Есть вот такая сеть с двумя cisco роутерами
На 871 такой конфиг:
871:
version 12.4
! Global services, hostname, privileged-mode secret and clock settings.
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption disabled, type 0 passwords stay in
! cleartext in the stored config (see "ppp chap password 0" under Dialer0).
! "service password-encryption" only yields reversible type 7 obfuscation,
! but it does keep such values from being read off a screen or a pasted config.
no service password-encryption
! NOTE(review): "service internal" exposes hidden/internal commands;
! presumably left over from troubleshooting - confirm it is still needed.
service internal
!
hostname V871_router
!
boot-start-marker
boot-end-marker
!
! Type 5 = salted MD5 hash. The value shown appears to be a placeholder put in
! by the poster; a real hash should be redacted the same way before publishing.
enable secret 5 secret
!
! No AAA: logins are checked only against the local username database / line config.
no aaa new-model
!
resource policy
!
clock timezone Moscow 3
clock summer-time Moscow recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
no ip gratuitous-arps
ip cef
!
!
! DHCP server for the inside LAN 10.1.1.0/24.
no ip dhcp use vrf connected
! .1-.99 are kept out of the dynamic range; this also covers the PPTP client
! pool 10.1.1.50-10.1.1.75 defined by "ip local pool VPN", so the two do not overlap.
ip dhcp excluded-address 10.1.1.1 10.1.1.99
! .200 is the host published through the static NAT entries (RDP/SMB).
ip dhcp excluded-address 10.1.1.200
!
ip dhcp pool LAN
network 10.1.1.0 255.255.255.0
! Clients use the router itself as resolver (see "ip dns server") and gateway.
dns-server 10.1.1.1
default-router 10.1.1.1
!
!
! Name resolution, SSH version and the dynamic-DNS update method.
ip domain name router.com
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip multicast-routing
! SSHv2 only - keeps the weaker SSHv1 protocol disabled.
ip ssh version 2
ip ddns update method DNSupdate
HTTP
! NOTE(review): the account name and password are embedded in a plain http://
! URL, so they cross the ISP network unencrypted on every update and sit in
! cleartext in the config. Use a credential that is valid only for DDNS updates
! and redact it when sharing the config (the values here look redacted already).
add http://zzzzz:login@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
remove http://zzzzzzz:login@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
interval maximum 1 0 0 0
!
! VPDN: one outbound PPTP session (used by Dialer0) and one inbound PPTP server.
vpdn enable
!
! Outbound PPTP client towards 192.168.117.249; bound to Dialer0 through
! rotary-group 0 - presumably the ISP access concentrator.
vpdn-group 1
request-dialin
protocol pptp
rotary-group 0
initiate-to ip 192.168.117.249
!
! NOTE(review): inbound PPTP server. No source restriction is configured for
! this group, and Dialer0 carries no inbound ACL, so the PPTP listener appears
! reachable from any address. PPTP security rests entirely on the PPP settings
! of Virtual-Template1; see the authentication/MPPE remarks there.
vpdn-group VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
! Local account (used by "login local" on the vty lines) stored as a type 5 hash;
! the value shown appears to be a placeholder.
username user secret 5 secret
! Configuration change logging; "hidekeys" keeps passwords and keys out of the
! logged command text.
archive
log config
logging enable
hidekeys
!
!
!
! IKE phase 1 policy, pre-shared key, IPsec transform set and the dynamic crypto map.
! NOTE(review): no "group" or "hash" line is present, so the IOS 12.4 defaults
! apply - believed to be Diffie-Hellman group 1 (768-bit) and SHA-1; confirm with
! "show crypto isakmp policy". 3DES with DH group 1 is weak by current standards;
! AES with a larger DH group (e.g. "group 5") is preferable if both peers support it.
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 28800
! NOTE(review): wildcard pre-shared key - any source address that knows the key
! is accepted as an IKE peer, and the key is stored in cleartext in the config.
! Use a long random key, bind it to the peer address where the peer is static,
! or move to certificate authentication.
crypto isakmp key my_key address 0.0.0.0 0.0.0.0
!
!
! NOTE(review): the set combines AH with ESP. AH covers the outer IP header and
! is not carried by NAT-T, so it fails if any NAT sits between the peers.
! esp-aes 256 + esp-sha-hmac already provides confidentiality and integrity;
! AH adds little here - verify whether it is really required.
crypto ipsec transform-set MYSET ah-sha-hmac esp-aes 256 esp-sha-hmac
!
! Dynamic map: this router only responds to peers; it cannot initiate the tunnel.
crypto dynamic-map hq-vpn 10
set security-association lifetime seconds 28800
set transform-set MYSET
! Interesting traffic = ACL 100 (10.1.1.0/24 -> 10.1.2.0/24). Traffic must still
! carry its original 10.1.1.x source when it reaches the crypto map - see the
! NAT rules, which currently translate it first.
match address 100
!
!
!
!
crypto map VPNMAP 1 ipsec-isakmp dynamic hq-vpn
!
!
!
!
! FastEthernet0-3: switch ports left at defaults (members of Vlan1 by default on
! this platform - presumably; confirm).
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! FastEthernet4: WAN port towards the provider's local network (address via DHCP).
interface FastEthernet4
mac-address 0015.5898.dd6a
ip address dhcp client-id FastEthernet4
! Inbound filter for the published RDP/SMB ports. Note the ACL ends with
! "permit ip any any", so every other service on the router itself stays
! reachable from this network.
ip access-group RDP in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
! Template cloned for each inbound PPTP client.
interface Virtual-Template1
! Clients borrow Vlan1's address and get an IP from pool VPN (10.1.1.50-75),
! i.e. they land directly inside the LAN subnet with no filter between them
! and the LAN hosts.
ip unnumbered Vlan1
peer default ip address pool VPN
no keepalive
! NOTE(review): "auto" without the "required" keyword lets a session come up
! with no MPPE encryption at all if negotiation does not succeed.
ppp encrypt mppe auto
! NOTE(review): PAP is offered first and sends the password in cleartext; MPPE
! keys are derived only from MS-CHAP exchanges, so a PAP or CHAP session is
! unencrypted. Restrict this to "ms-chap-v2" if PPTP must stay, and treat PPTP
! as a legacy protocol. Also, CHAP/MS-CHAP need a recoverable password, so the
! only local user (stored as a type 5 secret) can presumably authenticate via
! PAP only - verify.
ppp authentication pap chap ms-chap ms-chap-v2
!
! Inside LAN gateway interface.
interface Vlan1
ip address 10.1.1.1 255.255.255.0
ip nat inside
! NOTE(review): "ip nat enable" (NVI NAT) is configured alongside the classic
! "ip nat inside"; the NAT rules in this config are all of the inside/outside
! kind. Mixing both modes makes translation behaviour harder to reason about -
! confirm it is intended.
ip nat enable
ip virtual-reassembly
!
! Internet uplink: PPP over the outbound PPTP session (vpdn-group 1).
! NOTE(review): no "ip access-group ... in" is applied here, so SSH, the DNS
! server, NTP and the PPTP listener on this router are reachable from the
! Internet side without any filtering.
interface Dialer0
mtu 1440
ip ddns update hostname router.ddns.com
ip ddns update DNSupdate
ip address negotiated
! NOTE(review): PIM dense mode on the Internet-facing interface - presumably
! for the provider's multicast service; confirm it is needed.
ip pim dense-mode
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1400
dialer in-band
dialer idle-timeout 0
dialer string kerch.net
dialer vpdn
dialer-group 1
no cdp enable
ppp chap hostname login
! NOTE(review): type 0 = stored in cleartext. Redact before sharing the config
! and restrict who can read the running/startup config.
ppp chap password 0 passwd
! IPsec is applied on this interface only. Packets are checked against the
! crypto ACL after NAT has already run on the way out.
crypto map VPNMAP
!
! Address pool for PPTP clients, static routes, router services and NAT rules.
ip local pool VPN 10.1.1.50 10.1.1.75
! "ip default-gateway" is only used when IP routing is disabled; it points at
! the router's own Vlan1 address and has no effect here.
ip default-gateway 10.1.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.0.0 FastEthernet4 dhcp
!
! NOTE(review): the built-in DNS server is believed to answer on every
! interface. With no inbound ACL on Dialer0 and "permit ip any any" at the end
! of ACL RDP, the router can act as an open resolver for outside hosts - filter
! UDP/TCP 53 on the outside interfaces.
ip dns server
!
! Web management disabled on both HTTP and HTTPS.
no ip http server
no ip http secure-server
! NOTE(review): SMB/NetBIOS (445, 137-139) and RDP (3389) of 10.1.1.200 are
! published on FastEthernet4. ACL RDP limits the sources, but these services
! are high-risk to expose at all; reaching them through the VPN is safer.
! 137/138 are UDP services in NetBIOS, while these entries forward TCP only.
ip nat inside source static tcp 10.1.1.200 445 interface FastEthernet4 445
ip nat inside source static tcp 10.1.1.200 139 interface FastEthernet4 139
ip nat inside source static tcp 10.1.1.200 138 interface FastEthernet4 138
ip nat inside source static tcp 10.1.1.200 137 interface FastEthernet4 137
! NOTE(review): route-map INTERNET matches the standard ACL INSIDE_NAT, which
! permits 10.1.1.0/24 to ANY destination. Outbound NAT runs before the crypto
! map check, so LAN traffic to 10.1.2.0/24 is translated to the Dialer0 address,
! no longer matches crypto ACL 100, and leaves unencrypted instead of entering
! the tunnel. This is the likely reason the tunnel is up but no traffic passes.
! The NAT match needs an extended ACL that denies 10.1.1.0/24 -> 10.1.2.0/24
! before permitting the rest.
ip nat inside source route-map INTERNET interface Dialer0 overload
ip nat inside source route-map LOCAL interface FastEthernet4 overload
ip nat inside source static tcp 10.1.1.200 3389 interface FastEthernet4 3389
!
! ACLs: NAT source match, inbound filter for FastEthernet4, crypto ACL, dialer list.
! NOTE(review): a standard ACL matches on source only, so it selects LAN traffic
! to every destination for NAT - including 10.1.2.0/24, which should bypass NAT
! and go into the IPsec tunnel. An extended ACL with a leading deny for
! 10.1.1.0/24 -> 10.1.2.0/24 is needed for the NAT exemption.
ip access-list standard INSIDE_NAT
permit 10.1.1.0 0.0.0.255
!
! Applied inbound on FastEthernet4: only the listed hosts may reach the
! published RDP and SMB/NetBIOS ports.
ip access-list extended RDP
permit tcp host 192.168.104.109 any eq 3389
permit tcp host 192.168.138.152 any eq 3389
permit tcp host 192.168.74.130 any eq 3389
permit tcp host 192.168.138.152 any range 137 139
permit tcp host 192.168.138.152 any eq 445
permit tcp host 192.168.74.130 any range 137 139
permit tcp host 192.168.74.130 any eq 445
! Only the RDP deny is logged; blocked SMB/NetBIOS attempts leave no trace.
deny tcp any any eq 3389 log
deny tcp any any range 137 139
deny tcp any any eq 445
! NOTE(review): default-permit. Everything not listed above - including SSH,
! DNS and PPTP on the router itself - is allowed from the FastEthernet4 network.
! A default-deny ACL that permits only the required flows is safer.
permit ip any any
!
! Crypto ACL referenced by dynamic-map hq-vpn: local LAN -> remote LAN.
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
! Route-maps that pick the NAT rule by egress interface.
! NOTE(review): both match ACL INSIDE_NAT, which selects by source address only,
! so traffic from the LAN to the remote VPN subnet 10.1.2.0/24 is also selected
! for translation when it leaves through Dialer0.
route-map INTERNET permit 10
match ip address INSIDE_NAT
match interface Dialer0
!
route-map LOCAL permit 10
match ip address INSIDE_NAT
match interface FastEthernet4
!
!
! Control plane, management lines and NTP.
control-plane
!
!
! NOTE(review): no "login" or password is configured on the console or aux
! line, so physical access presumably gives a user-mode prompt without
! authentication - confirm and add "login local" if so.
line con 0
logging synchronous
no modem enable
line aux 0
! Remote management: local usernames, SSH only (Telnet is not accepted).
! NOTE(review): no "access-class" limits the source addresses, and no inbound
! ACL on Dialer0 blocks port 22, so SSH login is exposed to the Internet.
! Restrict it to management addresses.
line vty 0 4
login local
transport input ssh
!
scheduler max-task-time 5000
! "ntp clock-period" is normally written by IOS itself rather than by the operator.
ntp clock-period 17175059
! NOTE(review): "ntp master" makes the router serve time, and neither NTP
! authentication nor "ntp access-group" is configured, so it presumably answers
! NTP requests from any interface, including the outside ones. Limit who may
! query it if the LAN is the only intended client.
ntp master
ntp server 67.215.65.132
ntp server 91.236.251.12
end
Тоннель между роутерами поднимается успешно, но трафик между сетями не идет.
Пропинговать что-то в другой сети не получается.
Что не так и как это исправить?