forum.opennet.ru

Составление сообщения

Исходное сообщение

"CISCO 891 ipsec DLINK dsr-1000"
Отправлено KomaLex, 09-Окт-16 16:13

Здравствуйте.  нужно объеденить две сети. В одно в качестве шлюза cisco 891 во второй dlink dsr-1000
настройки dlink

Policy Name ikcpolicy

Policy Type Auto Policy

IP Protocol Version IPv4

IKE Version IKEv1

L2TP Mode None

IPSec Mode Tunnel Mode

Select Local Gateway
wan1
Remote Endpoint

IP Address / FQDN
x.x.30.214

Enable Mode Config Disabled

Enable NetBIOS Disabled

Enable RollOver Disabled

Protocol ESP

Enable DHCP Disabled

Local IP

Local Start IP Address
172.22.32.1

Local Subnet Mask
255.255.254.0

Remote IP

Remote Start IP Address
192.168.11.1

Remote Subnet Mask
255.255.255.0

Enable Keepalive Disabled

Phase1(IKE SA Parameters)
Exchange Mode Main

Direction / Type Both

Nat Traversal off

Local Identifier Type

Remote Identifier Type

Encryption Algorithm
DES
Authentication Algorithm
SHA-1
Authentication Method Pre-Shared key

Pre-Shared Key secret_key

Diffie-Hellman (DH) Group Group 2 (1024 bit)

SA-Lifetime 86400

Enable Dead Peer Detection Disabled

Extended Authentication None








Phase2-(Auto Policy Parameters)
SA Lifetime 3600 Seconds

Encryption Algorithm

DES
Integrity Algorithm
SHA-1 ON
PFS Key Group Disabled
настройки cisco
crypto keyring wgsecret
  pre-shared-key address 0.0.0.0 0.0.0.0 key secret_key
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp profile WGprofile
   keyring wgsecret
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set WGTS esp-des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map WGDM 10
set transform-set WGTS
set isakmp-profile WGprofile
match address WGCLUBNET
reverse-route
!
!
!
crypto map WGMap 10 ipsec-isakmp dynamic WGDM
!
!
!
!
!
interface Loopback1
ip address 10.11.12.1 255.255.255.0
ip nat enable
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Virtual-Template1
ip address 10.11.11.1 255.255.255.0
peer default ip address pool vpnpool
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap ms-chap-v2
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname 381035811
ppp chap password 7 050E050B2443480C13
ppp pap sent-username 381035811 password 7 050E050B2443480C13
no cdp enable
crypto map WGMap
!
ip local pool vpnpool 10.11.11.32 10.11.11.127
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 122 interface Dialer1 overload
ip nat inside source static tcp 192.168.11.6 22 x.x.30.214 22 extendable
ip nat inside source static tcp 192.168.11.6 80 x.x.30.214 80 extendable
ip nat inside source static tcp 192.168.11.5 3389 x.x.30.214 33891 extendable
ip nat inside source static tcp 192.168.11.22 3389 x.x.30.214 33892 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.22.32.0 255.255.254.0 Dialer1
!
ip access-list extended WGCLUBNET
permit ip host x.x.30.214 host x.x.54.66
permit ip 192.168.11.0 0.0.0.255 172.22.32.0 0.0.1.255
!
dialer-list 1 protocol ip permit
!
!
access-list 23 permit 192.168.11.0 0.0.0.255
access-list 122 permit ip 192.168.11.0 0.0.0.255 any
!

фаза 1 проходит, фаза 2 нет. Вот что пишет в логи длинк:
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify message from x.x.30.214[500].No phase2 handle found.
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: accept a request to establish IKE-SA: x.x.30.214
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214.
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214.
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new phase 2 negotiation: x.x.54.66[500]<=>x.x.30.214[0]
а вот логи cisco

*Oct  9 11:34:45.078: ISAKMP (2003): received packet from 195.206.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct  9 11:34:45.078: ISAKMP: set new node -598716224 to QM_IDLE
*Oct  9 11:34:45.078: ISAKMP:(2003): processing HASH payload. message ID = 3696251072
*Oct  9 11:34:45.078: ISAKMP:(2003): processing SA payload. message ID = 3696251072
*Oct  9 11:34:45.078: ISAKMP:(2003):Checking IPSec proposal 1
*Oct  9 11:34:45.078: ISAKMP: transform 1, ESP_DES
*Oct  9 11:34:45.078: ISAKMP:   attributes in transform:
*Oct  9 11:34:45.078: ISAKMP:      SA life type in seconds
*Oct  9 11:34:45.078: ISAKMP:      SA life duration (basic) of 3600
*Oct  9 11:34:45.078: ISAKMP:      encaps is 1 (Tunnel)
*Oct  9 11:34:45.078: ISAKMP:      authenticator is HMAC-SHA
*Oct  9 11:34:45.078: ISAKMP:(2003):atts are acceptable.
*Oct  9 11:34:45.078: IPSEC(validate_proposal_request): proposal part #1
*Oct  9 11:34:45.078: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct  9 11:34:45.082: ISAKMP:(2003): IPSec policy invalidated proposal with error 32
*Oct  9 11:34:45.082: ISAKMP:(2003): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)
*Oct  9 11:34:45.082: ISAKMP: set new node 1773506091 to QM_IDLE
cisco-gw#sh run
*Oct  9 11:34:45.082: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2371042928, message ID = 1773506091
*Oct  9 11:34:45.082: ISAKMP:(2003): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) QM_IDLE
*Oct  9 11:34:45.082: ISAKMP:(2003):Sending an IKE IPv4 Packet.
*Oct  9 11:34:45.082: ISAKMP:(2003):purging node 1773506091
*Oct  9 11:34:45.082: ISAKMP:(2003):deleting node -598716224 error TRUE reason "QM rejected"
*Oct  9 11:34:45.082: ISAKMP:(2003):Node 3696251072, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct  9 11:34:45.082: ISAKMP:(2003):Old State = IKE_QM_READY  New State = IKE_QM_READY
cisco-gw#sh run
*Oct  9 11:34:55.110: ISAKMP (2003): received packet from 195.206.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct  9 11:34:55.110: ISAKMP:(2003): phase 2 packet is a duplicate of a previous packet.
*Oct  9 11:34:55.110: ISAKMP:(2003): retransmitting due to retransmit phase 2
*Oct  9 11:34:55.110: ISAKMP:(2003): Quick Mode is being processed. Ignoring retransmission
Судя по ошибкам и гуглению по этим ошибкам что то не так с access листами, но вот что. Помогите разобраться. Уже неделю тунель поднять не могу. Все перепробовал.

Исходное сообщение
"CISCO 891 ipsec DLINK dsr-1000" Отправлено KomaLex, 09-Окт-16 16:13
Здравствуйте. нужно объеденить две сети. В одно в качестве шлюза cisco 891 во второй dlink dsr-1000 настройки dlink Policy Name ikcpolicy Policy Type Auto Policy IP Protocol Version IPv4 IKE Version IKEv1 L2TP Mode None IPSec Mode Tunnel Mode Select Local Gateway wan1 Remote Endpoint IP Address / FQDN x.x.30.214 Enable Mode Config Disabled Enable NetBIOS Disabled Enable RollOver Disabled Protocol ESP Enable DHCP Disabled Local IP Local Start IP Address 172.22.32.1 Local Subnet Mask 255.255.254.0 Remote IP Remote Start IP Address 192.168.11.1 Remote Subnet Mask 255.255.255.0 Enable Keepalive Disabled Phase1(IKE SA Parameters) Exchange Mode Main Direction / Type Both Nat Traversal off Local Identifier Type Remote Identifier Type Encryption Algorithm DES Authentication Algorithm SHA-1 Authentication Method Pre-Shared key Pre-Shared Key secret_key Diffie-Hellman (DH) Group Group 2 (1024 bit) SA-Lifetime 86400 Enable Dead Peer Detection Disabled Extended Authentication None Phase2-(Auto Policy Parameters) SA Lifetime 3600 Seconds Encryption Algorithm DES Integrity Algorithm SHA-1 ON PFS Key Group Disabled настройки cisco crypto keyring wgsecret pre-shared-key address 0.0.0.0 0.0.0.0 key secret_key ! crypto isakmp policy 10 authentication pre-share group 2 crypto isakmp profile WGprofile keyring wgsecret match identity address 0.0.0.0 ! ! crypto ipsec transform-set WGTS esp-des esp-sha-hmac mode tunnel ! ! ! crypto dynamic-map WGDM 10 set transform-set WGTS set isakmp-profile WGprofile match address WGCLUBNET reverse-route ! ! ! crypto map WGMap 10 ipsec-isakmp dynamic WGDM ! ! ! ! ! interface Loopback1 ip address 10.11.12.1 255.255.255.0 ip nat enable ! interface FastEthernet0 no ip address ! interface FastEthernet1 no ip address ! interface FastEthernet2 no ip address ! interface FastEthernet3 no ip address ! interface FastEthernet4 no ip address ! interface FastEthernet5 no ip address ! interface FastEthernet6 no ip address ! interface FastEthernet7 no ip address ! interface FastEthernet8 no ip address duplex auto speed auto pppoe enable group global pppoe-client dial-pool-number 1 ! interface Virtual-Template1 ip address 10.11.11.1 255.255.255.0 peer default ip address pool vpnpool no keepalive ppp encrypt mppe auto ppp authentication pap chap ms-chap ms-chap-v2 ! interface GigabitEthernet0 no ip address shutdown duplex auto speed auto ! interface Vlan1 ip address 192.168.11.1 255.255.255.0 ip nat inside ip virtual-reassembly in ! interface Async1 no ip address encapsulation slip ! interface Dialer1 ip address negotiated ip mtu 1452 ip nat outside ip virtual-reassembly in encapsulation ppp dialer pool 1 dialer-group 1 ppp authentication pap chap callin ppp chap hostname 381035811 ppp chap password 7 050E050B2443480C13 ppp pap sent-username 381035811 password 7 050E050B2443480C13 no cdp enable crypto map WGMap ! ip local pool vpnpool 10.11.11.32 10.11.11.127 ip forward-protocol nd no ip http server no ip http secure-server ! ! ip nat inside source list 122 interface Dialer1 overload ip nat inside source static tcp 192.168.11.6 22 x.x.30.214 22 extendable ip nat inside source static tcp 192.168.11.6 80 x.x.30.214 80 extendable ip nat inside source static tcp 192.168.11.5 3389 x.x.30.214 33891 extendable ip nat inside source static tcp 192.168.11.22 3389 x.x.30.214 33892 extendable ip route 0.0.0.0 0.0.0.0 Dialer1 ip route 172.22.32.0 255.255.254.0 Dialer1 ! ip access-list extended WGCLUBNET permit ip host x.x.30.214 host x.x.54.66 permit ip 192.168.11.0 0.0.0.255 172.22.32.0 0.0.1.255 ! dialer-list 1 protocol ip permit ! ! access-list 23 permit 192.168.11.0 0.0.0.255 access-list 122 permit ip 192.168.11.0 0.0.0.255 any ! фаза 1 проходит, фаза 2 нет. Вот что пишет в логи длинк: Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify message from x.x.30.214[500].No phase2 handle found. Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: accept a request to establish IKE-SA: x.x.30.214 Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214. Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214. Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new phase 2 negotiation: x.x.54.66[500]<=>x.x.30.214[0] а вот логи cisco Oct 9 11:34:45.078: ISAKMP (2003): received packet from 195.206.54.66 dport 500 sport 500 Global (R) QM_IDLE Oct 9 11:34:45.078: ISAKMP: set new node -598716224 to QM_IDLE Oct 9 11:34:45.078: ISAKMP:(2003): processing HASH payload. message ID = 3696251072 Oct 9 11:34:45.078: ISAKMP:(2003): processing SA payload. message ID = 3696251072 Oct 9 11:34:45.078: ISAKMP:(2003):Checking IPSec proposal 1 Oct 9 11:34:45.078: ISAKMP: transform 1, ESP_DES Oct 9 11:34:45.078: ISAKMP: attributes in transform: Oct 9 11:34:45.078: ISAKMP: SA life type in seconds Oct 9 11:34:45.078: ISAKMP: SA life duration (basic) of 3600 Oct 9 11:34:45.078: ISAKMP: encaps is 1 (Tunnel) Oct 9 11:34:45.078: ISAKMP: authenticator is HMAC-SHA Oct 9 11:34:45.078: ISAKMP:(2003):atts are acceptable. Oct 9 11:34:45.078: IPSEC(validate_proposal_request): proposal part #1 Oct 9 11:34:45.078: IPSEC(initialize_sas): invalid IPv4 proxy IDs Oct 9 11:34:45.082: ISAKMP:(2003): IPSec policy invalidated proposal with error 32 Oct 9 11:34:45.082: ISAKMP:(2003): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66) Oct 9 11:34:45.082: ISAKMP: set new node 1773506091 to QM_IDLE cisco-gw#sh run Oct 9 11:34:45.082: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2371042928, message ID = 1773506091 Oct 9 11:34:45.082: ISAKMP:(2003): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) QM_IDLE Oct 9 11:34:45.082: ISAKMP:(2003):Sending an IKE IPv4 Packet. Oct 9 11:34:45.082: ISAKMP:(2003):purging node 1773506091 Oct 9 11:34:45.082: ISAKMP:(2003):deleting node -598716224 error TRUE reason "QM rejected" Oct 9 11:34:45.082: ISAKMP:(2003):Node 3696251072, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Oct 9 11:34:45.082: ISAKMP:(2003):Old State = IKE_QM_READY New State = IKE_QM_READY cisco-gw#sh run Oct 9 11:34:55.110: ISAKMP (2003): received packet from 195.206.54.66 dport 500 sport 500 Global (R) QM_IDLE Oct 9 11:34:55.110: ISAKMP:(2003): phase 2 packet is a duplicate of a previous packet. Oct 9 11:34:55.110: ISAKMP:(2003): retransmitting due to retransmit phase 2 Oct 9 11:34:55.110: ISAKMP:(2003): Quick Mode is being processed. Ignoring retransmission Судя по ошибкам и гуглению по этим ошибкам что то не так с access листами, но вот что. Помогите разобраться. Уже неделю тунель поднять не могу. Все перепробовал.

Ваше сообщение

Имя*:

EMail:

Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.

Заголовок*:

Сообщение*:

> Здравствуйте.  нужно объеденить две сети. В одно в качестве шлюза cisco 
> 891 во второй dlink dsr-1000 
> настройки dlink

> [code] 
> Policy Name ikcpolicy

> Policy Type Auto Policy

> IP Protocol Version IPv4

> IKE Version IKEv1

> L2TP Mode None

> IPSec Mode Tunnel Mode

> Select Local Gateway 
>  wan1

> Remote Endpoint

> IP Address / FQDN 
> x.x.30.214

> Enable Mode Config Disabled

> Enable NetBIOS Disabled

> Enable RollOver Disabled

> Protocol ESP

> Enable DHCP Disabled

> Local IP

> Local Start IP Address 
> 172.22.32.1

> Local Subnet Mask 
> 255.255.254.0

> Remote IP

> Remote Start IP Address 
> 192.168.11.1

> Remote Subnet Mask 
> 255.255.255.0

> Enable Keepalive Disabled

> Phase1(IKE SA Parameters) 
> Exchange Mode Main

> Direction / Type Both

> Nat Traversal off

> Local Identifier Type

> Remote Identifier Type

> Encryption Algorithm 
> DES 
> Authentication Algorithm 
> SHA-1

> Authentication Method Pre-Shared key

> Pre-Shared Key secret_key

> Diffie-Hellman (DH) Group Group 2 (1024 bit)

> SA-Lifetime 86400

> Enable Dead Peer Detection Disabled

> Extended Authentication None

> Phase2-(Auto Policy Parameters) 
> SA Lifetime 3600 Seconds

> Encryption Algorithm

> DES

> Integrity Algorithm 
> SHA-1 ON

> PFS Key Group Disabled 
> [/code]

> настройки cisco 
> [code]

> crypto keyring wgsecret 
>   pre-shared-key address 0.0.0.0 0.0.0.0 key secret_key 
> !
> crypto isakmp policy 10 
>  authentication pre-share 
>  group 2 
> crypto isakmp profile WGprofile 
>    keyring wgsecret 
>    match identity address 0.0.0.0 
> !
> !
> crypto ipsec transform-set WGTS esp-des esp-sha-hmac 
>  mode tunnel 
> !
> !
> !
> crypto dynamic-map WGDM 10 
>  set transform-set WGTS 
>  set isakmp-profile WGprofile 
>  match address WGCLUBNET 
>  reverse-route 
> !
> !
> !
> crypto map WGMap 10 ipsec-isakmp dynamic WGDM 
> !
> !
> !
> !
> !
> interface Loopback1 
>  ip address 10.11.12.1 255.255.255.0 
>  ip nat enable 
> !
> interface FastEthernet0 
>  no ip address 
> !
> interface FastEthernet1 
>  no ip address 
> !
> interface FastEthernet2 
>  no ip address 
> !
> interface FastEthernet3 
>  no ip address 
> !
> interface FastEthernet4 
>  no ip address 
> !
> interface FastEthernet5 
>  no ip address 
> !
> interface FastEthernet6 
>  no ip address 
> !
> interface FastEthernet7 
>  no ip address 
> !
> interface FastEthernet8 
>  no ip address 
>  duplex auto 
>  speed auto 
>  pppoe enable group global 
>  pppoe-client dial-pool-number 1 
> !
> interface Virtual-Template1 
>  ip address 10.11.11.1 255.255.255.0 
>  peer default ip address pool vpnpool 
>  no keepalive 
>  ppp encrypt mppe auto 
>  ppp authentication pap chap ms-chap ms-chap-v2 
> !
> interface GigabitEthernet0 
>  no ip address 
>  shutdown 
>  duplex auto 
>  speed auto 
> !
> interface Vlan1 
>  ip address 192.168.11.1 255.255.255.0 
>  ip nat inside 
>  ip virtual-reassembly in 
> !
> interface Async1 
>  no ip address 
>  encapsulation slip 
> !
> interface Dialer1 
>  ip address negotiated 
>  ip mtu 1452 
>  ip nat outside 
>  ip virtual-reassembly in 
>  encapsulation ppp 
>  dialer pool 1 
>  dialer-group 1 
>  ppp authentication pap chap callin 
>  ppp chap hostname 381035811 
>  ppp chap password 7 050E050B2443480C13 
>  ppp pap sent-username 381035811 password 7 050E050B2443480C13 
>  no cdp enable 
>  crypto map WGMap 
> !
> ip local pool vpnpool 10.11.11.32 10.11.11.127 
> ip forward-protocol nd 
> no ip http server 
> no ip http secure-server 
> !
> !
> ip nat inside source list 122 interface Dialer1 overload 
> ip nat inside source static tcp 192.168.11.6 22 x.x.30.214 22 extendable 
> ip nat inside source static tcp 192.168.11.6 80 x.x.30.214 80 extendable 
> ip nat inside source static tcp 192.168.11.5 3389 x.x.30.214 33891 extendable 
> ip nat inside source static tcp 192.168.11.22 3389 x.x.30.214 33892 extendable 
> ip route 0.0.0.0 0.0.0.0 Dialer1 
> ip route 172.22.32.0 255.255.254.0 Dialer1 
> !
> ip access-list extended WGCLUBNET 
>  permit ip host x.x.30.214 host x.x.54.66 
>  permit ip 192.168.11.0 0.0.0.255 172.22.32.0 0.0.1.255 
> !
> dialer-list 1 protocol ip permit 
> !
> !
> access-list 23 permit 192.168.11.0 0.0.0.255 
> access-list 122 permit ip 192.168.11.0 0.0.0.255 any 
> !
> [/code]

> фаза 1 проходит, фаза 2 нет. Вот что пишет в логи длинк: 
 
> [code]

> Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify 
> message from x.x.30.214[500].No phase2 handle found.
> Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: accept a 
> request to establish IKE-SA: x.x.30.214 
> Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found 
> for x.x.30.214.
> Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found 
> for x.x.30.214.
> Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new 
> phase 2 negotiation: x.x.54.66[500]<=>x.x.30.214[0] 
> [/code]

> а вот логи cisco 
> [code] 
> *Oct  9 11:34:45.078: ISAKMP (2003): received packet from 195.206.54.66 dport 500 
> sport 500 Global (R) QM_IDLE 
> *Oct  9 11:34:45.078: ISAKMP: set new node -598716224 to QM_IDLE 
> *Oct  9 11:34:45.078: ISAKMP:(2003): processing HASH payload. message ID = 3696251072 
 
> *Oct  9 11:34:45.078: ISAKMP:(2003): processing SA payload. message ID = 3696251072 
 
> *Oct  9 11:34:45.078: ISAKMP:(2003):Checking IPSec proposal 1 
> *Oct  9 11:34:45.078: ISAKMP: transform 1, ESP_DES 
> *Oct  9 11:34:45.078: ISAKMP:   attributes in transform: 
> *Oct  9 11:34:45.078: ISAKMP:      SA life 
> type in seconds 
> *Oct  9 11:34:45.078: ISAKMP:      SA life 
> duration (basic) of 3600 
> *Oct  9 11:34:45.078: ISAKMP:      encaps is 
> 1 (Tunnel) 
> *Oct  9 11:34:45.078: ISAKMP:      authenticator is 
> HMAC-SHA 
> *Oct  9 11:34:45.078: ISAKMP:(2003):atts are acceptable.
> *Oct  9 11:34:45.078: IPSEC(validate_proposal_request): proposal part #1 
> *Oct  9 11:34:45.078: IPSEC(initialize_sas): invalid IPv4 proxy IDs 
> *Oct  9 11:34:45.082: ISAKMP:(2003): IPSec policy invalidated proposal with error 32 
 
> *Oct  9 11:34:45.082: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 
> x.x.30.214 remote x.x.54.66) 
> *Oct  9 11:34:45.082: ISAKMP: set new node 1773506091 to QM_IDLE 
> cisco-gw#sh run 
> *Oct  9 11:34:45.082: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 
>         spi 2371042928, message ID 
> = 1773506091 
> *Oct  9 11:34:45.082: ISAKMP:(2003): sending packet to x.x.54.66 my_port 500 peer_port 
> 500 (R) QM_IDLE 
> *Oct  9 11:34:45.082: ISAKMP:(2003):Sending an IKE IPv4 Packet.
> *Oct  9 11:34:45.082: ISAKMP:(2003):purging node 1773506091 
> *Oct  9 11:34:45.082: ISAKMP:(2003):deleting node -598716224 error TRUE reason "QM rejected" 
 
> *Oct  9 11:34:45.082: ISAKMP:(2003):Node 3696251072, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH 
 
> *Oct  9 11:34:45.082: ISAKMP:(2003):Old State = IKE_QM_READY  New State = 
> IKE_QM_READY 
> cisco-gw#sh run 
> *Oct  9 11:34:55.110: ISAKMP (2003): received packet from 195.206.54.66 dport 500 
> sport 500 Global (R) QM_IDLE 
> *Oct  9 11:34:55.110: ISAKMP:(2003): phase 2 packet is a duplicate of 
> a previous packet.
> *Oct  9 11:34:55.110: ISAKMP:(2003): retransmitting due to retransmit phase 2 
> *Oct  9 11:34:55.110: ISAKMP:(2003): Quick Mode is being processed. Ignoring retransmission 
 
> [/code]

> Судя по ошибкам и гуглению по этим ошибкам что то не так 
> с access листами, но вот что. Помогите разобраться. Уже неделю тунель 
> поднять не могу. Все перепробовал.

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру