Hi all! I can't get an IPsec tunnel up between a Cisco 2900 and Linux CentOS 6. On the Linux side, libreswan handles IPsec. Configs on the Cisco side:
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 10.0.64.16
 set transform-set TS
 match address CRYPTOACL
interface Loopback10
 ip address 10.0.165.1 255.255.255.0
interface GigabitEthernet0/0.248
 encapsulation dot1Q 248
 ip address 10.0.248.15 255.255.255.0
 crypto map CRYPTOMAP
ip access-list extended CRYPTOACL
 permit ip 10.0.165.0 0.0.0.255 10.0.164.0 0.0.0.255

On the libreswan side:
conn mysubnet
    also=odetun
    leftsubnet=10.0.164.0/24
    rightsubnet=10.0.165.0/24

conn odetun
    authby=secret
    auto=start
    type=tunnel
    left=10.0.64.16
    right=10.0.248.15
    keyexchange=ike
    phase2alg=aes128-sha1
    remote_peer_type=cisco
    phase2=esp

cisco output:
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.248.15     10.0.64.16      QM_IDLE           1275 ACTIVE

cisco: show crypto ipsec sa
interface: GigabitEthernet0/0.248
    Crypto map tag: CRYPTOMAP, local addr 10.0.248.15

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.165.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.164.0/255.255.255.0/0/0)
   current_peer 10.0.64.16 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.248.15, remote crypto endpt.: 10.0.64.16
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.248
     current outbound spi: 0xC927068D(3374777997)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0xC65A7222(3327816226)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5015, flow_id: Onboard VPN:3015, sibling_flags 80000040, crypto map: CRYPTOMAP
        sa timing: remaining key lifetime (k/sec): (4608000/3588)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC927068D(3374777997)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5016, flow_id: Onboard VPN:3016, sibling_flags 80000040, crypto map: CRYPTOMAP
        sa timing: remaining key lifetime (k/sec): (4608000/3588)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
Traffic does not flow.
Log from pluto.log...
Dec 13 10:01:11: "odetun" #3: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Dec 13 10:01:11: "odetun" #3: starting keying attempt 2 of an unlimited number
Dec 13 10:01:11: "odetun" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #3 {using isakmp#2 msgid:ebf991c9 proposal=AES(12)_128-SHA1(2)_000 pfsgroup=OAKLEY_GROUP_MODP1024}
Dec 13 10:01:11: deleting state #3 (STATE_QUICK_I1)
Dec 13 10:01:11: "mysubnet" #2: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=28
Dec 13 10:01:11: | ISAKMP Notification Payload
Dec 13 10:01:11: | 00 00 00 1c 00 00 00 01 03 04 00 0e
Dec 13 10:01:11: "mysubnet" #2: received and ignored informational message
....
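As an added example (not from this thread and not part of libreswan), here is a small Python triage helper that parses pluto.log lines in the format shown in the post above and summarizes, per connection, Quick Mode retransmission timeouts, the last keying attempt number, the Phase 2 proposals and PFS group that were sent, and any NO_PROPOSAL_CHOSEN notifies received. The sample log is constructed to match the excerpt; the line regexes and the mapping of libreswan's OAKLEY_GROUP_MODP names to numeric DH groups (MODP1024 is group 2, as Cisco prints it) are assumptions about the log format, not a libreswan API.

```python
"""Triage helper for libreswan pluto.log Quick Mode failures (added example)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto.log excerpt posted in the thread;
# timestamps, state numbers and message text are illustrative, not a real capture.
SAMPLE_LOG = """\
Dec 13 10:01:11: "odetun" #3: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Dec 13 10:01:11: "odetun" #3: starting keying attempt 2 of an unlimited number
Dec 13 10:01:11: "odetun" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #3 {using isakmp#2 msgid:ebf991c9 proposal=AES(12)_128-SHA1(2)_000 pfsgroup=OAKLEY_GROUP_MODP1024}
Dec 13 10:01:11: deleting state #3 (STATE_QUICK_I1)
Dec 13 10:01:11: "mysubnet" #2: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=28
Dec 13 10:01:11: | ISAKMP Notification Payload
Dec 13 10:01:11: | 00 00 00 1c 00 00 00 01 03 04 00 0e
Dec 13 10:01:11: "mysubnet" #2: received and ignored informational message
"""

# Assumed shape of a pluto.log line that carries a connection name and state number:
#   <Mon DD HH:MM:SS>: "<conn>" #<state>: <message>
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
RETRANS_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (STATE_\w+)")
ATTEMPT_RE = re.compile(r"starting keying attempt (\d+)")
# e.g. proposal=AES(12)_128-SHA1(2)_000 pfsgroup=OAKLEY_GROUP_MODP1024
PROPOSAL_RE = re.compile(
    r"proposal=(?P<enc>[A-Z0-9]+)\(\d+\)_(?P<keylen>\d+)-(?P<integ>[A-Z0-9]+)\(\d+\)_\d+"
    r"(?: pfsgroup=(?P<pfs>\w+))?"
)

# libreswan's DH group names -> numeric IKE group number (what Cisco prints as "groupN")
DH_GROUPS = {
    "OAKLEY_GROUP_MODP1024": 2,
    "OAKLEY_GROUP_MODP1536": 5,
    "OAKLEY_GROUP_MODP2048": 14,
}


def parse_line(line):
    """Return {ts, conn, state, msg} for a connection-tagged line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["state"] = int(ev["state"])
    return ev


def _new_record():
    return {"quick_mode_timeouts": 0, "last_keying_attempt": 0,
            "proposals": [], "no_proposal_chosen": 0}


def triage(log_text):
    """Summarize Phase 2 negotiation events per connection name."""
    summary = defaultdict(_new_record)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:          # debug/hex-dump lines carry no conn tag; skip them
            continue
        rec = summary[ev["conn"]]
        msg = ev["msg"]
        m = RETRANS_RE.search(msg)
        if m and m.group(2).startswith("STATE_QUICK"):
            rec["quick_mode_timeouts"] += 1
        m = ATTEMPT_RE.search(msg)
        if m:
            rec["last_keying_attempt"] = int(m.group(1))
        m = PROPOSAL_RE.search(msg)
        if m and "initiating Quick Mode" in msg:
            pfs = m.group("pfs")
            rec["proposals"].append({
                "enc": m.group("enc"), "keylen": int(m.group("keylen")),
                "integ": m.group("integ"), "pfs": pfs,
                "dh_group": DH_GROUPS.get(pfs),
            })
        if "NO_PROPOSAL_CHOSEN" in msg:
            rec["no_proposal_chosen"] += 1
    return dict(summary)


def phase2_rejected(summary):
    """Connections whose Quick Mode timed out or drew a NO_PROPOSAL_CHOSEN notify."""
    return sorted(conn for conn, rec in summary.items()
                  if rec["quick_mode_timeouts"] or rec["no_proposal_chosen"])


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    result = triage(text)
    for conn, rec in result.items():
        print(conn, rec)
    print("phase 2 rejected:", phase2_rejected(result))
```

Feed it a real file with `python3 triage.py < /var/log/pluto.log`; with no stdin it runs on the constructed sample. The enc/keylen/integ and dh_group it reports for each conn are exactly the values to line up against the Cisco transform-set and the `PFS (Y/N)` / `DH group` line of `show crypto ipsec sa`, which is where an IKEv1 Quick Mode NO_PROPOSAL_CHOSEN is usually resolved.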
Anyway, I solved this problem! I removed libreswan, installed ipsec-tools (a.k.a. racoon) and got it up on GRE tunnels on the first try.
> Anyway, I solved this problem! I removed libreswan, installed ipsec-tools (a.k.a. racoon) and got it up
> on GRE tunnels on the first try.

If it's not too much trouble, post the configs it worked with here; the comrades are interested.