forum.opennet.ru

Составление сообщения

Исходное сообщение

"IPsec Pix-Router"
Отправлено Regnalos, 28-Июн-07 09:46

>на пиксе
>debug crypto ipsec 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  b.b.b.2
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  b.b.b.2
IPSEC(key_engine_sa_req): setting timer running retry <1>

После посылки пакетов из локальной сети со стороны пикса появляется следующее:
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x5f5e371f(1600010015) for SA
        from  b.b.b.2 to   a.a.a.61 for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= b.b.b.2, src= a.a.a.61,
    dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
    src_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= a.a.a.61, src= b.b.b.2,
    dest_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4),
    src_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x5f5e371f(1600010015), conn_id= 1, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= a.a.a.61, dest= b.b.b.2,
    src_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4),
    dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x8e225368(2384614248), conn_id= 2, keysize= 0, flags= 0x4
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= b.b.b.2, src= a.a.a.61,
    dest_proxy= 192.168.103.0/255.255.255.0/0/0 (type=4),
    src_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= b.b.b.2, src= a.a.a.61,
    dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
    src_proxy= 192.168.103.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
-----------------------------------------------------------------------------
>debug crypto isakmp 3
ISAKMP msg received
crypto_isakmp_process_block:src:b.b.b.2, dest:a.a.a.61 spt:500 dpt:5
00
gen_cookie:
fill_sa_key:isadb_search returned sa = 0xa2d24c
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
compute_quick_mode_iv:
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x74a728, len 144
des_encdec:
validate_payload: len 172
valid_payload:
valid_payload:
valid_sa:
valid_transform:
valid_payload:
valid_payload:
valid_payload:
OAK_QM exchange
oakley_process_quick_mode:
ipsec_db_get_ipsec_sa_list:
verify_qm_hash:
ipsec_db_get_ipsec_sa_list:
OAK_QM_IDLE
process_isakmp_packet:
process_sa: mess_id 0x5c92175a
ISAKMP (0): processing SA payload. message ID = 1553078106
check_ipsec_proposal:
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
check_prop: acceptable = 1
snoop_id_payloads:
ISAKMP: IPSec policy invalidated proposal
delete_sa_offers:
ISAKMP (0): SA not acceptable!
ipsec_db_get_ipsec_sa_list:
ISAKMP (0): sending NOTIFY message 14 protocol 3
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
compute_quick_mode_iv:
construct_header: message_id 0x59a3127d
ipsec_db_get_ipsec_sa_list:
construct_blank_hash:
construct_notify:
ipsec_db_get_ipsec_sa_list:
construct_qm_hash:
ipsec_db_get_ipsec_sa_list:
throw: mess_id 0x59a3127d
ipsec_db_get_ipsec_sa_list:
isakmp_ce_encrypt_payload: offset 28, length 124
pix_des_encrypt: data 0xaba5b4, len 104
des_encdec:
send_response:
isakmp_send: ip b.b.b.2, port 500
throw: no state, delete ipsec sa list
ipsec_db_delete_ipsec_sa_list:
ipsec_db_delete_sa_list_entry:
process_sa: DONE - status 0x2
delete_sa_offers:
process_payload failed 0x2
return status is IKMP_ERR_NO_RETRANS
PEER_REAPER_TIMER

---------------------------------------------------------------------------
>debug crypto ca 3
ничего не показал =(
>
>теминал на монитор и логи под кат.
насчёт логов... можно пояснить какие логи требуются?

Исходное сообщение
"IPsec Pix-Router" Отправлено Regnalos, 28-Июн-07 09:46
>на пиксе >debug crypto ipsec 3 IPSEC(key_engine): got a queue event... IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP IPSEC(key_engine_delete_sas): delete all SAs shared with b.b.b.2 IPSEC(key_engine): got a queue event... IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP IPSEC(key_engine_delete_sas): delete all SAs shared with b.b.b.2 IPSEC(key_engine_sa_req): setting timer running retry <1> После посылки пакетов из локальной сети со стороны пикса появляется следующее: IPSEC(key_engine): got a queue event... IPSEC(spi_response): getting spi 0x5f5e371f(1600010015) for SA from b.b.b.2 to a.a.a.61 for prot 3 IPSEC(key_engine): got a queue event... IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) dest= b.b.b.2, src= a.a.a.61, dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4), src_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 IPSEC(key_engine): got a queue event... IPSEC(initialize_sas): , (key eng. msg.) dest= a.a.a.61, src= b.b.b.2, dest_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4), src_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 3600s and 4608000kb, spi= 0x5f5e371f(1600010015), conn_id= 1, keysize= 0, flags= 0x4 IPSEC(initialize_sas): , (key eng. msg.) src= a.a.a.61, dest= b.b.b.2, src_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4), dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 3600s and 4608000kb, spi= 0x8e225368(2384614248), conn_id= 2, keysize= 0, flags= 0x4 IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) dest= b.b.b.2, src= a.a.a.61, dest_proxy= 192.168.103.0/255.255.255.0/0/0 (type=4), src_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 IPSEC(validate_transform_proposal): proxy identities not supported IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) dest= b.b.b.2, src= a.a.a.61, dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4), src_proxy= 192.168.103.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 IPSEC(validate_transform_proposal): proxy identities not supported ----------------------------------------------------------------------------- >debug crypto isakmp 3 ISAKMP msg received crypto_isakmp_process_block:src:b.b.b.2, dest:a.a.a.61 spt:500 dpt:5 00 gen_cookie: fill_sa_key:isadb_search returned sa = 0xa2d24c ipsec_db_get_ipsec_sa_list: ipsec_db_add_ipsec_sa_list: ipsec_db_get_ipsec_sa_list: compute_quick_mode_iv: isakmp_ce_decrypt_payload: pix_des_decrypt: data 0x74a728, len 144 des_encdec: validate_payload: len 172 valid_payload: valid_payload: valid_sa: valid_transform: valid_payload: valid_payload: valid_payload: OAK_QM exchange oakley_process_quick_mode: ipsec_db_get_ipsec_sa_list: verify_qm_hash: ipsec_db_get_ipsec_sa_list: OAK_QM_IDLE process_isakmp_packet: process_sa: mess_id 0x5c92175a ISAKMP (0): processing SA payload. message ID = 1553078106 check_ipsec_proposal: ISAKMP : Checking IPSec proposal 1 ISAKMP: transform 1, ESP_DES ISAKMP: attributes in transform: ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (basic) of 3600 ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 ISAKMP: authenticator is HMAC-MD5 ISAKMP (0): atts are acceptable. check_prop: acceptable = 1 snoop_id_payloads: ISAKMP: IPSec policy invalidated proposal delete_sa_offers: ISAKMP (0): SA not acceptable! ipsec_db_get_ipsec_sa_list: ISAKMP (0): sending NOTIFY message 14 protocol 3 ipsec_db_add_ipsec_sa_list: ipsec_db_get_ipsec_sa_list: compute_quick_mode_iv: construct_header: message_id 0x59a3127d ipsec_db_get_ipsec_sa_list: construct_blank_hash: construct_notify: ipsec_db_get_ipsec_sa_list: construct_qm_hash: ipsec_db_get_ipsec_sa_list: throw: mess_id 0x59a3127d ipsec_db_get_ipsec_sa_list: isakmp_ce_encrypt_payload: offset 28, length 124 pix_des_encrypt: data 0xaba5b4, len 104 des_encdec: send_response: isakmp_send: ip b.b.b.2, port 500 throw: no state, delete ipsec sa list ipsec_db_delete_ipsec_sa_list: ipsec_db_delete_sa_list_entry: process_sa: DONE - status 0x2 delete_sa_offers: process_payload failed 0x2 return status is IKMP_ERR_NO_RETRANS PEER_REAPER_TIMER --------------------------------------------------------------------------- >debug crypto ca 3 ничего не показал =( > >теминал на монитор и логи под кат. насчёт логов... можно пояснить какие логи требуются?

Ваше сообщение

Имя*:

EMail:

Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.

Заголовок*:

Сообщение*:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру