dmvpn+ipsec does not come up

Registered: 25 Sep 2018, 10:49
Posts: 32
Hello

Feature name    Enforcement  Evaluation  Subscription  Enabled  RightToUse
ipbasek9        no           no          no            yes      no
securityk9      yes          yes         no            yes      yes
datak9          yes          yes         no            yes      yes



The encryption license is enabled and the key has been generated. The settings on the spokes are standard, the addresses are public:

crypto isakmp policy 1
 encr aes 256
 group 14
 lifetime 3600
!
crypto isakmp policy 2
 encr aes
 group 14
 lifetime 3600
!
crypto isakmp policy 100
 encr aes 256
 group 14
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set _transformSetN02 esp-aes esp-sha-hmac
 mode transport
crypto ipsec df-bit clear
!
!
crypto ipsec profile _ipsecProfileN02
 set transform-set _transformSetN02
 set pfs group14
!
interface Tunnel0
 description DMVPN-A1
 bandwidth 50000
 ip address 192.168.0.177 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XYJxE3bZ
 ip nhrp summary-map 10.40.0.0/24
 ip nhrp network-id 65019001
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.0.1 nbma hub.XXX.XXX multicast
 no ip nhrp record
 ip summary-address eigrp 65019 10.40.0.0 255.255.255.0
 ip tcp adjust-mss 1360
 cdp enable
 qos pre-classify
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 65019001
 tunnel path-mtu-discovery
 tunnel protection ipsec profile _ipsecProfileN02





The debug says the SAs cannot be established; the exchange keeps going around in a loop:

Dec 17 10:20:28.883: ISAKMP: (1199):retransmitting due to retransmit phase 1
Dec 17 10:20:29.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH...
Dec 17 10:20:29.383: ISAKMP: (1199):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Dec 17 10:20:29.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH
Dec 17 10:20:29.383: ISAKMP-PAK: (1199):sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 17 10:20:29.383: ISAKMP: (1199):Sending an IKE IPv4 Packet.
Dec 17 10:20:37.963: ISAKMP: (1198):purging SA., sa=337EC3E4, delme=337EC3E4
Dec 17 10:20:38.723: ISAKMP: (1199):set new node 0 to QM_IDLE
Dec 17 10:20:38.723: ISAKMP-ERROR: (1199):SA is still budding. Attached new ipsec request to it. (local A.A.A.A, remote B.B.B.B)
Dec 17 10:20:38.723: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
Dec 17 10:20:38.723: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
Dec 17 10:20:38.903: ISAKMP-PAK: (1199):received packet from B.B.B.B dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec 17 10:20:38.903: ISAKMP: (1199):phase 1 packet is a duplicate of a previous packet.
Dec 17 10:20:38.903: ISAKMP: (1199):retransmitting due to retransmit phase 1
Dec 17 10:20:39.403: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH...
Dec 17 10:20:39.403: ISAKMP: (1199):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Dec 17 10:20:39.403: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH
Dec 17 10:20:39.403: ISAKMP-PAK: (1199):sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 17 10:20:39.403: ISAKMP: (1199):Sending an IKE IPv4 Packet.
Dec 17 10:20:48.883: ISAKMP-PAK: (1199):received packet from B.B.B.B dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec 17 10:20:48.883: ISAKMP: (1199):phase 1 packet is a duplicate of a previous packet.
Dec 17 10:20:48.883: ISAKMP: (1199):retransmitting due to retransmit phase 1
Dec 17 10:20:49.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH...
Dec 17 10:20:49.383: ISAKMP: (1199):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Dec 17 10:20:49.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH
Dec 17 10:20:49.383: ISAKMP-PAK: (1199):sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 17 10:20:49.383: ISAKMP: (1199):Sending an IKE IPv4 Packet.
Dec 17 10:20:58.883: ISAKMP-PAK: (1199):received packet from B.B.B.B dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec 17 10:20:58.883: ISAKMP: (1199):phase 1 packet is a duplicate of a previous packet.
Dec 17 10:20:58.883: ISAKMP: (1199):retransmitting due to retransmit phase 1
Dec 17 10:20:59.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH...
Dec 17 10:20:59.383: ISAKMP: (1199):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Dec 17 10:20:59.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH
Dec 17 10:20:59.383: ISAKMP-PAK: (1199):sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 17 10:20:59.383: ISAKMP: (1199):Sending an IKE IPv4 Packet.
Dec 17 10:21:09.031: ISAKMP: (1199):set new node 0 to QM_IDLE
Dec 17 10:21:09.031: ISAKMP-ERROR: (1199):SA is still budding. Attached new ipsec request to it. (local A.A.A.A, remote B.B.B.B)
Dec 17 10:21:09.031: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
Dec 17 10:21:09.031: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
Dec 17 10:21:09.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH...
Dec 17 10:21:09.383: ISAKMP: (1199):peer does not do paranoid keepalives.
Dec 17 10:21:09.383: ISAKMP-ERROR: (1199):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer B.B.B.B)
Dec 17 10:21:09.383: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message
Dec 17 10:21:09.383: ISAKMP (1199): IPSec has no more SA's with this peer. Won't keepalive phase 1.
Dec 17 10:21:09.383: ISAKMP-ERROR: (1199):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer B.B.B.B)
Dec 17 10:21:09.383: ISAKMP: (0):Unlocking peer struct 0x3389F6A8 for isadb_mark_sa_deleted(), count 0
Dec 17 10:21:09.383: ISAKMP: (0):Deleting peer node by peer_reap for B.B.B.B: 3389F6A8
Dec 17 10:21:09.383: ISAKMP: (1199):deleting node 1468643257 error FALSE reason "IKE deleted"
Dec 17 10:21:09.383: ISAKMP: (1199):deleting node -1425303883 error FALSE reason "IKE deleted"
Dec 17 10:21:09.383: ISAKMP: (1199):deleting node 1527074067 error FALSE reason "IKE deleted"
Dec 17 10:21:09.383: ISAKMP: (1199):IKE->PKI End PKI Session state (I) MM_NO_STATE (peer B.B.B.B)
Dec 17 10:21:09.383: ISAKMP: (1199):PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer B.B.B.B)





Has anyone run into this?


17 Dec 2019, 13:46
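
An added example, not part of the original thread: a small Python parser that condenses ISAKMP debug output like the one in the post above into per-SA counters and flags SAs that were deleted by retransmission while still in phase 1. The function names and the embedded sample lines (condensed from the format shown in the post) are constructed for illustration.

```python
import re
# Constructed sample (condensed from the debug format in the post); names below are illustrative.
SAMPLE = """\
Dec 17 10:20:49.383: ISAKMP: (1199):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Dec 17 10:20:49.383: ISAKMP-PAK: (1199):sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 17 10:20:58.883: ISAKMP-PAK: (1199):received packet from B.B.B.B dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec 17 10:20:58.883: ISAKMP: (1199):phase 1 packet is a duplicate of a previous packet.
Dec 17 10:20:59.383: ISAKMP: (1199):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Dec 17 10:21:09.383: ISAKMP-ERROR: (1199):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer B.B.B.B)
"""

HEAD = re.compile(r'ISAKMP(?:-[A-Z]+)?:? \((\d+)\):+\s*(.*)')
PKT = re.compile(r'(sending packet to|received packet from) (\S+) .*\(([IR])\) (\S+)')
TRY = re.compile(r'attempt (\d+) of (\d+)')
DEL = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\S+)')

def summarize(log):
    """Return {sa_id: counters} for every ISAKMP SA seen in the debug text."""
    sas = {}
    for line in log.splitlines():
        m = HEAD.search(line)
        if not m or m.group(1) == "0":   # id 0: message not tied to an SA
            continue
        sa = sas.setdefault(int(m.group(1)), dict(
            peer=None, role=None, state=None, sent=0, received=0,
            duplicates=0, attempts=0, deleted=None))
        msg = m.group(2)
        if p := PKT.search(msg):
            sa["sent" if p.group(1).startswith("sending") else "received"] += 1
            sa["peer"], sa["role"], sa["state"] = p.group(2), p.group(3), p.group(4)
        elif "duplicate of a previous packet" in msg:
            sa["duplicates"] += 1
        elif t := TRY.search(msg):
            sa["attempts"] = max(sa["attempts"], int(t.group(1)))
        elif d := DEL.search(msg):
            sa["deleted"], sa["role"], sa["state"] = d.group(1), d.group(2), d.group(3)
    return sas

def stalled_phase1(sas):
    """SA ids deleted by retransmission while still in a phase 1 (MM_/AG_) state."""
    return [i for i, s in sas.items()
            if s["deleted"] and "retransmission" in s["deleted"]
            and s["state"].startswith(("MM_", "AG_"))]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for sa_id, s in result.items():
        print(sa_id, s)
    print("stalled in phase 1:", stalled_phase1(result))
```

Non-zero `received` and `duplicates` counters mean the peer's packets arrive and the peer is retransmitting as well, which separates this case from one where nothing comes back at all.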

Registered: 29 May 2017, 21:19
Posts: 1404
Try this:

On the hub:

interface Tunnel1
 ip address 172.16.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXX
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key XXX
 tunnel protection ipsec profile DMVPN-AES256-SHA2
crypto ipsec df-bit clear

On the spoke:

interface Tunnel1
 ip address 172.16.2.4 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXX
 ip nhrp map multicast A.A.A.A
 ip nhrp map 172.16.2.1 A.A.A.A
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.2.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0.500
 tunnel mode gre multipoint
 tunnel key XXX
 tunnel protection ipsec profile DMVPN-AES256-SHA2
crypto ipsec df-bit clear


17 Dec 2019, 15:35