


L2tp over IPSec 

Good afternoon!
Please help me figure this out, or point me at my mistake.
The situation: there is a Cisco ISR C892FSP.
IOS version: "Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.4(3)M3"
I am trying to set up an L2TP over IPsec VPN; I found several fairly good guides and did everything according to them. But at first I could not connect a Windows PC with the built-in client. In the end I did find a solution, by adding the registry values ProhibitIpSec = 1 and allowl2tpweakcrypto = 1.
This is rather inconvenient, since the registry has to be edited on every client, and in essence, because of the changed registry parameters, the encryption gets weaker.

Here is the Cisco config:

Code:
Building configuration...

Current configuration : 3680 bytes
!
! Last configuration change at 16:58:38 MSK Wed Oct 19 2016 by admin
!
version 15.4
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
logging buffered 51200 warnings
enable secret 5 $1$Gy8y$zqq0du5z.2752ONUOwoSj/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone MSK 3 0
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 10.217.68.1 10.217.68.10
ip dhcp excluded-address 10.217.69.1
!
ip dhcp pool l2tp
 network 10.217.69.0 255.255.255.0
 domain-name 1.vpn
 default-router 10.217.69.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool lan
 network 10.217.68.0 255.255.255.0
 domain-name 1.lan
 default-router 10.217.68.1
 dns-server 8.8.8.8 8.8.4.4
!
!
!
no ip bootp server
ip domain name 1.local

ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp security crypto-profile ipnetconfig
 no l2tp tunnel authentication
!
!
!
!
!
!
!
!
!
cts logging verbose

!
!
username admin privilege 15 password
username test privilege 0 password 7 03105E1812
!
!
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0         no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
!
!
!
!
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address dhcp
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map cisco
!
interface GigabitEthernet9
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet8
 ip virtual-reassembly in
 peer default ip address dhcp-pool l2tp
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
!
interface Vlan1
 ip address 10.217.68.1 255.255.255.0
 ip nat enable
 ip virtual-reassembly in
!
interface Vlan2
 ip address 10.217.69.1 255.255.255.0
 ip nat enable
 ip virtual-reassembly in
!
ip default-gateway 192.168.0.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat source list vpn interface GigabitEthernet8 overload
ip route static install-routes-recurse-via-nexthop all
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip access-list extended vpn
 permit ip 10.217.0.0 0.0.255.255 any
!
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
!
!
end


19 Oct 2016, 17:29

I don't know what exactly your problem is.
But try entering this:
Code:
ppp packet throttle 30 1 30

Without it, Windows wouldn't come up for me either, for some reason. But with it, it works without any crutches.


19 Oct 2016, 18:39

Have you tried connecting from other platforms?

What bothers me a little is this:
Code:
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
- mode transport

Shouldn't that be mode tunnel, given that we're using a crypto map?

I even wrote a short article about this once, though as I recall there were problems with Windows there too. Take a look here:
http://www.aneyeblog.ru/index.php?controller=post&action=view&id_post=13


19 Oct 2016, 21:00

kr1keee wrote:
I don't know what exactly your problem is.
But try entering this:
Code:
ppp packet throttle 30 1 30

Without it, Windows wouldn't come up for me either, for some reason. But with it, it works without any crutches.

Thanks for the reply!

I added the PPP packet throttle, but nothing changed. In case it helps, here is what the router says during the connection attempt:
Code:
*Oct 25 10:43:58.823: ISAKMP (0): received packet from 192.168.0.101 dport 500 sport 500 Global (N) NEW SA
*Oct 25 10:43:58.823: ISAKMP: Created a peer struct for 192.168.0.101, peer port 500
*Oct 25 10:43:58.823: ISAKMP: New peer created peer = 0x11659240 peer_handle = 0x80000003
*Oct 25 10:43:58.823: ISAKMP: Locking peer struct 0x11659240, refcount 1 for crypto_isakmp_process_block
*Oct 25 10:43:58.823: ISAKMP: local port 500, remote port 500
*Oct 25 10:43:58.827: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 25E1498
*Oct 25 10:43:58.827: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:43:58.827: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Oct 25 10:43:58.827: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 25 10:43:58.827: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0):found peer pre-shared key matching 192.168.0.101
*Oct 25 10:43:58.827: ISAKMP:(0): local preshared key found
*Oct 25 10:43:58.827: ISAKMP : Scanning profiles for xauth ...
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP:      encryption AES-CBC
*Oct 25 10:43:58.827: ISAKMP:      keylength of 256
*Oct 25 10:43:58.827: ISAKMP:      hash SHA
*Oct 25 10:43:58.827: ISAKMP:      default group 20
*Oct 25 10:43:58.827: ISAKMP:      auth pre-share
*Oct 25 10:43:58.827: ISAKMP:      life type in seconds
*Oct 25 10:43:58.827: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 25 10:43:58.827: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:43:58.827: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP:      encryption AES-CBC
*Oct 25 10:43:58.827: ISAKMP:      keylength of 128
*Oct 25 10:43:58.827: ISAKMP:      hash SHA
*Oct 25 10:43:58.827: ISAKMP:      default group 19
*Oct 25 10:43:58.827: ISAKMP:      auth pre-share
*Oct 25 10:43:58.827: ISAKMP:      life type in seconds
*Oct 25 10:43:58.827: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 25 10:43:58.827: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:43:58.827: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP:      encryption AES-CBC
*Oct 25 10:43:58.827: ISAKMP:      keylength of 256
*Oct 25 10:43:58.827: ISAKMP:      hash SHA
*Oct 25 10:43:58.827: ISAKMP:      default group 14
*Oct 25 10:43:58.827: ISAKMP:      auth pre-share
*Oct 25 10:43:58.827: ISAKMP:      life type in seconds
*Oct 25 10:43:58.827: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 25 10:43:58.827: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:43:58.827: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP:      encryption 3DES-CBC
*Oct 25 10:43:58.827: ISAKMP:      hash SHA
*Oct 25 10:43:58.827: ISAKMP:      default group 14
*Oct 25 10:43:58.827: ISAKMP:      auth pre-share
*Oct 25 10:43:58.827: ISAKMP:      life type in seconds
*Oct 25 10:43:58.827: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 25 10:43:58.827: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Oct 25 10:43:58.827: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP:      encryption 3DES-CBC
*Oct 25 10:43:58.827: ISAKMP:      hash SHA
*Oct 25 10:43:58.827: ISAKMP:      default group 2
*Oct 25 10:43:58.827: ISAKMP:      auth pre-share
*Oct 25 10:43:58.827: ISAKMP:      life type in seconds
*Oct 25 10:43:58.827: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 25 10:43:58.827: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 25 10:43:58.827: ISAKMP:(0):Acceptable atts:actual life: 86400
*Oct 25 10:43:58.827: ISAKMP:(0):Acceptable atts:life: 0
*Oct 25 10:43:58.827: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 25 10:43:58.827: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Oct 25 10:43:58.827: ISAKMP:(0):Returning Actual lifetime: 28800
*Oct 25 10:43:58.827: ISAKMP:(0)::Started lifetime timer: 28800.

*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 25 10:43:58.827: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 10:43:58.827: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Oct 25 10:43:58.827: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct 25 10:43:58.827: ISAKMP:(0): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 25 10:43:58.827: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 25 10:43:58.827: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 10:43:58.827: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Oct 25 10:43:58.831: ISAKMP (0): received packet from 192.168.0.101 dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 25 10:43:58.831: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:43:58.831: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Oct 25 10:43:58.831: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 25 10:43:58.831: ISAKMP:(0): processing NONCE payload. message ID = 0
*Oct 25 10:43:58.831: ISAKMP:(0):found peer pre-shared key matching 192.168.0.101
*Oct 25 10:43:58.831: ISAKMP:received payload type 20
*Oct 25 10:43:58.831: ISAKMP (2002): His hash no match - this node outside NAT
*Oct 25 10:43:58.831: ISAKMP:received payload type 20
*Oct 25 10:43:58.831: ISAKMP (2002): No NAT Found for self or peer
*Oct 25 10:43:58.831: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 10:43:58.831: ISAKMP:(2002):Old State = IKE_R_MM3  New State = IKE_R_MM3             

*Oct 25 10:43:58.835: ISAKMP:(2002): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 25 10:43:58.835: ISAKMP:(2002):Sending an IKE IPv4 Packet.
*Oct 25 10:43:58.835: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 10:43:58.835: ISAKMP:(2002):Old State = IKE_R_MM3  New State = IKE_R_MM4             

*Oct 25 10:43:58.835: ISAKMP (2002): received packet from 192.168.0.101 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Oct 25 10:43:58.835: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:43:58.835: ISAKMP:(2002):Old State = IKE_R_MM4  New State = IKE_R_MM5             

*Oct 25 10:43:58.835: ISAKMP:(2002): processing ID payload. message ID = 0
*Oct 25 10:43:58.835: ISAKMP (2002): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.0.101
        protocol     : 0
        port         : 0
        length       : 12
*Oct 25 10:43:58.835: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 25 10:43:58.835: ISAKMP:(2002): processing HASH payload. message ID = 0
*Oct 25 10:43:58.835: ISAKMP:(2002):SA authentication status:
        authenticated
*Oct 25 10:43:58.835: ISAKMP:(2002):SA has been authenticated with 192.168.0.101
*Oct 25 10:43:58.835: ISAKMP: Trying to insert a peer 192.168.0.106/192.168.0.101/500/,  and inserted successfully 11659240.
*Oct 25 10:43:58.835: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 10:43:58.835: ISAKMP:(2002):Old State = IKE_R_MM5  New State = IKE_R_MM5             

*Oct 25 10:43:58.835: ISAKMP:(2002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Oct 25 10:43:58.835: ISAKMP (2002): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.0.106
        protocol     : 17
        port         : 500
        length       : 12
*Oct 25 10:43:58.835: ISAKMP:(2002):Total payload length: 12
*Oct 25 10:43:58.835: ISAKMP:(2002): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 25 10:43:58.835: ISAKMP:(2002):Sending an IKE IPv4 Packet.
*Oct 25 10:43:58.835: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 10:43:58.835: ISAKMP:(2002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Oct 25 10:43:58.835: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 25 10:43:58.835: ISAKMP:(2002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Oct 25 10:43:58.839: ISAKMP (2002): received packet from 192.168.0.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 25 10:43:58.839: ISAKMP: set new node 1 to QM_IDLE
*Oct 25 10:43:58.839: ISAKMP:(2002): processing HASH payload. message ID = 1
*Oct 25 10:43:58.839: ISAKMP:(2002): processing SA payload. message ID = 1
*Oct 25 10:43:58.839: ISAKMP:(2002):Checking IPSec proposal 1
*Oct 25 10:43:58.839: ISAKMP: transform 1, ESP_AES
*Oct 25 10:43:58.839: ISAKMP:   attributes in transform:
*Oct 25 10:43:58.839: ISAKMP:      encaps is 2 (Transport)
*Oct 25 10:43:58.839: ISAKMP:      key length is 128
*Oct 25 10:43:58.839: ISAKMP:      authenticator is HMAC-SHA
*Oct 25 10:43:58.839: ISAKMP:      SA life type in seconds
*Oct 25 10:43:58.839: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Oct 25 10:43:58.839: ISAKMP:      SA life type in kilobytes
*Oct 25 10:43:58.839: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
*Oct 25 10:43:58.839: ISAKMP:(2002):atts are acceptable.
*Oct 25 10:43:58.839: IPSEC(validate_proposal_request): proposal part #1
*Oct 25 10:43:58.839: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.106:0, remote= 192.168.0.101:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.101/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Oct 25 10:43:58.839: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac }
*Oct 25 10:43:58.839: ISAKMP:(2002): IPSec policy invalidated proposal with error 256
*Oct 25 10:43:58.839: ISAKMP:(2002):Checking IPSec proposal 2
*Oct 25 10:43:58.839: ISAKMP: transform 1, ESP_3DES
*Oct 25 10:43:58.839: ISAKMP:   attributes in transform:
*Oct 25 10:43:58.839: ISAKMP:      encaps is 2 (Transport)
*Oct 25 10:43:58.839: ISAKMP:      authenticator is HMAC-SHA
*Oct 25 10:43:58.839: ISAKMP:      SA life type in seconds
*Oct 25 10:43:58.839: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Oct 25 10:43:58.839: ISAKMP:      SA life type in kilobytes
*Oct 25 10:43:58.839: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
*Oct 25 10:43:58.839: ISAKMP:(2002):atts are acceptable.
*Oct 25 10:43:58.839: IPSEC(validate_proposal_request): proposal part #1
*Oct 25 10:43:58.839: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.106:0, remote= 192.168.0.101:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.101/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 25 10:43:58.839: (ipsec_process_proposal)Map Accepted: ipnetconfig-map, 10
*Oct 25 10:43:58.839: ISAKMP:(2002): processing NONCE payload. message ID = 1
*Oct 25 10:43:58.839: ISAKMP:(2002): processing ID payload. message ID = 1
*Oct 25 10:43:58.839: ISAKMP:(2002): processing ID payload. message ID = 1
*Oct 25 10:43:58.839: ISAKMP:(2002):QM Responder gets spi
*Oct 25 10:43:58.839: ISAKMP:(2002):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 25 10:43:58.839: ISAKMP:(2002):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Oct 25 10:43:58.839: ISAKMP:(2002):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Oct 25 10:43:58.839: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Oct 25 10:43:58.839: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 25 10:43:58.839: IPSEC(crypto_ipsec_create_ipsec_sas): Map found ipnetconfig-map, 10
*Oct 25 10:43:58.843: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.106, sa_proto= 50,
    sa_spi= 0xD5FF3EF0(3590274800),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.101:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.101/255.255.255.255/17/1701
*Oct 25 10:43:58.843: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.101, sa_proto= 50,
    sa_spi= 0x72C00E82(1925189250),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.101:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.101/255.255.255.255/17/1701
*Oct 25 10:43:58.843:  ISAKMP: Failed to find peer index node to update peer_info_list
*Oct 25 10:43:58.843: ISAKMP:(2002):Received IPSec Install callback... proceeding with the negotiation
*Oct 25 10:43:58.843: ISAKMP:(2002):Successfully installed IPSEC SA (SPI:0xD5FF3EF0) on GigabitEthernet8
*Oct 25 10:43:58.843: ISAKMP:(2002): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 25 10:43:58.843: ISAKMP:(2002):Sending an IKE IPv4 Packet.
*Oct 25 10:43:58.843: ISAKMP:(2002):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Oct 25 10:43:58.843: ISAKMP:(2002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
*Oct 25 10:43:58.847: ISAKMP (2002): received packet from 192.168.0.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 25 10:43:58.847: ISAKMP:(2002):deleting node 1 error FALSE reason "QM donen(await)"
*Oct 25 10:43:58.847: ISAKMP:(2002):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 25 10:43:58.847: ISAKMP:(2002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Oct 25 10:43:58.847: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 25 10:43:58.847: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Oct 25 10:43:58.847: IPSEC: Expand action denied, notify RP
*Oct 25 10:44:05.483: ISAKMP:(2001):purging SA., sa=377F2A8, delme=377F2A8
*Oct 25 10:44:33.875: ISAKMP (2002): received packet from 192.168.0.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 25 10:44:33.875: ISAKMP: set new node -601388558 to QM_IDLE
*Oct 25 10:44:33.875: ISAKMP:(2002): processing HASH payload. message ID = 3693578738
*Oct 25 10:44:33.875: ISAKMP:(2002): processing DELETE payload. message ID = 3693578738
*Oct 25 10:44:33.875: ISAKMP:(2002):peer does not do paranoid keepalives.

*Oct 25 10:44:33.875: ISAKMP:(2002):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x72C00E82)
*Oct 25 10:44:33.875: ISAKMP:(2002):deleting node -601388558 error FALSE reason "Informational (in) state 1"
*Oct 25 10:44:33.879: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 25 10:44:33.879: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5069
*Oct 25 10:44:33.879: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Oct 25 10:44:33.879: IPSEC: still in use sa: 0xFAA2F24
*Oct 25 10:44:33.879: IPSEC(key_engine_delete_sas): delete SA with spi 0x72C00E82 proto 50 for 192.168.0.101
*Oct 25 10:44:33.879:  ISAKMP: Failed to find peer index node to update peer_info_list
*Oct 25 10:44:33.879: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.0.106, sa_proto= 50,
    sa_spi= 0xD5FF3EF0(3590274800),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.101:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.101/255.255.255.255/17/1701
*Oct 25 10:44:33.879: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.0.101, sa_proto= 50,
    sa_spi= 0x72C00E82(1925189250),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.101:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.101/255.255.255.255/17/1701
*Oct 25 10:44:33.879: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Oct 25 10:44:33.879: ISAKMP (2002): received packet from 192.168.0.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 25 10:44:33.879: ISAKMP: set new node 225808184 to QM_IDLE
*Oct 25 10:44:33.879: ISAKMP:(2002): processing HASH payload. message ID = 225808184
*Oct 25 10:44:33.879: ISAKMP:(2002): processing DELETE payload. message ID = 225808184
*Oct 25 10:44:33.879: ISAKMP:(2002):peer does not do paranoid keepalives.

*Oct 25 10:44:33.879: ISAKMP:(2002):deleting SA reason "No reason" state (R) QM_IDLE       (peer 192.168.0.101)
*Oct 25 10:44:33.879: ISAKMP:(2002):deleting node 225808184 error FALSE reason "Informational (in) state 1"
*Oct 25 10:44:33.879: ISAKMP: set new node 1523228667 to QM_IDLE
*Oct 25 10:44:33.879: ISAKMP:(2002): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 25 10:44:33.879: ISAKMP:(2002):Sending an IKE IPv4 Packet.
*Oct 25 10:44:33.879: ISAKMP:(2002):purging node 1523228667
*Oct 25 10:44:33.879: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 25 10:44:33.879: ISAKMP:(2002):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Oct 25 10:44:33.879: ISAKMP:(2002):deleting SA reason "No reason" state (R) QM_IDLE       (peer 192.168.0.101)
*Oct 25 10:44:33.879: ISAKMP: Unlocking peer struct 0x11659240 for isadb_mark_sa_deleted(), count 0
*Oct 25 10:44:33.879: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:44:33.879: ISAKMP:(2002):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Oct 25 10:44:33.879: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS
*Oct 25 10:44:33.879: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x24D8844 ikmp handle 0x80000003
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x14000003,peer index 0

*Oct 25 10:44:33.879: ISAKMP: Deleting peer node by peer_reap for 192.168.0.101: 11659240
*Oct 25 10:44:33.883: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 25 10:44:48.847: ISAKMP:(2002):purging node 1
*Oct 25 10:45:23.879: ISAKMP:(2002):purging node -601388558
*Oct 25 10:45:23.879: ISAKMP:(2002):purging node 225808184


25 Oct 2016, 14:12

Aneye wrote:
Have you tried connecting from other platforms?


Yes, of course: Apple devices connect without any problems, but Android only from older versions.

Aneye wrote:
What bothers me a little is this:
Code:
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
- mode transport

Shouldn't that be mode tunnel, given that we're using a crypto map?

I even wrote a short article about this once, though as I recall there were problems with Windows there too. Take a look here:
http://www.aneyeblog.ru/index.php?controller=post&action=view&id_post=13


I don't know how that got in there, but after changing it to tunnel the router now reports that it cannot get through phase 2:
Code:
*Oct 25 10:51:53.691: ISAKMP (0): received packet from 192.168.0.101 dport 500 sport 500 Global (N) NEW SA
*Oct 25 10:51:53.691: ISAKMP: Created a peer struct for 192.168.0.101, peer port 500
*Oct 25 10:51:53.691: ISAKMP: New peer created peer = 0x1A3BDAC peer_handle = 0x80000004
*Oct 25 10:51:53.691: ISAKMP: Locking peer struct 0x1A3BDAC, refcount 1 for crypto_isakmp_process_block
*Oct 25 10:51:53.691: ISAKMP: local port 500, remote port 500
*Oct 25 10:51:53.691: ISAKMP:(0):insert sa successfully sa = 1A3B258
*Oct 25 10:51:53.691: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:51:53.691: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Oct 25 10:51:53.691: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 25 10:51:53.691: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.691: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:51:53.691: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:51:53.691: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.691: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:51:53.691: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 25 10:51:53.695: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0):found peer pre-shared key matching 192.168.0.101
*Oct 25 10:51:53.695: ISAKMP:(0): local preshared key found
*Oct 25 10:51:53.695: ISAKMP : Scanning profiles for xauth ...
*Oct 25 10:51:53.695: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 25 10:51:53.695: ISAKMP:      encryption AES-CBC
*Oct 25 10:51:53.695: ISAKMP:      keylength of 256
*Oct 25 10:51:53.695: ISAKMP:      hash SHA
*Oct 25 10:51:53.695: ISAKMP:      default group 20
*Oct 25 10:51:53.695: ISAKMP:      auth pre-share
*Oct 25 10:51:53.695: ISAKMP:      life type in seconds
*Oct 25 10:51:53.695: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 25 10:51:53.695: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:51:53.695: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:51:53.695: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 25 10:51:53.695: ISAKMP:      encryption AES-CBC
*Oct 25 10:51:53.695: ISAKMP:      keylength of 128
*Oct 25 10:51:53.695: ISAKMP:      hash SHA
*Oct 25 10:51:53.695: ISAKMP:      default group 19
*Oct 25 10:51:53.695: ISAKMP:      auth pre-share
*Oct 25 10:51:53.695: ISAKMP:      life type in seconds
*Oct 25 10:51:53.695: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 25 10:51:53.695: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:51:53.695: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:51:53.695: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 25 10:51:53.695: ISAKMP:      encryption AES-CBC
*Oct 25 10:51:53.695: ISAKMP:      keylength of 256
*Oct 25 10:51:53.695: ISAKMP:      hash SHA
*Oct 25 10:51:53.695: ISAKMP:      default group 14
*Oct 25 10:51:53.695: ISAKMP:      auth pre-share
*Oct 25 10:51:53.695: ISAKMP:      life type in seconds
*Oct 25 10:51:53.695: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 25 10:51:53.695: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:51:53.695: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:51:53.695: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 25 10:51:53.695: ISAKMP:      encryption 3DES-CBC
*Oct 25 10:51:53.695: ISAKMP:      hash SHA
*Oct 25 10:51:53.695: ISAKMP:      default group 14
*Oct 25 10:51:53.695: ISAKMP:      auth pre-share
*Oct 25 10:51:53.695: ISAKMP:      life type in seconds
*Oct 25 10:51:53.695: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 25 10:51:53.695: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Oct 25 10:51:53.695: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:51:53.695: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 25 10:51:53.695: ISAKMP:      encryption 3DES-CBC
*Oct 25 10:51:53.695: ISAKMP:      hash SHA
*Oct 25 10:51:53.695: ISAKMP:      default group 2
*Oct 25 10:51:53.695: ISAKMP:      auth pre-share
*Oct 25 10:51:53.695: ISAKMP:      life type in seconds
*Oct 25 10:51:53.695: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 25 10:51:53.695: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 25 10:51:53.695: ISAKMP:(0):Acceptable atts:actual life: 86400
*Oct 25 10:51:53.695: ISAKMP:(0):Acceptable atts:life: 0
*Oct 25 10:51:53.695: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 25 10:51:53.695: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Oct 25 10:51:53.695: ISAKMP:(0):Returning Actual lifetime: 28800
*Oct 25 10:51:53.695: ISAKMP:(0)::Started lifetime timer: 28800.

*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 25 10:51:53.695: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 10:51:53.695: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Oct 25 10:51:53.695: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct 25 10:51:53.695: ISAKMP:(0): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 25 10:51:53.695: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 25 10:51:53.695: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 10:51:53.695: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Oct 25 10:51:53.699: ISAKMP (0): received packet from 192.168.0.101 dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 25 10:51:53.699: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:51:53.699: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Oct 25 10:51:53.699: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 25 10:51:53.699: ISAKMP:(0): processing NONCE payload. message ID = 0
*Oct 25 10:51:53.699: ISAKMP:(0):found peer pre-shared key matching 192.168.0.101
*Oct 25 10:51:53.699: ISAKMP:received payload type 20
*Oct 25 10:51:53.699: ISAKMP (2003): His hash no match - this node outside NAT
*Oct 25 10:51:53.699: ISAKMP:received payload type 20
*Oct 25 10:51:53.699: ISAKMP (2003): No NAT Found for self or peer
*Oct 25 10:51:53.699: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 10:51:53.699: ISAKMP:(2003):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Oct 25 10:51:53.699: ISAKMP:(2003): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 25 10:51:53.699: ISAKMP:(2003):Sending an IKE IPv4 Packet.
*Oct 25 10:51:53.699: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 10:51:53.699: ISAKMP:(2003):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Oct 25 10:51:53.703: ISAKMP (2003): received packet from 192.168.0.101 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Oct 25 10:51:53.703: ISAKMP:(2003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:51:53.703: ISAKMP:(2003):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Oct 25 10:51:53.703: ISAKMP:(2003): processing ID payload. message ID = 0
*Oct 25 10:51:53.703: ISAKMP (2003): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.0.101
        protocol     : 0
        port         : 0
        length       : 12
*Oct 25 10:51:53.703: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 25 10:51:53.703: ISAKMP:(2003): processing HASH payload. message ID = 0
*Oct 25 10:51:53.703: ISAKMP:(2003):SA authentication status:
        authenticated
*Oct 25 10:51:53.703: ISAKMP:(2003):SA has been authenticated with 192.168.0.101
*Oct 25 10:51:53.703: ISAKMP: Trying to insert a peer 192.168.0.106/192.168.0.101/500/,  and inserted successfully 1A3BDAC.
*Oct 25 10:51:53.703: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 10:51:53.703: ISAKMP:(2003):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Oct 25 10:51:53.703: ISAKMP:(2003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Oct 25 10:51:53.703: ISAKMP (2003): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.0.106
        protocol     : 17
        port         : 500
        length       : 12
*Oct 25 10:51:53.703: ISAKMP:(2003):Total payload length: 12
*Oct 25 10:51:53.703: ISAKMP:(2003): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 25 10:51:53.703: ISAKMP:(2003):Sending an IKE IPv4 Packet.
*Oct 25 10:51:53.703: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 10:51:53.703: ISAKMP:(2003):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Oct 25 10:51:53.703: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 25 10:51:53.703: ISAKMP:(2003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Oct 25 10:51:53.707: ISAKMP (2003): received packet from 192.168.0.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 25 10:51:53.707: ISAKMP: set new node 1 to QM_IDLE
*Oct 25 10:51:53.707: ISAKMP:(2003): processing HASH payload. message ID = 1
*Oct 25 10:51:53.707: ISAKMP:(2003): processing SA payload. message ID = 1
*Oct 25 10:51:53.707: ISAKMP:(2003):Checking IPSec proposal 1
*Oct 25 10:51:53.707: ISAKMP: transform 1, ESP_AES
*Oct 25 10:51:53.707: ISAKMP:   attributes in transform:
*Oct 25 10:51:53.707: ISAKMP:      encaps is 2 (Transport)
*Oct 25 10:51:53.707: ISAKMP:      key length is 128
*Oct 25 10:51:53.707: ISAKMP:      authenticator is HMAC-SHA
*Oct 25 10:51:53.707: ISAKMP:      SA life type in seconds
*Oct 25 10:51:53.707: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Oct 25 10:51:53.707: ISAKMP:      SA life type in kilobytes
*Oct 25 10:51:53.707: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
*Oct 25 10:51:53.707: ISAKMP:(2003):atts are acceptable.
*Oct 25 10:51:53.707: IPSEC(validate_proposal_request): proposal part #1
*Oct 25 10:51:53.707: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.106:0, remote= 192.168.0.101:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.101/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Oct 25 10:51:53.707: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac }
*Oct 25 10:51:53.707: ISAKMP:(2003): IPSec policy invalidated proposal with error 256
*Oct 25 10:51:53.707: ISAKMP:(2003):Checking IPSec proposal 2
*Oct 25 10:51:53.707: ISAKMP: transform 1, ESP_3DES
*Oct 25 10:51:53.707: ISAKMP:   attributes in transform:
*Oct 25 10:51:53.707: ISAKMP:      encaps is 2 (Transport)
*Oct 25 10:51:53.707: ISAKMP:      authenticator is HMAC-SHA
*Oct 25 10:51:53.707: ISAKMP:      SA life type in seconds
*Oct 25 10:51:53.707: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Oct 25 10:51:53.707: ISAKMP:      SA life type in kilobytes
*Oct 25 10:51:53.707: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
*Oct 25 10:51:53.707: ISAKMP:(2003):atts are acceptable.
*Oct 25 10:51:53.707: IPSEC(validate_proposal_request): proposal part #1
*Oct 25 10:51:53.707: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.106:0, remote= 192.168.0.101:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.101/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 25 10:51:53.707: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x2
*Oct 25 10:51:53.707: ISAKMP:(2003): IPSec policy invalidated proposal with error 1024
*Oct 25 10:51:53.707: ISAKMP:(2003):Checking IPSec proposal 3
*Oct 25 10:51:53.707: ISAKMP: transform 1, ESP_DES
*Oct 25 10:51:53.707: ISAKMP:   attributes in transform:
*Oct 25 10:51:53.707: ISAKMP:      encaps is 2 (Transport)
*Oct 25 10:51:53.707: ISAKMP:      authenticator is HMAC-SHA
*Oct 25 10:51:53.707: ISAKMP:      SA life type in seconds
*Oct 25 10:51:53.707: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Oct 25 10:51:53.707: ISAKMP:      SA life type in kilobytes
*Oct 25 10:51:53.707: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
*Oct 25 10:51:53.707: ISAKMP:(2003):atts are acceptable.
*Oct 25 10:51:53.707: IPSEC(validate_proposal_request): proposal part #1
*Oct 25 10:51:53.707: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.106:0, remote= 192.168.0.101:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.101/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-des esp-sha-hmac  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 25 10:51:53.707: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-des esp-sha-hmac }
*Oct 25 10:51:53.707: ISAKMP:(2003): IPSec policy invalidated proposal with error 256
*Oct 25 10:51:53.711: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 192.168.0.106 remote 192.168.0.101)
*Oct 25 10:51:53.711: ISAKMP: set new node 1461724718 to QM_IDLE
*Oct 25 10:51:53.711: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 38617352, message ID = 1461724718
*Oct 25 10:51:53.711: ISAKMP:(2003): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 25 10:51:53.711: ISAKMP:(2003):Sending an IKE IPv4 Packet.
*Oct 25 10:51:53.711: ISAKMP:(2003):purging node 1461724718
*Oct 25 10:51:53.711: ISAKMP:(2003):deleting node 1 error TRUE reason "QM rejected"
*Oct 25 10:51:53.711: ISAKMP:(2003):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 25 10:51:53.711: ISAKMP:(2003):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Oct 25 10:51:53.715: ISAKMP (2003): received packet from 192.168.0.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 25 10:51:53.715: ISAKMP: set new node -1376170192 to QM_IDLE
*Oct 25 10:51:53.715: ISAKMP:(2003): processing HASH payload. message ID = 2918797104
*Oct 25 10:51:53.715: ISAKMP:(2003): processing DELETE payload. message ID = 2918797104
*Oct 25 10:51:53.715: ISAKMP:(2003):peer does not do paranoid keepalives.

*Oct 25 10:51:53.715: ISAKMP:(2003):deleting SA reason "No reason" state (R) QM_IDLE       (peer 192.168.0.101)
*Oct 25 10:51:53.715: ISAKMP:(2003):deleting node -1376170192 error FALSE reason "Informational (in) state 1"
*Oct 25 10:51:53.715: ISAKMP: set new node -314951178 to QM_IDLE
*Oct 25 10:51:53.715: ISAKMP:(2003): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 25 10:51:53.715: ISAKMP:(2003):Sending an IKE IPv4 Packet.
*Oct 25 10:51:53.715: ISAKMP:(2003):purging node -314951178
*Oct 25 10:51:53.715: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 25 10:51:53.715: ISAKMP:(2003):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Oct 25 10:51:53.715: ISAKMP:(2003):deleting SA reason "No reason" state (R) QM_IDLE       (peer 192.168.0.101)
*Oct 25 10:51:53.715: ISAKMP: Unlocking peer struct 0x1A3BDAC for isadb_mark_sa_deleted(), count 0
*Oct 25 10:51:53.715: ISAKMP: Deleting peer node by peer_reap for 192.168.0.101: 1A3BDAC
*Oct 25 10:51:53.719: ISAKMP:(2003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:51:53.719: ISAKMP:(2003):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Oct 25 10:51:53.719: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 25 10:52:43.711: ISAKMP:(2003):purging node 1
*Oct 25 10:52:43.715: ISAKMP:(2003):purging node -1376170192
*Oct 25 10:52:53.715: ISAKMP:(2003):purging SA., sa=1A3B258, delme=1A3B258


25 Oct 2016, 14:19

Registered: 17 Oct 2014, 08:35
Posts: 300
From: Samara
I didn't read it very closely, but this caught my eye:

Code:
*Oct 25 10:51:53.695: ISAKMP:      encryption 3DES-CBC
*Oct 25 10:51:53.695: ISAKMP:      hash SHA
*Oct 25 10:51:53.695: ISAKMP:      default group 2
*Oct 25 10:51:53.695: ISAKMP:      auth pre-share
*Oct 25 10:51:53.695: ISAKMP:      life type in seconds
*Oct 25 10:51:53.695: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 25 10:51:53.695: ISAKMP:(0):atts are acceptable.

...

Oct 25 10:51:53.707: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-des esp-sha-hmac }


In your phase 1 the encryption is 3DES-CBC, but the transform set is requesting esp-des, if I'm reading the debug correctly.


25 Oct 2016, 18:56

Registered: 19 Oct 2016, 17:12
Posts: 16
Aneye wrote:
I didn't read it very closely, but this caught my eye:

In your phase 1 the encryption is 3DES-CBC, but the transform set is requesting esp-des, if I'm reading the debug correctly.


As I understand it, it iterates through the encryption methods, and if you look further down, a match is found:
Code:
*Oct 25 10:51:53.707: ISAKMP: transform 1, ESP_3DES
*Oct 25 10:51:53.707: ISAKMP:   attributes in transform:
*Oct 25 10:51:53.707: ISAKMP:      encaps is 2 (Transport)
*Oct 25 10:51:53.707: ISAKMP:      authenticator is HMAC-SHA
*Oct 25 10:51:53.707: ISAKMP:      SA life type in seconds
*Oct 25 10:51:53.707: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Oct 25 10:51:53.707: ISAKMP:      SA life type in kilobytes
*Oct 25 10:51:53.707: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
*Oct 25 10:51:53.707: ISAKMP:(2003):atts are acceptable.


and despite the match it outputs:
Code:
*Oct 25 10:51:53.707: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x2


25 Oct 2016, 20:21

Registered: 17 Oct 2014, 08:35
Posts: 300
From: Samara
Phew. Post your sh run | s crypto once more, please.


25 Oct 2016, 21:38

Registered: 19 Oct 2016, 17:12
Posts: 16
Aneye wrote:
Phew. Post your sh run | s crypto once more, please.

Here you go:
Code:
crypto pki trustpoint TP-self-signed-832665923
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-832665923
 revocation-check none
 rsakeypair TP-self-signed-832665923
crypto pki certificate chain TP-self-signed-832665923
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31383931 34393031 3036301E 170D3135 31313136 31313533
  34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38393134
  39303130 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009955 4E941D07 D5D3CF26 403714CD 27B58AEB 7B6C3C60 47118804 C6ED0C6F
  F7F9DA27 274F4D29 1D3C40A2 8F119C97 44BC22BD A712824F 6C207A28 94A979AA
  517BB988 04A38769 92CB51E1 6F61490A 41C93209 9D1F2E69 299C3EAB 5A5098AA
  081DE8FB E9DFB040 2805D1B5 4B8BD467 95A36EAC F72F6E8D FC1A7790 A532C927
  5FB50203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14D720F0 CAE9FD38 B98AE2EC 3AF03CB4 417FC761 B7301D06
  03551D0E 04160414 D720F0CA E9FD38B9 8AE2EC3A F03CB441 7FC761B7 300D0609
  2A864886 F70D0101 05050003 81810002 2C2C60FF FDF00DB1 AF48CD2C E8617DB0
  0471A4E7 5C1A1D81 E37EC93A 00EF5EC2 57877EF8 54E76142 3F580630 77ED6676
  9102ACB6 6D8FAB8A CD27FD61 16EE0469 0F99F687 1774FF3B 7F2FB4D1 5E207926
  197615FD 8E107597 A593F5F6 8856D059 5FC60807 85D0279A E5ECC09B 1135A17D
  0FF91CBE 48E3787F 32D009E7 1B6C03
        quit
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key ххххххх address 0.0.0.0         no-xauth
crypto isakmp keepalive 3600
crypto ipsec transform-set ipnetconfig esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set ipnetconfig-3des esp-3des esp-sha-hmac
 mode transport
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig-3des
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
 crypto map cisco


26 Oct 2016, 15:42

Registered: 23 May 2012, 15:07
Posts: 47
notomy wrote:
Aneye wrote:
Phew. Post your sh run | s crypto once more, please.


Code:
crypto pki trustpoint TP-self-signed-832665923
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600


AES goes with group 14:

encr aes 256
authentication pre-share
group 14

And yes, 3DES is already "weakcrypto", that's why it complains.


26 Oct 2016, 18:19

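The three replies above (Aneye's phase-1 versus phase-2 remark, notomy's observation that the ESP_3DES transform was reported acceptable and then rejected, and AlexDv's advice to pair AES with group 14) all come down to how the IOS responder walks its `crypto isakmp policy` list against what the Windows client offers. The following is an added example, not code from the thread, from Cisco or from Microsoft, that models that selection. The five phase-1 transforms and the three ESP proposals are transcribed from the debug output posted in the thread; the `Policy` objects mirror the posted `sh run | s crypto`. The matching rule (policies walked lowest priority number first, every attribute except lifetime compared for equality, lifetime negotiated down to the smaller value) is inferred from the debug messages and is an assumption of this model, as is the wording of the authentication-mismatch reason. It does not model IOS's built-in default policies (the priority 9998 one in the later debug) or the `invalid transform proposal flags -- 0x2` rejection, which the thread does not explain.

```python
"""Model of how an IOS IKEv1 responder picks a `crypto isakmp policy` for the
phase-1 transforms a Windows L2TP/IPsec client offers, and which
`crypto ipsec transform-set` lines its ESP proposals can satisfy.

Added example for the forum thread; not Cisco or Microsoft code. Proposal lists
are transcribed from the posted `debug crypto isakmp` output. The matching rule
is inferred from the debug messages (an assumption, not an IOS source quote).
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Transform:
    """One phase-1 transform exactly as the peer offered it."""
    index: int
    encryption: str           # "AES-CBC" or "3DES-CBC"
    keylength: Optional[int]  # None for 3DES (fixed key size)
    hash: str                 # "SHA" or "MD5"
    group: int                # Diffie-Hellman group
    auth: str                 # "pre-share"
    lifetime: int             # seconds; "0x0 0x0 0x70 0x80" in the debug is 28800


# Transcribed from the debug: the five phase-1 transforms Windows offered.
WINDOWS_PHASE1 = [
    Transform(1, "AES-CBC", 256, "SHA", 20, "pre-share", 28800),
    Transform(2, "AES-CBC", 128, "SHA", 19, "pre-share", 28800),
    Transform(3, "AES-CBC", 256, "SHA", 14, "pre-share", 28800),
    Transform(4, "3DES-CBC", None, "SHA", 14, "pre-share", 28800),
    Transform(5, "3DES-CBC", None, "SHA", 2, "pre-share", 28800),
]


@dataclass(frozen=True)
class Policy:
    """One `crypto isakmp policy <priority>` block (IOS defaults: hash sha, lifetime 86400)."""
    priority: int
    encr: str          # "3des", "aes", "aes 192" or "aes 256", as typed in IOS
    group: int
    hash: str = "sha"
    authentication: str = "pre-share"
    lifetime: int = 86400

    def cipher(self) -> Tuple[str, Optional[int]]:
        if self.encr == "3des":
            return "3DES-CBC", None
        parts = self.encr.split()
        return "AES-CBC", (int(parts[1]) if len(parts) > 1 else 128)


def check(t: Transform, p: Policy) -> Optional[str]:
    """None if the transform satisfies the policy, else the rejection reason.
    The first four messages, and the order they are tested in, reproduce what
    the posted debug shows; the last wording is assumed."""
    enc, klen = p.cipher()
    if t.encryption != enc:
        return "Encryption algorithm offered does not match policy!"
    if klen is not None and t.keylength != klen:
        return "Proposed key length does not match policy"
    if t.hash.lower() != p.hash.lower():
        return "Hash algorithm offered does not match policy!"
    if t.group != p.group:
        return "Diffie-Hellman group offered does not match policy!"
    if t.auth != p.authentication:
        return "authentication method mismatch"   # wording assumed, not from the debug
    return None


def negotiate(transforms, policies):
    """Walk policies lowest priority number first and, within each, every offered
    transform in order (the outer/inner order the debug shows). Returns
    ((transform index, policy priority, negotiated lifetime) or None, rejections)."""
    rejections = []
    for p in sorted(policies, key=lambda x: x.priority):
        for t in transforms:
            reason = check(t, p)
            if reason is None:
                # assumption: the shorter of the two lifetimes is what gets used
                return (t.index, p.priority, min(t.lifetime, p.lifetime)), rejections
            rejections.append((t.index, p.priority, reason))
    return None, rejections


# Transcribed from the debug: Windows' three ESP proposals, all transport mode.
WINDOWS_PHASE2 = [("ESP_AES", 128, "HMAC-SHA"), ("ESP_3DES", None, "HMAC-SHA"),
                  ("ESP_DES", None, "HMAC-SHA")]


def transform_set_match(transform_set: str) -> Optional[int]:
    """1-based index of the first Windows ESP proposal that a
    `crypto ipsec transform-set <name> <cipher> [keylen] <integrity>` line
    accepts, or None. Key length must match exactly, so `esp-aes 256` never
    meets Windows' AES-128 offer."""
    words = transform_set.split()
    keylen = int(words[1]) if words[1].isdigit() else None
    integrity_word = words[2] if keylen is not None else words[1]
    cipher = {"esp-aes": ("ESP_AES", keylen or 128), "esp-3des": ("ESP_3DES", None),
              "esp-des": ("ESP_DES", None)}[words[0]]
    integrity = {"esp-sha-hmac": "HMAC-SHA", "esp-md5-hmac": "HMAC-MD5"}[integrity_word]
    for i, (c, k, a) in enumerate(WINDOWS_PHASE2, 1):
        if (c, k) == cipher and a == integrity:
            return i
    return None


if __name__ == "__main__":
    posted = [Policy(5, "3des", 2, lifetime=3600), Policy(10, "aes 256", 2, lifetime=3600),
              Policy(20, "3des", 2, lifetime=3600)]
    print("posted config:", negotiate(WINDOWS_PHASE1, posted)[0])            # (5, 5, 3600)
    print("aes 256 + group 14 only:",
          negotiate(WINDOWS_PHASE1, [Policy(10, "aes 256", 14, lifetime=3600)])[0])  # (3, 10, 3600)
    for ts in ("esp-aes 256 esp-sha-hmac", "esp-aes esp-sha-hmac", "esp-3des esp-sha-hmac"):
        print(ts, "->", transform_set_match(ts))
```

Running it shows two things the debug only hints at. First, the `aes 256` policy with `group 2` matches none of the five Windows transforms, because Windows only pairs AES-256 with groups 20 and 14, so in the posted config the `3des`/`group 2` policy at priority 5 is the one that wins; and since IOS walks policies by priority number, changing policy 10 to `group 14` while leaving the 3DES/group 2 policies in place still ends in 3DES, whereas a single `aes 256` + `group 14` policy selects Windows transform 3. Second, on the ESP side `esp-aes 256 esp-sha-hmac` never meets Windows' AES-128 offer; `esp-aes esp-sha-hmac` (128-bit) matches proposal 1 and `esp-3des esp-sha-hmac` matches proposal 2, which is consistent with the later debug accepting `esp-aes esp-sha-hmac (Transport)` on `ipnetconfig-map 10`.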
Registered: 19 Oct 2016, 17:12
Posts: 16
AlexDv wrote:
notomy wrote:
Aneye wrote:
Phew. Post your sh run | s crypto once more, please.


Code:
crypto pki trustpoint TP-self-signed-832665923
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600


AES goes with group 14:

encr aes 256
authentication pre-share
group 14

And yes, 3DES is already "weakcrypto", that's why it complains.


I adjusted the config and rebooted the Cisco a few times (to be sure).
It still refuses to connect:
Code:
*Oct 27 13:59:17.775: ISAKMP (0): received packet from 192.168.0.107 dport 500 sport 500 Global (N) NEW SA
*Oct 27 13:59:17.775: ISAKMP: Created a peer struct for 192.168.0.107, peer port 500
*Oct 27 13:59:17.775: ISAKMP: New peer created peer = 0x11D853CC peer_handle = 0x80000002
*Oct 27 13:59:17.775: ISAKMP: Locking peer struct 0x11D853CC, refcount 1 for crypto_isakmp_process_block
*Oct 27 13:59:17.775: ISAKMP: local port 500, remote port 500
*Oct 27 13:59:17.775: ISAKMP:(0):insert sa successfully sa = 314D438
*Oct 27 13:59:17.775: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 27 13:59:17.775: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Oct 27 13:59:17.775: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 27 13:59:17.775: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 27 13:59:17.779: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Oct 27 13:59:17.779: ISAKMP:(0):found peer pre-shared key matching 192.168.0.107
*Oct 27 13:59:17.779: ISAKMP:(0): local preshared key found
*Oct 27 13:59:17.779: ISAKMP : Scanning profiles for xauth ...
*Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 27 13:59:17.779: ISAKMP:      encryption AES-CBC
*Oct 27 13:59:17.779: ISAKMP:      keylength of 256
*Oct 27 13:59:17.779: ISAKMP:      hash SHA
*Oct 27 13:59:17.779: ISAKMP:      default group 20
*Oct 27 13:59:17.779: ISAKMP:      auth pre-share
*Oct 27 13:59:17.779: ISAKMP:      life type in seconds
*Oct 27 13:59:17.779: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 27 13:59:17.779: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 27 13:59:17.779: ISAKMP:      encryption AES-CBC
*Oct 27 13:59:17.779: ISAKMP:      keylength of 128
*Oct 27 13:59:17.779: ISAKMP:      hash SHA
*Oct 27 13:59:17.779: ISAKMP:      default group 19
*Oct 27 13:59:17.779: ISAKMP:      auth pre-share
*Oct 27 13:59:17.779: ISAKMP:      life type in seconds
*Oct 27 13:59:17.779: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 27 13:59:17.779: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 27 13:59:17.779: ISAKMP:      encryption AES-CBC
*Oct 27 13:59:17.779: ISAKMP:      keylength of 256
*Oct 27 13:59:17.779: ISAKMP:      hash SHA
*Oct 27 13:59:17.779: ISAKMP:      default group 14
*Oct 27 13:59:17.779: ISAKMP:      auth pre-share
*Oct 27 13:59:17.779: ISAKMP:      life type in seconds
*Oct 27 13:59:17.779: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 27 13:59:17.779: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 27 13:59:17.779: ISAKMP:      encryption 3DES-CBC
*Oct 27 13:59:17.779: ISAKMP:      hash SHA
*Oct 27 13:59:17.779: ISAKMP:      default group 14
*Oct 27 13:59:17.779: ISAKMP:      auth pre-share
*Oct 27 13:59:17.779: ISAKMP:      life type in seconds
*Oct 27 13:59:17.779: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 27 13:59:17.779: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 27 13:59:17.779: ISAKMP:      encryption 3DES-CBC
*Oct 27 13:59:17.779: ISAKMP:      hash SHA
*Oct 27 13:59:17.779: ISAKMP:      default group 2
*Oct 27 13:59:17.779: ISAKMP:      auth pre-share
*Oct 27 13:59:17.779: ISAKMP:      life type in seconds
*Oct 27 13:59:17.779: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 27 13:59:17.779: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 1 against priority 9998 policy
*Oct 27 13:59:17.779: ISAKMP:      encryption AES-CBC
*Oct 27 13:59:17.779: ISAKMP:      keylength of 256
*Oct 27 13:59:17.779: ISAKMP:      hash SHA
*Oct 27 13:59:17.779: ISAKMP:      default group 20
*Oct 27 13:59:17.779: ISAKMP:      auth pre-share
*Oct 27 13:59:17.779: ISAKMP:      life type in seconds
*Oct 27 13:59:17.779: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 27 13:59:17.779: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 2 against priority 9998 policy
*Oct 27 13:59:17.779: ISAKMP:      encryption AES-CBC
*Oct 27 13:59:17.779: ISAKMP:      keylength of 128
*Oct 27 13:59:17.779: ISAKMP:      hash SHA
*Oct 27 13:59:17.779: ISAKMP:      default group 19
*Oct 27 13:59:17.779: ISAKMP:      auth pre-share
*Oct 27 13:59:17.779: ISAKMP:      life type in seconds
*Oct 27 13:59:17.779: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 27 13:59:17.779: ISAKMP:(0):Proposed key length does not match policy
*Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 3 against priority 9998 policy
*Oct 27 13:59:17.779: ISAKMP:      encryption AES-CBC
*Oct 27 13:59:17.779: ISAKMP:      keylength of 256
*Oct 27 13:59:17.779: ISAKMP:      hash SHA
*Oct 27 13:59:17.779: ISAKMP:      default group 14
*Oct 27 13:59:17.779: ISAKMP:      auth pre-share
*Oct 27 13:59:17.779: ISAKMP:      life type in seconds
*Oct 27 13:59:17.779: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Oct 27 13:59:17.779: ISAKMP:(0):atts are acceptable. Next payload is 3
*Oct 27 13:59:17.779: ISAKMP:(0):Acceptable atts:actual life: 86400
*Oct 27 13:59:17.779: ISAKMP:(0):Acceptable atts:life: 0
*Oct 27 13:59:17.779: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 27 13:59:17.779: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Oct 27 13:59:17.779: ISAKMP:(0):Returning Actual lifetime: 28800
*Oct 27 13:59:17.779: ISAKMP:(0)::Started lifetime timer: 28800.

*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 27 13:59:17.779: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload
*Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Oct 27 13:59:17.779: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 27 13:59:17.779: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Oct 27 13:59:17.779: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct 27 13:59:17.779: ISAKMP:(0): sending packet to 192.168.0.107 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 27 13:59:17.779: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 27 13:59:17.779: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 27 13:59:17.779: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Oct 27 13:59:17.787: ISAKMP (0): received packet from 192.168.0.107 dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 27 13:59:17.787: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 27 13:59:17.787: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Oct 27 13:59:17.787: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 27 13:59:17.799: ISAKMP:(0): processing NONCE payload. message ID = 0
*Oct 27 13:59:17.799: ISAKMP:(0):found peer pre-shared key matching 192.168.0.107
*Oct 27 13:59:17.799: ISAKMP:received payload type 20
*Oct 27 13:59:17.799: ISAKMP (2001): His hash no match - this node outside NAT
*Oct 27 13:59:17.799: ISAKMP:received payload type 20
*Oct 27 13:59:17.799: ISAKMP (2001): No NAT Found for self or peer
*Oct 27 13:59:17.799: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 27 13:59:17.799: ISAKMP:(2001):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Oct 27 13:59:17.799: ISAKMP:(2001): sending packet to 192.168.0.107 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 27 13:59:17.799: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Oct 27 13:59:17.799: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 27 13:59:17.799: ISAKMP:(2001):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Oct 27 13:59:17.811: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Oct 27 13:59:17.811: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 27 13:59:17.811: ISAKMP:(2001):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Oct 27 13:59:17.815: ISAKMP:(2001): processing ID payload. message ID = 0
*Oct 27 13:59:17.815: ISAKMP (2001): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.0.107
        protocol     : 0
        port         : 0
        length       : 12
*Oct 27 13:59:17.815: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 27 13:59:17.815: ISAKMP:(2001): processing HASH payload. message ID = 0
*Oct 27 13:59:17.815: ISAKMP:(2001):SA authentication status:
        authenticated
*Oct 27 13:59:17.815: ISAKMP:(2001):SA has been authenticated with 192.168.0.107
*Oct 27 13:59:17.815: ISAKMP: Trying to insert a peer 192.168.0.106/192.168.0.107/500/,  and inserted successfully 11D853CC.
*Oct 27 13:59:17.815: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 27 13:59:17.815: ISAKMP:(2001):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Oct 27 13:59:17.815: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Oct 27 13:59:17.815: ISAKMP (2001): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.0.106
        protocol     : 17
        port         : 500
        length       : 12
*Oct 27 13:59:17.815: ISAKMP:(2001):Total payload length: 12
*Oct 27 13:59:17.815: ISAKMP:(2001): sending packet to 192.168.0.107 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 27 13:59:17.815: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Oct 27 13:59:17.815: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 27 13:59:17.815: ISAKMP:(2001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Oct 27 13:59:17.815: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 27 13:59:17.815: ISAKMP:(2001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Oct 27 13:59:17.815: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) QM_IDLE     
*Oct 27 13:59:17.815: ISAKMP: set new node 1 to QM_IDLE
*Oct 27 13:59:17.815: ISAKMP:(2001): processing HASH payload. message ID = 1
*Oct 27 13:59:17.819: ISAKMP:(2001): processing SA payload. message ID = 1
*Oct 27 13:59:17.819: ISAKMP:(2001):Checking IPSec proposal 1
*Oct 27 13:59:17.819: ISAKMP: transform 1, ESP_AES
*Oct 27 13:59:17.819: ISAKMP:   attributes in transform:
*Oct 27 13:59:17.819: ISAKMP:      encaps is 2 (Transport)
*Oct 27 13:59:17.819: ISAKMP:      key length is 128
*Oct 27 13:59:17.819: ISAKMP:      authenticator is HMAC-SHA
*Oct 27 13:59:17.819: ISAKMP:      SA life type in seconds
*Oct 27 13:59:17.819: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
*Oct 27 13:59:17.819: ISAKMP:      SA life type in kilobytes
*Oct 27 13:59:17.819: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
*Oct 27 13:59:17.819: ISAKMP:(2001):atts are acceptable.
*Oct 27 13:59:17.819: IPSEC(validate_proposal_request): proposal part #1
*Oct 27 13:59:17.819: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.106:0, remote= 192.168.0.107:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.107/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Oct 27 13:59:17.819: (ipsec_process_proposal)Map Accepted: ipnetconfig-map, 10
*Oct 27 13:59:17.819: ISAKMP:(2001): processing NONCE payload. message ID = 1
*Oct 27 13:59:17.819: ISAKMP:(2001): processing ID payload. message ID = 1
*Oct 27 13:59:17.819: ISAKMP:(2001): processing ID payload. message ID = 1
*Oct 27 13:59:17.819: ISAKMP:(2001):QM Responder gets spi
*Oct 27 13:59:17.819: ISAKMP:(2001):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 27 13:59:17.819: ISAKMP:(2001):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Oct 27 13:59:17.819: ISAKMP:(2001):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Oct 27 13:59:17.819: ISAKMP:(2001):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Oct 27 13:59:17.819: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 27 13:59:17.819: IPSEC(crypto_ipsec_create_ipsec_sas): Map found ipnetconfig-map, 10
*Oct 27 13:59:17.819: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.106, sa_proto= 50,
    sa_spi= 0x3D7B1A7F(1031477887),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 1
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.107:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.107/255.255.255.255/17/1701
*Oct 27 13:59:17.819: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.107, sa_proto= 50,
    sa_spi= 0x724CD3D0(1917637584),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.107:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.107/255.255.255.255/17/1701
*Oct 27 13:59:17.819:  ISAKMP: Failed to find peer index node to update peer_info_list
*Oct 27 13:59:17.819: ISAKMP:(2001):Received IPSec Install callback... proceeding with the negotiation
*Oct 27 13:59:17.819: ISAKMP:(2001):Successfully installed IPSEC SA (SPI:0x3D7B1A7F) on GigabitEthernet8
*Oct 27 13:59:17.819: ISAKMP:(2001): sending packet to 192.168.0.107 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 27 13:59:17.819: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Oct 27 13:59:17.819: ISAKMP:(2001):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Oct 27 13:59:17.819: ISAKMP:(2001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
*Oct 27 13:59:17.823: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) QM_IDLE     
*Oct 27 13:59:17.823: ISAKMP:(2001):deleting node 1 error FALSE reason "QM done (await)"
*Oct 27 13:59:17.823: ISAKMP:(2001):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 27 13:59:17.823: ISAKMP:(2001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Oct 27 13:59:17.823: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 27 13:59:17.823: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Oct 27 13:59:17.823: IPSEC: Expand action denied, notify RP
*Oct 27 13:59:52.847: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) QM_IDLE     
*Oct 27 13:59:52.847: ISAKMP: set new node 1491250073 to QM_IDLE
*Oct 27 13:59:52.847: ISAKMP:(2001): processing HASH payload. message ID = 1491250073
*Oct 27 13:59:52.847: ISAKMP:(2001): processing DELETE payload. message ID = 1491250073
*Oct 27 13:59:52.847: ISAKMP:(2001):peer does not do paranoid keepalives.

*Oct 27 13:59:52.847: ISAKMP:(2001):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x724CD3D0)
*Oct 27 13:59:52.847: ISAKMP:(2001):deleting node 1491250073 error FALSE reason "Informational (in) state 1"
*Oct 27 13:59:52.847: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 27 13:59:52.847: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5069
*Oct 27 13:59:52.847: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Oct 27 13:59:52.847: IPSEC: still in use sa: 0x11F56B00
*Oct 27 13:59:52.847: IPSEC(key_engine_delete_sas): delete SA with spi 0x724CD3D0 proto 50 for 192.168.0.107
*Oct 27 13:59:52.847:  ISAKMP: Failed to find peer index node to update peer_info_list
*Oct 27 13:59:52.847: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.0.106, sa_proto= 50,
    sa_spi= 0x3D7B1A7F(1031477887),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 1
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.107:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.107/255.255.255.255/17/1701
*Oct 27 13:59:52.847: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.0.107, sa_proto= 50,
    sa_spi= 0x724CD3D0(1917637584),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.107:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.107/255.255.255.255/17/1701
*Oct 27 13:59:52.847: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Oct 27 13:59:52.847: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) QM_IDLE     
*Oct 27 13:59:52.847: ISAKMP: set new node -1076387541 to QM_IDLE
*Oct 27 13:59:52.847: ISAKMP:(2001): processing HASH payload. message ID = 3218579755
*Oct 27 13:59:52.847: ISAKMP:(2001): processing DELETE payload. message ID = 3218579755
*Oct 27 13:59:52.847: ISAKMP:(2001):peer does not do paranoid keepalives.

*Oct 27 13:59:52.847: ISAKMP:(2001):deleting SA reason "No reason" state (R) QM_IDLE       (peer 192.168.0.107)
*Oct 27 13:59:52.847: ISAKMP:(2001):deleting node -1076387541 error FALSE reason "Informational (in) state 1"
*Oct 27 13:59:52.847: ISAKMP: set new node -353122057 to QM_IDLE
*Oct 27 13:59:52.847: ISAKMP:(2001): sending packet to 192.168.0.107 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 27 13:59:52.847: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Oct 27 13:59:52.847: ISAKMP:(2001):purging node -353122057
*Oct 27 13:59:52.847: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 27 13:59:52.847: ISAKMP:(2001):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Oct 27 13:59:52.847: ISAKMP:(2001):deleting SA reason "No reason" state (R) QM_IDLE       (peer 192.168.0.107)
*Oct 27 13:59:52.847: ISAKMP: Unlocking peer struct 0x11D853CC for isadb_mark_sa_deleted(), count 0
*Oct 27 13:59:52.851: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 27 13:59:52.851: ISAKMP:(2001):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Oct 27 13:59:52.851: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS
*Oct 27 13:59:52.851: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x24174E0 ikmp handle 0x80000002
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x14000001,peer index 0

*Oct 27 13:59:52.851: ISAKMP: Deleting peer node by peer_reap for 192.168.0.107: 11D853CC
*Oct 27 13:59:52.851: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 27 14:00:07.823: ISAKMP:(2001):purging node 1
*Oct 27 14:00:42.847: ISAKMP:(2001):purging node 1491250073
*Oct 27 14:00:42.847: ISAKMP:(2001):purging node -1076387541
*Oct 27 14:00:52.847: ISAKMP:(2001):purging SA., sa=314D438, delme=314D438


27 Oct 2016, 17:09

Code:
*Oct 27 13:59:17.823: ISAKMP:(2001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Oct 27 13:59:17.823: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 27 13:59:17.823: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Oct 27 13:59:17.823: IPSEC: Expand action denied, notify RP
*Oct 27 13:59:52.847: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) QM_IDLE     
*Oct 27 13:59:52.847: ISAKMP: set new node 1491250073 to QM_IDLE


Well, the SA itself did come up: IKE_QM_PHASE2_COMPLETE.
But then the connection is torn down. Is routing to the peer OK? From the config it's not clear who has which address.
GigabitEthernet8 - what address does it have?

Code:
ip dhcp pool l2tp
 network 10.217.69.0 255.255.255.0
 domain-name 1.vpn
 default-router 10.217.69.1
 dns-server 8.8.8.8 8.8.4.4

interface GigabitEthernet8
 ip address dhcp
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map cisco
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet8
 ip virtual-reassembly in
 peer default ip address dhcp-pool l2tp
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2



28 Oct 2016, 13:17

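The tear-down AlexDv is pointing at (Phase 2 completes at 13:59:17.823, the peer sends an IKE DELETE at 13:59:52.847) is easy to lose in a few hundred lines of debug. The script below is an added example written for this page, not code from the thread or from Cisco: it parses `debug crypto isakmp` / `debug crypto ipsec` output, reconstructs the IKE state transitions, the SPIs installed and the first DELETE from the peer, and reports how long the IPsec SA lived before the peer tore it down. The sample input is a constructed excerpt of the debug posted above with the same timestamps, peer and SPIs; IOS does not log the year, so times are only meaningful relative to each other.

```python
import re
from datetime import datetime

# Constructed sample input: a trimmed excerpt of the `debug crypto isakmp` /
# `debug crypto ipsec` output posted above (same timestamps, peer and SPIs).
SAMPLE_DEBUG = """\
*Oct 27 13:59:17.815: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 27 13:59:17.815: ISAKMP:(2001):SA has been authenticated with 192.168.0.107
*Oct 27 13:59:17.815: ISAKMP:(2001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Oct 27 13:59:17.819: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.106, sa_proto= 50,
    sa_spi= 0x3D7B1A7F(1031477887),
*Oct 27 13:59:17.819: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.107, sa_proto= 50,
    sa_spi= 0x724CD3D0(1917637584),
*Oct 27 13:59:17.823: ISAKMP:(2001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Oct 27 13:59:52.847: ISAKMP:(2001): processing DELETE payload. message ID = 1491250073
*Oct 27 13:59:52.847: ISAKMP:(2001):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x724CD3D0)
*Oct 27 13:59:52.847: ISAKMP:(2001): processing DELETE payload. message ID = 3218579755
*Oct 27 13:59:52.847: ISAKMP:(2001):deleting SA reason "No reason" state (R) QM_IDLE       (peer 192.168.0.107)
*Oct 27 13:59:52.847: ISAKMP:(2001):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

TIMESTAMP = re.compile(r"^\*?([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (.*)$")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
AUTHENTICATED = re.compile(r"SA has been authenticated with (\S+)")
SPI = re.compile(r"sa_spi= (0x[0-9A-Fa-f]+)")
DELETE_REASON = re.compile(r'deleting SA reason "([^"]*)"')


def parse_events(text):
    """(timestamp, message) pairs. Multi-line IPSEC messages carry the timestamp only on
    their first line, so continuation lines inherit it. IOS does not log the year;
    strptime fills in 1900, which is fine because only differences are used."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TIMESTAMP.match(line)
        if m:
            current = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
            events.append((current, m.group(2)))
        elif line and current is not None:
            events.append((current, line))
    return events


def analyze(text):
    """Reconstruct the IKE/IPsec timeline and say where the session died."""
    r = {"peer": None, "phase1_complete": None, "phase2_complete": None, "first_peer_delete": None,
         "spis_created": [], "delete_reasons": [], "sa_lifetime_s": None, "findings": []}
    in_create, no_profile = False, False
    for ts, msg in parse_events(text):
        if msg.startswith(("ISAKMP", "IPSEC")):
            in_create = "IPSEC(create_sa)" in msg   # sa_spi lines are only collected under create_sa
        if (m := AUTHENTICATED.search(msg)):
            r["peer"] = m.group(1)
        if (m := STATE.search(msg)):
            if m.group(2) == "IKE_P1_COMPLETE" and r["phase1_complete"] is None:
                r["phase1_complete"] = ts
            if m.group(2) == "IKE_QM_PHASE2_COMPLETE" and r["phase2_complete"] is None:
                r["phase2_complete"] = ts
        if in_create and (m := SPI.search(msg)):
            r["spis_created"].append(m.group(1))
        if "processing DELETE payload" in msg and r["first_peer_delete"] is None:
            r["first_peer_delete"] = ts
        if (m := DELETE_REASON.search(msg)):
            r["delete_reasons"].append(m.group(1))
        no_profile = no_profile or "peer matches *none* of the profiles" in msg
    if no_profile:
        r["findings"].append("no ISAKMP profile matched the peer: expected when no "
                             "'crypto isakmp profile' is configured, harmless here")
    if r["phase1_complete"] is None:
        r["findings"].append("Phase 1 never completed: check ISAKMP policies and the pre-shared key")
    elif r["phase2_complete"] is None:
        r["findings"].append("Phase 1 done but Phase 2 never completed: check transform set and proxy identities")
    elif r["first_peer_delete"] is not None:
        r["sa_lifetime_s"] = (r["first_peer_delete"] - r["phase2_complete"]).total_seconds()
        r["findings"].append(
            f"peer {r['peer']} sent an IKE DELETE {r['sa_lifetime_s']:.3f}s after Phase 2 completed "
            f"(SPIs {', '.join(r['spis_created'])}): IKE and IPsec negotiated fine, so look above IPsec, "
            "at L2TP/PPP ('debug vpdn events', 'debug ppp negotiation')")
    return r


if __name__ == "__main__":
    result = analyze(SAMPLE_DEBUG)
    for key in ("peer", "phase1_complete", "phase2_complete", "first_peer_delete", "sa_lifetime_s"):
        print(f"{key:>18}: {result[key]}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run it against a full `debug crypto isakmp` + `debug crypto ipsec` capture (paste it in place of the sample or read it from a file) and the last finding tells you whether to keep staring at IKE or move on to `debug vpdn events` and `debug ppp negotiation`, which is what the rest of this thread ends up doing by hand.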
AlexDv wrote:
Well, the SA itself did come up: IKE_QM_PHASE2_COMPLETE.
But then the connection is torn down. Is routing to the peer OK? From the config it's not clear who has which address.
GigabitEthernet8 - what address does it have?


Ge8 gets its address via DHCP; the peer is on the same network as the Cisco.
The topology is: a router with the 192.168.0.0 network, with the Cisco and the peers connected to it.


28 Oct 2016, 14:09

notomy wrote:
AlexDv wrote:
Well, the SA itself did come up: IKE_QM_PHASE2_COMPLETE.
But then the connection is torn down. Is routing to the peer OK? From the config it's not clear who has which address.
GigabitEthernet8 - what address does it have?


Ge8 gets its address via DHCP; the peer is on the same network as the Cisco.
The topology is: a router with the 192.168.0.0 network, with the Cisco and the peers connected to it.


Show
sh ip rou
sh ip int br

and try to catch the same thing just before the disconnect

*Oct 27 13:59:17.823: ISAKMP:(2001):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Oct 27 13:59:17.823: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 27 13:59:17.823: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Oct 27 13:59:17.823: IPSEC: Expand action denied, notify RP

Right here

*Oct 27 13:59:52.847: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) QM_IDLE
*Oct 27 13:59:52.847: ISAKMP: set new node 1491250073 to QM_IDLE


28 Oct 2016, 18:01

AlexDv wrote:

Show
sh ip rou
sh ip int br

and try to catch the same thing just before the disconnect



sh ip rou
Code:
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.0.1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet8
L        192.168.0.106/32 is directly connected, GigabitEthernet8


sh ip int br
Code:
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           unassigned      YES unset  down                  down
GigabitEthernet1           unassigned      YES unset  down                  down
GigabitEthernet2           unassigned      YES unset  down                  down
GigabitEthernet3           unassigned      YES unset  down                  down
GigabitEthernet4           unassigned      YES unset  down                  down
GigabitEthernet5           unassigned      YES unset  down                  down
GigabitEthernet6           unassigned      YES unset  down                  down
GigabitEthernet7           unassigned      YES unset  down                  down
GigabitEthernet8           192.168.0.106   YES DHCP   up                    up
GigabitEthernet9           unassigned      YES NVRAM  administratively down down
NVI0                       192.168.0.106   YES unset  up                    up
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          192.168.0.106   YES unset  down                  down
Vlan1                      10.217.68.1     YES NVRAM  down                  down
Vlan2                      10.217.69.1     YES NVRAM  down                  down



The same, just before the disconnect
sh ip rou
Code:
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.0.1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet8
L        192.168.0.106/32 is directly connected, GigabitEthernet8


sh ip int br
Code:
GigabitEthernet0           unassigned      YES unset  down                  down
GigabitEthernet1           unassigned      YES unset  down                  down
GigabitEthernet2           unassigned      YES unset  down                  down
GigabitEthernet3           unassigned      YES unset  down                  down
GigabitEthernet4           unassigned      YES unset  down                  down
GigabitEthernet5           unassigned      YES unset  down                  down
GigabitEthernet6           unassigned      YES unset  down                  down
GigabitEthernet7           unassigned      YES unset  down                  down
GigabitEthernet8           192.168.0.106   YES DHCP   up                    up
GigabitEthernet9           unassigned      YES NVRAM  administratively down down
NVI0                       192.168.0.106   YES unset  up                    up
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          192.168.0.106   YES unset  down                  down
Vlan1                      10.217.68.1     YES NVRAM  down                  down
Vlan2                      10.217.69.1     YES NVRAM  down                  down


Notably, with this config the iOS client has stopped connecting too =-(


28 Oct 2016, 18:12

notomy wrote:
AlexDv wrote:

Show
sh ip rou
sh ip int br

and try to catch the same thing just before the disconnect


[... the sh ip route and sh ip int br output from the previous post, quoted in full ...]

Notably, with this config the iOS client has stopped connecting too =-(

An odd setup with a single interface, since Vlan1 and Vlan2 aren't bound to anything.
Do it like this.
Code:
no int Vlan1
no int Vlan2
interface Virtual-Template1
no ip unnumbered GigabitEthernet8
ip address 10.217.69.1 255.255.255.0
 ip virtual-reassembly in
 peer default ip address dhcp-pool l2tp
no  ppp encrypt mppe 40
 ppp authentication ms-chap-v2




28 Oct 2016, 19:59

AlexDv wrote:
An odd setup with a single interface, since Vlan1 and Vlan2 aren't bound to anything.
Do it like this.
Code:
no int Vlan1
no int Vlan2
interface Virtual-Template1
no ip unnumbered GigabitEthernet8
ip address 10.217.69.1 255.255.255.0
 ip virtual-reassembly in
 peer default ip address dhcp-pool l2tp
no  ppp encrypt mppe 40
 ppp authentication ms-chap-v2


Hello!
I did as you wrote; the result is dismal.
Let me explain a bit.
I have 2 Ciscos.
One is production, it's up and working, but connecting Windows platforms requires editing the registry parameter prohibitipsec - which isn't good.
The second one, for experiments, is at home. I put the production config onto the home one and ran my experiments on it; the config in the first post is what came out of that.

The network layout is the same at home and at work: an upstream router with network 192.168.0.0 255.255.255.0; the Cisco is connected to it by cable on Ge8; by default all ports are grouped into Vlan1 with network 10.217.68.0 255.255.255.0, and Vlan2 with network 10.217.69.0 255.255.255.0 I made for VPN clients.

Here's a copy of the production config:
Code:
version 15.4
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GW0
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
logging buffered 51200 warnings
enable secret 5 -------------------------------
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone MSK 3 0
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 10.217.68.1 10.217.68.10
ip dhcp excluded-address 10.217.69.1
!
ip dhcp pool lan
 network 10.217.68.0 255.255.255.0
 domain-name -----.lan
 default-router 10.217.68.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool l2tp
 network 10.217.69.0 255.255.255.0
 domain-name -----.vpn
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.217.69.1
!
!
!
no ip bootp server
ip domain name terra.local
ip name-server --.--.0.4
ip name-server --.--.1.4
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name inspect icmp
ip inspect name inspect tcp
ip inspect name inspect udp
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C892FSP-K9 sn -------------
license accept end user agreement
license boot module c800 level advipservices
!
!
username admin privilege 15 password 7 --------------------
username test privilege 0 password 7 ------------------
!
!
!
!
!
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key --------- address 0.0.0.0         no-xauth
crypto isakmp keepalive 3600
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
!
!
!
!
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description PrimaryWAN
 ip address dhcp
 ip nat enable
 ip inspect inspect in
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 crypto map cisco
!
interface GigabitEthernet9
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet8
 ip nat enable
 peer default ip address dhcp-pool l2tp
 ppp mtu adaptive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2
!
interface Vlan1
 description LAN
 ip address 10.217.68.1 255.255.255.0
 ip nat enable
 ip inspect inspect in
 ip virtual-reassembly in
!
interface Vlan2
 description VPN
 ip address 10.217.69.1 255.255.255.0
 ip nat enable
 ip inspect inspect in
 ip virtual-reassembly in
!
ip default-gateway 192.168.0.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat source list vpn interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip ssh version 2
!
ip access-list extended vpn
 permit ip 10.217.0.0 0.0.255.255 any
!
logging dmvpn
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 60 0
 privilege level 15
 password 7 -----------------------
 logging synchronous
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server ru.pool.ntp.org
!
!
!
end


Searching for a solution led me to another registry parameter: AssumeUDPEncapsulationContextOnSendRule. It allows NAT on both sides of the tunnel, and now I can connect to the production Cisco without prohibitipsec.

But here's the catch: with this same config I can't connect at home. The connection doesn't get established =-(


01 Nov 2016, 16:49

Just checked again: it connects to the production one without problems, and to the home one only by changing prohibitipsec.


01 Nov 2016, 20:37

Checked sh cry ips sa while connecting.
Output:
Code:
interface: GigabitEthernet8
    Crypto map tag: cisco, local addr 192.168.0.106

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.106/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (192.168.0.101/255.255.255.255/17/0)
   current_peer 192.168.0.101 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.106, remote crypto endpt.: 192.168.0.101
     plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet8
     current outbound spi: 0xF5A9D32(257596722)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9FAA7DFB(2678750715)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 7, flow_id: Onboard VPN:7, sibling_flags 80000000, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4244740/3392)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF5A9D32(257596722)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 8, flow_id: Onboard VPN:8, sibling_flags 80000000, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4244744/3392)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:


So traffic from the Cisco isn't going into the tunnel and isn't being encrypted?


03 Nov 2016, 17:05

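The counters notomy quotes already answer his question: 31 packets were decrypted from the peer and none were encrypted towards it, so the router is receiving the client's ESP but sending nothing back through the SA. The parser below is an added example written for this page, not code from the thread: it reads `show crypto ipsec sa` output, extracts per-flow identities, packet counters, SPIs, transforms and SA status, and flags one-directional traffic, SA errors, missing or inactive SAs and weak transforms (3DES is flagged as weak, a judgment of the editor, not of the thread). The sample input is a constructed excerpt of the output posted above.

```python
import re

# Constructed sample: an excerpt of the `show crypto ipsec sa` output posted above,
# trimmed to the lines the parser reads.
SAMPLE_SHOW = """\
   local  ident (addr/mask/prot/port): (192.168.0.106/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (192.168.0.101/255.255.255.255/17/0)
   current_peer 192.168.0.101 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31
    #send errors 0, #recv errors 0
     current outbound spi: 0xF5A9D32(257596722)

     inbound esp sas:
      spi: 0x9FAA7DFB(2678750715)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     outbound esp sas:
      spi: 0xF5A9D32(257596722)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)
"""

FLOW_START = re.compile(r"^\s*local\s+ident \(addr/mask/prot/port\): \((\S+)\)")
REMOTE = re.compile(r"^\s*remote ident \(addr/mask/prot/port\): \((\S+)\)")
PEER = re.compile(r"^\s*current_peer (\S+) port (\d+)")
COUNTERS = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")
SAS_HEADER = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
TRANSFORM = re.compile(r"^\s*transform: (.+?)\s*,")
STATUS = re.compile(r"^\s*Status: (\S+)")
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_flows(text):
    """One dict per local/remote identity pair, with packet counters and the ESP SAs per direction."""
    flows, flow, direction = [], None, None
    for line in text.splitlines():
        if (m := FLOW_START.match(line)):
            flow = {"local_ident": m.group(1), "remote_ident": None, "peer": None, "encaps": 0,
                    "decaps": 0, "send_errors": 0, "recv_errors": 0, "inbound": [], "outbound": []}
            flows.append(flow)
            direction = None
        elif flow is None:
            continue
        elif (m := REMOTE.match(line)):
            flow["remote_ident"] = m.group(1)
        elif (m := PEER.match(line)):
            flow["peer"] = f"{m.group(1)}:{m.group(2)}"
        elif (m := COUNTERS.search(line)):
            flow[m.group(1)] = int(m.group(2))
        elif (m := ERRORS.search(line)):
            flow["send_errors"], flow["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif (m := SAS_HEADER.match(line)):
            direction = m.group(1) if m.group(2) == "esp" else None   # AH/PCP sections are skipped
        elif direction and (m := SPI.match(line)):
            flow[direction].append({"spi": m.group(1), "transform": None, "status": None})
        elif direction and flow[direction] and (m := TRANSFORM.match(line)):
            flow[direction][-1]["transform"] = m.group(1)
        elif direction and flow[direction] and (m := STATUS.match(line)):
            flow[direction][-1]["status"] = m.group(1)
    return flows


def diagnose(flow):
    """(code, message) findings for one flow."""
    findings, peer = [], flow["peer"] or flow["remote_ident"]
    if flow["decaps"] and not flow["encaps"]:
        findings.append(("ONE_WAY", f"{flow['decaps']} packets decrypted from {peer} but 0 encrypted towards "
                                    f"it: nothing the router sends to {flow['remote_ident']} is matching this SA"))
    elif flow["encaps"] and not flow["decaps"]:
        findings.append(("ONE_WAY", f"{flow['encaps']} packets encrypted towards {peer} but 0 received back"))
    if flow["send_errors"] or flow["recv_errors"]:
        findings.append(("SA_ERRORS", f"send errors {flow['send_errors']}, recv errors {flow['recv_errors']}"))
    for direction in ("inbound", "outbound"):
        if not flow[direction]:
            findings.append(("NO_SA", f"no {direction} ESP SA installed"))
        for sa in flow[direction]:
            weak = [t for t in (sa["transform"] or "").split() if t in WEAK_ESP]
            if weak:
                findings.append(("WEAK_TRANSFORM", f"{direction} SPI {sa['spi']} uses {' '.join(weak)}"))
            if sa["status"] and not sa["status"].startswith("ACTIVE"):
                findings.append(("SA_NOT_ACTIVE", f"{direction} SPI {sa['spi']} is {sa['status']}"))
    return findings


def analyze(text):
    """Findings per flow, keyed by local/remote identity."""
    return [(f["local_ident"], f["remote_ident"], diagnose(f)) for f in parse_flows(text)]


if __name__ == "__main__":
    for local, remote, findings in analyze(SAMPLE_SHOW):
        print(f"{local} <-> {remote}")
        for code, message in findings:
            print(f"  [{code}] {message}")
```

On the output above this reports one ONE_WAY finding (0 encapsulated, 31 decapsulated) and two WEAK_TRANSFORM findings for the 3DES SAs; the same parser handles the multi-flow output you get with several clients connected.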
I'd like to clarify a few things...
1)
Code:
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp security crypto-profile ipnetconfig
 no l2tp tunnel authentication

this is from the config in the first post,
but there is no such crypto-profile...
2)
Code:
crypto isakmp key --------- address 0.0.0.0         no-xauth

OK, so login and password aren't checked... and it worked like that? And what was entered as the login and password in the l2tp client?
3)
the registry key prohibitipsec=1 disables IPsec in the l2tp client, so what are we even talking about here?


03 Nov 2016, 17:18

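tr33ks's three points (a `crypto-profile` name that matches nothing, a pre-shared key valid for any peer, and IPsec being switched off on the client) are the kind of thing a config review should catch before anyone starts reading debug. The linter below is an added example written for this page, not code from the thread or from Cisco. It flags a `l2tp security crypto-profile` whose name is not an existing `crypto map` (the assumption, stated in the code, is that the crypto-profile must name a crypto map), a `crypto isakmp key ... address 0.0.0.0` wildcard key, DES/3DES, MD5 and DH groups 1/2/5 in ISAKMP policies, weak ESP transforms, L2TP tunnel authentication being off, and MPPE 40/auto on the virtual template. The sample is a constructed excerpt merging the first post's vpdn-group with the production config posted above; `secret123` is a placeholder key.

```python
# Constructed sample: an excerpt merging the first post's vpdn-group (with its
# crypto-profile reference) and the production config above; the PSK is a placeholder.
SAMPLE_CONFIG = """\
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp security crypto-profile ipnetconfig
 no l2tp tunnel authentication
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secret123 address 0.0.0.0         no-xauth
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
interface Virtual-Template1
 ppp encrypt mppe 40
"""

WEAK_IKE_ENCR = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_sections(config):
    """Split an IOS running-config into (command, [indented sub-commands]) blocks;
    '!' comment lines, including the ones IOS itself emits, are dropped."""
    sections, current = [], None
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if line[0].isspace() and current is not None:
            current[1].append(stripped)
        else:
            current = (stripped, [])
            sections.append(current)
    return sections


def first_arg(body, keyword, default):
    """Argument of the first sub-command starting with `keyword`, else the IOS default."""
    return next((x.split()[1] for x in body if x.startswith(keyword + " ")), default)


def lint(config):
    """(severity, message) findings for an IOS L2TP/IPsec configuration."""
    findings, sections = [], parse_sections(config)
    # assumption: `l2tp security crypto-profile NAME` must name an existing `crypto map NAME ...`
    crypto_maps = {head.split()[2] for head, _ in sections if head.startswith("crypto map ")}
    for head, body in sections:
        if head.startswith("crypto isakmp policy"):
            # IOS defaults when the sub-command is absent: encr des, hash sha, group 1
            encr, hsh, group = (first_arg(body, "encr", "des"), first_arg(body, "hash", "sha"),
                                first_arg(body, "group", "1"))
            if encr in WEAK_IKE_ENCR:
                findings.append(("high", f"{head}: weak IKE encryption '{encr}'"))
            if hsh == "md5":
                findings.append(("medium", f"{head}: weak IKE hash 'md5'"))
            if group in WEAK_DH_GROUPS:
                findings.append(("medium", f"{head}: weak DH group {group}, use 14 or higher"))
        elif head.startswith("crypto isakmp key") and " address 0.0.0.0" in head:
            findings.append(("high", "wildcard pre-shared key (address 0.0.0.0): one secret shared by every client"))
        elif head.startswith("crypto ipsec transform-set"):
            weak = [w for w in head.split()[3:] if w in WEAK_ESP]
            if weak:
                findings.append(("high", f"{head}: weak transform(s) {' '.join(weak)}"))
        elif head.startswith("vpdn-group"):
            for line in body:
                if line.startswith("l2tp security crypto-profile") and line.split()[3] not in crypto_maps:
                    findings.append(("high", f"{head}: crypto-profile '{line.split()[3]}' matches no 'crypto map' name"))
                if line == "no l2tp tunnel authentication":
                    findings.append(("info", f"{head}: L2TP tunnel authentication off, IPsec is the only tunnel protection"))
        elif head.startswith("interface"):
            for line in body:
                if line.startswith("ppp encrypt mppe") and line.split()[3] in ("40", "auto"):
                    findings.append(("medium", f"{head}: '{line}' permits 40-bit RC4 inside the tunnel"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(SAMPLE_CONFIG):
        print(f"[{severity:<6}] {message}")
```

Feed it the output of `show running-config` and fix the "high" findings first; the crypto-profile mismatch is a functional bug (the L2TP tunnel is not tied to any crypto map), the rest are weak-crypto choices that the Windows `AllowL2TPWeakCrypto` registry change mentioned at the top of the thread exists to tolerate.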
tr33ks wrote:
I'd like to clarify a few things...
1)
Code:
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp security crypto-profile ipnetconfig
 no l2tp tunnel authentication

this is from the config in the first post,
but there is no such crypto-profile...
2)
Code:
crypto isakmp key --------- address 0.0.0.0         no-xauth

OK, so login and password aren't checked... and it worked like that? And what was entered as the login and password in the l2tp client?
3)
the registry key prohibitipsec=1 disables IPsec in the l2tp client, so what are we even talking about here?


1) The config in the first post is the result of my wandering around the internet in search of a working config and reading a pile of manuals.
The profile was there; apparently I deleted it by accident when pasting into the post. And right now I've taken the config from the production Cisco and am playing with it at home.

2) Hmm... I set up the production one following this article: http://blogconfigs.blogspot.ru/2010/07/configure-l2tp-ipsec-vpn-server-on.html
And without a login and password the connection isn't established.
The login and password are taken from the local database.

3) The funniest thing is that it's precisely with IPsec disabled that the connection on Windows goes through, when the connection type on the client is set manually to L2TP\IPSec


03 Nov 2016, 17:50

I think you're configuring the client incorrectly.
I just loaded the config onto a Cisco and both a Windows 10 PC and an iPhone connected successfully.
Restore the registry keys to their previous values and check whether the client is configured correctly.
As in the picture:
http://prntscr.com/d2yzmk
Where it says "key" there should be the isakmp key, accordingly.


04 Nov 2016, 15:17

tr33ks wrote:
I think you're configuring the client incorrectly.
I just loaded the config onto a Cisco and both a Windows 10 PC and an iPhone connected successfully.
Restore the registry keys to their previous values and check whether the client is configured correctly.
As in the picture:
http://prntscr.com/d2yzmk
Where it says "key" there should be the isakmp key, accordingly.


You won't believe it, but that's exactly how the clients are configured, every single one. If the pre-shared key (isakmp key) isn't specified on the clients, a connection error is shown.

I've reset the home Cisco and now want to try configuring it again from scratch; which config did you load? The one from the first post, or my production one?
I'd be glad if you sent me the config that worked for you =-).


04 Nov 2016, 15:44

Somewhat strange... but if iOS connects and Windows doesn't, the cause must be somewhere on the Windows side.
Here's the config:
Code:
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key kluchik address 0.0.0.0
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
 mode transport
crypto ipsec nat-transparency spi-matching
!
crypto dynamic-map dyn-map 10
 set nat demux
 set transform-set L2TP-Set2
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 no ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map outside_map
!
interface Virtual-Template2
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool L2TP-POOL
 ppp authentication ms-chap-v2
!
ip local pool L2TP-POOL 192.168.2.70 192.168.2.80


04 Nov 2016, 16:44
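The following is an added example and is not part of the thread or of tr33ks's configuration: a Python script that reads the crypto section of an IOS config like the one above (the sample is the crypto subset of that post) and flags what a reviewer would question in it today: 3DES, MD5, DH group 2 and a pre-shared key bound to address 0.0.0.0. The IOS defaults filled in for absent lines, the severity thresholds and the suggested replacement commands (`encr aes 256`, `hash sha256`, `group 14`, `esp-aes 256 esp-sha256-hmac`) are the example's own choices.

```python
import re

# Crypto subset of the config posted in the thread, used here as sample input.
SAMPLE_CONFIG = """\
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key kluchik address 0.0.0.0
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
 mode transport
"""

# Values IOS uses when a policy omits the line (assumed from IOS documentation, not from the post).
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_GROUPS = {"1", "2", "5"}   # MODP groups shorter than 2048 bits


def parse_isakmp_policies(text):
    """Return {priority: {encr, hash, group, authentication}} with IOS defaults filled in."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(POLICY_DEFAULTS)
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if parts[0] in ("encr", "encryption"):
                policies[current]["encr"] = " ".join(parts[1:])   # "aes" alone means AES-128
            elif parts[0] in POLICY_DEFAULTS:
                policies[current][parts[0]] = parts[1]
        else:
            current = None   # any non-indented line ends the policy block
    return policies


def audit_crypto_config(text):
    """List the settings a reviewer would flag; the thresholds are this example's own choices."""
    findings = []
    for prio, p in sorted(parse_isakmp_policies(text).items()):
        if p["encr"].split()[0] in WEAK_ENCR:
            findings.append(f"isakmp policy {prio}: encr {p['encr']} is weak, use 'encr aes 256'")
        if p["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {prio}: hash {p['hash']} is weak, use 'hash sha256'")
        if p["group"] in WEAK_GROUPS:
            findings.append(f"isakmp policy {prio}: DH group {p['group']} is weak, use 'group 14' or higher")
    if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0", text, re.M):
        findings.append("isakmp key bound to address 0.0.0.0: one shared secret is accepted from any source IP")
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", text, re.M):
        name, transforms = m.group(1), m.group(2).strip()
        if re.search(r"\besp-(3des|des)\b", transforms):
            findings.append(f"transform-set {name}: '{transforms}' uses DES/3DES, use 'esp-aes 256 esp-sha256-hmac'")
    return findings


if __name__ == "__main__":
    for finding in audit_crypto_config(SAMPLE_CONFIG):
        print(finding)
```

Run it over a `show running-config` dump; on the crypto subset above it produces six findings. The weak settings it reports live on the router side, whereas the registry changes the thread opens with (ProhibitIpSec, allowl2tpweakcrypto) make the client tolerate them, so tightening the policies here is the server-side half of retiring that workaround.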

Registered: 19 Oct 2016, 17:12
Posts: 16
tr33ks wrote:
Strange... but if iOS connects for you and Windows doesn't, the cause must be somewhere in Windows.


In short, after resetting the Cisco and configuring it with your config, not a single platform connects =-(

Here's the debug:
Code:
Nov  4 17:48:43.067: ISAKMP (0): received packet from 192.168.0.105 dport 500 sport 500 Global (N) NEW SA
Nov  4 17:48:43.067: ISAKMP: Created a peer struct for 192.168.0.105, peer port 500
Nov  4 17:48:43.067: ISAKMP: New peer created peer = 0x11781EDC peer_handle = 0x80000003
Nov  4 17:48:43.067: ISAKMP: Locking peer struct 0x11781EDC, refcount 1 for crypto_isakmp_process_block
Nov  4 17:48:43.067: ISAKMP: local port 500, remote port 500
Nov  4 17:48:43.067: ISAKMP:(0):insert sa successfully sa = 39F5198
Nov  4 17:48:43.067: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov  4 17:48:43.067: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

Nov  4 17:48:43.067: ISAKMP:(0): processing SA payload. message ID = 0
Nov  4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.067: ISAKMP:(0): processing IKE frag vendor id payload
Nov  4 17:48:43.067: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov  4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.067: ISAKMP:(0): processing IKE frag vendor id payload
Nov  4 17:48:43.067: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov  4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.067: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Nov  4 17:48:43.067: ISAKMP (0): vendor ID is NAT-T RFC 3947
Nov  4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.067: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov  4 17:48:43.067: ISAKMP:(0): vendor ID is NAT-T v2
Nov  4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.067: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Nov  4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.067: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
Nov  4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.067: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
Nov  4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.067: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
Nov  4 17:48:43.067: ISAKMP:(0):found peer pre-shared key matching 192.168.0.105
Nov  4 17:48:43.067: ISAKMP:(0): local preshared key found
Nov  4 17:48:43.067: ISAKMP : Scanning profiles for xauth ...
Nov  4 17:48:43.067: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
Nov  4 17:48:43.067: ISAKMP:      encryption AES-CBC
Nov  4 17:48:43.067: ISAKMP:      keylength of 256
Nov  4 17:48:43.067: ISAKMP:      hash SHA
Nov  4 17:48:43.067: ISAKMP:      default group 20
Nov  4 17:48:43.067: ISAKMP:      auth pre-share
Nov  4 17:48:43.067: ISAKMP:      life type in seconds
Nov  4 17:48:43.067: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
Nov  4 17:48:43.067: ISAKMP:(0):Encryption algorithm offered does not match policy!
Nov  4 17:48:43.067: ISAKMP:(0):atts are not acceptable. Next payload is 3
Nov  4 17:48:43.067: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
Nov  4 17:48:43.067: ISAKMP:      encryption AES-CBC
Nov  4 17:48:43.067: ISAKMP:      keylength of 128
Nov  4 17:48:43.067: ISAKMP:      hash SHA
Nov  4 17:48:43.067: ISAKMP:      default group 19
Nov  4 17:48:43.067: ISAKMP:      auth pre-share
Nov  4 17:48:43.067: ISAKMP:      life type in seconds
Nov  4 17:48:43.067: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
Nov  4 17:48:43.067: ISAKMP:(0):Encryption algorithm offered does not match policy!
Nov  4 17:48:43.067: ISAKMP:(0):atts are not acceptable. Next payload is 3
Nov  4 17:48:43.067: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
Nov  4 17:48:43.067: ISAKMP:      encryption AES-CBC
Nov  4 17:48:43.067: ISAKMP:      keylength of 256
Nov  4 17:48:43.067: ISAKMP:      hash SHA
Nov  4 17:48:43.067: ISAKMP:      default group 14
Nov  4 17:48:43.067: ISAKMP:      auth pre-share
Nov  4 17:48:43.067: ISAKMP:      life type in seconds
Nov  4 17:48:43.067: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
Nov  4 17:48:43.067: ISAKMP:(0):Encryption algorithm offered does not match policy!
Nov  4 17:48:43.067: ISAKMP:(0):atts are not acceptable. Next payload is 3
Nov  4 17:48:43.071: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
Nov  4 17:48:43.071: ISAKMP:      encryption 3DES-CBC
Nov  4 17:48:43.071: ISAKMP:      hash SHA
Nov  4 17:48:43.071: ISAKMP:      default group 14
Nov  4 17:48:43.071: ISAKMP:      auth pre-share
Nov  4 17:48:43.071: ISAKMP:      life type in seconds
Nov  4 17:48:43.071: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
Nov  4 17:48:43.071: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
Nov  4 17:48:43.071: ISAKMP:(0):atts are not acceptable. Next payload is 3
Nov  4 17:48:43.071: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
Nov  4 17:48:43.071: ISAKMP:      encryption 3DES-CBC
Nov  4 17:48:43.071: ISAKMP:      hash SHA
Nov  4 17:48:43.071: ISAKMP:      default group 2
Nov  4 17:48:43.071: ISAKMP:      auth pre-share
Nov  4 17:48:43.071: ISAKMP:      life type in seconds
Nov  4 17:48:43.071: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
Nov  4 17:48:43.071: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov  4 17:48:43.071: ISAKMP:(0):Acceptable atts:actual life: 86400
Nov  4 17:48:43.071: ISAKMP:(0):Acceptable atts:life: 0
Nov  4 17:48:43.071: ISAKMP:(0):Fill atts in sa vpi_length:4
Nov  4 17:48:43.071: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
Nov  4 17:48:43.071: ISAKMP:(0):Returning Actual lifetime: 28800
Nov  4 17:48:43.071: ISAKMP:(0)::Started lifetime timer: 28800.

Nov  4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.071: ISAKMP:(0): processing IKE frag vendor id payload
Nov  4 17:48:43.071: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov  4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.071: ISAKMP:(0): processing IKE frag vendor id payload
Nov  4 17:48:43.071: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov  4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Nov  4 17:48:43.071: ISAKMP (0): vendor ID is NAT-T RFC 3947
Nov  4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov  4 17:48:43.071: ISAKMP:(0): vendor ID is NAT-T v2
Nov  4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Nov  4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
Nov  4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
Nov  4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov  4 17:48:43.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
Nov  4 17:48:43.071: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov  4 17:48:43.071: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Nov  4 17:48:43.071: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Nov  4 17:48:43.071: ISAKMP:(0): sending packet to 192.168.0.105 my_port 500 peer_port 500 (R) MM_SA_SETUP
Nov  4 17:48:43.071: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov  4 17:48:43.071: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov  4 17:48:43.071: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

Nov  4 17:48:43.075: ISAKMP (0): received packet from 192.168.0.105 dport 500 sport 500 Global (R) MM_SA_SETUP
Nov  4 17:48:43.075: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov  4 17:48:43.075: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

Nov  4 17:48:43.075: ISAKMP:(0): processing KE payload. message ID = 0
Nov  4 17:48:43.075: ISAKMP:(0): processing NONCE payload. message ID = 0
Nov  4 17:48:43.079: ISAKMP:(0):found peer pre-shared key matching 192.168.0.105
Nov  4 17:48:43.079: ISAKMP:received payload type 20
Nov  4 17:48:43.079: ISAKMP (2002): His hash no match - this node outside NAT
Nov  4 17:48:43.079: ISAKMP:received payload type 20
Nov  4 17:48:43.079: ISAKMP (2002): No NAT Found for self or peer
Nov  4 17:48:43.079: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov  4 17:48:43.079: ISAKMP:(2002):Old State = IKE_R_MM3  New State = IKE_R_MM3

Nov  4 17:48:43.079: ISAKMP:(2002): sending packet to 192.168.0.105 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Nov  4 17:48:43.079: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Nov  4 17:48:43.079: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov  4 17:48:43.079: ISAKMP:(2002):Old State = IKE_R_MM3  New State = IKE_R_MM4

Nov  4 17:48:43.079: ISAKMP (2002): received packet from 192.168.0.105 dport 500 sport 500 Global (R) MM_KEY_EXCH
Nov  4 17:48:43.079: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov  4 17:48:43.079: ISAKMP:(2002):Old State = IKE_R_MM4  New State = IKE_R_MM5

Nov  4 17:48:43.079: ISAKMP:(2002): processing ID payload. message ID = 0
Nov  4 17:48:43.079: ISAKMP (2002): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.0.105
        protocol     : 0
        port         : 0
        length       : 12
Nov  4 17:48:43.079: ISAKMP:(0):: peer matches *none* of the profiles
Nov  4 17:48:43.079: ISAKMP:(2002): processing HASH payload. message ID = 0
Nov  4 17:48:43.079: ISAKMP:(2002):SA authentication status:
        authenticated
Nov  4 17:48:43.079: ISAKMP:(2002):SA has been authenticated with 192.168.0.105
Nov  4 17:48:43.079: ISAKMP: Trying to insert a peer 192.168.0.106/192.168.0.105/500/,  and inserted successfully 11781EDC.
Nov  4 17:48:43.079: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov  4 17:48:43.079: ISAKMP:(2002):Old State = IKE_R_MM5  New State = IKE_R_MM5

Nov  4 17:48:43.079: ISAKMP:(2002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov  4 17:48:43.079: ISAKMP (2002): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.0.106
        protocol     : 17
        port         : 500
        length       : 12
Nov  4 17:48:43.079: ISAKMP:(2002):Total payload length: 12
Nov  4 17:48:43.079: ISAKMP:(2002): sending packet to 192.168.0.105 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Nov  4 17:48:43.083: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Nov  4 17:48:43.083: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov  4 17:48:43.083: ISAKMP:(2002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Nov  4 17:48:43.083: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov  4 17:48:43.083: ISAKMP:(2002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Nov  4 17:48:43.083: ISAKMP (2002): received packet from 192.168.0.105 dport 500 sport 500 Global (R) QM_IDLE
Nov  4 17:48:43.083: ISAKMP: set new node 1 to QM_IDLE
Nov  4 17:48:43.083: ISAKMP:(2002): processing HASH payload. message ID = 1
Nov  4 17:48:43.083: ISAKMP:(2002): processing SA payload. message ID = 1
Nov  4 17:48:43.083: ISAKMP:(2002):Checking IPSec proposal 1
Nov  4 17:48:43.083: ISAKMP: transform 1, ESP_AES
Nov  4 17:48:43.083: ISAKMP:   attributes in transform:
Nov  4 17:48:43.083: ISAKMP:      encaps is 2 (Transport)
Nov  4 17:48:43.083: ISAKMP:      key length is 128
Nov  4 17:48:43.083: ISAKMP:      authenticator is HMAC-SHA
Nov  4 17:48:43.083: ISAKMP:      SA life type in seconds
Nov  4 17:48:43.083: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
Nov  4 17:48:43.083: ISAKMP:      SA life type in kilobytes
Nov  4 17:48:43.083: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
Nov  4 17:48:43.083: ISAKMP:(2002):atts are acceptable.
Nov  4 17:48:43.083: IPSEC(validate_proposal_request): proposal part #1
Nov  4 17:48:43.083: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.106:0, remote= 192.168.0.105:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.105/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Nov  4 17:48:43.083: IPSEC(ipsec_process_proposal): transform not supported by encryption hardware:
    {esp-aes esp-sha-hmac }
Nov  4 17:48:43.083: ISAKMP:(2002): IPSec policy invalidated proposal with error 512
Nov  4 17:48:43.083: ISAKMP:(2002):Checking IPSec proposal 2
Nov  4 17:48:43.083: ISAKMP: transform 1, ESP_3DES
Nov  4 17:48:43.083: ISAKMP:   attributes in transform:
Nov  4 17:48:43.083: ISAKMP:      encaps is 2 (Transport)
Nov  4 17:48:43.083: ISAKMP:      authenticator is HMAC-SHA
Nov  4 17:48:43.083: ISAKMP:      SA life type in seconds
Nov  4 17:48:43.083: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
Nov  4 17:48:43.083: ISAKMP:      SA life type in kilobytes
Nov  4 17:48:43.083: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90
Nov  4 17:48:43.083: ISAKMP:(2002):atts are acceptable.
Nov  4 17:48:43.083: IPSEC(validate_proposal_request): proposal part #1
Nov  4 17:48:43.083: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.106:0, remote= 192.168.0.105:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.105/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Nov  4 17:48:43.083: (ipsec_process_proposal)Map Accepted: dyn-map, 10
Nov  4 17:48:43.083: ISAKMP:(2002): processing NONCE payload. message ID = 1
Nov  4 17:48:43.083: ISAKMP:(2002): processing ID payload. message ID = 1
Nov  4 17:48:43.083: ISAKMP:(2002): processing ID payload. message ID = 1
Nov  4 17:48:43.083: ISAKMP:(2002):QM Responder gets spi
Nov  4 17:48:43.083: ISAKMP:(2002):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Nov  4 17:48:43.083: ISAKMP:(2002):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Nov  4 17:48:43.083: KMI: Crypto IKMP sending message KEY_MGR_CREATE_IPSEC_SAS to IPSEC key engine.
Nov  4 17:48:43.083: ISAKMP:(2002):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Nov  4 17:48:43.083: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
Nov  4 17:48:43.083: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Nov  4 17:48:43.087: KMI: IPSEC key engine received message KEY_MGR_CREATE_IPSEC_SAS from Crypto IKMP.
Nov  4 17:48:43.087: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dyn-map, 10
Nov  4 17:48:43.087: KMI: IPSEC key engine sending message KEY_ENG_NOTIFY_QOS_GROUP to Crypto IKMP.
Nov  4 17:48:43.087: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.106, sa_proto= 50,
    sa_spi= 0xD30CBDCB(3540827595),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.105:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.105/255.255.255.255/17/1701
Nov  4 17:48:43.087: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.105, sa_proto= 50,
    sa_spi= 0x2E79153C(779687228),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.105:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.105/255.255.255.255/17/1701
Nov  4 17:48:43.087:  ISAKMP: Failed to find peer index node to update peer_info_list
Nov  4 17:48:43.087: KMI: IPSEC key engine sending message KEY_ENG_NOTIFY_INCR_COUNT to Crypto IKMP.
Nov  4 17:48:43.087: ISAKMP:(2002):Received IPSec Install callback... proceeding with the negotiation
Nov  4 17:48:43.087: ISAKMP:(2002):Successfully installed IPSEC SA (SPI:0xD30CBDCB) on GigabitEthernet8
Nov  4 17:48:43.087: KMI: Crypto IKMP received message KEY_ENG_NOTIFY_QOS_GROUP from IPSEC key engine.
Nov  4 17:48:43.087: KMI: Crypto IKMP received message KEY_ENG_NOTIFY_INCR_COUNT from IPSEC key engine.
Nov  4 17:48:43.087: ISAKMP:(2002): sending packet to 192.168.0.105 my_port 500 peer_port 500 (R) QM_IDLE   
Nov  4 17:48:43.087: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Nov  4 17:48:43.087: ISAKMP:(2002):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Nov  4 17:48:43.087: ISAKMP:(2002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
Nov  4 17:48:43.087: ISAKMP (2002): received packet from 192.168.0.105 dport 500 sport 500 Global (R) QM_IDLE
Nov  4 17:48:43.091: KMI: Crypto IKMP sending message KEY_MGR_SA_ENABLE_OUTBOUND to IPSEC key engine.
Nov  4 17:48:43.091: ISAKMP:(2002):deleting node 1 error FALSE reason "QM done (await)"
Nov  4 17:48:43.091: ISAKMP:(2002):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Nov  4 17:48:43.091: ISAKMP:(2002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Nov  4 17:48:43.091: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Nov  4 17:48:43.091: KMI: IPSEC key engine received message KEY_MGR_SA_ENABLE_OUTBOUND from Crypto IKMP.
Nov  4 17:48:43.091: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Nov  4 17:48:43.091: IPSEC: Expand action denied, notify RP

Nov  4 17:49:18.119: ISAKMP (2002): received packet from 192.168.0.105 dport 500 sport 500 Global (R) QM_IDLE
Nov  4 17:49:18.119: ISAKMP: set new node 1545032874 to QM_IDLE
Nov  4 17:49:18.119: ISAKMP:(2002): processing HASH payload. message ID = 1545032874
Nov  4 17:49:18.119: ISAKMP:(2002): processing DELETE payload. message ID = 1545032874
Nov  4 17:49:18.119: ISAKMP:(2002):peer does not do paranoid keepalives.

Nov  4 17:49:18.119: KMI: Crypto IKMP sending message KEY_MGR_DELETE_SAS to IPSEC key engine.
Nov  4 17:49:18.119: ISAKMP:(2002):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x2E79153C)
Nov  4 17:49:18.119: ISAKMP:(2002):deleting node 1545032874 error FALSE reason "Informational (in) state 1"
Nov  4 17:49:18.119: ISAKMP (2002): received packet from 192.168.0.105 dport 500 sport 500 Global (R) QM_IDLE
Nov  4 17:49:18.119: ISAKMP: set new node 1230826502 to QM_IDLE
Nov  4 17:49:18.119: ISAKMP:(2002): processing HASH payload. message ID = 1230826502
Nov  4 17:49:18.119: ISAKMP:(2002): processing DELETE payload. message ID = 1230826502
Nov  4 17:49:18.119: ISAKMP:(2002):peer does not do paranoid keepalives.

Nov  4 17:49:18.119: ISAKMP:(2002):deleting SA reason "No reason" state (R) QM_IDLE       (peer 192.168.0.105)
Nov  4 17:49:18.119: ISAKMP:(2002):deleting node 1230826502 error FALSE reason "Informational (in) state 1"
Nov  4 17:49:18.119: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Nov  4 17:49:18.119: KMI: IPSEC key engine received message KEY_MGR_DELETE_SAS from Crypto IKMP.
Nov  4 17:49:18.119: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5103
Nov  4 17:49:18.119: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Nov  4 17:49:18.119: IPSEC: still in use sa: 0x390A76C
Nov  4 17:49:18.119: IPSEC(key_engine_delete_sas): delete SA with spi 0x2E79153C proto 50 for 192.168.0.105
Nov  4 17:49:18.119:  ISAKMP: Failed to find peer index node to update peer_info_list
Nov  4 17:49:18.119: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.0.106, sa_proto= 50,
    sa_spi= 0xD30CBDCB(3540827595),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.105:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.105/255.255.255.255/17/1701
Nov  4 17:49:18.119: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.0.105, sa_proto= 50,
    sa_spi= 0x2E79153C(779687228),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.105:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.105/255.255.255.255/17/1701
Nov  4 17:49:18.119: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Nov  4 17:49:18.119: ISAKMP: set new node -1570398965 to QM_IDLE
Nov  4 17:49:18.119: ISAKMP:(2002): sending packet to 192.168.0.105 my_port 500 peer_port 500 (R) QM_IDLE   
Nov  4 17:49:18.119: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Nov  4 17:49:18.119: ISAKMP:(2002):purging node -1570398965
Nov  4 17:49:18.119: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov  4 17:49:18.119: ISAKMP:(2002):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Nov  4 17:49:18.119: ISAKMP:(2002):deleting SA reason "No reason" state (R) QM_IDLE       (peer 192.168.0.105)
Nov  4 17:49:18.119: ISAKMP: Unlocking peer struct 0x11781EDC for isadb_mark_sa_deleted(), count 0
Nov  4 17:49:18.119: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov  4 17:49:18.119: ISAKMP:(2002):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Nov  4 17:49:18.123: KMI: IPSEC key engine sending message KEY_ENG_NOTIFY_DECR_COUNT to Crypto IKMP.
Nov  4 17:49:18.123: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS
Nov  4 17:49:18.123: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x265FF70 ikmp handle 0x80000003
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x14000003,peer index 0

Nov  4 17:49:18.123: KMI: Crypto IKMP received message KEY_ENG_NOTIFY_DECR_COUNT from IPSEC key engine.

Nov  4 17:49:18.123: KMI: Crypto IKMP sending message KEY_MGR_SESSION_CLOSED to IPSEC key engine.
Nov  4 17:49:18.123: ISAKMP: Deleting peer node by peer_reap for 192.168.0.105: 11781EDC
Nov  4 17:49:18.123: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Nov  4 17:49:18.123: KMI: IPSEC key engine received message KEY_MGR_SESSION_CLOSED from Crypto IKMP.

Nov  4 17:49:33.091: ISAKMP:(2002):purging node 1


Phase 2 negotiation completes and it stalls right there; then the client (iOS) reports that the server did not respond, and the Windows 10 client says the same.


04 Nov 2016, 20:57
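An added example for triaging output like the above, not a Cisco tool and not part of the thread: a Python parser for `debug crypto isakmp` / `debug crypto ipsec` lines that lists each phase 1 transform the client offered together with the router's verdict on it, lists each phase 2 ESP proposal with its verdict, and measures how long the IPsec SA lived before the peer sent an ISAKMP DELETE. The sample input is trimmed from the debug posted above (values and timestamps unchanged); the line patterns it keys on are the ones visible in that output and may differ on other IOS releases.

```python
import re

# Trimmed from the debug posted above: only the lines the parser keys on, values and
# timestamps unchanged. Constructed sample input for this example, not a full capture.
SAMPLE_DEBUG = """\
Nov  4 17:48:43.067: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
Nov  4 17:48:43.067: ISAKMP:      encryption AES-CBC
Nov  4 17:48:43.067: ISAKMP:      keylength of 256
Nov  4 17:48:43.067: ISAKMP:      hash SHA
Nov  4 17:48:43.067: ISAKMP:      default group 20
Nov  4 17:48:43.067: ISAKMP:(0):Encryption algorithm offered does not match policy!
Nov  4 17:48:43.071: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
Nov  4 17:48:43.071: ISAKMP:      encryption 3DES-CBC
Nov  4 17:48:43.071: ISAKMP:      hash SHA
Nov  4 17:48:43.071: ISAKMP:      default group 14
Nov  4 17:48:43.071: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
Nov  4 17:48:43.071: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
Nov  4 17:48:43.071: ISAKMP:      encryption 3DES-CBC
Nov  4 17:48:43.071: ISAKMP:      hash SHA
Nov  4 17:48:43.071: ISAKMP:      default group 2
Nov  4 17:48:43.071: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov  4 17:48:43.083: ISAKMP:(2002):Checking IPSec proposal 1
Nov  4 17:48:43.083: ISAKMP: transform 1, ESP_AES
Nov  4 17:48:43.083: ISAKMP:      key length is 128
Nov  4 17:48:43.083: IPSEC(ipsec_process_proposal): transform not supported by encryption hardware:
Nov  4 17:48:43.083: ISAKMP:(2002): IPSec policy invalidated proposal with error 512
Nov  4 17:48:43.083: ISAKMP:(2002):Checking IPSec proposal 2
Nov  4 17:48:43.083: ISAKMP: transform 1, ESP_3DES
Nov  4 17:48:43.083: (ipsec_process_proposal)Map Accepted: dyn-map, 10
Nov  4 17:48:43.087: ISAKMP:(2002):Successfully installed IPSEC SA (SPI:0xD30CBDCB) on GigabitEthernet8
Nov  4 17:49:18.119: ISAKMP:(2002): processing DELETE payload. message ID = 1545032874
"""

TS = re.compile(r"^\w{3}\s+\d{1,2} (\d{2}):(\d{2}):(\d{2})\.(\d{3}):")
P1_FIELDS = (("encryption", r"encryption (\S+)"), ("keylength", r"keylength of (\d+)"),
             ("hash", r"hash (\S+)"), ("group", r"default group (\d+)"))
P2_FIELDS = (("esp", r"transform \d+, (ESP_\w+)"), ("keylength", r"key length is (\d+)"))

def ts_seconds(line):
    """Seconds since midnight from the IOS timestamp prefix, or None if the line has none."""
    m = TS.match(line)
    if not m:
        return None
    h, mi, s, ms = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s + ms / 1000

def _fill(cur, line, fields):
    """Copy the first group of every field pattern that matches this line into cur."""
    for key, pat in fields:
        m = re.search(pat, line)
        if m:
            cur[key] = m.group(1)

def parse_phase1(text):
    """Phase 1: each ISAKMP transform the peer offered and the router's verdict on it."""
    transforms, cur = [], None
    for line in text.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+) against priority (\d+) policy", line)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)), "verdict": None,
                   **{k: None for k, _ in P1_FIELDS}}
            transforms.append(cur)
        elif cur is not None:
            _fill(cur, line, P1_FIELDS)
            if "offered does not match policy" in line:
                cur["verdict"] = "rejected: " + line.rsplit(":", 1)[-1].strip()
                cur = None
            elif "atts are acceptable" in line:
                cur["verdict"] = "accepted"
                cur = None
    return transforms

def parse_phase2(text):
    """Phase 2 (quick mode): each ESP proposal and how the IPsec policy ruled on it."""
    proposals, cur = [], None
    for line in text.splitlines():
        m = re.search(r"Checking IPSec proposal (\d+)", line)
        if m:
            cur = {"proposal": int(m.group(1)), "verdict": None, **{k: None for k, _ in P2_FIELDS}}
            proposals.append(cur)
        elif cur is not None:
            _fill(cur, line, P2_FIELDS)
            if "not supported by encryption hardware" in line:
                cur["verdict"] = "rejected: transform not supported by encryption hardware"
            elif "invalidated proposal" in line:
                cur["verdict"] = cur["verdict"] or "rejected: IPsec policy invalidated proposal"
                cur = None
            elif "Map Accepted:" in line:
                cur["verdict"] = "accepted by crypto map " + line.split("Map Accepted:")[1].strip()
                cur = None
    return proposals

def seconds_until_peer_delete(text):
    """Seconds from IPsec SA install to the peer's ISAKMP DELETE, or None if either line is absent."""
    installed = deleted = None
    for line in text.splitlines():
        if installed is None and "Successfully installed IPSEC SA" in line:
            installed = ts_seconds(line)
        elif installed is not None and "processing DELETE payload" in line:
            deleted = ts_seconds(line)
            break
    if installed is None or deleted is None:
        return None
    return round(deleted - installed, 3)
```

On the posted debug it shows that phase 1 only matched the last and weakest transform the client offered (3DES, SHA, group 2, against policy 2), that the client's AES ESP proposal was rejected because the platform reported the transform unsupported by its encryption hardware and the 3DES proposal was accepted by dyn-map 10 instead, and that the peer deleted the SA about 35 seconds after it was installed. IKE and IPsec therefore complete; the session dies afterwards, so the next place to look is the L2TP/PPP exchange inside the tunnel rather than the IKE policies.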