notomy
Joined: 19 Oct 2016, 17:12 Posts: 17
Good afternoon! Please help me figure this out, or point me at the mistake. The situation: I have a Cisco ISR C892FSP, IOS version "Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.4(3)M3". I am trying to set up an L2TP over IPsec VPN; I found several fairly good guides and did everything by them. But at first I could not connect a Windows PC with the built-in client. In the end I did find a solution, by adding the registry parameters ProhibitIpSec = 1 and allowl2tpweakcrypto = 1. This is rather inconvenient, since the registry has to be edited on every client, and in effect the changed registry parameters weaken the encryption. Here is the router's config:
Code:
Building configuration...
Current configuration : 3680 bytes
!
! Last configuration change at 16:58:38 MSK Wed Oct 19 2016 by admin
!
version 15.4
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 warnings
enable secret 5 $1$Gy8y$zqq0du5z.2752ONUOwoSj/
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
aaa session-id common
clock timezone MSK 3 0
!
ip dhcp excluded-address 10.217.68.1 10.217.68.10
ip dhcp excluded-address 10.217.69.1
!
ip dhcp pool l2tp
 network 10.217.69.0 255.255.255.0
 domain-name 1.vpn
 default-router 10.217.69.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool lan
 network 10.217.68.0 255.255.255.0
 domain-name 1.lan
 default-router 10.217.68.1
 dns-server 8.8.8.8 8.8.4.4
!
no ip bootp server
ip domain name 1.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp security crypto-profile ipnetconfig
 no l2tp tunnel authentication
!
cts logging verbose
!
username admin privilege 15 password
username test privilege 0 password 7 03105E1812
!
ip ssh version 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address dhcp
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map cisco
!
interface GigabitEthernet9
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet8
 ip virtual-reassembly in
 peer default ip address dhcp-pool l2tp
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
!
interface Vlan1
 ip address 10.217.68.1 255.255.255.0
 ip nat enable
 ip virtual-reassembly in
!
interface Vlan2
 ip address 10.217.69.1 255.255.255.0
 ip nat enable
 ip virtual-reassembly in
!
ip default-gateway 192.168.0.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat source list vpn interface GigabitEthernet8 overload
ip route static install-routes-recurse-via-nexthop all
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip access-list extended vpn
 permit ip 10.217.0.0 0.0.255.255 any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
19 Oct 2016, 17:29
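An added example, not part of the original post and not a tool from the router vendor: a short Python audit that scans an IOS running-config for the settings in the posted config that force weak crypto onto the client or expose management. It flags the IKE policy that only accepts 3DES with DH group 2, the 3DES transform set, 40-bit MPPE, the pre-shared key bound to any peer address, Telnet on the VTY lines, the reversible type-7 password and the MD5 enable secret. The rule list, the severities and the config excerpt are constructed from the post above and are this example's own assumptions.

```python
"""Audit a Cisco IOS running-config for weak remote-access VPN settings.

Added example for the thread above: the rules, severities and the config
excerpt are constructed from the posted configuration, not from the router.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Excerpt of the posted running-config (constructed sample input).
SAMPLE_CONFIG = """\
enable secret 5 $1$Gy8y$zqq0du5z.2752ONUOwoSj/
username test privilege 0 password 7 03105E1812
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
vpdn-group l2tp
 no l2tp tunnel authentication
interface Virtual-Template1
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
line vty 0 4
 transport input telnet ssh
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str
    rule: str
    text: str


# One regex per weak setting, matched against a single config line.
# Severities are this example's own assumption.
RULES = [
    # PSK valid for any peer address: anyone holding the key can start phase 1
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0(\s|$)", "high", "wildcard-psk"),
    (r"^\s*encr(yption)? 3des$", "medium", "ike-3des"),
    # DH groups 1/2/5; the posted debug shows Windows offering group 2 only last
    (r"^\s*group (1|2|5)$", "medium", "ike-weak-dh"),
    (r"^crypto ipsec transform-set \S+ .*\besp-3des\b", "medium", "ipsec-3des"),
    (r"^\s*ppp encrypt mppe (40|56)\b", "medium", "mppe-short-key"),
    (r"^\s*transport input .*\btelnet\b", "high", "vty-telnet"),
    (r"\bpassword 7 \S+", "high", "type7-password"),  # reversible encoding
    (r"^enable secret 5 ", "low", "md5-enable-secret"),
    (r"^\s*no l2tp tunnel authentication$", "low", "no-l2tp-tunnel-auth"),
]


def audit(config: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, in config order."""
    findings: List[Finding] = []
    for no, line in enumerate(config.splitlines(), start=1):
        for pattern, severity, rule in RULES:
            if re.search(pattern, line):
                findings.append(Finding(no, severity, rule, line.strip()))
    return findings


def by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity label."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def report(config: str) -> str:
    """Human-readable table: severity, config line number, rule, text."""
    rows = [f"{f.severity:<6} L{f.line_no:<3} {f.rule:<20} {f.text}" for f in audit(config)]
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
    print(by_severity(audit(SAMPLE_CONFIG)))
```

Paste the full running-config into SAMPLE_CONFIG (or read it from a file) and every rule above fires on the posted config; the two phase-1 findings (3DES and group 2) are the ones that force the client down to the last transform it offers, as the debug later in the thread shows.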
kr1keee
Joined: 14 Jan 2016, 12:12 Posts: 458
I don't know what your specific problem is, but try entering this command:
Code:
ppp packet throttle 30 1 30
Without it, Windows wouldn't come up for me either, for some reason. But with that command it works without any hacks.
19 Oct 2016, 18:39
Aneye
Joined: 17 Oct 2014, 08:35 Posts: 300 From: Samara
Have you tried connecting from other platforms? What bothers me a bit is this:
Code:
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
The "mode transport": shouldn't that be mode tunnel, given that we are using a crypto map? I even wrote a short article about this once, although as I recall there were problems with Windows there too. Take a look here: http://www.aneyeblog.ru/index.php?controller=post&action=view&id_post=13
19 Oct 2016, 21:00
notomy
Joined: 19 Oct 2016, 17:12 Posts: 17
kr1keee wrote:
I don't know what your specific problem is, but try entering this command: Code: ppp packet throttle 30 1 30 Without it, Windows wouldn't come up for me either, for some reason. But with that command it works without any hacks.

Thanks for the reply! I added the PPP packet throttle, but nothing changed. In case it helps, here is what the router says during the connection:
Code:
*Oct 25 10:43:58.823: ISAKMP (0): received packet from 192.168.0.101 dport 500 sport 500 Global (N) NEW SA
*Oct 25 10:43:58.823: ISAKMP: Created a peer struct for 192.168.0.101, peer port 500
*Oct 25 10:43:58.823: ISAKMP: New peer created peer = 0x11659240 peer_handle = 0x80000003
*Oct 25 10:43:58.823: ISAKMP: Locking peer struct 0x11659240, refcount 1 for crypto_isakmp_process_block
*Oct 25 10:43:58.823: ISAKMP: local port 500, remote port 500
*Oct 25 10:43:58.827: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 25E1498
*Oct 25 10:43:58.827: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:43:58.827: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 25 10:43:58.827: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 25 10:43:58.827: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0):found peer pre-shared key matching 192.168.0.101
*Oct 25 10:43:58.827: ISAKMP:(0): local preshared key found
*Oct 25 10:43:58.827: ISAKMP : Scanning profiles for xauth ...
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP: encryption AES-CBC
*Oct 25 10:43:58.827: ISAKMP: keylength of 256
*Oct 25 10:43:58.827: ISAKMP: hash SHA
*Oct 25 10:43:58.827: ISAKMP: default group 20
*Oct 25 10:43:58.827: ISAKMP: auth pre-share
*Oct 25 10:43:58.827: ISAKMP: life type in seconds
*Oct 25 10:43:58.827: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 25 10:43:58.827: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:43:58.827: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP: encryption AES-CBC
*Oct 25 10:43:58.827: ISAKMP: keylength of 128
*Oct 25 10:43:58.827: ISAKMP: hash SHA
*Oct 25 10:43:58.827: ISAKMP: default group 19
*Oct 25 10:43:58.827: ISAKMP: auth pre-share
*Oct 25 10:43:58.827: ISAKMP: life type in seconds
*Oct 25 10:43:58.827: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 25 10:43:58.827: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:43:58.827: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP: encryption AES-CBC
*Oct 25 10:43:58.827: ISAKMP: keylength of 256
*Oct 25 10:43:58.827: ISAKMP: hash SHA
*Oct 25 10:43:58.827: ISAKMP: default group 14
*Oct 25 10:43:58.827: ISAKMP: auth pre-share
*Oct 25 10:43:58.827: ISAKMP: life type in seconds
*Oct 25 10:43:58.827: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 25 10:43:58.827: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:43:58.827: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP: encryption 3DES-CBC
*Oct 25 10:43:58.827: ISAKMP: hash SHA
*Oct 25 10:43:58.827: ISAKMP: default group 14
*Oct 25 10:43:58.827: ISAKMP: auth pre-share
*Oct 25 10:43:58.827: ISAKMP: life type in seconds
*Oct 25 10:43:58.827: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 25 10:43:58.827: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Oct 25 10:43:58.827: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP: encryption 3DES-CBC
*Oct 25 10:43:58.827: ISAKMP: hash SHA
*Oct 25 10:43:58.827: ISAKMP: default group 2
*Oct 25 10:43:58.827: ISAKMP: auth pre-share
*Oct 25 10:43:58.827: ISAKMP: life type in seconds
*Oct 25 10:43:58.827: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 25 10:43:58.827: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 25 10:43:58.827: ISAKMP:(0):Acceptable atts:actual life: 86400
*Oct 25 10:43:58.827: ISAKMP:(0):Acceptable atts:life: 0
*Oct 25 10:43:58.827: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 25 10:43:58.827: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Oct 25 10:43:58.827: ISAKMP:(0):Returning Actual lifetime: 28800
*Oct 25 10:43:58.827: ISAKMP:(0)::Started lifetime timer: 28800.
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 25 10:43:58.827: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0): processing vendor id payload
*Oct 25 10:43:58.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Oct 25 10:43:58.827: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 10:43:58.827: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 25 10:43:58.827: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct 25 10:43:58.827: ISAKMP:(0): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 25 10:43:58.827: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 25 10:43:58.827: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 10:43:58.827: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Oct 25 10:43:58.831: ISAKMP (0): received packet from 192.168.0.101 dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 25 10:43:58.831: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:43:58.831: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Oct 25 10:43:58.831: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 25 10:43:58.831: ISAKMP:(0): processing NONCE payload. message ID = 0
*Oct 25 10:43:58.831: ISAKMP:(0):found peer pre-shared key matching 192.168.0.101
*Oct 25 10:43:58.831: ISAKMP:received payload type 20
*Oct 25 10:43:58.831: ISAKMP (2002): His hash no match - this node outside NAT
*Oct 25 10:43:58.831: ISAKMP:received payload type 20
*Oct 25 10:43:58.831: ISAKMP (2002): No NAT Found for self or peer
*Oct 25 10:43:58.831: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 10:43:58.831: ISAKMP:(2002):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Oct 25 10:43:58.835: ISAKMP:(2002): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 25 10:43:58.835: ISAKMP:(2002):Sending an IKE IPv4 Packet.
*Oct 25 10:43:58.835: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 10:43:58.835: ISAKMP:(2002):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Oct 25 10:43:58.835: ISAKMP (2002): received packet from 192.168.0.101 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Oct 25 10:43:58.835: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:43:58.835: ISAKMP:(2002):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Oct 25 10:43:58.835: ISAKMP:(2002): processing ID payload. message ID = 0
*Oct 25 10:43:58.835: ISAKMP (2002): ID payload next-payload : 8 type : 1 address : 192.168.0.101 protocol : 0 port : 0 length : 12
*Oct 25 10:43:58.835: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 25 10:43:58.835: ISAKMP:(2002): processing HASH payload. message ID = 0
*Oct 25 10:43:58.835: ISAKMP:(2002):SA authentication status: authenticated
*Oct 25 10:43:58.835: ISAKMP:(2002):SA has been authenticated with 192.168.0.101
*Oct 25 10:43:58.835: ISAKMP: Trying to insert a peer 192.168.0.106/192.168.0.101/500/, and inserted successfully 11659240.
*Oct 25 10:43:58.835: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 10:43:58.835: ISAKMP:(2002):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Oct 25 10:43:58.835: ISAKMP:(2002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Oct 25 10:43:58.835: ISAKMP (2002): ID payload next-payload : 8 type : 1 address : 192.168.0.106 protocol : 17 port : 500 length : 12
*Oct 25 10:43:58.835: ISAKMP:(2002):Total payload length: 12
*Oct 25 10:43:58.835: ISAKMP:(2002): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 25 10:43:58.835: ISAKMP:(2002):Sending an IKE IPv4 Packet.
*Oct 25 10:43:58.835: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 10:43:58.835: ISAKMP:(2002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Oct 25 10:43:58.835: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 25 10:43:58.835: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Oct 25 10:43:58.839: ISAKMP (2002): received packet from 192.168.0.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 25 10:43:58.839: ISAKMP: set new node 1 to QM_IDLE
*Oct 25 10:43:58.839: ISAKMP:(2002): processing HASH payload. message ID = 1
*Oct 25 10:43:58.839: ISAKMP:(2002): processing SA payload. message ID = 1
*Oct 25 10:43:58.839: ISAKMP:(2002):Checking IPSec proposal 1
*Oct 25 10:43:58.839: ISAKMP: transform 1, ESP_AES
*Oct 25 10:43:58.839: ISAKMP: attributes in transform:
*Oct 25 10:43:58.839: ISAKMP: encaps is 2 (Transport)
*Oct 25 10:43:58.839: ISAKMP: key length is 128
*Oct 25 10:43:58.839: ISAKMP: authenticator is HMAC-SHA
*Oct 25 10:43:58.839: ISAKMP: SA life type in seconds
*Oct 25 10:43:58.839: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Oct 25 10:43:58.839: ISAKMP: SA life type in kilobytes
*Oct 25 10:43:58.839: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Oct 25 10:43:58.839: ISAKMP:(2002):atts are acceptable.
*Oct 25 10:43:58.839: IPSEC(validate_proposal_request): proposal part #1
*Oct 25 10:43:58.839: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.)
  INBOUND local= 192.168.0.106:0, remote= 192.168.0.101:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.101/255.255.255.255/17/1701, protocol= ESP, transform= esp-aes esp-sha-hmac (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Oct 25 10:43:58.839: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes esp-sha-hmac }
*Oct 25 10:43:58.839: ISAKMP:(2002): IPSec policy invalidated proposal with error 256
*Oct 25 10:43:58.839: ISAKMP:(2002):Checking IPSec proposal 2
*Oct 25 10:43:58.839: ISAKMP: transform 1, ESP_3DES
*Oct 25 10:43:58.839: ISAKMP: attributes in transform:
*Oct 25 10:43:58.839: ISAKMP: encaps is 2 (Transport)
*Oct 25 10:43:58.839: ISAKMP: authenticator is HMAC-SHA
*Oct 25 10:43:58.839: ISAKMP: SA life type in seconds
*Oct 25 10:43:58.839: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Oct 25 10:43:58.839: ISAKMP: SA life type in kilobytes
*Oct 25 10:43:58.839: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Oct 25 10:43:58.839: ISAKMP:(2002):atts are acceptable.
*Oct 25 10:43:58.839: IPSEC(validate_proposal_request): proposal part #1
*Oct 25 10:43:58.839: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.)
  INBOUND local= 192.168.0.106:0, remote= 192.168.0.101:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.101/255.255.255.255/17/1701, protocol= ESP, transform= esp-3des esp-sha-hmac (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 25 10:43:58.839: (ipsec_process_proposal)Map Accepted: ipnetconfig-map, 10
*Oct 25 10:43:58.839: ISAKMP:(2002): processing NONCE payload. message ID = 1
*Oct 25 10:43:58.839: ISAKMP:(2002): processing ID payload. message ID = 1
*Oct 25 10:43:58.839: ISAKMP:(2002): processing ID payload. message ID = 1
*Oct 25 10:43:58.839: ISAKMP:(2002):QM Responder gets spi
*Oct 25 10:43:58.839: ISAKMP:(2002):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 25 10:43:58.839: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Oct 25 10:43:58.839: ISAKMP:(2002):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Oct 25 10:43:58.839: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Oct 25 10:43:58.839: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 25 10:43:58.839: IPSEC(crypto_ipsec_create_ipsec_sas): Map found ipnetconfig-map, 10
*Oct 25 10:43:58.843: IPSEC(create_sa): sa created, (sa) sa_dest= 192.168.0.106, sa_proto= 50, sa_spi= 0xD5FF3EF0(3590274800), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3 sa_lifetime(k/sec)= (250000/3600), (identity) local= 192.168.0.106:0, remote= 192.168.0.101:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.101/255.255.255.255/17/1701
*Oct 25 10:43:58.843: IPSEC(create_sa): sa created, (sa) sa_dest= 192.168.0.101, sa_proto= 50, sa_spi= 0x72C00E82(1925189250), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4 sa_lifetime(k/sec)= (250000/3600), (identity) local= 192.168.0.106:0, remote= 192.168.0.101:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.101/255.255.255.255/17/1701
*Oct 25 10:43:58.843: ISAKMP: Failed to find peer index node to update peer_info_list
*Oct 25 10:43:58.843: ISAKMP:(2002):Received IPSec Install callback... proceeding with the negotiation
*Oct 25 10:43:58.843: ISAKMP:(2002):Successfully installed IPSEC SA (SPI:0xD5FF3EF0) on GigabitEthernet8
*Oct 25 10:43:58.843: ISAKMP:(2002): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 25 10:43:58.843: ISAKMP:(2002):Sending an IKE IPv4 Packet.
*Oct 25 10:43:58.843: ISAKMP:(2002):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Oct 25 10:43:58.843: ISAKMP:(2002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
*Oct 25 10:43:58.847: ISAKMP (2002): received packet from 192.168.0.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 25 10:43:58.847: ISAKMP:(2002):deleting node 1 error FALSE reason "QM done (await)"
*Oct 25 10:43:58.847: ISAKMP:(2002):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 25 10:43:58.847: ISAKMP:(2002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Oct 25 10:43:58.847: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 25 10:43:58.847: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Oct 25 10:43:58.847: IPSEC: Expand action denied, notify RP
*Oct 25 10:44:05.483: ISAKMP:(2001):purging SA., sa=377F2A8, delme=377F2A8
*Oct 25 10:44:33.875: ISAKMP (2002): received packet from 192.168.0.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 25 10:44:33.875: ISAKMP: set new node -601388558 to QM_IDLE
*Oct 25 10:44:33.875: ISAKMP:(2002): processing HASH payload. message ID = 3693578738
*Oct 25 10:44:33.875: ISAKMP:(2002): processing DELETE payload. message ID = 3693578738
*Oct 25 10:44:33.875: ISAKMP:(2002):peer does not do paranoid keepalives.
*Oct 25 10:44:33.875: ISAKMP:(2002):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x72C00E82)
*Oct 25 10:44:33.875: ISAKMP:(2002):deleting node -601388558 error FALSE reason "Informational (in) state 1"
*Oct 25 10:44:33.879: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 25 10:44:33.879: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5069
*Oct 25 10:44:33.879: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Oct 25 10:44:33.879: IPSEC: still in use sa: 0xFAA2F24
*Oct 25 10:44:33.879: IPSEC(key_engine_delete_sas): delete SA with spi 0x72C00E82 proto 50 for 192.168.0.101
*Oct 25 10:44:33.879: ISAKMP: Failed to find peer index node to update peer_info_list
*Oct 25 10:44:33.879: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 192.168.0.106, sa_proto= 50, sa_spi= 0xD5FF3EF0(3590274800), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3 sa_lifetime(k/sec)= (250000/3600), (identity) local= 192.168.0.106:0, remote= 192.168.0.101:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.101/255.255.255.255/17/1701
*Oct 25 10:44:33.879: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 192.168.0.101, sa_proto= 50, sa_spi= 0x72C00E82(1925189250), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4 sa_lifetime(k/sec)= (250000/3600), (identity) local= 192.168.0.106:0, remote= 192.168.0.101:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.101/255.255.255.255/17/1701
*Oct 25 10:44:33.879: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Oct 25 10:44:33.879: ISAKMP (2002): received packet from 192.168.0.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 25 10:44:33.879: ISAKMP: set new node 225808184 to QM_IDLE
*Oct 25 10:44:33.879: ISAKMP:(2002): processing HASH payload. message ID = 225808184
*Oct 25 10:44:33.879: ISAKMP:(2002): processing DELETE payload. message ID = 225808184
*Oct 25 10:44:33.879: ISAKMP:(2002):peer does not do paranoid keepalives.
*Oct 25 10:44:33.879: ISAKMP:(2002):deleting SA reason "No reason" state (R) QM_IDLE (peer 192.168.0.101)
*Oct 25 10:44:33.879: ISAKMP:(2002):deleting node 225808184 error FALSE reason "Informational (in) state 1"
*Oct 25 10:44:33.879: ISAKMP: set new node 1523228667 to QM_IDLE
*Oct 25 10:44:33.879: ISAKMP:(2002): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 25 10:44:33.879: ISAKMP:(2002):Sending an IKE IPv4 Packet.
*Oct 25 10:44:33.879: ISAKMP:(2002):purging node 1523228667
*Oct 25 10:44:33.879: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 25 10:44:33.879: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Oct 25 10:44:33.879: ISAKMP:(2002):deleting SA reason "No reason" state (R) QM_IDLE (peer 192.168.0.101)
*Oct 25 10:44:33.879: ISAKMP: Unlocking peer struct 0x11659240 for isadb_mark_sa_deleted(), count 0
*Oct 25 10:44:33.879: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:44:33.879: ISAKMP:(2002):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Oct 25 10:44:33.879: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS
*Oct 25 10:44:33.879: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x24D8844 ikmp handle 0x80000003
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x14000003,peer index 0
*Oct 25 10:44:33.879: ISAKMP: Deleting peer node by peer_reap for 192.168.0.101: 11659240
*Oct 25 10:44:33.883: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 25 10:44:48.847: ISAKMP:(2002):purging node 1
*Oct 25 10:45:23.879: ISAKMP:(2002):purging node -601388558
*Oct 25 10:45:23.879: ISAKMP:(2002):purging node 225808184
25 Oct 2016, 14:12
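An added example, not from the original post: a Python parser for the `debug crypto isakmp` output above. It pulls out each ISAKMP transform the client offered with the router's verdict and the reason it gave, and each IPsec proposal with its encapsulation mode and either the reason it was refused or the crypto map that accepted it. The log excerpt is constructed from the posted debug (timestamps and message text as posted); the record layout and the helper names are this example's own.

```python
"""Summarise an IKEv1 negotiation from Cisco `debug crypto isakmp` output.
Added example for the thread above: parser and record layout are this
example's own; SAMPLE_DEBUG is a constructed excerpt of the posted debug."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_DEBUG = """\
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP: encryption AES-CBC
*Oct 25 10:43:58.827: ISAKMP: keylength of 256
*Oct 25 10:43:58.827: ISAKMP: hash SHA
*Oct 25 10:43:58.827: ISAKMP: default group 20
*Oct 25 10:43:58.827: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:43:58.827: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP: encryption 3DES-CBC
*Oct 25 10:43:58.827: ISAKMP: hash SHA
*Oct 25 10:43:58.827: ISAKMP: default group 14
*Oct 25 10:43:58.827: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Oct 25 10:43:58.827: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:43:58.827: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 25 10:43:58.827: ISAKMP: encryption 3DES-CBC
*Oct 25 10:43:58.827: ISAKMP: hash SHA
*Oct 25 10:43:58.827: ISAKMP: default group 2
*Oct 25 10:43:58.827: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 25 10:43:58.839: ISAKMP:(2002):Checking IPSec proposal 1
*Oct 25 10:43:58.839: ISAKMP: transform 1, ESP_AES
*Oct 25 10:43:58.839: ISAKMP: encaps is 2 (Transport)
*Oct 25 10:43:58.839: ISAKMP: authenticator is HMAC-SHA
*Oct 25 10:43:58.839: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes esp-sha-hmac }
*Oct 25 10:43:58.839: ISAKMP:(2002): IPSec policy invalidated proposal with error 256
*Oct 25 10:43:58.839: ISAKMP:(2002):Checking IPSec proposal 2
*Oct 25 10:43:58.839: ISAKMP: transform 1, ESP_3DES
*Oct 25 10:43:58.839: ISAKMP: encaps is 2 (Transport)
*Oct 25 10:43:58.839: ISAKMP: authenticator is HMAC-SHA
*Oct 25 10:43:58.839: (ipsec_process_proposal)Map Accepted: ipnetconfig-map, 10
"""

TIMESTAMP = re.compile(r"^\*\w{3} +\d+ \d\d:\d\d:\d\d\.\d+: ")
START = re.compile(r"Checking (ISAKMP transform|IPSec proposal) (\d+)")
ATTRS = [  # (regex on the timestamp-stripped line, key in entry["attrs"])
    (re.compile(r"ISAKMP:\s+encryption (\S+)$"), "encryption"),
    (re.compile(r"ISAKMP:\s+keylength of (\d+)$"), "keylen"),
    (re.compile(r"ISAKMP:\s+hash (\S+)$"), "hash"),
    (re.compile(r"ISAKMP:\s+default group (\d+)$"), "group"),
    (re.compile(r"ISAKMP:\s+transform \d+, (\S+)$"), "esp"),
    (re.compile(r"ISAKMP:\s+encaps is \d+ \((\w+)\)"), "encaps"),
    (re.compile(r"ISAKMP:\s+authenticator is (\S+)$"), "integrity"),
]
P1_REJECT = re.compile(r":([^:]+) offered does not match policy!")
P2_REJECT = re.compile(r"not supported for identity: \{(.*?)\s*\}")
P2_ACCEPT = re.compile(r"Map Accepted: (\S+), (\d+)")


def parse_negotiation(debug: str) -> Dict[str, List[dict]]:
    """One record per offered transform/proposal: attrs, verdict, reason."""
    result: Dict[str, List[dict]] = {"phase1": [], "phase2": []}
    cur: Optional[dict] = None
    for raw in debug.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        m = START.search(line)
        if m:
            phase = 1 if m.group(1).startswith("ISAKMP") else 2
            cur = {"phase": phase, "number": int(m.group(2)), "attrs": {},
                   "accepted": None, "reason": None}
            result[f"phase{phase}"].append(cur)
            continue
        if cur is None:
            continue
        for pattern, key in ATTRS:
            m = pattern.match(line)
            if m:
                cur["attrs"][key] = m.group(1)
        m = P1_REJECT.search(line)
        if m:
            cur["reason"] = m.group(1).strip()
        if "atts are not acceptable" in line:
            cur["accepted"] = False
        elif "atts are acceptable" in line and cur["phase"] == 1:
            cur["accepted"] = True  # phase 2 still needs a matching transform set
        m = P2_REJECT.search(line)
        if m:
            cur["reason"] = "no transform set for " + m.group(1)
        if "IPSec policy invalidated proposal" in line:
            cur["accepted"] = False
        m = P2_ACCEPT.search(line)
        if m:
            cur["accepted"] = True
            cur["attrs"]["crypto_map"] = f"{m.group(1)} seq {m.group(2)}"
    return result


def negotiated(result: Dict[str, List[dict]]) -> Tuple[Optional[str], Optional[str]]:
    """Short labels for the phase 1 and phase 2 choices that survived."""
    p1 = next((t["attrs"] for t in result["phase1"] if t["accepted"]), None)
    p2 = next((p["attrs"] for p in result["phase2"] if p["accepted"]), None)
    s1 = p1 and f"{p1['encryption']}/{p1['hash']}/group {p1['group']}"
    s2 = p2 and f"{p2['esp']}/{p2['integrity']}/{p2['encaps']}"
    return s1, s2
```

Run `parse_negotiation` over the full debug from the post and it shows the client offering AES with groups 20, 19 and 14 and then 3DES with group 14, all turned down by the router's single policy, with only the last offer (3DES, SHA, group 2) matching; in phase 2 the ESP-AES-128 transport proposal is refused because no transform set matches it, and ESP-3DES in transport mode is accepted by ipnetconfig-map sequence 10. The `encaps` attribute is worth reading off the log before changing the transform set: it records what the peer actually asked for.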
notomy
Joined: 19 Oct 2016, 17:12 Posts: 17
Aneye wrote:
Have you tried connecting from other platforms?

Yes, of course: Apple platforms connect without any problems, but Android only from older versions.

Aneye wrote:
What bothers me a bit is this: Code: crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac mode transport - mode transport. Shouldn't that be mode tunnel, given that we are using a crypto map? I even wrote a short article about this once, although as I recall there were problems with Windows there too. Take a look here: http://www.aneyeblog.ru/index.php?controller=post&action=view&id_post=13

I have no idea how that got in there, but after changing it to tunnel the router now reports that it cannot get through phase 2:
Code:
*Oct 25 10:51:53.691: ISAKMP (0): received packet from 192.168.0.101 dport 500 sport 500 Global (N) NEW SA
*Oct 25 10:51:53.691: ISAKMP: Created a peer struct for 192.168.0.101, peer port 500
*Oct 25 10:51:53.691: ISAKMP: New peer created peer = 0x1A3BDAC peer_handle = 0x80000004
*Oct 25 10:51:53.691: ISAKMP: Locking peer struct 0x1A3BDAC, refcount 1 for crypto_isakmp_process_block
*Oct 25 10:51:53.691: ISAKMP: local port 500, remote port 500
*Oct 25 10:51:53.691: ISAKMP:(0):insert sa successfully sa = 1A3B258
*Oct 25 10:51:53.691: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:51:53.691: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 25 10:51:53.691: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 25 10:51:53.691: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.691: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:51:53.691: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:51:53.691: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.691: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:51:53.691: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 25 10:51:53.695: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0):found peer pre-shared key matching 192.168.0.101
*Oct 25 10:51:53.695: ISAKMP:(0): local preshared key found
*Oct 25 10:51:53.695: ISAKMP : Scanning profiles for xauth ...
*Oct 25 10:51:53.695: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 25 10:51:53.695: ISAKMP: encryption AES-CBC
*Oct 25 10:51:53.695: ISAKMP: keylength of 256
*Oct 25 10:51:53.695: ISAKMP: hash SHA
*Oct 25 10:51:53.695: ISAKMP: default group 20
*Oct 25 10:51:53.695: ISAKMP: auth pre-share
*Oct 25 10:51:53.695: ISAKMP: life type in seconds
*Oct 25 10:51:53.695: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 25 10:51:53.695: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:51:53.695: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:51:53.695: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 25 10:51:53.695: ISAKMP: encryption AES-CBC
*Oct 25 10:51:53.695: ISAKMP: keylength of 128
*Oct 25 10:51:53.695: ISAKMP: hash SHA
*Oct 25 10:51:53.695: ISAKMP: default group 19
*Oct 25 10:51:53.695: ISAKMP: auth pre-share
*Oct 25 10:51:53.695: ISAKMP: life type in seconds
*Oct 25 10:51:53.695: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 25 10:51:53.695: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:51:53.695: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:51:53.695: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 25 10:51:53.695: ISAKMP: encryption AES-CBC
*Oct 25 10:51:53.695: ISAKMP: keylength of 256
*Oct 25 10:51:53.695: ISAKMP: hash SHA
*Oct 25 10:51:53.695: ISAKMP: default group 14
*Oct 25 10:51:53.695: ISAKMP: auth pre-share
*Oct 25 10:51:53.695: ISAKMP: life type in seconds
*Oct 25 10:51:53.695: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 25 10:51:53.695: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 25 10:51:53.695: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:51:53.695: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 25 10:51:53.695: ISAKMP: encryption 3DES-CBC
*Oct 25 10:51:53.695: ISAKMP: hash SHA
*Oct 25 10:51:53.695: ISAKMP: default group 14
*Oct 25 10:51:53.695: ISAKMP: auth pre-share
*Oct 25 10:51:53.695: ISAKMP: life type in seconds
*Oct 25 10:51:53.695: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 25 10:51:53.695: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Oct 25 10:51:53.695: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 25 10:51:53.695: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 25 10:51:53.695: ISAKMP: encryption 3DES-CBC
*Oct 25 10:51:53.695: ISAKMP: hash SHA
*Oct 25 10:51:53.695: ISAKMP: default group 2
*Oct 25 10:51:53.695: ISAKMP: auth pre-share
*Oct 25 10:51:53.695: ISAKMP: life type in seconds
*Oct 25 10:51:53.695: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 25 10:51:53.695: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 25 10:51:53.695: ISAKMP:(0):Acceptable atts:actual life: 86400
*Oct 25 10:51:53.695: ISAKMP:(0):Acceptable atts:life: 0
*Oct 25 10:51:53.695: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 25 10:51:53.695: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Oct 25 10:51:53.695: ISAKMP:(0):Returning Actual lifetime: 28800
*Oct 25 10:51:53.695: ISAKMP:(0)::Started lifetime timer: 28800.
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 25 10:51:53.695: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0): processing vendor id payload
*Oct 25 10:51:53.695: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Oct 25 10:51:53.695: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 10:51:53.695: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 25 10:51:53.695: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct 25 10:51:53.695: ISAKMP:(0): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 25 10:51:53.695: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 25 10:51:53.695: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 10:51:53.695: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Oct 25 10:51:53.699: ISAKMP (0): received packet from 192.168.0.101 dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 25 10:51:53.699: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 10:51:53.699: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Oct 25 10:51:53.699: ISAKMP:(0): processing KE payload. message ID = 0 *Oct 25 10:51:53.699: ISAKMP:(0): processing NONCE payload. message ID = 0 *Oct 25 10:51:53.699: ISAKMP:(0):found peer pre-shared key matching 192.168.0.101 *Oct 25 10:51:53.699: ISAKMP:received payload type 20 *Oct 25 10:51:53.699: ISAKMP (2003): His hash no match - this node outside NAT *Oct 25 10:51:53.699: ISAKMP:received payload type 20 *Oct 25 10:51:53.699: ISAKMP (2003): No NAT Found for self or peer *Oct 25 10:51:53.699: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Oct 25 10:51:53.699: ISAKMP:(2003):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Oct 25 10:51:53.699: ISAKMP:(2003): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH *Oct 25 10:51:53.699: ISAKMP:(2003):Sending an IKE IPv4 Packet. *Oct 25 10:51:53.699: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Oct 25 10:51:53.699: ISAKMP:(2003):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Oct 25 10:51:53.703: ISAKMP (2003): received packet from 192.168.0.101 dport 500 sport 500 Global (R) MM_KEY_EXCH *Oct 25 10:51:53.703: ISAKMP:(2003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Oct 25 10:51:53.703: ISAKMP:(2003):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Oct 25 10:51:53.703: ISAKMP:(2003): processing ID payload. message ID = 0 *Oct 25 10:51:53.703: ISAKMP (2003): ID payload next-payload : 8 type : 1 address : 192.168.0.101 protocol : 0 port : 0 length : 12 *Oct 25 10:51:53.703: ISAKMP:(0):: peer matches *none* of the profiles *Oct 25 10:51:53.703: ISAKMP:(2003): processing HASH payload. message ID = 0 *Oct 25 10:51:53.703: ISAKMP:(2003):SA authentication status: authenticated *Oct 25 10:51:53.703: ISAKMP:(2003):SA has been authenticated with 192.168.0.101 *Oct 25 10:51:53.703: ISAKMP: Trying to insert a peer 192.168.0.106/192.168.0.101/500/, and inserted successfully 1A3BDAC. *Oct 25 10:51:53.703: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Oct 25 10:51:53.703: ISAKMP:(2003):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Oct 25 10:51:53.703: ISAKMP:(2003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR *Oct 25 10:51:53.703: ISAKMP (2003): ID payload next-payload : 8 type : 1 address : 192.168.0.106 protocol : 17 port : 500 length : 12 *Oct 25 10:51:53.703: ISAKMP:(2003):Total payload length: 12 *Oct 25 10:51:53.703: ISAKMP:(2003): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH *Oct 25 10:51:53.703: ISAKMP:(2003):Sending an IKE IPv4 Packet. *Oct 25 10:51:53.703: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Oct 25 10:51:53.703: ISAKMP:(2003):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Oct 25 10:51:53.703: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Oct 25 10:51:53.703: ISAKMP:(2003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Oct 25 10:51:53.707: ISAKMP (2003): received packet from 192.168.0.101 dport 500 sport 500 Global (R) QM_IDLE *Oct 25 10:51:53.707: ISAKMP: set new node 1 to QM_IDLE *Oct 25 10:51:53.707: ISAKMP:(2003): processing HASH payload. message ID = 1 *Oct 25 10:51:53.707: ISAKMP:(2003): processing SA payload. message ID = 1 *Oct 25 10:51:53.707: ISAKMP:(2003):Checking IPSec proposal 1 *Oct 25 10:51:53.707: ISAKMP: transform 1, ESP_AES *Oct 25 10:51:53.707: ISAKMP: attributes in transform: *Oct 25 10:51:53.707: ISAKMP: encaps is 2 (Transport) *Oct 25 10:51:53.707: ISAKMP: key length is 128 *Oct 25 10:51:53.707: ISAKMP: authenticator is HMAC-SHA *Oct 25 10:51:53.707: ISAKMP: SA life type in seconds *Oct 25 10:51:53.707: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 *Oct 25 10:51:53.707: ISAKMP: SA life type in kilobytes *Oct 25 10:51:53.707: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90 *Oct 25 10:51:53.707: ISAKMP:(2003):atts are acceptable. *Oct 25 10:51:53.707: IPSEC(validate_proposal_request): proposal part #1 *Oct 25 10:51:53.707: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) 
INBOUND local= 192.168.0.106:0, remote= 192.168.0.101:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.101/255.255.255.255/17/1701, protocol= ESP, transform= esp-aes esp-sha-hmac (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0 *Oct 25 10:51:53.707: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes esp-sha-hmac } *Oct 25 10:51:53.707: ISAKMP:(2003): IPSec policy invalidated proposal with error 256 *Oct 25 10:51:53.707: ISAKMP:(2003):Checking IPSec proposal 2 *Oct 25 10:51:53.707: ISAKMP: transform 1, ESP_3DES *Oct 25 10:51:53.707: ISAKMP: attributes in transform: *Oct 25 10:51:53.707: ISAKMP: encaps is 2 (Transport) *Oct 25 10:51:53.707: ISAKMP: authenticator is HMAC-SHA *Oct 25 10:51:53.707: ISAKMP: SA life type in seconds *Oct 25 10:51:53.707: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 *Oct 25 10:51:53.707: ISAKMP: SA life type in kilobytes *Oct 25 10:51:53.707: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90 *Oct 25 10:51:53.707: ISAKMP:(2003):atts are acceptable. *Oct 25 10:51:53.707: IPSEC(validate_proposal_request): proposal part #1 *Oct 25 10:51:53.707: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) 
INBOUND local= 192.168.0.106:0, remote= 192.168.0.101:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.101/255.255.255.255/17/1701, protocol= ESP, transform= esp-3des esp-sha-hmac (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Oct 25 10:51:53.707: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x2 *Oct 25 10:51:53.707: ISAKMP:(2003): IPSec policy invalidated proposal with error 1024 *Oct 25 10:51:53.707: ISAKMP:(2003):Checking IPSec proposal 3 *Oct 25 10:51:53.707: ISAKMP: transform 1, ESP_DES *Oct 25 10:51:53.707: ISAKMP: attributes in transform: *Oct 25 10:51:53.707: ISAKMP: encaps is 2 (Transport) *Oct 25 10:51:53.707: ISAKMP: authenticator is HMAC-SHA *Oct 25 10:51:53.707: ISAKMP: SA life type in seconds *Oct 25 10:51:53.707: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 *Oct 25 10:51:53.707: ISAKMP: SA life type in kilobytes *Oct 25 10:51:53.707: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90 *Oct 25 10:51:53.707: ISAKMP:(2003):atts are acceptable. *Oct 25 10:51:53.707: IPSEC(validate_proposal_request): proposal part #1 *Oct 25 10:51:53.707: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 192.168.0.106:0, remote= 192.168.0.101:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.101/255.255.255.255/17/1701, protocol= ESP, transform= esp-des esp-sha-hmac (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 *Oct 25 10:51:53.707: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-des esp-sha-hmac } *Oct 25 10:51:53.707: ISAKMP:(2003): IPSec policy invalidated proposal with error 256 *Oct 25 10:51:53.711: ISAKMP:(2003): phase 2 SA policy not acceptable! 
(local 192.168.0.106 remote 192.168.0.101) *Oct 25 10:51:53.711: ISAKMP: set new node 1461724718 to QM_IDLE *Oct 25 10:51:53.711: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 38617352, message ID = 1461724718 *Oct 25 10:51:53.711: ISAKMP:(2003): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) QM_IDLE *Oct 25 10:51:53.711: ISAKMP:(2003):Sending an IKE IPv4 Packet. *Oct 25 10:51:53.711: ISAKMP:(2003):purging node 1461724718 *Oct 25 10:51:53.711: ISAKMP:(2003):deleting node 1 error TRUE reason "QM rejected" *Oct 25 10:51:53.711: ISAKMP:(2003):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Oct 25 10:51:53.711: ISAKMP:(2003):Old State = IKE_QM_READY New State = IKE_QM_READY *Oct 25 10:51:53.715: ISAKMP (2003): received packet from 192.168.0.101 dport 500 sport 500 Global (R) QM_IDLE *Oct 25 10:51:53.715: ISAKMP: set new node -1376170192 to QM_IDLE *Oct 25 10:51:53.715: ISAKMP:(2003): processing HASH payload. message ID = 2918797104 *Oct 25 10:51:53.715: ISAKMP:(2003): processing DELETE payload. message ID = 2918797104 *Oct 25 10:51:53.715: ISAKMP:(2003):peer does not do paranoid keepalives.
*Oct 25 10:51:53.715: ISAKMP:(2003):deleting SA reason "No reason" state (R) QM_IDLE (peer 192.168.0.101) *Oct 25 10:51:53.715: ISAKMP:(2003):deleting node -1376170192 error FALSE reason "Informational (in) state 1" *Oct 25 10:51:53.715: ISAKMP: set new node -314951178 to QM_IDLE *Oct 25 10:51:53.715: ISAKMP:(2003): sending packet to 192.168.0.101 my_port 500 peer_port 500 (R) QM_IDLE *Oct 25 10:51:53.715: ISAKMP:(2003):Sending an IKE IPv4 Packet. *Oct 25 10:51:53.715: ISAKMP:(2003):purging node -314951178 *Oct 25 10:51:53.715: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL *Oct 25 10:51:53.715: ISAKMP:(2003):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Oct 25 10:51:53.715: ISAKMP:(2003):deleting SA reason "No reason" state (R) QM_IDLE (peer 192.168.0.101) *Oct 25 10:51:53.715: ISAKMP: Unlocking peer struct 0x1A3BDAC for isadb_mark_sa_deleted(), count 0 *Oct 25 10:51:53.715: ISAKMP: Deleting peer node by peer_reap for 192.168.0.101: 1A3BDAC *Oct 25 10:51:53.719: ISAKMP:(2003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Oct 25 10:51:53.719: ISAKMP:(2003):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Oct 25 10:51:53.719: IPSEC(key_engine): got a queue event with 1 KMI message(s) *Oct 25 10:52:43.711: ISAKMP:(2003):purging node 1 *Oct 25 10:52:43.715: ISAKMP:(2003):purging node -1376170192 *Oct 25 10:52:53.715: ISAKMP:(2003):purging SA., sa=1A3B258, delme=1A3B258
25 Oct 2016, 14:19
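The phase 1 part of a `debug crypto isakmp` dump like the one above is easier to read once each "Checking ISAKMP transform N against priority P policy" block is pulled apart into the attributes the peer offered and the verdict IOS printed. The parser below is an added example, not code from this thread or from Cisco; the debug text inside it is constructed in the shape of the thread's output, and the `ios_policy_for` helper renders the `crypto isakmp policy` lines that would accept a given offered transform.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the debug in this thread: the client offers
# several transforms and IOS tests each against its policies in priority order.
SAMPLE_DEBUG = """\
*Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 27 13:59:17.779: ISAKMP: encryption AES-CBC
*Oct 27 13:59:17.779: ISAKMP: keylength of 256
*Oct 27 13:59:17.779: ISAKMP: hash SHA
*Oct 27 13:59:17.779: ISAKMP: default group 20
*Oct 27 13:59:17.779: ISAKMP: auth pre-share
*Oct 27 13:59:17.779: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 2 against priority 9998 policy
*Oct 27 13:59:17.779: ISAKMP: encryption AES-CBC
*Oct 27 13:59:17.779: ISAKMP: keylength of 128
*Oct 27 13:59:17.779: ISAKMP: hash SHA
*Oct 27 13:59:17.779: ISAKMP: default group 19
*Oct 27 13:59:17.779: ISAKMP: auth pre-share
*Oct 27 13:59:17.779: ISAKMP:(0):Proposed key length does not match policy
*Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 3 against priority 9998 policy
*Oct 27 13:59:17.779: ISAKMP: encryption AES-CBC
*Oct 27 13:59:17.779: ISAKMP: keylength of 256
*Oct 27 13:59:17.779: ISAKMP: hash SHA
*Oct 27 13:59:17.779: ISAKMP: default group 14
*Oct 27 13:59:17.779: ISAKMP: auth pre-share
*Oct 27 13:59:17.779: ISAKMP:(0):atts are acceptable. Next payload is 3
"""

@dataclass
class TransformCheck:
    policy: int                       # 'crypto isakmp policy <priority>' under test
    transform: int                    # index of the transform the peer offered
    encryption: Optional[str] = None  # as printed by IOS, e.g. AES-CBC, 3DES-CBC
    keylength: Optional[int] = None   # only printed for AES
    hash_alg: Optional[str] = None
    group: Optional[int] = None       # Diffie-Hellman group
    auth: Optional[str] = None
    reason: Optional[str] = None      # mismatch IOS printed; None when accepted
    accepted: bool = False

# Entries may be one per line or run together (as in a pasted debug); split on
# the '*Mon DD hh:mm:ss' timestamp so both shapes parse, then drop the prefix.
_SPLIT = re.compile(r"\s*(?=\*\w{3}\s+\d+\s+\d)")
_TS = re.compile(r"^\*?\w{3}\s+\d+\s+[\d:.]+:\s*")
_CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
_ATTR = re.compile(r"ISAKMP:\s+(encryption|keylength of|hash|default group|auth)\s+(\S+)")
_REJECT = re.compile(r"ISAKMP:\(\d+\):(.+?)(?: offered)? does not match policy")
_ACCEPT = re.compile(r"ISAKMP:\(\d+\):atts are acceptable")
_FIELDS = {"encryption": ("encryption", str), "keylength of": ("keylength", int),
           "hash": ("hash_alg", str), "default group": ("group", int), "auth": ("auth", str)}

def parse_phase1_checks(debug_text: str) -> list[TransformCheck]:
    """One TransformCheck per (policy, offered transform) pair, in debug order."""
    checks: list[TransformCheck] = []
    current: Optional[TransformCheck] = None
    for entry in _SPLIT.split(debug_text):
        line = _TS.sub("", entry.strip())
        m = _CHECK.search(line)
        if m:
            current = TransformCheck(policy=int(m.group(2)), transform=int(m.group(1)))
            checks.append(current)
            continue
        if current is None:
            continue
        m = _ATTR.search(line)
        if m:
            field, conv = _FIELDS[m.group(1)]
            setattr(current, field, conv(m.group(2)))
            continue
        m = _REJECT.search(line)
        if m:
            current.reason = m.group(1).strip()
        elif _ACCEPT.search(line):
            current.accepted = True
        if "atts are" in line:   # the verdict line closes the record
            current = None
    return checks

def first_accepted(checks: list[TransformCheck]) -> Optional[TransformCheck]:
    # The first accepted pair is the one IKE phase 1 will actually use.
    return next((c for c in checks if c.accepted), None)

# Cipher as printed in the debug -> keyword of the IOS 'encr' policy command.
_ENCR = {"AES-CBC": "aes", "3DES-CBC": "3des", "DES-CBC": "des"}

def ios_policy_for(check: TransformCheck, priority: int) -> list[str]:
    """'crypto isakmp policy' lines that would accept this offered transform."""
    encr = _ENCR.get(check.encryption or "", (check.encryption or "").lower())
    if check.keylength:
        encr = f"{encr} {check.keylength}"   # IOS spells AES-256 as 'encr aes 256'
    return [f"crypto isakmp policy {priority}", f" encr {encr}",
            f" hash {(check.hash_alg or 'sha').lower()}",
            f" authentication {check.auth or 'pre-share'}", f" group {check.group}"]
```

Feed `parse_phase1_checks` the pasted output of `debug crypto isakmp`; the list it returns shows, per policy, which offered transform failed and why, and `first_accepted` gives the pair phase 1 actually negotiated.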
Aneye
Registered: 17 Oct 2014, 08:35 Posts: 300 From: Samara
I didn't read it very closely, but this caught my eye:
Code:
*Oct 25 10:51:53.695: ISAKMP: encryption 3DES-CBC
*Oct 25 10:51:53.695: ISAKMP: hash SHA
*Oct 25 10:51:53.695: ISAKMP: default group 2
*Oct 25 10:51:53.695: ISAKMP: auth pre-share
*Oct 25 10:51:53.695: ISAKMP: life type in seconds
*Oct 25 10:51:53.695: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 25 10:51:53.695: ISAKMP:(0):atts are acceptable.
...
Oct 25 10:51:53.707: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-des esp-sha-hmac }
In your phase 1 the encryption is 3DES-CBC, but the transform set requests esp-des, if I read the debug correctly.
25 Oct 2016, 18:56
notomy
Registered: 19 Oct 2016, 17:12 Posts: 17
Aneye wrote:
I didn't read it very closely, but this caught my eye:
In your phase 1 the encryption is 3DES-CBC, but the transform set requests esp-des, if I read the debug correctly.

As I understand it, it runs through the encryption methods, and if you look further down, a match is found:
Code:
*Oct 25 10:51:53.707: ISAKMP: transform 1, ESP_3DES
*Oct 25 10:51:53.707: ISAKMP: attributes in transform:
*Oct 25 10:51:53.707: ISAKMP: encaps is 2 (Transport)
*Oct 25 10:51:53.707: ISAKMP: authenticator is HMAC-SHA
*Oct 25 10:51:53.707: ISAKMP: SA life type in seconds
*Oct 25 10:51:53.707: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Oct 25 10:51:53.707: ISAKMP: SA life type in kilobytes
*Oct 25 10:51:53.707: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Oct 25 10:51:53.707: ISAKMP:(2003):atts are acceptable.
and despite the match it reports:
Code:
*Oct 25 10:51:53.707: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x2
25 Oct 2016, 20:21
Aneye
Registered: 17 Oct 2014, 08:35 Posts: 300 From: Samara
Phew, show us sh run | s crypto once more.
25 Oct 2016, 21:38
notomy
Registered: 19 Oct 2016, 17:12 Posts: 17
Aneye wrote:
Phew, show us sh run | s crypto once more.

Here you go:
Code:
crypto pki trustpoint TP-self-signed-832665923
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-832665923
 revocation-check none
 rsakeypair TP-self-signed-832665923
crypto pki certificate chain TP-self-signed-832665923
 certificate self-signed 01
  [certificate hex omitted]
  quit
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key ххххххх address 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
crypto ipsec transform-set ipnetconfig esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set ipnetconfig-3des esp-3des esp-sha-hmac
 mode transport
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig-3des
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
crypto map cisco
26 Oct 2016, 15:42
AlexDv
Registered: 23 May 2012, 15:07 Posts: 50
notomy wrote:
Aneye wrote:
Phew, show us sh run | s crypto once more.
Code:
crypto pki trustpoint TP-self-signed-832665923
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600

AES is group 14:
encr aes 256
authentication pre-share
group 14
And yes, 3DES is already "weakcrypto", which is why it complains.
26 Oct 2016, 18:19
notomy
Registered: 19 Oct 2016, 17:12 Posts: 17
AlexDv wrote:
notomy wrote:
Aneye wrote:
Phew, show us sh run | s crypto once more.
Code:
crypto pki trustpoint TP-self-signed-832665923
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600

AES is group 14:
encr aes 256
authentication pre-share
group 14
And yes, 3DES is already "weakcrypto", which is why it complains.

I fixed the config and rebooted the Cisco several times (to be sure), and it still won't connect:
Code:
*Oct 27 13:59:17.775: ISAKMP (0): received packet from 192.168.0.107 dport 500 sport 500 Global (N) NEW SA
*Oct 27 13:59:17.775: ISAKMP: Created a peer struct for 192.168.0.107, peer port 500
*Oct 27 13:59:17.775: ISAKMP: New peer created peer = 0x11D853CC peer_handle = 0x80000002
*Oct 27 13:59:17.775: ISAKMP: Locking peer struct 0x11D853CC, refcount 1 for crypto_isakmp_process_block
*Oct 27 13:59:17.775: ISAKMP: local port 500, remote port 500
*Oct 27 13:59:17.775: ISAKMP:(0):insert sa successfully sa = 314D438
*Oct 27 13:59:17.775: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 27 13:59:17.775: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 27 13:59:17.775: ISAKMP:(0): processing SA payload. message ID = 0 *Oct 27 13:59:17.775: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): processing IKE frag vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0):Support for IKE Fragmentation not enabled *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): processing IKE frag vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0):Support for IKE Fragmentation not enabled *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch *Oct 27 13:59:17.779: ISAKMP (0): vendor ID is NAT-T RFC 3947 *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID is NAT-T v2 *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch *Oct 27 13:59:17.779: ISAKMP:(0):found peer pre-shared key matching 192.168.0.107 *Oct 27 13:59:17.779: ISAKMP:(0): local preshared key found *Oct 27 13:59:17.779: ISAKMP : Scanning profiles for xauth ... 
*Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy *Oct 27 13:59:17.779: ISAKMP: encryption AES-CBC *Oct 27 13:59:17.779: ISAKMP: keylength of 256 *Oct 27 13:59:17.779: ISAKMP: hash SHA *Oct 27 13:59:17.779: ISAKMP: default group 20 *Oct 27 13:59:17.779: ISAKMP: auth pre-share *Oct 27 13:59:17.779: ISAKMP: life type in seconds *Oct 27 13:59:17.779: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 *Oct 27 13:59:17.779: ISAKMP:(0):Encryption algorithm offered does not match policy! *Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy *Oct 27 13:59:17.779: ISAKMP: encryption AES-CBC *Oct 27 13:59:17.779: ISAKMP: keylength of 128 *Oct 27 13:59:17.779: ISAKMP: hash SHA *Oct 27 13:59:17.779: ISAKMP: default group 19 *Oct 27 13:59:17.779: ISAKMP: auth pre-share *Oct 27 13:59:17.779: ISAKMP: life type in seconds *Oct 27 13:59:17.779: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 *Oct 27 13:59:17.779: ISAKMP:(0):Encryption algorithm offered does not match policy! *Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy *Oct 27 13:59:17.779: ISAKMP: encryption AES-CBC *Oct 27 13:59:17.779: ISAKMP: keylength of 256 *Oct 27 13:59:17.779: ISAKMP: hash SHA *Oct 27 13:59:17.779: ISAKMP: default group 14 *Oct 27 13:59:17.779: ISAKMP: auth pre-share *Oct 27 13:59:17.779: ISAKMP: life type in seconds *Oct 27 13:59:17.779: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 *Oct 27 13:59:17.779: ISAKMP:(0):Encryption algorithm offered does not match policy! *Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. 
Next payload is 3 *Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy *Oct 27 13:59:17.779: ISAKMP: encryption 3DES-CBC *Oct 27 13:59:17.779: ISAKMP: hash SHA *Oct 27 13:59:17.779: ISAKMP: default group 14 *Oct 27 13:59:17.779: ISAKMP: auth pre-share *Oct 27 13:59:17.779: ISAKMP: life type in seconds *Oct 27 13:59:17.779: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 *Oct 27 13:59:17.779: ISAKMP:(0):Hash algorithm offered does not match policy! *Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy *Oct 27 13:59:17.779: ISAKMP: encryption 3DES-CBC *Oct 27 13:59:17.779: ISAKMP: hash SHA *Oct 27 13:59:17.779: ISAKMP: default group 2 *Oct 27 13:59:17.779: ISAKMP: auth pre-share *Oct 27 13:59:17.779: ISAKMP: life type in seconds *Oct 27 13:59:17.779: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 *Oct 27 13:59:17.779: ISAKMP:(0):Hash algorithm offered does not match policy! *Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 0 *Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 1 against priority 9998 policy *Oct 27 13:59:17.779: ISAKMP: encryption AES-CBC *Oct 27 13:59:17.779: ISAKMP: keylength of 256 *Oct 27 13:59:17.779: ISAKMP: hash SHA *Oct 27 13:59:17.779: ISAKMP: default group 20 *Oct 27 13:59:17.779: ISAKMP: auth pre-share *Oct 27 13:59:17.779: ISAKMP: life type in seconds *Oct 27 13:59:17.779: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 *Oct 27 13:59:17.779: ISAKMP:(0):Diffie-Hellman group offered does not match policy! *Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. 
Next payload is 3 *Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 2 against priority 9998 policy *Oct 27 13:59:17.779: ISAKMP: encryption AES-CBC *Oct 27 13:59:17.779: ISAKMP: keylength of 128 *Oct 27 13:59:17.779: ISAKMP: hash SHA *Oct 27 13:59:17.779: ISAKMP: default group 19 *Oct 27 13:59:17.779: ISAKMP: auth pre-share *Oct 27 13:59:17.779: ISAKMP: life type in seconds *Oct 27 13:59:17.779: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 *Oct 27 13:59:17.779: ISAKMP:(0):Proposed key length does not match policy *Oct 27 13:59:17.779: ISAKMP:(0):atts are not acceptable. Next payload is 3 *Oct 27 13:59:17.779: ISAKMP:(0):Checking ISAKMP transform 3 against priority 9998 policy *Oct 27 13:59:17.779: ISAKMP: encryption AES-CBC *Oct 27 13:59:17.779: ISAKMP: keylength of 256 *Oct 27 13:59:17.779: ISAKMP: hash SHA *Oct 27 13:59:17.779: ISAKMP: default group 14 *Oct 27 13:59:17.779: ISAKMP: auth pre-share *Oct 27 13:59:17.779: ISAKMP: life type in seconds *Oct 27 13:59:17.779: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80 *Oct 27 13:59:17.779: ISAKMP:(0):atts are acceptable. Next payload is 3 *Oct 27 13:59:17.779: ISAKMP:(0):Acceptable atts:actual life: 86400 *Oct 27 13:59:17.779: ISAKMP:(0):Acceptable atts:life: 0 *Oct 27 13:59:17.779: ISAKMP:(0):Fill atts in sa vpi_length:4 *Oct 27 13:59:17.779: ISAKMP:(0):Fill atts in sa life_in_seconds:28800 *Oct 27 13:59:17.779: ISAKMP:(0):Returning Actual lifetime: 28800 *Oct 27 13:59:17.779: ISAKMP:(0)::Started lifetime timer: 28800.
*Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): processing IKE frag vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0):Support for IKE Fragmentation not enabled *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): processing IKE frag vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0):Support for IKE Fragmentation not enabled *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch *Oct 27 13:59:17.779: ISAKMP (0): vendor ID is NAT-T RFC 3947 *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID is NAT-T v2 *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch *Oct 27 13:59:17.779: ISAKMP:(0): processing vendor id payload *Oct 27 13:59:17.779: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch *Oct 27 13:59:17.779: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Oct 27 13:59:17.779: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 27 13:59:17.779: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID *Oct 27 13:59:17.779: ISAKMP:(0): sending packet to 192.168.0.107 my_port 500 peer_port 500 (R) MM_SA_SETUP *Oct 27 13:59:17.779: ISAKMP:(0):Sending an IKE IPv4 Packet. *Oct 27 13:59:17.779: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Oct 27 13:59:17.779: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Oct 27 13:59:17.787: ISAKMP (0): received packet from 192.168.0.107 dport 500 sport 500 Global (R) MM_SA_SETUP *Oct 27 13:59:17.787: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Oct 27 13:59:17.787: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Oct 27 13:59:17.787: ISAKMP:(0): processing KE payload. message ID = 0 *Oct 27 13:59:17.799: ISAKMP:(0): processing NONCE payload. message ID = 0 *Oct 27 13:59:17.799: ISAKMP:(0):found peer pre-shared key matching 192.168.0.107 *Oct 27 13:59:17.799: ISAKMP:received payload type 20 *Oct 27 13:59:17.799: ISAKMP (2001): His hash no match - this node outside NAT *Oct 27 13:59:17.799: ISAKMP:received payload type 20 *Oct 27 13:59:17.799: ISAKMP (2001): No NAT Found for self or peer *Oct 27 13:59:17.799: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Oct 27 13:59:17.799: ISAKMP:(2001):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Oct 27 13:59:17.799: ISAKMP:(2001): sending packet to 192.168.0.107 my_port 500 peer_port 500 (R) MM_KEY_EXCH *Oct 27 13:59:17.799: ISAKMP:(2001):Sending an IKE IPv4 Packet. *Oct 27 13:59:17.799: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Oct 27 13:59:17.799: ISAKMP:(2001):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Oct 27 13:59:17.811: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) MM_KEY_EXCH *Oct 27 13:59:17.811: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Oct 27 13:59:17.811: ISAKMP:(2001):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Oct 27 13:59:17.815: ISAKMP:(2001): processing ID payload. message ID = 0 *Oct 27 13:59:17.815: ISAKMP (2001): ID payload next-payload : 8 type : 1 address : 192.168.0.107 protocol : 0 port : 0 length : 12 *Oct 27 13:59:17.815: ISAKMP:(0):: peer matches *none* of the profiles *Oct 27 13:59:17.815: ISAKMP:(2001): processing HASH payload. message ID = 0 *Oct 27 13:59:17.815: ISAKMP:(2001):SA authentication status: authenticated *Oct 27 13:59:17.815: ISAKMP:(2001):SA has been authenticated with 192.168.0.107 *Oct 27 13:59:17.815: ISAKMP: Trying to insert a peer 192.168.0.106/192.168.0.107/500/, and inserted successfully 11D853CC. *Oct 27 13:59:17.815: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Oct 27 13:59:17.815: ISAKMP:(2001):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Oct 27 13:59:17.815: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR *Oct 27 13:59:17.815: ISAKMP (2001): ID payload next-payload : 8 type : 1 address : 192.168.0.106 protocol : 17 port : 500 length : 12 *Oct 27 13:59:17.815: ISAKMP:(2001):Total payload length: 12 *Oct 27 13:59:17.815: ISAKMP:(2001): sending packet to 192.168.0.107 my_port 500 peer_port 500 (R) MM_KEY_EXCH *Oct 27 13:59:17.815: ISAKMP:(2001):Sending an IKE IPv4 Packet. *Oct 27 13:59:17.815: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Oct 27 13:59:17.815: ISAKMP:(2001):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Oct 27 13:59:17.815: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *Oct 27 13:59:17.815: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Oct 27 13:59:17.815: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) QM_IDLE
*Oct 27 13:59:17.815: ISAKMP: set new node 1 to QM_IDLE
*Oct 27 13:59:17.815: ISAKMP:(2001): processing HASH payload. message ID = 1
*Oct 27 13:59:17.819: ISAKMP:(2001): processing SA payload. message ID = 1
*Oct 27 13:59:17.819: ISAKMP:(2001):Checking IPSec proposal 1
*Oct 27 13:59:17.819: ISAKMP: transform 1, ESP_AES
*Oct 27 13:59:17.819: ISAKMP: attributes in transform:
*Oct 27 13:59:17.819: ISAKMP: encaps is 2 (Transport)
*Oct 27 13:59:17.819: ISAKMP: key length is 128
*Oct 27 13:59:17.819: ISAKMP: authenticator is HMAC-SHA
*Oct 27 13:59:17.819: ISAKMP: SA life type in seconds
*Oct 27 13:59:17.819: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Oct 27 13:59:17.819: ISAKMP: SA life type in kilobytes
*Oct 27 13:59:17.819: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Oct 27 13:59:17.819: ISAKMP:(2001):atts are acceptable.
*Oct 27 13:59:17.819: IPSEC(validate_proposal_request): proposal part #1
*Oct 27 13:59:17.819: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.0.106:0, remote= 192.168.0.107:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.107/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Oct 27 13:59:17.819: (ipsec_process_proposal)Map Accepted: ipnetconfig-map, 10
*Oct 27 13:59:17.819: ISAKMP:(2001): processing NONCE payload. message ID = 1
*Oct 27 13:59:17.819: ISAKMP:(2001): processing ID payload. message ID = 1
*Oct 27 13:59:17.819: ISAKMP:(2001): processing ID payload. message ID = 1
*Oct 27 13:59:17.819: ISAKMP:(2001):QM Responder gets spi
*Oct 27 13:59:17.819: ISAKMP:(2001):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 27 13:59:17.819: ISAKMP:(2001):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Oct 27 13:59:17.819: ISAKMP:(2001):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Oct 27 13:59:17.819: ISAKMP:(2001):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Oct 27 13:59:17.819: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 27 13:59:17.819: IPSEC(crypto_ipsec_create_ipsec_sas): Map found ipnetconfig-map, 10
*Oct 27 13:59:17.819: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.106, sa_proto= 50,
    sa_spi= 0x3D7B1A7F(1031477887),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 1
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.107:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.107/255.255.255.255/17/1701
*Oct 27 13:59:17.819: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.107, sa_proto= 50,
    sa_spi= 0x724CD3D0(1917637584),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.107:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.107/255.255.255.255/17/1701
*Oct 27 13:59:17.819: ISAKMP: Failed to find peer index node to update peer_info_list
*Oct 27 13:59:17.819: ISAKMP:(2001):Received IPSec Install callback... proceeding with the negotiation
*Oct 27 13:59:17.819: ISAKMP:(2001):Successfully installed IPSEC SA (SPI:0x3D7B1A7F) on GigabitEthernet8
*Oct 27 13:59:17.819: ISAKMP:(2001): sending packet to 192.168.0.107 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 27 13:59:17.819: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Oct 27 13:59:17.819: ISAKMP:(2001):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Oct 27 13:59:17.819: ISAKMP:(2001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
*Oct 27 13:59:17.823: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) QM_IDLE
*Oct 27 13:59:17.823: ISAKMP:(2001):deleting node 1 error FALSE reason "QM done (await)"
*Oct 27 13:59:17.823: ISAKMP:(2001):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 27 13:59:17.823: ISAKMP:(2001):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Oct 27 13:59:17.823: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 27 13:59:17.823: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Oct 27 13:59:17.823: IPSEC: Expand action denied, notify RP
*Oct 27 13:59:52.847: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) QM_IDLE
*Oct 27 13:59:52.847: ISAKMP: set new node 1491250073 to QM_IDLE
*Oct 27 13:59:52.847: ISAKMP:(2001): processing HASH payload. message ID = 1491250073
*Oct 27 13:59:52.847: ISAKMP:(2001): processing DELETE payload. message ID = 1491250073
*Oct 27 13:59:52.847: ISAKMP:(2001):peer does not do paranoid keepalives.
*Oct 27 13:59:52.847: ISAKMP:(2001):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x724CD3D0)
*Oct 27 13:59:52.847: ISAKMP:(2001):deleting node 1491250073 error FALSE reason "Informational (in) state 1"
*Oct 27 13:59:52.847: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 27 13:59:52.847: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5069
*Oct 27 13:59:52.847: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Oct 27 13:59:52.847: IPSEC: still in use sa: 0x11F56B00
*Oct 27 13:59:52.847: IPSEC(key_engine_delete_sas): delete SA with spi 0x724CD3D0 proto 50 for 192.168.0.107
*Oct 27 13:59:52.847: ISAKMP: Failed to find peer index node to update peer_info_list
*Oct 27 13:59:52.847: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.0.106, sa_proto= 50,
    sa_spi= 0x3D7B1A7F(1031477887),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 1
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.107:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.107/255.255.255.255/17/1701
*Oct 27 13:59:52.847: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.0.107, sa_proto= 50,
    sa_spi= 0x724CD3D0(1917637584),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 192.168.0.106:0, remote= 192.168.0.107:0,
    local_proxy= 192.168.0.106/255.255.255.255/17/1701,
    remote_proxy= 192.168.0.107/255.255.255.255/17/1701
*Oct 27 13:59:52.847: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Oct 27 13:59:52.847: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) QM_IDLE
*Oct 27 13:59:52.847: ISAKMP: set new node -1076387541 to QM_IDLE
*Oct 27 13:59:52.847: ISAKMP:(2001): processing HASH payload. message ID = 3218579755
*Oct 27 13:59:52.847: ISAKMP:(2001): processing DELETE payload. message ID = 3218579755
*Oct 27 13:59:52.847: ISAKMP:(2001):peer does not do paranoid keepalives.
*Oct 27 13:59:52.847: ISAKMP:(2001):deleting SA reason "No reason" state (R) QM_IDLE (peer 192.168.0.107)
*Oct 27 13:59:52.847: ISAKMP:(2001):deleting node -1076387541 error FALSE reason "Informational (in) state 1"
*Oct 27 13:59:52.847: ISAKMP: set new node -353122057 to QM_IDLE
*Oct 27 13:59:52.847: ISAKMP:(2001): sending packet to 192.168.0.107 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 27 13:59:52.847: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Oct 27 13:59:52.847: ISAKMP:(2001):purging node -353122057
*Oct 27 13:59:52.847: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 27 13:59:52.847: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Oct 27 13:59:52.847: ISAKMP:(2001):deleting SA reason "No reason" state (R) QM_IDLE (peer 192.168.0.107)
*Oct 27 13:59:52.847: ISAKMP: Unlocking peer struct 0x11D853CC for isadb_mark_sa_deleted(), count 0
*Oct 27 13:59:52.851: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 27 13:59:52.851: ISAKMP:(2001):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Oct 27 13:59:52.851: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS
*Oct 27 13:59:52.851: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x24174E0 ikmp handle 0x80000002
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x14000001,peer index 0
*Oct 27 13:59:52.851: ISAKMP: Deleting peer node by peer_reap for 192.168.0.107: 11D853CC
*Oct 27 13:59:52.851: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 27 14:00:07.823: ISAKMP:(2001):purging node 1
*Oct 27 14:00:42.847: ISAKMP:(2001):purging node 1491250073
*Oct 27 14:00:42.847: ISAKMP:(2001):purging node -1076387541
*Oct 27 14:00:52.847: ISAKMP:(2001):purging SA., sa=314D438, delme=314D438
|
27 Oct 2016, 17:09 |
|
|
AlexDv
Registered: 23 May 2012, 15:07 Posts: 50
|
Code:
*Oct 27 13:59:17.823: ISAKMP:(2001):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Oct 27 13:59:17.823: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 27 13:59:17.823: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Oct 27 13:59:17.823: IPSEC: Expand action denied, notify RP
*Oct 27 13:59:52.847: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) QM_IDLE
*Oct 27 13:59:52.847: ISAKMP: set new node 1491250073 to QM_IDLE
Well, the SA actually did get established: IKE_QM_PHASE2_COMPLETE. But then the connection drops. Is routing to the peer OK? From the config it is not clear who has which address. GigabitEthernet8 - what address does it have? Code:
ip dhcp pool l2tp
 network 10.217.69.0 255.255.255.0
 domain-name 1.vpn
 default-router 10.217.69.1
 dns-server 8.8.8.8 8.8.4.4
interface GigabitEthernet8
 ip address dhcp
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map cisco
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet8
 ip virtual-reassembly in
 peer default ip address dhcp-pool l2tp
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
|
28 Oct 2016, 13:17 |
|
|
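The point AlexDv is making can be checked mechanically: the Phase 2 state machine reaches IKE_QM_PHASE2_COMPLETE, and roughly 35 seconds later the peer sends a DELETE. The script below is an added example (not code from the thread or from Cisco) that reads `debug crypto isakmp` / `debug crypto ipsec` lines of the kind notomy posted, extracts the installed SPIs and the state transitions, and reports how long the SA lived. The sample lines are copied from the debug above; the year 2016 is an assumption taken from the post dates, because IOS timestamps carry none.

```python
"""Summarise an IKEv1/IPsec SA lifecycle from IOS 'debug crypto isakmp' output.

Added example, not from the thread. It answers one question: did IKE/IPsec
finish, and if so how long did the SA live before the peer tore it down?
"""
import re
from datetime import datetime

# Constructed sample: a few lines copied from the debug output posted in the thread.
SAMPLE_DEBUG = """\
*Oct 27 13:59:17.819: ISAKMP:(2001):Successfully installed IPSEC SA (SPI:0x3D7B1A7F) on GigabitEthernet8
*Oct 27 13:59:17.823: ISAKMP:(2001):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Oct 27 13:59:17.823: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Oct 27 13:59:52.847: ISAKMP:(2001): processing DELETE payload. message ID = 1491250073
*Oct 27 13:59:52.847: ISAKMP:(2001):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x724CD3D0)
*Oct 27 13:59:52.847: ISAKMP:(2001):deleting SA reason "No reason" state (R) QM_IDLE (peer 192.168.0.107)
*Oct 27 13:59:52.847: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
"""

# "*Oct 27 13:59:17.823: <message>"; the leading '*' marks an unsynchronised clock.
LINE_RE = re.compile(r"^\*?(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s*(.*)$")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
SPI_RE = re.compile(r"\(SPI:(0x[0-9A-Fa-f]+)\)")


def parse_ts(stamp, year=2016):
    """IOS timestamps carry no year; 2016 is assumed from the thread's post dates."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")


def parse_lines(text):
    """Yield (timestamp, message) for every line that carries a timestamp."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield parse_ts(m.group(1)), m.group(2)


def state_transitions(text):
    """All (old, new) state pairs, in the order they appear."""
    out = []
    for _, msg in parse_lines(text):
        m = STATE_RE.search(msg)
        if m:
            out.append(m.groups())
    return out


def summarize(text):
    """When Phase 2 completed, when the first DELETE arrived, and the gap between them."""
    ev = {"installed_spis": [], "phase2_complete": None, "first_delete": None,
          "phase1_deleted": None, "seconds_up": None}
    for ts, msg in parse_lines(text):
        if "Successfully installed IPSEC SA" in msg:
            ev["installed_spis"].append(SPI_RE.search(msg).group(1))
        elif "New State = IKE_QM_PHASE2_COMPLETE" in msg and ev["phase2_complete"] is None:
            ev["phase2_complete"] = ts
        elif "processing DELETE payload" in msg and ev["first_delete"] is None:
            ev["first_delete"] = ts
        elif "New State = IKE_DEST_SA" in msg and ev["phase1_deleted"] is None:
            ev["phase1_deleted"] = ts
    if ev["phase2_complete"] and ev["first_delete"]:
        ev["seconds_up"] = (ev["first_delete"] - ev["phase2_complete"]).total_seconds()
        ev["verdict"] = ("IKE Phase 2 completed; the peer sent DELETE %.3f s later, so the IKE/IPsec "
                         "negotiation itself succeeded and the failure comes after SA installation"
                         % ev["seconds_up"])
    elif ev["phase2_complete"]:
        ev["verdict"] = "Phase 2 completed and no DELETE was seen"
    else:
        ev["verdict"] = "Phase 2 never completed; look at the Phase 1/2 proposal checks"
    return ev


if __name__ == "__main__":
    s = summarize(SAMPLE_DEBUG)
    print(s["verdict"])
    for old, new in state_transitions(SAMPLE_DEBUG):
        print(f"  {old} -> {new}")
```

Run on the sample it reports a 35.024 s gap between IKE_QM_PHASE2_COMPLETE and the DELETE, which is what separates "IPsec is misconfigured" from "IPsec is fine, something above it (or routing) tears the session down".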
notomy
Registered: 19 Oct 2016, 17:12 Posts: 17
|
AlexDv wrote: Well, the SA actually did get established: IKE_QM_PHASE2_COMPLETE. But then the connection drops. Is routing to the peer OK? From the config it is not clear who has which address. GigabitEthernet8 - what address does it have? Ge8 gets its address via DHCP; the peer is on the same network as the Cisco. The topology is as follows: a router with the 192.168.0.0 network, with the Cisco and the peers connected to it.
|
28 Oct 2016, 14:09 |
|
|
AlexDv
Registered: 23 May 2012, 15:07 Posts: 50
|
notomy wrote: AlexDv wrote: Well, the SA actually did get established: IKE_QM_PHASE2_COMPLETE. But then the connection drops. Is routing to the peer OK? From the config it is not clear who has which address. GigabitEthernet8 - what address does it have? Ge8 gets its address via DHCP; the peer is on the same network as the Cisco. The topology is as follows: a router with the 192.168.0.0 network, with the Cisco and the peers connected to it. Show sh ip rou and sh ip int br, and try to catch the same thing before the drop:
*Oct 27 13:59:17.823: ISAKMP:(2001):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Oct 27 13:59:17.823: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 27 13:59:17.823: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Oct 27 13:59:17.823: IPSEC: Expand action denied, notify RP
Right here:
*Oct 27 13:59:52.847: ISAKMP (2001): received packet from 192.168.0.107 dport 500 sport 500 Global (R) QM_IDLE
*Oct 27 13:59:52.847: ISAKMP: set new node 1491250073 to QM_IDLE
|
28 Oct 2016, 18:01 |
|
|
notomy
Registered: 19 Oct 2016, 17:12 Posts: 17
|
AlexDv wrote: Show sh ip rou and sh ip int br,
and try to catch the same thing before the drop.
sh ip rou Code:
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.0.1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet8
L        192.168.0.106/32 is directly connected, GigabitEthernet8
sh ip int br Code:
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           unassigned      YES unset  down                  down
GigabitEthernet1           unassigned      YES unset  down                  down
GigabitEthernet2           unassigned      YES unset  down                  down
GigabitEthernet3           unassigned      YES unset  down                  down
GigabitEthernet4           unassigned      YES unset  down                  down
GigabitEthernet5           unassigned      YES unset  down                  down
GigabitEthernet6           unassigned      YES unset  down                  down
GigabitEthernet7           unassigned      YES unset  down                  down
GigabitEthernet8           192.168.0.106   YES DHCP   up                    up
GigabitEthernet9           unassigned      YES NVRAM  administratively down down
NVI0                       192.168.0.106   YES unset  up                    up
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          192.168.0.106   YES unset  down                  down
Vlan1                      10.217.68.1     YES NVRAM  down                  down
Vlan2                      10.217.69.1     YES NVRAM  down                  down
The same thing before the drop. sh ip rou Code:
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.0.1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet8
L        192.168.0.106/32 is directly connected, GigabitEthernet8
sh ip int br Code:
GigabitEthernet0           unassigned      YES unset  down                  down
GigabitEthernet1           unassigned      YES unset  down                  down
GigabitEthernet2           unassigned      YES unset  down                  down
GigabitEthernet3           unassigned      YES unset  down                  down
GigabitEthernet4           unassigned      YES unset  down                  down
GigabitEthernet5           unassigned      YES unset  down                  down
GigabitEthernet6           unassigned      YES unset  down                  down
GigabitEthernet7           unassigned      YES unset  down                  down
GigabitEthernet8           192.168.0.106   YES DHCP   up                    up
GigabitEthernet9           unassigned      YES NVRAM  administratively down down
NVI0                       192.168.0.106   YES unset  up                    up
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          192.168.0.106   YES unset  down                  down
Vlan1                      10.217.68.1     YES NVRAM  down                  down
Vlan2                      10.217.69.1     YES NVRAM  down                  down
Notably, with this config the iOS client stopped connecting too =-(
|
28 Oct 2016, 18:12 |
|
|
AlexDv
Registered: 23 May 2012, 15:07 Posts: 50
|
notomy wrote: AlexDv wrote: Show sh ip rou and sh ip int br,
and try to catch the same thing before the drop.
sh ip rou Code:
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.0.1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet8
L        192.168.0.106/32 is directly connected, GigabitEthernet8
sh ip int br Code:
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           unassigned      YES unset  down                  down
GigabitEthernet1           unassigned      YES unset  down                  down
GigabitEthernet2           unassigned      YES unset  down                  down
GigabitEthernet3           unassigned      YES unset  down                  down
GigabitEthernet4           unassigned      YES unset  down                  down
GigabitEthernet5           unassigned      YES unset  down                  down
GigabitEthernet6           unassigned      YES unset  down                  down
GigabitEthernet7           unassigned      YES unset  down                  down
GigabitEthernet8           192.168.0.106   YES DHCP   up                    up
GigabitEthernet9           unassigned      YES NVRAM  administratively down down
NVI0                       192.168.0.106   YES unset  up                    up
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          192.168.0.106   YES unset  down                  down
Vlan1                      10.217.68.1     YES NVRAM  down                  down
Vlan2                      10.217.69.1     YES NVRAM  down                  down
The same thing before the drop. sh ip rou Code:
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.0.1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet8
L        192.168.0.106/32 is directly connected, GigabitEthernet8
sh ip int br Code:
GigabitEthernet0           unassigned      YES unset  down                  down
GigabitEthernet1           unassigned      YES unset  down                  down
GigabitEthernet2           unassigned      YES unset  down                  down
GigabitEthernet3           unassigned      YES unset  down                  down
GigabitEthernet4           unassigned      YES unset  down                  down
GigabitEthernet5           unassigned      YES unset  down                  down
GigabitEthernet6           unassigned      YES unset  down                  down
GigabitEthernet7           unassigned      YES unset  down                  down
GigabitEthernet8           192.168.0.106   YES DHCP   up                    up
GigabitEthernet9           unassigned      YES NVRAM  administratively down down
NVI0                       192.168.0.106   YES unset  up                    up
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          192.168.0.106   YES unset  down                  down
Vlan1                      10.217.68.1     YES NVRAM  down                  down
Vlan2                      10.217.69.1     YES NVRAM  down                  down
Notably, with this config the iOS client stopped connecting too =-( Strange setup with a single interface, since Vlan1 and Vlan2 are not bound to anything. Do it like this. Code:
no int Vlan1
no int Vlan2
interface Virtual-Template1
 no ip unnumbered GigabitEthernet8
 ip address 10.217.69.1 255.255.255.0
 ip virtual-reassembly in
 peer default ip address dhcp-pool l2tp
 no ppp encrypt mppe 40
 ppp authentication ms-chap-v2
|
28 Oct 2016, 19:59 |
|
|
notomy
Registered: 19 Oct 2016, 17:12 Posts: 17
|
AlexDv wrote: Strange setup with a single interface, since Vlan1 and Vlan2 are not bound to anything. Do it like this. Code:
no int Vlan1
no int Vlan2
interface Virtual-Template1
 no ip unnumbered GigabitEthernet8
 ip address 10.217.69.1 255.255.255.0
 ip virtual-reassembly in
 peer default ip address dhcp-pool l2tp
 no ppp encrypt mppe 40
 ppp authentication ms-chap-v2
Hello! I did as you wrote; the result is dismal. Let me explain a little. I have two Ciscos. One is the production box: it is up and working, but to connect Windows platforms the registry parameter prohibitipsec has to be edited, which is not good. The second one, for experiments, is at home. I put the production config on the home box and experimented with it, and the config from message 1 is what came out of that. The network layout is the same at home and at work: an upstream router with the 192.168.0.0 255.255.255.0 network, with the Cisco connected to it by cable on Ge8; all ports are by default in Vlan1 with the 10.217.68.0 255.255.255.0 network, and Vlan2 with the 10.217.69.0 255.255.255.0 network I made for the VPN clients. Here is a copy of the production config: Code:
version 15.4
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GW0
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 warnings
enable secret 5 -------------------------------
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
aaa session-id common
clock timezone MSK 3 0
!
ip dhcp excluded-address 10.217.68.1 10.217.68.10
ip dhcp excluded-address 10.217.69.1
!
ip dhcp pool lan
 network 10.217.68.0 255.255.255.0
 domain-name -----.lan
 default-router 10.217.68.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool l2tp
 network 10.217.69.0 255.255.255.0
 domain-name -----.vpn
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.217.69.1
!
no ip bootp server
ip domain name terra.local
ip name-server --.--.0.4
ip name-server --.--.1.4
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name inspect icmp
ip inspect name inspect tcp
ip inspect name inspect udp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
cts logging verbose
license udi pid C892FSP-K9 sn -------------
license accept end user agreement
license boot module c800 level advipservices
!
username admin privilege 15 password 7 --------------------
username test privilege 0 password 7 ------------------
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key --------- address 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description PrimaryWAN
 ip address dhcp
 ip nat enable
 ip inspect inspect in
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 crypto map cisco
!
interface GigabitEthernet9
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet8
 ip nat enable
 peer default ip address dhcp-pool l2tp
 ppp mtu adaptive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2
!
interface Vlan1
 description LAN
 ip address 10.217.68.1 255.255.255.0
 ip nat enable
 ip inspect inspect in
 ip virtual-reassembly in
!
interface Vlan2
 description VPN
 ip address 10.217.69.1 255.255.255.0
 ip nat enable
 ip inspect inspect in
 ip virtual-reassembly in
!
ip default-gateway 192.168.0.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat source list vpn interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip ssh version 2
!
ip access-list extended vpn
 permit ip 10.217.0.0 0.0.255.255 any
!
logging dmvpn
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 60 0
 privilege level 15
 password 7 -----------------------
 logging synchronous
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server ru.pool.ntp.org
!
end
Searching for a solution led me to another registry parameter: AssumeUDPEncapsulationContextOnSendRule. It allows NAT on both sides of the tunnel, and now I can connect to the production Cisco without prohibitipsec. But here is the catch: with this very same config I cannot connect at home. The connection is not established =-(
|
01 Nov 2016, 16:49 |
|
|
notomy
Registered: 19 Oct 2016, 17:12 Posts: 17
|
Just checked again: it connects to the production box without any problem, but to the home one only with the prohibitipsec change.
|
01 Nov 2016, 20:37 |
|
|
notomy
Registered: 19 Oct 2016, 17:12 Posts: 17
|
Checked sh cry ips sa while connecting. Output: Code:
interface: GigabitEthernet8
    Crypto map tag: cisco, local addr 192.168.0.106

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.106/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (192.168.0.101/255.255.255.255/17/0)
   current_peer 192.168.0.101 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.106, remote crypto endpt.: 192.168.0.101
     plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet8
     current outbound spi: 0xF5A9D32(257596722)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9FAA7DFB(2678750715)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 7, flow_id: Onboard VPN:7, sibling_flags 80000000, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4244740/3392)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF5A9D32(257596722)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 8, flow_id: Onboard VPN:8, sibling_flags 80000000, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4244744/3392)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
So traffic from the Cisco is not going into the tunnel and is not being encrypted?
|
03 Nov 2016, 17:05 |
|
|
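The counters in that output answer notomy's question directly: 31 packets were decrypted and verified, none were encapsulated, so the router is receiving the peer's L2TP traffic through the SA but never sends anything back through it. The script below is an added example (not from the thread or from Cisco) that parses the relevant fields of `show crypto ipsec sa` and turns that asymmetry, plus the legacy 3DES transform, into explicit findings. The sample block is constructed from the output above; the finding texts and their codes are my own.

```python
"""Read the per-SA counters in 'show crypto ipsec sa' and flag a one-way tunnel.

Added example, not from the thread. Realistic input: paste the command output
into SAMPLE_SA (or read it from a file) and look at diagnose().
"""
import re

# Constructed sample, trimmed from the output posted in the thread.
SAMPLE_SA = """\
interface: GigabitEthernet8
    Crypto map tag: cisco, local addr 192.168.0.106

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.106/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (192.168.0.101/255.255.255.255/17/0)
   current_peer 192.168.0.101 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.106, remote crypto endpt.: 192.168.0.101
     current outbound spi: 0xF5A9D32(257596722)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9FAA7DFB(2678750715)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
     outbound esp sas:
      spi: 0xF5A9D32(257596722)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERR_RE = re.compile(r"#(send|recv) errors (\d+)")
TRANSFORM_RE = re.compile(r"transform: (.+?)\s*,")
PFS_RE = re.compile(r"PFS \(Y/N\): ([YN])")


def parse_ipsec_sa(text):
    """Pull the identities, packet counters, error counters, transforms and PFS flag."""
    sa = {"ident": {}, "pkts": {}, "errors": {}, "transforms": set(), "pfs": None}
    for side, addr, mask, prot, port in IDENT_RE.findall(text):
        sa["ident"][side] = {"addr": addr, "mask": mask, "prot": int(prot), "port": int(port)}
    for name, n in COUNTER_RE.findall(text):
        sa["pkts"][name] = int(n)
    for name, n in ERR_RE.findall(text):
        sa["errors"][name] = int(n)
    sa["transforms"].update(t.strip() for t in TRANSFORM_RE.findall(text))
    m = PFS_RE.search(text)
    if m:
        sa["pfs"] = m.group(1) == "Y"
    return sa


def diagnose(sa):
    """Return (code, message) findings; an empty list means nothing stood out."""
    findings = []
    enc, dec = sa["pkts"].get("encaps", 0), sa["pkts"].get("decaps", 0)
    loc, rem = sa["ident"].get("local", {}), sa["ident"].get("remote", {})
    if dec > 0 and enc == 0:
        findings.append(("ONE_WAY_TRAFFIC",
                         f"{dec} packets decrypted but 0 encapsulated: the router's return traffic is not "
                         f"being matched into this SA (local proxy port {loc.get('port')}, remote proxy port "
                         f"{rem.get('port')}); check the crypto ACL/proxy identities and NAT on the path"))
    elif enc > 0 and dec == 0:
        findings.append(("ONE_WAY_TRAFFIC",
                         f"{enc} packets encapsulated but 0 decapsulated: nothing from the peer reaches this SA"))
    for t in sa["transforms"]:
        if "3des" in t or "esp-des" in t or "md5" in t:
            findings.append(("LEGACY_CIPHER", f"transform '{t}' uses a deprecated algorithm"))
    for side, n in sa["errors"].items():
        if n:
            findings.append(("SA_ERRORS", f"{n} {side} errors on this SA"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(parse_ipsec_sa(SAMPLE_SA)):
        print(f"{code}: {msg}")
```

The check that matters here is the first one: a working L2TP/IPsec session shows encaps and decaps counters growing together, because every L2TP control and data packet the router answers must be classified back into the same SA. When only decaps grows, IPsec is doing its job on the receive side and the problem is how the router's own replies are (not) being selected for encryption.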
tr33ks
Registered: 01 Jan 1970, 03:00 Posts: 191
|
I would like to clarify a few things... 1) Code:
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp security crypto-profile ipnetconfig
 no l2tp tunnel authentication
This is from the config in the first message, but there is no such crypto profile... 2) Code: crypto isakmp key --------- address 0.0.0.0 no-xauth OK, so we don't check the login and password... and it worked that way? And what was entered as the login and password in the L2TP client? 3) The registry key prohibitipsec=1 disables IPsec in the L2TP client, so what are we even talking about here?
|
03 Nov 2016, 17:18 |
|
|
notomy
Registered: 19 Oct 2016, 17:12 Posts: 17
|
tr33ks wrote: I would like to clarify a few things... 1) Code:
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp security crypto-profile ipnetconfig
 no l2tp tunnel authentication
This is from the config in the first message, but there is no such crypto profile... 2) Code: crypto isakmp key --------- address 0.0.0.0 no-xauth OK, so we don't check the login and password... and it worked that way? And what was entered as the login and password in the L2TP client? 3) The registry key prohibitipsec=1 disables IPsec in the L2TP client, so what are we even talking about here? 1) The config in message 1 is the result of my wandering around the internet in search of a working config and reading a pile of manuals. The profile was there; apparently I deleted it by accident when pasting it into the message. And at the moment I have taken the config from the production Cisco and am playing with it at home. 2) Hmm... I set up the production box following this article: http://blogconfigs.blogspot.ru/2010/07/configure-l2tp-ipsec-vpn-server-on.html And without a login and password the connection is not established; the login and password are taken from the local database. 3) The funniest thing is that it is precisely with IPsec disabled that the connection goes through on Windows, with the connection type set manually to L2TP\IPSec on the client.
|
03 Nov 2016, 17:50 |
|
|
tr33ks
Registered: 01 Jan 1970, 03:00 Posts: 191
|
It seems to me you are configuring the client incorrectly. I just loaded the config onto a Cisco, and both a Windows 10 PC and an iPhone connected successfully. Restore the registry keys to their previous values and check whether the client is configured correctly. As in the picture: http://prntscr.com/d2yzmk Where it says "key" you put the isakmp key, accordingly.
|
04 Nov 2016, 15:17 |
|
|
notomy
Registered: 19 Oct 2016, 17:12 Posts: 17
|
tr33ks wrote: It seems to me you are configuring the client incorrectly. I just loaded the config onto a Cisco, and both a Windows 10 PC and an iPhone connected successfully. Restore the registry keys to their previous values and check whether the client is configured correctly. As in the picture: http://prntscr.com/d2yzmk Where it says "key" you put the isakmp key, accordingly. You won't believe it, but that is exactly how the clients are configured, absolutely all of them. If the pre-shared key (isakmp key) is not specified on the clients, a connection error is shown. I have reset the home Cisco and want to try configuring it from scratch now; which config did you load? The one from the first message or the one from my production box? I would be glad if you could send me the config that worked for you =-).
|
04 Nov 2016, 15:44 |
|
|
tr33ks
Registered: 01 Jan 1970, 03:00 Posts: 191
|
Odd... but if iOS connects for you and Windows does not, the cause must be somewhere in Windows. Here is the config: Code:
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key kluchik address 0.0.0.0
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
 mode transport
crypto ipsec nat-transparency spi-matching
!
crypto dynamic-map dyn-map 10
 set nat demux
 set transform-set L2TP-Set2
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 no ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map outside_map
!
interface Virtual-Template2
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool L2TP-POOL
 ppp authentication ms-chap-v2
!
ip local pool L2TP-POOL 192.168.2.70 192.168.2.80
|
04 Nov 2016, 16:44 |
|
|
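Worth seeing explicitly is which of the client's IKE Phase 1 proposals those two `crypto isakmp policy` blocks can accept, and why. The script below is an added example (not from the thread or from Cisco) that reproduces the IOS matching order visible in `debug crypto isakmp`: policies are tried from the lowest priority number upward, each against the initiator's transforms in the order offered, and a transform matches when encryption (with key length), hash, authentication and DH group are identical and the offered lifetime is not longer than the policy's. The two policies are tr33ks's (priority 2: 3des/sha/pre-share/group 2; priority 10: aes/md5/pre-share/group 2); the five transforms are the ones the Windows client offers in the debug output notomy posts next in the thread (0x7080 = 28800 s lifetime). The IOS defaults filled in (hash sha, lifetime 86400, `encr aes` meaning AES-128) are stated assumptions, as is the hypothetical stronger policy used for comparison.

```python
"""IKEv1 Phase 1 policy matching in the order IOS shows in 'debug crypto isakmp'.

Added example, not from the thread or from Cisco. Shows why tr33ks's config
ends up on 3DES / DH group 2, and which single policy would instead accept the
client's AES-256 / SHA / group 14 offer.
"""


def policy(priority, encr, keylen=None, hashalg="sha", auth="pre-share", group=2, lifetime=86400):
    """One 'crypto isakmp policy N' block with IOS defaults filled in (assumed defaults)."""
    if encr == "aes" and keylen is None:
        keylen = 128  # 'encr aes' with no length is AES-128 on IOS
    return {"priority": priority, "encr": encr, "keylen": keylen, "hash": hashalg,
            "auth": auth, "group": group, "lifetime": lifetime}


# Router side, from tr33ks's config in the thread.
TR33KS_POLICIES = [
    policy(2, "3des"),
    policy(10, "aes", hashalg="md5"),
]

# Hypothetical stronger policy, not in the thread, used only for comparison below.
STRONG_POLICY = policy(1, "aes", keylen=256, group=14)


def transform(encr, keylen, group, hashalg="sha", auth="pre-share", lifetime=28800):
    return {"encr": encr, "keylen": keylen, "hash": hashalg, "auth": auth,
            "group": group, "lifetime": lifetime}


# Client side: the five transforms the Windows client offered, in the order
# the later debug output lists them (constructed from that output).
WINDOWS_PROPOSALS = [
    transform("aes", 256, 20),
    transform("aes", 128, 19),
    transform("aes", 256, 14),
    transform("3des", None, 14),
    transform("3des", None, 2),
]


def mismatch(pol, prop):
    """Name of the first attribute that stops the transform matching, or None if it matches."""
    if pol["encr"] != prop["encr"] or pol["keylen"] != prop["keylen"]:
        return "encryption"
    if pol["hash"] != prop["hash"]:
        return "hash"
    if pol["auth"] != prop["auth"]:
        return "authentication"
    if pol["group"] != prop["group"]:
        return "dh-group"
    if prop["lifetime"] > pol["lifetime"]:
        return "lifetime"  # IOS accepts an offered lifetime that is <= its own
    return None


def match_policy(policies, proposals):
    """(policy priority, 1-based transform number, negotiated lifetime), or None if nothing matches."""
    for pol in sorted(policies, key=lambda p: p["priority"]):
        for i, prop in enumerate(proposals, start=1):
            if mismatch(pol, prop) is None:
                return pol["priority"], i, min(pol["lifetime"], prop["lifetime"])
    return None


def explain(policies, proposals):
    """One line per (policy, transform) pair, in the order IOS checks them, up to the first match."""
    lines = []
    for pol in sorted(policies, key=lambda p: p["priority"]):
        for i, prop in enumerate(proposals, start=1):
            why = mismatch(pol, prop)
            lines.append(f"transform {i} vs priority {pol['priority']} policy: "
                         + ("acceptable" if why is None else f"{why} does not match"))
            if why is None:
                return lines
    return lines


if __name__ == "__main__":
    print("\n".join(explain(TR33KS_POLICIES, WINDOWS_PROPOSALS)))
    print("negotiated:", match_policy(TR33KS_POLICIES, WINDOWS_PROPOSALS))
    print("with a stronger policy first:", match_policy([STRONG_POLICY] + TR33KS_POLICIES, WINDOWS_PROPOSALS))
```

With tr33ks's two policies the only acceptable combination is transform 5 against priority 2, which is the weakest thing the client offered (3DES with 1024-bit DH). The client is already offering AES-256 / SHA / group 14 as transform 3; a single policy with those parameters placed ahead of the others is what it would take for the router to pick it.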
notomy
Registered: 19 Oct 2016, 17:12 Posts: 17
|
tr33ks wrote: Odd... but if iOS connects for you and Windows does not, the cause must be somewhere in Windows. Anyway, after resetting the Cisco and configuring it with your config, not a single platform connects =-( Here is the debug: Code:
Nov 4 17:48:43.067: ISAKMP (0): received packet from 192.168.0.105 dport 500 sport 500 Global (N) NEW SA
Nov 4 17:48:43.067: ISAKMP: Created a peer struct for 192.168.0.105, peer port 500
Nov 4 17:48:43.067: ISAKMP: New peer created peer = 0x11781EDC peer_handle = 0x80000003
Nov 4 17:48:43.067: ISAKMP: Locking peer struct 0x11781EDC, refcount 1 for crypto_isakmp_process_block
Nov 4 17:48:43.067: ISAKMP: local port 500, remote port 500
Nov 4 17:48:43.067: ISAKMP:(0):insert sa successfully sa = 39F5198
Nov 4 17:48:43.067: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 4 17:48:43.067: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Nov 4 17:48:43.067: ISAKMP:(0): processing SA payload. message ID = 0
Nov 4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.067: ISAKMP:(0): processing IKE frag vendor id payload
Nov 4 17:48:43.067: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.067: ISAKMP:(0): processing IKE frag vendor id payload
Nov 4 17:48:43.067: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.067: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Nov 4 17:48:43.067: ISAKMP (0): vendor ID is NAT-T RFC 3947
Nov 4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.067: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 4 17:48:43.067: ISAKMP:(0): vendor ID is NAT-T v2
Nov 4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.067: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Nov 4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.067: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
Nov 4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.067: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
Nov 4 17:48:43.067: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.067: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
Nov 4 17:48:43.067: ISAKMP:(0):found peer pre-shared key matching 192.168.0.105
Nov 4 17:48:43.067: ISAKMP:(0): local preshared key found
Nov 4 17:48:43.067: ISAKMP : Scanning profiles for xauth ...
Nov 4 17:48:43.067: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
Nov 4 17:48:43.067: ISAKMP: encryption AES-CBC
Nov 4 17:48:43.067: ISAKMP: keylength of 256
Nov 4 17:48:43.067: ISAKMP: hash SHA
Nov 4 17:48:43.067: ISAKMP: default group 20
Nov 4 17:48:43.067: ISAKMP: auth pre-share
Nov 4 17:48:43.067: ISAKMP: life type in seconds
Nov 4 17:48:43.067: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
Nov 4 17:48:43.067: ISAKMP:(0):Encryption algorithm offered does not match policy!
Nov 4 17:48:43.067: ISAKMP:(0):atts are not acceptable. Next payload is 3
Nov 4 17:48:43.067: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
Nov 4 17:48:43.067: ISAKMP: encryption AES-CBC
Nov 4 17:48:43.067: ISAKMP: keylength of 128
Nov 4 17:48:43.067: ISAKMP: hash SHA
Nov 4 17:48:43.067: ISAKMP: default group 19
Nov 4 17:48:43.067: ISAKMP: auth pre-share
Nov 4 17:48:43.067: ISAKMP: life type in seconds
Nov 4 17:48:43.067: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
Nov 4 17:48:43.067: ISAKMP:(0):Encryption algorithm offered does not match policy!
Nov 4 17:48:43.067: ISAKMP:(0):atts are not acceptable. Next payload is 3
Nov 4 17:48:43.067: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
Nov 4 17:48:43.067: ISAKMP: encryption AES-CBC
Nov 4 17:48:43.067: ISAKMP: keylength of 256
Nov 4 17:48:43.067: ISAKMP: hash SHA
Nov 4 17:48:43.067: ISAKMP: default group 14
Nov 4 17:48:43.067: ISAKMP: auth pre-share
Nov 4 17:48:43.067: ISAKMP: life type in seconds
Nov 4 17:48:43.067: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
Nov 4 17:48:43.067: ISAKMP:(0):Encryption algorithm offered does not match policy!
Nov 4 17:48:43.067: ISAKMP:(0):atts are not acceptable. Next payload is 3
Nov 4 17:48:43.071: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
Nov 4 17:48:43.071: ISAKMP: encryption 3DES-CBC
Nov 4 17:48:43.071: ISAKMP: hash SHA
Nov 4 17:48:43.071: ISAKMP: default group 14
Nov 4 17:48:43.071: ISAKMP: auth pre-share
Nov 4 17:48:43.071: ISAKMP: life type in seconds
Nov 4 17:48:43.071: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
Nov 4 17:48:43.071: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
Nov 4 17:48:43.071: ISAKMP:(0):atts are not acceptable. Next payload is 3
Nov 4 17:48:43.071: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
Nov 4 17:48:43.071: ISAKMP: encryption 3DES-CBC
Nov 4 17:48:43.071: ISAKMP: hash SHA
Nov 4 17:48:43.071: ISAKMP: default group 2
Nov 4 17:48:43.071: ISAKMP: auth pre-share
Nov 4 17:48:43.071: ISAKMP: life type in seconds
Nov 4 17:48:43.071: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
Nov 4 17:48:43.071: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 4 17:48:43.071: ISAKMP:(0):Acceptable atts:actual life: 86400
Nov 4 17:48:43.071: ISAKMP:(0):Acceptable atts:life: 0
Nov 4 17:48:43.071: ISAKMP:(0):Fill atts in sa vpi_length:4
Nov 4 17:48:43.071: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
Nov 4 17:48:43.071: ISAKMP:(0):Returning Actual lifetime: 28800
Nov 4 17:48:43.071: ISAKMP:(0)::Started lifetime timer: 28800.

Nov 4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.071: ISAKMP:(0): processing IKE frag vendor id payload
Nov 4 17:48:43.071: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.071: ISAKMP:(0): processing IKE frag vendor id payload
Nov 4 17:48:43.071: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Nov 4 17:48:43.071: ISAKMP (0): vendor ID is NAT-T RFC 3947
Nov 4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 4 17:48:43.071: ISAKMP:(0): vendor ID is NAT-T v2
Nov 4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Nov 4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
Nov 4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
Nov 4 17:48:43.071: ISAKMP:(0): processing vendor id payload
Nov 4 17:48:43.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
Nov 4 17:48:43.071: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 4 17:48:43.071: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Nov 4 17:48:43.071: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Nov 4 17:48:43.071: ISAKMP:(0): sending packet to 192.168.0.105 my_port 500 peer_port 500 (R) MM_SA_SETUP
Nov 4 17:48:43.071: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 4 17:48:43.071: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 4 17:48:43.071: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Nov 4 17:48:43.075: ISAKMP (0): received packet from 192.168.0.105 dport 500 sport 500 Global (R) MM_SA_SETUP
Nov 4 17:48:43.075: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 4 17:48:43.075: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Nov 4 17:48:43.075: ISAKMP:(0): processing KE payload. message ID = 0 Nov 4 17:48:43.075: ISAKMP:(0): processing NONCE payload. message ID = 0 Nov 4 17:48:43.079: ISAKMP:(0):found peer pre-shared key matching 192.168.0.105 Nov 4 17:48:43.079: ISAKMP:received payload type 20 Nov 4 17:48:43.079: ISAKMP (2002): His hash no match - this node outside NAT Nov 4 17:48:43.079: ISAKMP:received payload type 20 Nov 4 17:48:43.079: ISAKMP (2002): No NAT Found for self or peer Nov 4 17:48:43.079: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Nov 4 17:48:43.079: ISAKMP:(2002):Old State = IKE_R_MM3 New State = IKE_R_MM3
Nov 4 17:48:43.079: ISAKMP:(2002): sending packet to 192.168.0.105 my_port 500 peer_port 500 (R) MM_KEY_EXCH Nov 4 17:48:43.079: ISAKMP:(2002):Sending an IKE IPv4 Packet. Nov 4 17:48:43.079: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Nov 4 17:48:43.079: ISAKMP:(2002):Old State = IKE_R_MM3 New State = IKE_R_MM4
Nov 4 17:48:43.079: ISAKMP (2002): received packet from 192.168.0.105 dport 500 sport 500 Global (R) MM_KEY_EXCH Nov 4 17:48:43.079: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Nov 4 17:48:43.079: ISAKMP:(2002):Old State = IKE_R_MM4 New State = IKE_R_MM5
Nov 4 17:48:43.079: ISAKMP:(2002): processing ID payload. message ID = 0 Nov 4 17:48:43.079: ISAKMP (2002): ID payload next-payload : 8 type : 1 address : 192.168.0.105 protocol : 0 port : 0 length : 12 Nov 4 17:48:43.079: ISAKMP:(0):: peer matches *none* of the profiles Nov 4 17:48:43.079: ISAKMP:(2002): processing HASH payload. message ID = 0 Nov 4 17:48:43.079: ISAKMP:(2002):SA authentication status: authenticated Nov 4 17:48:43.079: ISAKMP:(2002):SA has been authenticated with 192.168.0.105 Nov 4 17:48:43.079: ISAKMP: Trying to insert a peer 192.168.0.106/192.168.0.105/500/, and inserted successfully 11781EDC. Nov 4 17:48:43.079: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Nov 4 17:48:43.079: ISAKMP:(2002):Old State = IKE_R_MM5 New State = IKE_R_MM5
Nov 4 17:48:43.079: ISAKMP:(2002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR Nov 4 17:48:43.079: ISAKMP (2002): ID payload next-payload : 8 type : 1 address : 192.168.0.106 protocol : 17 port : 500 length : 12 Nov 4 17:48:43.079: ISAKMP:(2002):Total payload length: 12 Nov 4 17:48:43.079: ISAKMP:(2002): sending packet to 192.168.0.105 my_port 500 peer_port 500 (R) MM_KEY_EXCH Nov 4 17:48:43.083: ISAKMP:(2002):Sending an IKE IPv4 Packet. Nov 4 17:48:43.083: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Nov 4 17:48:43.083: ISAKMP:(2002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Nov 4 17:48:43.083: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE Nov 4 17:48:43.083: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 4 17:48:43.083: ISAKMP (2002): received packet from 192.168.0.105 dport 500 sport 500 Global (R) QM_IDLE Nov 4 17:48:43.083: ISAKMP: set new node 1 to QM_IDLE Nov 4 17:48:43.083: ISAKMP:(2002): processing HASH payload. message ID = 1 Nov 4 17:48:43.083: ISAKMP:(2002): processing SA payload. message ID = 1 Nov 4 17:48:43.083: ISAKMP:(2002):Checking IPSec proposal 1 Nov 4 17:48:43.083: ISAKMP: transform 1, ESP_AES Nov 4 17:48:43.083: ISAKMP: attributes in transform: Nov 4 17:48:43.083: ISAKMP: encaps is 2 (Transport) Nov 4 17:48:43.083: ISAKMP: key length is 128 Nov 4 17:48:43.083: ISAKMP: authenticator is HMAC-SHA Nov 4 17:48:43.083: ISAKMP: SA life type in seconds Nov 4 17:48:43.083: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 Nov 4 17:48:43.083: ISAKMP: SA life type in kilobytes Nov 4 17:48:43.083: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90 Nov 4 17:48:43.083: ISAKMP:(2002):atts are acceptable. Nov 4 17:48:43.083: IPSEC(validate_proposal_request): proposal part #1 Nov 4 17:48:43.083: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) 
INBOUND local= 192.168.0.106:0, remote= 192.168.0.105:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.105/255.255.255.255/17/1701, protocol= ESP, transform= esp-aes esp-sha-hmac (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0 Nov 4 17:48:43.083: IPSEC(ipsec_process_proposal): transform not supported by encryption hardware: {esp-aes esp-sha-hmac } Nov 4 17:48:43.083: ISAKMP:(2002): IPSec policy invalidated proposal with error 512 Nov 4 17:48:43.083: ISAKMP:(2002):Checking IPSec proposal 2 Nov 4 17:48:43.083: ISAKMP: transform 1, ESP_3DES Nov 4 17:48:43.083: ISAKMP: attributes in transform: Nov 4 17:48:43.083: ISAKMP: encaps is 2 (Transport) Nov 4 17:48:43.083: ISAKMP: authenticator is HMAC-SHA Nov 4 17:48:43.083: ISAKMP: SA life type in seconds Nov 4 17:48:43.083: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 Nov 4 17:48:43.083: ISAKMP: SA life type in kilobytes Nov 4 17:48:43.083: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90 Nov 4 17:48:43.083: ISAKMP:(2002):atts are acceptable. Nov 4 17:48:43.083: IPSEC(validate_proposal_request): proposal part #1 Nov 4 17:48:43.083: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 192.168.0.106:0, remote= 192.168.0.105:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.105/255.255.255.255/17/1701, protocol= ESP, transform= esp-3des esp-sha-hmac (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0 Nov 4 17:48:43.083: (ipsec_process_proposal)Map Accepted: dyn-map, 10 Nov 4 17:48:43.083: ISAKMP:(2002): processing NONCE payload. message ID = 1 Nov 4 17:48:43.083: ISAKMP:(2002): processing ID payload. message ID = 1 Nov 4 17:48:43.083: ISAKMP:(2002): processing ID payload. 
message ID = 1 Nov 4 17:48:43.083: ISAKMP:(2002):QM Responder gets spi Nov 4 17:48:43.083: ISAKMP:(2002):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Nov 4 17:48:43.083: ISAKMP:(2002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE Nov 4 17:48:43.083: KMI: Crypto IKMP sending message KEY_MGR_CREATE_IPSEC_SAS to IPSEC key engine. Nov 4 17:48:43.083: ISAKMP:(2002):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI Nov 4 17:48:43.083: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT Nov 4 17:48:43.083: IPSEC(key_engine): got a queue event with 1 KMI message(s) Nov 4 17:48:43.087: KMI: IPSEC key engine received message KEY_MGR_CREATE_IPSEC_SAS from Crypto IKMP. Nov 4 17:48:43.087: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dyn-map, 10 Nov 4 17:48:43.087: KMI: IPSEC key engine sending message KEY_ENG_NOTIFY_QOS_GROUP to Crypto IKMP. Nov 4 17:48:43.087: IPSEC(create_sa): sa created, (sa) sa_dest= 192.168.0.106, sa_proto= 50, sa_spi= 0xD30CBDCB(3540827595), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3 sa_lifetime(k/sec)= (250000/3600), (identity) local= 192.168.0.106:0, remote= 192.168.0.105:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.105/255.255.255.255/17/1701 Nov 4 17:48:43.087: IPSEC(create_sa): sa created, (sa) sa_dest= 192.168.0.105, sa_proto= 50, sa_spi= 0x2E79153C(779687228), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4 sa_lifetime(k/sec)= (250000/3600), (identity) local= 192.168.0.106:0, remote= 192.168.0.105:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.105/255.255.255.255/17/1701 Nov 4 17:48:43.087: ISAKMP: Failed to find peer index node to update peer_info_list Nov 4 17:48:43.087: KMI: IPSEC key engine sending message KEY_ENG_NOTIFY_INCR_COUNT to Crypto IKMP. Nov 4 17:48:43.087: ISAKMP:(2002):Received IPSec Install callback... 
proceeding with the negotiation Nov 4 17:48:43.087: ISAKMP:(2002):Successfully installed IPSEC SA (SPI:0xD30CBDCB) on GigabitEthernet8 Nov 4 17:48:43.087: KMI: Crypto IKMP received message KEY_ENG_NOTIFY_QOS_GROUP from IPSEC key engine. Nov 4 17:48:43.087: KMI: Crypto IKMP received message KEY_ENG_NOTIFY_INCR_COUNT from IPSEC key engine. Nov 4 17:48:43.087: ISAKMP:(2002): sending packet to 192.168.0.105 my_port 500 peer_port 500 (R) QM_IDLE Nov 4 17:48:43.087: ISAKMP:(2002):Sending an IKE IPv4 Packet. Nov 4 17:48:43.087: ISAKMP:(2002):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE Nov 4 17:48:43.087: ISAKMP:(2002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2 Nov 4 17:48:43.087: ISAKMP (2002): received packet from 192.168.0.105 dport 500 sport 500 Global (R) QM_IDLE Nov 4 17:48:43.091: KMI: Crypto IKMP sending message KEY_MGR_SA_ENABLE_OUTBOUND to IPSEC key engine. Nov 4 17:48:43.091: ISAKMP:(2002):deleting node 1 error FALSE reason "QM done (await)" Nov 4 17:48:43.091: ISAKMP:(2002):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Nov 4 17:48:43.091: ISAKMP:(2002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE Nov 4 17:48:43.091: IPSEC(key_engine): got a queue event with 1 KMI message(s) Nov 4 17:48:43.091: KMI: IPSEC key engine received message KEY_MGR_SA_ENABLE_OUTBOUND from Crypto IKMP. Nov 4 17:48:43.091: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP Nov 4 17:48:43.091: IPSEC: Expand action denied, notify RP
Nov 4 17:49:18.119: ISAKMP (2002): received packet from 192.168.0.105 dport 500 sport 500 Global (R) QM_IDLE Nov 4 17:49:18.119: ISAKMP: set new node 1545032874 to QM_IDLE Nov 4 17:49:18.119: ISAKMP:(2002): processing HASH payload. message ID = 1545032874 Nov 4 17:49:18.119: ISAKMP:(2002): processing DELETE payload. message ID = 1545032874 Nov 4 17:49:18.119: ISAKMP:(2002):peer does not do paranoid keepalives.
Nov 4 17:49:18.119: KMI: Crypto IKMP sending message KEY_MGR_DELETE_SAS to IPSEC key engine. Nov 4 17:49:18.119: ISAKMP:(2002):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x2E79153C) Nov 4 17:49:18.119: ISAKMP:(2002):deleting node 1545032874 error FALSE reason "Informational (in) state 1" Nov 4 17:49:18.119: ISAKMP (2002): received packet from 192.168.0.105 dport 500 sport 500 Global (R) QM_IDLE Nov 4 17:49:18.119: ISAKMP: set new node 1230826502 to QM_IDLE Nov 4 17:49:18.119: ISAKMP:(2002): processing HASH payload. message ID = 1230826502 Nov 4 17:49:18.119: ISAKMP:(2002): processing DELETE payload. message ID = 1230826502 Nov 4 17:49:18.119: ISAKMP:(2002):peer does not do paranoid keepalives.
Nov 4 17:49:18.119: ISAKMP:(2002):deleting SA reason "No reason" state (R) QM_IDLE (peer 192.168.0.105) Nov 4 17:49:18.119: ISAKMP:(2002):deleting node 1230826502 error FALSE reason "Informational (in) state 1" Nov 4 17:49:18.119: IPSEC(key_engine): got a queue event with 1 KMI message(s) Nov 4 17:49:18.119: KMI: IPSEC key engine received message KEY_MGR_DELETE_SAS from Crypto IKMP. Nov 4 17:49:18.119: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5103 Nov 4 17:49:18.119: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP Nov 4 17:49:18.119: IPSEC: still in use sa: 0x390A76C Nov 4 17:49:18.119: IPSEC(key_engine_delete_sas): delete SA with spi 0x2E79153C proto 50 for 192.168.0.105 Nov 4 17:49:18.119: ISAKMP: Failed to find peer index node to update peer_info_list Nov 4 17:49:18.119: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 192.168.0.106, sa_proto= 50, sa_spi= 0xD30CBDCB(3540827595), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3 sa_lifetime(k/sec)= (250000/3600), (identity) local= 192.168.0.106:0, remote= 192.168.0.105:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.105/255.255.255.255/17/1701 Nov 4 17:49:18.119: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 192.168.0.105, sa_proto= 50, sa_spi= 0x2E79153C(779687228), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4 sa_lifetime(k/sec)= (250000/3600), (identity) local= 192.168.0.106:0, remote= 192.168.0.105:0, local_proxy= 192.168.0.106/255.255.255.255/17/1701, remote_proxy= 192.168.0.105/255.255.255.255/17/1701 Nov 4 17:49:18.119: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Nov 4 17:49:18.119: ISAKMP: set new node -1570398965 to QM_IDLE Nov 4 17:49:18.119: ISAKMP:(2002): sending packet to 192.168.0.105 my_port 500 peer_port 500 (R) QM_IDLE Nov 4 17:49:18.119: ISAKMP:(2002):Sending an IKE IPv4 Packet. 
Nov 4 17:49:18.119: ISAKMP:(2002):purging node -1570398965 Nov 4 17:49:18.119: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL Nov 4 17:49:18.119: ISAKMP:(2002):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Nov 4 17:49:18.119: ISAKMP:(2002):deleting SA reason "No reason" state (R) QM_IDLE (peer 192.168.0.105) Nov 4 17:49:18.119: ISAKMP: Unlocking peer struct 0x11781EDC for isadb_mark_sa_deleted(), count 0 Nov 4 17:49:18.119: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Nov 4 17:49:18.119: ISAKMP:(2002):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Nov 4 17:49:18.123: KMI: IPSEC key engine sending message KEY_ENG_NOTIFY_DECR_COUNT to Crypto IKMP. Nov 4 17:49:18.123: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS Nov 4 17:49:18.123: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB IPSEC get IKMP peer index from peer 0x265FF70 ikmp handle 0x80000003 IPSEC IKMP peer index 0 [ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x14000003,peer index 0
Nov 4 17:49:18.123: KMI: Crypto IKMP received message KEY_ENG_NOTIFY_DECR_COUNT from IPSEC key engine.
Nov 4 17:49:18.123: KMI: Crypto IKMP sending message KEY_MGR_SESSION_CLOSED to IPSEC key engine. Nov 4 17:49:18.123: ISAKMP: Deleting peer node by peer_reap for 192.168.0.105: 11781EDC Nov 4 17:49:18.123: IPSEC(key_engine): got a queue event with 1 KMI message(s) Nov 4 17:49:18.123: KMI: IPSEC key engine received message KEY_MGR_SESSION_CLOSED from Crypto IKMP.
Nov 4 17:49:33.091: ISAKMP:(2002):purging node 1
Phase 2 of the negotiation completes and then it gets stuck; afterwards the client (iOS) reports that the server did not respond, and the Windows 10 client says the same.
04 Nov 2016, 20:57
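Read as a whole, the debug output above tells a clear story: the router's priority 2 ISAKMP policy rejects every AES transform the client offers (transforms 1 to 3 fail on the encryption algorithm, transform 4 on the DH group) and accepts only transform 5, 3DES/SHA/DH group 2; in phase 2 the esp-aes proposal is discarded as "transform not supported by encryption hardware" and esp-3des is taken; the IPsec SA installed at 17:48:43 is torn down by DELETE payloads from the peer at 17:49:18, about 35 seconds later. The script below is an added example, not code from this thread or from Cisco, that condenses such a capture so those facts can be read off without walking the log by hand. SAMPLE_LOG is a constructed excerpt of the entries above; the weak-crypto baseline it applies (DES/3DES, MD5, MODP groups below 14) is this example's own assumption, not anything the router reports.

```python
# Added example (not code from the thread): summarise a Cisco IOS
# "debug crypto isakmp" capture - which IKE phase 1 transforms the client
# offered, which one the router's policy accepted and whether it is weak,
# and how long the IPsec SA lived before the peer sent a DELETE.
import re
from datetime import datetime

# Constructed excerpt: a subset of the entries from the debug output posted
# above, one entry per line as IOS prints them.
SAMPLE_LOG = """\
Nov 4 17:48:43.067: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
Nov 4 17:48:43.067: ISAKMP: encryption AES-CBC
Nov 4 17:48:43.067: ISAKMP: keylength of 256
Nov 4 17:48:43.067: ISAKMP: hash SHA
Nov 4 17:48:43.067: ISAKMP: default group 20
Nov 4 17:48:43.067: ISAKMP:(0):Encryption algorithm offered does not match policy!
Nov 4 17:48:43.067: ISAKMP:(0):atts are not acceptable. Next payload is 3
Nov 4 17:48:43.071: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
Nov 4 17:48:43.071: ISAKMP: encryption 3DES-CBC
Nov 4 17:48:43.071: ISAKMP: hash SHA
Nov 4 17:48:43.071: ISAKMP: default group 14
Nov 4 17:48:43.071: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
Nov 4 17:48:43.071: ISAKMP:(0):atts are not acceptable. Next payload is 3
Nov 4 17:48:43.071: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
Nov 4 17:48:43.071: ISAKMP: encryption 3DES-CBC
Nov 4 17:48:43.071: ISAKMP: hash SHA
Nov 4 17:48:43.071: ISAKMP: default group 2
Nov 4 17:48:43.071: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 4 17:48:43.087: ISAKMP:(2002):Successfully installed IPSEC SA (SPI:0xD30CBDCB) on GigabitEthernet8
Nov 4 17:49:18.119: ISAKMP:(2002): processing DELETE payload. message ID = 1545032874
"""

TS_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): (.*)$")
CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
REASON_RE = re.compile(r"ISAKMP:\(\d+\):(.+ does not match policy)!")
ATTR_PATTERNS = [  # attribute lines printed under each "Checking ISAKMP transform"
    (re.compile(r"^ISAKMP: encryption (\S+)"), "encryption"),
    (re.compile(r"^ISAKMP: keylength of (\d+)"), "keylength"),
    (re.compile(r"^ISAKMP: hash (\S+)"), "hash"),
    (re.compile(r"^ISAKMP: default group (\d+)"), "group"),
]

def parse_entries(text):
    """Return (timestamp, message) pairs; lines without an IOS timestamp are skipped."""
    out = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def parse_phase1_transforms(entries):
    """One dict per offered phase 1 transform: attributes, policy checked, verdict, reason."""
    transforms, cur = [], None
    for _, msg in entries:
        m = CHECK_RE.search(msg)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                   "attrs": {}, "accepted": None, "reason": None}
            transforms.append(cur)
            continue
        if cur is None or cur["accepted"] is not None:
            continue  # not inside an open transform block (e.g. phase 2 lines)
        for pat, key in ATTR_PATTERNS:
            a = pat.match(msg)
            if a:
                cur["attrs"][key] = a.group(1)
        r = REASON_RE.search(msg)
        if r:
            cur["reason"] = r.group(1)
        if "atts are not acceptable" in msg:
            cur["accepted"] = False
        elif "atts are acceptable" in msg:
            cur["accepted"] = True
    return transforms

def weak_attributes(attrs):
    """Assumed baseline: flag DES/3DES, MD5 and MODP groups below 14 (1, 2, 5)."""
    findings = []
    if attrs.get("encryption") in ("DES-CBC", "3DES-CBC"):
        findings.append("encryption " + attrs["encryption"])
    if attrs.get("hash") == "MD5":
        findings.append("hash MD5")
    if "group" in attrs and int(attrs["group"]) < 14:
        findings.append("DH group " + attrs["group"])
    return findings

def sa_lifetime_seconds(entries):
    """Seconds from 'Successfully installed IPSEC SA' to the next DELETE payload; None if absent."""
    fmt, installed = "%b %d %H:%M:%S.%f", None
    for ts, msg in entries:
        if installed is None and "Successfully installed IPSEC SA" in msg:
            installed = datetime.strptime(ts, fmt)
        elif installed is not None and "processing DELETE payload" in msg:
            return (datetime.strptime(ts, fmt) - installed).total_seconds()
    return None

def summarize(text):
    """Offers, rejections with reason, accepted transform with weak attributes, SA lifetime."""
    entries = parse_entries(text)
    transforms = parse_phase1_transforms(entries)
    return {
        "offered": len(transforms),
        "rejected": [(t["transform"], t["reason"]) for t in transforms if t["accepted"] is False],
        "accepted": [(t["transform"], t["attrs"], weak_attributes(t["attrs"]))
                     for t in transforms if t["accepted"]],
        "ipsec_sa_lifetime_s": sa_lifetime_seconds(entries),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed a full capture's text to summarize() to get the same summary for a real session. An accepted transform that comes back with findings was chosen by the router's own policy (the log says so with "does not match policy" on every stronger offer), so that is where the weak choice is decided, and a short SA lifetime ending in a peer-initiated DELETE points at what happens after the tunnel is up rather than at the IKE negotiation itself.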