forum.opennet.ru

Составление сообщения

Исходное сообщение

"Не работает IPSEC"
Отправлено ZPavel, 16-Фев-06 21:19

3 routerа: 2 cisco 805 хочу связать с cisco 877 с помощью ipsec туннелей. GRE туннели работают
конфиг 877:
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key vpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set nostrong esp-des esp-md5-hmac
!
crypto map vpn 1 ipsec-isakmp
set peer 195.16.44.130
set transform-set nostrong
match address 101
crypto map vpn 2 ipsec-isakmp
set peer 81.211.31.149
set transform-set nostrong
match address 102
!
!
!
interface Tunnel0
ip address 10.16.17.1 255.255.255.0
tunnel source ATM0.1
tunnel destination 195.16.44.130
tunnel key 123
tunnel sequence-datagrams
tunnel checksum
crypto map vpn
!
interface Tunnel1
ip address 10.16.18.1 255.255.255.0
tunnel source ATM0.1
tunnel destination 81.211.31.149
tunnel key 123
tunnel sequence-datagrams
tunnel checksum
crypto map vpn
!
interface Loopback0
ip address 82.142.176.125 255.255.255.255
crypto map vpn
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
crypto map vpn
!
interface ATM0.1 point-to-point
ip unnumbered Loopback0
ip nat outside
ip virtual-reassembly
pvc 8/63
  encapsulation aal5snap
!
crypto map vpn
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.16.13.0 255.255.255.0 Tunnel0
ip route 10.16.15.0 255.255.255.0 Tunnel1
!
!
ip nat inside source list 1 interface Loopback0 overload
!
access-list 1 permit 10.16.12.2
access-list 1 permit 10.16.11.0 0.0.0.255
access-list 101 permit gre host 82.172.176.125 host 195.16.44.130
access-list 102 permit gre host 82.172.176.125 host 81.211.31.149

конфиг 805:
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key vpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set nostrong esp-des esp-md5-hmac
!
crypto map vpn-to-office 1 ipsec-isakmp
set peer 82.142.176.125
set transform-set nostrong
match address 101
!
!
!
!
interface Tunnel0
ip address 10.16.17.2 255.255.255.0
tunnel source Serial0
tunnel destination 82.142.176.125
tunnel key 123
tunnel sequence-datagrams
tunnel checksum
crypto map vpn-to-office
!
interface Ethernet0
ip address 10.16.14.1 255.255.255.0 secondary
ip address 10.16.13.1 255.255.255.0
no ip proxy-arp
ip nat inside
!
interface Serial0
description ISP
ip address 195.16.44.130 255.255.255.252
no ip proxy-arp
ip nat outside
!
ip nat inside source list 18 interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 10.16.11.0 255.255.255.0 Tunnel0
!
access-list 18 permit 10.16.14.2
access-list 18 permit 10.16.13.10
access-list 101 permit gre host 195.16.44.130 host 82.142.176.125

2-я 805 аналогично
как только пытаюсь привязать crypto map к интерфейсу s0 пинг в другую локалку пропадает и появляются сообщения на консоли 805:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
а на 877 просто куча сообщений:
.Feb 16 17:21:57.804: ISAKMP (0:0): received packet from 81.211.31.149 dport 500
sport 500 Global (N) NEW SA
.Feb 16 17:21:57.804: ISAKMP: Created a peer struct for 81.211.31.149, peer port
500
.Feb 16 17:21:57.804: ISAKMP: Locking peer struct 0x8332BE18, IKE refcount 1 for
crypto_isakmp_process_block
.Feb 16 17:21:57.804: ISAKMP: local port 500, remote port 500
.Feb 16 17:21:57.804: insert sa successfully sa = 82FE517C
.Feb 16 17:21:57.804: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Feb 16 17:21:57.804: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_
R_MM1
.Feb 16 17:21:57.804: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
.Feb 16 17:21:57.804: ISAKMP: Looking for a matching key for 81.211.31.149 in de
fault : success
.Feb 16 17:21:57.804: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 81.2
11.31.149
.Feb 16 17:21:57.808: ISAKMP:(0:0:N/A:0): local preshared key found
.Feb 16 17:21:57.808: ISAKMP : Scanning profiles for xauth ...
.Feb 16 17:21:57.808: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against pri
ority 1 policy
.Feb 16 17:21:57.808: ISAKMP:      encryption DES-CBC
.Feb 16 17:21:57.808: ISAKMP:      hash MD5
.Feb 16 17:21:57.808: ISAKMP:      default group 2
.Feb 16 17:21:57.808: ISAKMP:      auth pre-share
.Feb 16 17:21:57.808: ISAKMP:      life type in seconds
router-elikon#
.Feb 16 17:21:57.808: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
.Feb 16 17:21:57.808: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
.Feb 16 17:21:57.836: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M
AIN_MODE
.Feb 16 17:21:57.840: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM1  New State = IKE_R
_MM1
.Feb 16 17:21:57.840: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port
500 peer_port 500 (R) MM_SA_SETUP
.Feb 16 17:21:57.840: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_C
OMPLETE
.Feb 16 17:21:57.840: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM1  New State = IKE_R
_MM2
.Feb 16 17:21:58.512: ISAKMP (0:268435458): received packet from 81.211.31.149 d
port 500 sport 500 Global (R) MM_SA_SETUP
.Feb 16 17:21:58.512: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Feb 16 17:21:58.512: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM2  New State = IKE_R
_MM3
.Feb 16 17:21:58.512: ISAKMP:(0:2:HW:2): processing KE payload. message ID = 0
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2): processing NONCE payload. message ID =
0
.Feb 16 17:21:58.544: ISAKMP: Looking for a matching key for 81.211.31.149 in de
fault : success
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2):found peer pre-shared key matching 81.21
1.31.149
router-elikon#
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2):SKEYID state generated
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2): processing vendor id payload
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2): speaking to another IOS box!
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M
AIN_MODE
.Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM3  New State = IKE_R
_MM3
.Feb 16 17:21:58.548: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port
500 peer_port 500 (R) MM_KEY_EXCH
.Feb 16 17:21:58.548: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_C
OMPLETE
.Feb 16 17:21:58.548: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM3  New State = IKE_R
_MM4
.Feb 16 17:21:59.260: ISAKMP (0:268435458): received packet from 81.211.31.149 d
port 500 sport 500 Global (R) MM_KEY_EXCH
.Feb 16 17:21:59.260: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM4  New State = IKE_R
_MM5
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2): processing ID payload. message ID = 0
.Feb 16 17:21:59.264: ISAKMP (0:268435458): ID payload
        next-payload : 8
        type         : 1
        address      : 81.211.31.149
        protocol     : 17
        port         : 500
        length       : 12
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):: peer matches *none* of the profiles
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 0
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):SA authentication status:
        authenticated
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):SA has been authenticated with 81.211.31
.149
.Feb 16 17:21:59.264: ISAKMP: Trying to insert a peer 82.142.176.125/81.211.31.1
49/500/,  and inserted successfully 8332BE18.
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M
AIN_MODE
.Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM5  New State = IKE_R
_MM5
.Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2):SA is doing pre-shared key authenticatio
n using id type ID_IPV4_ADDR
.Feb 16 17:21:59.268: ISAKMP (0:268435458): ID payload
        next-payload : 8
        type         : 1
        address      : 82.142.176.125
        protocol     : 17
        port         : 500
        length       : 12
.Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2):Total payload length: 12
.Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port
500 peer_port 500 (R) MM_KEY_EXCH
.Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_C
OMPLETE
.Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM5  New State = IKE_P
1_COMPLETE
.Feb 16 17:21:59.272: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_CO
MPLETE
.Feb 16 17:21:59.272: ISAKMP:(0:2:HW:2):Old State = IKE_P1_COMPLETE  New State =
IKE_P1_COMPLETE
.Feb 16 17:21:59.356: ISAKMP (0:268435458): received packet from 81.211.31.149 d
port 500 sport 500 Global (R) QM_IDLE
.Feb 16 17:21:59.356: ISAKMP: set new node 1198284981 to QM_IDLE
.Feb 16 17:21:59.360: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 1
198284981
.Feb 16 17:21:59.360: ISAKMP:(0:2:HW:2): processing SA payload. message ID = 119
8284981
.Feb 16 17:21:59.360: ISAKMP:(0:2:HW:2):Checking IPSec proposal 1
.Feb 16 17:21:59.360: ISAKMP: transform 1, ESP_DES
.Feb 16 17:21:59.360: ISAKMP:   attributes in transform:
.Feb 16 17:21:59.360: ISAKMP:      encaps is 1 (Tunnel)
.Feb 16 17:21:59.360: ISAKMP:      SA life type in seconds
.Feb 16 17:21:59.360: ISAKMP:      SA life duration (basic) of 3600
.Feb 16 17:21:59.360: ISAKMP:      SA life type in kilobytes
.Feb 16 17:21:59.360: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
.Feb 16 17:21:59.360: ISAKMP:      authenticator is HMAC-MD5
.Feb 16 17:21:59.360: ISAKMP:(0:2:HW:2):atts are acceptable.
.Feb 16 17:21:59.360: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 82.142.176.125, remote= 81.211.31.149,
    local_proxy= 82.142.176.125/255.255.255.255/47/0 (type=1),
    remote_proxy= 81.211.31.149/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
.Feb 16 17:21:59.360: Crypto mapdb : proxy_match
        src addr     : 82.142.176.125
        dst addr     : 81.211.31.149
        protocol     : 47
        src port     : 0
        dst port     : 0
.Feb 16 17:21:59.360: Crypto mapdb : proxy_match
        src addr     : 82.142.176.125
        dst addr     : 81.211.31.149
        protocol     : 47
        src port     : 0
        dst port     : 0
.Feb 16 17:21:59.364: map_db_find_best did not find matching map
.Feb 16 17:21:59.364: IPSEC(validate_transform_proposal): no IPSEC cryptomap exi
sts for local address 82.142.176.125
.Feb 16 17:21:59.364: ISAKMP:(0:2:HW:2): IPSec policy invalidated proposal
.Feb 16 17:21:59.364: ISAKMP:(0:2:HW:2): phase 2 SA policy not acceptable! (loca
l 82.142.176.125 remote 81.211.31.149)
.Feb 16 17:21:59.364: ISAKMP: set new node -1026013654 to QM_IDLE
.Feb 16 17:21:59.364: ISAKMP:(0:2:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN proto
col 3
        spi 2194346424, message ID = -1026013654
.Feb 16 17:21:59.364: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port
500 peer_port 500 (R) QM_IDLE
.Feb 16 17:21:59.368: ISAKMP:(0:2:HW:2):purging node -1026013654
.Feb 16 17:21:59.368: ISAKMP:(0:2:HW:2):deleting node 1198284981 error TRUE reas
on "QM rejected"
.Feb 16 17:21:59.368: ISAKMP (0:268435458): Unknown Input IKE_MESG_FROM_PEER, IK
E_QM_EXCH:  for node 1198284981: state = IKE_QM_READY
.Feb 16 17:21:59.368: ISAKMP:(0:2:HW:2):Node 1198284981, Input = IKE_MESG_FROM_P
EER, IKE_QM_EXCH
.Feb 16 17:21:59.368: ISAKMP:(0:2:HW:2):Old State = IKE_QM_READY  New State = IK
E_QM_READY
router-elikon#
.Feb 16 17:21:59.368: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode fail
ed with peer at 81.211.31.149
router-elikon#
.Feb 16 17:22:27.808: ISAKMP (0:268435458): received packet from 81.211.31.149 d
port 500 sport 500 Global (R) QM_IDLE
.Feb 16 17:22:27.808: ISAKMP: set new node 194806817 to QM_IDLE
.Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 1
94806817
.Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2): processing SA payload. message ID = 194
806817
.Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2):Checking IPSec proposal 1
.Feb 16 17:22:27.812: ISAKMP: transform 1, ESP_DES
.Feb 16 17:22:27.812: ISAKMP:   attributes in transform:
.Feb 16 17:22:27.812: ISAKMP:      encaps is 1 (Tunnel)
.Feb 16 17:22:27.812: ISAKMP:      SA life type in seconds
.Feb 16 17:22:27.812: ISAKMP:      SA life duration (basic) of 3600
.Feb 16 17:22:27.812: ISAKMP:      SA life type in kilobytes
.Feb 16 17:22:27.812: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
.Feb 16 17:22:27.812: ISAKMP:      authenticator is HMAC-MD5
.Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2):atts are acceptable.
.Feb 16 17:22:27.812: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 82.142.176.125, remote= 81.211.31.149,
    local_proxy= 82.142.176.125/255.255.255.255/47/0 (type=1),
    remote_proxy= 81.211.31.149/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
.Feb 16 17:22:27.812: Crypto mapdb : proxy_match
        src addr     : 82.142.176.125
        dst addr     : 81.211.31.149
        protocol     : 47
        src port     : 0
        dst port     : 0
.Feb 16 17:22:27.812: Crypto mapdb : proxy_match
        src addr     : 82.142.176.125
        dst addr     : 81.211.31.149
        protocol     : 47
        src port     : 0
        dst port     : 0
.Feb 16 17:22:27.812: map_db_find_best did not find matching map
.Feb 16 17:22:27.812: IPSEC(validate_transform_proposal): no IPSEC cryptomap exi
sts for local address 82.142.176.125
.Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2): IPSec policy invalidated proposal
.Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2): phase 2 SA policy not acceptable! (loca
l 82.142.176.125 remote 81.211.31.149)
.Feb 16 17:22:27.816: ISAKMP: set new node -144067496 to QM_IDLE
.Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN proto
col 3
        spi 2194346424, message ID = -144067496
.Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port
500 peer_port 500 (R) QM_IDLE
.Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2):purging node -144067496
.Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2):deleting node 194806817 error TRUE reaso
n "QM rejected"
router-elikon#
.Feb 16 17:22:27.816: ISAKMP (0:268435458): Unknown Input IKE_MESG_FROM_PEER, IK
E_QM_EXCH:  for node 194806817: state = IKE_QM_READY
.Feb 16 17:22:27.820: ISAKMP:(0:2:HW:2):Node 194806817, Input = IKE_MESG_FROM_PE
ER, IKE_QM_EXCH
.Feb 16 17:22:27.820: ISAKMP:(0:2:HW:2):Old State = IKE_QM_READY  New State = IK
E_QM_READY
router-elikon#
.Feb 16 17:22:49.354: ISAKMP:(0:2:HW:2):purging node 1198284981
router-elikon#
.Feb 16 17:22:57.796: ISAKMP (0:268435458): received packet from 81.211.31.149 d
port 500 sport 500 Global (R) QM_IDLE
.Feb 16 17:22:57.796: ISAKMP: set new node 1401338307 to QM_IDLE
.Feb 16 17:22:57.796: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 1
401338307
.Feb 16 17:22:57.796: ISAKMP:received payload type 18
.Feb 16 17:22:57.796: ISAKMP:(0:2:HW:2): processing DELETE_WITH_REASON payload,
message ID = 1401338307, reason: DELETE_BY_ERROR
.Feb 16 17:22:57.796: ISAKMP:(0:2:HW:2):peer does not do paranoid keepalives.
.Feb 16 17:22:57.796: ISAKMP:(0:2:HW:2):deleting SA reason "By error" state (R)
QM_IDLE       (peer 81.211.31.149)
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):deleting node 1401338307 error FALSE rea
son "Informational (in) state 1"
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DE
L
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):Old State = IKE_P1_COMPLETE  New State =
IKE_DEST_SA
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):deleting SA reason "No reason" state (R)
QM_IDLE       (peer 81.211.31.149)
.Feb 16 17:22:57.800: ISAKMP: Unlocking IKE struct 0x8332BE18 for isadb_mark_sa_
deleted(), count 0
.Feb 16 17:22:57.800: ISAKMP: Deleting peer node by peer_reap for 81.211.31.149:
8332BE18
router-elikon#
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):deleting node 194806817 error FALSE reas
on "IKE deleted"
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):deleting node 1401338307 error FALSE rea
son "IKE deleted"
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):Old State = IKE_DEST_SA  New State = IKE
_DEST_SA
router-elikon#
.Feb 16 17:23:47.786: ISAKMP:(0:2:HW:2):purging node 194806817
.Feb 16 17:23:47.786: ISAKMP:(0:2:HW:2):purging node 1401338307
router-elikon#
.Feb 16 17:23:57.783: ISAKMP:(0:2:HW:2):purging SA., sa=82FE517C, delme=82FE517C
чего бы поделать?

Исходное сообщение
"Не работает IPSEC" Отправлено ZPavel, 16-Фев-06 21:19
3 routerа: 2 cisco 805 хочу связать с cisco 877 с помощью ipsec туннелей. GRE туннели работают конфиг 877: crypto isakmp policy 1 hash md5 authentication pre-share group 2 crypto isakmp key vpn address 0.0.0.0 0.0.0.0 ! ! crypto ipsec transform-set nostrong esp-des esp-md5-hmac ! crypto map vpn 1 ipsec-isakmp set peer 195.16.44.130 set transform-set nostrong match address 101 crypto map vpn 2 ipsec-isakmp set peer 81.211.31.149 set transform-set nostrong match address 102 ! ! ! interface Tunnel0 ip address 10.16.17.1 255.255.255.0 tunnel source ATM0.1 tunnel destination 195.16.44.130 tunnel key 123 tunnel sequence-datagrams tunnel checksum crypto map vpn ! interface Tunnel1 ip address 10.16.18.1 255.255.255.0 tunnel source ATM0.1 tunnel destination 81.211.31.149 tunnel key 123 tunnel sequence-datagrams tunnel checksum crypto map vpn ! interface Loopback0 ip address 82.142.176.125 255.255.255.255 crypto map vpn ! interface ATM0 no ip address no atm ilmi-keepalive dsl operating-mode auto crypto map vpn ! interface ATM0.1 point-to-point ip unnumbered Loopback0 ip nat outside ip virtual-reassembly pvc 8/63 encapsulation aal5snap ! crypto map vpn ! ip classless ip route 0.0.0.0 0.0.0.0 ATM0.1 ip route 10.16.13.0 255.255.255.0 Tunnel0 ip route 10.16.15.0 255.255.255.0 Tunnel1 ! ! ip nat inside source list 1 interface Loopback0 overload ! access-list 1 permit 10.16.12.2 access-list 1 permit 10.16.11.0 0.0.0.255 access-list 101 permit gre host 82.172.176.125 host 195.16.44.130 access-list 102 permit gre host 82.172.176.125 host 81.211.31.149 конфиг 805: crypto isakmp policy 1 hash md5 authentication pre-share group 2 crypto isakmp key vpn address 0.0.0.0 0.0.0.0 ! ! crypto ipsec transform-set nostrong esp-des esp-md5-hmac ! crypto map vpn-to-office 1 ipsec-isakmp set peer 82.142.176.125 set transform-set nostrong match address 101 ! ! ! ! interface Tunnel0 ip address 10.16.17.2 255.255.255.0 tunnel source Serial0 tunnel destination 82.142.176.125 tunnel key 123 tunnel sequence-datagrams tunnel checksum crypto map vpn-to-office ! interface Ethernet0 ip address 10.16.14.1 255.255.255.0 secondary ip address 10.16.13.1 255.255.255.0 no ip proxy-arp ip nat inside ! interface Serial0 description ISP ip address 195.16.44.130 255.255.255.252 no ip proxy-arp ip nat outside ! ip nat inside source list 18 interface Serial0 overload ip classless ip route 0.0.0.0 0.0.0.0 Serial0 ip route 10.16.11.0 255.255.255.0 Tunnel0 ! access-list 18 permit 10.16.14.2 access-list 18 permit 10.16.13.10 access-list 101 permit gre host 195.16.44.130 host 82.142.176.125 2-я 805 аналогично как только пытаюсь привязать crypto map к интерфейсу s0 пинг в другую локалку пропадает и появляются сообщения на консоли 805: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. а на 877 просто куча сообщений: .Feb 16 17:21:57.804: ISAKMP (0:0): received packet from 81.211.31.149 dport 500 sport 500 Global (N) NEW SA .Feb 16 17:21:57.804: ISAKMP: Created a peer struct for 81.211.31.149, peer port 500 .Feb 16 17:21:57.804: ISAKMP: Locking peer struct 0x8332BE18, IKE refcount 1 for crypto_isakmp_process_block .Feb 16 17:21:57.804: ISAKMP: local port 500, remote port 500 .Feb 16 17:21:57.804: insert sa successfully sa = 82FE517C .Feb 16 17:21:57.804: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH .Feb 16 17:21:57.804: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_ R_MM1 .Feb 16 17:21:57.804: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0 .Feb 16 17:21:57.804: ISAKMP: Looking for a matching key for 81.211.31.149 in de fault : success .Feb 16 17:21:57.804: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 81.2 11.31.149 .Feb 16 17:21:57.808: ISAKMP:(0:0:N/A:0): local preshared key found .Feb 16 17:21:57.808: ISAKMP : Scanning profiles for xauth ... .Feb 16 17:21:57.808: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against pri ority 1 policy .Feb 16 17:21:57.808: ISAKMP: encryption DES-CBC .Feb 16 17:21:57.808: ISAKMP: hash MD5 .Feb 16 17:21:57.808: ISAKMP: default group 2 .Feb 16 17:21:57.808: ISAKMP: auth pre-share .Feb 16 17:21:57.808: ISAKMP: life type in seconds router-elikon# .Feb 16 17:21:57.808: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 .Feb 16 17:21:57.808: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0 .Feb 16 17:21:57.836: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M AIN_MODE .Feb 16 17:21:57.840: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM1 New State = IKE_R _MM1 .Feb 16 17:21:57.840: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port 500 peer_port 500 (R) MM_SA_SETUP .Feb 16 17:21:57.840: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_C OMPLETE .Feb 16 17:21:57.840: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM1 New State = IKE_R _MM2 .Feb 16 17:21:58.512: ISAKMP (0:268435458): received packet from 81.211.31.149 d port 500 sport 500 Global (R) MM_SA_SETUP .Feb 16 17:21:58.512: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH .Feb 16 17:21:58.512: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM2 New State = IKE_R _MM3 .Feb 16 17:21:58.512: ISAKMP:(0:2:HW:2): processing KE payload. message ID = 0 .Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2): processing NONCE payload. message ID = 0 .Feb 16 17:21:58.544: ISAKMP: Looking for a matching key for 81.211.31.149 in de fault : success .Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2):found peer pre-shared key matching 81.21 1.31.149 router-elikon# .Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2):SKEYID state generated .Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2): processing vendor id payload .Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2): speaking to another IOS box! .Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M AIN_MODE .Feb 16 17:21:58.544: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM3 New State = IKE_R _MM3 .Feb 16 17:21:58.548: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port 500 peer_port 500 (R) MM_KEY_EXCH .Feb 16 17:21:58.548: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_C OMPLETE .Feb 16 17:21:58.548: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM3 New State = IKE_R _MM4 .Feb 16 17:21:59.260: ISAKMP (0:268435458): received packet from 81.211.31.149 d port 500 sport 500 Global (R) MM_KEY_EXCH .Feb 16 17:21:59.260: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH .Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM4 New State = IKE_R _MM5 .Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2): processing ID payload. message ID = 0 .Feb 16 17:21:59.264: ISAKMP (0:268435458): ID payload next-payload : 8 type : 1 address : 81.211.31.149 protocol : 17 port : 500 length : 12 .Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):: peer matches none of the profiles .Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 0 .Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):SA authentication status: authenticated .Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):SA has been authenticated with 81.211.31 .149 .Feb 16 17:21:59.264: ISAKMP: Trying to insert a peer 82.142.176.125/81.211.31.1 49/500/, and inserted successfully 8332BE18. .Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_M AIN_MODE .Feb 16 17:21:59.264: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM5 New State = IKE_R _MM5 .Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2):SA is doing pre-shared key authenticatio n using id type ID_IPV4_ADDR .Feb 16 17:21:59.268: ISAKMP (0:268435458): ID payload next-payload : 8 type : 1 address : 82.142.176.125 protocol : 17 port : 500 length : 12 .Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2):Total payload length: 12 .Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port 500 peer_port 500 (R) MM_KEY_EXCH .Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_C OMPLETE .Feb 16 17:21:59.268: ISAKMP:(0:2:HW:2):Old State = IKE_R_MM5 New State = IKE_P 1_COMPLETE .Feb 16 17:21:59.272: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_CO MPLETE .Feb 16 17:21:59.272: ISAKMP:(0:2:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE .Feb 16 17:21:59.356: ISAKMP (0:268435458): received packet from 81.211.31.149 d port 500 sport 500 Global (R) QM_IDLE .Feb 16 17:21:59.356: ISAKMP: set new node 1198284981 to QM_IDLE .Feb 16 17:21:59.360: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 1 198284981 .Feb 16 17:21:59.360: ISAKMP:(0:2:HW:2): processing SA payload. message ID = 119 8284981 .Feb 16 17:21:59.360: ISAKMP:(0:2:HW:2):Checking IPSec proposal 1 .Feb 16 17:21:59.360: ISAKMP: transform 1, ESP_DES .Feb 16 17:21:59.360: ISAKMP: attributes in transform: .Feb 16 17:21:59.360: ISAKMP: encaps is 1 (Tunnel) .Feb 16 17:21:59.360: ISAKMP: SA life type in seconds .Feb 16 17:21:59.360: ISAKMP: SA life duration (basic) of 3600 .Feb 16 17:21:59.360: ISAKMP: SA life type in kilobytes .Feb 16 17:21:59.360: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 .Feb 16 17:21:59.360: ISAKMP: authenticator is HMAC-MD5 .Feb 16 17:21:59.360: ISAKMP:(0:2:HW:2):atts are acceptable. .Feb 16 17:21:59.360: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 82.142.176.125, remote= 81.211.31.149, local_proxy= 82.142.176.125/255.255.255.255/47/0 (type=1), remote_proxy= 81.211.31.149/255.255.255.255/47/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2 .Feb 16 17:21:59.360: Crypto mapdb : proxy_match src addr : 82.142.176.125 dst addr : 81.211.31.149 protocol : 47 src port : 0 dst port : 0 .Feb 16 17:21:59.360: Crypto mapdb : proxy_match src addr : 82.142.176.125 dst addr : 81.211.31.149 protocol : 47 src port : 0 dst port : 0 .Feb 16 17:21:59.364: map_db_find_best did not find matching map .Feb 16 17:21:59.364: IPSEC(validate_transform_proposal): no IPSEC cryptomap exi sts for local address 82.142.176.125 .Feb 16 17:21:59.364: ISAKMP:(0:2:HW:2): IPSec policy invalidated proposal .Feb 16 17:21:59.364: ISAKMP:(0:2:HW:2): phase 2 SA policy not acceptable! (loca l 82.142.176.125 remote 81.211.31.149) .Feb 16 17:21:59.364: ISAKMP: set new node -1026013654 to QM_IDLE .Feb 16 17:21:59.364: ISAKMP:(0:2:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN proto col 3 spi 2194346424, message ID = -1026013654 .Feb 16 17:21:59.364: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port 500 peer_port 500 (R) QM_IDLE .Feb 16 17:21:59.368: ISAKMP:(0:2:HW:2):purging node -1026013654 .Feb 16 17:21:59.368: ISAKMP:(0:2:HW:2):deleting node 1198284981 error TRUE reas on "QM rejected" .Feb 16 17:21:59.368: ISAKMP (0:268435458): Unknown Input IKE_MESG_FROM_PEER, IK E_QM_EXCH: for node 1198284981: state = IKE_QM_READY .Feb 16 17:21:59.368: ISAKMP:(0:2:HW:2):Node 1198284981, Input = IKE_MESG_FROM_P EER, IKE_QM_EXCH .Feb 16 17:21:59.368: ISAKMP:(0:2:HW:2):Old State = IKE_QM_READY New State = IK E_QM_READY router-elikon# .Feb 16 17:21:59.368: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode fail ed with peer at 81.211.31.149 router-elikon# .Feb 16 17:22:27.808: ISAKMP (0:268435458): received packet from 81.211.31.149 d port 500 sport 500 Global (R) QM_IDLE .Feb 16 17:22:27.808: ISAKMP: set new node 194806817 to QM_IDLE .Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 1 94806817 .Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2): processing SA payload. message ID = 194 806817 .Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2):Checking IPSec proposal 1 .Feb 16 17:22:27.812: ISAKMP: transform 1, ESP_DES .Feb 16 17:22:27.812: ISAKMP: attributes in transform: .Feb 16 17:22:27.812: ISAKMP: encaps is 1 (Tunnel) .Feb 16 17:22:27.812: ISAKMP: SA life type in seconds .Feb 16 17:22:27.812: ISAKMP: SA life duration (basic) of 3600 .Feb 16 17:22:27.812: ISAKMP: SA life type in kilobytes .Feb 16 17:22:27.812: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 .Feb 16 17:22:27.812: ISAKMP: authenticator is HMAC-MD5 .Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2):atts are acceptable. .Feb 16 17:22:27.812: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 82.142.176.125, remote= 81.211.31.149, local_proxy= 82.142.176.125/255.255.255.255/47/0 (type=1), remote_proxy= 81.211.31.149/255.255.255.255/47/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2 .Feb 16 17:22:27.812: Crypto mapdb : proxy_match src addr : 82.142.176.125 dst addr : 81.211.31.149 protocol : 47 src port : 0 dst port : 0 .Feb 16 17:22:27.812: Crypto mapdb : proxy_match src addr : 82.142.176.125 dst addr : 81.211.31.149 protocol : 47 src port : 0 dst port : 0 .Feb 16 17:22:27.812: map_db_find_best did not find matching map .Feb 16 17:22:27.812: IPSEC(validate_transform_proposal): no IPSEC cryptomap exi sts for local address 82.142.176.125 .Feb 16 17:22:27.812: ISAKMP:(0:2:HW:2): IPSec policy invalidated proposal .Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2): phase 2 SA policy not acceptable! (loca l 82.142.176.125 remote 81.211.31.149) .Feb 16 17:22:27.816: ISAKMP: set new node -144067496 to QM_IDLE .Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN proto col 3 spi 2194346424, message ID = -144067496 .Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2): sending packet to 81.211.31.149 my_port 500 peer_port 500 (R) QM_IDLE .Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2):purging node -144067496 .Feb 16 17:22:27.816: ISAKMP:(0:2:HW:2):deleting node 194806817 error TRUE reaso n "QM rejected" router-elikon# .Feb 16 17:22:27.816: ISAKMP (0:268435458): Unknown Input IKE_MESG_FROM_PEER, IK E_QM_EXCH: for node 194806817: state = IKE_QM_READY .Feb 16 17:22:27.820: ISAKMP:(0:2:HW:2):Node 194806817, Input = IKE_MESG_FROM_PE ER, IKE_QM_EXCH .Feb 16 17:22:27.820: ISAKMP:(0:2:HW:2):Old State = IKE_QM_READY New State = IK E_QM_READY router-elikon# .Feb 16 17:22:49.354: ISAKMP:(0:2:HW:2):purging node 1198284981 router-elikon# .Feb 16 17:22:57.796: ISAKMP (0:268435458): received packet from 81.211.31.149 d port 500 sport 500 Global (R) QM_IDLE .Feb 16 17:22:57.796: ISAKMP: set new node 1401338307 to QM_IDLE .Feb 16 17:22:57.796: ISAKMP:(0:2:HW:2): processing HASH payload. message ID = 1 401338307 .Feb 16 17:22:57.796: ISAKMP:received payload type 18 .Feb 16 17:22:57.796: ISAKMP:(0:2:HW:2): processing DELETE_WITH_REASON payload, message ID = 1401338307, reason: DELETE_BY_ERROR .Feb 16 17:22:57.796: ISAKMP:(0:2:HW:2):peer does not do paranoid keepalives. .Feb 16 17:22:57.796: ISAKMP:(0:2:HW:2):deleting SA reason "By error" state (R) QM_IDLE (peer 81.211.31.149) .Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):deleting node 1401338307 error FALSE rea son "Informational (in) state 1" .Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DE L .Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA .Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):deleting SA reason "No reason" state (R) QM_IDLE (peer 81.211.31.149) .Feb 16 17:22:57.800: ISAKMP: Unlocking IKE struct 0x8332BE18 for isadb_mark_sa_ deleted(), count 0 .Feb 16 17:22:57.800: ISAKMP: Deleting peer node by peer_reap for 81.211.31.149: 8332BE18 router-elikon# .Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):deleting node 194806817 error FALSE reas on "IKE deleted" .Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):deleting node 1401338307 error FALSE rea son "IKE deleted" .Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH .Feb 16 17:22:57.800: ISAKMP:(0:2:HW:2):Old State = IKE_DEST_SA New State = IKE _DEST_SA router-elikon# .Feb 16 17:23:47.786: ISAKMP:(0:2:HW:2):purging node 194806817 .Feb 16 17:23:47.786: ISAKMP:(0:2:HW:2):purging node 1401338307 router-elikon# .Feb 16 17:23:57.783: ISAKMP:(0:2:HW:2):purging SA., sa=82FE517C, delme=82FE517C чего бы поделать?

Ваше сообщение

Имя*:

EMail:

Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.

Заголовок*:

Сообщение*:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

На сайте действует частичное премодерирование - после публикации некоторые сообщения от анонимов могут автоматически скрываться ботом. После проверки модератором ошибочно скрытые сообщения раскрываются. Для ускорения раскрытия можно воспользоваться ссылкой "Сообщить модератору", указав в качестве причины обращения "скрыто по ошибке".

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру