fgafurov29
Beginner

Cisco 2 провайдера, ASA 2 провайдера: как настроить VPN Site-to-Site

Доброго времени суток.

Если есть возможность, подскажите, как настроить резервное VPN-соединение между головным офисом и другими точками. На данный момент VPN работает в штатном режиме без проблем, но требуется настроить резерв для автоматического переключения. Я ещё новичок, некоторые настройки требуют доработки.

Спасибо.

ASA головной офис (основной 10.10.10.10 и резерв 20.20.20.20)

: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
! Head-office ASA: software version, hostname, enable password and interface definitions.
! Two ISP-facing interfaces (outside, outside2) and one LAN interface (inside) are active;
! every other data port is shut down.
ASA Version 9.8(2)
!
hostname ciscoasa
! NOTE(review): the PBKDF2 enable-password hash was published together with this listing.
! Treat the password as exposed and change it; strip hashes before sharing a config.
enable password $sha512$5000$ABVTvElxIRPAHeE8fBBlhw==$1oXWx05sZhlfRNNn6YRgkg== pbkdf2
names

!
! Primary ISP uplink. NOTE(review): the address below carries a trailing dot ("10.10.10.10."),
! which looks like a paste/anonymisation typo - the parser would presumably reject it as written.
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.10.10.10. 255.255.255.248
!
! Backup ISP uplink, same security level as the primary.
interface GigabitEthernet1/2
nameif outside2
security-level 0
ip address 20.20.20.20 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
! LAN side of the head office.
interface GigabitEthernet1/7
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
! The dedicated management port has no name or address, so device management in this
! listing can only arrive through the data interfaces.
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
! Network objects, object-groups and access-lists used by the VPN configuration.
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network REMOTE_IS
subnet 192.168.10.0 255.255.255.192
! NOTE(review): LAN_GO is a /16 that also contains every REMOTE_* subnet defined here.
object network LAN_GO
subnet 192.168.0.0 255.255.0.0
object network Proxy_server
subnet 2.2.2.0 255.255.255.252
object network REMOTE_I
subnet 192.168.11.0 255.255.255.192
! All_lan_GO is 0.0.0.0/0, i.e. identical to obj_any. It is the source of every crypto ACL
! below, so each tunnel's local selector is "any" and the remote side has to mirror that.
object network All_lan_GO
subnet 0.0.0.0 0.0.0.0
object network REMOTE_K
subnet 192.168.12.32 255.255.255.224
object network REMOTE_DJ.R
subnet 192.168.13.0 255.255.255.192
object network REMOTE_P
subnet 192.168.14.0 255.255.255.224
object network REMOTE_D
subnet 192.168.15.128 255.255.255.128
! NOTE(review): this object is a /29 (255.255.255.248) while the static route for the same
! prefix further down uses 255.255.255.240 - one of the two masks is presumably wrong.
object network REMOTE_TEST
subnet 192.168.16.16 255.255.255.248
! The six DM_INLINE_NETWORK_* groups are identical and are not referenced by any ACL or
! other statement visible in this listing (the NAT section appears to have been trimmed).
object-group network DM_INLINE_NETWORK_1
network-object object LAN_GO
network-object object Proxy_server
object-group network DM_INLINE_NETWORK_5
network-object object LAN_GO
network-object object Proxy_server
object-group network DM_INLINE_NETWORK_7
network-object object LAN_GO
network-object object Proxy_server
object-group network DM_INLINE_NETWORK_8
network-object object LAN_GO
network-object object Proxy_server
object-group network DM_INLINE_NETWORK_10
network-object object LAN_GO
network-object object Proxy_server
object-group network DM_INLINE_NETWORK_11
network-object object LAN_GO
network-object object Proxy_server
access-list outside_cryptomap_1 extended permit ip object All_lan_GO object REMOTE_IS
! NOTE(review): "permit ip any any" is bound inbound to the outside interface by the
! access-group statement later in the config, so the interface ACL filters nothing.
! Narrow it to the flows that are actually required.
access-list outside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object All_lan_GO object REMOTE_K
access-list outside_cryptomap_4 extended permit ip object All_lan_GO object REMOTE_I
! NOTE(review): outside_cryptomap_11 (REMOTE_TEST) is defined here, but crypto map entry 4
! references outside_cryptomap_2, which does not exist in this listing - verify which
! ACL the test tunnel is meant to use.
access-list outside_cryptomap_11 extended permit ip object All_lan_GO object REMOTE_TEST
access-list outside_cryptomap_5 extended permit ip object All_lan_GO object REMOTE_DJ.R
access-list outside_cryptomap_6 extended permit ip object All_lan_GO object REMOTE_P
access-list outside_cryptomap_7 extended permit ip object All_lan_GO object REMOTE_D
! Logging, MTU, static routing, timeouts and management-plane access.
pager lines 24
! Logging goes only to the ASDM buffer; no "logging host" (remote syslog) destination is
! configured in this listing, so events are not retained off-box.
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu outside2 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384

! NOTE(review): the next line looks like the tail of a "nat" statement whose beginning was
! cut out of the post - it is not a complete command on its own.
no-proxy-arp route-lookup
! Only "outside" has an access-group; no ACL is bound to outside2 in this listing.
access-group outside_access_in in interface outside
! The default route points at the inside network (192.168.0.2). Peer public addresses and
! remote LANs are reached through host/subnet routes, all of them via the primary ISP
! next hop 10.10.10.1. Nothing below uses outside2, so as posted no traffic can leave
! through the backup ISP. Failover would need tracked primary routes plus floating
! backup routes on outside2 (presumably "sla monitor" + "track" - confirm for this release).
route inside 0.0.0.0 0.0.0.0 192.168.0.2 1
route outside 10.10.8.2 255.255.255.255 10.10.10.1
route outside 10.10.7.2 255.255.255.255 10.10.10.1 1
route outside 10.10.6.2 255.255.255.255 10.10.10.1 1
route outside 10.10.5.2 255.255.255.255 10.10.10.1 1
route outside 10.10.4.2 255.255.255.255 10.10.10.1 1
route outside 10.10.3.2 255.255.255.255 10.10.10.1 1
route outside 10.10.2.2 255.255.255.255 10.10.10.1 1
route outside 10.10.1.2 255.255.255.255 10.10.10.1 1
route outside 192.168.13.0 255.255.255.192 10.10.10.1 1
route outside 192.168.10.0 255.255.255.192 10.10.10.1 1
route outside 192.168.11.0 255.255.255.192 10.10.10.1 1
route outside 192.168.14.0 255.255.255.224 10.10.10.1 1
! NOTE(review): mask is /28 here but the REMOTE_TEST object is defined as /29.
route outside 192.168.16.16 255.255.255.240 10.10.10.1 1
route outside 192.168.12.32 255.255.255.224 10.10.10.1 1
route outside 192.168.15.128 255.255.255.128 10.10.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
! SSH logins are authenticated against the local user database. No "ssh <network> <interface>"
! permit line is visible, so SSH does not appear to be allowed from anywhere in this listing.
aaa authentication ssh console LOCAL
aaa authentication login-history
! NOTE(review): "http 0.0.0.0 0.0.0.0 outside" opens the ASDM/HTTPS management service to
! every source address on the Internet-facing interface. Restrict management to specific
! admin networks (the two inside entries already follow that pattern) or reach it over VPN.
http server enable
http 192.168.66.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.41.32 255.255.255.255 inside
no snmp-server location
no snmp-server contact
sysopt noproxyarp outside
sysopt noproxyarp inside
service sw-reset-button
! IPsec (phase 2) transform sets / proposals and the crypto map that binds peers to them.
!
! The ESP-* transform sets below are not referenced by any crypto map entry in this listing;
! only the custom *_GO sets are. The unused sets include DES, 3DES and MD5 combinations,
! which are obsolete - removing them keeps a future edit from selecting one by accident.
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
! Per-site transform sets actually used by the crypto map. All seven are the same
! AES-256 / SHA-1 HMAC combination, so a single shared set would be equivalent.
crypto ipsec ikev1 transform-set IST_GO esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ISF_GO esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set KBD_GO esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set DJR_GO esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set PJK_GO esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set DH_GO esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TEST_GO esp-aes-256 esp-sha-hmac
! IKEv2 IPsec proposals. None of them is attached to a crypto map entry in this listing
! (every entry uses "set ikev1 transform-set"), so they are currently unused.
crypto ipsec ikev2 ipsec-proposal TEST_GO_R
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
! Policy-based site-to-site tunnels: one entry per branch, each with a single peer address.
! No entry sets PFS. For a branch with two ISPs, "set peer" on the entry would have to list
! both of that branch's addresses - TODO confirm per peer.
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 10.10.2.2
crypto map outside_map 1 set ikev1 transform-set IST_GO
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer 10.10.4.2
crypto map outside_map 2 set ikev1 transform-set KBD_GO
crypto map outside_map 3 match address outside_cryptomap_4
crypto map outside_map 3 set peer 10.10.7.2
crypto map outside_map 3 set ikev1 transform-set ISF_GO
! NOTE(review): outside_cryptomap_2 is not defined anywhere in this listing; the ACL that
! matches REMOTE_TEST is named outside_cryptomap_11. As posted this entry has no usable
! traffic selector.
crypto map outside_map 4 match address outside_cryptomap_2
crypto map outside_map 4 set peer 10.10.5.2
crypto map outside_map 4 set ikev1 transform-set TEST_GO
crypto map outside_map 5 match address outside_cryptomap_5
crypto map outside_map 5 set peer 10.10.3.2
crypto map outside_map 5 set ikev1 transform-set DJR_GO
crypto map outside_map 6 match address outside_cryptomap_6
crypto map outside_map 6 set peer 10.10.8.2
crypto map outside_map 6 set ikev1 transform-set PJK_GO
crypto map outside_map 7 match address outside_cryptomap_7
crypto map outside_map 7 set peer 10.10.6.2
crypto map outside_map 7 set ikev1 transform-set DH_GO
! The crypto map is bound to "outside" only. IKE is enabled on outside2 elsewhere in the
! config, but without a crypto map on outside2 no tunnel can terminate on the backup ISP.
crypto map outside_map interface outside
! Trustpoint and CA certificate for the Smart Call Home service.
! The hex dump is a CA certificate, i.e. public data rather than a secret: its bytes contain
! the ASCII text "ass 3 Secure Server CA - G4" and symcb.com CRL/OCSP URLs. The dump does
! not start with a DER header, so the poster appears to have trimmed it before posting.
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 513fb9743870b73440418d30930699ff
61737320 33205365 63757265 20536572 76657220 4341202d 20473430 82012230
0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b2d805ca
1c742db5 175639c5 4a520996 e84bd80c f1689f9a 422862c3 a530537e 5511825b
037a0d2f e17904c9 b4967719 81019459 f9bcf77a 9927822d b783dd5a 277fb203
7a9c5325 e9481f46 4fc89d29 f8be7956 f6f7fdd9 3a68da8b 4b823341 12c3c83c
ccd6967a 84211a22 04032717 8b1c6861 930f0e51 80331db4 b5ceeb7e d062acee
b37b0174 ef6935eb cad53da9 ee9798ca 8daa440e 25994a15 96a4ce6d 02541f2a
6a26e206 3a6348ac b44cd175 9350ff13 2fd6dae1 c618f59f c9255df3 003ade26
4db42909 cd0f3d23 6f164a81 16fbf283 10c3b8d6 d855323d f1bd0fbd 8c52954a
16977a52 2163752f 16f9c466 bef5b509 d8ff2700 cd447c6f 4b3fb0f7 02030100
01a38201 63308201 5f301206 03551d13 0101ff04 08300601 01ff0201 00303006
03551d1f 04293027 3025a023 a021861f 68747470 3a2f2f73 312e7379 6d63622e
636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 02010630
2f06082b 06010505 07010104 23302130 1f06082b 06010505 07300186 13687474
703a2f2f 73322e73 796d6362 2e636f6d 306b0603 551d2004 64306230 60060a60
86480186 f8450107 36305230 2606082b 06010505 07020116 1a687474 703a2f2f
7777772e 73796d61 7574682e 636f6d2f 63707330 2806082b 06010505 07020230
quit
! IKE (phase 1) policies and the interfaces IKE listens on.
!
! IKEv2 policies. NOTE(review): no tunnel in this listing uses IKEv2 - every group-policy
! restricts "vpn-tunnel-protocol" to ikev1 and every crypto map entry sets only an ikev1
! transform set - yet IKEv2 is enabled on both ISP interfaces below. If it is not needed,
! disabling it removes an unused Internet-facing listener.
! All IKEv2 policies offer only DH groups 5 and 2 and SHA-1; policies 30 and 40 additionally
! offer 3DES and DES. These are legacy parameters; keep only the strongest set the peers
! support.
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
! IKE is enabled on both ISP interfaces, which is a prerequisite for a backup tunnel on
! outside2 (the crypto map itself is attached to "outside" only in this listing).
crypto ikev2 enable outside
crypto ikev2 enable outside2
crypto ikev1 enable outside
crypto ikev1 enable outside2
! IKEv1 policies. Policy 1 (AES-256, SHA, pre-share, group 2) lines up with the branch
! router's "crypto isakmp policy 10" shown later on this page.
! NOTE(review): every policy uses DH group 2 (1024-bit). The rsa-sig policies (50, 80, 110,
! 140) serve no tunnel in this listing, since all tunnel-groups use pre-shared keys, and
! policies 100-140 offer 3DES/DES. Unused and weak policies remain negotiable if a peer
! proposes them, so prune the list to what is actually required.
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
! Management session parameters, DHCP client options and threat detection.
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
! NOTE(review): dh-group1-sha1 is a 1024-bit key exchange group; this command also accepts
! dh-group14-sha1, which is the stronger choice if SSH management is used.
ssh key-exchange group dh-group1-sha1
! A console timeout of 0 means console sessions are never closed for inactivity.
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Group policies, the local administrator account and one tunnel-group per branch peer.
!
! Every group policy restricts the tunnel to IKEv1. The tunnel-groups further down still
! carry IKEv2 pre-shared keys, which are therefore unused.
group-policy GroupPolicy_10.10.8.2 internal
group-policy GroupPolicy_10.10.8.2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_10.10.4.2 internal
group-policy GroupPolicy_10.10.4.2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_10.10.2.2 internal
group-policy GroupPolicy_10.10.2.2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_10.10.3.2 internal
group-policy GroupPolicy_10.10.3.2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_10.10.6.2 internal
group-policy GroupPolicy_10.10.6.2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_10.10.5.2 internal
group-policy GroupPolicy_10.10.5.2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
! NOTE(review): a privilege-15 account name and its password hash were published with the
! post (the hash string looks partly cut). Together with the HTTPS management rule that
! allows any source on "outside", this credential should be considered exposed and rotated.
username admin password $sha5wQ==$CWzx76yle0mjmEwVtV1EGQ== pbkdf2 privilege 15
! LAN-to-LAN tunnel-groups are named after each peer's primary public address; the
! pre-shared keys are masked as ***** in the posted output. No tunnel-group exists for a
! peer's backup address (for example 10.10.1.2 for the test branch), so a tunnel initiated
! from the backup ISP would presumably not match any of these groups - TODO confirm.
tunnel-group 10.10.2.2 type ipsec-l2l
tunnel-group 10.10.2.2 general-attributes
default-group-policy GroupPolicy_10.10.2.2
tunnel-group 10.10.2.2 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 10.10.4.2 type ipsec-l2l
tunnel-group 10.10.4.2 general-attributes
default-group-policy GroupPolicy_10.10.4.2
tunnel-group 10.10.4.2 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
! This peer uses the generic GroupPolicy1 and has an IKEv1 key only.
tunnel-group 10.10.7.2 type ipsec-l2l
tunnel-group 10.10.7.2 general-attributes
default-group-policy GroupPolicy1
tunnel-group 10.10.7.2 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 10.10.5.2 type ipsec-l2l
tunnel-group 10.10.5.2 general-attributes
default-group-policy GroupPolicy_10.10.5.2
tunnel-group 10.10.5.2 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 10.10.3.2 type ipsec-l2l
tunnel-group 10.10.3.2 general-attributes
default-group-policy GroupPolicy_10.10.3.2
tunnel-group 10.10.3.2 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 10.10.8.2 type ipsec-l2l
tunnel-group 10.10.8.2 general-attributes
default-group-policy GroupPolicy_10.10.8.2
tunnel-group 10.10.8.2 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 10.10.6.2 type ipsec-l2l
tunnel-group 10.10.6.2 general-attributes
default-group-policy GroupPolicy_10.10.6.2
tunnel-group 10.10.6.2 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
! Application inspection: one class matching the default inspection traffic, applied
! globally through global_policy. This looks like the stock inspection set - TODO confirm
! that legacy protocols such as rsh, xdmcp and sqlnet are actually in use before keeping
! their inspection engines enabled.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:818f360c7d14c97b96d5269db6f1ec1a
: end

================================================================

Cisco 800, доп. офис (основной 10.10.5.2 и резерв 10.10.1.2)

Router#sh run
Building configuration...

Current configuration : 2743 bytes
!
! Last configuration change at 10:44:51 UTC Tue Oct 12 2021
! Branch router (Cisco 800 series): global services, DHCP for the branch LAN and the
! object that tracks reachability of the head office.
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption disabled, any "password" line would be stored and
! displayed in clear text. No enable secret, username or line password is visible in this
! listing (they may have been removed before posting) - confirm that the device has them.
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
no aaa new-model
!
!
!
!
!
!


!
! DHCP for the branch LAN: a /29 pool with the router's own address excluded.
ip dhcp excluded-address 192.168.69.17
!
ip dhcp pool TEST_DHCP
import all
network 192.168.69.16 255.255.255.248
default-router 192.168.69.17
dns-server 192.168.70.1 192.168.70.2
domain-name arvand.local
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
! The UDI line carries the hardware model and a (partly masked) serial number; it is worth
! removing from configs that are shared publicly.
license udi pid C891F-K9 sn FCZ185090XX
!
!
!
!
!
!
!
! Track object 8 follows the reachability result of IP SLA probe 1; the primary default
! route later in the config depends on it.
track 8 ip sla 1 reachability
!
!
!
! IPsec towards the head office: IKEv1 policy, pre-shared key, transform set and crypto map.
!
! Phase 1: AES-256, pre-shared key, DH group 2. No "hash" line is shown, so the platform
! default applies. NOTE(review): group 2 is a 1024-bit group; raising it requires the same
! change in the ASA's IKEv1 policy.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
! The key is defined only for the ASA's primary address. For failover to the ASA's backup
! address (20.20.20.20 per the post) a key entry for that address would be needed as well.
crypto isakmp key ******** address 10.10.10.10
!
!
! Phase 2: AES-256 with SHA-1 HMAC in tunnel mode, matching the ASA's TEST_GO transform set.
crypto ipsec transform-set SET_GO esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
! Single-peer crypto map. A second "set peer" line for the ASA's backup address is what the
! first reply on this page suggests for redundancy.
crypto map GO_MAP 10 ipsec-isakmp
set peer 10.10.10.10
set transform-set SET_GO
match address TEST
!
!
!
!
!
!
! Branch router interfaces: two ISP uplinks (FastEthernet0, GigabitEthernet8) and the LAN
! on Vlan2 via switchport GigabitEthernet0.
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
! Primary ISP uplink with the crypto map attached. ("RIMARY" in the description is a typo
! in the original config.)
interface FastEthernet0
description RIMARY LINK TO ISP 1
ip address 10.10.5.2 255.255.255.248
duplex auto
speed auto
crypto map GO_MAP
!
! NOTE(review): GigabitEthernet0 is a layer-2 access port in VLAN 2 with no IP address, yet
! the crypto map is applied to it. That looks unintended - the crypto map belongs on the
! WAN-facing layer-3 interfaces.
interface GigabitEthernet0
switchport access vlan 2
no ip address
crypto map GO_MAP
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
! Backup ISP uplink, also carrying the crypto map. The ASA has no tunnel-group or crypto map
! peer entry for 10.10.1.2 in the posted config, so a tunnel sourced from this interface
! would presumably not be accepted as things stand.
interface GigabitEthernet8
description BACKUP LINK TO ISP 2
ip address 10.10.1.2 255.255.255.0
duplex auto
speed auto
crypto map GO_MAP
!
interface Vlan1
no ip address
!
! Branch LAN gateway (/29).
interface Vlan2
ip address 192.168.69.17 255.255.255.248
!
interface Async3
no ip address
encapsulation slip
!
! HTTP services, NAT, default routes, the interesting-traffic ACL and the IP SLA probe.
ip forward-protocol nd
! Both the HTTP and HTTPS management servers are disabled.
no ip http server
no ip http secure-server
!
!
! NOTE(review): this NAT rule reuses ACL TEST, which is also the crypto map's match ACL, and
! points at GigabitEthernet0, which has no IP address. No interface in this listing enables
! NAT, so the rule is presumably inert; if it ever became active, VPN traffic would need to
! be excluded from translation.
ip nat source list TEST interface GigabitEthernet0 overload
! Primary default route, installed only while track 8 is up, and a floating backup default
! (administrative distance 25) through the second ISP.
! NOTE(review): the primary next hop 10.10.10.1 is not inside FastEthernet0's connected
! subnet 10.10.5.0/29 - probably an artefact of address anonymisation; verify on the device.
ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 8
ip route 0.0.0.0 0.0.0.0 10.10.1.1 25
!
! Interesting traffic for the tunnel. NOTE(review): the wildcard 0.0.0.15 describes a /28,
! while Vlan2 and the DHCP pool are /29, and the ASA's REMOTE_TEST object uses a /29 mask.
! Crypto ACLs on the two ends have to mirror each other exactly for phase 2 to come up.
ip access-list extended TEST
permit ip 192.168.69.16 0.0.0.15 any
!
! Probe 1 pings the ASA's primary address from the primary uplink address. Once the tracked
! default route is withdrawn the probe follows the backup default, so a host route for the
! probe target via the primary ISP is usually needed to keep the result meaningful - TODO
! confirm.
ip sla auto discovery
ip sla 1
icmp-echo 10.10.10.10 source-ip 10.10.5.2
ip sla schedule 1 life forever start-time now
!
!
! Control plane, MGCP defaults and terminal lines.
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
! NOTE(review): "transport input all" accepts Telnet as well as SSH on the VTY lines, and no
! access-class limits the source addresses. With ISP-facing interfaces on this router,
! restrict the lines to SSH and to known management networks. "login" is set but no line
! password is visible in this listing - confirm how remote logins are authenticated.
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end

 

 

2 ОТВЕТ 2
Sergey Lisitsin
Collaborator

Добрый день,

 

Возможности ASA по организации резервного соединения VPN ограничены. Я думаю, что лучшим решением будет переход от policy-based VPN модели к tunnel-based. При этом у Вас появится возможность манипулировать выбором канала с помощью протокола маршрутизации.

Oleg Volkov
Contributor

Вариант 1: в crypto map в set peer указываете два IP (на той стороне, которая будет коннектиться к ASA с резервным провайдером).

Ну а на ASA, где резерв, делаете IP SLA-проверку доступности и переключение маршрута по умолчанию + ещё кое-что, ну и IKE включаете на обоих интерфейсах.

Вариант 2: как уже сказали, уходить на Tunnel-интерфейсы — с недавних пор ASA их умеет.

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog