The OpenNET Project / Index page


Original message
"Problem with an IPsec tunnel"
Posted by Fiser, 18-Aug-06 12:56
>>So we tell ISAKMP to encrypt using MD5 but then use SHA, that's not right
>>;))
>>[quote]
>>crypto isakmp policy 1
>>encr 3des
>>hash md5
>>authentication pre-share
>>group 2
>>[/quote]
>>
>>Here is how it should be:
>>crypto isakmp policy 10
>> encr 3des
>> authentication pre-share
>> group 2
>> lifetime 10000
>>
>>the transform set stays the same
>>crypto ipsec transform-set dep esp-3des esp-sha-hmac
>
>Strange, but then why are several other offices connected and working with this
>encryption
>crypto isakmp policy 1
>encr 3des
>hash md5
>authentication pre-share
>group 2
>
>but my 877 just won't do it no matter what, maybe because of a different route?
>


Aug 18 08:53:09.268: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 87.103.179.178, remote= 195.162.38.70,
    local_proxy= 172.16.19.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.14.9.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x7035A841(1882564673), conn_id= 0, keysize= 0, flags= 0x400A
Aug 18 08:53:09.268: ISAKMP: local port 500, remote port 500
Aug 18 08:53:09.268: ISAKMP: set new node 0 to QM_IDLE
Aug 18 08:53:09.268: insert sa successfully sa = 81DFCDE4
Aug 18 08:53:09.268: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Aug 18 08:53:09.268: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 195.162.38.70
Aug 18 08:53:09.272: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Aug 18 08:53:09.272: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Aug 18 08:53:09.272: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Aug 18 08:53:09.272: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Aug 18 08:53:09.272: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

Aug 18 08:53:09.272: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Aug 18 08:53:09.272: ISAKMP:(0:0:N/A:0): sending packet to 195.162.38.70 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 18 08:53:09.332: ISAKMP (0:0): received packet from 195.162.38.70 dport 500 sport 500 Global (I) MM_NO_STATE
Aug 18 08:53:09.332: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 18 08:53:09.332: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0): processing vendor id payload
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 195.162.38.70
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0): local preshared key found
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Aug 18 08:53:09.336: ISAKMP:      encryption DES-CBC
Aug 18 08:53:09.336: ISAKMP:      hash SHA
Aug 18 08:53:09.336: ISAKMP:      default group 1
Aug 18 08:53:09.336: ISAKMP:      auth RSA sig
Aug 18 08:53:09.336: ISAKMP:      life type in seconds
Aug 18 08:53:09.336: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy
Aug 18 08:53:09.336: ISAKMP:      encryption DES-CBC
Aug 18 08:53:09.336: ISAKMP:      hash SHA
Aug 18 08:53:09.336: ISAKMP:      default group 1
Aug 18 08:53:09.336: ISAKMP:      auth RSA sig
Aug 18 08:53:09.336: ISAKMP:      life type in seconds
Aug 18 08:53:09.336: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Aug 18 08:53:09.340: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Aug 18 08:53:09.352: ISAKMP:(0:1:HW:2): processing vendor id payload
Aug 18 08:53:09.352: ISAKMP:(0:1:HW:2): vendor ID seems Unity/DPD but major 157 mismatch
Aug 18 08:53:09.356: ISAKMP:(0:1:HW:2): vendor ID is NAT-T v3
Aug 18 08:53:09.356: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 18 08:53:09.356: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM2  New State = IKE_I_MM2

Aug 18 08:53:09.356: ISAKMP:(0:1:HW:2): sending packet to 195.162.38.70 my_port 500 peer_port 500 (I) MM_SA_SETUP
Aug 18 08:53:09.356: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 18 08:53:09.356: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM2  New State = IKE_I_MM3

Aug 18 08:53:09.416: ISAKMP (0:268435457): received packet from 195.162.38.70 dport 500 sport 500 Global (I) MM_SA_SETUP
Aug 18 08:53:09.420: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 18 08:53:09.420: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM3  New State = IKE_I_MM4

Aug 18 08:53:09.420: ISAKMP:(0:1:HW:2): processing KE payload. message ID = 0
Aug 18 08:53:09.432: ISAKMP:(0:1:HW:2): processing NONCE payload. message ID = 0

Aug 18 08:53:09.436: ISAKMP:(0:1:HW:2):SKEYID state generated
Aug 18 08:53:09.436: ISAKMP:(0:1:HW:2): processing CERT_REQ payload. message ID = 0
Aug 18 08:53:09.436: ISAKMP:(0:1:HW:2): peer wants an unknown cert, abort.
Aug 18 08:53:09.436: ISAKMP:(0:1:HW:2): processing vendor id payload
Aug 18 08:53:09.436: ISAKMP:(0:1:HW:2): vendor ID is DPD
Aug 18 08:53:09.436: ISAKMP:(0:1:HW:2): processing vendor id payload
Aug 18 08:53:09.436: ISAKMP:(0:1:HW:2): speaking to another IOS box!
Aug 18 08:53:09.436: ISAKMP:received payload type 20
Aug 18 08:53:09.436: ISAKMP:received payload type 20
Aug 18 08:53:09.436: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 18 08:53:09.436: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM4  New State = IKE_I_MM4

Aug 18 08:53:09.436: ISAKMP:(0:1:HW:2):Send initial contact
Aug 18 08:53:09.436: ISAKMP:(0:1:HW:2):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Aug 18 08:53:09.440: ISAKMP:(0:1:HW:2):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
Aug 18 08:53:09.440: ISAKMP (0:268435457): ID payload
        next-payload : 6
        type         : 1
        address      : 87.103.179.178
        protocol     : 17
        port         : 500
        length       : 12
Aug 18 08:53:09.440: ISAKMP:(0:1:HW:2):Total payload length: 12
Aug 18 08:53:09.440: ISAKMP:(0:1:HW:2): no valid cert found to return
Aug 18 08:53:09.440: ISAKMP: set new node -294688449 to QM_IDLE
Aug 18 08:53:09.440: ISAKMP:(0:1:HW:2):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
        spi 0, message ID = -294688449
Aug 18 08:53:09.440: ISAKMP:(0:1:HW:2): sending packet to 195.162.38.70 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Aug 18 08:53:09.440: ISAKMP:(0:1:HW:2):purging node -294688449
Aug 18 08:53:09.440: ISAKMP (0:268435457): FSM action returned error: 2
Aug 18 08:53:09.444: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 18 08:53:09.444: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM4  New State = IKE_I_MM5

Aug 18 08:53:19.417: ISAKMP (0:268435457): received packet from 195.162.38.70 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 18 08:53:19.417: ISAKMP:(0:1:HW:2): phase 1 packet is a duplicate of a previous packet.
Aug 18 08:53:19.417: ISAKMP:(0:1:HW:2): retransmitting due to retransmit phase 1
Aug 18 08:53:19.417: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_KEY_EXCH...
Aug 18 08:53:19.917: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_KEY_EXCH...
Aug 18 08:53:19.917: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
Aug 18 08:53:19.917: ISAKMP:(0:1:HW:2): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Aug 18 08:53:29.415: ISAKMP (0:268435457): received packet from 195.162.38.70 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 18 08:53:29.419: ISAKMP:(0:1:HW:2): phase 1 packet is a duplicate of a previous packet.
Aug 18 08:53:29.419: ISAKMP:(0:1:HW:2): retransmitting due to retransmit phase 1
Aug 18 08:53:29.419: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_KEY_EXCH...
Aug 18 08:53:29.919: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_KEY_EXCH...
Aug 18 08:53:29.919: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
Aug 18 08:53:29.919: ISAKMP:(0:1:HW:2): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Aug 18 08:53:39.260: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 87.103.179.178, remote= 195.162.38.70,
    local_proxy= 172.16.19.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.14.9.0/255.255.255.0/0/0 (type=4)
Aug 18 08:53:39.260: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 87.103.179.178, remote= 195.162.38.70,
    local_proxy= 172.16.19.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.14.9.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xCB91FC89(3415342217), conn_id= 0, keysize= 0, flags= 0x400A
Aug 18 08:53:39.260: ISAKMP: set new node 0 to QM_IDLE
Aug 18 08:53:39.260: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. (local 87.103.179.178, remote 195.162.38.70)
Aug 18 08:53:39.416: ISAKMP (0:268435457): received packet from 195.162.38.70 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 18 08:53:39.416: ISAKMP:(0:1:HW:2): phase 1 packet is a duplicate of a previous packet.
Aug 18 08:53:39.416: ISAKMP:(0:1:HW:2): retransmitting due to retransmit phase 1
Aug 18 08:53:39.420: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_KEY_EXCH...
Aug 18 08:53:39.924: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_KEY_EXCH...
Aug 18 08:53:39.924: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
Aug 18 08:53:39.924: ISAKMP:(0:1:HW:2): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Aug 18 08:53:49.417: ISAKMP (0:268435457): received packet from 195.162.38.70 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 18 08:53:49.417: ISAKMP:(0:1:HW:2): phase 1 packet is a duplicate of a previous packet.
Aug 18 08:53:49.417: ISAKMP:(0:1:HW:2): retransmitting due to retransmit phase 1
Aug 18 08:53:49.417: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_KEY_EXCH...
Aug 18 08:53:49.917: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_KEY_EXCH...
Aug 18 08:53:49.917: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
Aug 18 08:53:49.917: ISAKMP:(0:1:HW:2): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Aug 18 08:54:09.252: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 87.103.179.178, remote= 195.162.38.70,
    local_proxy= 172.16.19.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.14.9.0/255.255.255.0/0/0 (type=4)
Aug 18 08:54:09.252: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.

Aug 18 08:54:09.252: ISAKMP:(0:1:HW:2):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 195.162.38.70)
Aug 18 08:54:09.252: ISAKMP:(0:1:HW:2):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 195.162.38.70)
" state (I) MM_KEY_EXCH (peer 195.162.38.70)
on "IKE deleted"
Aug 18 08:54:09.252: ISAKMP:(0:1:HW:2):deleting node 1723400177 error FALSE reason "IKE deleted"
Aug 18 08:54:09.252: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 18 08:54:09.252: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM5  New State = IKE_DEST_SA
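
Added example, not part of the original post and not Cisco tooling: a small Python parser for the ISAKMP policy-check lines in the debug output above, reporting under which local policy priority the peer's proposal was accepted and whether certificate-based authentication then had no certificate to use. The function names are illustrative, and the sample is assembled from lines in the post with the terminal wraps rejoined.

```python
import re
# Constructed sample: lines taken from the debug output in the post, line wraps rejoined.
SAMPLE_LOG = """\
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Aug 18 08:53:09.336: ISAKMP:      encryption DES-CBC
Aug 18 08:53:09.336: ISAKMP:      hash SHA
Aug 18 08:53:09.336: ISAKMP:      default group 1
Aug 18 08:53:09.336: ISAKMP:      auth RSA sig
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Aug 18 08:53:09.336: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy
Aug 18 08:53:09.336: ISAKMP:      encryption DES-CBC
Aug 18 08:53:09.336: ISAKMP:      hash SHA
Aug 18 08:53:09.336: ISAKMP:      default group 1
Aug 18 08:53:09.336: ISAKMP:      auth RSA sig
Aug 18 08:53:09.340: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Aug 18 08:53:09.440: ISAKMP:(0:1:HW:2): no valid cert found to return
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s{2,}(encryption|hash|default group|auth) (.+?)\s*$")

def parse_checks(log):
    """Return one dict per 'Checking ISAKMP transform ... policy' block."""
    checks, cur = [], None
    for line in log.splitlines():
        if m := CHECK.search(line):
            cur = {"priority": int(m[2]), "offer": {}, "reason": None, "accepted": None}
            checks.append(cur)
        elif cur is None:
            continue  # ignore everything before the first policy check
        elif m := ATTR.search(line):
            cur["offer"][m[1]] = m[2]  # attribute offered by the peer
        elif "does not match policy!" in line:
            cur["reason"] = line.rsplit("):", 1)[-1].strip()
        elif "atts are" in line:
            cur["accepted"] = "not acceptable" not in line
    return checks

def diagnose(log):
    notes = []
    for c in parse_checks(log):
        verdict = "accepted" if c["accepted"] else f"rejected: {c['reason']}"
        notes.append(f"priority {c['priority']} -> {verdict}")
        if c["accepted"] and c["priority"] == 65535:  # 65535 is the IOS built-in default policy
            notes.append("proposal matched only the default policy, auth " + c["offer"].get("auth", "?"))
    if "no valid cert found" in log:
        notes.append("no certificate available for RSA signature authentication")
    return notes
```

Calling `diagnose(SAMPLE_LOG)` returns four notes: the rejection under priority 10, the acceptance under 65535, the default-policy fall-through with `RSA sig`, and the missing certificate.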

 
