Good afternoon, colleagues.
I'm asking for help configuring a VPN tunnel between Cisco 1760s to carry voice between branch offices. The scheme is as follows:
PBX->E1->Cisco1760->LAN->wifi router->WAN->Internet->WAN->wifi router->LAN->Cisco1760->E1->PBX.
The problem is that the VPN tunnel goes down after about 10-15 minutes, and neither pings nor calls get through. Maybe something is wrong in the settings?
R1 configuration:
Building configuration...
Current configuration : 2970 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Server
!
boot-start-marker
boot system flash:c1700-adventerprisek9-mz.123-12.bin
boot-end-marker
!
enable secret 5 $1$vZZu$3dX2ONYgfqcKiPDgEXEWk.
!
username operator privilege 15 password 7 000D000D165A1F0303
tdm clock E1 0/0 both export line
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
voice-card 0
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip domain name router_1.cus
ip audit po max-events 100
no ftp-server write-enable
isdn switch-type primary-net5
!
!
voice call send-alert
voice rtp send-recv
!
voice service voip
h323
sip
!
voice class codec 1
codec preference 1 g711alaw
codec preference 2 g711ulaw
codec preference 3 g729br8
codec preference 4 g729r8
codec preference 5 g726r16
!
!
!
!
!
!
!
!
!
!
!
!
controller E1 0/0
framing NO-CRC4
pri-group timeslots 1-31
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 12345 address 1.1.1.20
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 2.2.2.10
tunnel destination 1.1.1.20
tunnel protection ipsec profile protect-gre
!
interface FastEthernet0/0
ip address 2.2.2.10 255.255.255.0
ip nat outside
speed auto
!
interface Serial0/0:15
no ip address
no logging event link-status
isdn switch-type primary-net5
isdn protocol-emulate network
isdn incoming-voice voice
isdn negotiate-bchan
isdn outgoing ie redirecting-number
no cdp enable
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.100
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 192.168.2.0 255.255.255.0 172.16.0.2
!
ip http server
no ip http secure-server
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
voice-port 0/0:15
!
!
dial-peer cor custom
!
!
!
dial-peer voice 200 voip
incoming called-number .%
destination-pattern ^65[5-9]..$
voice-class codec 1
session protocol sipv2
session target ipv4:192.168.2.1:5060
dtmf-relay cisco-rtp rtp-nte h245-signal h245-alphanumeric
no vad
!
dial-peer voice 10 pots
destination-pattern ^65020$
direct-inward-dial
port 0/0:15
!
dial-peer voice 201 voip
incoming called-number .%
destination-pattern ^6[6-9]...$
voice-class codec 1
session protocol sipv2
session target ipv4:192.168.2.1:5060
dtmf-relay cisco-rtp rtp-nte h245-signal h245-alphanumeric
no vad
R2 configuration:
Building configuration...
Current configuration : 2733 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Client
!
boot-start-marker
boot system flash:c1700-adventerprisek9-mz.123-12.bin
boot-end-marker
!
enable secret 5 $1$0E4K$8t/SyvkT9BLiHjPLiG4q4/
!
username operator privilege 15 password 0 iskratel
tdm clock E1 0/0 both export line
tdm clock E1 0/1 both import E1 0/0 internal
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
voice-card 0
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip domain name router_2.cus
ip audit po max-events 100
no ftp-server write-enable
isdn switch-type primary-net5
!
!
!
voice class codec 1
codec preference 1 g711alaw
codec preference 2 g711ulaw
codec preference 3 g729br8
codec preference 4 g729r8
codec preference 5 g726r16
!
!
!
!
!
!
!
!
!
!
!
!
controller E1 0/0
framing NO-CRC4
pri-group timeslots 1-31
!
controller E1 0/1
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 12345 address 2.2.2.10
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 1.1.1.20
tunnel destination 2.2.2.10
tunnel protection ipsec profile protect-gre
!
interface FastEthernet0/0
ip address 1.1.1.20 255.255.255.0
ip nat outside
speed auto
!
interface Serial0/0:15
no ip address
no logging event link-status
isdn switch-type primary-net5
isdn protocol-emulate network
isdn incoming-voice voice
isdn negotiate-bchan
no cdp enable
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.100
ip route 192.168.1.0 255.255.255.0 172.16.0.1
!
ip http server
no ip http secure-server
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
!
voice-port 0/0:15
!
!
dial-peer cor custom
!
!
!
dial-peer voice 200 pots
destination-pattern ^65[5-9]..$
direct-inward-dial
port 0/0:15
!
dial-peer voice 120 voip
incoming called-number .%
destination-pattern ^65020$
voice-class codec 1
session protocol sipv2
session target ipv4:192.168.1.1:5060
dtmf-relay cisco-rtp rtp-nte h245-signal h245-alphanumeric
no vad
!
dial-peer voice 201 pots
destination-pattern ^6[6-9]...$
direct-inward-dial
port 0/0:15
It gives the error: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 2.2.2.10 failed its sanity check or is malformed
debug cry ipsec: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
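
An added example, not part of the original post: a small Python check that the IKE/IPsec settings of the two posted configs mirror each other (policy, transform set, pre-shared key, peer addresses against tunnel source/destination) and that flags deprecated algorithms. The config excerpts are taken from the post above; the field names and the `audit` function are this example's own.

```python
import re

# Crypto/tunnel lines excerpted from R1 in the post; R2 is the same with the
# two public addresses swapped, exactly as in the posted configs.
R1 = """\
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 12345 address 1.1.1.20
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
tunnel source 2.2.2.10
tunnel destination 1.1.1.20
"""
R2 = R1.replace("1.1.1.20", "@").replace("2.2.2.10", "1.1.1.20").replace("@", "2.2.2.10")

FIELDS = {  # one regex per setting; the posted configs are flat (indentation lost)
    "encr": r"^encr (\S+)", "hash": r"^hash (\S+)", "group": r"^group (\S+)",
    "auth": r"^authentication (\S+)", "mode": r"^mode (\S+)",
    "psk": r"^crypto isakmp key (\S+) address",
    "psk_peer": r"^crypto isakmp key \S+ address (\S+)",
    "transform": r"^crypto ipsec transform-set \S+ (.+)$",
    "src": r"^tunnel source (\S+)", "dst": r"^tunnel destination (\S+)",
}
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}  # deprecated

def parse(cfg):
    found = {k: re.search(p, cfg, re.M) for k, p in FIELDS.items()}
    return {k: m.group(1).strip() if m else None for k, m in found.items()}

def audit(cfg_a, cfg_b):
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for k in ("encr", "hash", "group", "auth", "mode", "transform", "psk"):
        if a[k] != b[k]:  # both peers must agree; never echo the key itself
            out.append(f"mismatch {k}" + ("" if k == "psk" else f": {a[k]} vs {b[k]}"))
    for side, me, peer in (("A", a, b), ("B", b, a)):
        if me["dst"] != peer["src"]:
            out.append(f"{side}: tunnel destination {me['dst']} != peer source {peer['src']}")
        if me["psk_peer"] != me["dst"]:
            out.append(f"{side}: PSK bound to {me['psk_peer']}, tunnel goes to {me['dst']}")
    for k, bad in WEAK.items():
        out += [f"weak {k}: {v}" for v in sorted({a[k], b[k]} & bad)]
    return out

if __name__ == "__main__":
    print("\n".join(audit(R1, R2)))
```

On the posted pair the peers agree with each other, so the only findings are the deprecated 3DES, MD5 and DH group 2 choices.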