>on the PIX
>debug crypto ipsec 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with b.b.b.2
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with b.b.b.2
IPSEC(key_engine_sa_req): setting timer running retry <1>
After sending packets from the local network on the PIX side, the following appears:
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x5f5e371f(1600010015) for SA
from b.b.b.2 to a.a.a.61 for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= b.b.b.2, src= a.a.a.61,
dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= a.a.a.61, src= b.b.b.2,
dest_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4),
src_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x5f5e371f(1600010015), conn_id= 1, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= a.a.a.61, dest= b.b.b.2,
src_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4),
dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x8e225368(2384614248), conn_id= 2, keysize= 0, flags= 0x4
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= b.b.b.2, src= a.a.a.61,
dest_proxy= 192.168.103.0/255.255.255.0/0/0 (type=4),
src_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= b.b.b.2, src= a.a.a.61,
dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 192.168.103.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
-----------------------------------------------------------------------------
>debug crypto isakmp 3
ISAKMP msg received
crypto_isakmp_process_block:src:b.b.b.2, dest:a.a.a.61 spt:500 dpt:500
gen_cookie:
fill_sa_key:isadb_search returned sa = 0xa2d24c
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
compute_quick_mode_iv:
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x74a728, len 144
des_encdec:
validate_payload: len 172
valid_payload:
valid_payload:
valid_sa:
valid_transform:
valid_payload:
valid_payload:
valid_payload:
OAK_QM exchange
oakley_process_quick_mode:
ipsec_db_get_ipsec_sa_list:
verify_qm_hash:
ipsec_db_get_ipsec_sa_list:
OAK_QM_IDLE
process_isakmp_packet:
process_sa: mess_id 0x5c92175a
ISAKMP (0): processing SA payload. message ID = 1553078106
check_ipsec_proposal:
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
check_prop: acceptable = 1
snoop_id_payloads:
ISAKMP: IPSec policy invalidated proposal
delete_sa_offers:
ISAKMP (0): SA not acceptable!
ipsec_db_get_ipsec_sa_list:
ISAKMP (0): sending NOTIFY message 14 protocol 3
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
compute_quick_mode_iv:
construct_header: message_id 0x59a3127d
ipsec_db_get_ipsec_sa_list:
construct_blank_hash:
construct_notify:
ipsec_db_get_ipsec_sa_list:
construct_qm_hash:
ipsec_db_get_ipsec_sa_list:
throw: mess_id 0x59a3127d
ipsec_db_get_ipsec_sa_list:
isakmp_ce_encrypt_payload: offset 28, length 124
pix_des_encrypt: data 0xaba5b4, len 104
des_encdec:
send_response:
isakmp_send: ip b.b.b.2, port 500
throw: no state, delete ipsec sa list
ipsec_db_delete_ipsec_sa_list:
ipsec_db_delete_sa_list_entry:
process_sa: DONE - status 0x2
delete_sa_offers:
process_payload failed 0x2
return status is IKMP_ERR_NO_RETRANS
PEER_REAPER_TIMER
---------------------------------------------------------------------------
>debug crypto ca 3
showed nothing =(
>
>terminal monitor, and the logs under a cut.
As for the logs... could you clarify which logs are needed?
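
An added example, not part of the original post: a small Python parser for `debug crypto ipsec` output in the format shown above. It lists the proxy network/mask pairs that appear in proposals followed by "proxy identities not supported" but in none of the installed SAs. The function names and the shortened sample are constructed for illustration.

```python
import re

# Constructed sample: shortened excerpt in the format of the debug output above.
SAMPLE = """\
IPSEC(validate_proposal_request): proposal part #1,
dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4),
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
dest_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4),
src_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
IPSEC(validate_proposal_request): proposal part #1,
dest_proxy= 192.168.103.0/255.255.255.0/0/0 (type=4),
src_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
IPSEC(validate_transform_proposal): proxy identities not supported
"""

EVENT = re.compile(r"^IPSEC\((\w+)\):\s*(.*)$")
PROXY = re.compile(r"(?:src|dest)_proxy=\s*([\d.]+)/([\d.]+)/")

def parse_events(text):
    """Group continuation lines under the IPSEC(<function>) line that opens them."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            events.append({"fn": m.group(1), "msg": m.group(2), "proxies": set()})
        elif events:
            events[-1]["proxies"].update(PROXY.findall(line))
    return events

def proxy_mismatches(text):
    """(network, mask) pairs in rejected proposals that no installed SA carries."""
    events = parse_events(text)
    installed, rejected = set(), set()
    for ev, nxt in zip(events, events[1:] + [None]):
        if ev["fn"] == "initialize_sas":
            installed |= ev["proxies"]
        elif (ev["fn"] == "validate_proposal_request" and nxt
              and nxt["fn"] == "validate_transform_proposal"
              and "not supported" in nxt["msg"]):
            rejected |= ev["proxies"]
    return sorted(rejected - installed)

if __name__ == "__main__":
    print(proxy_mismatches(SAMPLE))
```
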