cr1m
Registered: 25 Sep 2018, 10:49 Posts: 32
Good day. We have a hub on an ASR1001X; 29XX spokes build tunnels to it, and one spoke is an ASR1001:
license boot level adventerprise
Cisco IOS XE Software, Version 03.16.10.S - Extended Support Release
crypto isakmp policy 1
 encr aes 256
 group 14
 lifetime 3600
!
crypto isakmp policy 2
 encr aes
 group 14
 lifetime 3600
!
crypto isakmp policy 100
 encr aes 256
 group 14
crypto isakmp keepalive 10
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set _transformSetN01 esp-aes esp-sha256-hmac
 mode transport
crypto ipsec df-bit clear
!
!
crypto ipsec profile _ipsecProfileN01
 set transform-set _transformSetN01
interface Tunnel0
 bandwidth 10000
 ip address 10.0.0.183 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXXX
 ip nhrp network-id XXX
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1 nbma X.X.X.X multicast
 ip nhrp nhs 10.0.0.2 nbma Y.Y.Y.Y multicast
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 100
 cdp enable
 qos pre-classify
 tunnel source Port-channel1.111
 tunnel mode gre multipoint
 tunnel key XXX
 tunnel path-mtu-discovery
 tunnel protection ipsec profile _ipsecProfileN01
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr A.A.A.A

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (A.A.A.A/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.255/47/0)
   current_peer X.X.X.X port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 31, #recv errors 0

     local crypto endpt.: A.A.A.A, remote crypto endpt.: X.X.X.X
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Port-channel1.111
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (A.A.A.A/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (Y.Y.Y.Y/255.255.255.255/47/0)
   current_peer Y.Y.Y.Y port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 32, #recv errors 0

     local crypto endpt.: A.A.A.A, remote crypto endpt.: Y.Y.Y.Y
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Port-channel1.111
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Has anyone run into this?
The spoke's IPsec logs keep showing these errors:
Oct 29 11:34:58.849: [Sibling D77D6CBD]: request insert_spi got error
Oct 29 11:34:58.849: IPSEC(send_delete_notify_kmi): not sending KEY_ENG_NOTIFY_DECR_COUNT
Oct 29 11:34:58.849: [Ident 80000049]: request ipsec_wait_for_delete_to_complete got error
Oct 29 11:34:58.850: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
Oct 29 11:34:58.850: [Ident 80000048]: request ipsec_wait_for_delete_to_complete got error
Oct 29 11:34:58.850: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
Oct 29 11:35:33.889: IPSEC(ipsec_get_crypto_session_id):
The errors occur on only one spoke (the ASR1001); with the same settings on ISR29XX and ISR19XX, IPsec comes up with the hub.
On the hub side, errors are pouring in for this spoke:
Oct 30 08:55:12.709: ISAKMP-ERROR: (58470):deleting node 2209340122 error TRUE reason "Delete Larval"
Oct 30 08:55:12.709: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list

#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
X.X.X.X         A.A.A.A         QM_IDLE           1001 ACTIVE
Y.Y.Y.Y         A.A.A.A         QM_IDLE           1002 ACTIVE
IPv6 Crypto ISAKMP SA
One more thing I noticed: earlier this ASR1001 connected to a different hub where the encryption was simpler:
crypto ipsec transform-set TransformSet esp-aes esp-sha-hmac
 mode transport
As soon as the encryption was changed to:
crypto ipsec transform-set _transformSetN01 esp-des esp-sha256-hmac
 mode transport
IPsec stopped coming up, although the other spokes (ISR19XX, 29XX) connect to the hub with this profile. Could it be something with the firmware and its support for esp-sha256-hmac?
Authorization is certificate-based.
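A small monitoring check over the kind of output quoted above, added here as an example (it is not from the original post or from Cisco): it parses "show crypto ipsec sa" per peer and flags peers where ISAKMP may be ACTIVE but no ESP SA was ever installed, which is the state both spoke entries in the post are in. The sample text is constructed in the same redacted shape; the healthy second peer Z.Z.Z.Z is an assumption added for contrast.

```python
import re
# Constructed sample shaped like the post's "show crypto ipsec sa" output; second peer is healthy.
SAMPLE_IPSEC_SA = """\
   current_peer X.X.X.X port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #send errors 31, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
   current_peer Z.Z.Z.Z port 500
     PERMIT, flags={origin_is_acl,}
    #send errors 0, #recv errors 0
     current outbound spi: 0x1A2B3C4D(439041101)
     inbound esp sas:
      spi: 0x5E6F7081(1584361601)
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
"""

def parse_ipsec_sa(text):
    # One dict per "current_peer" block: flags, send errors, outbound SPI, ESP SA counts.
    peers, cur, section = [], None, None
    for raw in text.splitlines():
        s = raw.strip()
        m = re.match(r"current_peer (\S+) port \d+", s)
        if m:
            cur = {"peer": m.group(1), "flags": set(), "send_errors": 0,
                   "outbound_spi": None, "inbound_esp": 0, "outbound_esp": 0}
            peers.append(cur); section = None
        elif cur is None:
            continue                        # header lines before the first peer
        elif (m := re.search(r"flags=\{([^}]*)\}", s)):
            cur["flags"] = {f for f in m.group(1).split(",") if f}
        elif (m := re.match(r"#send errors (\d+)", s)):
            cur["send_errors"] = int(m.group(1))
        elif (m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", s)):
            cur["outbound_spi"] = int(m.group(1), 16)
        elif s in ("inbound esp sas:", "outbound esp sas:"):
            section = s.split()[0]          # "inbound" or "outbound"
        elif s.endswith("sas:"):            # ah / pcp sections are not ESP
            section = None
        elif section and s.startswith("spi:"):
            cur[section + "_esp"] += 1
    return peers

def stuck_peers(peers):
    # No ESP SA installed while the SA request is still pending: phase 2 never completed.
    return [p["peer"] for p in peers
            if p["inbound_esp"] == 0 and p["outbound_esp"] == 0
            and (p["outbound_spi"] == 0 or "ipsec_sa_request_sent" in p["flags"])]
```

Feeding the real output of both hub peers from the post into `parse_ipsec_sa` reports X.X.X.X and Y.Y.Y.Y as stuck, with send errors counting the packets dropped while waiting for an SA.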