Исходное сообщение
"Не могу поднять VPN IPSec tunnel между CISCO 2821 и Linux"
Отправлено lesha4ever, 23-Июл-09 11:28 
>>>а почему опять dynamic-map?
>>>я ж дал пример.
>>
>>А как я туда впихну своих виндовых? Там пример без них. А
>>они то все на одном внешнем интерфейсе живут.
>
>ну что ты за странный человек....
>ты хоть попробовал, один и тот же мап, с разными приоритетами, но
>второй без dynamic
>ты хоть пробуй чтоль.

Попробовал.
Не работает. Описываю все симптомы.

Конфиг циски:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 30
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key SECRETKEY1 address X.X.X.X
crypto isakmp key SECRETKEY2 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2TP esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set L2TP_V ah-sha-hmac esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set SITE_TO_SITE esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map L2TP_D 10
set transform-set L2TP L2TP_V
!
!
!
crypto map L2TP 1 ipsec-isakmp
set peer X.X.X.X
set transform-set SITE_TO_SITE
set pfs group2
match address CRYPTO_ACL_IPSec
crypto map L2TP 20 ipsec-isakmp dynamic L2TP_D
!
ip access-list extended CRYPTO_ACL_IPSec
remark SDM_ACL Category=20
permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit icmp 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
permit icmp 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255

router_2800#sh crypto ipsec sa interface GigabitEthernet0/0
protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer X.X.X.X port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: Y.Y.Y.Y, remote crypto endpt.: X.X.X.X
     path mtu 1480, ip mtu 1480
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

    protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer X.X.X.X port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: Y.Y.Y.Y, remote crypto endpt.: X.X.X.X
     path mtu 1480, ip mtu 1480
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
  protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/1/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/1/0)
   current_peer X.X.X.X port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: Y.Y.Y.Y, remote crypto endpt.: X.X.X.X
     path mtu 1480, ip mtu 1480
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/1/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/1/0)
   current_peer X.X.X.X port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: Y.Y.Y.Y, remote crypto endpt.: X.X.X.X
     path mtu 1480, ip mtu 1480
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


конфиг линукса
remote Y.Y.Y.Y
{
        exchange_mode main, aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address X.X.X.X;
        initial_contact on;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 192.168.0.0/24 any address 10.0.1.0/24 any {
                pfs_group 2; # pfs_group modp768;
                encryption_algorithm 3des;
                authentication_algorithm hmac_md5;
                compression_algorithm deflate;
        }

[root@mon]~# setkey -DP
10.1.1.0/24[any] 192.168.0.0/24[any] any
        in prio def ipsec
        esp/tunnel/Y.Y.Y.Y-X.X.X.X/require
        ah/tunnel/Y.Y.Y.Y-X.X.X.X/require
        created: Jul 23 10:12:44 2009  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=5512 seq=4 pid=5302
        refcnt=1
192.168.0.0/24[any] 10.1.1.0/24[any] any
        out prio def ipsec
        esp/tunnel/X.X.X.X-Y.Y.Y.Y/require
        ah/tunnel/X.X.X.X-Y.Y.Y.Y/require
        created: Jul 23 10:12:44 2009  lastused: Jul 23 10:12:53 2009
        lifetime: 0(s) validtime: 0(s)
        spid=5505 seq=3 pid=5302
        refcnt=2
10.1.1.0/24[any] 192.168.0.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/Y.Y.Y.Y-X.X.X.X/require
        ah/tunnel/Y.Y.Y.Y-X.X.X.X/require
        created: Jul 23 10:12:44 2009  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=5522 seq=2 pid=5302
        refcnt=1
(per-socket policy)
        in none
        created: Jul 23 10:12:44 2009  lastused: Jul 23 10:12:53 2009
        lifetime: 0(s) validtime: 0(s)
        spid=5531 seq=1 pid=5302
        refcnt=1
(per-socket policy)
        out none
        created: Jul 23 10:12:44 2009  lastused: Jul 23 10:12:53 2009
        lifetime: 0(s) validtime: 0(s)
        spid=5540 seq=0 pid=5302
        refcnt=1

При пинге со стороны циски
    Jul 23 10:22:39 mon racoon: INFO: respond new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Jul 23 10:22:39 mon racoon: INFO: begin Identity Protection mode.
Jul 23 10:22:39 mon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Jul 23 10:22:39 mon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jul 23 10:22:39 mon racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 23 10:22:39 mon racoon: INFO: received Vendor ID: CISCO-UNITY
Jul 23 10:22:39 mon racoon: INFO: received Vendor ID: DPD
Jul 23 10:22:39 mon racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jul 23 10:22:39 mon racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Jul 23 10:22:39 mon racoon: INFO: ISAKMP-SA established X.X.X.X[500]-Y.Y.Y.Y[500] spi:1f36d2df0946dd2f:3ede2786fed9cd
2e
Jul 23 10:22:39 mon racoon: INFO: respond new phase 2 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Jul 23 10:22:39 mon racoon: ERROR: not matched
Jul 23 10:22:39 mon racoon: ERROR: no suitable policy found.
Jul 23 10:22:39 mon racoon: ERROR: failed to pre-process packet.
Jul 23 10:22:39 mon racoon: INFO: purging ISAKMP-SA spi=1f36d2df0946dd2f:3ede2786fed9cd2e.
Jul 23 10:22:39 mon racoon: INFO: purged ISAKMP-SA spi=1f36d2df0946dd2f:3ede2786fed9cd2e.
Jul 23 10:22:40 mon racoon: INFO: ISAKMP-SA deleted X.X.X.X[500]-Y.Y.Y.Y[500] spi:1f36d2df0946dd2f:3ede2786fed9cd2e

Jul 23 10:24:49 10.1.1.1 157159: 108854: Jul 23 09:24:48.239 PCTime: ISAKMP:(0:10:SW:1):: peer matches *none* of the profiles
Jul 23 10:24:49 10.1.1.1 157160: 108855: Jul 23 09:24:48.239 PCTime: ISAKMP:(0:10:SW:1): processing HASH payload. message ID = 0
Jul 23 10:24:49 10.1.1.1 157161: 108856: Jul 23 09:24:48.239 PCTime: CryptoEngine0: generate hmac context for conn id 10
Jul 23 10:24:49 10.1.1.1 157162: 108857: Jul 23 09:24:48.239 PCTime: ISAKMP:(0:10:SW:1):SA authentication status:
Jul 23 10:24:49 10.1.1.1 157163:        authenticated
Jul 23 10:24:49 10.1.1.1 157164: 108858: Jul 23 09:24:48.239 PCTime: ISAKMP:(0:10:SW:1):SA has been authenticated with X.X.X.X
Jul 23 10:24:49 10.1.1.1 157165: 108859: Jul 23 09:24:48.239 PCTime: ISAKMP: Trying to insert a peer Y.Y.Y.Y/X.X.X.X/500/,  and inser
ted successfully 4468F960.
Jul 23 10:24:49 10.1.1.1 157166: 108860: Jul 23 09:24:48.239 PCTime: ISAKMP:(0:10:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 23 10:24:49 10.1.1.1 157167: 108861: Jul 23 09:24:48.239 PCTime: ISAKMP:(0:10:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
Jul 23 10:24:49 10.1.1.1 157168:
Jul 23 10:24:49 10.1.1.1 157169: 108862: Jul 23 09:24:48.239 PCTime: ISAKMP:(0:10:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 23 10:24:49 10.1.1.1 157170: 108863: Jul 23 09:24:48.239 PCTime: ISAKMP:(0:10:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6
Jul 23 10:24:49 10.1.1.1 157171:
Jul 23 10:24:49 10.1.1.1 157172: 108864: Jul 23 09:24:48.239 PCTime: CryptoEngine0: clear dh number for conn id 3
Jul 23 10:24:49 10.1.1.1 157173: 108865: Jul 23 09:24:48.239 PCTime: ISAKMP:(0:10:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 23 10:24:49 10.1.1.1 157174: 108866: Jul 23 09:24:48.239 PCTime: ISAKMP:(0:10:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Jul 23 10:24:49 10.1.1.1 157175:
Jul 23 10:24:49 10.1.1.1 157176: 108867: Jul 23 09:24:48.243 PCTime: ISAKMP:(0:10:SW:1):beginning Quick Mode exchange, M-ID of -818982025
Jul 23 10:24:49 10.1.1.1 157177: 108868: Jul 23 09:24:48.243 PCTime: CryptoEngine0: generating alg parameter for connid 10
Jul 23 10:24:49 10.1.1.1 157178: 108869: Jul 23 09:24:48.263 PCTime: CRYPTO_ENGINE: Dh phase 1 status: 0
Jul 23 10:24:49 10.1.1.1 157179: 108870: Jul 23 09:24:48.263 PCTime: CRYPTO_ENGINE: Dh phase 1 status: OK
Jul 23 10:24:49 10.1.1.1 157180: 108871: Jul 23 09:24:48.267 PCTime: CryptoEngine0: generate hmac context for conn id 10
Jul 23 10:24:49 10.1.1.1 157181: 108872: Jul 23 09:24:48.267 PCTime: ISAKMP:(0:10:SW:1): sending packet to X.X.X.X my_port 500 peer_port 500
(I) QM_IDLE
Jul 23 10:24:49 10.1.1.1 157182: 108873: Jul 23 09:24:48.267 PCTime: ISAKMP:(0:10:SW:1):Node -818982025, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jul 23 10:24:49 10.1.1.1 157183: 108874: Jul 23 09:24:48.267 PCTime: ISAKMP:(0:10:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jul 23 10:24:49 10.1.1.1 157184: 108875: Jul 23 09:24:48.267 PCTime: ISAKMP:(0:10:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jul 23 10:24:49 10.1.1.1 157185: 108876: Jul 23 09:24:48.267 PCTime: ISAKMP:(0:10:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Jul 23 10:24:49 10.1.1.1 157186:
Jul 23 10:24:49 10.1.1.1 157187: 108877: Jul 23 09:24:48.315 PCTime: ISAKMP (0:134217738): received packet from X.X.X.X dport 500 sport 500
Global (I) QM_IDLE
Jul 23 10:24:49 10.1.1.1 157188: 108878: Jul 23 09:24:48.315 PCTime: ISAKMP: set new node -587284616 to QM_IDLE
Jul 23 10:24:49 10.1.1.1 157189: 108879: Jul 23 09:24:48.315 PCTime: CryptoEngine0: generate hmac context for conn id 10
Jul 23 10:24:49 10.1.1.1 157190: 108880: Jul 23 09:24:48.315 PCTime: ISAKMP:(0:10:SW:1): processing HASH payload. message ID = -587284616
Jul 23 10:24:49 10.1.1.1 157191: 108881: Jul 23 09:24:48.315 PCTime: ISAKMP:(0:10:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
Jul 23 10:24:49 10.1.1.1 157192:        spi 0, message ID = -587284616, sa = 4463B944
Jul 23 10:24:49 10.1.1.1 157193: 108882: Jul 23 09:24:48.315 PCTime: ISAKMP:(0:10:SW:1):peer does not do paranoid keepalives.
Jul 23 10:24:49 10.1.1.1 157194:
Jul 23 10:24:49 10.1.1.1 157195: 108883: Jul 23 09:24:48.315 PCTime: ISAKMP:(0:10:SW:1):deleting SA reason "Recevied fatal informational" state (I)
QM_IDLE       (peer X.X.X.X)
Jul 23 10:24:49 10.1.1.1 157196: 108884: Jul 23 09:24:48.315 PCTime: ISAKMP:(0:10:SW:1):deleting node -587284616 error FALSE reason "Informational
(in) state 1"
Jul 23 10:24:49 10.1.1.1 157197: 108885: Jul 23 09:24:48.315 PCTime: ISAKMP:(0:10:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jul 23 10:24:49 10.1.1.1 157198: 108886: Jul 23 09:24:48.315 PCTime: ISAKMP:(0:10:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Jul 23 10:24:49 10.1.1.1 157199:
Jul 23 10:24:49 10.1.1.1 157200: 108887: Jul 23 09:24:48.315 PCTime: ISAKMP: set new node -1051703389 to QM_IDLE
Jul 23 10:24:49 10.1.1.1 157201: 108888: Jul 23 09:24:48.315 PCTime: CryptoEngine0: generate hmac context for conn id 10
Jul 23 10:24:49 10.1.1.1 157202: 108889: Jul 23 09:24:48.315 PCTime: ISAKMP:(0:10:SW:1): sending packet to X.X.X.X my_port 500 peer_port 500
(I) QM_IDLE
Jul 23 10:24:49 10.1.1.1 157203: 108890: Jul 23 09:24:48.319 PCTime: ISAKMP:(0:10:SW:1):purging node -1051703389
Jul 23 10:24:49 10.1.1.1 157204: 108891: Jul 23 09:24:48.319 PCTime: ISAKMP:(0:10:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 23 10:24:49 10.1.1.1 157205: 108892: Jul 23 09:24:48.319 PCTime: ISAKMP:(0:10:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
Jul 23 10:24:49 10.1.1.1 157206:
Jul 23 10:24:49 10.1.1.1 157207: 108893: Jul 23 09:24:48.319 PCTime: ISAKMP:(0:10:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (pee
r X.X.X.X)
Jul 23 10:24:49 10.1.1.1 157208: 108894: Jul 23 09:24:48.319 PCTime: ISAKMP: Unlocking IKE struct 0x4468F960 for isadb_mark_sa_deleted(), count 0
Jul 23 10:24:49 10.1.1.1 157209: 108895: Jul 23 09:24:48.319 PCTime: ISAKMP: Deleting peer node by peer_reap for X.X.X.X: 4468F960
Jul 23 10:24:49 10.1.1.1 157210: 108896: Jul 23 09:24:48.319 PCTime: ISAKMP:(0:10:SW:1):deleting node -818982025 error FALSE reason "IKE deleted"
Jul 23 10:24:49 10.1.1.1 157211: 108897: Jul 23 09:24:48.319 PCTime: ISAKMP:(0:10:SW:1):deleting node -587284616 error FALSE reason "IKE deleted"
Jul 23 10:24:49 10.1.1.1 157212: 108898: Jul 23 09:24:48.319 PCTime: ISAKMP:(0:10:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 23 10:24:49 10.1.1.1 157213: 108899: Jul 23 09:24:48.319 PCTime: ISAKMP:(0:10:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
Jul 23 10:24:49 10.1.1.1 157214:
Jul 23 10:24:49 10.1.1.1 157215: 108900: Jul 23 09:24:48.319 PCTime: IPSEC(key_engine): got a queue event with 1 kei messages


при пинге со стороны линукса
лог циско
Jul 23 10:26:51 10.1.1.1 157796: 109341: Jul 23 09:26:50.817 PCTime: ISAKMP:(0:13:SW:1):Checking IPSec proposal 1
Jul 23 10:26:51 10.1.1.1 157797: 109342: Jul 23 09:26:50.817 PCTime: ISAKMP: transform 1, ESP_3DES
Jul 23 10:26:51 10.1.1.1 157798: 109343: Jul 23 09:26:50.817 PCTime: ISAKMP:   attributes in transform:
Jul 23 10:26:51 10.1.1.1 157799: 109344: Jul 23 09:26:50.817 PCTime: ISAKMP:      SA life type in seconds
Jul 23 10:26:51 10.1.1.1 157800: 109345: Jul 23 09:26:50.817 PCTime: ISAKMP:      SA life duration (basic) of 28800
Jul 23 10:26:51 10.1.1.1 157801: 109346: Jul 23 09:26:50.817 PCTime: ISAKMP:      encaps is 1 (Tunnel)
Jul 23 10:26:51 10.1.1.1 157802: 109347: Jul 23 09:26:50.817 PCTime: ISAKMP:      authenticator is HMAC-MD5
Jul 23 10:26:51 10.1.1.1 157803: 109348: Jul 23 09:26:50.817 PCTime: ISAKMP:      group is 2
Jul 23 10:26:51 10.1.1.1 157804: 109349: Jul 23 09:26:50.817 PCTime: CryptoEngine0: validate proposal
Jul 23 10:26:51 10.1.1.1 157805: 109350: Jul 23 09:26:50.817 PCTime: ISAKMP:(0:13:SW:1):atts are acceptable.
Jul 23 10:26:51 10.1.1.1 157806: 109351: Jul 23 09:26:50.817 PCTime: IPSEC(validate_proposal_request): proposal part #1,
Jul 23 10:26:51 10.1.1.1 157807:   (key eng. msg.) INBOUND local= Y.Y.Y.Y, remote= X.X.X.X,
Jul 23 10:26:51 10.1.1.1 157808:     local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
Jul 23 10:26:51 10.1.1.1 157809:     remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
Jul 23 10:26:51 10.1.1.1 157810:     protocol= AH, transform= ah-md5-hmac  (Tunnel),
Jul 23 10:26:51 10.1.1.1 157811:     lifedur= 0s and 0kb,
Jul 23 10:26:51 10.1.1.1 157812:     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x22
Jul 23 10:26:51 10.1.1.1 157813: 109352: Jul 23 09:26:50.817 PCTime: IPSEC(validate_proposal_request): proposal part #2,
Jul 23 10:26:51 10.1.1.1 157814:   (key eng. msg.) INBOUND local= Y.Y.Y.Y, remote= X.X.X.X,
Jul 23 10:26:51 10.1.1.1 157815:     local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
Jul 23 10:26:51 10.1.1.1 157816:     remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)
Jul 23 10:26:51 10.1.1.1 157817: ,
Jul 23 10:26:51 10.1.1.1 157818:     protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
Jul 23 10:26:51 10.1.1.1 157819:     lifedur= 0s and 0kb,
Jul 23 10:26:51 10.1.1.1 157820:     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x22
Jul 23 10:26:51 10.1.1.1 157821: 109353: Jul 23 09:26:50.817 PCTime: CryptoEngine0: validate proposal request
Jul 23 10:26:51 10.1.1.1 157822: 109354: Jul 23 09:26:50.817 PCTime: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local addres
s Y.Y.Y.Y
Jul 23 10:26:51 10.1.1.1 157823: 109355: Jul 23 09:26:50.817 PCTime: ISAKMP:(0:13:SW:1): IPSec policy invalidated proposal
Jul 23 10:26:51 10.1.1.1 157824: 109356: Jul 23 09:26:50.817 PCTime: ISAKMP:(0:13:SW:1): phase 2 SA policy not acceptable! (local Y.Y.Y.Y re
mote X.X.X.X)
Jul 23 10:26:51 10.1.1.1 157825: 109357: Jul 23 09:26:50.817 PCTime: ISAKMP: set new node -1192811471 to QM_IDLE
Jul 23 10:26:51 10.1.1.1 157826: 109358: Jul 23 09:26:50.817 PCTime: CryptoEngine0: generate hmac context for conn id 13
Jul 23 10:26:52 10.1.1.1 157827: 109359: Jul 23 09:26:50.821 PCTime: ISAKMP:(0:13:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
Jul 23 10:26:52 10.1.1.1 157828:        spi 1142015312, message ID = -1192811471
Jul 23 10:26:52 10.1.1.1 157829: 109360: Jul 23 09:26:50.821 PCTime: ISAKMP:(0:13:SW:1): sending packet to X.X.X.X my_port 500 peer_port 500
(R) QM_IDLE
Jul 23 10:26:52 10.1.1.1 157830: 109361: Jul 23 09:26:50.821 PCTime: ISAKMP:(0:13:SW:1):purging node -1192811471
Jul 23 10:26:52 10.1.1.1 157831: 109362: Jul 23 09:26:50.821 PCTime: ISAKMP:(0:13:SW:1):deleting node -1410154997 error TRUE reason "QM rejected"
Jul 23 10:26:52 10.1.1.1 157832: 109363: Jul 23 09:26:50.821 PCTime: ISAKMP (0:134217741): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:
Jul 23 10:26:52 10.1.1.1 157833:  for node -1410154997: state = IKE_QM_READY
Jul 23 10:26:52 10.1.1.1 157834: 109364: Jul 23 09:26:50.821 PCTime: ISAKMP:(0:13:SW:1):Node -1410154997, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jul 23 10:26:52 10.1.1.1 157835: 109365: Jul 23 09:26:50.821 PCTime: ISAKMP:(0:13:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY

лог ракуна
Jul 23 10:25:42 mon racoon: INFO: IPsec-SA request for Y.Y.Y.Y queued due to no phase1 found.
Jul 23 10:25:42 mon racoon: INFO: initiate new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Jul 23 10:25:42 mon racoon: INFO: begin Identity Protection mode.
Jul 23 10:25:42 mon racoon: INFO: received Vendor ID: CISCO-UNITY
Jul 23 10:25:42 mon racoon: INFO: received Vendor ID: DPD
Jul 23 10:25:42 mon racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jul 23 10:25:42 mon racoon: INFO: ISAKMP-SA established X.X.X.X[500]-Y.Y.Y.Y[500] spi:e7ccebec074add40:66341efea9e314
0a
Jul 23 10:25:42 mon racoon: ERROR: unknown Informational exchange received.
Jul 23 10:25:43 mon racoon: INFO: initiate new phase 2 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Jul 23 10:25:43 mon racoon: ERROR: unknown notify message, no phase2 handle found.
Jul 23 10:25:58 mon racoon: ERROR: Y.Y.Y.Y give up to get IPsec-SA due to time up to wait.

 
