Good afternoon.
For several days now I have been trying to bring up the setup in the subject line, and unfortunately nothing works. The configuration on the Cisco:
Current configuration : 5827 bytes
!
!
ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
isdn switch-type primary-net5
!
voice-card 0
no dspfarm
!
!
voice hunt user-busy
voice call disc-pi-off
!
voice service pots
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
redirect ip2ip
sip
registrar server
redirect contact order best-match
no call service stop
!
!
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 g729r8
codec preference 4 g729br8
codec preference 5 g728
codec preference 6 g726r32
codec preference 7 g726r24
codec preference 8 g726r16
codec preference 9 g723r63
codec preference 10 g723r53
codec preference 11 g723ar63
codec preference 12 g723ar53
!
!
!
!
!
!
!
voice register pool 76
id ip 192.168.27.76 mask 0.0.0.0
max registrations 42
voice-class codec 1
!
voice register pool 100
id ip 192.168.27.120 mask 0.0.0.0
max registrations 42
voice-class codec 1
!
...
!
crypto isakmp policy 120
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 192.168.27.120
!
!
crypto ipsec transform-set unodostres esp-3des esp-sha-hmac
mode transport
!
crypto map ac120 120 ipsec-isakmp
set peer 192.168.27.120
set security-association lifetime seconds 28800
set transform-set unodostres
set pfs group2
match address 120
!
!
!
!
interface FastEthernet0/0
description locallan
no ip address
no ip route-cache cef
duplex auto
speed auto
!
interface FastEthernet0/0.105
description vlan105
encapsulation dot1Q 105 native
ip address 192.168.27.105 255.255.255.0
no ip mroute-cache
no cdp enable
crypto map ac120
!
...
!
ip forward-protocol nd
ip route 192.168.27.120 255.255.255.255 FastEthernet0/0.105
!
...
!
access-list 120 permit ip host 192.168.27.105 host 192.168.27.120
access-list 120 permit ip host 192.168.27.120 host 192.168.27.105
no cdp run
!
On the AudioCodes MP-114 the settings are as follows:
IPSEC - http://imageshack.us/photo/my-images/593/ac114ipsec.jpg/
ISAKMP - http://imageshack.us/photo/my-images/148/ac114.jpg/
Here is what the Cisco shows:
cc-cisco-reserve#sh crypto ipsec sa
interface: FastEthernet0/0.105
Crypto map tag: ac120, local addr 192.168.27.105
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.27.120/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.27.105/255.255.255.255/0/0)
current_peer 192.168.27.120 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.27.105, remote crypto endpt.: 192.168.27.120
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.105
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.27.105/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.27.120/255.255.255.255/0/0)
current_peer 192.168.27.120 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
#pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 41, #recv errors 0
local crypto endpt.: 192.168.27.105, remote crypto endpt.: 192.168.27.120
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.105
current outbound spi: 0x3C580FCD(1012404173)
inbound esp sas:
spi: 0x15E1962E(367105582)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 3001, flow_id: NETGX:1, crypto map: ac120
sa timing: remaining key lifetime (k/sec): (4377594/28685)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3C580FCD(1012404173)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 3002, flow_id: NETGX:2, crypto map: ac120
sa timing: remaining key lifetime (k/sec): (4377588/28685)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
cc-cisco-reserve#sh crypto isakmp sa
dst src state conn-id slot status
192.168.27.105 192.168.27.120 QM_IDLE 3 0 ACTIVE
cc-cisco-reserve#sh crypto session
Crypto session current status
Interface: FastEthernet0/0.105
Session status: UP-ACTIVE
Peer: 192.168.27.120 port 500
IKE SA: local 192.168.27.105/500 remote 192.168.27.120/500 Active
IPSEC FLOW: permit ip host 192.168.27.120 host 192.168.27.105
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 192.168.27.105 host 192.168.27.120
Active SAs: 2, origin: crypto map
debug crypto ipsec, debug crypto isakmp
*Jul 27 10:18:22.598: ISAKMP (0:0): received packet from 192.168.27.120 dport 500 sport 500 Global (N) NEW SA
*Jul 27 10:18:22.598: ISAKMP: Found a peer struct for 192.168.27.120, peer port 500
*Jul 27 10:18:22.598: ISAKMP: Locking peer struct 0x46DE20D0, IKE refcount 1 for crypto_isakmp_process_block
*Jul 27 10:18:22.598: ISAKMP: local port 500, remote port 500
*Jul 27 10:18:22.602: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 460DF72C
*Jul 27 10:18:22.602: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 10:18:22.602: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
*Jul 27 10:18:22.602: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Jul 27 10:18:22.602: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.168.27.120
*Jul 27 10:18:22.602: ISAKMP:(0:0:N/A:0): local preshared key found
*Jul 27 10:18:22.602: ISAKMP : Scanning profiles for xauth ...
*Jul 27 10:18:22.602: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 120 policy
*Jul 27 10:18:22.602: ISAKMP: encryption 3DES-CBC
*Jul 27 10:18:22.602: ISAKMP: hash MD5
*Jul 27 10:18:22.602: ISAKMP: auth pre-share
*Jul 27 10:18:22.602: ISAKMP: default group 2
*Jul 27 10:18:22.602: ISAKMP: life type in seconds
*Jul 27 10:18:22.602: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 27 10:18:22.602: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
*Jul 27 10:18:22.642: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 10:18:22.642: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jul 27 10:18:22.642: ISAKMP:(0:2:SW:1): sending packet to 192.168.27.120 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jul 27 10:18:22.642: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 10:18:22.642: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jul 27 10:18:23.266: ISAKMP (0:134217730): received packet from 192.168.27.120 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 27 10:18:23.270: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 10:18:23.270: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jul 27 10:18:23.270: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
*Jul 27 10:18:23.314: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
*Jul 27 10:18:23.314: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 192.168.27.120
*Jul 27 10:18:23.318: ISAKMP:(0:2:SW:1):SKEYID state generated
*Jul 27 10:18:23.318: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 10:18:23.318: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jul 27 10:18:23.318: ISAKMP:(0:2:SW:1): sending packet to 192.168.27.120 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 27 10:18:23.318: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 10:18:23.318: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jul 27 10:18:24.122: ISAKMP (0:134217730): received packet from 192.168.27.120 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 27 10:18:24.126: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 10:18:24.126: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jul 27 10:18:24.126: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0
*Jul 27 10:18:24.126: ISAKMP (0:134217730): ID payload
next-payload : 8
type : 1
address : 192.168.27.120
protocol : 17
port : 500
length : 12
*Jul 27 10:18:24.126: ISAKMP:(0:2:SW:1):: peer matches *none* of the profiles
*Jul 27 10:18:24.126: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0
*Jul 27 10:18:24.126: ISAKMP:(0:2:SW:1):SA authentication status:
authenticated
*Jul 27 10:18:24.126: ISAKMP:(0:2:SW:1):SA has been authenticated with 192.168.27.120
*Jul 27 10:18:24.126: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 10:18:24.126: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jul 27 10:18:24.126: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 27 10:18:24.126: ISAKMP (0:134217730): ID payload
next-payload : 8
type : 1
address : 192.168.27.105
protocol : 17
port : 500
length : 12
*Jul 27 10:18:24.130: ISAKMP:(0:2:SW:1):Total payload length: 12
*Jul 27 10:18:24.130: ISAKMP:(0:2:SW:1): sending packet to 192.168.27.120 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 27 10:18:24.130: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 10:18:24.130: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jul 27 10:18:24.130: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 27 10:18:24.130: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 27 10:18:24.138: ISAKMP (0:134217730): received packet from 192.168.27.120 dport 500 sport 500 Global (R) QM_IDLE
*Jul 27 10:18:24.138: ISAKMP: set new node 832273823 to QM_IDLE
*Jul 27 10:18:24.138: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 832273823
*Jul 27 10:18:24.138: ISAKMP:(0:2:SW:1): processing SA payload. message ID = 832273823
*Jul 27 10:18:24.138: ISAKMP:(0:2:SW:1):Checking IPSec proposal 1
*Jul 27 10:18:24.138: ISAKMP: transform 1, ESP_3DES
*Jul 27 10:18:24.138: ISAKMP: attributes in transform:
*Jul 27 10:18:24.138: ISAKMP: SA life type in seconds
*Jul 27 10:18:24.138: ISAKMP: SA life duration (basic) of 28800
*Jul 27 10:18:24.138: ISAKMP: encaps is 2 (Transport)
*Jul 27 10:18:24.138: ISAKMP: authenticator is HMAC-SHA
*Jul 27 10:18:24.138: ISAKMP:(0:2:SW:1):atts are acceptable.
*Jul 27 10:18:24.138: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.27.105, remote= 192.168.27.120,
local_proxy= 192.168.27.105/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.27.120/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
*Jul 27 10:18:24.138: Crypto mapdb : proxy_match
src addr : 192.168.27.105
dst addr : 192.168.27.120
protocol : 0
src port : 0
dst port : 0
*Jul 27 10:18:24.138: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x4
*Jul 27 10:18:24.138: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
*Jul 27 10:18:24.142: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 192.168.27.105 remote 192.168.27.120)
*Jul 27 10:18:24.142: ISAKMP: set new node 416186781 to QM_IDLE
*Jul 27 10:18:24.142: ISAKMP:(0:2:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1177079928, message ID = 416186781
*Jul 27 10:18:24.142: ISAKMP:(0:2:SW:1): sending packet to 192.168.27.120 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 27 10:18:24.142: ISAKMP:(0:2:SW:1):purging node 416186781
*Jul 27 10:18:24.142: ISAKMP:(0:2:SW:1):deleting node 832273823 error TRUE reason "QM rejected"
*Jul 27 10:18:24.142: ISAKMP (0:134217730): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 832273823: state = IKE_QM_READY
*Jul 27 10:18:24.142: ISAKMP:(0:2:SW:1):Node 832273823, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 27 10:18:24.142: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
I cannot work out what the problem is. I have tried various transform-set combinations on both sides.
If I change the setting
crypto ipsec transform-set unodostres esp-3des esp-sha-hmac
to
crypto ipsec transform-set unodostres esp-3des ah-sha-hmac
then in the debug I see:
*Jul 27 10:23:56.554: Crypto mapdb : proxy_match
src addr : 192.168.27.105
dst addr : 192.168.27.120
protocol : 0
src port : 0
dst port : 0
*Jul 27 10:23:56.554: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }
Can anyone suggest what the problem might be?
Thanks in advance.
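As an added example (not part of the original post, and not a Cisco tool), the following Python script works through the two outputs above the way a first triage pass would: did IKE phase 1 complete, which phase-2 proposal did the router refuse and with what message, and which SA flows deserve a second look. The sample strings are excerpts of the debug and show output posted above; the function names and the local/peer addresses passed to diagnose() are my own assumptions.

```python
import re

# Constructed sample input: excerpts of the 'debug crypto isakmp' / 'debug crypto ipsec'
# output and of 'show crypto ipsec sa' from the post above, trimmed to the lines that matter.
DEBUG_SAMPLE = """\
*Jul 27 10:18:22.602: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
*Jul 27 10:18:22.602: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
*Jul 27 10:18:24.130: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jul 27 10:18:24.138: ISAKMP:(0:2:SW:1):Checking IPSec proposal 1
*Jul 27 10:18:24.138: ISAKMP: transform 1, ESP_3DES
*Jul 27 10:18:24.138: ISAKMP: SA life duration (basic) of 28800
*Jul 27 10:18:24.138: ISAKMP: encaps is 2 (Transport)
*Jul 27 10:18:24.138: ISAKMP: authenticator is HMAC-SHA
*Jul 27 10:18:24.138: IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x4
*Jul 27 10:18:24.142: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 192.168.27.105 remote 192.168.27.120)
*Jul 27 10:18:24.142: ISAKMP:(0:2:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

SA_SAMPLE = """\
local ident (addr/mask/prot/port): (192.168.27.120/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.27.105/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
local ident (addr/mask/prot/port): (192.168.27.105/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.27.120/255.255.255.255/0/0)
#pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
#pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
#send errors 41, #recv errors 0
"""

TIMESTAMP_RE = re.compile(r"^\*\w{3} +\d+ [\d:.]+: ")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
# Messages IOS logs when it refuses the peer's quick-mode (phase 2) proposal.
REJECT_MARKERS = (
    "invalid transform proposal",
    "transform proposal not supported",
    "phase 2 SA policy not acceptable",
    "PROPOSAL_NOT_CHOSEN",
)
PROPOSAL_RES = {
    "transform": re.compile(r"ISAKMP: transform \d+, (\S+)"),
    "lifetime_s": re.compile(r"SA life duration \(basic\) of (\d+)"),
    "encaps": re.compile(r"encaps is \d+ \((\w+)\)"),
    "auth": re.compile(r"authenticator is (\S+)"),
}


def phase1_complete(debug: str) -> bool:
    """True if the main-mode state machine reached IKE_P1_COMPLETE."""
    return any(m.group(2) == "IKE_P1_COMPLETE" for m in STATE_RE.finditer(debug))


def phase2_proposal(debug: str) -> dict:
    """The peer's first IPsec proposal as IOS logged it (transform, mode, auth, lifetime)."""
    found = {}
    for name, rx in PROPOSAL_RES.items():
        if m := rx.search(debug):
            found[name] = m.group(1)
    return found


def phase2_rejections(debug: str) -> list:
    """Rejection messages with the timestamp stripped, in log order."""
    return [TIMESTAMP_RE.sub("", line) for line in debug.splitlines()
            if any(marker in line for marker in REJECT_MARKERS)]


def sa_flows(sa_text: str) -> list:
    """One dict per 'local ident' block of 'show crypto ipsec sa' with its packet counters."""
    flows = []
    for line in sa_text.splitlines():
        line = line.strip()
        if m := re.match(r"local ident .*?\((\d+\.\d+\.\d+\.\d+)", line):
            flows.append({"local": m.group(1), "remote": None,
                          "encaps": 0, "decaps": 0, "send_errors": 0})
        elif m := re.match(r"remote ident .*?\((\d+\.\d+\.\d+\.\d+)", line):
            flows[-1]["remote"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            flows[-1]["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            flows[-1]["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+)", line):
            flows[-1]["send_errors"] = int(m.group(1))
    return flows


def diagnose(debug: str, sa_text: str, local_ip: str, peer_ip: str) -> dict:
    """Pinpoint the failing stage and list the SA flows worth a second look."""
    rejections = phase2_rejections(debug)
    flows = sa_flows(sa_text)
    if not phase1_complete(debug):
        stage = "phase 1 (main mode) did not complete"
    elif rejections:
        stage = "phase 1 complete; phase 2 proposal rejected by local IPsec policy"
    else:
        stage = "negotiation completed"
    return {
        "stage": stage,
        "proposal": phase2_proposal(debug),
        "rejections": rejections,
        # A flow whose local ident is the *peer* address comes from a reversed crypto-ACL entry.
        "reversed_flows": [f for f in flows if f["local"] == peer_ip and f["remote"] == local_ip],
        "flows_with_send_errors": [f for f in flows if f["send_errors"]],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(DEBUG_SAMPLE, SA_SAMPLE, "192.168.27.105", "192.168.27.120"), indent=2))
```

On the posted output the script reports that phase 1 reached IKE_P1_COMPLETE and that the refusal happens entirely inside the IPsec proposal check, so the ISAKMP policy is not where to keep looking. It also singles out the flow whose local ident is the peer's address: that flow comes from the second line of access-list 120, which mirrors the first. A Cisco crypto ACL only needs the outbound direction, since the router derives the inbound selectors from it, so the mirrored entry only adds a second flow that never carries a packet. Independently of the interoperability problem, an ISAKMP policy of 3DES/MD5/DH group 2 and a pre-shared key of 123456 posted in a public thread would not pass a review today.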