forum.opennet.ru

Составление сообщения

Исходное сообщение

"Не могу поднять VPN IPSec tunnel между CISCO 2821 и Linux"
Отправлено lesha4ever, 22-Июл-09 18:12

Добрый день. Нужно поднять VPN IPSec tunnel между CISCO 2821 и Linux чтобы пробросит сетку удаленную 192.168.0.0/24 и 10.0.1.0/24
Первая фаза проходит успешно, а вот на втором этапе циска предлагает
Jul 22 16:13:44 10.1.1.1 135367:     local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
Jul 22 16:13:44 10.1.1.1 135368:     remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
то есть вместо нужных адресов сетей подставляет 0.0.0.0, на что ракун с другой стороны соответственно ругается, потому что с стороны ракуна описаны правила на определенные сети.
Jul 22 16:12:37 mon racoon: ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in
Jul 22 16:12:37 mon racoon: ERROR: failed to get proposal for responder.
Jul 22 16:12:37 mon racoon: ERROR: failed to pre-process packet.
Конфиг циски (на ней параллельно живут и работают ВПН для виндовых клиентов):
X.X.X.X - внешний адрес Linux
Y.Y.Y.Y - внешний адрес Cisco
выкладываю часть, которая относится к ВПНам.
vpdn enable
vpdn logging
!
vpdn-group VPDN-L2TP
! Default L2TP VPDN group
accept-dialin
  protocol l2tp
  virtual-template 1
lcp renegotiation on-mismatch
no l2tp tunnel authentication
!
vpdn-group VPDN-PPTP
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 2
pptp tunnel echo 10
ip pmtu
ip mtu adjust
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 30
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key SECRETKEY address X.X.X.X
crypto isakmp key SECRETKEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set L2TP esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set L2TP_V ah-sha-hmac esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set SITE_TO_SITE esp-3des esp-md5-hmac
!
crypto ipsec profile SITE_TO_SITE
set transform-set SITE_TO_SITE
set pfs group2
!
!
crypto dynamic-map L2TP_D 10
set transform-set L2TP L2TP_V
!
crypto dynamic-map SITE_TO_SITE 20
set peer X.X.X.X
set pfs group2
match address CRYPTO_ACL_IPSec
!
!
crypto map L2TP 20 ipsec-isakmp dynamic L2TP_D
crypto map L2TP 30 ipsec-isakmp dynamic SITE_TO_SITE
!
crypto map S_T_S 1 ipsec-isakmp dynamic SITE_TO_SITE
!
!
interface Tunnel0
description VPN tunnel - not work(((
bandwidth 128
ip address 10.0.1.1 255.255.255.0
ip access-group sdm_tunnel0_in in
ip mtu 1476
shutdown
tunnel source GigabitEthernet0/0
tunnel destination X.X.X.X
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile SITE_TO_SITE
!
interface Loopback0
description Virtual interface for remote Windows VPN connect
ip address 10.1.5.1 255.255.255.0
ip access-group sdm_loopback0_in in
ip inspect SDM_LOW in
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address Y.Y.Y.Y 255.255.255.240
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map L2TP
!
!
interface Virtual-Template1
ip unnumbered Loopback0
ip access-group VPN_L2TP in
peer default ip address pool vpnpool2
ppp mtu adaptive
ppp authentication ms-chap-v2
ppp ipcp dns 10.1.1.10
!
interface Virtual-Template2
description $FW_OUTSIDE$
ip unnumbered Loopback0
ip access-group VPN_PPTP in
autodetect encapsulation ppp
peer default ip address pool vpnpool2
ppp encrypt mppe auto
ppp authentication ms-chap-v2
ppp ipcp dns 10.1.1.10
!
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload

Конфиг Линукса
[root@mon]~# cat /etc/setkey.conf
#!/sbin/setkey -f
flush;
spdflush;
#out
spdadd 192.168.0.0/24[any] 10.0.1.0/24[any] any -P out ipsec esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd 10.0.1.0/24[any] 192.168.0.0/24[any] any -P in  ipsec esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;
remote Y.Y.Y.Y
{
        exchange_mode main, aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address X.X.X.X;
        nonce_size 16;
        initial_contact off;
        proposal_check obey;
        support_proxy on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo address 192.168.0.0/24 any address 10.0.1.0/24 any {
        pfs_group modp1024; # pfs_group modp768;
        encryption_algorithm 3des, des;
        authentication_algorithm hmac_md5, hmac_sha1;
        compression_algorithm deflate;
        }

Лог ракуна
Jul 22 16:52:18 mon racoon: INFO: respond new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Jul 22 16:52:18 mon racoon: INFO: begin Identity Protection mode.
Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: CISCO-UNITY
Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: DPD
Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jul 22 16:52:18 mon racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Jul 22 16:52:18 mon racoon: INFO: ISAKMP-SA established X.X.X.X[500]-Y.Y.Y.Y[500] spi:1f36d2df755b22ad:4d20d3f57f82697a
Jul 22 16:52:18 mon racoon: INFO: respond new phase 2 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Jul 22 16:52:18 mon racoon: ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in
Jul 22 16:52:18 mon racoon: ERROR: failed to get proposal for responder.
Jul 22 16:52:18 mon racoon: ERROR: failed to pre-process packet.

Лог циски
Jul 22 16:52:09 10.1.1.1 138156: 093970: Jul 22 15:52:09.764 PCTime: CRYPTO_SS(TUNNEL SEC): Application started listening
Jul 22 16:52:09 10.1.1.1 138157: 093971: Jul 22 15:52:09.764 PCTime: insert of map into mapdb AVL failed, map + ace pair already exists on the mapd
b
Jul 22 16:52:09 10.1.1.1 138158: 093972: Jul 22 15:52:09.768 PCTime: is_up: 0 state: 4 sub state: 1 line: 0 has_route: False
Jul 22 16:52:09 10.1.1.1 138159: 093973: Jul 22 15:52:09.768 PCTime: CRYPTO_SS(TUNNEL SEC): Active open, socket info: local Y.Y.Y.Y 0.0.0.0/
0.0.0.0/0, remote X.X.X.X 0.0.0.0/0.0.0.0/0,  prot 0, ifc Tu0
Jul 22 16:52:09 10.1.1.1 138160: 093974: Jul 22 15:52:09.768 PCTime: IPSEC(sa_request): ,
Jul 22 16:52:09 10.1.1.1 138161:   (key eng. msg.) OUTBOUND
Jul 22 16:52:09 10.1.1.1 138162: local= Y.Y.Y.Y, remote= X.X.X.X,
Jul 22 16:52:09 10.1.1.1 138163:     local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
Jul 22 16:52:09 10.1.1.1 138164:     remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
Jul 22 16:52:09 10.1.1.1 138165:     protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
Jul 22 16:52:09 10.1.1.1 138166:     lifedur= 3600s and 4608000kb,
Jul 22 16:52:09 10.1.1.1 138167:     spi= 0xA67AC3A6(2793063334), conn_id= 0, keysize= 0, flags= 0x400B
Jul 22 16:52:09 10.1.1.1 138168: 093975: Jul 22 15:52:09.768 PCTime: ISAKMP: received ke message (1/1)
Jul 22 16:52:09 10.1.1.1 138169: 093976: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jul 22 16:52:09 10.1.1.1 138170: 093977: Jul 22 15:52:09.768 PCTime: ISAKMP: Created a peer struct for X.X.X.X, peer port 500
Jul 22 16:52:09 10.1.1.1 138171: 093978: Jul 22 15:52:09.768 PCTime: ISAKMP: New peer created peer = 0x44571EB4 peer_handle = 0x800003B2
Jul 22 16:52:09 10.1.1.1 138172: 093979: Jul 22 15:52:09.768 PCTime: ISAKMP: Locking peer struct 0x44571EB4, IKE refcount 1 for isakmp_initiator
Jul 22 16:52:10 10.1.1.1 138173: 093980: Jul 22 15:52:09.768 PCTime: ISAKMP: local port 500, remote port 500
Jul 22 16:52:10 10.1.1.1 138174: 093981: Jul 22 15:52:09.768 PCTime: ISAKMP: set new node 0 to QM_IDLE
Jul 22 16:52:10 10.1.1.1 138175: 093982: Jul 22 15:52:09.768 PCTime: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4474CDB
0
Jul 22 16:52:10 10.1.1.1 138176: 093983: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jul 22 16:52:10 10.1.1.1 138177: 093984: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0):Looking for a matching key for X.X.X.X in default
Jul 22 16:52:10 10.1.1.1 138178: 093985: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0): : success
Jul 22 16:52:10 10.1.1.1 138179: 093986: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching X.X.X.X
Jul 22 16:52:10 10.1.1.1 138180: 093987: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jul 22 16:52:10 10.1.1.1 138181: 093988: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jul 22 16:52:10 10.1.1.1 138182: 093989: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jul 22 16:52:10 10.1.1.1 138183: 093990: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jul 22 16:52:10 10.1.1.1 138184: 093991: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
Jul 22 16:52:10 10.1.1.1 138185:
Jul 22 16:52:10 10.1.1.1 138186: 093992: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jul 22 16:52:10 10.1.1.1 138187: 093993: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): sending packet to X.X.X.X my_port 500 peer_port 500
(I) MM_NO_STATE
Jul 22 16:52:10 10.1.1.1 138188: 093994: Jul 22 15:52:09.832 PCTime: ISAKMP (0:0): received packet from X.X.X.X dport 500 sport 500 Global (
I) MM_NO_STATE
Jul 22 16:52:10 10.1.1.1 138189: 093995: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 22 16:52:10 10.1.1.1 138190: 093996: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Jul 22 16:52:10 10.1.1.1 138191:
Jul 22 16:52:10 10.1.1.1 138192: 093997: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jul 22 16:52:10 10.1.1.1 138193: 093998: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jul 22 16:52:10 10.1.1.1 138194: 093999: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): vendor ID is DPD
Jul 22 16:52:10 10.1.1.1 138195: 094000: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):Looking for a matching key for X.X.X.X in default
Jul 22 16:52:10 10.1.1.1 138196: 094001: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): : success
Jul 22 16:52:10 10.1.1.1 138197: 094002: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching X.X.X.X
Jul 22 16:52:10 10.1.1.1 138198: 094003: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): local preshared key found
Jul 22 16:52:10 10.1.1.1 138199: 094004: Jul 22 15:52:09.832 PCTime: ISAKMP : Scanning profiles for xauth ... S_T_S
Jul 22 16:52:10 10.1.1.1 138200: 094005: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Jul 22 16:52:10 10.1.1.1 138201: 094006: Jul 22 15:52:09.832 PCTime: ISAKMP:      encryption 3DES-CBC
Jul 22 16:52:10 10.1.1.1 138202: 094007: Jul 22 15:52:09.832 PCTime: ISAKMP:      hash MD5
Jul 22 16:52:10 10.1.1.1 138203: 094008: Jul 22 15:52:09.832 PCTime: ISAKMP:      default group 2
Jul 22 16:52:10 10.1.1.1 138204: 094009: Jul 22 15:52:09.832 PCTime: ISAKMP:      auth pre-share
Jul 22 16:52:10 10.1.1.1 138205: 094010: Jul 22 15:52:09.832 PCTime: ISAKMP:      life type in seconds
Jul 22 16:52:10 10.1.1.1 138206: 094011: Jul 22 15:52:09.832 PCTime: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jul 22 16:52:10 10.1.1.1 138207: 094012: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Jul 22 16:52:10 10.1.1.1 138208: 094013: Jul 22 15:52:09.832 PCTime: CryptoEngine0: generating alg parameter for connid 28
Jul 22 16:52:10 10.1.1.1 138209: 094014: Jul 22 15:52:09.860 PCTime: CRYPTO_ENGINE: Dh phase 1 status: 0
Jul 22 16:52:10 10.1.1.1 138210: 094015: Jul 22 15:52:09.860 PCTime: CRYPTO_ENGINE: Dh phase 1 status: OK
Jul 22 16:52:10 10.1.1.1 138211: 094016: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1): processing vendor id payload
Jul 22 16:52:10 10.1.1.1 138212: 094017: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1): vendor ID is DPD
Jul 22 16:52:10 10.1.1.1 138213: 094018: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 22 16:52:10 10.1.1.1 138214: 094019: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2
Jul 22 16:52:10 10.1.1.1 138215:
Jul 22 16:52:10 10.1.1.1 138216: 094020: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1): sending packet to X.X.X.X my_port 500 peer_port 500
(I) MM_SA_SETUP
Jul 22 16:52:10 10.1.1.1 138217: 094021: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 22 16:52:10 10.1.1.1 138218: 094022: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
Jul 22 16:52:10 10.1.1.1 138219:
Jul 22 16:52:10 10.1.1.1 138220: 094023: Jul 22 15:52:09.896 PCTime: ISAKMP (0:134217756): received packet from X.X.X.X dport 500 sport 500
Global (I) MM_SA_SETUP
Jul 22 16:52:10 10.1.1.1 138221: 094024: Jul 22 15:52:09.896 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 22 16:52:10 10.1.1.1 138222: 094025: Jul 22 15:52:09.896 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
Jul 22 16:52:10 10.1.1.1 138223:
Jul 22 16:52:10 10.1.1.1 138224: 094026: Jul 22 15:52:09.896 PCTime: ISAKMP:(0:28:SW:1): processing KE payload. message ID = 0
Jul 22 16:52:10 10.1.1.1 138225: 094027: Jul 22 15:52:09.896 PCTime: CryptoEngine0: generating alg parameter for connid 0
Jul 22 16:52:10 10.1.1.1 138226: 094028: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:28:SW:1): processing NONCE payload. message ID = 0
Jul 22 16:52:10 10.1.1.1 138227: 094029: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:0:N/A:0):Looking for a matching key for X.X.X.X in default
Jul 22 16:52:10 10.1.1.1 138228: 094030: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:0:N/A:0): : success
Jul 22 16:52:10 10.1.1.1 138229: 094031: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:28:SW:1):found peer pre-shared key matching X.X.X.X
Jul 22 16:52:10 10.1.1.1 138230: 094032: Jul 22 15:52:09.924 PCTime: CryptoEngine0: create ISAKMP SKEYID for conn id 28
Jul 22 16:52:10 10.1.1.1 138231: 094033: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:28:SW:1):SKEYID state generated
Jul 22 16:52:10 10.1.1.1 138232: 094034: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 22 16:52:10 10.1.1.1 138233: 094035: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4
Jul 22 16:52:10 10.1.1.1 138234:
Jul 22 16:52:10 10.1.1.1 138235: 094036: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Send initial contact
Jul 22 16:52:10 10.1.1.1 138236: 094037: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):SA is doing pre-shared key authentication using id type ID_
IPV4_ADDR
Jul 22 16:52:10 10.1.1.1 138237: 094038: Jul 22 15:52:09.928 PCTime: ISAKMP (0:134217756): ID payload
Jul 22 16:52:10 10.1.1.1 138238:        next-payload : 8
Jul 22 16:52:10 10.1.1.1 138239:        type         : 1
Jul 22 16:52:10 10.1.1.1 138240:        address      : Y.Y.Y.Y
Jul 22 16:52:10 10.1.1.1 138241:        protocol     : 17
Jul 22 16:52:10 10.1.1.1 138242:        port         : 500
Jul 22 16:52:10 10.1.1.1 138243:        length       : 12
Jul 22 16:52:10 10.1.1.1 138244: 094039: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Total payload length: 12
Jul 22 16:52:10 10.1.1.1 138245: 094040: Jul 22 15:52:09.928 PCTime: CryptoEngine0: generate hmac context for conn id 28
Jul 22 16:52:10 10.1.1.1 138246: 094041: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1): sending packet to X.X.X.X my_port 500 peer_port 500
(I) MM_KEY_EXCH
Jul 22 16:52:10 10.1.1.1 138247: 094042: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 22 16:52:10 10.1.1.1 138248: 094043: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
Jul 22 16:52:10 10.1.1.1 138249:
Jul 22 16:52:10 10.1.1.1 138250: 094044: Jul 22 15:52:09.940 PCTime: ISAKMP (0:134217756): received packet from X.X.X.X dport 500 sport 500
Global (I) MM_KEY_EXCH
Jul 22 16:52:10 10.1.1.1 138251: 094045: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1): processing ID payload. message ID = 0
Jul 22 16:52:10 10.1.1.1 138252: 094046: Jul 22 15:52:09.940 PCTime: ISAKMP (0:134217756): ID payload
Jul 22 16:52:11 10.1.1.1 138253:        next-payload : 8
Jul 22 16:52:11 10.1.1.1 138254:        type         : 1
Jul 22 16:52:11 10.1.1.1 138255:
Jul 22 16:52:11 10.1.1.1 138256:        address      : X.X.X.X
Jul 22 16:52:11 10.1.1.1 138257:        protocol     : 17
Jul 22 16:52:11 10.1.1.1 138258:        port         : 500
Jul 22 16:52:11 10.1.1.1 138259:        length       : 12
Jul 22 16:52:11 10.1.1.1 138260: 094047: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):: peer matches *none* of the profiles
Jul 22 16:52:11 10.1.1.1 138261: 094048: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1): processing HASH payload. message ID = 0
Jul 22 16:52:11 10.1.1.1 138262: 094049: Jul 22 15:52:09.940 PCTime: CryptoEngine0: generate hmac context for conn id 28
Jul 22 16:52:11 10.1.1.1 138263: 094050: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):SA authentication status:
Jul 22 16:52:11 10.1.1.1 138264:        authenticated
Jul 22 16:52:11 10.1.1.1 138265: 094051: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):SA has been authenticated with X.X.X.X
Jul 22 16:52:11 10.1.1.1 138266: 094052: Jul 22 15:52:09.940 PCTime: ISAKMP: Trying to insert a peer Y.Y.Y.Y/X.X.X.X/500/,
Jul 22 16:52:11 10.1.1.1 138267:  and inserted successfully 44571EB4.
Jul 22 16:52:11 10.1.1.1 138268: 094053: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 22 16:52:11 10.1.1.1 138269: 094054: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
Jul 22 16:52:11 10.1.1.1 138270:
Jul 22 16:52:11 10.1.1.1 138271: 094055: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 22 16:52:11 10.1.1.1 138272: 094056: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6
Jul 22 16:52:11 10.1.1.1 138273:
Jul 22 16:52:11 10.1.1.1 138274: 094057: Jul 22 15:52:09.944 PCTime: CryptoEngine0: clear dh number for conn id 19
Jul 22 16:52:11 10.1.1.1 138275: 094058: Jul 22 15:52:09.944 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 22 16:52:11 10.1.1.1 138276: 094059: Jul 22 15:52:09.944 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Jul 22 16:52:11 10.1.1.1 138277:
Jul 22 16:52:11 10.1.1.1 138278: 094060: Jul 22 15:52:09.944 PCTime: ISAKMP:(0:28:SW:1):beginning Quick Mode exchange, M-ID of -625100548
Jul 22 16:52:11 10.1.1.1 138279: 094061: Jul 22 15:52:09.944 PCTime: CryptoEngine0: generating alg parameter for connid 28
Jul 22 16:52:11 10.1.1.1 138280: 094062: Jul 22 15:52:09.968 PCTime: CRYPTO_ENGINE: Dh phase 1 status: 0
Jul 22 16:52:11 10.1.1.1 138281: 094063: Jul 22 15:52:09.968 PCTime: CRYPTO_ENGINE: Dh phase 1 status: OK
Jul 22 16:52:11 10.1.1.1 138282: 094064: Jul 22 15:52:09.968 PCTime: CryptoEngine0: generate hmac context for conn id 28
Jul 22 16:52:11 10.1.1.1 138283: 094065: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1): sending packet to X.X.X.X my_port 500 peer_port 500
(I) QM_IDLE
Jul 22 16:52:11 10.1.1.1 138284: 094066: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1):Node -625100548, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jul 22 16:52:11 10.1.1.1 138285: 094067: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jul 22 16:52:11 10.1.1.1 138286: 094068: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jul 22 16:52:11 10.1.1.1 138287: 094069: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Jul 22 16:52:11 10.1.1.1 138288:
Jul 22 16:52:11 10.1.1.1 138289: 094070: Jul 22 15:52:11.764 PCTime: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
Jul 22 16:52:12 10.1.1.1 138290: 094071: Jul 22 15:52:11.764 PCTime: is_up: 0 state: 4 sub state: 1 line: 0 has_route: False

Исходное сообщение
"Не могу поднять VPN IPSec tunnel между CISCO 2821 и Linux" Отправлено lesha4ever, 22-Июл-09 18:12
Добрый день. Нужно поднять VPN IPSec tunnel между CISCO 2821 и Linux чтобы пробросит сетку удаленную 192.168.0.0/24 и 10.0.1.0/24 Первая фаза проходит успешно, а вот на втором этапе циска предлагает Jul 22 16:13:44 10.1.1.1 135367: local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), Jul 22 16:13:44 10.1.1.1 135368: remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), то есть вместо нужных адресов сетей подставляет 0.0.0.0, на что ракун с другой стороны соответственно ругается, потому что с стороны ракуна описаны правила на определенные сети. Jul 22 16:12:37 mon racoon: ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in Jul 22 16:12:37 mon racoon: ERROR: failed to get proposal for responder. Jul 22 16:12:37 mon racoon: ERROR: failed to pre-process packet. Конфиг циски (на ней параллельно живут и работают ВПН для виндовых клиентов): X.X.X.X - внешний адрес Linux Y.Y.Y.Y - внешний адрес Cisco выкладываю часть, которая относится к ВПНам. vpdn enable vpdn logging ! vpdn-group VPDN-L2TP ! Default L2TP VPDN group accept-dialin protocol l2tp virtual-template 1 lcp renegotiation on-mismatch no l2tp tunnel authentication ! vpdn-group VPDN-PPTP ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 2 pptp tunnel echo 10 ip pmtu ip mtu adjust ! crypto isakmp policy 10 encr 3des hash md5 authentication pre-share group 2 ! crypto isakmp policy 20 encr 3des authentication pre-share group 2 ! crypto isakmp policy 30 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key SECRETKEY address X.X.X.X crypto isakmp key SECRETKEY address 0.0.0.0 0.0.0.0 crypto ipsec transform-set L2TP esp-3des esp-md5-hmac mode transport crypto ipsec transform-set L2TP_V ah-sha-hmac esp-3des esp-sha-hmac mode transport crypto ipsec transform-set SITE_TO_SITE esp-3des esp-md5-hmac ! crypto ipsec profile SITE_TO_SITE set transform-set SITE_TO_SITE set pfs group2 ! ! crypto dynamic-map L2TP_D 10 set transform-set L2TP L2TP_V ! crypto dynamic-map SITE_TO_SITE 20 set peer X.X.X.X set pfs group2 match address CRYPTO_ACL_IPSec ! ! crypto map L2TP 20 ipsec-isakmp dynamic L2TP_D crypto map L2TP 30 ipsec-isakmp dynamic SITE_TO_SITE ! crypto map S_T_S 1 ipsec-isakmp dynamic SITE_TO_SITE ! ! interface Tunnel0 description VPN tunnel - not work((( bandwidth 128 ip address 10.0.1.1 255.255.255.0 ip access-group sdm_tunnel0_in in ip mtu 1476 shutdown tunnel source GigabitEthernet0/0 tunnel destination X.X.X.X tunnel mode ipsec ipv4 tunnel path-mtu-discovery tunnel protection ipsec profile SITE_TO_SITE ! interface Loopback0 description Virtual interface for remote Windows VPN connect ip address 10.1.5.1 255.255.255.0 ip access-group sdm_loopback0_in in ip inspect SDM_LOW in ! interface GigabitEthernet0/0 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_WAN$$FW_OUTSIDE$$ETH-WAN$ ip address Y.Y.Y.Y 255.255.255.240 ip access-group 101 in ip verify unicast reverse-path no ip redirects no ip unreachables no ip proxy-arp ip inspect DEFAULT100 out ip nat outside ip virtual-reassembly ip route-cache flow duplex auto speed auto no mop enabled crypto map L2TP ! ! interface Virtual-Template1 ip unnumbered Loopback0 ip access-group VPN_L2TP in peer default ip address pool vpnpool2 ppp mtu adaptive ppp authentication ms-chap-v2 ppp ipcp dns 10.1.1.10 ! interface Virtual-Template2 description $FW_OUTSIDE$ ip unnumbered Loopback0 ip access-group VPN_PPTP in autodetect encapsulation ppp peer default ip address pool vpnpool2 ppp encrypt mppe auto ppp authentication ms-chap-v2 ppp ipcp dns 10.1.1.10 ! ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload Конфиг Линукса [root@mon]~# cat /etc/setkey.conf #!/sbin/setkey -f flush; spdflush; #out spdadd 192.168.0.0/24[any] 10.0.1.0/24[any] any -P out ipsec esp/tunnel/X.X.X.X-Y.Y.Y.Y/require; spdadd 10.0.1.0/24[any] 192.168.0.0/24[any] any -P in ipsec esp/tunnel/Y.Y.Y.Y-X.X.X.X/require; remote Y.Y.Y.Y { exchange_mode main, aggressive; doi ipsec_doi; situation identity_only; my_identifier address X.X.X.X; nonce_size 16; initial_contact off; proposal_check obey; support_proxy on; proposal { encryption_algorithm 3des; hash_algorithm md5; authentication_method pre_shared_key; dh_group 2; } } sainfo address 192.168.0.0/24 any address 10.0.1.0/24 any { pfs_group modp1024; # pfs_group modp768; encryption_algorithm 3des, des; authentication_algorithm hmac_md5, hmac_sha1; compression_algorithm deflate; } Лог ракуна Jul 22 16:52:18 mon racoon: INFO: respond new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500] Jul 22 16:52:18 mon racoon: INFO: begin Identity Protection mode. Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07 Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: CISCO-UNITY Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: DPD Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt Jul 22 16:52:18 mon racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1. Jul 22 16:52:18 mon racoon: INFO: ISAKMP-SA established X.X.X.X[500]-Y.Y.Y.Y[500] spi:1f36d2df755b22ad:4d20d3f57f82697a Jul 22 16:52:18 mon racoon: INFO: respond new phase 2 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500] Jul 22 16:52:18 mon racoon: ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in Jul 22 16:52:18 mon racoon: ERROR: failed to get proposal for responder. Jul 22 16:52:18 mon racoon: ERROR: failed to pre-process packet. Лог циски Jul 22 16:52:09 10.1.1.1 138156: 093970: Jul 22 15:52:09.764 PCTime: CRYPTO_SS(TUNNEL SEC): Application started listening Jul 22 16:52:09 10.1.1.1 138157: 093971: Jul 22 15:52:09.764 PCTime: insert of map into mapdb AVL failed, map + ace pair already exists on the mapd b Jul 22 16:52:09 10.1.1.1 138158: 093972: Jul 22 15:52:09.768 PCTime: is_up: 0 state: 4 sub state: 1 line: 0 has_route: False Jul 22 16:52:09 10.1.1.1 138159: 093973: Jul 22 15:52:09.768 PCTime: CRYPTO_SS(TUNNEL SEC): Active open, socket info: local Y.Y.Y.Y 0.0.0.0/ 0.0.0.0/0, remote X.X.X.X 0.0.0.0/0.0.0.0/0, prot 0, ifc Tu0 Jul 22 16:52:09 10.1.1.1 138160: 093974: Jul 22 15:52:09.768 PCTime: IPSEC(sa_request): , Jul 22 16:52:09 10.1.1.1 138161: (key eng. msg.) OUTBOUND Jul 22 16:52:09 10.1.1.1 138162: local= Y.Y.Y.Y, remote= X.X.X.X, Jul 22 16:52:09 10.1.1.1 138163: local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), Jul 22 16:52:09 10.1.1.1 138164: remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), Jul 22 16:52:09 10.1.1.1 138165: protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel), Jul 22 16:52:09 10.1.1.1 138166: lifedur= 3600s and 4608000kb, Jul 22 16:52:09 10.1.1.1 138167: spi= 0xA67AC3A6(2793063334), conn_id= 0, keysize= 0, flags= 0x400B Jul 22 16:52:09 10.1.1.1 138168: 093975: Jul 22 15:52:09.768 PCTime: ISAKMP: received ke message (1/1) Jul 22 16:52:09 10.1.1.1 138169: 093976: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0): SA request profile is (NULL) Jul 22 16:52:09 10.1.1.1 138170: 093977: Jul 22 15:52:09.768 PCTime: ISAKMP: Created a peer struct for X.X.X.X, peer port 500 Jul 22 16:52:09 10.1.1.1 138171: 093978: Jul 22 15:52:09.768 PCTime: ISAKMP: New peer created peer = 0x44571EB4 peer_handle = 0x800003B2 Jul 22 16:52:09 10.1.1.1 138172: 093979: Jul 22 15:52:09.768 PCTime: ISAKMP: Locking peer struct 0x44571EB4, IKE refcount 1 for isakmp_initiator Jul 22 16:52:10 10.1.1.1 138173: 093980: Jul 22 15:52:09.768 PCTime: ISAKMP: local port 500, remote port 500 Jul 22 16:52:10 10.1.1.1 138174: 093981: Jul 22 15:52:09.768 PCTime: ISAKMP: set new node 0 to QM_IDLE Jul 22 16:52:10 10.1.1.1 138175: 093982: Jul 22 15:52:09.768 PCTime: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4474CDB 0 Jul 22 16:52:10 10.1.1.1 138176: 093983: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode. Jul 22 16:52:10 10.1.1.1 138177: 093984: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0):Looking for a matching key for X.X.X.X in default Jul 22 16:52:10 10.1.1.1 138178: 093985: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0): : success Jul 22 16:52:10 10.1.1.1 138179: 093986: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching X.X.X.X Jul 22 16:52:10 10.1.1.1 138180: 093987: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID Jul 22 16:52:10 10.1.1.1 138181: 093988: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID Jul 22 16:52:10 10.1.1.1 138182: 093989: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID Jul 22 16:52:10 10.1.1.1 138183: 093990: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM Jul 22 16:52:10 10.1.1.1 138184: 093991: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1 Jul 22 16:52:10 10.1.1.1 138185: Jul 22 16:52:10 10.1.1.1 138186: 093992: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange Jul 22 16:52:10 10.1.1.1 138187: 093993: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE Jul 22 16:52:10 10.1.1.1 138188: 093994: Jul 22 15:52:09.832 PCTime: ISAKMP (0:0): received packet from X.X.X.X dport 500 sport 500 Global ( I) MM_NO_STATE Jul 22 16:52:10 10.1.1.1 138189: 093995: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Jul 22 16:52:10 10.1.1.1 138190: 093996: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2 Jul 22 16:52:10 10.1.1.1 138191: Jul 22 16:52:10 10.1.1.1 138192: 093997: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0 Jul 22 16:52:10 10.1.1.1 138193: 093998: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): processing vendor id payload Jul 22 16:52:10 10.1.1.1 138194: 093999: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): vendor ID is DPD Jul 22 16:52:10 10.1.1.1 138195: 094000: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):Looking for a matching key for X.X.X.X in default Jul 22 16:52:10 10.1.1.1 138196: 094001: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): : success Jul 22 16:52:10 10.1.1.1 138197: 094002: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching X.X.X.X Jul 22 16:52:10 10.1.1.1 138198: 094003: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): local preshared key found Jul 22 16:52:10 10.1.1.1 138199: 094004: Jul 22 15:52:09.832 PCTime: ISAKMP : Scanning profiles for xauth ... S_T_S Jul 22 16:52:10 10.1.1.1 138200: 094005: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy Jul 22 16:52:10 10.1.1.1 138201: 094006: Jul 22 15:52:09.832 PCTime: ISAKMP: encryption 3DES-CBC Jul 22 16:52:10 10.1.1.1 138202: 094007: Jul 22 15:52:09.832 PCTime: ISAKMP: hash MD5 Jul 22 16:52:10 10.1.1.1 138203: 094008: Jul 22 15:52:09.832 PCTime: ISAKMP: default group 2 Jul 22 16:52:10 10.1.1.1 138204: 094009: Jul 22 15:52:09.832 PCTime: ISAKMP: auth pre-share Jul 22 16:52:10 10.1.1.1 138205: 094010: Jul 22 15:52:09.832 PCTime: ISAKMP: life type in seconds Jul 22 16:52:10 10.1.1.1 138206: 094011: Jul 22 15:52:09.832 PCTime: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 Jul 22 16:52:10 10.1.1.1 138207: 094012: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0 Jul 22 16:52:10 10.1.1.1 138208: 094013: Jul 22 15:52:09.832 PCTime: CryptoEngine0: generating alg parameter for connid 28 Jul 22 16:52:10 10.1.1.1 138209: 094014: Jul 22 15:52:09.860 PCTime: CRYPTO_ENGINE: Dh phase 1 status: 0 Jul 22 16:52:10 10.1.1.1 138210: 094015: Jul 22 15:52:09.860 PCTime: CRYPTO_ENGINE: Dh phase 1 status: OK Jul 22 16:52:10 10.1.1.1 138211: 094016: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1): processing vendor id payload Jul 22 16:52:10 10.1.1.1 138212: 094017: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1): vendor ID is DPD Jul 22 16:52:10 10.1.1.1 138213: 094018: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Jul 22 16:52:10 10.1.1.1 138214: 094019: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2 Jul 22 16:52:10 10.1.1.1 138215: Jul 22 16:52:10 10.1.1.1 138216: 094020: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_SA_SETUP Jul 22 16:52:10 10.1.1.1 138217: 094021: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Jul 22 16:52:10 10.1.1.1 138218: 094022: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3 Jul 22 16:52:10 10.1.1.1 138219: Jul 22 16:52:10 10.1.1.1 138220: 094023: Jul 22 15:52:09.896 PCTime: ISAKMP (0:134217756): received packet from X.X.X.X dport 500 sport 500 Global (I) MM_SA_SETUP Jul 22 16:52:10 10.1.1.1 138221: 094024: Jul 22 15:52:09.896 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Jul 22 16:52:10 10.1.1.1 138222: 094025: Jul 22 15:52:09.896 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4 Jul 22 16:52:10 10.1.1.1 138223: Jul 22 16:52:10 10.1.1.1 138224: 094026: Jul 22 15:52:09.896 PCTime: ISAKMP:(0:28:SW:1): processing KE payload. message ID = 0 Jul 22 16:52:10 10.1.1.1 138225: 094027: Jul 22 15:52:09.896 PCTime: CryptoEngine0: generating alg parameter for connid 0 Jul 22 16:52:10 10.1.1.1 138226: 094028: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:28:SW:1): processing NONCE payload. message ID = 0 Jul 22 16:52:10 10.1.1.1 138227: 094029: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:0:N/A:0):Looking for a matching key for X.X.X.X in default Jul 22 16:52:10 10.1.1.1 138228: 094030: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:0:N/A:0): : success Jul 22 16:52:10 10.1.1.1 138229: 094031: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:28:SW:1):found peer pre-shared key matching X.X.X.X Jul 22 16:52:10 10.1.1.1 138230: 094032: Jul 22 15:52:09.924 PCTime: CryptoEngine0: create ISAKMP SKEYID for conn id 28 Jul 22 16:52:10 10.1.1.1 138231: 094033: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:28:SW:1):SKEYID state generated Jul 22 16:52:10 10.1.1.1 138232: 094034: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Jul 22 16:52:10 10.1.1.1 138233: 094035: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4 Jul 22 16:52:10 10.1.1.1 138234: Jul 22 16:52:10 10.1.1.1 138235: 094036: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Send initial contact Jul 22 16:52:10 10.1.1.1 138236: 094037: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):SA is doing pre-shared key authentication using id type ID_ IPV4_ADDR Jul 22 16:52:10 10.1.1.1 138237: 094038: Jul 22 15:52:09.928 PCTime: ISAKMP (0:134217756): ID payload Jul 22 16:52:10 10.1.1.1 138238: next-payload : 8 Jul 22 16:52:10 10.1.1.1 138239: type : 1 Jul 22 16:52:10 10.1.1.1 138240: address : Y.Y.Y.Y Jul 22 16:52:10 10.1.1.1 138241: protocol : 17 Jul 22 16:52:10 10.1.1.1 138242: port : 500 Jul 22 16:52:10 10.1.1.1 138243: length : 12 Jul 22 16:52:10 10.1.1.1 138244: 094039: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Total payload length: 12 Jul 22 16:52:10 10.1.1.1 138245: 094040: Jul 22 15:52:09.928 PCTime: CryptoEngine0: generate hmac context for conn id 28 Jul 22 16:52:10 10.1.1.1 138246: 094041: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_KEY_EXCH Jul 22 16:52:10 10.1.1.1 138247: 094042: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Jul 22 16:52:10 10.1.1.1 138248: 094043: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5 Jul 22 16:52:10 10.1.1.1 138249: Jul 22 16:52:10 10.1.1.1 138250: 094044: Jul 22 15:52:09.940 PCTime: ISAKMP (0:134217756): received packet from X.X.X.X dport 500 sport 500 Global (I) MM_KEY_EXCH Jul 22 16:52:10 10.1.1.1 138251: 094045: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1): processing ID payload. message ID = 0 Jul 22 16:52:10 10.1.1.1 138252: 094046: Jul 22 15:52:09.940 PCTime: ISAKMP (0:134217756): ID payload Jul 22 16:52:11 10.1.1.1 138253: next-payload : 8 Jul 22 16:52:11 10.1.1.1 138254: type : 1 Jul 22 16:52:11 10.1.1.1 138255: Jul 22 16:52:11 10.1.1.1 138256: address : X.X.X.X Jul 22 16:52:11 10.1.1.1 138257: protocol : 17 Jul 22 16:52:11 10.1.1.1 138258: port : 500 Jul 22 16:52:11 10.1.1.1 138259: length : 12 Jul 22 16:52:11 10.1.1.1 138260: 094047: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):: peer matches none of the profiles Jul 22 16:52:11 10.1.1.1 138261: 094048: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1): processing HASH payload. message ID = 0 Jul 22 16:52:11 10.1.1.1 138262: 094049: Jul 22 15:52:09.940 PCTime: CryptoEngine0: generate hmac context for conn id 28 Jul 22 16:52:11 10.1.1.1 138263: 094050: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):SA authentication status: Jul 22 16:52:11 10.1.1.1 138264: authenticated Jul 22 16:52:11 10.1.1.1 138265: 094051: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):SA has been authenticated with X.X.X.X Jul 22 16:52:11 10.1.1.1 138266: 094052: Jul 22 15:52:09.940 PCTime: ISAKMP: Trying to insert a peer Y.Y.Y.Y/X.X.X.X/500/, Jul 22 16:52:11 10.1.1.1 138267: and inserted successfully 44571EB4. Jul 22 16:52:11 10.1.1.1 138268: 094053: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Jul 22 16:52:11 10.1.1.1 138269: 094054: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6 Jul 22 16:52:11 10.1.1.1 138270: Jul 22 16:52:11 10.1.1.1 138271: 094055: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Jul 22 16:52:11 10.1.1.1 138272: 094056: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6 Jul 22 16:52:11 10.1.1.1 138273: Jul 22 16:52:11 10.1.1.1 138274: 094057: Jul 22 15:52:09.944 PCTime: CryptoEngine0: clear dh number for conn id 19 Jul 22 16:52:11 10.1.1.1 138275: 094058: Jul 22 15:52:09.944 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Jul 22 16:52:11 10.1.1.1 138276: 094059: Jul 22 15:52:09.944 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE Jul 22 16:52:11 10.1.1.1 138277: Jul 22 16:52:11 10.1.1.1 138278: 094060: Jul 22 15:52:09.944 PCTime: ISAKMP:(0:28:SW:1):beginning Quick Mode exchange, M-ID of -625100548 Jul 22 16:52:11 10.1.1.1 138279: 094061: Jul 22 15:52:09.944 PCTime: CryptoEngine0: generating alg parameter for connid 28 Jul 22 16:52:11 10.1.1.1 138280: 094062: Jul 22 15:52:09.968 PCTime: CRYPTO_ENGINE: Dh phase 1 status: 0 Jul 22 16:52:11 10.1.1.1 138281: 094063: Jul 22 15:52:09.968 PCTime: CRYPTO_ENGINE: Dh phase 1 status: OK Jul 22 16:52:11 10.1.1.1 138282: 094064: Jul 22 15:52:09.968 PCTime: CryptoEngine0: generate hmac context for conn id 28 Jul 22 16:52:11 10.1.1.1 138283: 094065: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1): sending packet to X.X.X.X my_port 500 peer_port 500 (I) QM_IDLE Jul 22 16:52:11 10.1.1.1 138284: 094066: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1):Node -625100548, Input = IKE_MESG_INTERNAL, IKE_INIT_QM Jul 22 16:52:11 10.1.1.1 138285: 094067: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 Jul 22 16:52:11 10.1.1.1 138286: 094068: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE Jul 22 16:52:11 10.1.1.1 138287: 094069: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Jul 22 16:52:11 10.1.1.1 138288: Jul 22 16:52:11 10.1.1.1 138289: 094070: Jul 22 15:52:11.764 PCTime: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up Jul 22 16:52:12 10.1.1.1 138290: 094071: Jul 22 15:52:11.764 PCTime: is_up: 0 state: 4 sub state: 1 line: 0 has_route: False

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	> Добрый день. Нужно поднять VPN IPSec tunnel между CISCO 2821 и Linux > чтобы пробросит сетку удаленную 192.168.0.0/24 и 10.0.1.0/24 > Первая фаза проходит успешно, а вот на втором этапе циска предлагает > Jul 22 16:13:44 10.1.1.1 135367: local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), > Jul 22 16:13:44 10.1.1.1 135368: remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), > то есть вместо нужных адресов сетей подставляет 0.0.0.0, на что ракун с > другой стороны соответственно ругается, потому что с стороны ракуна описаны правила > на определенные сети. > Jul 22 16:12:37 mon racoon: ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any > dir=in > Jul 22 16:12:37 mon racoon: ERROR: failed to get proposal for responder. > Jul 22 16:12:37 mon racoon: ERROR: failed to pre-process packet. > Конфиг циски (на ней параллельно живут и работают ВПН для виндовых клиентов): > X.X.X.X - внешний адрес Linux > Y.Y.Y.Y - внешний адрес Cisco > выкладываю часть, которая относится к ВПНам. > vpdn enable > vpdn logging > ! > vpdn-group VPDN-L2TP > ! Default L2TP VPDN group > accept-dialin > protocol l2tp > virtual-template 1 > lcp renegotiation on-mismatch > no l2tp tunnel authentication > ! > vpdn-group VPDN-PPTP > ! Default PPTP VPDN group > accept-dialin > protocol pptp > virtual-template 2 > pptp tunnel echo 10 > ip pmtu > ip mtu adjust > ! > crypto isakmp policy 10 > encr 3des > hash md5 > authentication pre-share > group 2 > ! > crypto isakmp policy 20 > encr 3des > authentication pre-share > group 2 > ! > crypto isakmp policy 30 > encr 3des > hash md5 > authentication pre-share > group 2 > crypto isakmp key SECRETKEY address X.X.X.X > crypto isakmp key SECRETKEY address 0.0.0.0 0.0.0.0 > crypto ipsec transform-set L2TP esp-3des esp-md5-hmac > mode transport > crypto ipsec transform-set L2TP_V ah-sha-hmac esp-3des esp-sha-hmac > mode transport > crypto ipsec transform-set SITE_TO_SITE esp-3des esp-md5-hmac > ! > crypto ipsec profile SITE_TO_SITE > set transform-set SITE_TO_SITE > set pfs group2 > ! > ! > crypto dynamic-map L2TP_D 10 > set transform-set L2TP L2TP_V > ! > crypto dynamic-map SITE_TO_SITE 20 > set peer X.X.X.X > set pfs group2 > match address CRYPTO_ACL_IPSec > ! > ! > crypto map L2TP 20 ipsec-isakmp dynamic L2TP_D > crypto map L2TP 30 ipsec-isakmp dynamic SITE_TO_SITE > ! > crypto map S_T_S 1 ipsec-isakmp dynamic SITE_TO_SITE > ! > ! > interface Tunnel0 > description VPN tunnel - not work((( > bandwidth 128 > ip address 10.0.1.1 255.255.255.0 > ip access-group sdm_tunnel0_in in > ip mtu 1476 > shutdown > tunnel source GigabitEthernet0/0 > tunnel destination X.X.X.X > tunnel mode ipsec ipv4 > tunnel path-mtu-discovery > tunnel protection ipsec profile SITE_TO_SITE > ! > interface Loopback0 > description Virtual interface for remote Windows VPN connect > ip address 10.1.5.1 255.255.255.0 > ip access-group sdm_loopback0_in in > ip inspect SDM_LOW in > ! > interface GigabitEthernet0/0 > description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_WAN$$FW_OUTSIDE$$ETH-WAN$ > ip address Y.Y.Y.Y 255.255.255.240 > ip access-group 101 in > ip verify unicast reverse-path > no ip redirects > no ip unreachables > no ip proxy-arp > ip inspect DEFAULT100 out > ip nat outside > ip virtual-reassembly > ip route-cache flow > duplex auto > speed auto > no mop enabled > crypto map L2TP > ! > ! > interface Virtual-Template1 > ip unnumbered Loopback0 > ip access-group VPN_L2TP in > peer default ip address pool vpnpool2 > ppp mtu adaptive > ppp authentication ms-chap-v2 > ppp ipcp dns 10.1.1.10 > ! > interface Virtual-Template2 > description $FW_OUTSIDE$ > ip unnumbered Loopback0 > ip access-group VPN_PPTP in > autodetect encapsulation ppp > peer default ip address pool vpnpool2 > ppp encrypt mppe auto > ppp authentication ms-chap-v2 > ppp ipcp dns 10.1.1.10 > ! > ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload > Конфиг Линукса > [root@mon]~# cat /etc/setkey.conf > #!/sbin/setkey -f > flush; > spdflush; > #out > spdadd 192.168.0.0/24[any] 10.0.1.0/24[any] any -P out ipsec esp/tunnel/X.X.X.X-Y.Y.Y.Y/require; > spdadd 10.0.1.0/24[any] 192.168.0.0/24[any] any -P in ipsec esp/tunnel/Y.Y.Y.Y-X.X.X.X/require; > remote Y.Y.Y.Y > { > exchange_mode main, aggressive; > doi ipsec_doi; > situation identity_only; > my_identifier address X.X.X.X; > nonce_size 16; > initial_contact off; > proposal_check obey; > support_proxy on; > proposal { > > encryption_algorithm 3des; > > hash_algorithm md5; > > authentication_method pre_shared_key; > > dh_group 2; > } > } > sainfo address 192.168.0.0/24 any address 10.0.1.0/24 any { > pfs_group modp1024; # pfs_group > modp768; > encryption_algorithm 3des, des; > authentication_algorithm hmac_md5, hmac_sha1; > compression_algorithm deflate; > } > Лог ракуна > Jul 22 16:52:18 mon racoon: INFO: respond new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500] > Jul 22 16:52:18 mon racoon: INFO: begin Identity Protection mode. > Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07 > Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 > Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 > Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: CISCO-UNITY > Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: DPD > Jul 22 16:52:18 mon racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt > Jul 22 16:52:18 mon racoon: WARNING: ignore INITIAL-CONTACT notification, because it is > only accepted after phase1. > Jul 22 16:52:18 mon racoon: INFO: ISAKMP-SA established X.X.X.X[500]-Y.Y.Y.Y[500] spi:1f36d2df755b22ad:4d20d3f57f82697a > Jul 22 16:52:18 mon racoon: INFO: respond new phase 2 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500] > Jul 22 16:52:18 mon racoon: ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any > dir=in > Jul 22 16:52:18 mon racoon: ERROR: failed to get proposal for responder. > Jul 22 16:52:18 mon racoon: ERROR: failed to pre-process packet. > Лог циски > Jul 22 16:52:09 10.1.1.1 138156: 093970: Jul 22 15:52:09.764 PCTime: CRYPTO_SS(TUNNEL SEC): > Application started listening > Jul 22 16:52:09 10.1.1.1 138157: 093971: Jul 22 15:52:09.764 PCTime: insert of > map into mapdb AVL failed, map + ace pair already exists > on the mapd > b > Jul 22 16:52:09 10.1.1.1 138158: 093972: Jul 22 15:52:09.768 PCTime: is_up: 0 > state: 4 sub state: 1 line: 0 has_route: False > Jul 22 16:52:09 10.1.1.1 138159: 093973: Jul 22 15:52:09.768 PCTime: CRYPTO_SS(TUNNEL SEC): > Active open, socket info: local Y.Y.Y.Y 0.0.0.0/ > 0.0.0.0/0, remote X.X.X.X 0.0.0.0/0.0.0.0/0, prot 0, ifc Tu0 > Jul 22 16:52:09 10.1.1.1 138160: 093974: Jul 22 15:52:09.768 PCTime: IPSEC(sa_request): > , > Jul 22 16:52:09 10.1.1.1 138161: (key eng. msg.) OUTBOUND > Jul 22 16:52:09 10.1.1.1 138162: local= Y.Y.Y.Y, remote= X.X.X.X, > Jul 22 16:52:09 10.1.1.1 138163: local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), > Jul 22 16:52:09 10.1.1.1 138164: remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), > Jul 22 16:52:09 10.1.1.1 138165: protocol= ESP, transform= > esp-3des esp-md5-hmac (Tunnel), > Jul 22 16:52:09 10.1.1.1 138166: lifedur= 3600s and > 4608000kb, > Jul 22 16:52:09 10.1.1.1 138167: spi= 0xA67AC3A6(2793063334), conn_id= > 0, keysize= 0, flags= 0x400B > Jul 22 16:52:09 10.1.1.1 138168: 093975: Jul 22 15:52:09.768 PCTime: ISAKMP: received > ke message (1/1) > Jul 22 16:52:09 10.1.1.1 138169: 093976: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0): > SA request profile is (NULL) > Jul 22 16:52:09 10.1.1.1 138170: 093977: Jul 22 15:52:09.768 PCTime: ISAKMP: Created > a peer struct for X.X.X.X, peer port 500 > Jul 22 16:52:09 10.1.1.1 138171: 093978: Jul 22 15:52:09.768 PCTime: ISAKMP: New > peer created peer = 0x44571EB4 peer_handle = 0x800003B2 > Jul 22 16:52:09 10.1.1.1 138172: 093979: Jul 22 15:52:09.768 PCTime: ISAKMP: Locking > peer struct 0x44571EB4, IKE refcount 1 for isakmp_initiator > Jul 22 16:52:10 10.1.1.1 138173: 093980: Jul 22 15:52:09.768 PCTime: ISAKMP: local > port 500, remote port 500 > Jul 22 16:52:10 10.1.1.1 138174: 093981: Jul 22 15:52:09.768 PCTime: ISAKMP: set > new node 0 to QM_IDLE > Jul 22 16:52:10 10.1.1.1 138175: 093982: Jul 22 15:52:09.768 PCTime: ISAKMP: Find > a dup sa in the avl tree during calling isadb_insert sa > = 4474CDB > 0 > Jul 22 16:52:10 10.1.1.1 138176: 093983: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0):Can > not start Aggressive mode, trying Main mode. > Jul 22 16:52:10 10.1.1.1 138177: 093984: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0):Looking > for a matching key for X.X.X.X in default > Jul 22 16:52:10 10.1.1.1 138178: 093985: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0): > : success > Jul 22 16:52:10 10.1.1.1 138179: 093986: Jul 22 15:52:09.768 PCTime: ISAKMP:(0:0:N/A:0):found > peer pre-shared key matching X.X.X.X > Jul 22 16:52:10 10.1.1.1 138180: 093987: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): > constructed NAT-T vendor-07 ID > Jul 22 16:52:10 10.1.1.1 138181: 093988: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): > constructed NAT-T vendor-03 ID > Jul 22 16:52:10 10.1.1.1 138182: 093989: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): > constructed NAT-T vendor-02 ID > Jul 22 16:52:10 10.1.1.1 138183: 093990: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0):Input > = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM > Jul 22 16:52:10 10.1.1.1 138184: 093991: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0):Old > State = IKE_READY New State = IKE_I_MM1 > Jul 22 16:52:10 10.1.1.1 138185: > Jul 22 16:52:10 10.1.1.1 138186: 093992: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): > beginning Main Mode exchange > Jul 22 16:52:10 10.1.1.1 138187: 093993: Jul 22 15:52:09.772 PCTime: ISAKMP:(0:0:N/A:0): > sending packet to X.X.X.X my_port 500 peer_port 500 > (I) MM_NO_STATE > Jul 22 16:52:10 10.1.1.1 138188: 093994: Jul 22 15:52:09.832 PCTime: ISAKMP (0:0): > received packet from X.X.X.X dport 500 sport 500 Global ( > I) MM_NO_STATE > Jul 22 16:52:10 10.1.1.1 138189: 093995: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):Input > = IKE_MESG_FROM_PEER, IKE_MM_EXCH > Jul 22 16:52:10 10.1.1.1 138190: 093996: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):Old > State = IKE_I_MM1 New State = IKE_I_MM2 > Jul 22 16:52:10 10.1.1.1 138191: > Jul 22 16:52:10 10.1.1.1 138192: 093997: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): > processing SA payload. message ID = 0 > Jul 22 16:52:10 10.1.1.1 138193: 093998: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): > processing vendor id payload > Jul 22 16:52:10 10.1.1.1 138194: 093999: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): > vendor ID is DPD > Jul 22 16:52:10 10.1.1.1 138195: 094000: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):Looking > for a matching key for X.X.X.X in default > Jul 22 16:52:10 10.1.1.1 138196: 094001: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): > : success > Jul 22 16:52:10 10.1.1.1 138197: 094002: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):found > peer pre-shared key matching X.X.X.X > Jul 22 16:52:10 10.1.1.1 138198: 094003: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0): > local preshared key found > Jul 22 16:52:10 10.1.1.1 138199: 094004: Jul 22 15:52:09.832 PCTime: ISAKMP : > Scanning profiles for xauth ... S_T_S > Jul 22 16:52:10 10.1.1.1 138200: 094005: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):Checking > ISAKMP transform 1 against priority 10 policy > Jul 22 16:52:10 10.1.1.1 138201: 094006: Jul 22 15:52:09.832 PCTime: ISAKMP: > encryption 3DES-CBC > Jul 22 16:52:10 10.1.1.1 138202: 094007: Jul 22 15:52:09.832 PCTime: ISAKMP: > hash MD5 > Jul 22 16:52:10 10.1.1.1 138203: 094008: Jul 22 15:52:09.832 PCTime: ISAKMP: > default group 2 > Jul 22 16:52:10 10.1.1.1 138204: 094009: Jul 22 15:52:09.832 PCTime: ISAKMP: > auth pre-share > Jul 22 16:52:10 10.1.1.1 138205: 094010: Jul 22 15:52:09.832 PCTime: ISAKMP: > life type in seconds > Jul 22 16:52:10 10.1.1.1 138206: 094011: Jul 22 15:52:09.832 PCTime: ISAKMP: > life duration (VPI) of 0x0 0x1 > 0x51 0x80 > Jul 22 16:52:10 10.1.1.1 138207: 094012: Jul 22 15:52:09.832 PCTime: ISAKMP:(0:0:N/A:0):atts > are acceptable. Next payload is 0 > Jul 22 16:52:10 10.1.1.1 138208: 094013: Jul 22 15:52:09.832 PCTime: CryptoEngine0: generating > alg parameter for connid 28 > Jul 22 16:52:10 10.1.1.1 138209: 094014: Jul 22 15:52:09.860 PCTime: CRYPTO_ENGINE: Dh > phase 1 status: 0 > Jul 22 16:52:10 10.1.1.1 138210: 094015: Jul 22 15:52:09.860 PCTime: CRYPTO_ENGINE: Dh > phase 1 status: OK > Jul 22 16:52:10 10.1.1.1 138211: 094016: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1): > processing vendor id payload > Jul 22 16:52:10 10.1.1.1 138212: 094017: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1): > vendor ID is DPD > Jul 22 16:52:10 10.1.1.1 138213: 094018: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1):Input > = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE > Jul 22 16:52:10 10.1.1.1 138214: 094019: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1):Old > State = IKE_I_MM2 New State = IKE_I_MM2 > Jul 22 16:52:10 10.1.1.1 138215: > Jul 22 16:52:10 10.1.1.1 138216: 094020: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1): > sending packet to X.X.X.X my_port 500 peer_port 500 > (I) MM_SA_SETUP > Jul 22 16:52:10 10.1.1.1 138217: 094021: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1):Input > = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE > Jul 22 16:52:10 10.1.1.1 138218: 094022: Jul 22 15:52:09.860 PCTime: ISAKMP:(0:28:SW:1):Old > State = IKE_I_MM2 New State = IKE_I_MM3 > Jul 22 16:52:10 10.1.1.1 138219: > Jul 22 16:52:10 10.1.1.1 138220: 094023: Jul 22 15:52:09.896 PCTime: ISAKMP (0:134217756): > received packet from X.X.X.X dport 500 sport 500 > Global (I) MM_SA_SETUP > Jul 22 16:52:10 10.1.1.1 138221: 094024: Jul 22 15:52:09.896 PCTime: ISAKMP:(0:28:SW:1):Input > = IKE_MESG_FROM_PEER, IKE_MM_EXCH > Jul 22 16:52:10 10.1.1.1 138222: 094025: Jul 22 15:52:09.896 PCTime: ISAKMP:(0:28:SW:1):Old > State = IKE_I_MM3 New State = IKE_I_MM4 > Jul 22 16:52:10 10.1.1.1 138223: > Jul 22 16:52:10 10.1.1.1 138224: 094026: Jul 22 15:52:09.896 PCTime: ISAKMP:(0:28:SW:1): > processing KE payload. message ID = 0 > Jul 22 16:52:10 10.1.1.1 138225: 094027: Jul 22 15:52:09.896 PCTime: CryptoEngine0: generating > alg parameter for connid 0 > Jul 22 16:52:10 10.1.1.1 138226: 094028: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:28:SW:1): > processing NONCE payload. message ID = 0 > Jul 22 16:52:10 10.1.1.1 138227: 094029: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:0:N/A:0):Looking > for a matching key for X.X.X.X in default > Jul 22 16:52:10 10.1.1.1 138228: 094030: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:0:N/A:0): > : success > Jul 22 16:52:10 10.1.1.1 138229: 094031: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:28:SW:1):found > peer pre-shared key matching X.X.X.X > Jul 22 16:52:10 10.1.1.1 138230: 094032: Jul 22 15:52:09.924 PCTime: CryptoEngine0: create > ISAKMP SKEYID for conn id 28 > Jul 22 16:52:10 10.1.1.1 138231: 094033: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:28:SW:1):SKEYID > state generated > Jul 22 16:52:10 10.1.1.1 138232: 094034: Jul 22 15:52:09.924 PCTime: ISAKMP:(0:28:SW:1):Input > = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE > Jul 22 16:52:10 10.1.1.1 138233: 094035: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Old > State = IKE_I_MM4 New State = IKE_I_MM4 > Jul 22 16:52:10 10.1.1.1 138234: > Jul 22 16:52:10 10.1.1.1 138235: 094036: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Send > initial contact > Jul 22 16:52:10 10.1.1.1 138236: 094037: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):SA > is doing pre-shared key authentication using id type ID_ > IPV4_ADDR > Jul 22 16:52:10 10.1.1.1 138237: 094038: Jul 22 15:52:09.928 PCTime: ISAKMP (0:134217756): > ID payload > Jul 22 16:52:10 10.1.1.1 138238: > next-payload : 8 > Jul 22 16:52:10 10.1.1.1 138239: > type : 1 > Jul 22 16:52:10 10.1.1.1 138240: > address : Y.Y.Y.Y > Jul 22 16:52:10 10.1.1.1 138241: > protocol : 17 > Jul 22 16:52:10 10.1.1.1 138242: > port : 500 > Jul 22 16:52:10 10.1.1.1 138243: > length : 12 > Jul 22 16:52:10 10.1.1.1 138244: 094039: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Total > payload length: 12 > Jul 22 16:52:10 10.1.1.1 138245: 094040: Jul 22 15:52:09.928 PCTime: CryptoEngine0: generate > hmac context for conn id 28 > Jul 22 16:52:10 10.1.1.1 138246: 094041: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1): > sending packet to X.X.X.X my_port 500 peer_port 500 > (I) MM_KEY_EXCH > Jul 22 16:52:10 10.1.1.1 138247: 094042: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Input > = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE > Jul 22 16:52:10 10.1.1.1 138248: 094043: Jul 22 15:52:09.928 PCTime: ISAKMP:(0:28:SW:1):Old > State = IKE_I_MM4 New State = IKE_I_MM5 > Jul 22 16:52:10 10.1.1.1 138249: > Jul 22 16:52:10 10.1.1.1 138250: 094044: Jul 22 15:52:09.940 PCTime: ISAKMP (0:134217756): > received packet from X.X.X.X dport 500 sport 500 > Global (I) MM_KEY_EXCH > Jul 22 16:52:10 10.1.1.1 138251: 094045: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1): > processing ID payload. message ID = 0 > Jul 22 16:52:10 10.1.1.1 138252: 094046: Jul 22 15:52:09.940 PCTime: ISAKMP (0:134217756): > ID payload > Jul 22 16:52:11 10.1.1.1 138253: > next-payload : 8 > Jul 22 16:52:11 10.1.1.1 138254: > type : 1 > Jul 22 16:52:11 10.1.1.1 138255: > Jul 22 16:52:11 10.1.1.1 138256: > address : X.X.X.X > Jul 22 16:52:11 10.1.1.1 138257: > protocol : 17 > Jul 22 16:52:11 10.1.1.1 138258: > port : 500 > Jul 22 16:52:11 10.1.1.1 138259: > length : 12 > Jul 22 16:52:11 10.1.1.1 138260: 094047: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):: > peer matches none of the profiles > Jul 22 16:52:11 10.1.1.1 138261: 094048: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1): > processing HASH payload. message ID = 0 > Jul 22 16:52:11 10.1.1.1 138262: 094049: Jul 22 15:52:09.940 PCTime: CryptoEngine0: generate > hmac context for conn id 28 > Jul 22 16:52:11 10.1.1.1 138263: 094050: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):SA > authentication status: > Jul 22 16:52:11 10.1.1.1 138264: > authenticated > Jul 22 16:52:11 10.1.1.1 138265: 094051: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):SA > has been authenticated with X.X.X.X > Jul 22 16:52:11 10.1.1.1 138266: 094052: Jul 22 15:52:09.940 PCTime: ISAKMP: Trying > to insert a peer Y.Y.Y.Y/X.X.X.X/500/, > Jul 22 16:52:11 10.1.1.1 138267: and inserted successfully 44571EB4. > Jul 22 16:52:11 10.1.1.1 138268: 094053: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):Input > = IKE_MESG_FROM_PEER, IKE_MM_EXCH > Jul 22 16:52:11 10.1.1.1 138269: 094054: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):Old > State = IKE_I_MM5 New State = IKE_I_MM6 > Jul 22 16:52:11 10.1.1.1 138270: > Jul 22 16:52:11 10.1.1.1 138271: 094055: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):Input > = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE > Jul 22 16:52:11 10.1.1.1 138272: 094056: Jul 22 15:52:09.940 PCTime: ISAKMP:(0:28:SW:1):Old > State = IKE_I_MM6 New State = IKE_I_MM6 > Jul 22 16:52:11 10.1.1.1 138273: > Jul 22 16:52:11 10.1.1.1 138274: 094057: Jul 22 15:52:09.944 PCTime: CryptoEngine0: clear > dh number for conn id 19 > Jul 22 16:52:11 10.1.1.1 138275: 094058: Jul 22 15:52:09.944 PCTime: ISAKMP:(0:28:SW:1):Input > = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE > Jul 22 16:52:11 10.1.1.1 138276: 094059: Jul 22 15:52:09.944 PCTime: ISAKMP:(0:28:SW:1):Old > State = IKE_I_MM6 New State = IKE_P1_COMPLETE > Jul 22 16:52:11 10.1.1.1 138277: > Jul 22 16:52:11 10.1.1.1 138278: 094060: Jul 22 15:52:09.944 PCTime: ISAKMP:(0:28:SW:1):beginning > Quick Mode exchange, M-ID of -625100548 > Jul 22 16:52:11 10.1.1.1 138279: 094061: Jul 22 15:52:09.944 PCTime: CryptoEngine0: generating > alg parameter for connid 28 > Jul 22 16:52:11 10.1.1.1 138280: 094062: Jul 22 15:52:09.968 PCTime: CRYPTO_ENGINE: Dh > phase 1 status: 0 > Jul 22 16:52:11 10.1.1.1 138281: 094063: Jul 22 15:52:09.968 PCTime: CRYPTO_ENGINE: Dh > phase 1 status: OK > Jul 22 16:52:11 10.1.1.1 138282: 094064: Jul 22 15:52:09.968 PCTime: CryptoEngine0: generate > hmac context for conn id 28 > Jul 22 16:52:11 10.1.1.1 138283: 094065: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1): > sending packet to X.X.X.X my_port 500 peer_port 500 > (I) QM_IDLE > Jul 22 16:52:11 10.1.1.1 138284: 094066: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1):Node > -625100548, Input = IKE_MESG_INTERNAL, IKE_INIT_QM > Jul 22 16:52:11 10.1.1.1 138285: 094067: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1):Old > State = IKE_QM_READY New State = IKE_QM_I_QM1 > Jul 22 16:52:11 10.1.1.1 138286: 094068: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1):Input > = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE > Jul 22 16:52:11 10.1.1.1 138287: 094069: Jul 22 15:52:09.968 PCTime: ISAKMP:(0:28:SW:1):Old > State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE > Jul 22 16:52:11 10.1.1.1 138288: > Jul 22 16:52:11 10.1.1.1 138289: 094070: Jul 22 15:52:11.764 PCTime: %LINK-3-UPDOWN: Interface > Tunnel0, changed state to up > Jul 22 16:52:12 10.1.1.1 138290: 094071: Jul 22 15:52:11.764 PCTime: is_up: 0 > state: 4 sub state: 1 line: 0 has_route: False
	Введите код, изображенный на картинке:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру