The OpenNET Project / Index page

"CISCO 891 ipsec DLINK dsr-1000"
Forum: Cisco routers and other equipment (VPN, VLAN, tunnel)
Original message

"CISCO 891 ipsec DLINK dsr-1000"
Message from KomaLex (ok) on 09-Oct-16, 16:13
Hello. I need to join two networks. In one the gateway is a Cisco 891, in the other a D-Link DSR-1000.
D-Link settings

Policy Name: ikcpolicy
Policy Type: Auto Policy
IP Protocol Version: IPv4
IKE Version: IKEv1
L2TP Mode: None
IPSec Mode: Tunnel Mode
Select Local Gateway: wan1
Remote Endpoint (IP Address / FQDN): x.x.30.214
Enable Mode Config: Disabled
Enable NetBIOS: Disabled
Enable RollOver: Disabled
Protocol: ESP
Enable DHCP: Disabled
Local IP
  Local Start IP Address: 172.22.32.1
  Local Subnet Mask: 255.255.254.0
Remote IP
  Remote Start IP Address: 192.168.11.1
  Remote Subnet Mask: 255.255.255.0
Enable Keepalive: Disabled

Phase1 (IKE SA Parameters)
  Exchange Mode: Main
  Direction / Type: Both
  Nat Traversal: off
  Local Identifier Type:
  Remote Identifier Type:
  Encryption Algorithm: DES
  Authentication Algorithm: SHA-1
  Authentication Method: Pre-Shared key
  Pre-Shared Key: secret_key
  Diffie-Hellman (DH) Group: Group 2 (1024 bit)
  SA-Lifetime: 86400
  Enable Dead Peer Detection: Disabled
  Extended Authentication: None

Phase2 (Auto Policy Parameters)
  SA Lifetime: 3600 Seconds
  Encryption Algorithm: DES
  Integrity Algorithm: SHA-1 ON
  PFS Key Group: Disabled

Cisco settings

crypto keyring wgsecret
  pre-shared-key address 0.0.0.0 0.0.0.0 key secret_key
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp profile WGprofile
   keyring wgsecret
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set WGTS esp-des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map WGDM 10
set transform-set WGTS
set isakmp-profile WGprofile
match address WGCLUBNET
reverse-route
!
!
!
crypto map WGMap 10 ipsec-isakmp dynamic WGDM
!
!
!
!
!
interface Loopback1
ip address 10.11.12.1 255.255.255.0
ip nat enable
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Virtual-Template1
ip address 10.11.11.1 255.255.255.0
peer default ip address pool vpnpool
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap ms-chap-v2
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname 381035811
ppp chap password 7 050E050B2443480C13
ppp pap sent-username 381035811 password 7 050E050B2443480C13
no cdp enable
crypto map WGMap
!
ip local pool vpnpool 10.11.11.32 10.11.11.127
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 122 interface Dialer1 overload
ip nat inside source static tcp 192.168.11.6 22 x.x.30.214 22 extendable
ip nat inside source static tcp 192.168.11.6 80 x.x.30.214 80 extendable
ip nat inside source static tcp 192.168.11.5 3389 x.x.30.214 33891 extendable
ip nat inside source static tcp 192.168.11.22 3389 x.x.30.214 33892 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.22.32.0 255.255.254.0 Dialer1
!
ip access-list extended WGCLUBNET
permit ip host x.x.30.214 host x.x.54.66
permit ip 192.168.11.0 0.0.0.255 172.22.32.0 0.0.1.255
!
dialer-list 1 protocol ip permit
!
!
access-list 23 permit 192.168.11.0 0.0.0.255
access-list 122 permit ip 192.168.11.0 0.0.0.255 any
!


Phase 1 completes, phase 2 does not. Here is what the D-Link writes to its log:

Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify message from x.x.30.214[500].No phase2 handle found.
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: accept a request to establish IKE-SA: x.x.30.214
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214.
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214.
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new phase 2 negotiation: x.x.54.66[500]<=>x.x.30.214[0]

And here are the Cisco logs:


*Oct  9 11:34:45.078: ISAKMP (2003): received packet from 195.206.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct  9 11:34:45.078: ISAKMP: set new node -598716224 to QM_IDLE
*Oct  9 11:34:45.078: ISAKMP:(2003): processing HASH payload. message ID = 3696251072
*Oct  9 11:34:45.078: ISAKMP:(2003): processing SA payload. message ID = 3696251072
*Oct  9 11:34:45.078: ISAKMP:(2003):Checking IPSec proposal 1
*Oct  9 11:34:45.078: ISAKMP: transform 1, ESP_DES
*Oct  9 11:34:45.078: ISAKMP:   attributes in transform:
*Oct  9 11:34:45.078: ISAKMP:      SA life type in seconds
*Oct  9 11:34:45.078: ISAKMP:      SA life duration (basic) of 3600
*Oct  9 11:34:45.078: ISAKMP:      encaps is 1 (Tunnel)
*Oct  9 11:34:45.078: ISAKMP:      authenticator is HMAC-SHA
*Oct  9 11:34:45.078: ISAKMP:(2003):atts are acceptable.
*Oct  9 11:34:45.078: IPSEC(validate_proposal_request): proposal part #1
*Oct  9 11:34:45.078: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct  9 11:34:45.082: ISAKMP:(2003): IPSec policy invalidated proposal with error 32
*Oct  9 11:34:45.082: ISAKMP:(2003): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)
*Oct  9 11:34:45.082: ISAKMP: set new node 1773506091 to QM_IDLE
cisco-gw#sh run
*Oct  9 11:34:45.082: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2371042928, message ID = 1773506091
*Oct  9 11:34:45.082: ISAKMP:(2003): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) QM_IDLE
*Oct  9 11:34:45.082: ISAKMP:(2003):Sending an IKE IPv4 Packet.
*Oct  9 11:34:45.082: ISAKMP:(2003):purging node 1773506091
*Oct  9 11:34:45.082: ISAKMP:(2003):deleting node -598716224 error TRUE reason "QM rejected"
*Oct  9 11:34:45.082: ISAKMP:(2003):Node 3696251072, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct  9 11:34:45.082: ISAKMP:(2003):Old State = IKE_QM_READY  New State = IKE_QM_READY
cisco-gw#sh run
*Oct  9 11:34:55.110: ISAKMP (2003): received packet from 195.206.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct  9 11:34:55.110: ISAKMP:(2003): phase 2 packet is a duplicate of a previous packet.
*Oct  9 11:34:55.110: ISAKMP:(2003): retransmitting due to retransmit phase 2
*Oct  9 11:34:55.110: ISAKMP:(2003): Quick Mode is being processed. Ignoring retransmission

Judging by the errors, and by googling them, something is wrong with the access lists, but what exactly? Please help me figure it out. I have been unable to bring the tunnel up for a week now. I have tried everything.



1. "CISCO 891 ipsec DLINK dsr-1000"
Message from ShyLion (ok) on 10-Oct-16, 07:09
> crypto dynamic-map WGDM 10

What is the purpose of the dynamic map?

> permit ip host x.x.30.214 host x.x.54.66

That is unnecessary.

In reply to #0.

2. "CISCO 891 ipsec DLINK dsr-1000"
Message from ShyLion (ok) on 10-Oct-16, 07:12
> Encryption Algorithm
> DES
> Authentication Algorithm
> SHA-1

These algorithms are very weak by today's standards.

In reply to #0.

3. "CISCO 891 ipsec DLINK dsr-1000"
Message from ShyLion (ok) on 10-Oct-16, 07:19
> crypto dynamic-map WGDM 10
>  set transform-set WGTS
>  set isakmp-profile WGprofile
>  match address WGCLUBNET
>  reverse-route

I think match address is unnecessary here.

In reply to #0.

4. "CISCO 891 ipsec DLINK dsr-1000"
Message from KomaLex (ok) on 10-Oct-16, 07:41
>> crypto dynamic-map WGDM 10
>>  set transform-set WGTS
>>  set isakmp-profile WGprofile
>>  match address WGCLUBNET
>>  reverse-route
> I think match address is unnecessary here.

The dynamic map is there because there will be several connections. I tried doing it with static maps; the result is the same.

permit ip host host
I removed it; the result is the same.

I removed match address; it did not help.
Please suggest what else I can try and where to look. Maybe some other debug that would make it clearer what exactly it does not like.

In reply to #3.

5. "CISCO 891 ipsec DLINK dsr-1000"
Message from ShyLion (ok) on 10-Oct-16, 09:38
> Local Start IP Address
> 172.22.32.1
> Local Subnet Mask
> 255.255.254.0
> Remote IP
> Remote Start IP Address
> 192.168.11.1
> Remote Subnet Mask
> 255.255.255.0

Shouldn't the addresses here end in .0?

In reply to #0.

6. "CISCO 891 ipsec DLINK dsr-1000"
Message from KomaLex (ok) on 10-Oct-16, 09:58
>> Local Start IP Address
>> 172.22.32.1
>> Local Subnet Mask
>> 255.255.254.0
>> Remote IP
>> Remote Start IP Address
>> 192.168.11.1
>> Remote Subnet Mask
>> 255.255.255.0
> Shouldn't the addresses here end in .0?

It does not let you enter 0 there. That seemed strange to me too, since the network address is the zero address. But D-Link apparently does it differently.

In reply to #5.

7. "CISCO 891 ipsec DLINK dsr-1000"
Message from ShyLion (ok) on 11-Oct-16, 06:38
>[overquoting removed]
>>> Local Subnet Mask
>>> 255.255.254.0
>>> Remote IP
>>> Remote Start IP Address
>>> 192.168.11.1
>>> Remote Subnet Mask
>>> 255.255.255.0
>> Shouldn't the addresses here end in .0?
> It does not let you enter 0 there. That seemed strange to me too, since the
> network address is the zero address. But D-Link apparently does it differently.

show debug

Is debug crypto ipsec enabled?

In reply to #6.

8. "CISCO 891 ipsec DLINK dsr-1000"
Message from KomaLex (ok) on 11-Oct-16, 06:48
>[overquoting removed]
>>>> Remote IP
>>>> Remote Start IP Address
>>>> 192.168.11.1
>>>> Remote Subnet Mask
>>>> 255.255.255.0
>>> Shouldn't the addresses here end in .0?
>> It does not let you enter 0 there. That seemed strange to me too, since the
>> network address is the zero address. But D-Link apparently does it differently.
> show debug
> Is debug crypto ipsec enabled?


show debug
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on

Yes. I tried removing the dynamic maps; here is the new config:


crypto keyring wgsecret
  pre-shared-key address x.x.54.66 255.255.255.252 key DEVopengl1982
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp profile WGprofile
   keyring wgsecret
   match identity address x.x.54.66 255.255.255.252
!
!
crypto ipsec transform-set WGTS esp-des esp-sha-hmac
mode tunnel
!
!
!
!
!
!
crypto map WGMAp 10 ipsec-isakmp
! Incomplete
set transform-set WGTS
set isakmp-profile WGprofile
match address WGCLUBNET
reverse-route
!
ip access-list extended WGCLUBNET
permit ip 192.168.11.0 0.0.0.255 172.22.32.0 0.0.1.255

Same result. I no longer know what to think. I have tried everything. This same D-Link holds an IPsec tunnel fine with another identical D-Link.
Here are the logs from the Cisco:


*Oct 10 07:52:36.557: ISAKMP (0): received packet from x.x.54.66 dport 500 sport 500 Global (N) NEW SA
*Oct 10 07:52:36.557: ISAKMP: Created a peer struct for x.x.54.66, peer port 500
*Oct 10 07:52:36.557: ISAKMP: New peer created peer = 0x8B88D9E8 peer_handle = 0x8000000D
*Oct 10 07:52:36.557: ISAKMP: Locking peer struct 0x8B88D9E8, refcount 1 for crypto_isakmp_process_block
*Oct 10 07:52:36.557: ISAKMP: local port 500, remote port 500
*Oct 10 07:52:36.557: ISAKMP:(0):insert sa successfully sa = 8E0E6128
*Oct 10 07:52:36.557: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 10 07:52:36.557: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Oct 10 07:52:36.557: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 10 07:52:36.557: ISAKMP:(0): processing vendor id payload
*Oct 10 07:52:36.557: ISAKMP:(0): vendor ID is DPD
*Oct 10 07:52:36.557: ISAKMP:(0):found peer pre-shared key matching x.x.54.66
*Oct 10 07:52:36.557: ISAKMP:(0): local preshared key found
*Oct 10 07:52:36.557: ISAKMP : Scanning profiles for xauth ... WGprofile
*Oct 10 07:52:36.557: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 10 07:52:36.557: ISAKMP:      life type in seconds
*Oct 10 07:52:36.557: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Oct 10 07:52:36.557: ISAKMP:      encryption DES-CBC
*Oct 10 07:52:36.557: ISAKMP:      auth pre-share
*Oct 10 07:52:36.557: ISAKMP:      hash SHA
*Oct 10 07:52:36.557: ISAKMP:      default group 2
*Oct 10 07:52:36.557: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 10 07:52:36.557: ISAKMP:(0):Acceptable atts:actual life: 86400
*Oct 10 07:52:36.557: ISAKMP:(0):Acceptable atts:life: 0
*Oct 10 07:52:36.557: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 10 07:52:36.557: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Oct 10 07:52:36.557: ISAKMP:(0):Returning Actual lifetime: 86400
*Oct 10 07:52:36.557: ISAKMP:(0)::Started lifetime timer: 86400.

*Oct 10 07:52:36.561: ISAKMP:(0): processing vendor id payload
*Oct 10 07:52:36.561: ISAKMP:(0): vendor ID is DPD
*Oct 10 07:52:36.561: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 10 07:52:36.561: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Oct 10 07:52:36.561: ISAKMP:(0): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 10 07:52:36.561: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 10 07:52:36.561: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 10 07:52:36.561: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Oct 10 07:52:36.809: ISAKMP (0): received packet from x.x.54.66 dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 10 07:52:36.809: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 10 07:52:36.809: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Oct 10 07:52:36.809: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 10 07:52:36.829: ISAKMP:(0): processing NONCE payload. message ID = 0
*Oct 10 07:52:36.829: ISAKMP:(0):found peer pre-shared key matching x.x.54.66
*Oct 10 07:52:36.829: ISAKMP:(2004): processing vendor id payload
*Oct 10 07:52:36.829: ISAKMP:(2004): vendor ID seems Unity/DPD but major 139 mismatch
*Oct 10 07:52:36.833: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 10 07:52:36.833: ISAKMP:(2004):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Oct 10 07:52:36.833: ISAKMP:(2004): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 10 07:52:36.833: ISAKMP:(2004):Sending an IKE IPv4 Packet.
*Oct 10 07:52:36.833: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 10 07:52:36.833: ISAKMP:(2004):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Oct 10 07:52:37.497: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Oct 10 07:52:37.501: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Oct 10 07:52:37.501: ISAKMP:(2004): processing ID payload. message ID = 0
*Oct 10 07:52:37.501: ISAKMP (2004): ID payload
        next-payload : 8
        type         : 1
        address      : x.x.54.66
        protocol     : 17
        port         : 500
        length       : 12
*Oct 10 07:52:37.501: ISAKMP:(0):: peer matches WGprofile profile
*Oct 10 07:52:37.501: ISAKMP:(2004):Found ADDRESS key in keyring wgsecret
*Oct 10 07:52:37.501: ISAKMP:(2004): processing HASH payload. message ID = 0
*Oct 10 07:52:37.501: ISAKMP:(2004):SA authentication status:
        authenticated
*Oct 10 07:52:37.501: ISAKMP:(2004):SA has been authenticated with x.x.54.66
*Oct 10 07:52:37.501: ISAKMP: Trying to insert a peer x.x.30.214/x.x.54.66/500/,  and inserted successfully 8B88D9E8.
*Oct 10 07:52:37.501: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Oct 10 07:52:37.501: ISAKMP:(2004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Oct 10 07:52:37.501: ISAKMP (2004): ID payload
        next-payload : 8
        type         : 1
        address      : x.x.30.214
        protocol     : 17
        port         : 500
        length       : 12
*Oct 10 07:52:37.501: ISAKMP:(2004):Total payload length: 12
*Oct 10 07:52:37.501: ISAKMP:(2004): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 10 07:52:37.501: ISAKMP:(2004):Sending an IKE IPv4 Packet.
*Oct 10 07:52:37.501: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Oct 10 07:52:37.501: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Oct 10 07:52:37.521: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:52:37.521: ISAKMP: set new node -328894163 to QM_IDLE
*Oct 10 07:52:37.521: ISAKMP:(2004): processing HASH payload. message ID = 3966073133
*Oct 10 07:52:37.521: ISAKMP:(2004): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 3966073133, sa = 0x8E0E6128
*Oct 10 07:52:37.521: ISAKMP:(2004):SA authentication status:
        authenticated
*Oct 10 07:52:37.521: ISAKMP:(2004): Process initial contact,
bring down existing phase 1 and 2 SA's with local x.x.30.214 remote x.x.54.66 remote port 500
cisco-gw#
*Oct 10 07:52:37.521: ISAKMP:(2004):deleting node -328894163 error FALSE reason "Informational (in) state 1"
*Oct 10 07:52:37.521: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 10 07:52:37.521: ISAKMP:(2004):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Oct 10 07:52:37.521: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 10 07:52:38.537: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:52:38.537: ISAKMP: set new node -1813039523 to QM_IDLE
*Oct 10 07:52:38.537: ISAKMP:(2004): processing HASH payload. message ID = 2481927773
*Oct 10 07:52:38.537: ISAKMP:(2004): processing SA payload. message ID = 2481927773
*Oct 10 07:52:38.537: ISAKMP:(2004):Checking IPSec proposal 1
*Oct 10 07:52:38.537: ISAKMP: transform 1, ESP_DES
*Oct 10 07:52:38.537: ISAKMP:   attributes in transform:
*Oct 10 07:52:38.537: ISAKMP:      SA life type in seconds
*Oct 10 07:52:38.537: ISAKMP:      SA life duration (basic) of 3600
*Oct 10 07:52:38.537: ISAKMP:      encaps is 1 (Tunnel)
*Oct 10 07:52:38.537: ISAKMP:      authenticator is HMAC-SHA
*Oct 10 07:52:38.537: ISAKMP:(2004):atts are acceptable.
*Oct 10 07:52:38.537: IPSEC(validate_proposal_request): proposal part #1
*Oct 10 07:52:38.537: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct 10 07:52:38.537: ISAKMP:(2004): IPSec policy invalidated proposal with error 32
*Oct 10 07:52:38.537: ISAKMP:(2004): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)
*Oct 10 07:52:38.537: ISAKMP: set new node 1494915460 to QM_IDLE
cisco-gw#
*Oct 10 07:52:38.537: ISAKMP:(2004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2371042928, message ID = 1494915460
*Oct 10 07:52:38.537: ISAKMP:(2004): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 10 07:52:38.537: ISAKMP:(2004):Sending an IKE IPv4 Packet.
*Oct 10 07:52:38.537: ISAKMP:(2004):purging node 1494915460
*Oct 10 07:52:38.537: ISAKMP:(2004):deleting node -1813039523 error TRUE reason "QM rejected"
*Oct 10 07:52:38.537: ISAKMP:(2004):Node 2481927773, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 10 07:52:38.537: ISAKMP:(2004):Old State = IKE_QM_READY  New State = IKE_QM_READY
cisco-gw#
*Oct 10 07:52:48.557: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:52:48.557: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:52:48.557: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:52:48.557: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
cisco-gw#
*Oct 10 07:52:58.573: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:52:58.573: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:52:58.573: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:52:58.573: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
cisco-gw#
*Oct 10 07:53:08.585: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:53:08.585: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:53:08.585: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:53:08.585: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
cisco-gw#
*Oct 10 07:53:18.601: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:53:18.601: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:53:18.601: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:53:18.601: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
cisco-gw#
*Oct 10 07:53:27.521: ISAKMP:(2004):purging node -328894163
cisco-gw#
*Oct 10 07:53:28.537: ISAKMP:(2004):purging node -1813039523
*Oct 10 07:53:28.977: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:53:28.977: ISAKMP: set new node -1813039523 to QM_IDLE
*Oct 10 07:53:28.977: ISAKMP:(2004): processing HASH payload. message ID = 2481927773
*Oct 10 07:53:28.977: ISAKMP:(2004): processing SA payload. message ID = 2481927773
*Oct 10 07:53:28.977: ISAKMP:(2004):Checking IPSec proposal 1
*Oct 10 07:53:28.977: ISAKMP: transform 1, ESP_DES
*Oct 10 07:53:28.977: ISAKMP:   attributes in transform:
*Oct 10 07:53:28.977: ISAKMP:      SA life type in seconds
*Oct 10 07:53:28.977: ISAKMP:      SA life duration (basic) of 3600
*Oct 10 07:53:28.977: ISAKMP:      encaps is 1 (Tunnel)
*Oct 10 07:53:28.977: ISAKMP:      authenticator is HMAC-SHA
*Oct 10 07:53:28.977: ISAKMP:(2004):atts are acceptable.
*Oct 10 07:53:28.977: IPSEC(validate_proposal_request): proposal part #1
*Oct 10 07:53:28.977: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct 10 07:53:28.977: ISAKMP:(2004): IPSec policy invalidated proposal with error 32
*Oct 10 07:53:28.977: ISAKMP:(2004): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)
*Oct 10 07:53:28.977: ISAKMP: set new node 23007779 to QM_IDLE
cisco-gw#
*Oct 10 07:53:28.977: ISAKMP:(2004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2371042928, message ID = 23007779
*Oct 10 07:53:28.977: ISAKMP:(2004): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 10 07:53:28.977: ISAKMP:(2004):Sending an IKE IPv4 Packet.
*Oct 10 07:53:28.977: ISAKMP:(2004):purging node 23007779
*Oct 10 07:53:28.977: ISAKMP:(2004):deleting node -1813039523 error TRUE reason "QM rejected"
*Oct 10 07:53:28.977: ISAKMP:(2004):Node 2481927773, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 10 07:53:28.977: ISAKMP:(2004):Old State = IKE_QM_READY  New State = IKE_QM_READY
cisco-gw#
*Oct 10 07:53:37.997: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:53:37.997: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:53:37.997: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:53:37.997: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission


Here is the log from the D-Link:

Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: accept a request to establish IKE-SA: x.x.30.214
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Beginning Identity Protection mode.
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214.
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214.
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new phase 1 negotiation: x.x.54.66[500]<=>x.x.30.214[500]
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Received unknown Vendor ID
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Received Vendor ID: CISCO-UNITY
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Received Vendor ID: DPD
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mon Oct 10 08:19:12 2016 (GMT +0000): [DSR-1000] [IKE] INFO: ISAKMP-SA established for x.x.54.66[500]-x.x.30.214[500] with spi:7a71f16e02d182e4:c7b75d7981d40948
Mon Oct 10 08:19:12 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
Mon Oct 10 08:19:13 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify message from x.x.30.214[500].No phase2 handle found.
Mon Oct 10 08:19:13 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new phase 2 negotiation: x.x.54.66[500]<=>x.x.30.214[0]
Mon Oct 10 08:20:04 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify message from x.x.30.214[500].No phase2 handle found.
Mon Oct 10 08:21:03 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Phase 2 negotiation failed due to time up. 7a71f16e02d182e4:c7b75d7981d40948:93ef365d
Mon Oct 10 08:21:03 2016 (GMT +0000): [DSR-1000] [IKE] INFO: an undead schedule has been deleted: 'quick_i1prep'.

In reply to #7.
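The two debug captures in this post follow one fixed shape: main mode reaches IKE_P1_COMPLETE, the quick-mode proposal's attributes are accepted, then IPSEC(initialize_sas) rejects the proxy IDs and the node is deleted with "QM rejected", while the DSR-1000 only sees an unknown notify and a phase 2 timeout. Reading that shape by hand across hundreds of lines is error-prone, so here is an added example (not from this thread, and not a Cisco or D-Link tool) that scans for those milestones and returns a one-word verdict for each side. `CISCO_DEBUG_REJECTED` and `DLINK_LOG` are condensed from the lines posted above; `CISCO_DEBUG_MM_STALLED` is a constructed capture of a negotiation that never leaves main mode. The verdict texts are the editor's troubleshooting hints, not IOS output.

```python
from typing import Dict

# Constructed samples. The first two are condensed from the debug output and
# D-Link syslog posted in this thread; the third is made up to show a
# negotiation that stalls in main mode (phase 1).
CISCO_DEBUG_REJECTED = """\
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Oct 10 07:52:38.537: ISAKMP:(2004):Checking IPSec proposal 1
*Oct 10 07:52:38.537: ISAKMP: transform 1, ESP_DES
*Oct 10 07:52:38.537: ISAKMP:(2004):atts are acceptable.
*Oct 10 07:52:38.537: IPSEC(validate_proposal_request): proposal part #1
*Oct 10 07:52:38.537: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct 10 07:52:38.537: ISAKMP:(2004): IPSec policy invalidated proposal with error 32
*Oct 10 07:52:38.537: ISAKMP:(2004): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)
*Oct 10 07:52:38.537: ISAKMP:(2004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Oct 10 07:52:38.537: ISAKMP:(2004):deleting node -1813039523 error TRUE reason "QM rejected"
"""

DLINK_LOG = """\
Mon Oct 10 08:19:12 2016 (GMT +0000): [DSR-1000] [IKE] INFO: ISAKMP-SA established for x.x.54.66[500]-x.x.30.214[500] with spi:7a71f16e02d182e4:c7b75d7981d40948
Mon Oct 10 08:19:13 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify message from x.x.30.214[500].No phase2 handle found.
Mon Oct 10 08:21:03 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Phase 2 negotiation failed due to time up. 7a71f16e02d182e4:c7b75d7981d40948:93ef365d
"""

# Constructed: phase 1 never completes (no IKE_P1_COMPLETE transition at all).
CISCO_DEBUG_MM_STALLED = """\
*Oct 10 08:00:00.000: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Oct 10 08:00:10.000: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
"""

MILESTONES = ("phase1_complete", "phase2_transform_accepted", "proxy_id_invalid", "qm_rejected")


def scan_cisco(debug_text: str) -> Dict[str, bool]:
    """Walk the ISAKMP/IPSEC debug in order and record which milestones occurred."""
    seen = dict.fromkeys(MILESTONES, False)
    in_phase2_proposal = False
    for line in debug_text.splitlines():
        if "New State = IKE_P1_COMPLETE" in line:
            seen["phase1_complete"] = True
        elif "Checking IPSec proposal" in line:
            in_phase2_proposal = True  # from here on "atts are acceptable" refers to the IPsec proposal
        elif in_phase2_proposal and "atts are acceptable" in line:
            seen["phase2_transform_accepted"] = True
        elif "IPSEC(initialize_sas): invalid IPv4 proxy IDs" in line:
            seen["proxy_id_invalid"] = True
        elif 'reason "QM rejected"' in line:
            seen["qm_rejected"] = True
    return seen


# Editor's hints for each verdict (not IOS text).
VERDICTS = {
    "phase1_incomplete": "ISAKMP never reached IKE_P1_COMPLETE: check the pre-shared key, ISAKMP policy and UDP/500 reachability",
    "proxy_id_mismatch": "transform set accepted but proxy IDs rejected: the crypto ACL and the peer's local/remote subnets do not mirror each other",
    "transform_mismatch": "quick mode rejected before the proposal attributes were accepted: compare transform sets, PFS and lifetimes",
    "qm_rejected_other": "quick mode rejected for a reason not covered here: read the lines before 'QM rejected'",
    "no_failure_seen": "no quick-mode rejection in this capture",
}


def triage_cisco(debug_text: str) -> str:
    """Return the VERDICTS key for a capture; the earliest failure in the exchange wins."""
    s = scan_cisco(debug_text)
    if not s["phase1_complete"]:
        return "phase1_incomplete"
    if s["proxy_id_invalid"]:
        return "proxy_id_mismatch"
    if s["qm_rejected"]:
        # Heuristic: a QM rejection with no accepted attributes points at the proposal itself.
        return "qm_rejected_other" if s["phase2_transform_accepted"] else "transform_mismatch"
    return "no_failure_seen"


def triage_dlink(log_text: str) -> str:
    """Same idea for the DSR-1000 syslog, using only the messages it printed in this thread."""
    established = "ISAKMP-SA established" in log_text
    phase2_failed = ("No phase2 handle found" in log_text
                     or "Phase 2 negotiation failed due to time up" in log_text)
    if established and phase2_failed:
        # Phase 1 is fine; the unknown notify is consistent with the PROPOSAL_NOT_CHOSEN the Cisco side sends.
        return "phase2_failed_after_phase1"
    if phase2_failed:
        return "phase2_failed"
    return "no_failure_seen" if established else "phase1_incomplete"


if __name__ == "__main__":
    for name, text in (("rejected", CISCO_DEBUG_REJECTED), ("stalled", CISCO_DEBUG_MM_STALLED)):
        verdict = triage_cisco(text)
        print(f"cisco/{name}: {verdict} -> {VERDICTS[verdict]}")
    print("dlink:", triage_dlink(DLINK_LOG))
```

Feed it the full output of `debug crypto isakmp` plus `debug crypto ipsec` (both are shown as enabled in the `show debug` output above); the ordering check around "Checking IPSec proposal" is what keeps the phase 1 "atts are acceptable" line from being mistaken for phase 2 acceptance.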

9. "CISCO 891 ipsec DLINK dsr-1000"
Message from Aleksey (??) on 14-Nov-16, 16:53
I had the same problem and managed to solve it.
In reply to #8.

10. "CISCO 891 ipsec DLINK dsr-1000"
Message from Aleksey (??) on 17-Nov-16, 11:27
The problem is in the local and remote subnet settings on the D-Link.
When the second phase of the IPsec tunnel comes up, the crypto ACL on the Cisco side
is compared with the local/remote subnet parameters on the D-Link.
Since on the D-Link side these networks are described in the start address field as x.x.x.1/24,
they do not match the subnets described on the Cisco as x.x.x.0/24, and the tunnel does not
come up.
Some D-Link firmware versions do not allow x.x.x.0 in the start address field
(you can try a mask smaller than /24, for example x.x.x.128/25);
if you manage to enter it, the tunnel should come up; if not, experiment with the firmware.


In reply to #9.

11. "CISCO 891 ipsec DLINK dsr-1000"
Message from Serb on 22-Nov-16, 18:50
>[overquoting removed]
> message from x.x.30.214[500].No phase2 handle found.
> Mon Oct 10 08:19:13 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new
> phase 2 negotiation: x.x.54.66[500]<=>x.x.30.214[0]
> Mon Oct 10 08:20:04 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify
> message from x.x.30.214[500].No phase2 handle found.
> Mon Oct 10 08:21:03 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Phase 2
> negotiation failed due to time up. 7a71f16e02d182e4:c7b75d7981d40948:93ef365d
> Mon Oct 10 08:21:03 2016 (GMT +0000): [DSR-1000] [IKE] INFO: an undead
> schedule has been deleted: 'quick_i1prep'.
>

Here is your problem:
*Oct 10 07:52:38.537: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct 10 07:52:38.537: ISAKMP:(2004): IPSec policy invalidated proposal with error 32
*Oct 10 07:52:38.537: ISAKMP:(2004): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)


which means the ACL for interesting traffic does not match on both ends

In reply to #8.
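The comparison Aleksey (#10) and Serb (#11) describe can be checked offline before touching either box. The following is an added example, not code from this thread and not from Cisco or D-Link: it parses the Cisco crypto ACL into (local, remote) proxy-ID pairs, models the DSR-1000 policy as presenting its Start IP Address and Subnet Mask fields verbatim (an assumption, consistent with Aleksey's explanation), and mirrors the responder's check that produced `invalid IPv4 proxy IDs` above as an exact match against one ACL entry with the roles swapped. `CISCO_ACL` and `DLINK_POLICY` are constructed from the settings posted in the thread (the placeholder `host x.x.…` entry is left out because it is not a parseable address).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the thread: the Cisco crypto ACL (WGCLUBNET) and the
# D-Link DSR-1000 policy fields, with the values posted above.
CISCO_ACL = """
ip access-list extended WGCLUBNET
 permit ip 192.168.11.0 0.0.0.255 172.22.32.0 0.0.1.255
"""

DLINK_POLICY = {
    "local_start": "172.22.32.1", "local_mask": "255.255.254.0",
    "remote_start": "192.168.11.1", "remote_mask": "255.255.255.0",
}

# A proxy ID as carried in an IKEv1 ID_IPV4_ADDR_SUBNET payload: (address, netmask).
ProxyID = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def _acl_spec(tokens: List[str], i: int) -> Tuple[ProxyID, int]:
    """Parse one IOS ACL address spec ('any', 'host A', or 'A wildcard'); return it and the next index."""
    if tokens[i] == "any":
        return (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("0.0.0.0")), i + 1
    if tokens[i] == "host":
        return (ipaddress.IPv4Address(tokens[i + 1]), ipaddress.IPv4Address("255.255.255.255")), i + 2
    # ipaddress accepts a Cisco wildcard as a host mask; strict=True (the default)
    # rejects an entry whose address is not the network address.
    net = ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}")
    return (net.network_address, net.netmask), i + 2


def cisco_acl_proxy_ids(acl_text: str) -> List[Tuple[ProxyID, ProxyID]]:
    """(local, remote) proxy-ID pairs the Cisco responder will accept, one per 'permit ip' line."""
    pairs = []
    for line in acl_text.splitlines():
        t = line.split()
        if len(t) >= 4 and t[:2] == ["permit", "ip"]:
            src, i = _acl_spec(t, 2)
            dst, _ = _acl_spec(t, i)
            pairs.append((src, dst))
    return pairs


def dlink_proxy_id(start_ip: str, mask: str) -> ProxyID:
    """Assumption: the DSR-1000 sends its Start IP Address and Subnet Mask fields verbatim."""
    iface = ipaddress.IPv4Interface(f"{start_ip}/{mask}")
    return (iface.ip, iface.netmask)


def fmt(pid: ProxyID) -> str:
    return f"{pid[0]}/{pid[1]}"


def check_phase2_match(acl_text: str, policy: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Mirror the responder's proxy-ID comparison: the pair offered by the D-Link must equal
    one ACL entry with the roles swapped (the D-Link's local is the Cisco's destination)."""
    offered_local = dlink_proxy_id(policy["local_start"], policy["local_mask"])
    offered_remote = dlink_proxy_id(policy["remote_start"], policy["remote_mask"])
    if (offered_remote, offered_local) in cisco_acl_proxy_ids(acl_text):
        return True, []
    problems = [f"no ACL entry mirrors offered local={fmt(offered_local)} remote={fmt(offered_remote)}"]
    for name, (addr, mask) in (("local", offered_local), ("remote", offered_remote)):
        if int(addr) & ~int(mask) & 0xFFFFFFFF:  # host bits set: a .1 start address with a /24 mask
            net = ipaddress.IPv4Interface(f"{addr}/{mask}").network
            problems.append(f"{name} start address {addr} has host bits set; network address is {net.network_address}")
    return False, problems


if __name__ == "__main__":
    ok, problems = check_phase2_match(CISCO_ACL, DLINK_POLICY)
    print("phase 2 selectors match:", ok)
    for p in problems:
        print(" -", p)
```

Run on the posted settings it reports the mismatch and flags both start addresses as having host bits set; with x.x.x.0 entered on the D-Link the offered pair equals the ACL entry. The same function shows that the /25 workaround from #10 only helps if the Cisco ACL line is narrowed to the same /25, because the check modelled here is equality, not containment.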
