Hello. I need to join two networks. In one the gateway is a Cisco 891, in the other a D-Link DSR-1000.
D-Link settings
Policy Name: ikcpolicy
Policy Type: Auto Policy
IP Protocol Version: IPv4
IKE Version: IKEv1
L2TP Mode: None
IPSec Mode: Tunnel Mode
Select Local Gateway: wan1
Remote Endpoint: IP Address / FQDN
IP Address / FQDN: x.x.30.214
Enable Mode Config: Disabled
Enable NetBIOS: Disabled
Enable RollOver: Disabled
Protocol: ESP
Enable DHCP: Disabled
Local IP
  Local Start IP Address: 172.22.32.1
  Local Subnet Mask: 255.255.254.0
Remote IP
  Remote Start IP Address: 192.168.11.1
  Remote Subnet Mask: 255.255.255.0
Enable Keepalive: Disabled
Phase1 (IKE SA Parameters)
  Exchange Mode: Main
  Direction / Type: Both
  Nat Traversal: off
  Local Identifier Type:
  Remote Identifier Type:
  Encryption Algorithm: DES
  Authentication Algorithm: SHA-1
  Authentication Method: Pre-Shared key
  Pre-Shared Key: secret_key
  Diffie-Hellman (DH) Group: Group 2 (1024 bit)
  SA-Lifetime: 86400
  Enable Dead Peer Detection: Disabled
  Extended Authentication: None
Phase2 (Auto Policy Parameters)
  SA Lifetime: 3600 Seconds
  Encryption Algorithm: DES
  Integrity Algorithm: SHA-1
  PFS Key Group: Disabled
Cisco settings
crypto keyring wgsecret
pre-shared-key address 0.0.0.0 0.0.0.0 key secret_key
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp profile WGprofile
keyring wgsecret
match identity address 0.0.0.0
!
!
crypto ipsec transform-set WGTS esp-des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map WGDM 10
set transform-set WGTS
set isakmp-profile WGprofile
match address WGCLUBNET
reverse-route
!
!
!
crypto map WGMap 10 ipsec-isakmp dynamic WGDM
!
!
!
!
!
interface Loopback1
ip address 10.11.12.1 255.255.255.0
ip nat enable
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Virtual-Template1
ip address 10.11.11.1 255.255.255.0
peer default ip address pool vpnpool
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap ms-chap-v2
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname 381035811
ppp chap password 7 050E050B2443480C13
ppp pap sent-username 381035811 password 7 050E050B2443480C13
no cdp enable
crypto map WGMap
!
ip local pool vpnpool 10.11.11.32 10.11.11.127
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 122 interface Dialer1 overload
ip nat inside source static tcp 192.168.11.6 22 x.x.30.214 22 extendable
ip nat inside source static tcp 192.168.11.6 80 x.x.30.214 80 extendable
ip nat inside source static tcp 192.168.11.5 3389 x.x.30.214 33891 extendable
ip nat inside source static tcp 192.168.11.22 3389 x.x.30.214 33892 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.22.32.0 255.255.254.0 Dialer1
!
ip access-list extended WGCLUBNET
permit ip host x.x.30.214 host x.x.54.66
permit ip 192.168.11.0 0.0.0.255 172.22.32.0 0.0.1.255
!
dialer-list 1 protocol ip permit
!
!
access-list 23 permit 192.168.11.0 0.0.0.255
access-list 122 permit ip 192.168.11.0 0.0.0.255 any
!
Phase 1 completes, phase 2 doesn't. Here is what the D-Link writes in its log:
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify message from x.x.30.214[500].No phase2 handle found.
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: accept a request to establish IKE-SA: x.x.30.214
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214.
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214.
Sun Oct 09 12:04:19 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new phase 2 negotiation: x.x.54.66[500]<=>x.x.30.214[0]
And here are the Cisco logs:
*Oct 9 11:34:45.078: ISAKMP (2003): received packet from 195.206.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 9 11:34:45.078: ISAKMP: set new node -598716224 to QM_IDLE
*Oct 9 11:34:45.078: ISAKMP:(2003): processing HASH payload. message ID = 3696251072
*Oct 9 11:34:45.078: ISAKMP:(2003): processing SA payload. message ID = 3696251072
*Oct 9 11:34:45.078: ISAKMP:(2003):Checking IPSec proposal 1
*Oct 9 11:34:45.078: ISAKMP: transform 1, ESP_DES
*Oct 9 11:34:45.078: ISAKMP: attributes in transform:
*Oct 9 11:34:45.078: ISAKMP: SA life type in seconds
*Oct 9 11:34:45.078: ISAKMP: SA life duration (basic) of 3600
*Oct 9 11:34:45.078: ISAKMP: encaps is 1 (Tunnel)
*Oct 9 11:34:45.078: ISAKMP: authenticator is HMAC-SHA
*Oct 9 11:34:45.078: ISAKMP:(2003):atts are acceptable.
*Oct 9 11:34:45.078: IPSEC(validate_proposal_request): proposal part #1
*Oct 9 11:34:45.078: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct 9 11:34:45.082: ISAKMP:(2003): IPSec policy invalidated proposal with error 32
*Oct 9 11:34:45.082: ISAKMP:(2003): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)
*Oct 9 11:34:45.082: ISAKMP: set new node 1773506091 to QM_IDLE
*Oct 9 11:34:45.082: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2371042928, message ID = 1773506091
*Oct 9 11:34:45.082: ISAKMP:(2003): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 9 11:34:45.082: ISAKMP:(2003):Sending an IKE IPv4 Packet.
*Oct 9 11:34:45.082: ISAKMP:(2003):purging node 1773506091
*Oct 9 11:34:45.082: ISAKMP:(2003):deleting node -598716224 error TRUE reason "QM rejected"
*Oct 9 11:34:45.082: ISAKMP:(2003):Node 3696251072, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 9 11:34:45.082: ISAKMP:(2003):Old State = IKE_QM_READY New State = IKE_QM_READY
*Oct 9 11:34:55.110: ISAKMP (2003): received packet from 195.206.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 9 11:34:55.110: ISAKMP:(2003): phase 2 packet is a duplicate of a previous packet.
*Oct 9 11:34:55.110: ISAKMP:(2003): retransmitting due to retransmit phase 2
*Oct 9 11:34:55.110: ISAKMP:(2003): Quick Mode is being processed. Ignoring retransmission
Judging by the errors and by googling them, something is wrong with the access lists, but what? Help me figure it out. I haven't been able to bring the tunnel up for a week. I've tried everything.
> crypto dynamic-map WGDM 10
And what is the dynamic map for?
> permit ip host x.x.30.214 host x.x.54.66
That is unnecessary.
> Encryption Algorithm
> DES
> Authentication Algorithm
> SHA-1
Those algorithms are very weak by today's standards.
> crypto dynamic-map WGDM 10
> set transform-set WGTS
> set isakmp-profile WGprofile
> match address WGCLUBNET
> reverse-route
I think match address is unnecessary here.
>> crypto dynamic-map WGDM 10
>> set transform-set WGTS
>> set isakmp-profile WGprofile
>> match address WGCLUBNET
>> reverse-route
> I think match address is unnecessary here.
A dynamic map because there will be several connections. I tried it with static maps, same result.
permit ip host host
Removed it, same result. Removed match address, didn't help.
Tell me what else I can try and where to look. Maybe there is another debug that would make it clearer what exactly it doesn't like.
> Local Start IP Address
> 172.22.32.1
> Local Subnet Mask
> 255.255.254.0
> Remote IP
> Remote Start IP Address
> 192.168.11.1
> Remote Subnet Mask
> 255.255.255.0
Shouldn't the addresses here end in .0?
>> Local Start IP Address
>> 172.22.32.1
>> Local Subnet Mask
>> 255.255.254.0
>> Remote IP
>> Remote Start IP Address
>> 192.168.11.1
>> Remote Subnet Mask
>> 255.255.255.0
> Shouldn't the addresses here end in .0?
It doesn't let me enter 0 there. That seemed strange to me too, since the network address is the zero address. But D-Link apparently does it differently.
>[overquoting removed]
>>> Local Subnet Mask
>>> 255.255.254.0
>>> Remote IP
>>> Remote Start IP Address
>>> 192.168.11.1
>>> Remote Subnet Mask
>>> 255.255.255.0
>> Shouldn't the addresses here end in .0?
> It doesn't let me enter 0 there. That seemed strange to me too, since the
> network address is the zero address. But D-Link apparently does it differently.
show debug
Is debug crypto ipsec enabled?
>[overquoting removed]
>>>> Remote IP
>>>> Remote Start IP Address
>>>> 192.168.11.1
>>>> Remote Subnet Mask
>>>> 255.255.255.0
>>> Shouldn't the addresses here end in .0?
>> It doesn't let me enter 0 there. That seemed strange to me too, since the
>> network address is the zero address. But D-Link apparently does it differently.
> show debug
> Is debug crypto ipsec enabled?
show debug
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
Yes. I tried removing the dynamic maps, here is the new config:
crypto keyring wgsecret
pre-shared-key address x.x.54.66 255.255.255.252 key DEVopengl1982
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp profile WGprofile
keyring wgsecret
match identity address x.x.54.66 255.255.255.252
!
!
crypto ipsec transform-set WGTS esp-des esp-sha-hmac
mode tunnel
!
!
!
!
!
!
crypto map WGMAp 10 ipsec-isakmp
! Incomplete
set transform-set WGTS
set isakmp-profile WGprofile
match address WGCLUBNET
reverse-route
!
ip access-list extended WGCLUBNET
permit ip 192.168.11.0 0.0.0.255 172.22.32.0 0.0.1.255
Same result. I don't know what to think anymore. I've tried everything. This same D-Link holds an IPsec tunnel with another D-Link of the same model just fine.
Here are the logs from the Cisco:
*Oct 10 07:52:36.557: ISAKMP (0): received packet from x.x.54.66 dport 500 sport 500 Global (N) NEW SA
*Oct 10 07:52:36.557: ISAKMP: Created a peer struct for x.x.54.66, peer port 500
*Oct 10 07:52:36.557: ISAKMP: New peer created peer = 0x8B88D9E8 peer_handle = 0x8000000D
*Oct 10 07:52:36.557: ISAKMP: Locking peer struct 0x8B88D9E8, refcount 1 for crypto_isakmp_process_block
*Oct 10 07:52:36.557: ISAKMP: local port 500, remote port 500
*Oct 10 07:52:36.557: ISAKMP:(0):insert sa successfully sa = 8E0E6128
*Oct 10 07:52:36.557: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 10 07:52:36.557: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 10 07:52:36.557: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 10 07:52:36.557: ISAKMP:(0): processing vendor id payload
*Oct 10 07:52:36.557: ISAKMP:(0): vendor ID is DPD
*Oct 10 07:52:36.557: ISAKMP:(0):found peer pre-shared key matching x.x.54.66
*Oct 10 07:52:36.557: ISAKMP:(0): local preshared key found
*Oct 10 07:52:36.557: ISAKMP : Scanning profiles for xauth ... WGprofile
*Oct 10 07:52:36.557: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 10 07:52:36.557: ISAKMP: life type in seconds
*Oct 10 07:52:36.557: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Oct 10 07:52:36.557: ISAKMP: encryption DES-CBC
*Oct 10 07:52:36.557: ISAKMP: auth pre-share
*Oct 10 07:52:36.557: ISAKMP: hash SHA
*Oct 10 07:52:36.557: ISAKMP: default group 2
*Oct 10 07:52:36.557: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 10 07:52:36.557: ISAKMP:(0):Acceptable atts:actual life: 86400
*Oct 10 07:52:36.557: ISAKMP:(0):Acceptable atts:life: 0
*Oct 10 07:52:36.557: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 10 07:52:36.557: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Oct 10 07:52:36.557: ISAKMP:(0):Returning Actual lifetime: 86400
*Oct 10 07:52:36.557: ISAKMP:(0)::Started lifetime timer: 86400.
*Oct 10 07:52:36.561: ISAKMP:(0): processing vendor id payload
*Oct 10 07:52:36.561: ISAKMP:(0): vendor ID is DPD
*Oct 10 07:52:36.561: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 10 07:52:36.561: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 10 07:52:36.561: ISAKMP:(0): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 10 07:52:36.561: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 10 07:52:36.561: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 10 07:52:36.561: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Oct 10 07:52:36.809: ISAKMP (0): received packet from x.x.54.66 dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 10 07:52:36.809: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 10 07:52:36.809: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Oct 10 07:52:36.809: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 10 07:52:36.829: ISAKMP:(0): processing NONCE payload. message ID = 0
*Oct 10 07:52:36.829: ISAKMP:(0):found peer pre-shared key matching x.x.54.66
*Oct 10 07:52:36.829: ISAKMP:(2004): processing vendor id payload
*Oct 10 07:52:36.829: ISAKMP:(2004): vendor ID seems Unity/DPD but major 139 mismatch
*Oct 10 07:52:36.833: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 10 07:52:36.833: ISAKMP:(2004):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Oct 10 07:52:36.833: ISAKMP:(2004): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 10 07:52:36.833: ISAKMP:(2004):Sending an IKE IPv4 Packet.
*Oct 10 07:52:36.833: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 10 07:52:36.833: ISAKMP:(2004):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Oct 10 07:52:37.497: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Oct 10 07:52:37.501: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Oct 10 07:52:37.501: ISAKMP:(2004): processing ID payload. message ID = 0
*Oct 10 07:52:37.501: ISAKMP (2004): ID payload
next-payload : 8
type : 1
address : x.x.54.66
protocol : 17
port : 500
length : 12
*Oct 10 07:52:37.501: ISAKMP:(0):: peer matches WGprofile profile
*Oct 10 07:52:37.501: ISAKMP:(2004):Found ADDRESS key in keyring wgsecret
*Oct 10 07:52:37.501: ISAKMP:(2004): processing HASH payload. message ID = 0
*Oct 10 07:52:37.501: ISAKMP:(2004):SA authentication status:
authenticated
*Oct 10 07:52:37.501: ISAKMP:(2004):SA has been authenticated with x.x.54.66
*Oct 10 07:52:37.501: ISAKMP: Trying to insert a peer x.x.30.214/x.x.54.66/500/, and inserted successfully 8B88D9E8.
*Oct 10 07:52:37.501: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Oct 10 07:52:37.501: ISAKMP:(2004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Oct 10 07:52:37.501: ISAKMP (2004): ID payload
next-payload : 8
type : 1
address : x.x.30.214
protocol : 17
port : 500
length : 12
*Oct 10 07:52:37.501: ISAKMP:(2004):Total payload length: 12
*Oct 10 07:52:37.501: ISAKMP:(2004): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 10 07:52:37.501: ISAKMP:(2004):Sending an IKE IPv4 Packet.
*Oct 10 07:52:37.501: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Oct 10 07:52:37.501: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Oct 10 07:52:37.521: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:52:37.521: ISAKMP: set new node -328894163 to QM_IDLE
*Oct 10 07:52:37.521: ISAKMP:(2004): processing HASH payload. message ID = 3966073133
*Oct 10 07:52:37.521: ISAKMP:(2004): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 3966073133, sa = 0x8E0E6128
*Oct 10 07:52:37.521: ISAKMP:(2004):SA authentication status:
authenticated
*Oct 10 07:52:37.521: ISAKMP:(2004): Process initial contact,
bring down existing phase 1 and 2 SA's with local x.x.30.214 remote x.x.54.66 remote port 500
*Oct 10 07:52:37.521: ISAKMP:(2004):deleting node -328894163 error FALSE reason "Informational (in) state 1"
*Oct 10 07:52:37.521: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 10 07:52:37.521: ISAKMP:(2004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Oct 10 07:52:37.521: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 10 07:52:38.537: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:52:38.537: ISAKMP: set new node -1813039523 to QM_IDLE
*Oct 10 07:52:38.537: ISAKMP:(2004): processing HASH payload. message ID = 2481927773
*Oct 10 07:52:38.537: ISAKMP:(2004): processing SA payload. message ID = 2481927773
*Oct 10 07:52:38.537: ISAKMP:(2004):Checking IPSec proposal 1
*Oct 10 07:52:38.537: ISAKMP: transform 1, ESP_DES
*Oct 10 07:52:38.537: ISAKMP: attributes in transform:
*Oct 10 07:52:38.537: ISAKMP: SA life type in seconds
*Oct 10 07:52:38.537: ISAKMP: SA life duration (basic) of 3600
*Oct 10 07:52:38.537: ISAKMP: encaps is 1 (Tunnel)
*Oct 10 07:52:38.537: ISAKMP: authenticator is HMAC-SHA
*Oct 10 07:52:38.537: ISAKMP:(2004):atts are acceptable.
*Oct 10 07:52:38.537: IPSEC(validate_proposal_request): proposal part #1
*Oct 10 07:52:38.537: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct 10 07:52:38.537: ISAKMP:(2004): IPSec policy invalidated proposal with error 32
*Oct 10 07:52:38.537: ISAKMP:(2004): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)
*Oct 10 07:52:38.537: ISAKMP: set new node 1494915460 to QM_IDLE
*Oct 10 07:52:38.537: ISAKMP:(2004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2371042928, message ID = 1494915460
*Oct 10 07:52:38.537: ISAKMP:(2004): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 10 07:52:38.537: ISAKMP:(2004):Sending an IKE IPv4 Packet.
*Oct 10 07:52:38.537: ISAKMP:(2004):purging node 1494915460
*Oct 10 07:52:38.537: ISAKMP:(2004):deleting node -1813039523 error TRUE reason "QM rejected"
*Oct 10 07:52:38.537: ISAKMP:(2004):Node 2481927773, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 10 07:52:38.537: ISAKMP:(2004):Old State = IKE_QM_READY New State = IKE_QM_READY
*Oct 10 07:52:48.557: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:52:48.557: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:52:48.557: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:52:48.557: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
*Oct 10 07:52:58.573: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:52:58.573: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:52:58.573: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:52:58.573: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
*Oct 10 07:53:08.585: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:53:08.585: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:53:08.585: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:53:08.585: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
*Oct 10 07:53:18.601: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:53:18.601: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:53:18.601: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:53:18.601: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
*Oct 10 07:53:27.521: ISAKMP:(2004):purging node -328894163
*Oct 10 07:53:28.537: ISAKMP:(2004):purging node -1813039523
*Oct 10 07:53:28.977: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:53:28.977: ISAKMP: set new node -1813039523 to QM_IDLE
*Oct 10 07:53:28.977: ISAKMP:(2004): processing HASH payload. message ID = 2481927773
*Oct 10 07:53:28.977: ISAKMP:(2004): processing SA payload. message ID = 2481927773
*Oct 10 07:53:28.977: ISAKMP:(2004):Checking IPSec proposal 1
*Oct 10 07:53:28.977: ISAKMP: transform 1, ESP_DES
*Oct 10 07:53:28.977: ISAKMP: attributes in transform:
*Oct 10 07:53:28.977: ISAKMP: SA life type in seconds
*Oct 10 07:53:28.977: ISAKMP: SA life duration (basic) of 3600
*Oct 10 07:53:28.977: ISAKMP: encaps is 1 (Tunnel)
*Oct 10 07:53:28.977: ISAKMP: authenticator is HMAC-SHA
*Oct 10 07:53:28.977: ISAKMP:(2004):atts are acceptable.
*Oct 10 07:53:28.977: IPSEC(validate_proposal_request): proposal part #1
*Oct 10 07:53:28.977: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct 10 07:53:28.977: ISAKMP:(2004): IPSec policy invalidated proposal with error 32
*Oct 10 07:53:28.977: ISAKMP:(2004): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)
*Oct 10 07:53:28.977: ISAKMP: set new node 23007779 to QM_IDLE
*Oct 10 07:53:28.977: ISAKMP:(2004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2371042928, message ID = 23007779
*Oct 10 07:53:28.977: ISAKMP:(2004): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 10 07:53:28.977: ISAKMP:(2004):Sending an IKE IPv4 Packet.
*Oct 10 07:53:28.977: ISAKMP:(2004):purging node 23007779
*Oct 10 07:53:28.977: ISAKMP:(2004):deleting node -1813039523 error TRUE reason "QM rejected"
*Oct 10 07:53:28.977: ISAKMP:(2004):Node 2481927773, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 10 07:53:28.977: ISAKMP:(2004):Old State = IKE_QM_READY New State = IKE_QM_READY
*Oct 10 07:53:37.997: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:53:37.997: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:53:37.997: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:53:37.997: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
Here is the log from the D-Link:
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: accept a request to establish IKE-SA: x.x.30.214
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Beginning Identity Protection mode.
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214.
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214.
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new phase 1 negotiation: x.x.54.66[500]<=>x.x.30.214[500]
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Received unknown Vendor ID
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Received Vendor ID: CISCO-UNITY
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Received Vendor ID: DPD
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mon Oct 10 08:19:12 2016 (GMT +0000): [DSR-1000] [IKE] INFO: ISAKMP-SA established for x.x.54.66[500]-x.x.30.214[500] with spi:7a71f16e02d182e4:c7b75d7981d40948
Mon Oct 10 08:19:12 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
Mon Oct 10 08:19:13 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify message from x.x.30.214[500].No phase2 handle found.
Mon Oct 10 08:19:13 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new phase 2 negotiation: x.x.54.66[500]<=>x.x.30.214[0]
Mon Oct 10 08:20:04 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify message from x.x.30.214[500].No phase2 handle found.
Mon Oct 10 08:21:03 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Phase 2 negotiation failed due to time up. 7a71f16e02d182e4:c7b75d7981d40948:93ef365d
Mon Oct 10 08:21:03 2016 (GMT +0000): [DSR-1000] [IKE] INFO: an undead schedule has been deleted: 'quick_i1prep'.
I had the same problem and managed to solve it.
The problem is in the local and remote subnet settings on the D-Link.
When phase 2 of the IPsec tunnel comes up, the crypto ACL on the Cisco side
is compared with the local/remote subnet parameters on the D-Link.
Since on the D-Link side these networks are described in the start address field as x.x.x.1/24,
they do not match the subnets described on the Cisco as x.x.x.0/24, and the tunnel does not
come up.
Some D-Link firmware versions do not allow x.x.x.0 in the
start address field (you can try a mask smaller than /24, for example x.x.x.128/25).
If you manage to enter it, the tunnel should come up; if not, experiment with the firmware.
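Added example (Python, not from the thread and not vendor code): a script that performs the comparison this answer describes offline, so the mismatch is visible before a single IKE packet is sent. It parses the Cisco crypto ACL (turning the wildcard 0.0.1.255 into /23), models the D-Link policy as the start-address-plus-mask pair the DSR places in its Quick Mode ID payloads, and reports either an exact mirror match or the nearest miss with the start addresses to set. It also flags static crypto map entries that IOS shows as "! Incomplete", as the second Cisco config above does for WGMAp 10, which has no set peer. The config text and policy values are constructed from what was posted; the function names, and the assumption that the DSR sends the start address unnormalised, are my reading of this answer, not a documented API.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Inputs constructed from the values posted in the thread (static-map variant
# of the Cisco config plus the DSR policy fields). Not a live device dump.
CISCO_CONFIG = """\
crypto map WGMAp 10 ipsec-isakmp
 set transform-set WGTS
 set isakmp-profile WGprofile
 match address WGCLUBNET
 reverse-route
!
ip access-list extended WGCLUBNET
 permit ip 192.168.11.0 0.0.0.255 172.22.32.0 0.0.1.255
"""

# The DSR policy exactly as typed: start addresses with host bits set.
DLINK_POLICY = {
    "local_start": "172.22.32.1", "local_mask": "255.255.254.0",
    "remote_start": "192.168.11.1", "remote_mask": "255.255.255.0",
}

Selector = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]  # (address, netmask)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco ACL wildcard (0.0.1.255) -> netmask (255.255.254.0) -> network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _endpoint(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ACL endpoint: 'host A', 'any', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_crypto_acl(config: str, name: str) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """(src, dst) networks of each 'permit ip' line in the named extended ACL."""
    entries, inside = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
        elif inside and line.strip().startswith("permit ip "):
            tokens = line.split()[2:]
            entries.append((_endpoint(tokens), _endpoint(tokens)))  # src, then dst
        elif inside and not line.startswith(" "):
            inside = False
    return entries


def dlink_proxy_ids(policy: Dict[str, str]) -> Tuple[Selector, Selector]:
    """Assumed DSR behaviour (per the answer above): the Quick Mode IDs carry the
    start address as typed plus its mask, with no normalisation to the network."""
    a = ipaddress.IPv4Address
    return ((a(policy["local_start"]), a(policy["local_mask"])),
            (a(policy["remote_start"]), a(policy["remote_mask"])))


def check_phase2_selectors(config: str, acl_name: str, policy: Dict[str, str]) -> List[str]:
    """Compare the D-Link proposal, as the Cisco responder sees it, with the crypto
    ACL: the Cisco's source (its own LAN) is the D-Link's *remote* subnet and vice
    versa. Returns [] when an ACL line mirrors the proposal exactly, otherwise one
    message per near-miss saying what to change on the D-Link."""
    dl_local, dl_remote = dlink_proxy_ids(policy)
    findings = []
    for src, dst in parse_crypto_acl(config, acl_name):
        if (src.network_address, src.netmask) == dl_remote and \
           (dst.network_address, dst.netmask) == dl_local:
            return []
        # Same masks and addresses inside the ACL networks: only host bits differ.
        if (dl_remote[0] in src and dl_remote[1] == src.netmask
                and dl_local[0] in dst and dl_local[1] == dst.netmask):
            findings.append(
                f"ACL {src} <-> {dst}: D-Link proposes {dl_remote[0]}/{dl_remote[1]} <-> "
                f"{dl_local[0]}/{dl_local[1]}; set Remote Start IP to {src.network_address} "
                f"and Local Start IP to {dst.network_address}")
    if not findings:
        findings.append(f"no line in {acl_name} covers {dl_remote[0]}/{dl_remote[1]} "
                        f"<-> {dl_local[0]}/{dl_local[1]}")
    return findings


REQUIRED_STATIC = ("set peer", "set transform-set", "match address")


def check_static_crypto_maps(config: str) -> Dict[str, List[str]]:
    """Required sub-commands each static 'crypto map NAME SEQ ipsec-isakmp' entry
    lacks; IOS marks such entries '! Incomplete' in show run. Dynamic-map
    references ('... ipsec-isakmp dynamic X') are skipped."""
    missing: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            missing[current] = list(REQUIRED_STATIC)
        elif current and not line.startswith(" "):
            current = None
        elif current:
            for cmd in REQUIRED_STATIC:
                if line.strip().startswith(cmd) and cmd in missing[current]:
                    missing[current].remove(cmd)
    return {k: v for k, v in missing.items() if v}


if __name__ == "__main__":
    for msg in check_phase2_selectors(CISCO_CONFIG, "WGCLUBNET", DLINK_POLICY):
        print("phase 2:", msg)
    for entry, cmds in check_static_crypto_maps(CISCO_CONFIG).items():
        print(f"crypto map {entry} is incomplete, missing: {', '.join(cmds)}")
```

Run as-is it reports the thread's mismatch (192.168.11.1/255.255.255.0 versus 192.168.11.0/24) and the missing set peer; change the two start addresses to .0 in DLINK_POLICY and the selector check returns an empty list. The comparison is deliberately exact rather than "contained in", because that is the behaviour the "invalid IPv4 proxy IDs" line in the Cisco debug reflects.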
>[overquoting removed]
> message from x.x.30.214[500].No phase2 handle found.
> Mon Oct 10 08:19:13 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new
> phase 2 negotiation: x.x.54.66[500]<=>x.x.30.214[0]
> Mon Oct 10 08:20:04 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify
> message from x.x.30.214[500].No phase2 handle found.
> Mon Oct 10 08:21:03 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Phase 2
> negotiation failed due to time up. 7a71f16e02d182e4:c7b75d7981d40948:93ef365d
> Mon Oct 10 08:21:03 2016 (GMT +0000): [DSR-1000] [IKE] INFO: an undead
> schedule has been deleted: 'quick_i1prep'.
>
Here is your problem:
*Oct 10 07:52:38.537: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct 10 07:52:38.537: ISAKMP:(2004): IPSec policy invalidated proposal with error 32
*Oct 10 07:52:38.537: ISAKMP:(2004): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)
which means the ACL for interesting traffic does not match on both ends.
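Added example (Python, not part of the thread): a small triage script that reads the Cisco debug output and the DSR-1000 IKE log quoted above and turns the telltale lines into a verdict. It encodes the reading this reply gives: "atts are acceptable" after "Checking IPSec proposal" means the transform set matched, so the rejection that follows ("invalid IPv4 proxy IDs", then PROPOSAL_NOT_CHOSEN) points at the traffic selectors rather than the algorithms, and the D-Link logs that notify only as "Unknown notify message", so the reason is never visible on its side. The sample lines are a constructed subset of the logs posted above; the rule table and the fact names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed subset of the Cisco 'debug crypto isakmp' / 'debug crypto ipsec'
# output and the DSR-1000 IKE log quoted in the thread (not a full capture).
CISCO_DEBUG = """\
*Oct 10 07:52:36.557: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 10 07:52:37.501: ISAKMP:(2004):SA has been authenticated with x.x.54.66
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Oct 10 07:52:38.537: ISAKMP:(2004):Checking IPSec proposal 1
*Oct 10 07:52:38.537: ISAKMP: transform 1, ESP_DES
*Oct 10 07:52:38.537: ISAKMP:(2004):atts are acceptable.
*Oct 10 07:52:38.537: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct 10 07:52:38.537: ISAKMP:(2004): IPSec policy invalidated proposal with error 32
*Oct 10 07:52:38.537: ISAKMP:(2004): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)
*Oct 10 07:52:38.537: ISAKMP:(2004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Oct 10 07:52:48.557: ISAKMP:(2004): retransmitting due to retransmit phase 2
"""

DLINK_LOG = """\
Mon Oct 10 08:19:12 2016 (GMT +0000): [DSR-1000] [IKE] INFO: ISAKMP-SA established for x.x.54.66[500]-x.x.30.214[500] with spi:7a71f16e02d182e4:c7b75d7981d40948
Mon Oct 10 08:19:13 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify message from x.x.30.214[500].No phase2 handle found.
Mon Oct 10 08:21:03 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Phase 2 negotiation failed due to time up. 7a71f16e02d182e4:c7b75d7981d40948:93ef365d
"""

# (pattern, fact, prerequisite fact). A line establishes a fact only once its
# prerequisite has been seen; that keeps the phase 1 "atts are acceptable"
# line from being mistaken for the phase 2 transform-set acceptance.
Rule = Tuple[str, str, Optional[str]]
CISCO_RULES: List[Rule] = [
    (r"SA has been authenticated with \S+", "p1_authenticated", None),
    (r"New State = IKE_P1_COMPLETE", "p1_complete", None),
    (r"Checking IPSec proposal \d+", "p2_proposal_received", None),
    (r"atts are acceptable", "p2_transform_accepted", "p2_proposal_received"),
    (r"invalid IPv4 proxy IDs", "p2_proxy_id_mismatch", "p2_proposal_received"),
    (r"Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3", "p2_rejected_by_cisco", None),
    (r"retransmitting due to retransmit phase 2", "peer_retrying_p2", None),
]
DLINK_RULES: List[Rule] = [
    (r"ISAKMP-SA established for", "p1_complete", None),
    (r"Unknown notify message from .*No phase2 handle found", "p2_unhandled_notify", None),
    (r"Phase 2 negotiation failed due to time up", "p2_timeout", None),
]


def extract_facts(log: str, rules: List[Rule]) -> Dict[str, str]:
    """Map each established fact to the first log line that proves it."""
    facts: Dict[str, str] = {}
    for line in log.splitlines():
        for pattern, fact, needs in rules:
            if fact in facts or (needs and needs not in facts):
                continue
            if re.search(pattern, line):
                facts[fact] = line.strip()
    return facts


def diagnose(cisco_debug: str, dlink_log: str) -> Dict[str, str]:
    """Combine both sides' evidence into a verdict with a concrete next step."""
    c = extract_facts(cisco_debug, CISCO_RULES)
    d = extract_facts(dlink_log, DLINK_RULES)
    verdict = {"phase1": "unknown", "phase2": "unknown",
               "next_step": "collect debug crypto isakmp/ipsec on the Cisco"}
    if "p1_complete" in c or "p1_complete" in d:
        verdict["phase1"] = "ok"  # PSK, DH group and phase 1 algorithms agreed
    if "p2_proxy_id_mismatch" in c:
        verdict["phase2"] = "rejected by Cisco: proxy IDs do not match the crypto ACL"
        if "p2_transform_accepted" in c:
            verdict["next_step"] = ("leave the transform set alone (it was accepted); compare the "
                                    "peer's local/remote subnets with the crypto ACL, host bits included")
        else:
            verdict["next_step"] = "check both the transform set and the crypto ACL"
    elif "p2_rejected_by_cisco" in c:
        verdict["phase2"] = "rejected by Cisco (PROPOSAL_NOT_CHOSEN), reason not in this excerpt"
        verdict["next_step"] = "enable 'debug crypto ipsec' to see why the proposal was refused"
    elif "p2_timeout" in d:
        verdict["phase2"] = "timed out on the D-Link; only unhandled notifies came back from the Cisco"
    # The D-Link logs Cisco's PROPOSAL_NOT_CHOSEN only as an unknown notify, so the
    # phase 2 reason has to be read on the Cisco side.
    verdict["dlink_saw_rejection"] = "yes" if "p2_unhandled_notify" in d else "no"
    return verdict


if __name__ == "__main__":
    for key, value in diagnose(CISCO_DEBUG, DLINK_LOG).items():
        print(f"{key}: {value}")
```

Paste a full debug session into CISCO_DEBUG and the prerequisite column does the work: the phase 1 "atts are acceptable" line is ignored until "Checking IPSec proposal" has been seen, and a run that never reaches IKE_P1_COMPLETE leaves phase1 at "unknown" so the phase 2 rules are not even consulted.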