static route-leaking между VRF

Надо было организовать обмен трафиком между двумя хостами в разных VRF. Сделано статическими маршрутами /32, которые указывают на интерфейс в соседнем VRF:
!
! Two VRFs on the same device. Neither VRF imports the route-target the other
! one exports (VPN1 exports 200:202, VPN2 exports 200:251), so in the part shown
! here no routes pass between them through route-targets.
ip vrf VPN1
rd 200:202
route-target export 200:202
route-target import 200:255
route-target import 200:300
!
ip vrf VPN2
rd 200:251
route-target export 200:251
route-target import 200:300
!
! Static leak, VPN1 -> VPN2: a /32 host route installed in VPN1 whose egress
! interface (Vlan902) is bound to VPN2 further down.
ip route vrf VPN1 192.168.50.12 255.255.255.255 Vlan902 192.168.50.12
!
! Return path, VPN2 -> VPN1: a /32 host route installed in VPN2 whose egress
! interface (Vlan697) is bound to VPN1.
ip route vrf VPN2 192.168.150.132 255.255.255.255 Vlan697 192.168.150.132
! NOTE(review): keeping both leaks at /32 limits what crosses the VRF boundary
! to these two addresses, but a route is not a filter: any host in VPN1 can send
! packets to 192.168.50.12, and any host in VPN2 to 192.168.150.132. No ACL is
! shown on either SVI; if only this host pair is meant to talk, add one and
! restrict it to the required protocols/ports.
!
!
! SVI in VRF VPN2; 192.168.50.12 (target of the first leaked route) is inside
! this /25.
interface Vlan902
description VPN2_Servers
ip vrf forwarding VPN2
ip address 192.168.50.1 255.255.255.128
!
! SVI in VRF VPN1; 192.168.150.132 (target of the second leaked route) is inside
! this /27.
interface Vlan697
description VPN1_Servers
ip vrf forwarding VPN1
ip address 192.168.150.129 255.255.255.224
!

IPsec VPN между Cisco и Linux через crypto ipsec profile (без crypto-map)

Стянуто отсюда:
http://community.livejournal.com/cisco_ru/239812.html

На кошке

! IKE pre-shared key for the peer 80.249.178.146 (the Linux end of the tunnel).
! NOTE(review): this key value is published together with the post. Treat it as
! an example only: generate a fresh random key per peer and never reuse this one.
! NOTE(review): no "crypto isakmp policy" is shown. The racoon side proposes
! 3des / md5 / pre-shared key / modp1024, so a matching policy presumably exists
! elsewhere in the running config - confirm.
crypto isakmp key 185d088b5c71daaab829c012f1ee1076 address 80.249.178.146

! ESP with 3DES encryption and HMAC-MD5 integrity, in transport mode (GRE already
! provides the encapsulation, so ESP only has to protect the GRE packet).
! NOTE(review): 3DES and MD5 are legacy algorithms. Where both ends support it,
! prefer AES with a SHA-2 HMAC; the change has to be made on the Cisco and in
! racoon.conf at the same time or the SAs will not negotiate.
crypto ipsec transform-set 3DES.MD5.HMAC esp-3des esp-md5-hmac
mode transport
!
! IPsec profile referenced by "tunnel protection" on the tunnel interface; this
! replaces the crypto-map approach.
! NOTE(review): no PFS group is set in this profile, while the Linux sainfo uses
! pfs_group 2 - confirm the two ends agree.
crypto ipsec profile VPN
set transform-set 3DES.MD5.HMAC
!
! Tunnel interface. No "tunnel mode" is configured, so the IOS default (GRE over
! IP) applies, matching "mode gre" on the Linux side.
interface Tunnel3
description Tunnel to ep-gw
ip address 192.168.100.13 255.255.255.252
! Reduced IP MTU leaves room for the GRE and ESP headers.
ip mtu 1400
! NOTE(review): as pasted, the interface is administratively down; it needs
! "no shutdown" before the tunnel can come up.
shutdown
tunnel source FastEthernet0/0
tunnel destination 80.249.178.146
! Ties the tunnel to the IPsec profile so traffic to the tunnel destination is
! protected by ESP.
tunnel protection ipsec profile VPN
!
! Route the remote LAN via the Linux end of the tunnel (192.168.100.14).
ip route 192.168.11.0 255.255.255.0 192.168.100.14


На линухе (debian)

/etc/network/interfaces

# GRE tunnel interface towards the Cisco. This stanza only builds the GRE
# tunnel; ESP protection of the GRE packets comes from the SPD entries in
# /etc/ipsec-tools.conf and from racoon.
auto tun0
iface tun0 inet static
address 192.168.100.14
netmask 255.255.255.252
broadcast 192.168.100.15
up ifconfig tun0 multicast
# "xxx" in the remote address is the author's redaction; substitute the Cisco's
# public address. It must be the same address used in the setkey policies and
# in the racoon "remote" section.
pre-up ip tunnel add tun0 mode gre local 80.249.178.146 remote 80.249.xxx.194 ttl 255
# NOTE(review): the peer address here and in the two routes below is
# 192.168.100.1, which is outside this interface's /30 (192.168.100.12-15); the
# Cisco example on this page uses 192.168.100.13 on its tunnel interface.
# Likewise the Cisco routes 192.168.11.0/24 while this side routes
# 192.168.1.0/24. These look like leftovers from sanitising two different
# configs - verify the addresses before use.
pointopoint 192.168.100.1
post-up ip r a 192.168.1.0/24 via 192.168.100.1
pre-down ip r d 192.168.1.0/24 via 192.168.100.1
post-down ip link set tun0 down
post-down ip tunnel del tun0

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f
# Empty the SAD (flush) and the SPD (spdflush) before loading the policies
# below, so stale entries from an earlier configuration do not linger.
flush;
spdflush;

# Outbound policy: GRE packets from this host to the Cisco must be carried in
# ESP transport mode. "require" means matching packets are not sent in the
# clear when no SA is available.
# The selectors match protocol GRE between the two public addresses only; any
# other traffic between these hosts is not covered by IPsec.
spdadd 80.249.178.146 80.249.xxx.194 gre -P out ipsec
esp/transport/80.249.178.146-80.249.xxx.194/require;

# Inbound mirror of the policy above: GRE arriving from the Cisco has to have
# been protected by ESP.
# NOTE(review): consider also limiting the host firewall to IKE (UDP/500) and
# ESP from the peer address; no firewall rules are shown on this page.
spdadd 80.249.xxx.194 80.249.178.146 gre -P in ipsec
esp/transport/80.249.xxx.194-80.249.178.146/require;

/etc/racoon/racoon.conf

# Phase 1 (IKE) settings for the Cisco peer. "xxx" is the author's redaction of
# the peer's public address.
# NOTE(review): the pre-shared key file (the "path pre_shared_key" directive) is
# not shown in this excerpt; it has to hold the same key as the Cisco's
# "crypto isakmp key" line and should be readable by root only.
remote 80.249.xxx.194 {
my_identifier address 80.249.178.146;
# NOTE(review): listing "aggressive" lets this host accept aggressive-mode
# exchanges. With a pre-shared key, aggressive mode exposes a hash that can be
# attacked offline; unless the Cisco is known to need it, keep only "main".
exchange_mode main,aggressive;
doi ipsec_doi;
# NOTE(review): "obey" makes the responder accept the initiator's lifetime and
# PFS values; "strict" is the more conservative setting.
proposal_check obey;

# Single phase 1 proposal: 3DES, MD5, pre-shared key, DH group 2 (1024-bit).
# NOTE(review): all of these are legacy choices. Stronger values have to be
# changed on the Cisco side at the same time or negotiation will fail.
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
lifetime time 3600 sec;
}
}
# Phase 2 settings. "anonymous" applies to any peer/selector without a more
# specific sainfo section.
sainfo anonymous {
# PFS with DH group 2; the Cisco profile on this page sets no PFS group -
# confirm both ends agree.
pfs_group 2;
# Corresponds to the Cisco transform-set esp-3des esp-md5-hmac.
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
lifetime time 3600 sec;

}