Setting up an IPsec VPN (cisco-2811, dlink DFL-800)


Post by galaxer » 2009-06-01 10:24:14

The D-Link DFL-800 was set up at a remote site (a different real external IP). A VPN was configured on it and it worked with a D-Link DFL-1500.
The time came to replace the DFL-1500 with a Cisco 2811, since reliability and traffic savings (i.e. WCCP and Squid) became a requirement.
I can't get IPsec working. Please advise.
The layout is as follows:

(local net1 + DMZ1) <--> ( Catalyst vlan 1 + vlan 2 ) <--> ( cisco 2811 + 2*dot1q + nat + vpn ) <--> DFL-800 ( nat + vpn ) <--> (Local net2)

local net1 = 192.168.46.0/24
DMZ = 10.1.1.0/29
local net2 = 192.168.1.0/24
Cisco local ip = 192.168.46.1 and 10.1.1.1
Cisco wan ip = "Cis_WAN_IP"
DFL-800 local ip = 192.168.1.1
DFL-800 wan ip = "DFL800_WAN_IP"
Cisco wan ip gateway= "Cis_WAN_IP_GW"


LOGS:

Code:

gw#show crypto isakmp sa
dst             src             state          conn-id slot status
"Cis_WAN_IP"   "DFL800_WAN_IP"  QM_IDLE              2    0 ACTIVE

Code:

gw#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: DFL800-1, local addr "Cis_WAN_IP"

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.46.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer "DFL800_WAN_IP" port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: "Cis_WAN_IP", remote crypto endpt.: "DFL800_WAN_IP"
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Code:

gw#sh crypto ipsec transform-set
Transform set COT: { esp-3des  }
   will negotiate = { Tunnel,  },

Code:

gw#sh crypto map
Crypto Map "DFL800-1" 10 ipsec-isakmp
    Description: Description of the crypto map statement policy
    Peer = "DFL800_WAN_IP"
    Extended IP access list VPN_ACL
        access-list VPN_ACL permit ip 192.168.46.0 0.0.0.255 192.168.1.0 0.0.0.255
        access-list VPN_ACL deny ip any any
    Current peer: "DFL800_WAN_IP"
    Security association lifetime: 4608000 kilobytes/28800 seconds
    PFS (Y/N): Y
    DH group:  group2
    Transform sets={
        COT,
    }
    Interfaces using crypto map DFL800-1:
        FastEthernet0/0

Code:

gw#sh running-config

! ISAKMP (IKE phase 1) policy: 3DES, MD5, pre-shared key, DH group 2
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address "DFL800_WAN_IP"
!
!
! IPsec (phase 2) transform set: ESP with 3DES and no integrity algorithm
crypto ipsec transform-set COT esp-3des
!
! crypto map applied to the WAN interface; VPN_ACL selects the traffic to protect
crypto map DFL800-1 10 ipsec-isakmp
description Description of the crypto map statement policy
set peer "DFL800_WAN_IP"
set security-association lifetime seconds 28800
set transform-set COT
set pfs group2
match address VPN_ACL

interface FastEthernet0/0
description Link to Internet
ip address "Cis_WAN_IP" 255.255.255.224
ip nat outside
ip virtual-reassembly
ip route-cache policy
ip route-cache flow
ip policy route-map ROUTEMAP
duplex auto
speed auto
crypto map DFL800-1
!        
interface FastEthernet0/1
description Link to Lan
no ip address
ip virtual-reassembly
ip route-cache policy
no ip route-cache cef
ip route-cache flow
ip tcp adjust-mss 1452
duplex auto
speed auto
!        
interface FastEthernet0/1.1
description DMZ1
encapsulation dot1Q 1 native
ip address 192.168.46.1 255.255.255.0
ip wccp web-cache redirect in
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!        
interface FastEthernet0/1.2
description DMZ2
encapsulation dot1Q 2
ip address 10.1.1.1 255.255.255.248
ip nat inside
ip virtual-reassembly
no snmp trap link-status


no ip classless
ip route 0.0.0.0 0.0.0.0 "Cis_WAN_IP_GW"
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.46.3 9510
!        
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! dynamic PAT of the inside networks onto the WAN address
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.46.5 22 "Cis_WAN_IP" 22 extendable
ip nat inside source static tcp 192.168.46.5 8080 "Cis_WAN_IP" 8080 extendable
! translate the DMZ host's private address to a second public address
ip nat inside source static 10.1.1.2 ""Cis_WAN_IP"+1"
!
! crypto ACL: traffic between the two LANs that the crypto map should protect
ip access-list extended VPN_ACL
permit ip 192.168.46.0 0.0.0.255 192.168.1.0 0.0.0.255
deny   ip any any
!
! NAT ACL: matches every source in 192.168.46.0/24 with no exception for
! destinations in 192.168.1.0/24, so LAN-to-LAN traffic is translated as well
access-list 1 remark SDM_ACL Category=18
access-list 1 permit 192.168.46.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.7
access-list 1 permit 192.168.1.0 0.0.0.255
route-map ROUTEMAP permit 10
match ip address 108
set interface Loopback0 FastEthernet0/1
Thanks
galaxer
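The symptom in the post above, ISAKMP in QM_IDLE while `show crypto ipsec sa` stays at `#pkts encaps: 0`, is the classic result of the IOS inside-to-outside order of operations: `ip nat inside source` translation happens before the outbound crypto map is checked, so if the NAT ACL also matches the LAN-to-LAN traffic, the packet arrives at the crypto map with the WAN address as its source and no longer matches the crypto ACL. The script below is an added example, not code from the original post; it models that ordering over the `access-list 1` from this post and the `ENIN_ROUTE_ACL` from the working config later in the thread. The address 198.51.100.10 is an assumed placeholder for the redacted Cis_WAN_IP, and only `ip` ACEs are modelled (no port-qualified tcp/udp entries).

```python
"""Model the IOS inside-to-outside order of operations for a site-to-site tunnel.

A packet from an 'ip nat inside' interface is translated by 'ip nat inside
source' BEFORE the outbound crypto map on the WAN interface is evaluated. If
the NAT ACL also matches the VPN traffic, the packet reaches the crypto map
with the router's WAN address as source, misses the crypto ACL and leaves
unencrypted, while ISAKMP itself is happily in QM_IDLE.
"""
import ipaddress

ANY = (0, 0xFFFFFFFF)  # address 0.0.0.0 with wildcard 255.255.255.255


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_spec(tokens, i):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_ace(line):
    """Parse a standard ('permit A W') or extended ('permit ip A W B W') ACE.
    Returns (action, src_spec, dst_spec), or None for remark lines."""
    tokens = line.split()
    if tokens[0] == "access-list":        # numbered-ACL prefix 'access-list N'
        tokens = tokens[2:]
    if tokens[0] == "remark":
        return None
    action, i = tokens[0], 1
    if tokens[i] == "ip":
        i += 1
    src, i = _take_spec(tokens, i)
    dst = ANY                              # standard ACL: any destination
    if i < len(tokens):
        dst, i = _take_spec(tokens, i)
    return action, src, dst


def _matches(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard 0-bits must match exactly
    return (_ip(addr) & care) == (base & care)


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for action, s, d in filter(None, map(parse_ace, acl)):
        if _matches(s, src) and _matches(d, dst):
            return action == "permit"
    return False


def forward(src, dst, nat_acl, crypto_acl, wan_ip):
    """Return (disposition, source address as the crypto map sees it)."""
    if acl_permits(nat_acl, src, dst):
        src = wan_ip                       # 'interface Fa0/0 overload' PAT
    if acl_permits(crypto_acl, src, dst):
        return "encrypted", src
    return "clear", src


# ACLs copied from the two configs in this thread.
CRYPTO_ACL = ["permit ip 192.168.46.0 0.0.0.255 192.168.1.0 0.0.0.255"]
NAT_ACL_FIRST_POST = [
    "access-list 1 remark SDM_ACL Category=18",
    "access-list 1 permit 192.168.46.0 0.0.0.255",
    "access-list 1 permit 10.1.1.0 0.0.0.7",
    "access-list 1 permit 192.168.1.0 0.0.0.255",
]
NAT_ACL_WORKING = [
    "deny   ip any host 255.255.255.255",
    "deny   ip host 255.255.255.255 any",
    "deny   ip 192.168.46.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "permit ip 192.168.46.0 0.0.0.255 any",
    "permit ip 10.1.1.0 0.0.0.7 any",
]
WAN_IP = "198.51.100.10"  # assumed placeholder for the redacted Cis_WAN_IP

if __name__ == "__main__":
    for name, nat in (("first post", NAT_ACL_FIRST_POST), ("working", NAT_ACL_WORKING)):
        print(name, "LAN->LAN ", forward("192.168.46.28", "192.168.1.10", nat, CRYPTO_ACL, WAN_IP))
        print(name, "LAN->inet", forward("192.168.46.28", "208.67.222.222", nat, CRYPTO_ACL, WAN_IP))
```

With the first post's ACL the LAN-to-LAN packet comes out as `('clear', '198.51.100.10')`: translated, never encrypted. With the later ACL's `deny ip 192.168.46.0 0.0.0.255 192.168.1.0 0.0.0.255` in front of the permits it comes out as `('encrypted', '192.168.46.28')`, while Internet-bound traffic is still translated. The same check is worth running against `show ip nat translations` on a live box: a translation entry for a 192.168.1.x destination means the NAT exemption is missing.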



Re: Setting up an IPsec VPN (cisco-2811, dlink DFL-800)

Post by Totem » 2009-06-15 17:22:36

Didn't manage it with a PIX, nor with ISA either.


Re: Setting up an IPsec VPN (cisco-2811, dlink DFL-800)

Post by galaxer » 2009-06-26 19:54:31

I did get it set up back then. BUT now I have one small problem. NetFlow doesn't count UDP!!!

Code:

gw1.eninnet.local#show ip cache flow | include 208.67.222.222  
Fa0/1.1       192.168.46.28   Null          208.67.222.222  11 04F0 0035     1 
Fa0/1.1       192.168.46.28   Null          208.67.222.222  11 04F1 0035     1 
Fa0/1.1       192.168.46.28   Null          208.67.222.222  11 04E4 0035     1

Code:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname gw1.xxxxxx.local
!
boot-start-marker
boot-end-marker
!
enable password 7 xxxx
!
no aaa new-model
!
resource policy
!
clock timezone Moscow 3
clock summer-time Moscow recurring last Sun Mar 2:00 last Sun Oct 2:00
clock calendar-valid
ip subnet-zero
ip wccp web-cache
ip tcp synwait-time 10
!
!
ip cef
!
!
ip domain name xxxxxxx.local
ip name-server #1
ip name-server #2
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
!
username xxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxx
username xxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxx
username xxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxxx
!         
! 
crypto logging session
!
! ISAKMP (IKE phase 1) policy: 3DES, MD5, pre-shared key, DH group 2, 8 h lifetime
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key eninnet address "remote external ip"
crypto isakmp keepalive 3600
crypto isakmp aggressive-mode disable
crypto ipsec optional retry 3600
!
!
! IPsec (phase 2) transform set: ESP with 3DES encryption and MD5-HMAC integrity
crypto ipsec transform-set COT esp-3des esp-md5-hmac
!
! crypto map without PFS this time (the first post's config had 'set pfs group2')
crypto map DFL800-1 10 ipsec-isakmp
 set peer "remote external ip"
 set security-association lifetime seconds 28800
 set transform-set COT
 match address VPN_ACL
!
!
!
interface Loopback1
 ip address 10.10.8.1 255.255.255.0
 ip route-cache policy
 ip route-cache flow
!
interface Loopback10
 ip address 10.10.10.2 255.255.255.0
 ip route-cache policy
 ip route-cache flow
!
interface FastEthernet0/0
 description internet
 ip address WAN
 ip nat outside
 ip virtual-reassembly
 ip route-cache policy
 ip policy route-map MAP
 duplex auto
 speed auto
 crypto map DFL800-1
!
interface FastEthernet0/1
 description lan
 no ip address
 ip virtual-reassembly
 ip route-cache policy
 no ip route-cache cef
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 description DMZ1
 encapsulation dot1Q 1 native
 ip address 192.168.46.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip wccp web-cache redirect in
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet0/1.2
 description DMZ2
 encapsulation dot1Q 2
 ip address 10.1.1.0 255.255.255.x
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface Virtual-Template1 
 no ip address
 peer default ip address pool pptp_pool
 no keepalive
 ppp encrypt mppe auto
 ppp authentication ms-chap
!
ip local pool pptp_pool PPTP-POOL
ip classless
ip route 0.0.0.0 0.0.0.0 my_gw
!
no ip http server
no ip http secure-server
ip nat inside source list ENIN_ROUTE_ACL interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.46.5 22 wan_ip 22 extendable
ip nat inside source static tcp 192.168.46.2 3389 wan_ip 3389 extendable
ip nat inside source static tcp 192.168.46.5 8080 wan_ip 8080 extendable
ip nat inside source static 10.1.1.2 wan_ip2
!
! NAT ACL: LAN-to-LAN traffic is excluded from translation so it reaches the
! crypto map with its original source address
ip access-list extended ENIN_ROUTE_ACL
 deny   ip any host 255.255.255.255
 deny   ip host 255.255.255.255 any
 deny   ip 192.168.46.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.46.0 0.0.0.255 any
 permit ip 10.1.1.0 0.0.0.7 any
! crypto ACL (implicit deny at the end)
ip access-list extended VPN_ACL
 permit ip 192.168.46.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended wccp-list
 permit tcp 192.168.46.0 0.0.0.255 any eq www
 deny   ip any any
!
access-list 108 permit ip any 192.168.46.0 0.0.0.255
access-list 108 deny   ip any any
route-map MAP permit 1
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxxx
 login
 transport input telnet ssh
line vty 5 15
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxxx
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180145
ntp server 192.168.46.5
!
end
galaxer
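The `show ip cache flow` output in the post above uses the IOS column layout SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts, with the protocol and both ports printed in hexadecimal: `11` is protocol 17 (UDP) and `0035` is port 53 (DNS), while `Null` as DstIf marks flows that were not recorded as leaving through an interface. The decoder below is an added example, not code from the original post; it parses such lines into readable 5-tuples and sums packets per decoded protocol and service. The sample input is constructed from the three lines in the post plus one TCP entry to 198.51.100.1 (a documentation address, not from the thread).

```python
"""Decode 'show ip cache flow' entries into readable 5-tuples and aggregate them.

IOS prints the protocol number and both ports in hexadecimal, so 'Pr 11' is
protocol 17 (UDP) and 'DstP 0035' is port 53 (DNS). Summing packets per decoded
protocol is the quick way to see which traffic classes the cache actually holds.
"""
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}
COLUMNS = ("src_if", "src", "dst_if", "dst", "proto", "sport", "dport", "pkts")

# Constructed sample: the three UDP entries from the post plus one TCP entry.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1.1       192.168.46.28   Null          208.67.222.222  11 04F0 0035     1
Fa0/1.1       192.168.46.28   Null          208.67.222.222  11 04F1 0035     1
Fa0/1.1       192.168.46.28   Null          208.67.222.222  11 04E4 0035     1
Fa0/1.1       192.168.46.5    Fa0/0         198.51.100.1    06 1F90 0050    12
"""


def parse_flow_line(line):
    """Return a dict for one cache entry, or None for header/blank lines."""
    fields = line.split()
    if len(fields) != 8 or not fields[7].isdigit():
        return None
    flow = dict(zip(COLUMNS, fields))
    flow["proto"] = int(flow["proto"], 16)           # Pr column is hex
    flow["proto_name"] = PROTO_NAMES.get(flow["proto"], str(flow["proto"]))
    flow["sport"] = int(flow["sport"], 16)           # SrcP column is hex
    flow["dport"] = int(flow["dport"], 16)           # DstP column is hex
    flow["pkts"] = int(flow["pkts"])
    return flow


def summarize(text):
    """Packets per decoded protocol, per (protocol, destination port), and the
    number of packets whose DstIf is Null."""
    flows = [f for f in map(parse_flow_line, text.splitlines()) if f]
    per_proto, per_service, null_dstif = Counter(), Counter(), 0
    for f in flows:
        per_proto[f["proto_name"]] += f["pkts"]
        per_service[(f["proto_name"], f["dport"])] += f["pkts"]
        if f["dst_if"] == "Null":
            null_dstif += f["pkts"]
    return {"flows": len(flows), "per_proto": dict(per_proto),
            "per_service": dict(per_service), "null_dstif_pkts": null_dstif}


if __name__ == "__main__":
    for f in filter(None, map(parse_flow_line, SAMPLE.splitlines())):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"{f['proto_name']} ({f['pkts']} pkts, out {f['dst_if']})")
    print(summarize(SAMPLE))
```

Piping the full `show ip cache flow` output (without the `| include` filter) through `summarize` gives a per-protocol packet count for the whole cache, which is the number to compare against what the collector at the `ip flow-export destination` reports.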