Now, though, the problem I can't even debug is that the tunnel is up but I can't ping from either side.
Evidently I'm missing something, but what?
I'm posting the config (limited to what concerns the VPN and related parts...)
Doesn't it need a static route, or something... who knows?
I'd like to have some tool for debugging, but neither debug crypto isakmp nor ipsec tells me anything useful...
Code:
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp key ********** address zzz.zzz.zzz.zzz no-xauth
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set Zyxel esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Brescia
 set peer zzz.zzz.zzz.zzz
 set transform-set Zyxel
 match address 101
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address ccc.ccc.ccc.ccc 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 snmp trap ip verify drop-rate
 pvc 8/35
  oam-pvc manage
  oam retry 5 5 1
  encapsulation aal5snap
 !
 crypto map SDM_CMAP_1
!
ip nat pool NAT-1 nat.nat.nat.nat nat.nat.nat.nat netmask 255.255.255.248
!
access-list 100 deny ip 192.168.0.0 0.0.0.255 172.24.1.64 0.0.0.63
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.24.1.64 0.0.0.63
!
route-map SDM_RMAP_1 permit 1
Code:
interface: ATM0.1
Crypto map tag: SDM_CMAP_1, local addr ccc.ccc.ccc.ccc
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.24.1.64/255.255.255.192/0/0)
current_peer zzz.zzz.zzz.zzz port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: ccc.ccc.ccc.ccc, remote crypto endpt.: zzz.zzz.zzz.zzz
path mtu 4470, ip mtu 4470, ip mtu idb ATM0.1
current outbound spi: 0x0(0)
And, in case it's useful, a show crypto session as well
Code:
Crypto session current status
Interface: ATM0.1
Session status: UP-ACTIVE
Peer: zzz.zzz.zzz.zzz port 500
IKE SA: local ccc.ccc.ccc.ccc/500 remote zzz.zzz.zzz.zzz/500 Active
IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 172.24.1.64/255.255.255.192
Active SAs: 2, origin: crypto map
Code:
SR520#ping 172.24.1.113 (this is the internal IP of the remote router)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.1.113, timeout is 2 seconds:
....U
Success rate is 0 percent (0/5)