CISCO+microtik+ipsec=VPN
Posted: 07 Mar 2013, 20:13
There is a Cisco with a public IP xxx.xxx.xxx.xxx/32 and the subnet 192.168.240.0/24 behind it; a crypto map is configured that is known to work, with these parameters:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
SHA
crypto ipsec transform-set TRANS01 esp-3des esp-sha-hmac
There is a MikroTik rb750ub with the subnet 10.33.18.0/24 behind it.
On the MikroTik I enter these parameters:
/ip ipsec peer
add address=xxх.xxх.xxх.xxх/32 auth-method=pre-shared-key comment=remote-peer dh-group=modp1024 disabled=no dpd-interval=5s dpd-maximum-failures=10 enc-algorithm=3des \
exchange-mode=aggressive generate-policy=no hash-algorithm=sh1 lifebytes=0 lifetime=1h my-id-user-fqdn="" nat-traversal=yes port=500 proposal-check=obey secret=mycesret\
derkey send-initial-contact=yes
/ip ipsec proposal
add auth-algorithms=sh1 disabled=no enc-algorithms=3des lifetime=86400s name=tset1 pfs-group=non
/ip ipsec policy
add action=encrypt comment="servers vlan" disabled=no dst-address=192.168.240.0/24 dst-port=any ipsec-protocols=esp level=unique priority=1 proposal=tset protocol=all \
sa-dst-address=xx.xx.xx.xx sa-src-address=0.0.0.0 src-address=10.33.18.0/24 src-port=any tunnel=yes
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.240.0/24 src-address=10.33.18.0/24 place-before 0
In theory there should be a connection under remote peer..... there isn't... where should I dig?
I followed this: http://twistedminds.ru/2012/08/s2s-ipse ... tik-cisco/
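Before reading debug logs on either box, the first thing to rule out on a Cisco/MikroTik IKEv1 tunnel is a plain parameter mismatch between the two sides. The script below is an added example for this thread, not code from the original post or from either vendor: it parses the poster's `show crypto isakmp policy` output and transform set on one side and the `/ip ipsec` export on the other (re-joining the `\`-continued lines the way RouterOS does), normalises both to one spelling, and lists every value that cannot match. The embedded inputs are copied from the post (the addresses and secret are the poster's own placeholders, with plain ASCII x's); the sets of valid RouterOS values are an assumption for RouterOS 5.x/6.x and are not exhaustive. Run against the posted config it flags `hash-algorithm=sh1` and `auth-algorithms=sh1` (RouterOS spells it `sha1`), `pfs-group=non` (RouterOS spells it `none`), and a policy that references proposal `tset` while the only proposal defined is `tset1`; the 1h-versus-86400s phase 1 lifetime and the aggressive exchange mode are reported as things to confirm rather than as errors.

```python
"""Cross-check IKEv1 phase 1 / phase 2 parameters of a Cisco IOS crypto-map peer
against a MikroTik RouterOS /ip ipsec export.  Added example for this thread,
not code from the original post; the ROS_VALID sets are an assumed, partial
list of RouterOS 5.x/6.x enumerations."""
import re
import shlex

# Constructed sample input, copied from the post (placeholders kept as-is).
CISCO_SHOW_ISAKMP = """\
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
"""
CISCO_TRANSFORM_SET = "crypto ipsec transform-set TRANS01 esp-3des esp-sha-hmac"
MIKROTIK_EXPORT = r"""
/ip ipsec peer
add address=xxx.xxx.xxx.xxx/32 auth-method=pre-shared-key comment=remote-peer dh-group=modp1024 disabled=no dpd-interval=5s dpd-maximum-failures=10 enc-algorithm=3des \
exchange-mode=aggressive generate-policy=no hash-algorithm=sh1 lifebytes=0 lifetime=1h my-id-user-fqdn="" nat-traversal=yes port=500 proposal-check=obey secret=mycesret\
derkey send-initial-contact=yes
/ip ipsec proposal
add auth-algorithms=sh1 disabled=no enc-algorithms=3des lifetime=86400s name=tset1 pfs-group=non
/ip ipsec policy
add action=encrypt comment="servers vlan" disabled=no dst-address=192.168.240.0/24 dst-port=any ipsec-protocols=esp level=unique priority=1 proposal=tset protocol=all \
sa-dst-address=xx.xx.xx.xx sa-src-address=0.0.0.0 src-address=10.33.18.0/24 src-port=any tunnel=yes
"""

CISCO_NAMES = {  # `show crypto isakmp policy` wording -> RouterOS spelling
    "Three key triple DES": "3des", "Secure Hash Standard": "sha1", "Pre-Shared Key": "pre-shared-key",
}
ROS_VALID = {  # assumption: subset of the RouterOS 5.x/6.x value lists
    "enc-algorithm": {"des", "3des", "aes-128", "aes-192", "aes-256"},
    "hash-algorithm": {"md5", "sha1"},
    "enc-algorithms": {"null", "des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc"},
    "auth-algorithms": {"null", "md5", "sha1"},
    "pfs-group": {"none", "modp768", "modp1024", "modp1536", "modp2048"},
}

def parse_routeros_export(text):
    """{section: [{key: value}, ...]}.  A trailing backslash continues the line and
    the newline itself is dropped, so 'secret=mycesret\\' + 'derkey' re-joins."""
    sections, current = {}, None
    for line in re.sub(r"\\\n", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.startswith("add "):
            entry = {}
            for tok in shlex.split(line[4:]):     # handles comment="servers vlan"
                key, _, val = tok.partition("=")
                entry[key] = val
            sections[current].append(entry)
    return sections

def parse_cisco_isakmp(show_output):
    """Phase 1 parameters from `show crypto isakmp policy`, in RouterOS spelling."""
    p = {}
    for line in show_output.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "encryption algorithm":
            p["enc"] = CISCO_NAMES.get(val, val)
        elif key == "hash algorithm":
            p["hash"] = CISCO_NAMES.get(val, val)
        elif key == "authentication method":
            p["auth"] = CISCO_NAMES.get(val, val)
        elif key == "diffie-hellman group":
            p["dh"] = "modp" + re.search(r"\((\d+) bit\)", val).group(1)
        elif key == "lifetime":
            p["lifetime"] = int(re.search(r"(\d+) seconds", val).group(1))
    return p

def parse_cisco_transform_set(line):
    """'crypto ipsec transform-set NAME esp-3des esp-sha-hmac' -> ESP enc/auth."""
    ts = {"enc": None, "auth": None}
    for word in line.split()[4:]:
        if word.endswith("-hmac"):        # esp-sha-hmac -> sha1
            ts["auth"] = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}.get(word, word)
        elif word.startswith("esp-"):     # esp-3des -> 3des
            ts["enc"] = word[4:]
    return ts

def routeros_seconds(value):
    """RouterOS time literal ('1h', '86400s', '1d2h') -> seconds."""
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1, "": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([dhms]?)", value))

def compare(cisco_p1, cisco_ts, ros):
    """[(severity, message)] for every value that cannot, or might not, match."""
    findings = []
    def valid(entry, key, where):
        val = entry.get(key, "")
        if val in ROS_VALID[key]:
            return True
        findings.append(("error", f"{where}: {key}={val!r} is not a RouterOS value, expected one of {sorted(ROS_VALID[key])}"))
        return False
    def same(where, what, ours, theirs):
        if ours != theirs:
            findings.append(("error", f"{where}: {what} differs, Cisco {theirs} vs MikroTik {ours}"))
    peer = ros["/ip ipsec peer"][0]
    if valid(peer, "enc-algorithm", "peer"):
        same("peer", "encryption", peer["enc-algorithm"], cisco_p1["enc"])
    if valid(peer, "hash-algorithm", "peer"):
        same("peer", "hash", peer["hash-algorithm"], cisco_p1["hash"])
    same("peer", "DH group", peer.get("dh-group"), cisco_p1["dh"])
    same("peer", "authentication", peer.get("auth-method"), cisco_p1["auth"])
    if routeros_seconds(peer.get("lifetime", "1d")) != cisco_p1["lifetime"]:
        findings.append(("info", f"peer: phase 1 lifetime {peer.get('lifetime')} vs Cisco {cisco_p1['lifetime']}s (proposal-check={peer.get('proposal-check')})"))
    if peer.get("exchange-mode", "main") != "main":
        findings.append(("info", f"peer: exchange-mode={peer['exchange-mode']}; the Cisco side must accept that mode for this peer"))
    proposals = {}
    for prop in ros["/ip ipsec proposal"]:
        proposals[prop["name"]] = prop
        where = f"proposal {prop['name']}"
        if valid(prop, "enc-algorithms", where):
            same(where, "ESP encryption", prop["enc-algorithms"], cisco_ts["enc"])
        if valid(prop, "auth-algorithms", where):
            same(where, "ESP integrity", prop["auth-algorithms"], cisco_ts["auth"])
        if valid(prop, "pfs-group", where) and prop["pfs-group"] != "none":
            findings.append(("info", f"{where}: PFS {prop['pfs-group']} needs a matching 'set pfs' in the Cisco crypto map"))
    for pol in ros["/ip ipsec policy"]:
        if pol.get("proposal") not in proposals:
            findings.append(("error", f"policy {pol.get('comment')}: references proposal {pol.get('proposal')!r}, defined: {sorted(proposals)}"))
    return findings

def audit_posted_configs():
    return compare(parse_cisco_isakmp(CISCO_SHOW_ISAKMP),
                   parse_cisco_transform_set(CISCO_TRANSFORM_SET),
                   parse_routeros_export(MIKROTIK_EXPORT))

if __name__ == "__main__":
    for severity, message in audit_posted_configs():
        print(f"[{severity}] {message}")
```

The checker deliberately validates each RouterOS value against the known enumeration before comparing it with the Cisco side, because a misspelled value never reaches the wire: it is either rejected when the line is entered or silently leaves the peer or proposal incomplete, and in both cases the Cisco side sees no proposal to log a mismatch for.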