The OpenNET Project / Index page

Original message
"IPSec tunnel keeps dropping"
Posted by rvv80, 01-Jul-09 10:20
Here is the IPSec setup log from a Cisco 800:

Tue Jun 30 16:49:45 2009: <191>83933: Jun 30 16:49:44: crypto_engine: Generate public/private keypair
Tue Jun 30 16:53:35 2009: <191>83944: Jun 30 16:53:34: ISAKMP (0:2106): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) QM_IDLE      
Tue Jun 30 16:53:35 2009: <191>83945: Jun 30 16:53:34: ISAKMP: set new node 394346856 to QM_IDLE      
Tue Jun 30 16:53:35 2009: <191>83946: Jun 30 16:53:34: crypto_engine: Decrypt IKE packet
Tue Jun 30 16:53:35 2009: <191>83947: Jun 30 16:53:34: crypto_engine: Generate IKE hash
Tue Jun 30 16:53:35 2009: <191>83948: Jun 30 16:53:34: ISAKMP:(2106): processing HASH payload. message ID = 394346856
Tue Jun 30 16:53:35 2009: <191>83949: Jun 30 16:53:34: ISAKMP:(2106): processing SA payload. message ID = 394346856
Tue Jun 30 16:53:35 2009: <191>83950: Jun 30 16:53:34: ISAKMP:(2106):Checking IPSec proposal 1
Tue Jun 30 16:53:35 2009: <191>83951: Jun 30 16:53:34: ISAKMP: transform 1, ESP_AES
Tue Jun 30 16:53:35 2009: <191>83952: Jun 30 16:53:34: ISAKMP:   attributes in transform:
Tue Jun 30 16:53:35 2009: <191>83953: Jun 30 16:53:34: ISAKMP:      encaps is 1 (Tunnel)
Tue Jun 30 16:53:35 2009: <191>83954: Jun 30 16:53:34: ISAKMP:      SA life type in seconds
Tue Jun 30 16:53:35 2009: <191>83955: Jun 30 16:53:34: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
Tue Jun 30 16:53:35 2009: <191>83956: Jun 30 16:53:34: ISAKMP:      SA life type in kilobytes
Tue Jun 30 16:53:35 2009: <191>83957: Jun 30 16:53:34: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Tue Jun 30 16:53:35 2009: <191>83958: Jun 30 16:53:34: ISAKMP:      authenticator is HMAC-SHA
Tue Jun 30 16:53:35 2009: <191>83959: Jun 30 16:53:34: ISAKMP:      key length is 128
Tue Jun 30 16:53:35 2009: <191>83960: Jun 30 16:53:34: ISAKMP:      group is 2
Tue Jun 30 16:53:35 2009: <191>83961: Jun 30 16:53:34: CryptoEngine0: validate proposal
Tue Jun 30 16:53:35 2009: <191>83962: Jun 30 16:53:34: ISAKMP:(2106):atts are acceptable.
Tue Jun 30 16:53:35 2009: <191>83963: Jun 30 16:53:34: IPSEC(validate_proposal_request): proposal part #1
Tue Jun 30 16:53:35 2009: <191>83964: Jun 30 16:53:34: IPSEC(validate_proposal_request): proposal part #1,
Tue Jun 30 16:53:35 2009: <191>83965:   (key eng. msg.) INBOUND
Tue Jun 30 16:53:35 2009: <191>83966: local= BB.BB.BB.BB, remote= AA.AA.AA.AA,
Tue Jun 30 16:53:35 2009: <191>83967:     local_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
Tue Jun 30 16:53:35 2009: <191>83968:     remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
Tue Jun 30 16:53:35 2009: <191>83969:     protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
Tue Jun 30 16:53:35 2009: <191>83970:     lifedur= 0s and 0kb,
Tue Jun 30 16:53:35 2009: <191>83971:     spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Tue Jun 30 16:53:35 2009: <191>83972: Jun 30 16:53:34: Crypto mapdb : proxy_match
Tue Jun 30 16:53:35 2009: <191>83973:     src addr     : 192.168.22.0
Tue Jun 30 16:53:35 2009: <191>83974:     dst addr     : 192.168.0.0
Tue Jun 30 16:53:35 2009: <191>83975:     protocol     : 0
Tue Jun 30 16:53:35 2009: <191>83976:     src port     : 0
Tue Jun 30 16:53:35 2009: <191>83977:     dst port     : 0
Tue Jun 30 16:53:35 2009: <191>83978: Jun 30 16:53:34: ISAKMP:(2106): processing NONCE payload. message ID = 394346856
Tue Jun 30 16:53:35 2009: <191>83979: Jun 30 16:53:34: ISAKMP:(2106): processing KE payload. message ID = 394346856
Tue Jun 30 16:53:35 2009: <191>83980: Jun 30 16:53:34: crypto_engine: Create DH shared secret
Tue Jun 30 16:53:35 2009: <191>83981: Jun 30 16:53:34: crypto_engine: Modular Exponentiation
Tue Jun 30 16:53:35 2009: <191>83982: Jun 30 16:53:34: ISAKMP:(2106): processing ID payload. message ID = 394346856
Tue Jun 30 16:53:35 2009: <191>83983: Jun 30 16:53:34: ISAKMP:(2106): processing ID payload. message ID = 394346856
Tue Jun 30 16:53:35 2009: <191>83984: Jun 30 16:53:34: ISAKMP:(2106):QM Responder gets spi
Tue Jun 30 16:53:35 2009: <191>83985: Jun 30 16:53:34: ISAKMP:(2106):Node 394346856, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Tue Jun 30 16:53:35 2009: <191>83986: Jun 30 16:53:34: ISAKMP:(2106):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Tue Jun 30 16:53:35 2009: <191>83987: Jun 30 16:53:34: crypto_engine: Generate IKE hash
Tue Jun 30 16:53:35 2009: <191>83988: Jun 30 16:53:34: crypto_engine: Generate IKE QM keys
Tue Jun 30 16:53:35 2009: <191>83989: Jun 30 16:53:34: crypto_engine: Create IPSec SA (by keys)
Tue Jun 30 16:53:35 2009: <191>83990: Jun 30 16:53:34: crypto_engine: Generate IKE QM keys
Tue Jun 30 16:53:35 2009: <191>83991: Jun 30 16:53:34: crypto_engine: Create IPSec SA (by keys)
Tue Jun 30 16:53:35 2009: <191>83992: Jun 30 16:53:34: crypto engine: deleting DH phase 2 SW:68
Tue Jun 30 16:53:35 2009: <191>83993: Jun 30 16:53:34: crypto_engine: Delete DH shared secret
Tue Jun 30 16:53:35 2009: <191>83994: Jun 30 16:53:34: crypto engine: deleting DH SW:66
Tue Jun 30 16:53:35 2009: <191>83995: Jun 30 16:53:34: ISAKMP:(2106): Creating IPSec SAs
Tue Jun 30 16:53:35 2009: <191>83996: Jun 30 16:53:34:         inbound SA from AA.AA.AA.AA to BB.BB.BB.BB (f/i)  0/ 0
Tue Jun 30 16:53:35 2009: <191>83997:         (proxy 192.168.0.0 to 192.168.22.0)
Tue Jun 30 16:53:35 2009: <191>83998: Jun 30 16:53:34:         has spi 0xF6CB4C26 and conn_id 0
Tue Jun 30 16:53:35 2009: <191>83999: Jun 30 16:53:34:         lifetime of 86400 seconds
Tue Jun 30 16:53:35 2009: <191>84000: Jun 30 16:53:34:         lifetime of 4608000 kilobytes
Tue Jun 30 16:53:35 2009: <191>84001: Jun 30 16:53:34:         outbound SA from BB.BB.BB.BB to AA.AA.AA.AA (f/i) 0/0
Tue Jun 30 16:53:35 2009: <191>84002:         (proxy 192.168.22.0 to 192.168.0.0)
Tue Jun 30 16:53:35 2009: <191>84003: Jun 30 16:53:34:         has spi  0x8D3CAECD and conn_id 0
Tue Jun 30 16:53:35 2009: <191>84004: Jun 30 16:53:34:         lifetime of 86400 seconds
Tue Jun 30 16:53:35 2009: <191>84005: Jun 30 16:53:34:         lifetime of 4608000 kilobytes
Tue Jun 30 16:53:35 2009: <191>84006: Jun 30 16:53:34: crypto_engine: Encrypt IKE packet
Tue Jun 30 16:53:35 2009: <191>84007: Jun 30 16:53:34: ISAKMP:(2106): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) QM_IDLE      
Tue Jun 30 16:53:35 2009: <191>84008: Jun 30 16:53:34: ISAKMP:(2106):Node 394346856, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Tue Jun 30 16:53:35 2009: <191>84009: Jun 30 16:53:34: ISAKMP:(2106):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
Tue Jun 30 16:53:35 2009: <191>84010: Jun 30 16:53:34: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Tue Jun 30 16:53:35 2009: <191>84011: Jun 30 16:53:34: Crypto mapdb : proxy_match
Tue Jun 30 16:53:35 2009: <191>84012:     src addr     : 192.168.22.0
Tue Jun 30 16:53:35 2009: <191>84013:     dst addr     : 192.168.0.0
Tue Jun 30 16:53:35 2009: <191>84014:     protocol     : 0
Tue Jun 30 16:53:35 2009: <191>84015:     src port     : 0
Tue Jun 30 16:53:35 2009: <191>84016:     dst port     : 0
Tue Jun 30 16:53:35 2009: <191>84017: Jun 30 16:53:34: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer AA.AA.AA.AA
Tue Jun 30 16:53:35 2009: <191>84018: Jun 30 16:53:34: IPSEC(create_sa): sa created,
Tue Jun 30 16:53:35 2009: <191>84019:   (sa) sa_dest= BB.BB.BB.BB, sa_proto= 50,
Tue Jun 30 16:53:35 2009: <191>84020:     sa_spi= 0xF6CB4C26(4140518438),
Tue Jun 30 16:53:35 2009: <191>84021:     sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 39
Tue Jun 30 16:53:35 2009: <191>84022: Jun 30 16:53:34: IPSEC(create_sa): sa created
Tue Jun 30 16:53:35 2009: <191>84023: ,
Tue Jun 30 16:53:35 2009: <191>84024:   (sa) sa_dest= AA.AA.AA.AA, sa_proto= 50,
Tue Jun 30 16:53:35 2009: <191>84025:     sa_spi= 0x8D3CAECD(2369564365),
Tue Jun 30 16:53:35 2009: <191>84026:     sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 40
Tue Jun 30 16:53:35 2009: <191>84027: Jun 30 16:53:34: IPSEC(early_age_out_sibling): sibling outbound SPI 2F491DAD expiring in 30 seconds
Tue Jun 30 16:53:35 2009: <191>84028: Jun 30 16:53:34: ISAKMP: set new node -677888029 to QM_IDLE      
Tue Jun 30 16:53:35 2009: <191>84029: Jun 30 16:53:34: crypto_engine: Generate IKE hash
Tue Jun 30 16:53:35 2009: <191>84030: Jun 30 16:53:34: crypto_engine: Encrypt IKE packet
Tue Jun 30 16:53:35 2009: <191>84031: Jun 30 16:53:34: ISAKMP:(2106): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) QM_IDLE      
Tue Jun 30 16:53:35 2009: <191>84032: Jun 30 16:53:34: ISAKMP:(2106):purging node -677888029
Tue Jun 30 16:53:35 2009: <191>84033: Jun 30 16:53:34: ISAKMP:(2106):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Tue Jun 30 16:53:35 2009: <191>84034: Jun 30 16:53:34: ISAKMP:(2106):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 16:53:35 2009: <191>84035:
Tue Jun 30 16:53:35 2009: <191>84036: Jun 30 16:53:35: crypto_engine: Delete DH
Tue Jun 30 16:53:35 2009: <191>84037: Jun 30 16:53:35: ISAKMP (0:2106): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) QM_IDLE      
Tue Jun 30 16:53:35 2009: <191>84038: Jun 30 16:53:35: crypto_engine: Decrypt IKE packet
Tue Jun 30 16:53:35 2009: <191>84039: Jun 30 16:53:35: crypto_engine: Generate IKE hash
Tue Jun 30 16:53:35 2009: <191>84040: Jun 30 16:53:35: ISAKMP:(2106):deleting node 394346856 error FALSE reason "QM done (await)"
Tue Jun 30 16:53:35 2009: <191>84041: Jun 30 16:53:35: ISAKMP:(2106):Node 394346856, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Tue Jun 30 16:53:35 2009: <191>84042: Jun 30 16:53:35: ISAKMP:(2106):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

Everything seems to be in order; judging by the log, phase two is established as well, but there is no tunnel...
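
An added example, not part of the original post: a Python parser for debug lines like the ones above that decodes the `SA life duration (VPI)` byte strings, collects the SPIs and the final Quick Mode state, and checks that the installed SAs carry the offered lifetimes. The function names and the trimmed sample are constructed here.

```python
import re

# Constructed sample: lines trimmed from the debug log in the post
# (syslog prefix dropped; AA/BB addresses are the post's own placeholders).
SAMPLE = """\
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
        inbound SA from AA.AA.AA.AA to BB.BB.BB.BB (f/i)  0/ 0
        has spi 0xF6CB4C26 and conn_id 0
        lifetime of 86400 seconds
        lifetime of 4608000 kilobytes
        outbound SA from BB.BB.BB.BB to AA.AA.AA.AA (f/i) 0/0
        has spi  0x8D3CAECD and conn_id 0
        lifetime of 86400 seconds
        lifetime of 4608000 kilobytes
ISAKMP:(2106):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

def decode_vpi(text):
    """Big-endian bytes as printed in the log: '0x0 0x1 0x51 0x80' -> 86400."""
    return int.from_bytes(bytes(int(b, 16) for b in text.split()), "big")

def summarize_quick_mode(log):
    """Collect offered lifetimes, per-direction SA data and the last IKE state."""
    out = {"offered": {}, "sas": {}, "state": None}
    unit = direction = None
    for line in log.splitlines():  # re.search ignores any syslog prefix
        if m := re.search(r"SA life type in (\w+)", line):
            unit = m.group(1)
        elif m := re.search(r"SA life duration \(VPI\) of\s+((?:0x[0-9A-Fa-f]+\s*)+)", line):
            out["offered"][unit] = decode_vpi(m.group(1))
        elif m := re.search(r"(inbound|outbound) SA from (\S+) to (\S+)", line):
            direction = m.group(1)
            out["sas"][direction] = {"src": m.group(2), "dst": m.group(3)}
        elif direction and (m := re.search(r"has spi\s+(0x[0-9A-Fa-f]+)", line)):
            out["sas"][direction]["spi"] = int(m.group(1), 16)
        elif direction and (m := re.search(r"lifetime of (\d+) (\w+)", line)):
            out["sas"][direction][m.group(2)] = int(m.group(1))
        elif m := re.search(r"New State = (\S+)", line):
            out["state"] = m.group(1)
    return out

def lifetimes_match(summary):
    """True when every installed SA carries exactly the offered lifetimes."""
    sas, offered = summary["sas"], summary["offered"]
    return bool(sas) and all(sa.get(u) == v for sa in sas.values() for u, v in offered.items())

if __name__ == "__main__":
    result = summarize_quick_mode(SAMPLE)
    print(result, lifetimes_match(result))
```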

 
