Colleagues and comrades, greetings. Help however you can.
IPsec isn't working. It produces the following: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at xx.xx.xx.xx
Debug shows that:
001907: Jun 2 08:26:47.472 PCTime: ISAKMP: set new node 1843512227 to QM_IDLE
001908: Jun 2 08:26:47.472 PCTime: ISAKMP:(0:31:SW:1): processing HASH payload. message ID = 1843512227
001909: Jun 2 08:26:47.472 PCTime: ISAKMP:(0:31:SW:1): processing SA payload. message ID = 1843512227
001910: Jun 2 08:26:47.472 PCTime: ISAKMP:(0:31:SW:1):Checking IPSec proposal 1
001911: Jun 2 08:26:47.472 PCTime: ISAKMP: transform 1, ESP_3DES
001912: Jun 2 08:26:47.472 PCTime: ISAKMP: attributes in transform:
001913: Jun 2 08:26:47.472 PCTime: ISAKMP: encaps is 1 (Tunnel)
001914: Jun 2 08:26:47.472 PCTime: ISAKMP: SA life type in seconds
001915: Jun 2 08:26:47.472 PCTime: ISAKMP: SA life duration (basic) of 3600
001916: Jun 2 08:26:47.472 PCTime: ISAKMP: SA life type in kilobytes
001917: Jun 2 08:26:47.472 PCTime: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
001918: Jun 2 08:26:47.472 PCTime: ISAKMP: authenticator is HMAC-SHA
001919: Jun 2 08:26:47.472 PCTime: ISAKMP:(0:31:SW:1):atts are acceptable.
001920: Jun 2 08:26:47.472 PCTime: ISAKMP:(0:31:SW:1): IPSec policy invalidated proposal
001921: Jun 2 08:26:47.472 PCTime: ISAKMP:(0:31:SW:1): phase 2 SA policy not acceptable! (local x.x.x.x remote y.y.y.y)
001922: Jun 2 08:26:47.472 PCTime: ISAKMP: set new node 555992376 to QM_IDLE
001923: Jun 2 08:26:47.476 PCTime: ISAKMP:(0:31:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1886336296, message ID = 555992376
002060: Jun 2 08:28:35.076 PCTime: IPSEC(validate_transform_proposal): invalid local address x.x.x.x
002061: Jun 2 08:28:38.332 PCTime: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x, remote= y.y.y.y,
local_proxy= 10.10.0.0/255.255.224.0/0/0 (type=4),
remote_proxy= 10.10.76.0/255.255.252.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
The configs are as follows:
1)
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key Cisco address zzzzzzzzzzz
crypto isakmp key Cisco address y.y.y.y
!
!
crypto ipsec transform-set Set esp-3des esp-sha-hmac
!
crypto map HW 10 ipsec-isakmp
 set peer zzzzzzzzzzz
 set transform-set Set
 match address 101
crypto map HW 20 ipsec-isakmp
 set peer x.x.x.x
 set transform-set Set
 match address 102
!
!
!
!
interface GigabitEthernet0/0
 description Link_to_leased_channel
 ip address x.x.x.x 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 no mop enabled
!
interface GigabitEthernet0/1
 description Link_to_LAN$ES_LAN$
 ip address 10.20.10.10 255.255.0.0 secondary
 ip address 10.10.1.10 255.255.224.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 no mop enabled
 crypto map HW
!
!
!
!
!
end
2)
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key Cisco address zzzzzzzzzzzzzzz
crypto isakmp key Cisco address x.x.x.x
crypto isakmp nat keepalive 20
!
crypto isakmp peer address x.x.x.x
!
!
crypto ipsec transform-set Set esp-3des esp-sha-hmac
!
crypto map Link 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set Set
 match address 101
crypto map Link 20 ipsec-isakmp
 set peer zzzzzzzzzzzz
 set transform-set Set
 match address 103
!
!
!
interface GigabitEthernet0/3
 description Link_to_Internet
 ip address y.y.y.y 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex full
 speed 1000
 media-type rj45
 negotiation auto
 no cdp enable
 no mop enabled
 crypto map Link
What can be done about this, and how do I fight it?
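Added example, not code from the original post or from Cisco. The debug above says IPSEC(validate_transform_proposal): invalid local address x.x.x.x, and in the first config x.x.x.x sits on GigabitEthernet0/0 while "crypto map HW" is applied under GigabitEthernet0/1; the same map's entry 20 also has "set peer x.x.x.x", the router's own address. IOS takes the IKE local address from the interface the crypto map is bound to (or from "crypto map NAME local-address IFACE" when configured), so a map bound elsewhere fails exactly this validation. The script below parses a config fragment plus the local= address from the debug and reports both mismatches; ROUTER1 and DEBUG are constructed from the first router in the post with the placeholders kept as posted and IOS's one-space indentation restored. The function names and the output wording are my own.

```python
"""Sanity-check a Cisco IOS crypto-map config against 'debug crypto ipsec' output.

Added example, not code from the original post. It flags the two mistakes that
make IOS reject a Quick Mode proposal with 'invalid local address': a crypto
map bound to an interface that does not own the IKE local address, and a
'set peer' that points at the router's own address. ROUTER1 and DEBUG are
constructed from the first router in the post (placeholders kept as posted).
"""
import re
from typing import Dict, List, Tuple


def parse_ios(config: str) -> dict:
    """Extract interfaces (addresses, bound map), crypto-map entries and local-address overrides."""
    intfs: Dict[str, dict] = {}
    cmaps: Dict[Tuple[str, int], dict] = {}
    local_iface: Dict[str, str] = {}
    section, cur = None, None  # the indented block we are currently inside
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):  # top-level command: may open a new block
            section, cur = None, None
            if m := re.match(r"interface (\S+)", raw):
                section, cur = "intf", intfs.setdefault(m.group(1), {"addresses": [], "crypto_map": None})
            elif m := re.match(r"crypto map (\S+) local-address (\S+)", raw):
                local_iface[m.group(1)] = m.group(2)
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", raw):
                section, cur = "cmap", cmaps.setdefault((m.group(1), int(m.group(2))), {"peer": None, "acl": None})
            continue
        cmd = raw.strip()  # indented: belongs to the open block (IOS prints one leading space)
        if section == "intf":
            if m := re.match(r"ip address (\S+) \S+", cmd):
                cur["addresses"].append(m.group(1))
            elif m := re.match(r"crypto map (\S+)$", cmd):
                cur["crypto_map"] = m.group(1)
        elif section == "cmap":
            if m := re.match(r"set peer (\S+)", cmd):
                cur["peer"] = m.group(1)
            elif m := re.match(r"match address (\S+)", cmd):
                cur["acl"] = m.group(1)
    return {"interfaces": intfs, "crypto_maps": cmaps, "local_address": local_iface}


def debug_local_addresses(debug: str) -> List[str]:
    """Addresses IOS printed as the local endpoint while validating the proposal."""
    hits = re.findall(r"invalid local address (\S+)|\blocal= (\S+),", debug)
    return sorted({a for pair in hits for a in pair if a})


def check_crypto_bindings(cfg: dict, local_addr: str) -> List[str]:
    """Explain why IOS would refuse a proposal whose local address is local_addr."""
    intfs, cmaps = cfg["interfaces"], cfg["crypto_maps"]
    owner = {a: n for n, i in intfs.items() for a in i["addresses"]}          # address -> interface
    bound = {i["crypto_map"]: n for n, i in intfs.items() if i["crypto_map"]}  # map -> interface
    findings = []
    for name in sorted({n for n, _ in cmaps}):
        if name not in bound:
            findings.append(f"crypto map {name} is defined but not applied to any interface")
            continue
        # IKE uses the address of the interface the map is bound to, unless
        # 'crypto map NAME local-address IFACE' overrides it.
        iface = cfg["local_address"].get(name, bound[name])
        addrs = intfs.get(iface, {"addresses": []})["addresses"]
        if local_addr not in addrs:
            findings.append(f"crypto map {name} is bound to {iface} ({', '.join(addrs) or 'no address'}), "
                            f"but the IKE local address {local_addr} belongs to "
                            f"{owner.get(local_addr, 'no interface in this config')}")
    for (name, seq), entry in sorted(cmaps.items()):
        if entry["peer"] in owner:
            findings.append(f"crypto map {name} {seq}: set peer {entry['peer']} is this router's own "
                            f"address on {owner[entry['peer']]}")
    return findings


def run(config: str, debug: str) -> List[str]:
    cfg = parse_ios(config)
    return [f for addr in debug_local_addresses(debug) for f in check_crypto_bindings(cfg, addr)]


# Constructed sample: the first router from the post, trimmed to the lines the checks use.
ROUTER1 = """\
crypto isakmp key Cisco address y.y.y.y
crypto ipsec transform-set Set esp-3des esp-sha-hmac
crypto map HW 10 ipsec-isakmp
 set peer zzzzzzzzzzz
 set transform-set Set
 match address 101
crypto map HW 20 ipsec-isakmp
 set peer x.x.x.x
 set transform-set Set
 match address 102
interface GigabitEthernet0/0
 ip address x.x.x.x 255.255.255.224
interface GigabitEthernet0/1
 ip address 10.20.10.10 255.255.0.0 secondary
 ip address 10.10.1.10 255.255.224.0
 crypto map HW
end
"""
DEBUG = """\
IPSEC(validate_transform_proposal): invalid local address x.x.x.x
(key eng. msg.) INBOUND local= x.x.x.x, remote= y.y.y.y,
"""

if __name__ == "__main__":
    for finding in run(ROUTER1, DEBUG):
        print("-", finding)
```

Run it against a pasted "show running-config" and the debug lines; once the map is applied on the interface that owns the IKE local address and the peer points at the remote router, the checks go quiet. The script cannot verify the proxy identities (10.10.0.0/19 and 10.10.76.0/22 in the debug) because access lists 101, 102 and 103 are not shown in the post; after the binding is fixed, those ACLs still have to be exact mirrors of each other on both routers for Quick Mode to succeed.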