forum.opennet.ru - "проблема с ipsec и двумя кошками =(" (3)

форумы

помощь

поиск

регистрация

майллист

вход/выход

слежка

"проблема с ipsec и двумя кошками =("

Форумы Маршрутизаторы CISCO и др. оборудование. (VPN, VLAN, туннель)
Вариант для распечатки		Пред. тема \| След. тема
Изначальное сообщение		[ Отслеживать ]

"проблема с ipsec и двумя кошками =("		+/–
Сообщение от Osirix (ok) on 28-Июн-07, 22:43
Здравствуйте многоуважаемые. Поднимаю ipsec между двумя кошкам и вроде бы все поднимается и работает но только при условии прохождения первого пакета с нужной стороны. Поясняю подробнее на примерах. Шифруем траф между сетями 10.0.0.0/24 и 10.0.254.0/24. Канал поднят между двумя loopback интерфейсами. На физических интерфейсах так же реальные ипы. Поле настройки как и полагается сессии опущены Interface: Loopback0 Session status: DOWN Если я на пытаюсь пинговать с 10.0.0.10 -> 10.0.254.1 то пинги не идут но сессии переходят в состояние Interface: Loopback0 Session status: UP-IDLE И это с обоих сторон. Как только я пускаю пинг с 10.0.254.1 на 10.0.0.10 то сесии сразу становятся активными и начинают ходить пинги. Interface: Loopback0 Session status: UP-ACTIVE Peer: 80.250.218.2 port 500 IKE SA: local 82.148.15.64/500 remote 80.250.218.2/500 Active То есть начинает все сразу работать если я пущу пакеты с всегде одной стороны. Хоть пинги оставляй что бы канал не падал. =( Надеюсь я понятно объяснил суть проблемы. Теперь дам частично конфиги железок сторона где сеть 10.0.0.0/24 crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 3600 crypto isakmp key superkey address 82.148.15.64 no-xauth crypto ipsec transform-set BRANCH_VPN esp-aes 256 esp-sha-hmac crypto map VPN local-address Loopback1 crypto map VPN client configuration address respond crypto map VPN 41 ipsec-isakmp description MO_BACKUP set peer 82.148.15.64 set transform-set BRANCH_VPN match address VPN_MO_BACKUP reverse-route remote-peer 82.148.15.64 static ip access-list extended VPN_MO_BACKUP permit ip 10.0.0.0 0.0.0.255 10.0.254.0 0.0.0.255 permit ip host 80.250.218.2 host 82.148.15.64 Конфиг второй стороны crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 3600 crypto isakmp key superkey address 80.250.218.2 no-xauth crypto ipsec transform-set BRANCH_VPN esp-aes 256 esp-sha-hmac crypto map VPN local-address Loopback0 crypto map VPN client configuration address respond crypto map VPN 10 ipsec-isakmp set peer 80.250.218.2 set transform-set BRANCH_VPN set pfs group2 match address VPN_MO9 reverse-route remote-peer 80.250.218.2 static ip access-list extended VPN_MO9 permit ip host 82.148.15.64 host 80.250.218.2 permit ip 10.0.254.0 0.0.0.255 10.0.0.0 0.0.0.255 Конфиги раельные но сильно урезанные. Вроде как все абсолютно нормально но не работает как хочется хотя все роуты нормально светятся и все пакеты между реальными интерфейсами маршрутера ходят без проблем. По сему вопрос скорее теоритический. Почему возможна ситуация когда если с одной стороны начинаешь пинговать то тунель поднимается сразу и пакеты бегают, но если на положенной сессии начать пинговать с другой стороны сессия переходит в UP-IDLE но пакеты не ходят до первого пакета с другой стороны??? Я уже голову сломал. Неделю бьюсь. Все варианты ACL перепробовал но ничего не помогает =(((
Высказать мнение \| Ответить \| Правка \| Cообщить модератору

Оглавление

проблема с ipsec и двумя кошками =(, Osirix, 22:49 , 28-Июн-07, (1)

проблема с ipsec и двумя кошками =(, Osirix, 12:09 , 29-Июн-07, (2)

проблема с ipsec и двумя кошками =(, Alexey, 10:55 , 13-Мрт-10, (3)

Сообщения по теме [Сортировка по времени | RSS]

1. "проблема с ipsec и двумя кошками =(" +/–

Сообщение от Osirix (ok) on 28-Июн-07, 22:49

Вот логи установки соединения той стороны которая 10.0.254.0/24
Jun 28 18:10:57.491: ISAKMP:(0:28:HW:2):deleting SA reason "No reason" state (R) QM_IDLE       (peer 80.250.218.2)
Jun 28 18:10:57.491: ISAKMP:(0:28:HW:2):deleting node 687874368 error FALSE reason "Informational (in) state 1"
Jun 28 18:10:57.491: ISAKMP:(0:28:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 28 18:10:57.491: ISAKMP:(0:28:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):deleting SA reason "No reason" state (R) QM_IDLE       (peer 80.250.218.2)
Jun 28 18:10:57.495: ISAKMP: Unlocking IKE struct 0x658C3FD0 for isadb_mark_sa_deleted(), count 0
Jun 28 18:10:57.495: ISAKMP: Deleting peer node by peer_reap for 80.250.218.2: 658C3FD0
Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):deleting node 876229975 error FALSE reason "IKE deleted"
Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):deleting node 687874368 error FALSE reason "IKE deleted"
Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
Jun 28 18:11:29.355: ISAKMP: received ke message (1/1)
Jun 28 18:11:29.355: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jun 28 18:11:29.355: ISAKMP: Created a peer struct for 80.250.218.2, peer port 500
Jun 28 18:11:29.355: ISAKMP: New peer created peer = 0x646608C8 peer_handle = 0x80000015
Jun 28 18:11:29.355: ISAKMP: Locking peer struct 0x646608C8, IKE refcount 1 for isakmp_initiator
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Setting client config settings 6466AE28
Jun 28 18:11:29.359: ISAKMP: local port 500, remote port 500
Jun 28 18:11:29.359: ISAKMP: set new node 0 to QM_IDLE
Jun 28 18:11:29.359: insert sa successfully sa = 646BBE68
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Looking for a matching key for 80.250.218.2 in default
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): : success
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 80.250.218.2
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 28 18:11:29.371: ISAKMP (0:0): received packet from 80.250.218.2 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 28 18:11:29.371: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 28 18:11:29.371: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Jun 28 18:11:29.371: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
Jun 28 18:11:29.375: ISAKMP (0:0): vendor ID is NAT-T v7
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0):Looking for a matching key for 80.250.218.2 in default
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0): : success
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 80.250.218.2
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0): local preshared key found
Jun 28 18:11:29.375: ISAKMP : Scanning profiles for xauth ...
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Jun 28 18:11:29.375: ISAKMP:      encryption AES-CBC
Jun 28 18:11:29.375: ISAKMP:      keylength of 256
Jun 28 18:11:29.375: ISAKMP:      hash SHA
Jun 28 18:11:29.375: ISAKMP:      default group 2
Jun 28 18:11:29.375: ISAKMP:      auth pre-share
Jun 28 18:11:29.375: ISAKMP:      life type in seconds
Jun 28 18:11:29.375: ISAKMP:      life duration (basic) of 3600
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2): processing vendor id payload
Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2): vendor ID seems Unity/DPD but major 245 mismatch
Jun 28 18:11:29.383: ISAKMP (0:268435485): vendor ID is NAT-T v7
Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM2  New State = IKE_I_MM2
Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 28 18:11:29.387: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 28 18:11:29.387: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM2  New State = IKE_I_MM3
Jun 28 18:11:29.403: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 28 18:11:29.403: ISAKMP:(0:29:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 28 18:11:29.403: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM3  New State = IKE_I_MM4
Jun 28 18:11:29.403: ISAKMP:(0:29:HW:2): processing KE payload. message ID = 0
Jun 28 18:11:29.411: ISAKMP:(0:29:HW:2): processing NONCE payload. message ID = 0
Jun 28 18:11:29.411: ISAKMP:(0:0:N/A:0):Looking for a matching key for 80.250.218.2 in default
Jun 28 18:11:29.411: ISAKMP:(0:0:N/A:0): : success
Jun 28 18:11:29.411: ISAKMP:(0:29:HW:2):found peer pre-shared key matching 80.250.218.2
Jun 28 18:11:29.411: ISAKMP:(0:0:N/A:0):Looking for a matching key for 80.250.218.2 in default
Jun 28 18:11:29.411: ISAKMP:(0:0:N/A:0): : success
Jun 28 18:11:29.411: ISAKMP:(0:29:HW:2):found peer pre-shared key matching 80.250.218.2
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2):SKEYID state generated
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): processing vendor id payload
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): vendor ID is Unity
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): processing vendor id payload
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): vendor ID is DPD
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): processing vendor id payload
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): speaking to another IOS box!
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM4  New State = IKE_I_MM4
Jun 28 18:11:29.419: ISAKMP:(0:29:HW:2):Send initial contact
Jun 28 18:11:29.419: ISAKMP:(0:29:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 28 18:11:29.419: ISAKMP (0:268435485): ID payload
        next-payload : 8
        type         : 1
        address      : 82.148.15.64
        protocol     : 17
        port         : 500
        length       : 12
Jun 28 18:11:29.419: ISAKMP:(0:29:HW:2):Total payload length: 12
Jun 28 18:11:29.423: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jun 28 18:11:29.423: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 28 18:11:29.423: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM4  New State = IKE_I_MM5
Jun 28 18:11:29.427: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2): processing ID payload. message ID = 0
Jun 28 18:11:29.431: ISAKMP (0:268435485): ID payload
        next-payload : 8
        type         : 1
        address      : 80.250.218.2
        protocol     : 17
        port         : 500
        length       : 12
Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2):: peer matches *none* of the profiles
Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2): processing HASH payload. message ID = 0
Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2):SA authentication status:
        authenticated
Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2):SA has been authenticated with 80.250.218.2
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):IKE_DPD is enabled, initializing timers
Jun 28 18:11:29.435: ISAKMP: Trying to insert a peer 82.148.15.64/80.250.218.2/500/,  and inserted successfully 646608C8.
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM5  New State = IKE_I_MM6
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM6  New State = IKE_I_MM6
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):beginning Quick Mode exchange, M-ID of 80228627
Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) QM_IDLE
Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2):Node 80228627, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Jun 28 18:11:29.475: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) QM_IDLE
Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2): processing HASH payload. message ID = 80228627
Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2): processing SA payload. message ID = 80228627
Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2):Checking IPSec proposal 1
Jun 28 18:11:29.479: ISAKMP: transform 1, ESP_AES
Jun 28 18:11:29.479: ISAKMP:   attributes in transform:
Jun 28 18:11:29.479: ISAKMP:      encaps is 1 (Tunnel)
Jun 28 18:11:29.479: ISAKMP:      SA life type in seconds
Jun 28 18:11:29.479: ISAKMP:      SA life duration (basic) of 3600
Jun 28 18:11:29.479: ISAKMP:      SA life type in kilobytes
Jun 28 18:11:29.479: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Jun 28 18:11:29.479: ISAKMP:      authenticator is HMAC-SHA
Jun 28 18:11:29.479: ISAKMP:      key length is 256
Jun 28 18:11:29.479: ISAKMP:      group is 2
Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2):atts are acceptable.
Jun 28 18:11:29.483: ISAKMP:(0:29:HW:2): processing NONCE payload. message ID = 80228627
Jun 28 18:11:29.483: ISAKMP:(0:29:HW:2): processing KE payload. message ID = 80228627
Jun 28 18:11:29.487: ISAKMP:(0:29:HW:2): processing ID payload. message ID = 80228627
Jun 28 18:11:29.487: ISAKMP:(0:29:HW:2): processing ID payload. message ID = 80228627
Jun 28 18:11:29.499: ISAKMP: Locking peer struct 0x646608C8, IPSEC refcount 1 for for stuff_ke
Jun 28 18:11:29.499: ISAKMP:(0:29:HW:2): Creating IPSec SAs
Jun 28 18:11:29.499:         inbound SA from 80.250.218.2 to 82.148.15.64 (f/i)  0/ 0
        (proxy 10.0.0.0 to 10.0.254.0)
Jun 28 18:11:29.499:         has spi 0x4B1337A and conn_id 0 and flags 23
Jun 28 18:11:29.499:         lifetime of 3600 seconds
Jun 28 18:11:29.499:         lifetime of 4608000 kilobytes
Jun 28 18:11:29.499:         has client flags 0x0
Jun 28 18:11:29.499:         outbound SA from 82.148.15.64 to 80.250.218.2 (f/i) 0/0
        (proxy 10.0.254.0 to 10.0.0.0)
Jun 28 18:11:29.499:         has spi -1882863622 and conn_id 0 and flags 2B
Jun 28 18:11:29.499:         lifetime of 3600 seconds
Jun 28 18:11:29.499:         lifetime of 4608000 kilobytes
Jun 28 18:11:29.499:         has client flags 0x0
Jun 28 18:11:29.499: ISAKMP: Locking peer struct 0x646608C8, IPSEC refcount 2 for from create_transforms
Jun 28 18:11:29.503: ISAKMP: Unlocking IPSEC struct 0x646608C8 from create_transforms, count 1
Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) QM_IDLE
Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2):deleting node 80228627 error FALSE reason "No Error"
Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2):Node 80228627, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
Jun 28 18:11:47.496: ISAKMP:(0:28:HW:2):purging node 876229975
Jun 28 18:11:47.496: ISAKMP:(0:28:HW:2):purging node 687874368
Jun 28 18:11:57.496: ISAKMP:(0:28:HW:2):purging SA., sa=646B799C, delme=646B799C
Jun 28 18:12:19.496: ISAKMP:(0:29:HW:2):purging node 80228627
Jun 28 18:45:08.969: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) QM_IDLE
Jun 28 18:45:08.969: ISAKMP: set new node 1196849088 to QM_IDLE
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): processing HASH payload. message ID = 1196849088
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): processing SA payload. message ID = 1196849088
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2):Checking IPSec proposal 1
Jun 28 18:45:08.973: ISAKMP: transform 1, ESP_AES
Jun 28 18:45:08.973: ISAKMP:   attributes in transform:
Jun 28 18:45:08.973: ISAKMP:      encaps is 1 (Tunnel)
Jun 28 18:45:08.973: ISAKMP:      SA life type in seconds
Jun 28 18:45:08.973: ISAKMP:      SA life duration (basic) of 3600
Jun 28 18:45:08.973: ISAKMP:      SA life type in kilobytes
Jun 28 18:45:08.973: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Jun 28 18:45:08.973: ISAKMP:      authenticator is HMAC-SHA
Jun 28 18:45:08.973: ISAKMP:      key length is 256
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2):atts are acceptable.
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): IPSec policy invalidated proposal
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): phase 2 SA policy not acceptable! (local 82.148.15.64 remote 80.250.218.2)
Jun 28 18:45:08.977: ISAKMP: set new node 411620218 to QM_IDLE
Jun 28 18:45:08.977: ISAKMP:(0:29:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1697941984, message ID = 411620218
Jun 28 18:45:08.977: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) QM_IDLE
Jun 28 18:45:08.977: ISAKMP:(0:29:HW:2):purging node 411620218
Jun 28 18:45:08.981: ISAKMP:(0:29:HW:2):deleting node 1196849088 error TRUE reason "QM rejected"
Jun 28 18:45:08.981: ISAKMP (0:268435485): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node 1196849088: state = IKE_QM_READY
Jun 28 18:45:08.981: ISAKMP:(0:29:HW:2):Node 1196849088, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 28 18:45:08.981: ISAKMP:(0:29:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_READY
Jun 28 18:45:08.981: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 80.250.218.2
Jun 28 18:45:38.965: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) QM_IDLE
Jun 28 18:45:38.965: ISAKMP: set new node -1614916990 to QM_IDLE
Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2): processing HASH payload. message ID = -1614916990
Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2): processing SA payload. message ID = -1614916990
Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2):Checking IPSec proposal 1
Jun 28 18:45:38.969: ISAKMP: transform 1, ESP_AES
Jun 28 18:45:38.969: ISAKMP:   attributes in transform:
Jun 28 18:45:38.969: ISAKMP:      encaps is 1 (Tunnel)
Jun 28 18:45:38.969: ISAKMP:      SA life type in seconds
Jun 28 18:45:38.969: ISAKMP:      SA life duration (basic) of 3600
Jun 28 18:45:38.969: ISAKMP:      SA life type in kilobytes
Jun 28 18:45:38.969: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Jun 28 18:45:38.969: ISAKMP:      authenticator is HMAC-SHA
Jun 28 18:45:38.969: ISAKMP:      key length is 256
Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2):atts are acceptable.
Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2): IPSec policy invalidated proposal
Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2): phase 2 SA policy not acceptable! (local 82.148.15.64 remote 80.250.218.2)
Jun 28 18:45:38.973: ISAKMP: set new node -1227785736 to QM_IDLE
Jun 28 18:45:38.973: ISAKMP:(0:29:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1697941984, message ID = -1227785736
Jun 28 18:45:38.973: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) QM_IDLE
Jun 28 18:45:38.973: ISAKMP:(0:29:HW:2):purging node -1227785736
Jun 28 18:45:38.977: ISAKMP:(0:29:HW:2):deleting node -1614916990 error TRUE reason "QM rejected"
Jun 28 18:45:38.977: ISAKMP (0:268435485): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -1614916990: state = IKE_QM_READY
Jun 28 18:45:38.977: ISAKMP:(0:29:HW:2):Node -1614916990, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 28 18:45:38.977: ISAKMP:(0:29:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_READY
Jun 28 18:45:58.981: ISAKMP:(0:29:HW:2):purging node 1196849088

Высказать мнение | Ответить | Правка | ^ | Наверх | Cообщить модератору

2. "проблема с ipsec и двумя кошками =(" +/–

Сообщение от Osirix (??) on 29-Июн-07, 12:09

Нашел в чем проблема была. Даже самому обидно что столько времени убил.
Лишнюю строчку пометил. После ее удаления и переинициализации криптосессии все разаботало в обе стороны как и положено.
crypto map VPN local-address Loopback0
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
set peer a.a.a.a
set transform-set BRANCH_VPN
>>set pfs group2
match address VPN_MO9
reverse-route remote-peer a.a.a.a static

Высказать мнение | Ответить | Правка | ^ | Наверх | Cообщить модератору

3. "проблема с ipsec и двумя кошками =(" +/–

Сообщение от Alexey (??) on 13-Мрт-10, 10:55

>[оверквотинг удален]
>обе стороны как и положено.
>
>crypto map VPN local-address Loopback0
>crypto map VPN client configuration address respond
>crypto map VPN 10 ipsec-isakmp
>set peer a.a.a.a
>set transform-set BRANCH_VPN
>>>set pfs group2
>match address VPN_MO9
>reverse-route remote-peer a.a.a.a static
У меня сейчас точно такая же проблема, но pfs group нету ни на одной стороне =/

Высказать мнение | Ответить | Правка | ^ | Наверх | Cообщить модератору

Архив | Удалить

Рекомендовать для помещения в FAQ | Индекс форумов | Темы | Пред. тема | След. тема

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру

1. "проблема с ipsec и двумя кошками =("		+/–
Сообщение от Osirix (ok) on 28-Июн-07, 22:49
Вот логи установки соединения той стороны которая 10.0.254.0/24 Jun 28 18:10:57.491: ISAKMP:(0:28:HW:2):deleting SA reason "No reason" state (R) QM_IDLE (peer 80.250.218.2) Jun 28 18:10:57.491: ISAKMP:(0:28:HW:2):deleting node 687874368 error FALSE reason "Informational (in) state 1" Jun 28 18:10:57.491: ISAKMP:(0:28:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL Jun 28 18:10:57.491: ISAKMP:(0:28:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):deleting SA reason "No reason" state (R) QM_IDLE (peer 80.250.218.2) Jun 28 18:10:57.495: ISAKMP: Unlocking IKE struct 0x658C3FD0 for isadb_mark_sa_deleted(), count 0 Jun 28 18:10:57.495: ISAKMP: Deleting peer node by peer_reap for 80.250.218.2: 658C3FD0 Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):deleting node 876229975 error FALSE reason "IKE deleted" Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):deleting node 687874368 error FALSE reason "IKE deleted" Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):Old State = IKE_DEST_SA New State = IKE_DEST_SA Jun 28 18:11:29.355: ISAKMP: received ke message (1/1) Jun 28 18:11:29.355: ISAKMP:(0:0:N/A:0): SA request profile is (NULL) Jun 28 18:11:29.355: ISAKMP: Created a peer struct for 80.250.218.2, peer port 500 Jun 28 18:11:29.355: ISAKMP: New peer created peer = 0x646608C8 peer_handle = 0x80000015 Jun 28 18:11:29.355: ISAKMP: Locking peer struct 0x646608C8, IKE refcount 1 for isakmp_initiator Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Setting client config settings 6466AE28 Jun 28 18:11:29.359: ISAKMP: local port 500, remote port 500 Jun 28 18:11:29.359: ISAKMP: set new node 0 to QM_IDLE Jun 28 18:11:29.359: insert sa successfully sa = 646BBE68 Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode. Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Looking for a matching key for 80.250.218.2 in default Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): : success Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 80.250.218.2 Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1 Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) MM_NO_STATE Jun 28 18:11:29.371: ISAKMP (0:0): received packet from 80.250.218.2 dport 500 sport 500 Global (I) MM_NO_STATE Jun 28 18:11:29.371: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Jun 28 18:11:29.371: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2 Jun 28 18:11:29.371: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0 Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0): processing vendor id payload Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch Jun 28 18:11:29.375: ISAKMP (0:0): vendor ID is NAT-T v7 Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0):Looking for a matching key for 80.250.218.2 in default Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0): : success Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 80.250.218.2 Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0): local preshared key found Jun 28 18:11:29.375: ISAKMP : Scanning profiles for xauth ... Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy Jun 28 18:11:29.375: ISAKMP: encryption AES-CBC Jun 28 18:11:29.375: ISAKMP: keylength of 256 Jun 28 18:11:29.375: ISAKMP: hash SHA Jun 28 18:11:29.375: ISAKMP: default group 2 Jun 28 18:11:29.375: ISAKMP: auth pre-share Jun 28 18:11:29.375: ISAKMP: life type in seconds Jun 28 18:11:29.375: ISAKMP: life duration (basic) of 3600 Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0 Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2): processing vendor id payload Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2): vendor ID seems Unity/DPD but major 245 mismatch Jun 28 18:11:29.383: ISAKMP (0:268435485): vendor ID is NAT-T v7 Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM2 New State = IKE_I_MM2 Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) MM_SA_SETUP Jun 28 18:11:29.387: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Jun 28 18:11:29.387: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM2 New State = IKE_I_MM3 Jun 28 18:11:29.403: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) MM_SA_SETUP Jun 28 18:11:29.403: ISAKMP:(0:29:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Jun 28 18:11:29.403: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM3 New State = IKE_I_MM4 Jun 28 18:11:29.403: ISAKMP:(0:29:HW:2): processing KE payload. message ID = 0 Jun 28 18:11:29.411: ISAKMP:(0:29:HW:2): processing NONCE payload. message ID = 0 Jun 28 18:11:29.411: ISAKMP:(0:0:N/A:0):Looking for a matching key for 80.250.218.2 in default Jun 28 18:11:29.411: ISAKMP:(0:0:N/A:0): : success Jun 28 18:11:29.411: ISAKMP:(0:29:HW:2):found peer pre-shared key matching 80.250.218.2 Jun 28 18:11:29.411: ISAKMP:(0:0:N/A:0):Looking for a matching key for 80.250.218.2 in default Jun 28 18:11:29.411: ISAKMP:(0:0:N/A:0): : success Jun 28 18:11:29.411: ISAKMP:(0:29:HW:2):found peer pre-shared key matching 80.250.218.2 Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2):SKEYID state generated Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): processing vendor id payload Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): vendor ID is Unity Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): processing vendor id payload Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): vendor ID is DPD Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): processing vendor id payload Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): speaking to another IOS box! Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM4 Jun 28 18:11:29.419: ISAKMP:(0:29:HW:2):Send initial contact Jun 28 18:11:29.419: ISAKMP:(0:29:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR Jun 28 18:11:29.419: ISAKMP (0:268435485): ID payload next-payload : 8 type : 1 address : 82.148.15.64 protocol : 17 port : 500 length : 12 Jun 28 18:11:29.419: ISAKMP:(0:29:HW:2):Total payload length: 12 Jun 28 18:11:29.423: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH Jun 28 18:11:29.423: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Jun 28 18:11:29.423: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM5 Jun 28 18:11:29.427: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) MM_KEY_EXCH Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2): processing ID payload. message ID = 0 Jun 28 18:11:29.431: ISAKMP (0:268435485): ID payload next-payload : 8 type : 1 address : 80.250.218.2 protocol : 17 port : 500 length : 12 Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2):: peer matches none of the profiles Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2): processing HASH payload. message ID = 0 Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2):SA authentication status: authenticated Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2):SA has been authenticated with 80.250.218.2 Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):IKE_DPD is enabled, initializing timers Jun 28 18:11:29.435: ISAKMP: Trying to insert a peer 82.148.15.64/80.250.218.2/500/, and inserted successfully 646608C8. Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM5 New State = IKE_I_MM6 Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM6 New State = IKE_I_MM6 Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):beginning Quick Mode exchange, M-ID of 80228627 Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) QM_IDLE Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2):Node 80228627, Input = IKE_MESG_INTERNAL, IKE_INIT_QM Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Jun 28 18:11:29.475: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) QM_IDLE Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2): processing HASH payload. message ID = 80228627 Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2): processing SA payload. message ID = 80228627 Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2):Checking IPSec proposal 1 Jun 28 18:11:29.479: ISAKMP: transform 1, ESP_AES Jun 28 18:11:29.479: ISAKMP: attributes in transform: Jun 28 18:11:29.479: ISAKMP: encaps is 1 (Tunnel) Jun 28 18:11:29.479: ISAKMP: SA life type in seconds Jun 28 18:11:29.479: ISAKMP: SA life duration (basic) of 3600 Jun 28 18:11:29.479: ISAKMP: SA life type in kilobytes Jun 28 18:11:29.479: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 Jun 28 18:11:29.479: ISAKMP: authenticator is HMAC-SHA Jun 28 18:11:29.479: ISAKMP: key length is 256 Jun 28 18:11:29.479: ISAKMP: group is 2 Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2):atts are acceptable. Jun 28 18:11:29.483: ISAKMP:(0:29:HW:2): processing NONCE payload. message ID = 80228627 Jun 28 18:11:29.483: ISAKMP:(0:29:HW:2): processing KE payload. message ID = 80228627 Jun 28 18:11:29.487: ISAKMP:(0:29:HW:2): processing ID payload. message ID = 80228627 Jun 28 18:11:29.487: ISAKMP:(0:29:HW:2): processing ID payload. message ID = 80228627 Jun 28 18:11:29.499: ISAKMP: Locking peer struct 0x646608C8, IPSEC refcount 1 for for stuff_ke Jun 28 18:11:29.499: ISAKMP:(0:29:HW:2): Creating IPSec SAs Jun 28 18:11:29.499: inbound SA from 80.250.218.2 to 82.148.15.64 (f/i) 0/ 0 (proxy 10.0.0.0 to 10.0.254.0) Jun 28 18:11:29.499: has spi 0x4B1337A and conn_id 0 and flags 23 Jun 28 18:11:29.499: lifetime of 3600 seconds Jun 28 18:11:29.499: lifetime of 4608000 kilobytes Jun 28 18:11:29.499: has client flags 0x0 Jun 28 18:11:29.499: outbound SA from 82.148.15.64 to 80.250.218.2 (f/i) 0/0 (proxy 10.0.254.0 to 10.0.0.0) Jun 28 18:11:29.499: has spi -1882863622 and conn_id 0 and flags 2B Jun 28 18:11:29.499: lifetime of 3600 seconds Jun 28 18:11:29.499: lifetime of 4608000 kilobytes Jun 28 18:11:29.499: has client flags 0x0 Jun 28 18:11:29.499: ISAKMP: Locking peer struct 0x646608C8, IPSEC refcount 2 for from create_transforms Jun 28 18:11:29.503: ISAKMP: Unlocking IPSEC struct 0x646608C8 from create_transforms, count 1 Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) QM_IDLE Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2):deleting node 80228627 error FALSE reason "No Error" Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2):Node 80228627, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE Jun 28 18:11:47.496: ISAKMP:(0:28:HW:2):purging node 876229975 Jun 28 18:11:47.496: ISAKMP:(0:28:HW:2):purging node 687874368 Jun 28 18:11:57.496: ISAKMP:(0:28:HW:2):purging SA., sa=646B799C, delme=646B799C Jun 28 18:12:19.496: ISAKMP:(0:29:HW:2):purging node 80228627 Jun 28 18:45:08.969: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) QM_IDLE Jun 28 18:45:08.969: ISAKMP: set new node 1196849088 to QM_IDLE Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): processing HASH payload. message ID = 1196849088 Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): processing SA payload. message ID = 1196849088 Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2):Checking IPSec proposal 1 Jun 28 18:45:08.973: ISAKMP: transform 1, ESP_AES Jun 28 18:45:08.973: ISAKMP: attributes in transform: Jun 28 18:45:08.973: ISAKMP: encaps is 1 (Tunnel) Jun 28 18:45:08.973: ISAKMP: SA life type in seconds Jun 28 18:45:08.973: ISAKMP: SA life duration (basic) of 3600 Jun 28 18:45:08.973: ISAKMP: SA life type in kilobytes Jun 28 18:45:08.973: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 Jun 28 18:45:08.973: ISAKMP: authenticator is HMAC-SHA Jun 28 18:45:08.973: ISAKMP: key length is 256 Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2):atts are acceptable. Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): IPSec policy invalidated proposal Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): phase 2 SA policy not acceptable! (local 82.148.15.64 remote 80.250.218.2) Jun 28 18:45:08.977: ISAKMP: set new node 411620218 to QM_IDLE Jun 28 18:45:08.977: ISAKMP:(0:29:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 1697941984, message ID = 411620218 Jun 28 18:45:08.977: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) QM_IDLE Jun 28 18:45:08.977: ISAKMP:(0:29:HW:2):purging node 411620218 Jun 28 18:45:08.981: ISAKMP:(0:29:HW:2):deleting node 1196849088 error TRUE reason "QM rejected" Jun 28 18:45:08.981: ISAKMP (0:268435485): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 1196849088: state = IKE_QM_READY Jun 28 18:45:08.981: ISAKMP:(0:29:HW:2):Node 1196849088, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Jun 28 18:45:08.981: ISAKMP:(0:29:HW:2):Old State = IKE_QM_READY New State = IKE_QM_READY Jun 28 18:45:08.981: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 80.250.218.2 Jun 28 18:45:38.965: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) QM_IDLE Jun 28 18:45:38.965: ISAKMP: set new node -1614916990 to QM_IDLE Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2): processing HASH payload. message ID = -1614916990 Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2): processing SA payload. message ID = -1614916990 Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2):Checking IPSec proposal 1 Jun 28 18:45:38.969: ISAKMP: transform 1, ESP_AES Jun 28 18:45:38.969: ISAKMP: attributes in transform: Jun 28 18:45:38.969: ISAKMP: encaps is 1 (Tunnel) Jun 28 18:45:38.969: ISAKMP: SA life type in seconds Jun 28 18:45:38.969: ISAKMP: SA life duration (basic) of 3600 Jun 28 18:45:38.969: ISAKMP: SA life type in kilobytes Jun 28 18:45:38.969: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 Jun 28 18:45:38.969: ISAKMP: authenticator is HMAC-SHA Jun 28 18:45:38.969: ISAKMP: key length is 256 Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2):atts are acceptable. Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2): IPSec policy invalidated proposal Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2): phase 2 SA policy not acceptable! (local 82.148.15.64 remote 80.250.218.2) Jun 28 18:45:38.973: ISAKMP: set new node -1227785736 to QM_IDLE Jun 28 18:45:38.973: ISAKMP:(0:29:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 1697941984, message ID = -1227785736 Jun 28 18:45:38.973: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) QM_IDLE Jun 28 18:45:38.973: ISAKMP:(0:29:HW:2):purging node -1227785736 Jun 28 18:45:38.977: ISAKMP:(0:29:HW:2):deleting node -1614916990 error TRUE reason "QM rejected" Jun 28 18:45:38.977: ISAKMP (0:268435485): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -1614916990: state = IKE_QM_READY Jun 28 18:45:38.977: ISAKMP:(0:29:HW:2):Node -1614916990, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Jun 28 18:45:38.977: ISAKMP:(0:29:HW:2):Old State = IKE_QM_READY New State = IKE_QM_READY Jun 28 18:45:58.981: ISAKMP:(0:29:HW:2):purging node 1196849088
Высказать мнение \| Ответить \| Правка \| ^ \| Наверх \| Cообщить модератору


	2. "проблема с ipsec и двумя кошками =("		+/–
	Сообщение от Osirix (??) on 29-Июн-07, 12:09
	Нашел в чем проблема была. Даже самому обидно что столько времени убил. Лишнюю строчку пометил. После ее удаления и переинициализации криптосессии все разаботало в обе стороны как и положено. crypto map VPN local-address Loopback0 crypto map VPN client configuration address respond crypto map VPN 10 ipsec-isakmp set peer a.a.a.a set transform-set BRANCH_VPN >>set pfs group2 match address VPN_MO9 reverse-route remote-peer a.a.a.a static
	Высказать мнение \| Ответить \| Правка \| ^ \| Наверх \| Cообщить модератору


	3. "проблема с ipsec и двумя кошками =("		+/–
	Сообщение от Alexey (??) on 13-Мрт-10, 10:55
	>[оверквотинг удален] >обе стороны как и положено. > >crypto map VPN local-address Loopback0 >crypto map VPN client configuration address respond >crypto map VPN 10 ipsec-isakmp >set peer a.a.a.a >set transform-set BRANCH_VPN >>>set pfs group2 >match address VPN_MO9 >reverse-route remote-peer a.a.a.a static У меня сейчас точно такая же проблема, но pfs group нету ни на одной стороне =/
	Высказать мнение \| Ответить \| Правка \| ^ \| Наверх \| Cообщить модератору