Page 1 of 1 | [ Posts: 2 ]
dmvpn+ipsec does not come up
Author | Message
cr1m
Joined: 25 Sep 2018, 10:49 Posts: 32

Hi
Feature name   Enforcement  Evaluation  Subscription  Enabled  RightToUse
ipbasek9       no           no          no            yes      no
securityk9     yes          yes         no            yes      yes
datak9         yes          yes         no            yes      yes
The encryption license is enabled and the key has been generated. The settings on the spokes are standard, and the addresses are public:
crypto isakmp policy 1
 encr aes 256
 group 14
 lifetime 3600
!
crypto isakmp policy 2
 encr aes
 group 14
 lifetime 3600
!
crypto isakmp policy 100
 encr aes 256
 group 14
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!

crypto ipsec transform-set _transformSetN02 esp-aes esp-sha-hmac
 mode transport
crypto ipsec df-bit clear
!
!
crypto ipsec profile _ipsecProfileN02
 set transform-set _transformSetN02
 set pfs group14
!
!
!
!
!
!
!

!
interface Tunnel0
 description DMVPN-A1
 bandwidth 50000
 ip address 192.168.0.177 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XYJxE3bZ
 ip nhrp summary-map 10.40.0.0/24
 ip nhrp network-id 65019001
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.0.1 nbma hub.XXX.XXX multicast
 no ip nhrp record
 ip summary-address eigrp 65019 10.40.0.0 255.255.255.0
 ip tcp adjust-mss 1360
 cdp enable
 qos pre-classify
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 65019001
 tunnel path-mtu-discovery
 tunnel protection ipsec profile _ipsecProfileN02
The debug shows that the SAs cannot be established; the exchange keeps repeating in a loop:
c 17 10:20:28.883: ISAKMP: (1199):retransmitting due to retransmit phase 1
Dec 17 10:20:29.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH...
Dec 17 10:20:29.383: ISAKMP: (1199):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Dec 17 10:20:29.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH
Dec 17 10:20:29.383: ISAKMP-PAK: (1199):sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 17 10:20:29.383: ISAKMP: (1199):Sending an IKE IPv4 Packet.
Dec 17 10:20:37.963: ISAKMP: (1198):purging SA., sa=337EC3E4, delme=337EC3E4
Dec 17 10:20:38.723: ISAKMP: (1199):set new node 0 to QM_IDLE
Dec 17 10:20:38.723: ISAKMP-ERROR: (1199):SA is still budding. Attached new ipsec request to it. (local A.A.A.A, remote B.B.B.B)
Dec 17 10:20:38.723: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
Dec 17 10:20:38.723: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
Dec 17 10:20:38.903: ISAKMP-PAK: (1199):received packet from B.B.B.B dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec 17 10:20:38.903: ISAKMP: (1199):phase 1 packet is a duplicate of a previous packet.
Dec 17 10:20:38.903: ISAKMP: (1199):retransmitting due to retransmit phase 1
Dec 17 10:20:39.403: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH...
Dec 17 10:20:39.403: ISAKMP: (1199):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Dec 17 10:20:39.403: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH
Dec 17 10:20:39.403: ISAKMP-PAK: (1199):sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 17 10:20:39.403: ISAKMP: (1199):Sending an IKE IPv4 Packet.
Dec 17 10:20:48.883: ISAKMP-PAK: (1199):received packet from B.B.B.B dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec 17 10:20:48.883: ISAKMP: (1199):phase 1 packet is a duplicate of a previous packet.
Dec 17 10:20:48.883: ISAKMP: (1199):retransmitting due to retransmit phase 1
Dec 17 10:20:49.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH...
Dec 17 10:20:49.383: ISAKMP: (1199):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Dec 17 10:20:49.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH
Dec 17 10:20:49.383: ISAKMP-PAK: (1199):sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 17 10:20:49.383: ISAKMP: (1199):Sending an IKE IPv4 Packet.
Dec 17 10:20:58.883: ISAKMP-PAK: (1199):received packet from B.B.B.B dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec 17 10:20:58.883: ISAKMP: (1199):phase 1 packet is a duplicate of a previous packet.
Dec 17 10:20:58.883: ISAKMP: (1199):retransmitting due to retransmit phase 1
Dec 17 10:20:59.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH...
Dec 17 10:20:59.383: ISAKMP: (1199):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Dec 17 10:20:59.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH
Dec 17 10:20:59.383: ISAKMP-PAK: (1199):sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 17 10:20:59.383: ISAKMP: (1199):Sending an IKE IPv4 Packet.
Dec 17 10:21:09.031: ISAKMP: (1199):set new node 0 to QM_IDLE
Dec 17 10:21:09.031: ISAKMP-ERROR: (1199):SA is still budding. Attached new ipsec request to it. (local A.A.A.A, remote B.B.B.B)
Dec 17 10:21:09.031: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
Dec 17 10:21:09.031: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
Dec 17 10:21:09.383: ISAKMP: (1199):retransmitting phase 1 MM_KEY_EXCH...
Dec 17 10:21:09.383: ISAKMP: (1199):peer does not do paranoid keepalives.
Dec 17 10:21:09.383: ISAKMP-ERROR: (1199):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer B.B.B.B)
Dec 17 10:21:09.383: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message
Dec 17 10:21:09.383: ISAKMP (1199): IPSec has no more SA's with this peer. Won't keepalive phase 1.
Dec 17 10:21:09.383: ISAKMP-ERROR: (1199):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer B.B.B.B)
Dec 17 10:21:09.383: ISAKMP: (0):Unlocking peer struct 0x3389F6A8 for isadb_mark_sa_deleted(), count 0
Dec 17 10:21:09.383: ISAKMP: (0):Deleting peer node by peer_reap for B.B.B.B: 3389F6A8
Dec 17 10:21:09.383: ISAKMP: (1199):deleting node 1468643257 error FALSE reason "IKE deleted"
Dec 17 10:21:09.383: ISAKMP: (1199):deleting node -1425303883 error FALSE reason "IKE deleted"
Dec 17 10:21:09.383: ISAKMP: (1199):deleting node 1527074067 error FALSE reason "IKE deleted"
Dec 17 10:21:09.383: ISAKMP: (1199):IKE->PKI End PKI Session state (I) MM_NO_STATE (peer B.B.B.B)
Dec 17 10:21:09.383: ISAKMP: (1199):PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer B.B.B.B)
Has anyone run into this?

17 Dec 2019, 13:46
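
A debug capture like the one in the post above is easier to read once it is grouped by SA id: how many packets were sent and received, how far the retransmit counter got, the last IKE state seen and the deletion reason. The script below is an added example, not part of the original post; the sample lines are constructed in the format of that output, and the names `summarize` and `stalled_phase1` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output quoted in the post above.
SAMPLE = """\
Dec 17 10:20:29.383: ISAKMP: (1199):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Dec 17 10:20:29.383: ISAKMP-PAK: (1199):sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 17 10:20:38.903: ISAKMP-PAK: (1199):received packet from B.B.B.B dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec 17 10:20:38.903: ISAKMP: (1199):phase 1 packet is a duplicate of a previous packet.
Dec 17 10:20:59.383: ISAKMP: (1199):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Dec 17 10:21:09.383: ISAKMP-ERROR: (1199):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer B.B.B.B)
Dec 17 10:21:09.383: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message
"""

# "<timestamp>: ISAKMP[-PAK|-ERROR][:] (<sa id>):[:] <message>"
LINE = re.compile(r"^\w{3} +\d+ [\d:.]+: ISAKMP(?:-\w+)?:? \((?P<sa>\d+)\):+ ?(?P<msg>.*)$")
STATE = re.compile(r"\((?P<role>[IR])\) (?P<state>(?:MM|AG|QM)_\w+)")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+)")
DELETED = re.compile(r'deleting SA reason "([^"]+)"')

def summarize(log):
    """Group ISAKMP debug lines by SA id and count what happened to each SA."""
    sas = defaultdict(lambda: dict(sent=0, received=0, duplicates=0, attempt=0,
                                   limit=0, role=None, state=None, deleted=None))
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # non-ISAKMP lines (e.g. "IPSec: ...")
        sa, msg = sas[m["sa"]], m["msg"]
        sa["sent"] += msg.startswith("sending packet to")
        sa["received"] += msg.startswith("received packet from")
        sa["duplicates"] += "duplicate of a previous packet" in msg
        if a := ATTEMPT.search(msg):
            sa["attempt"], sa["limit"] = max(sa["attempt"], int(a[1])), int(a[2])
        if s := STATE.search(msg):
            sa["role"], sa["state"] = s["role"], s["state"]
        if d := DELETED.search(msg):
            sa["deleted"] = d[1]
    return dict(sas)

def stalled_phase1(sas):
    """SA ids deleted or at the retransmit limit while still in a main-mode (MM_*) state."""
    return sorted(sid for sid, s in sas.items()
                  if (s["state"] or "").startswith("MM_")
                  and (s["deleted"] or (s["limit"] and s["attempt"] >= s["limit"])))

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print({sid: report[sid] for sid in stalled_phase1(report)})
```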
root99
Joined: 29 May 2017, 21:19 Posts: 1404

Try this.
On the hub:
interface Tunnel1
 ip address 172.16.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ХХХ
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key ХХХ
 tunnel protection ipsec profile DMVPN-AES256-SHA2
crypto ipsec df-bit clear
On the spoke:
interface Tunnel1
 ip address 172.16.2.4 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXX
 ip nhrp map multicast A.A.A.A
 ip nhrp map 172.16.2.1 A.A.A.A
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.2.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0.500
 tunnel mode gre multipoint
 tunnel key XXX
 tunnel protection ipsec profile DMVPN-AES256-SHA2
crypto ipsec df-bit clear

17 Dec 2019, 15:35