!
! ASA L2L (site-to-site) IPsec configuration excerpt. Ethernet0/0 is placed in
! VLAN 2 (the outside SVI); Ethernet0/1 and 0/2 carry no configuration here,
! so they fall back to the default VLAN.
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
! Inside SVI: highest trust level (100), 10.10.1.0/24 is the local protected net.
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
! Outside SVI: lowest trust level (0); /30 point-to-point towards the peer 192.168.3.2.
interface Vlan2
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.252
! Crypto ACL (interesting traffic). NOTE(review): this line is cut off in the
! paste; the encrypt rule in the packet-tracer output below shows dst 10.10.2.0/24,
! so it presumably reads "... 10.10.2.0 255.255.255.0" -- confirm on the device.
access-list outside_1_cryptomap extended permit ip 10.10.1.0 255.255.255.0 10.10
! Phase 2 proposal: single DES (56-bit) with HMAC-SHA1. DES is brute-forceable
! and should not protect traffic; prefer esp-aes-256 with esp-sha-hmac (or a
! SHA-2 HMAC where both peers support it) and change it on both ends together.
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Crypto map entry 1: match the ACL above, PFS on, peer 192.168.3.2, DES proposal.
crypto map outside_map 1 match address outside_1_cryptomap
! NOTE(review): no DH group is given for PFS, so the platform default applies --
! confirm it matches what the peer is configured with.
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.3.2
crypto map outside_map 1 set transform-set ESP-DES-SHA
! NOTE(review): the second packet-tracer below injects a clear-text ICMP packet on
! outside that matches this crypto ACL; the ASA expects such traffic to arrive
! encrypted, so a DROP in ipsec-tunnel-flow is expected for that simulation and
! does not by itself prove a fault. Phase 1 is MM_ACTIVE below; check phase 2
! with "show crypto ipsec sa" (SAs present, encaps/decaps counters moving).
! The tunnel-group / pre-shared key and any NAT exemption for 10.10.1.0/24 <->
! 10.10.2.0/24 are not in this paste -- verify they exist.
crypto map outside_map interface outside
crypto isakmp enable outside
! Phase 1 (IKEv1) policy: PSK, DES, SHA1, DH group 2 (1024-bit), 24h lifetime.
! DES and group 2 are weak by current standards; prefer aes-256 and group 14 or
! higher, keeping both peers' policies in lockstep so the tunnel re-establishes.
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
Соединение поднялось, но пакеты не ходят(
packet-tracer input inside icmp 10.10.1.5 1 1 10.10.2.7 detail
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc9bf9b68, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x6d86c, cs_id=0xc6b83d30, reverse, flags=0x0, protocol=0
src ip=10.10.1.0, mask=255.255.255.0, port=0
dst ip=10.10.2.0, mask=255.255.255.0, port=0, dscp=0x0
packet-tracer input outside icmp 10.10.2.7 1 1 10.10.1.5 detail
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9e13988, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x9cee4, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.10.2.0, mask=255.255.255.0, port=0
dst ip=10.10.1.0, mask=255.255.255.0, port=0, dscp=0x0
# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.3.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE