URL: https://www.opennet.ru/cgi-bin/openforum/vsluhboard.cgi
Форум: vsluhforumID6
Нить номер: 20090
[ Назад ]

Исходное сообщение
"Easy VPN Site-to-Site"

Отправлено mansell , 23-Ноя-09 15:41 
замучался уже с site-to-site VPN (коннекты с PC VPN Client проходят отлично). А циски между собой не цепляются. Вернее цепляются очень иногда - что и как я не смог отловить. Судя по мануалу - там настраивать-то нечего. Но что-то не растет кокос третий день. Помогите, а ? )

Easy VPN Server (лишнее убрал):


!
hostname VPN_server
!
!
aaa new-model
!
!
aaa authentication login userauth local
aaa authorization network vpnclient local
!
username cisco password 0 cisco123
!
!
!
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.50.200 no-xauth
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain test.com
pool remote_user
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 1
set transform-set myset
reverse-route
!
!
crypto map dynmap client authentication list userauth
crypto map dynmap isakmp authorization list vpnclient
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address 192.168.50.100 255.255.255.0
crypto map dynmap
!
ip local pool remote_user 10.10.10.50 10.10.10.100
!

Easy VPN Client:


!
no aaa new-model
!
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
!
crypto ipsec client ezvpn vpnclient
connect auto
group vpnclient key cisco123
mode client
peer 192.168.50.100
xauth userid mode interactive
!
!
username cisco password 0 cisco123
!
interface Loopback0
ip address 172.0.19.1 255.255.255.0
crypto ipsec client ezvpn vpnclient inside
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 192.168.50.200 255.255.255.0
crypto ipsec client ezvpn vpnclient
!

debug crypto isa:

*Nov 23 12:26:29.347: ISAKMP (0:0): received packet from 192.168.50.200 dport 500 sport 500 Global (N) NEW SA
*Nov 23 12:26:29.347: ISAKMP: Created a peer struct for 192.168.50.200, peer port 500
*Nov 23 12:26:29.347: ISAKMP: New peer created peer = 0x643558F0 peer_handle = 0x80000017
*Nov 23 12:26:29.347: ISAKMP: Locking peer struct 0x643558F0, IKE refcount 1 for crypto_isakmp_process_block
*Nov 23 12:26:29.347: ISAKMP:(0:0:N/A:0):Setting client config settings 64EFCFB8
*Nov 23 12:26:29.347: ISAKMP: local port 500, remote port 500
*Nov 23 12:26:29.347: insert sa successfully sa = 6500C5B8
*Nov 23 12:26:29.347: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Nov 23 12:26:29.347: ISAKMP:(0:0:N/A:0): processing ID payload. message ID = 0
*Nov 23 12:26:29.351: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : vpnclient
        protocol     : 17
        port         : 0
        length       : 17
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0):: peer matches *none* of the profiles
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Nov 23 12:26:29.351: ISAKMP (0:0): vendor ID is NAT-T v7
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Nov 23 12:26:29.351: ISAKMP : Scanning profiles for xauth ...
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 3 policy
*Nov 23 12:26:29.351: ISAKMP:      encryption AES-CBC
*Nov 23 12:26:29.351: ISAKMP:      keylength of 128
*Nov 23 12:26:29.351: ISAKMP:      hash SHA
*Nov 23 12:26:29.351: ISAKMP:      default group 2
*Nov 23 12:26:29.351: ISAKMP:      auth XAUTHInitPreShared
*Nov 23 12:26:29.351: ISAKMP:      life type in seconds
*Nov 23 12:26:29.351: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 3 policy
*Nov 23 12:26:29.351: ISAKMP:      encryption AES-CBC
*Nov 23 12:26:29.351: ISAKMP:      keylength of 128
*Nov 23 12:26:29.351: ISAKMP:      hash MD5
*Nov 23 12:26:29.351: ISAKMP:      default group 2
*Nov 23 12:26:29.351: ISAKMP:      auth XAUTHInitPreShared
*Nov 23 12:26:29.351: ISAKMP:      life type in seconds
*Nov 23 12:26:29.351: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Nov 23 12:26:29.351: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 3 policy

/тут перебор других комбинаций алгоритмов/

policy!
*Nov 23 12:26:29.375: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Nov 23 12:26:29.375: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 20 against priority 65535 policy
*Nov 23 12:26:29.375: ISAKMP:      encryption DES-CBC
*Nov 23 12:26:29.375: ISAKMP:      hash MD5
*Nov 23 12:26:29.375: ISAKMP:      default group 2
*Nov 23 12:26:29.375: ISAKMP:      auth pre-share
*Nov 23 12:26:29.375: ISAKMP:      life type in seconds
*Nov 23 12:26:29.375: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Nov 23 12:26:29.375: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
*Nov 23 12:26:29.375: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
*Nov 23 12:26:29.375: ISAKMP:(0:0:N/A:0):no offers accepted!
*Nov 23 12:26:29.375: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local 192.168.50.100 remote 192.168.50.200)
*Nov 23 12:26:29.379: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): sending packet to 192.168.50.200 my_port 500 peer_port 500 (R) AG_NO_STATE
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STA
TE (peer 192.168.50.200)
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Nov 23 12:26:29.379: ISAKMP (0:0): vendor ID is NAT-T v7
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): processing KE payload. message ID = 0
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0): group size changed! Should be 0, is 128
*Nov 23 12:26:29.379: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Nov 23 12:26:29.379: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_READY

*Nov 23 12:26:29.379: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.50.200
*Nov 23 12:26:29.379: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STA
TE (peer 192.168.50.200)
*Nov 23 12:26:29.379: ISAKMP: Unlocking IKE struct 0x643558F0 for isadb_mark_sa_deleted(), count 0
*Nov 23 12:26:29.379: ISAKMP: Deleting peer node by peer_reap for 192.168.50.200: 643558F0
*Nov 23 12:26:29.383: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Nov 23 12:26:29.383: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_DEST_SA
*Nov 23 12:27:45.823: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.50.200



Содержание

Сообщения в этом обсуждении
"Easy VPN Site-to-Site"
Отправлено denp , 23-Ноя-09 16:58 
КЛЮЧЕВЫЕ КОМАНДЫ:

1) на сервере:

username XXX privilege 0 password XXXX

crypto isakmp client configuration group XXXX
key XXXX
pool XXXX
save-password


2) на клиенте:

crypto ipsec client ezvpn XXXX
connect auto
group XXXX key XXXX
mode network-plus
username XXXX password XXXX
xauth userid mode local


interface FastEthernet4
crypto ipsec client ezvpn XXXX

interface Vlan1
  crypto ipsec client ezvpn XXXX inside


"Easy VPN Site-to-Site"
Отправлено mansell , 24-Ноя-09 08:50 
команды ввел) не помогло - те же самые логи.

VPN_client#
*Mar  5 23:28:31.767: ISAKMP:(0):purging SA., sa=829AE5C0, delme=829AE5C0
*Mar  5 23:28:48.311: ISAKMP: quick mode timer expired.
*Mar  5 23:28:48.311: ISAKMP:(0):src 192.168.50.200 dst 192.168.50.100, SA is not authenticated
*Mar  5 23:28:48.311: ISAKMP:(0):peer does not do paranoid keepalives.

*Mar  5 23:28:48.311: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) AG_INIT_EXCH (peer 192.168.50.100)
*Mar  5 23:28:48.311: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) AG_INIT_EXCH (peer 192.168.50.100)
*Mar  5 23:28:48.311: ISAKMP: Unlocking peer struct 0x82642E50 for isadb_mark_sa_deleted(), count 0
*Mar  5 23:28:48.311: ISAKMP: Deleting peer node by peer_reap for 192.168.50.100: 82642E50
*Mar  5 23:28:48.311: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  5 23:28:48.311: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_DEST_SA

*Mar  5 23:28:48.311: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpnclient  Client_public_addr=192.168.50.
00  Server_public_addr=192.168.50.100
*Mar  5 23:28:49.983: del_node src 192.168.50.200:500 dst 192.168.50.100:500 fvrf 0x0, ivrf 0x0
*Mar  5 23:28:49.983: ISAKMP:(0):peer does not do paranoid keepalives.

*Mar  5 23:28:49.983: ISAKMP:(0): SA request profile is (NULL)
*Mar  5 23:28:49.983: ISAKMP: Created a peer struct for 192.168.50.100, peer port 500
*Mar  5 23:28:49.983: ISAKMP: New peer created peer = 0x82642E50 peer_handle = 0x80000004
*Mar  5 23:28:49.983: ISAKMP: Locking peer struct 0x82642E50, refcount 1 for isakmp_initiator
*Mar  5 23:28:49.983: ISAKMP:(0):Setting client config settings 8263CDAC
*Mar  5 23:28:49.983: ISAKMP: local port 500, remote port 500
*Mar  5 23:28:49.983: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82D3E418
*Mar  5 23:28:49.983: ISAKMP:(0): client mode configured.
*Mar  5 23:28:49.987: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar  5 23:28:49.987: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  5 23:28:49.987: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  5 23:28:49.987: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  5 23:28:49.987: ISKAMP: growing send buffer from 1024 to 3072
*Mar  5 23:28:49.987: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Mar  5 23:28:49.987: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : vpnclient
        protocol     : 17
        port         : 0
        length       : 17
*Mar  5 23:28:49.987: ISAKMP:(0):Total payload length: 17
*Mar  5 23:28:49.987: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar  5 23:28:49.987: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

*Mar  5 23:28:49.987: ISAKMP:(0): beginning Aggressive Mode exchange
*Mar  5 23:28:49.987: ISAKMP:(0): sending packet to 192.168.50.100 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  5 23:28:49.987: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  5 23:28:50.023: ISAKMP (0:0): received packet from 192.168.50.100 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar  5 23:28:50.023: ISAKMP:(0):Notify has no hash. Rejected.
*Mar  5 23:28:50.027: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_AM1
*Mar  5 23:28:50.027: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  5 23:28:50.027: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_I_AM1

*Mar  5 23:28:50.027: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.50.100
*Mar  5 23:29:48.311: ISAKMP:(0):purging SA., sa=82DF067C, delme=82DF067C
*Mar  5 23:30:04.983: ISAKMP: quick mode timer expired.
*Mar  5 23:30:04.983: ISAKMP:(0):src 192.168.50.200 dst 192.168.50.100, SA is not authenticated
*Mar  5 23:30:04.983: ISAKMP:(0):peer does not do paranoid keepalives.

*Mar  5 23:30:04.983: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) AG_INIT_EXCH (peer 192.168.50.100)
*Mar  5 23:30:04.983: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) AG_INIT_EXCH (peer 192.168.50.100)
*Mar  5 23:30:04.983: ISAKMP: Unlocking peer struct 0x82642E50 for isadb_mark_sa_deleted(), count 0
*Mar  5 23:30:04.983: ISAKMP: Deleting peer node by peer_reap for 192.168.50.100: 82642E50
*Mar  5 23:30:04.983: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  5 23:30:04.983: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_DEST_SA

*Mar  5 23:30:04.983: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpnclient  Client_public_addr=192.168.50.
00  Server_public_addr=192.168.50.100
*Mar  5 23:30:04.987: ISAKMP:isadb_key_addr_delete: no key for address 192.168.50.100 (NULL root)
*Mar  5 23:30:06.367: del_node src 192.168.50.200:500 dst 192.168.50.100:500 fvrf 0x0, ivrf 0x0
*Mar  5 23:30:06.367: ISAKMP:(0):peer does not do paranoid keepalives.

*Mar  5 23:30:06.367: ISAKMP:(0): SA request profile is (NULL)
*Mar  5 23:30:06.367: ISAKMP: Created a peer struct for 192.168.50.100, peer port 500
*Mar  5 23:30:06.367: ISAKMP: New peer created peer = 0x82642E50 peer_handle = 0x80000005
*Mar  5 23:30:06.367: ISAKMP: Locking peer struct 0x82642E50, refcount 1 for isakmp_initiator
*Mar  5 23:30:06.367: ISAKMP:(0):Setting client config settings 82DF0DA4
*Mar  5 23:30:06.367: ISAKMP: local port 500, remote port 500
*Mar  5 23:30:06.367: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82DF0628
*Mar  5 23:30:06.367: ISAKMP:(0): client mode configured.
*Mar  5 23:30:06.371: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar  5 23:30:06.371: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  5 23:30:06.371: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  5 23:30:06.371: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  5 23:30:06.371: ISKAMP: growing send buffer from 1024 to 3072
*Mar  5 23:30:06.371: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Mar  5 23:30:06.371: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : vpnclient
        protocol     : 17
        port         : 0
        length       : 17
*Mar  5 23:30:06.371: ISAKMP:(0):Total payload length: 17
*Mar  5 23:30:06.371: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar  5 23:30:06.371: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

*Mar  5 23:30:06.371: ISAKMP:(0): beginning Aggressive Mode exchange
*Mar  5 23:30:06.371: ISAKMP:(0): sending packet to 192.168.50.100 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  5 23:30:06.371: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  5 23:30:06.407: ISAKMP (0:0): received packet from 192.168.50.100 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar  5 23:30:06.407: ISAKMP:(0):Notify has no hash. Rejected.
*Mar  5 23:30:06.407: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_AM1
*Mar  5 23:30:06.407: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  5 23:30:06.407: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_I_AM1

*Mar  5 23:30:06.407: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.50.100


"Easy VPN Site-to-Site"
Отправлено mansell , 24-Ноя-09 08:52 
VPN_server#
*Nov 24 05:40:52.619: ISAKMP:(0:0:N/A:0):Authentication method offered does not match policy!
*Nov 24 05:40:52.619: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Nov 24 05:40:52.619: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 20 against priority 65535 policy
*Nov 24 05:40:52.623: ISAKMP:      encryption DES-CBC
*Nov 24 05:40:52.623: ISAKMP:      hash MD5
*Nov 24 05:40:52.623: ISAKMP:      default group 2
*Nov 24 05:40:52.623: ISAKMP:      auth pre-share
*Nov 24 05:40:52.623: ISAKMP:      life type in seconds
*Nov 24 05:40:52.623: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0):no offers accepted!
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local 192.168.50.100 remote 192.168.50.200)
*Nov 24 05:40:52.623: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): sending packet to 192.168.50.200 my_port 500 peer_port 500 (R) AG_NO_STATE
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STA
TE (peer 192.168.50.200)
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Nov 24 05:40:52.623: ISAKMP (0:0): vendor ID is NAT-T v7
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): processing KE payload. message ID = 0
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0): group size changed! Should be 0, is 128
*Nov 24 05:40:52.623: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Nov 24 05:40:52.623: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Nov 24 05:40:52.623: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_READY

*Nov 24 05:40:52.623: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.50.200
*Nov 24 05:40:52.627: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STA
TE (peer 192.168.50.200)
*Nov 24 05:40:52.627: ISAKMP: Unlocking IKE struct 0x64DDF120 for isadb_mark_sa_deleted(), count 0
*Nov 24 05:40:52.627: ISAKMP: Deleting peer node by peer_reap for 192.168.50.200: 64DDF120
*Nov 24 05:40:52.627: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Nov 24 05:40:52.627: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_DEST_SA


"Easy VPN Site-to-Site"
Отправлено mansell , 24-Ноя-09 10:00 
>[оверквотинг удален]
> mode network-plus
> username XXXX password XXXX
> xauth userid mode local
>
>
>interface FastEthernet4
> crypto ipsec client ezvpn XXXX
>
>interface Vlan1
>  crypto ipsec client ezvpn XXXX inside

спасибо ))) завелось )))

после удаления crypto isakmp key cisco123 address 192.168.50.200 no-xauth