Networking question: VPN

  • Question

  • Comrades, I need help from someone who knows Cisco.

    Here is the situation: there is an ASA 5515 on one side and a Kerio on the other. I am building an IPsec VPN tunnel with a pre-shared key. The tunnel comes up, but traffic does not pass in either direction. I no longer know where to dig. Here is the config:

    ASA Version 9.5(1)
    !
    hostname ASA-2
    domain-name ****************
    enable password ************** encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd ****************** encrypted
    names
    !
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    ip address ************* 255.255.252.0
    !
    interface GigabitEthernet0/1
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/2
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/2.1
    vlan 1
    nameif vlan1
    security-level 0
    ip address ************* 255.255.255.0
    !
    interface GigabitEthernet0/2.2
    vlan 20
    nameif vlan20
    security-level 0
    ip address ************** 255.255.255.0
    !
    interface GigabitEthernet0/2.3
    no vlan
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/4
    nameif Backup(gars)
    security-level 0
    ip address bbb.bbb.bbb.bbb 255.255.255.240
    !
    interface GigabitEthernet0/5
    nameif Megafon
    security-level 0
    ip address aaa.aaa.aaa.aaa 255.255.255.240
    !
    interface Management0/0
    management-only
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    boot system disk0:/asa951-smp-k8.bin
    ftp mode passive
    clock timezone MSK/MSD 3
    clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name mangazeya.local
    object network NETWORK_OBJ_10.10.120.0_24
    subnet 10.10.120.0 255.255.255.0
    object network NETWORK_OBJ_192.168.68.0_22
    subnet 192.168.68.0 255.255.252.0
    access-list Megafon_cryptomap extended permit ip 192.168.68.0 255.255.252.0 10.10.120.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu vlan1 1500
    mtu vlan20 1500
    mtu management 1500
    mtu Megafon 1500
    mtu Backup(gars) 1500
    no failover
    no monitor-interface service-module
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-751.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,Megafon) source static NETWORK_OBJ_192.168.68.0_22 NETWORK_OBJ_192.168.68.0_22 destination static NETWORK_OBJ_10.10.120.0_24 NETWORK_OBJ_10.10.120.0_24 no-proxy-arp route-lookup
    nat (inside,Backup(gars)) source static NETWORK_OBJ_192.168.68.0_22 NETWORK_OBJ_192.168.68.0_22 destination static NETWORK_OBJ_10.10.120.0_24 NETWORK_OBJ_10.10.120.0_24 no-proxy-arp route-lookup
    route Megafon 0.0.0.0 0.0.0.0 aaa.aaa.aaa.aaa 1 track 1
    route Backup(gars) 0.0.0.0 0.0.0.0 bbb.bbb.bbb.bbb 254
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http ********* 255.255.255.0 management
    http ********* 255.255.252.0 inside
    no snmp-server location
    no snmp-server contact
    sla monitor 1
    type echo protocol ipIcmpEcho 8.8.8.8 interface Megafon
    num-packets 3
    frequency 10
    sla monitor schedule 1 life forever start-time now

    crypto map Megafon_map 1 match address Megafon_cryptomap
    crypto map Megafon_map 1 set peer aaa.aaa.aaa.aaa
    crypto map Megafon_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map Megafon_map 1 set reverse-route
    crypto map Megafon_map interface Megafon
    crypto ca trustpool policy
    crypto ikev1 enable Megafon
    crypto ikev1 enable Backup(gars)
    crypto ikev1 policy 10
    !
    track 1 rtr 1 reachability
    telnet timeout 5
    ssh stricthostkeycheck
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group14-sha1
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    !
    tls-proxy maximum-session 500
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    group-policy GroupPolicy_aaa.aaa.aaa.aaa internal
    group-policy GroupPolicy_aaa.aaa.aaa.aaa attributes
    vpn-tunnel-protocol ikev1
    dynamic-access-policy-record DfltAccessPolicy
    username lankey password *************** encrypted privilege 15
    tunnel-group aaa.aaa.aaa.aaa type ipsec-l2l
    tunnel-group aaa.aaa.aaa.aaa general-attributes
    default-group-policy GroupPolicy_aaa.aaa.aaa.aaa
    tunnel-group aaa.aaa.aaa.aaa ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:20423bfc002f13ac52283774a1713c21
    : end
    ASA-2#

    Here is what the Cisco reports about the tunnel state:

    ASA-2# sh vpn-sessiondb detail l2l

    Session Type: LAN-to-LAN Detailed

    Connection   : aaaaaaaaaaaa
    Index        : 122                    IP Addr      : 185.6.172.106
    Protocol     : IKEv1 IPsec
    Encryption   : IKEv1: (1)3DES  IPsec: (1)3DES
    Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
    Bytes Tx     : 0                      Bytes Rx     : 3192
    Login Time   : 16:24:43 MSK/MDD Tue Aug 29 2017
    Duration     : 0h:07m:28s

    IKEv1 Tunnels: 1
    IPsec Tunnels: 1

    IKEv1:
      Tunnel ID    : 122.1
      UDP Src Port : 500                    UDP Dst Port : 500
      IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
      Encryption   : 3DES                   Hashing      : SHA1
      Rekey Int (T): 10800 Seconds          Rekey Left(T): 10352 Seconds
      D/H Group    : 5
      Filter Name  :

    IPsec:
      Tunnel ID    : 122.2
      Local Addr   : 192.168.68.0/255.255.252.0/0/0
      Remote Addr  : 10.10.120.0/255.255.255.0/0/0
      Encryption   : 3DES                   Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 3600 Seconds           Rekey Left(T): 3153 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607997 K-Bytes
      Idle Time Out: 30 Minutes             Idle TO
      Bytes Tx     : 0                      Bytes Rx     : 3192
      Pkts Tx      : 0                      Pkts Rx      : 63

    The transferred bytes are zero, which is worrying, but I cannot work out the reason.

    29 August 2017, 13:36
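As an added troubleshooting aid (not part of the post, and not Cisco's tooling), the script below parses the crypto ACL, the identity NAT statement and the `show vpn-sessiondb detail l2l` output quoted above and flags the mismatch classes that typically leave a tunnel up but carrying traffic in only one direction: Phase 2 selectors that differ from the crypto ACL, a missing NAT exemption for the tunnel subnets, and a zero Tx counter beside a non-zero Rx counter. The function names are my own and the sample strings are constructed from the post's lines.

```python
import re
from ipaddress import ip_network
# Constructed sample: the relevant lines, copied from the config and session output quoted in the post.
CONFIG = """\
object network NETWORK_OBJ_10.10.120.0_24
 subnet 10.10.120.0 255.255.255.0
object network NETWORK_OBJ_192.168.68.0_22
 subnet 192.168.68.0 255.255.252.0
access-list Megafon_cryptomap extended permit ip 192.168.68.0 255.255.252.0 10.10.120.0 255.255.255.0
nat (inside,Megafon) source static NETWORK_OBJ_192.168.68.0_22 NETWORK_OBJ_192.168.68.0_22 destination static NETWORK_OBJ_10.10.120.0_24 NETWORK_OBJ_10.10.120.0_24 no-proxy-arp route-lookup
"""
SESSION = """\
  Local Addr   : 192.168.68.0/255.255.252.0/0/0
  Remote Addr  : 10.10.120.0/255.255.255.0/0/0
  Pkts Tx      : 0                      Pkts Rx      : 63
"""

def net(addr, mask):
    return ip_network(f"{addr}/{mask}", strict=False)

def crypto_acl(config, name):
    """(src, dst) pairs permitted by the crypto ACL; these become the Phase 2 proxy IDs."""
    pat = rf"access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(net(a, m), net(b, n)) for a, m, b, n in re.findall(pat, config)]

def identity_nat(config, ifaces):
    """(src, dst) pairs exempted from NAT by 'source static X X destination static Y Y' on ifaces."""
    objs = {o: net(a, m) for o, a, m in re.findall(r"object network (\S+)\n\s*subnet (\S+) (\S+)", config)}
    pat = rf"nat \({re.escape(ifaces)}\) source static (\S+) \1 destination static (\S+) \2"
    return [(objs[s], objs[d]) for s, d in re.findall(pat, config)]

def session(text):
    """Negotiated selectors and packet counters from 'show vpn-sessiondb detail l2l'."""
    sel = dict(re.findall(r"(Local|Remote) Addr\s*:\s*(\S+)", text))
    pkts = {d: int(v) for d, v in re.findall(r"Pkts (Tx|Rx)\s*:\s*(\d+)", text)}
    local, remote = (net(*sel[k].split("/")[:2]) for k in ("Local", "Remote"))
    return local, remote, pkts

def diagnose(config, acl_name, ifaces, sess_text):
    """Findings for one L2L SA; an empty list means config and live SA agree and traffic flows both ways."""
    local, remote, pkts = session(sess_text)
    findings = []
    if (local, remote) not in crypto_acl(config, acl_name):
        findings.append("negotiated selectors differ from the crypto ACL")
    if (local, remote) not in identity_nat(config, ifaces):
        findings.append("tunnel subnets lack an identity NAT exemption")
    if pkts["Tx"] == 0 < pkts["Rx"]:
        findings.append("one-way: peer packets decrypt but nothing is encrypted locally (check routing/NAT)")
    return findings
```

Run against the post's own output it reports only the one-way finding, which points at the ASA's local side (routing or NAT toward 10.10.120.0/24) rather than at Phase 1 or Phase 2 negotiation.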