsec profile Tunnel-IPSec-Comp
!
interface FastEthernet0/0
description Khabarovsk Central Office LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
crypto map Office-LAN
service-policy input LAN-Input
!
interface FastEthernet0/1
bandwidth 10240
no ip address
duplex auto
speed auto
service-policy output Inet-Output
!
interface FastEthernet0/1.1
description Khv-CO-Switch
encapsulation dot1Q 2
ip address 192.168.64.221 255.255.255.252
!
interface FastEthernet0/1.2
description Dsv-ADSL
encapsulation dot1Q 3
ip address xx.xx.xx.xx xx.xx.xx.xx
ip nat outside
ip virtual-reassembly
crypto map Dsv-ADSL
!
interface FastEthernet0/1.3
description VTK 10Mbit
encapsulation dot1Q 4
ip nat outside
ip virtual-reassembly
shutdown
!
interface FastEthernet0/1.4
description ENFORTA
encapsulation dot1Q 5
ip address xx.xx.xx.xx xx.xx.xx.xx
ip nat outside
ip virtual-reassembly
!
interface Virtual-Template1
bandwidth 1024
ip unnumbered Loopback0
ip access-group VPDN-PPTP in
qos pre-classify
peer default ip address pool PPTP-User
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2
service-policy input VPDN-Input
!
interface Virtual-Template2
bandwidth 1024
ip unnumbered Loopback0
ip access-group VPDN-PPTP in
qos pre-classify
peer default ip address pool PPTP-User
ppp authentication ms-chap ms-chap-v2
service-policy input VPDN-Input
!
router ospf 1
router-id 192.168.0.1
log-adjacency-changes
area 0 range 192.168.64.0 255.255.255.0
area 1 range 192.168.0.0 255.255.240.0
area 2 range 192.168.16.0 255.255.240.0
area 3 range 192.168.32.0 255.255.240.0
area 4 range 192.168.48.0 255.255.240.0
passive-interface FastEthernet0/0
passive-interface Virtual-Template1
network 192.168.0.0 0.0.15.255 area 1
network 192.168.16.0 0.0.15.255 area 2
network 192.168.32.0 0.0.15.255 area 3
network 192.168.48.0 0.0.15.255 area 4
network 192.168.64.0 0.0.0.255 area 0
!
ip local pool PPTP-User 192.168.64.224 192.168.64.254
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
!
no ip http server
no ip http secure-server
ip nat inside source list Dsv-ADSL-NAT interface FastEthernet0/1.2 overload
ip nat inside source list Enforta-NAT interface FastEthernet0/1.4 overload
ip nat inside source static tcp 192.168.0.25 2312 interface FastEthernet0/1.2 2312
ip nat inside source static tcp 192.168.0.3 21 interface FastEthernet0/1.2 21
ip nat inside source static tcp 192.168.0.3 4000 interface FastEthernet0/1.2 4000
ip nat inside source static tcp 192.168.0.3 110 interface FastEthernet0/1.2 110
ip nat inside source static tcp 192.168.0.3 25 interface FastEthernet0/1.2 25
!
ip access-list extended Bronze
permit tcp any any eq 2312
permit tcp any eq 2312 any
ip access-list extended Dsv-ADSL-NAT
deny ip any 192.168.0.0 0.0.255.255
permit tcp host 192.168.0.30 host 212.19.29.1 eq 666
permit tcp host 192.168.0.30 host 212.19.29.1 eq 667
permit tcp host 192.168.0.31 host 212.19.29.1 eq 666
permit tcp host 192.168.0.31 host 212.19.29.1 eq 667
permit tcp host 192.168.0.32 host 212.19.29.1 eq 666
permit tcp host 192.168.0.32 host 212.19.29.1 eq 667
permit tcp host 192.168.0.29 host 87.225.32.186 eq 6667
permit udp host 192.168.0.145 host 212.19.29.58 eq 87
permit tcp host 192.168.0.3 any eq smtp
permit tcp host 192.168.0.3 any eq pop3
permit tcp host 192.168.0.3 eq smtp any
permit tcp host 192.168.0.3 eq pop3 any
permit ip host 192.168.0.26 any
permit ip host 192.168.0.11 any
ip access-list extended Enforta-NAT
deny ip any 192.168.0.0 0.0.255.255
permit ip host 192.168.0.3 any
permit ip host 192.168.0.17 any
ip access-list extended LAN
permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip host 192.168.0.3 any
permit tcp host 192.168.0.30 host 212.19.29.1
permit tcp host 192.168.0.31 host 212.19.29.1
permit tcp host 192.168.0.32 host 212.19.29.1
permit tcp host 192.168.0.25 eq 2312 any
deny ip any any
ip access-list extended Silver
permit udp any any eq 1604
permit udp any eq 1604 any
permit tcp any any eq 1494
permit tcp any eq 1494 any
permit tcp any any eq 3389
permit tcp any eq 3389 any
permit tcp any any eq 4899
permit tcp any eq 4899 any
ip access-list extended Tunnel-ACL
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.31
permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.24.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 192.168.64.0 0.0.0.255
permit udp 192.168.0.0 0.0.255.255 eq 1604 192.168.0.0 0.0.255.255
permit udp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 eq 1604
permit tcp 192.168.0.0 0.0.255.255 eq 1494 192.168.0.0 0.0.255.255
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 eq 1494
permit tcp 192.168.0.0 0.0.255.255 eq 3389 192.168.0.0 0.0.255.255
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 eq 3389
permit tcp 192.168.0.0 0.0.255.255 eq 4899 192.168.0.0 0.0.255.255
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 eq 4899
permit ospf any any
deny ip any any
permit ip 192.168.47.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended VPDN-PPTP
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.31
permit ip 192.168.0.0 0.0.255.255 192.168.64.0 0.0.0.255
permit udp 192.168.0.0 0.0.255.255 eq 1604 192.168.0.0 0.0.255.255
permit udp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 eq 1604
permit tcp 192.168.0.0 0.0.255.255 eq 1494 192.168.0.0 0.0.255.255
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 eq 1494
permit tcp 192.168.0.0 0.0.255.255 eq 3389 192.168.0.0 0.0.255.255
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 eq 3389
permit tcp 192.168.0.0 0.0.255.255 eq 4899 192.168.0.0 0.0.255.255
permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 eq 4899
deny ip any any
!
access-list 1 permit 80.237.41.211
access-list 1 permit 192.168.0.26
access-list 1 permit 192.168.0.27
access-list 1 permit 192.168.0.29
access-list 1 permit 192.168.0.17
access-list 99 permit 192.168.0.29
snmp-server community public RO 99
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 1 in
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179576
ntp server 62.117.76.141
ntp server 62.117.76.142
!
end

это типичный конфиг циски в филиале

Код:

!
! Last configuration change at 05:02:40 GMT+5 Thu Jun 5 2008 by admin
! NVRAM config last updated at 05:02:42 GMT+5 Thu Jun 5 2008 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname ekt-m01-c-01
!
boot-start-marker
boot-end-marker
!
logging buffered 131072
enable secret 5 $1$poof$LVyuDovxD9cxNqJ9KDmAZ1
!
aaa new-model
!
!
aaa authentication banner
Kraton Ekaterinburg sklad Router Cisco 871.

aaa authentication username-prompt "login: "
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone GMT+5 5
clock summer-time GMT+5 recurring last Sun Mar 3:00 last Sun Oct 3:00
!
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key KraTonKey address xx.xx.xx.xx
crypto isakmp key KraTonKey address xx.xx.xx.xx
!
!
crypto ipsec transform-set Tunnel-AES esp-aes 256 esp-sha-hmac
mode transport require
crypto ipsec transform-set Tunnel-AES-Comp esp-aes 256 esp-sha-hmac comp-lzs
mode transport require
!
crypto ipsec profile Tunnel-IPSec
set transform-set Tunnel-AES
!
crypto ipsec profile Tunnel-IPSec-Comp
set transform-set Tunnel-AES-Comp
!
!
!
!
ip cef
!
!
no ip domain lookup
ip domain name kraton.ru
ip name-server 81.17.0.3
ip name-server 81.17.0.8
!
!
!
username admin privilege 15 secret 5 zzzzzzzzzzzzzzzzzzzz
archive
log config
hidekeys
!
!
!
class-map match-all Bronze-In
match access-group name Bronze
class-map match-all Gold-In
match access-group name Gold
class-map match-all Silver-In
match access-group name Silver
class-map match-all Gold-Out
match ip precedence 5
class-map match-all Bronze-Out
match ip precedence 1
class-map match-all Silver-Out
match ip precedence 3
!
!
policy-map LAN-Input
class Gold-In
set ip precedence 5
class Silver-In
set ip precedence 3
class Bronze-In
set ip precedence 1
class class-default
set ip precedence 0
policy-map DSL
class Gold-Out
class Silver-Out
bandwidth percent 30
class Bronze-Out
bandwidth percent 30
class class-default
fair-queue
!
!
!
!
interface Tunnel0
description Khv-CO-GW
bandwidth 1024
ip address 192.168.47.10 255.255.255.252
ip mtu 1400
tunnel source FastEthernet4
tunnel destination xx.xx.xx.xx
tunnel protection ipsec profile Tunnel-IPSec-Comp
!
interface Tunnel1
description ekt-s01-c-01
bandwidth 1024
ip address 192.168.47.1 255.255.255.252
tunnel source FastEthernet4
tunnel destination xx.xx.xx.xx
tunnel protection ipsec profile Tunnel-IPSec
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
bandwidth 1024
ip address xx.xx.xx.xx xx.xx.xx.xx
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
service-policy output DSL
!
interface Vlan1
ip address 192.168.45.1 255.255.255.0
ip nat inside
ip virtual-reassembly
service-policy input LAN-Input
!
router ospf 1
router-id 192.168.45.1
log-adjacency-changes
passive-interface Vlan1
network 192.168.32.0 0.0.15.255 area 3
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
!
no ip http server
no ip http secure-server
ip nat inside source list Ekt-Inet-NAT interface FastEthernet4 overload
!
ip access-list extended Bronze
permit tcp any any eq 2312
permit tcp any eq 2312 any
ip access-list extended Ekt-Inet-NAT
ip access-list extended LAN
ip access-list extended Silver
permit udp any any eq 1604
permit udp any eq 1604 any
permit tcp any any eq 1494
permit tcp any eq 1494 any
permit tcp any any eq 3389
permit tcp any eq 3389 any
permit tcp any any eq 4899
permit tcp any eq 4899 any
permit tcp any any eq pop3
permit tcp any any eq smtp
permit tcp any eq pop3 any
permit tcp any eq smtp any
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17174982
ntp server 192.168.64.1

!
webvpn cef
end

пробовал делать

Код:

clear crypto isakmp
clear crypto sa
и
crypto isakmp invalid-spi-recovery

не помогло

Модерирует : lynx, Crash_Master, dg, emx, ShriEkeR
Версия для печати • Подписаться • Добавить в закладки