illznn

Site to Site IPSec VPN Cisco 800 & Cisco SRP 500 series

20.06.2013, 14:23. Views: 2509. Replies: 1

Good day. There is a branch office with a Cisco 881 installed, and a remote site with a Cisco SRP 527W. The task is to set up a secure communication channel between them.
To accomplish this, the Cisco SRP 527W has Site to Site IPSec VPN.
The manual had an example of configuring the channel with a crypto map, which I could not fully implement because there was no physical interface on which I could hang the crypto map.
At the moment I have the following configuration.
Cisco SRP 500 series
IKE Policy
IPSec Policy
Cisco 881
Current configuration : 4564 bytes
!
! Last configuration change at 11:24:03 UTC Wed Jun 19 2013 by admin
! NVRAM config last updated at 11:23:57 UTC Wed Jun 19 2013 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ZTR1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$QI0.$SgyXd
enable password 7 09444B
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
!
!
ip source-route
!
!
!
ip dhcp pool vpn
network 10.26.19.160 255.255.255.224
default-router 10.26.19.161
dns-server 10.26.71.3
!
!
ip cef
ip domain name zapgaz.net
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
ip pmtu
ip mtu adjust
!
license udi pid CISCO881-SEC-K9 sn FCZ1620C757
!
!
username admin privilege 15 secret 5 z..$66rZ33
username Point501 password 7 1229150
username Point502 password 7 03344B1F1
username Point503 password 7 107E190D1
username Point504 password 7 0236144F1
!
!
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address 77.239.163.165
!
!
crypto ipsec transform-set Points esp-3des esp-sha-hmac
!
crypto ipsec profile PointsIPSec
set transform-set Points
!
!
!
!
!
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
tunnel source Dialer0
tunnel mode ipsec ipv4
tunnel destination 77.239.163.165
tunnel protection ipsec profile PointsIPSec
!
!
interface Tunnel2
description ==mGRE to Zpmain via ISP Kyivstar==
ip address 10.26.0.72 255.255.255.224
no ip redirects
ip nhrp map 10.26.0.94 192.168.26.254
ip nhrp map multicast 192.168.26.254
ip nhrp network-id 26
ip nhrp nhs 10.26.0.94
ip nhrp registration no-unique
ip ospf network broadcast
ip ospf priority 0
tunnel source Vlan100
tunnel mode gre multipoint
!
!
interface FastEthernet0
description -Link to Local Network-
switchport access vlan 50
!
!
interface FastEthernet1
description -Link to ISP Kyivstar-
switchport access vlan 100
!
!
interface FastEthernet2
switchport access vlan 200
!
!
interface FastEthernet3
shutdown
!
!
interface FastEthernet4
description -Link ti ISP U-Tel-
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
no cdp enable
!
!
interface Virtual-Template1
ip address 10.26.19.161 255.255.255.224
ip virtual-reassembly
ip tcp adjust-mss 1400
no logging event link-status
peer default ip address dhcp-pool vpn
ppp encrypt mppe auto
ppp authentication chap eap ms-chap ms-chap-v2
!
!
interface Vlan1
no ip address
shutdown
!
!
interface Vlan50
ip address 10.26.71.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan100
description -ISP Kyivstar-
ip address 192.168.26.18 255.255.255.252
!
!
interface Vlan200
ip address 192.168.1.1 255.255.255.248
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
interface Dialer0
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname *******
ppp chap password 7 *********
ppp pap sent-username ****** password 7 ***********
ppp ipcp dns request
!
!
router ospf 100
log-adjacency-changes
area 16 stub
network 10.26.0.64 0.0.0.31 area 16
network 10.26.19.160 0.0.0.31 area 16
network 10.26.71.0 0.0.0.255 area 16
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 25 interface Dialer0 25
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.2 3389 interface Dialer0 3310
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.26.0 255.255.255.0 192.168.26.17
ip route 192.168.200.0 255.255.255.0 Tunnel0
!
access-list 1 permit 192.168.1.0 0.0.0.7
access-list 2 permit 10.26.71.48 0.0.0.7
access-list 3 permit 10.26.71.0 0.0.0.7
!
!
!
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password 7 1524222C2130E14
transport input ssh
!
scheduler max-task-time 5000
end

With which, understandably, nothing works. Please advise how to configure the devices correctly for my task.

Added after 3 hours 44 minutes
I recreated it, hanging the crypto map on the Dialer ... There is no connection from the SRP side; from the IOS side the debug is ---
Jun 20 09:14:23.011: ISAKMP (2001): received packet from 82.207.88.220 dport 500 sport 500 Global (R) QM_IDLE      
Jun 20 09:14:23.011: ISAKMP: set new node -463320881 to QM_IDLE      
Jun 20 09:14:23.011: ISAKMP:(2001): processing HASH payload. message ID = -463320881
Jun 20 09:14:23.011: ISAKMP:(2001): processing SA payload. message ID = -463320881
Jun 20 09:14:23.011: ISAKMP:(2001):Checking IPSec proposal 0
Jun 20 09:14:23.011: ISAKMP: transform 0, ESP_3DES
Jun 20 09:14:23.011: ISAKMP:   attributes in transform:
Jun 20 09:14:23.011: ISAKMP:      encaps is 1 (Tunnel)
Jun 20 09:14:23.011: ISAKMP:      SA life type in seconds
Jun 20 09:14:23.011: ISAKMP:      SA life duration (basic) of 7800
Jun 20 09:14:23.011: ISAKMP:      authenticator is HMAC-SHA
Jun 20 09:14:23.011: ISAKMP:(2001):atts are acceptable.
Jun 20 09:14:23.011: IPSEC(validate_proposal_request): proposal part #1
Jun 20 09:14:23.011: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 82.207.88.64, remote= 82.207.88.220, 
    local_proxy= 10.26.71.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 20 09:14:23.011: Crypto mapdb : proxy_match
        src addr     : 10.26.71.0
        dst addr     : 192.168.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
Jun 20 09:14:23.011: Crypto mapdb : proxy_match
        src addr     : 10.26.71.0
        dst addr     : 192.168.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
Jun 20 09:14:23.011: map_db_find_best did not find matching map
Jun 20 09:14:23.011: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 20 09:14:23.011: ISAKMP:(2001): IPSec policy invalidated proposal with error 32
Jun 20 09:14:23.011: ISAKMP:(2001): phase 2 SA policy not acceptable! (local 82.207.88.64 remote 82.207.88.220)
Jun 20 09:14:23.011: ISAKMP: set new node -1674800423 to QM_IDLE      
Jun 20 09:14:23.011: ISAKMP:(2001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2237404416, message ID = -1674800423
Jun 20 09:14:23.011: ISAKMP:(2001): sending packet to 82.207.88.220 my_port 500 peer_port 500 (R) QM_IDLE      
Jun 20 09:14:23.011: ISAKMP:(2001):Sending an IKE IPv4 Packet.
Jun 20 09:14:23.015: ISAKMP:(2001):purging node -1674800423
Jun 20 09:14:23.015: ISAKMP:(2001):deleting node -463320881 error TRUE reason "QM rejected"
Jun 20 09:14:23.015: ISAKMP:(2001):Node -463320881, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 20 09:14:23.015: ISAKMP:(2001):Old State = IKE_QM_READY  New State = IKE_QM_READY
Jun 20 09:14:23.015: ISAKMP (2001): received packet from 82.207.88.220 dport 500 sport 500 Global (R) QM_IDLE      
Jun 20 09:14:23.015: ISAKMP: set new node -768894711 to QM_IDLE      
Jun 20 09:14:23.015: ISAKMP:(2001): processing HASH payload. message ID = -768894711
Jun 20 09:14:23.015: ISAKMP:(2001): processing SA payload. message ID = -768894711
Jun 20 09:14:23.015: ISAKMP:(2001):Checking IPSec proposal 0
Jun 20 09:14:23.015: ISAKMP: transform 0, ESP_3DES
Jun 20 09:14:23.015: ISAKMP:   attributes in transform:
Jun 20 09:14:23.015: ISAKMP:      encaps is 1 (Tunnel)
Jun 20 09:14:23.015: ISAKMP:      SA life type in seconds
Jun 20 09:14:23.015: ISAKMP:      SA life duration (basic) of 7800
Jun 20 09:14:23.015: ISAKMP:      authenticator is HMAC-SHA
Jun 20 09:14:23.015: ISAKMP:(2001):atts are acceptable.
Jun 20 09:14:23.015: IPSEC(validate_proposal_request): proposal part #1
Jun 20 09:14:23.015: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 82.207.88.64, remote= 82.207.88.220, 
    local_proxy= 10.26.71.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 20 09:14:23.019: Crypto mapdb : proxy_match
        src addr     : 10.26.71.0
        dst addr     : 192.168.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
Jun 20 09:14:23.019: Crypto mapdb : proxy_match
        src addr     : 10.26.71.0
        dst addr     : 192.168.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
Jun 20 09:14:23.019: map_db_find_best did not find matching map
Jun 20 09:14:23.019: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 20 09:14:23.019: ISAKMP:(2001): IPSec policy invalidated proposal with error 32
Jun 20 09:14:23.019: ISAKMP:(2001): phase 2 SA policy not acceptable! (local 82.207.88.64 remote 82.207.88.220)
Jun 20 09:14:23.019: ISAKMP: set new node -2024693913 to QM_IDLE      
Jun 20 09:14:23.019: ISAKMP:(2001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2237404416, message ID = -2024693913
Jun 20 09:14:23.019: ISAKMP:(2001): sending packet to 82.207.88.220 my_port 500 peer_port 500 (R) QM_IDLE      
Jun 20 09:14:23.019: ISAKMP:(2001):Sending an IKE IPv4 Packet.
Jun 20 09:14:23.019: ISAKMP:(2001):purging node -2024693913
Jun 20 09:14:23.019: ISAKMP:(2001):deleting node -768894711 error TRUE reason "QM rejected"terminal monitor 
Jun 20 09:14:23.019: ISAKMP:(2001):Node -768894711, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 20 09:14:23.019: ISAKMP:(2001):Old State = IKE_QM_READY  New State = IKE_QM_READY
Jun 20 09:14:33.227: ISAKMP (2001): received packet from 82.207.88.220 dport 500 sport 500 Global (R) QM_IDLE      
Jun 20 09:14:33.227: ISAKMP:(2001): phase 2 packet is a duplicate of a previous packet.
Jun 20 09:14:33.227: ISAKMP:(2001): retransmitting due to retransmit phase 2
Jun 20 09:14:33.227: ISAKMP:(2001): ignoring retransmission,because phase2 node marked dead -768894711
Jun 20 09:14:33.231: ISAKMP (2001): received packet from 82.207.88.220 dport 500 sport 500 Global (R) QM_IDLE      
Jun 20 09:14:33.231: ISAKMP:(2001): phase 2 packet is a duplicate of a previous packet.
Jun 20 09:14:33.231: ISAKMP:(2001): retransmitting due to retransmit phase 2
Jun 20 09:14:33.231: ISAKMP:(2001): ignoring retransmission,because phase2 node marked dead -463320881
Jun 20 09:14:52.699: ISAKMP (2001): received packet from 82.207.88.220 dport 500 sport 500 Global (R) QM_IDLE      
Jun 20 09:14:52.699: ISAKMP:(2001): phase 2 packet is a duplicate of a previous packet.
Jun 20 09:14:52.699: ISAKMP:(2001): retransmitting due to retransmit phase 2
Jun 20 09:14:52.699: ISAKMP:(2001): ignoring retransmission,because phase2 node marked dead -463320881
Jun 20 09:14:52.703: ISAKMP (2001): received packet from 82.207.88.220 dport 500 sport 500 Global (R) QM_IDLE      
Jun 20 09:14:52.703: ISAKMP:(2001): phase 2 packet is a duplicate of a previous packet.
Jun 20 09:14:52.703: ISAKMP:(2001): retransmitting due to retransmit phase 2
Jun 20 09:14:52.703: ISAKMP:(2001): ignoring retransmission,because phase2 node marked dead -768894711
Jun 20 09:15:13.015: ISAKMP:(2001):purging node -463320881
Jun 20 09:15:13.019: ISAKMP:(2001):purging node -768894711
Jun 20 09:15:32.711: ISAKMP (2001): received packet from 82.207.88.220 dport 500 sport 500 Global (R) QM_IDLE      
Jun 20 09:15:32.711: ISAKMP: set new node -189830879 to QM_IDLE      
Jun 20 09:15:32.711: ISAKMP:(2001): processing HASH payload. message ID = -189830879
Jun 20 09:15:32.711: ISAKMP:(2001): processing SA payload. message ID = -189830879
Jun 20 09:15:32.711: ISAKMP:(2001):Checking IPSec proposal 0
Jun 20 09:15:32.711: ISAKMP: transform 0, ESP_3DES
Jun 20 09:15:32.711: ISAKMP:   attributes in transform:
Jun 20 09:15:32.711: ISAKMP:      encaps is 1 (Tunnel)
Jun 20 09:15:32.711: ISAKMP:      SA life type in seconds
Jun 20 09:15:32.711: ISAKMP:      SA life duration (basic) of 7800
Jun 20 09:15:32.711: ISAKMP:      authenticator is HMAC-SHA
Jun 20 09:15:32.711: ISAKMP:(2001):atts are acceptable.
Jun 20 09:15:32.711: IPSEC(validate_proposal_request): proposal part #1
Jun 20 09:15:32.711: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 82.207.88.64, remote= 82.207.88.220, 
    local_proxy= 10.26.71.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 20 09:15:32.711: Crypto mapdb : proxy_match
        src addr     : 10.26.71.0
        dst addr     : 192.168.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
Jun 20 09:15:32.711: Crypto mapdb : proxy_match
        src addr     : 10.26.71.0
        dst addr     : 192.168.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
Added after 9 minutes
Config with the crypto map

Current configuration : 4484 bytes
!
! Last configuration change at 09:13:53 UTC Thu Jun 20 2013 by admin
! NVRAM config last updated at 09:10:14 UTC Thu Jun 20 2013 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ZTR1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$QI0.$SgyXd3mjnZLbx4WYzsdvr.
enable password 7 09444B05151603000E0910
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
!
!
ip source-route
!
!
!
ip dhcp pool vpn
network 10.26.19.160 255.255.255.224
default-router 10.26.19.161
dns-server 10.26.71.3
!
!
ip cef
ip domain name zapgaz.net
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
ip pmtu
ip mtu adjust
!
license udi pid CISCO881-SEC-K9 sn FCZ1620C757
!
!
username admin privilege 15 secret 5 $1$Bz..$66rZ
username Point501 password 7 12291503
username Point502 password 7 03344B1F1
username Point503 password 7 107E190D
username Point504 password 7 0236144F1
!
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key **************** address 82.207.88.220
!
!
crypto ipsec transform-set Points esp-3des esp-sha-hmac
!
crypto map CISO 1 ipsec-isakmp
set peer 82.207.88.220
set transform-set Points
set pfs group2
match address 110
!
!
!
!
!
interface Tunnel2
description ==mGRE to Zpmain via ISP Kyivstar==
ip address 10.26.0.72 255.255.255.224
no ip redirects
ip nhrp map multicast 192.168.26.254
ip nhrp map 10.26.0.94 192.168.26.254
ip nhrp network-id 26
ip nhrp nhs 10.26.0.94
ip nhrp registration no-unique
ip ospf network broadcast
ip ospf priority 0
tunnel source Vlan100
tunnel mode gre multipoint
!
!
interface FastEthernet0
description -Link to Local Network-
switchport access vlan 50
!
!
interface FastEthernet1
description -Link to ISP Kyivstar-
switchport access vlan 100
!
!
interface FastEthernet2
switchport access vlan 200
!
!
interface FastEthernet3
shutdown
!
!
interface FastEthernet4
description -Link ti ISP U-Tel-
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
no cdp enable
!
!
interface Virtual-Template1
ip address 10.26.19.161 255.255.255.224
ip virtual-reassembly
ip tcp adjust-mss 1400
no logging event link-status
peer default ip address dhcp-pool vpn
ppp encrypt mppe auto
ppp authentication chap eap ms-chap ms-chap-v2
!
!
interface Vlan1
no ip address
shutdown
!
!
interface Vlan50
ip address 10.26.71.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan100
description -ISP Kyivstar-
ip address 192.168.26.18 255.255.255.252
!
!
interface Vlan200
ip address 192.168.1.1 255.255.255.248
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
interface Dialer0
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ***********
ppp chap password 7 12E1B12113C
ppp pap sent-username ***************** password 7 06123B
ppp ipcp dns request
crypto map CISO
!
!
router ospf 100
log-adjacency-changes
area 16 stub
network 10.26.0.64 0.0.0.31 area 16
network 10.26.19.160 0.0.0.31 area 16
network 10.26.71.0 0.0.0.255 area 16
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 25 interface Dialer0 25
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.2 3389 interface Dialer0 3310
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.26.0 255.255.255.0 192.168.26.17
!
access-list 1 permit 192.168.1.0 0.0.0.7
access-list 2 permit 10.26.71.48 0.0.0.7
access-list 3 permit 10.26.71.0 0.0.0.7
access-list 110 permit ip 10.26.71.0 0.0.0.255 host 192.168.1.8
!
!
!
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password 7 1502041B01382
transport input ssh
!
scheduler max-task-time 5000


Added after 52 minutes
Debug 2

Jun 20 10:21:02.499: ISAKMP (2001): received packet from 82.207.88.220 dport 500 sport 500 Global (R) QM_IDLE
Jun 20 10:21:02.499: ISAKMP:(2001): phase 2 packet is a duplicate of a previous packet.
Jun 20 10:21:02.499: ISAKMP:(2001): retransmitting due to retransmit phase 2
Jun 20 10:21:02.499: ISAKMP:(2001): ignoring retransmission,because phase2 node marked dead 213869651
Jun 20 10:21:02.499: ISAKMP (2001): received packet from 82.207.88.220 dport 500 sport 500 Global (R) QM_IDLE
Jun 20 10:21:02.499: ISAKMP:(2001): phase 2 packet is a duplicate of a previous packet.
Jun 20 10:21:02.499: ISAKMP:(2001): retransmitting due to retransmit phase 2
Jun 20 10:21:02.499: ISAKMP:(2001): ignoring retransmission,because phase2 node marked dead -404377325
Jun 20 10:21:02.503: ISAKMP (0): received packet from 82.207.88.220 dport 500 sport 500 Global (N) NEW SA
Jun 20 10:21:02.503: ISAKMP: Found a peer struct for 82.207.88.220, peer port 500
Jun 20 10:21:02.503: ISAKMP: Locking peer struct 0x85636D34, refcount 2 for crypto_isakmp_process_block
Jun 20 10:21:02.503: ISAKMP: local port 500, remote port 500
Jun 20 10:21:02.503: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85EAD3E4
Jun 20 10:21:02.503: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 10:21:02.503: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

Jun 20 10:21:02.503: ISAKMP:(0): processing SA payload. message ID = 0
Jun 20 10:21:02.503: ISAKMP:(0): processing vendor id payload
Jun 20 10:21:02.503: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Jun 20 10:21:02.503: ISAKMP:(0): processing vendor id payload
Jun 20 10:21:02.503: ISAKMP:(0): vendor ID is DPD
Jun 20 10:21:02.503: ISAKMP:(0):found peer pre-shared key matching 82.207.88.220
Jun 20 10:21:02.503: ISAKMP:(0): local preshared key found
Jun 20 10:21:02.503: ISAKMP : Scanning profiles for xauth ...
Jun 20 10:21:02.503: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
Jun 20 10:21:02.503: ISAKMP:      life type in seconds
Jun 20 10:21:02.503: ISAKMP:      life duration (basic) of 3600
Jun 20 10:21:02.503: ISAKMP:      encryption 3DES-CBC
Jun 20 10:21:02.503: ISAKMP:      hash SHA
Jun 20 10:21:02.503: ISAKMP:      auth pre-share
Jun 20 10:21:02.503: ISAKMP:      default group 2
Jun 20 10:21:02.503: ISAKMP:(0):atts are acceptable. Next payload is 0
Jun 20 10:21:02.503: ISAKMP:(0):Acceptable atts:actual life: 0
Jun 20 10:21:02.503: ISAKMP:(0):Acceptable atts:life: 0
Jun 20 10:21:02.503: ISAKMP:(0):Basic life_in_seconds:3600
Jun 20 10:21:02.503: ISAKMP:(0):Returning Actual lifetime: 3600
Jun 20 10:21:02.503: ISAKMP:(0)::Started lifetime timer: 3600.

Jun 20 10:21:02.503: ISAKMP:(0): processing vendor id payload
Jun 20 10:21:02.503: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Jun 20 10:21:02.503: ISAKMP:(0): processing vendor id payload
Jun 20 10:21:02.503: ISAKMP:(0): vendor ID is DPD
Jun 20 10:21:02.503: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 20 10:21:02.503: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jun 20 10:21:02.503: ISAKMP:(0): sending packet to 82.207.88.220 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jun 20 10:21:02.503: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 20 10:21:02.507: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 10:21:02.507: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

Jun 20 10:21:02.631: ISAKMP (0): received packet from 82.207.88.220 dport 500 sport 500 Global (R) MM_SA_SETUP
Jun 20 10:21:02.631: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 10:21:02.631: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

Jun 20 10:21:02.631: ISAKMP:(0): processing KE payload. message ID = 0
Jun 20 10:21:02.659: ISAKMP:(0): processing NONCE payload. message ID = 0
Jun 20 10:21:02.659: ISAKMP:(0):found peer pre-shared key matching 82.207.88.220
Jun 20 10:21:02.659: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 20 10:21:02.659: ISAKMP:(2002):Old State = IKE_R_MM3  New State = IKE_R_MM3

Jun 20 10:21:02.659: ISAKMP:(2002): sending packet to 82.207.88.220 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 20 10:21:02.659: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 20 10:21:02.659: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 10:21:02.659: ISAKMP:(2002):Old State = IKE_R_MM3  New State = IKE_R_MM4

Jun 20 10:21:02.767: ISAKMP (2002): received packet from 82.207.88.220 dport 500 sport 500 Global (R) MM_KEY_EXCH
Jun 20 10:21:02.767: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 10:21:02.767: ISAKMP:(2002):Old State = IKE_R_MM4  New State = IKE_R_MM5

Jun 20 10:21:02.767: ISAKMP:(2002): processing ID payload. message ID = 0
Jun 20 10:21:02.767: ISAKMP (2002): ID payload
        next-payload : 8
        type         : 1
        address      : 82.207.88.220
        protocol     : 0
        port         : 0
        length       : 12
Jun 20 10:21:02.767: ISAKMP:(0):: peer matches *none* of the profiles
Jun 20 10:21:02.767: ISAKMP:(2002): processing HASH payload. message ID = 0
Jun 20 10:21:02.767: ISAKMP:(2002):SA authentication status:
        authenticated
Jun 20 10:21:02.767: ISAKMP:(2002):SA has been authenticated with 82.207.88.220
Jun 20 10:21:02.767: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 20 10:21:02.767: ISAKMP:(2002):Old State = IKE_R_MM5  New State = IKE_R_MM5

Jun 20 10:21:02.767: ISAKMP:(2002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 20 10:21:02.767: ISAKMP (2002): ID payload
        next-payload : 8
        type         : 1
        address      : 82.207.88.64
        protocol     : 17
        port         : 500
        length       : 12
Jun 20 10:21:02.767: ISAKMP:(2002):Total payload length: 12
Jun 20 10:21:02.767: ISAKMP:(2002): sending packet to 82.207.88.220 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 20 10:21:02.767: ISAKMP:(2002):Sending an IKE IPv4 Packet.
Jun 20 10:21:02.771: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 10:21:02.771: ISAKMP:(2002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Jun 20 10:21:02.771: ISAKMP:(2002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 20 10:21:02.771: ISAKMP:(2002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jun 20 10:21:18.999: ISAKMP (2001): received packet from 82.207.88.220 dport 500 sport 500 Global (R) QM_IDLE
Jun 20 10:21:18.999: ISAKMP: set new node 340619819 to QM_IDLE
Jun 20 10:21:18.999: ISAKMP:(2001): processing HASH payload. message ID = 340619819
Jun 20 10:21:18.999: ISAKMP:(2001): processing DELETE payload. message ID = 340619819
Jun 20 10:21:18.999: ISAKMP:(2001):peer does not do paranoid keepalives.

Jun 20 10:21:18.999: ISAKMP:(2001):deleting SA reason "No reason" state (R) QM_IDLE       (peer 82.207.88.220)
Jun 20 10:21:19.003: ISAKMP:(2001):deleting node 340619819 error FALSE reason "Informational (in) state 1"
Jun 20 10:21:19.003: ISAKMP: set new node 1311867063 to QM_IDLE
Jun 20 10:21:19.003: ISAKMP:(2001): sending packet to 82.207.88.220 my_port 500 peer_port 500 (R) QM_IDLE
Jun 20 10:21:19.003: ISAKMP:(2001):Sending an IKE IPv4 Packet.
Jun 20 10:21:19.003: ISAKMP:(2001):purging node 1311867063
Jun 20 10:21:19.003: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 20 10:21:19.003: ISAKMP:(2001):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Jun 20 10:21:19.003: ISAKMP:(2001):deleting SA reason "No reason" state (R) QM_IDLE       (peer 82.207.88.220)
Jun 20 10:21:19.003: ISAKMP: Unlocking peer struct 0x85636D34 for isadb_mark_sa_deleted(), count 1
Jun 20 10:21:19.003: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 10:21:19.003: ISAKMP:(2001):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Jun 20 10:21:23.191: ISAKMP:(2001):purging node 213869651
Jun 20 10:21:23.191: ISAKMP:(2001):purging node -404377325
Jabbson
20.06.2013, 17:04 2
For posterity:
The problem was solved by redoing the isakmp policy, ACL and NAT settings [remotely over Skype]
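A check for the "proxy identities not supported" rejection in the first debug, as an added example that is not part of the original posts: it compares the Quick Mode selectors the peer proposed with the crypto ACL referenced by the crypto map, and lists NAT source lists that overlap the crypto ACL source. The sample lines are copied from the thread's debug and crypto-map config; the function names are hypothetical, and reporting every non-identical selector as a finding is a simplifying assumption.

```python
import ipaddress
import re

# Constructed sample input: lines copied from the thread's first debug and crypto-map config.
DEBUG = """\
Jun 20 09:14:23.011: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 82.207.88.64, remote= 82.207.88.220,
    local_proxy= 10.26.71.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
Jun 20 09:14:23.011: map_db_find_best did not find matching map
Jun 20 09:14:23.011: IPSEC(ipsec_process_proposal): proxy identities not supported
"""
CONFIG = """\
crypto map CISO 1 ipsec-isakmp
 match address 110
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list 3 interface Dialer0 overload
access-list 1 permit 192.168.1.0 0.0.0.7
access-list 2 permit 10.26.71.48 0.0.0.7
access-list 3 permit 10.26.71.0 0.0.0.7
access-list 110 permit ip 10.26.71.0 0.0.0.255 host 192.168.1.8
"""
ENDPOINT = r"(host \S+|any|\S+ \S+)"


def acl_net(spec):
    """Turn an IOS ACL endpoint ('any', 'host A', 'A WILDCARD') into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    # ipaddress accepts a contiguous wildcard (host mask) after the slash;
    # a non-contiguous wildcard raises ValueError and needs manual review.
    return ipaddress.ip_network(f"{addr}/{wildcard}")


def proposed_proxies(debug):
    """Unique (local_proxy, remote_proxy) pairs the peer proposed in Quick Mode."""
    rows = re.findall(
        r"local_proxy=\s*([\d.]+)/([\d.]+)/.*?remote_proxy=\s*([\d.]+)/([\d.]+)/",
        debug, re.S)
    return sorted({(ipaddress.ip_network(f"{la}/{lm}"),
                    ipaddress.ip_network(f"{ra}/{rm}")) for la, lm, ra, rm in rows})


def crypto_acl(config):
    """(src, dst) networks of every ACL referenced by 'match address' in a crypto map."""
    ids = set(re.findall(r"^\s*match address (\d+)", config, re.M))
    rows = re.findall(rf"^access-list (\d+) permit ip {ENDPOINT} {ENDPOINT}\s*$",
                      config, re.M)
    return [(acl_net(s), acl_net(d)) for n, s, d in rows if n in ids]


def relation(proposed, configured):
    """How the proposed selector relates to the locally configured one."""
    if proposed == configured:
        return "equal"
    if proposed.subnet_of(configured):
        return "narrower"
    if configured.subnet_of(proposed):
        return "wider"
    return "disjoint"


def selector_mismatches(debug, config):
    """List every side (local/remote) where proposal and crypto ACL differ."""
    findings = []
    for local, remote in proposed_proxies(debug):
        for src, dst in crypto_acl(config):
            for side, prop, conf in (("local", local, src), ("remote", remote, dst)):
                rel = relation(prop, conf)
                if rel != "equal":
                    findings.append((side, str(prop), str(conf), rel))
    return findings


def nat_overlaps(config):
    """NAT source lists (standard ACLs) that overlap a crypto ACL source network."""
    nat_ids = set(re.findall(r"^ip nat inside source list (\d+) ", config, re.M))
    std = re.findall(r"^access-list (\d+) permit ([\d.]+) ([\d.]+)\s*$", config, re.M)
    sources = [src for src, _ in crypto_acl(config)]
    return [(int(n), str(acl_net(f"{a} {w}"))) for n, a, w in std
            if n in nat_ids and any(acl_net(f"{a} {w}").overlaps(s) for s in sources)]


if __name__ == "__main__":
    for finding in selector_mismatches(DEBUG, CONFIG):
        print("selector mismatch:", finding)
    for hit in nat_overlaps(CONFIG):
        print("NAT list overlaps crypto ACL source:", hit)
```

On the thread's data this reports that the peer proposes 192.168.1.0/24 as the remote selector while access-list 110 names only host 192.168.1.8, and that NAT lists 2 and 3 cover part of 10.26.71.0/24.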