"cisco-2811 + ipsec using keys"
Forum: CISCO routers and other equipment (VPN, VLAN, tunnel)

Message from dct (??) on 28-Mar-11, 20:36
Hi all!

I needed to set up a Cisco as an IPsec gateway for several remote devices.

The device in question is an access point whose only VPN option is IPsec, and because of its specifics it does not understand preshared keys, only RSA certificates.

With preshared keys I could still have figured it out; with certificates I cannot work out the order of configuration.

Network layout:

WAN IP addresses
Cisco: FE/0.5 - 10.154.0.1/24
AP: 10.154.0.2/24

LAN addresses
cisco: 192.168.168.0/24
AP: 192.168.169.0/24


What I have managed to do.

Created my own self-signed CA on the cisco.
Exported the root CA and imported it onto the access point.
Generated a request on the access point, imported it into the cisco, accepted it, and loaded the signed certificate back onto the access point. The AP accepted the certificate.
Created a certificate on the cisco and signed it with the same cisco CA.

the AP sees the root certificate:
ID: CA-0
Issuer name: /CN=ortr
Subject: /NC=ortr

and the certificate signed by the cisco:
ID: 1
Issuer name: /CN=ortr
Subject: /NC=ap1
Serial number: 03
Expiry: xxxxxxx


Set the following IPsec parameters on the access point:

VPN settings:
local wan: 10.154.0.2
remote gw: 10.154.0.1
remote subnet: 192.168.168.0/24

Auto key settings:
perfect forward security: no
AH Auth: md5
ESP type: ESP with authentication
ESP encryption: ESP
ESP Authentication: MD5

IKE settings:
Mode: Main mode
Local ID: FQDN, ap1.local
Remote ID: FQDN, zero.local
IKE Authentication: RSA Certificates
IKE Encryption: 3DES
Diffie-Hellman group: group2


Put a computer behind the access point; when it pings IP 192.168.168.1, I can see the AP trying to reach the cisco and bring up the tunnel.

By analogy with the preshared-key case I made the following IPsec configuration on the cisco:

Building configuration...

Current configuration : 9284 bytes
!
! Last configuration change at 21:03:51 AsEkat Mon Mar 28 2011 by admino
! NVRAM config last updated at 21:03:52 AsEkat Mon Mar 28 2011 by admino
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname zero
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
clock timezone AsEkat 5
clock calendar-valid
ip subnet-zero
!
!
ip cef
!
!
ip domain name local
ip host zero 10.154.0.1
ip name-server 10.154.0.100
ip ssh rsa keypair-name zerossh
!
pseudowire-class aux
! Incomplete config
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki server ortr
!
crypto pki trustpoint ortr
revocation-check crl
rsakeypair ortr
!
crypto pki trustpoint zerortr
enrollment terminal pem
revocation-check crl
rsakeypair zerortr 1024 1024
!
crypto pki trustpoint TP-self-signed-1860382650
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1860382650
revocation-check none
rsakeypair TP-self-signed-1860382650
!
crypto pki trustpoint imzero
enrollment terminal pem
revocation-check crl
!
crypto pki trustpoint zero
enrollment url http://zero.local:80
serial-number
revocation-check crl
!
!
crypto pki certificate chain ortr
certificate ca 01
  C93E006B 3A7166AF DF706AD8 56218064 B2B0BFBE 89914E66 568B7746 A98E5D3D
.....skip
E48197E0 40
  quit
crypto pki certificate chain zerortr
crypto pki certificate chain TP-self-signed-1860382650
certificate self-signed 01
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38363033
....skip
  3C94E9B0 822E8688 452B41FD DA
  quit
crypto pki certificate chain imzero
crypto pki certificate chain zero
certificate 02
  BED0D502 03010001 A34F304D 300B0603 551D0F04 04030205 A0301F06 03551D23
.....skip
  AFC4C89F 7813A593 95341FB1
  quit
  certificate ca 01
699CE787 2ED313B1 02030100 01A36330 61300F06 03551D13 0101FF04 05300301
.....skip
E48197E0 40
  quit

!
!
!
crypto isakmp policy 10
encr 3des
group 2
lifetime 3600
!
crypto isakmp client configuration group company
dns 10.154.0.100
pool company
!
crypto isakmp peer address 10.154.0.2
description ap1
!
!
crypto ipsec transform-set gw5 ah-sha-hmac esp-3des esp-md5-hmac
crypto ipsec transform-set gwap ah-md5-hmac esp-3des
mode transport
!
crypto dynamic-map OMAP 1
set security-association idle-time 600
set transform-set gwap
!
!
crypto map core_map 65535 ipsec-isakmp dynamic OMAP
!
crypto map vpns local-address FastEthernet0/0.5
crypto map vpns client configuration address respond
crypto map vpns 1 ipsec-isakmp
description ap1
set peer 10.154.0.2
set transform-set gwap
match address 111
!
!        
!
!
interface Tunnel0
description ap1
ip address 192.168.255.2 255.255.255.252
ip virtual-reassembly
tunnel source 10.154.0.1
tunnel destination 10.154.0.2
crypto map vpns
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 10.10.10.1 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/0.5
encapsulation dot1Q 5
ip address 10.154.0.1 255.255.255.0
ip access-group 140 in
ip access-group 140 out
ip virtual-reassembly
no snmp trap link-status
crypto map vpns
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
description $ES_LAN$
ip address 192.168.168.1 255.255.255.0
!
interface Async0/2/0
no ip address
!
ip local pool company 192.168.100.10 192.168.100.20
ip classless
ip route 192.168.169.0 255.255.255.0 Tunnel0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.154.0.0 0.0.0.255
access-list 102 permit ip 192.168.168.0 0.0.0.255 192.168.169.0 0.0.0.255
access-list 102 permit ip 192.168.169.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 111 permit gre host 10.154.0.2 any
access-list 111 permit gre any host 10.154.0.2
access-list 111 permit gre host 10.154.0.1 any
access-list 140 permit ip any any
!
!        
!
!
control-plane
!
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/3/0
!
voice-port 0/3/1
!
voice-port 0/3/2
!
voice-port 0/3/3
!
!
!
!
!
!
!
!
line con 0
login local
line aux 0
line 0/2/0
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 10.154.0.10
!
end


With debug crypto ipsec and debug crypto isakmp I get these logs:


Mar 28 16:43:03.003: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.154.0.1, remote= 10.154.0.2,
    local_proxy= 0.0.0.0/0.0.0.0/47/0 (type=4),
    remote_proxy= 10.154.0.2/255.255.255.255/47/0 (type=1),
    protocol= AH, transform= ah-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x594D64F7(1498244343), conn_id= 0, keysize= 0, flags= 0x400E
Mar 28 16:43:03.003: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.154.0.1, remote= 10.154.0.2,
    local_proxy= 0.0.0.0/0.0.0.0/47/0 (type=4),
    remote_proxy= 10.154.0.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xFAD1FA9B(4208065179), conn_id= 0, keysize= 0, flags= 0x400E
Mar 28 16:43:03.003: ISAKMP: received ke message (1/2)
Mar 28 16:43:03.003: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Mar 28 16:43:03.003: ISAKMP: Created a peer struct for 10.154.0.2, peer port 500
Mar 28 16:43:03.003: ISAKMP: New peer created peer = 0x47115454 peer_handle = 0x80000005
Mar 28 16:43:03.003: ISAKMP: Locking peer struct 0x47115454, IKE refcount 1 for isakmp_initiator
Mar 28 16:43:03.003: ISAKMP:(0:0:N/A:0):Setting client config settings 471039D4
Mar 28 16:43:03.003: ISAKMP: local port 500, remote port 500
Mar 28 16:43:03.007: ISAKMP: set new node 0 to QM_IDLE      
Mar 28 16:43:03.007: insert sa successfully sa = 469BCFE0
Mar 28 16:43:03.007: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Mar 28 16:43:03.007: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.154.0.2 in default
Mar 28 16:43:03.007: ISAKMP:(0:0:N/A:0):No pre-shared key with 10.154.0.2!
Mar 28 16:43:03.007: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Mar 28 16:43:03.007: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Mar 28 16:43:03.007: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Mar 28 16:43:03.007: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 28 16:43:03.007: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

Mar 28 16:43:03.007: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Mar 28 16:43:03.007: ISAKMP:(0:0:N/A:0): sending packet to 10.154.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 28 16:43:03.011: ISAKMP (0:0): received packet from 10.154.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
Mar 28 16:43:03.011: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 28 16:43:03.011: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Mar 28 16:43:03.011: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Mar 28 16:43:03.011: ISAKMP : Scanning profiles for xauth ...
Mar 28 16:43:03.011: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Mar 28 16:43:03.011: ISAKMP:      encryption 3DES-CBC
Mar 28 16:43:03.011: ISAKMP:      hash SHA
Mar 28 16:43:03.011: ISAKMP:      default group 2
Mar 28 16:43:03.011: ISAKMP:      auth RSA sig
Mar 28 16:43:03.011: ISAKMP:      life type in seconds
Mar 28 16:43:03.011: ISAKMP:      life duration (basic) of 3600
Mar 28 16:43:03.011: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Mar 28 16:43:03.051: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 28 16:43:03.051: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

Mar 28 16:43:03.051: ISAKMP (0:134217729): constructing CERT_REQ for issuer cn=ortr
Mar 28 16:43:03.051: ISAKMP:(0:1:SW:1): sending packet to 10.154.0.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
Mar 28 16:43:03.051: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 28 16:43:03.055: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

Mar 28 16:43:03.255: ISAKMP (0:134217729): received packet from 10.154.0.2 dport 500 sport 500 Global (I) MM_SA_SETUP
Mar 28 16:43:03.255: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 28 16:43:03.255: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

Mar 28 16:43:03.255: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
Mar 28 16:43:03.303: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
Mar 28 16:43:03.303: ISAKMP:(0:1:SW:1):SKEYID state generated
Mar 28 16:43:03.303: ISAKMP:(0:1:SW:1): processing CERT_REQ payload. message ID = 0
Mar 28 16:43:03.303: ISAKMP:(0:1:SW:1): peer wants a CT_X509_SIGNATURE cert
Mar 28 16:43:03.303: ISAKMP:(0:1:SW:1): peer want cert issued by
Mar 28 16:43:03.303: ISAKMP:(0:1:SW:1): Choosing trustpoint zero as issuer
Mar 28 16:43:03.303: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 28 16:43:03.303: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

Mar 28 16:43:03.307: ISAKMP:(0:1:SW:1):Send initial contact
Mar 28 16:43:03.307: ISAKMP:(0:1:SW:1):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar 28 16:43:03.307: ISAKMP:(0:1:SW:1):Using FQDN as My ID
Mar 28 16:43:03.307: ISAKMP:(0:1:SW:1):SA is doing RSA signature authentication using id type ID_FQDN
Mar 28 16:43:03.307: ISAKMP (0:134217729): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : zero.local
        protocol     : 17
        port         : 500
        length       : 25
Mar 28 16:43:03.307: ISAKMP:(0:1:SW:1):Total payload length: 25
Mar 28 16:43:03.311: ISAKMP (0:134217729): constructing CERT payload for serialNumber=6EE32FBA+hostname=zero.local
Mar 28 16:43:03.311: ISAKMP:(0:1:SW:1): using the zero trustpoint's keypair to sign
Mar 28 16:43:03.343: ISAKMP:(0:1:SW:1): sending packet to 10.154.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 28 16:43:03.343: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 28 16:43:03.343: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

Mar 28 16:43:03.583: ISAKMP (0:134217729): received packet from 10.154.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar 28 16:43:03.587: ISAKMP: set new node -1598174787 to QM_IDLE      
Mar 28 16:43:03.587: ISAKMP (0:134217729): received packet from 10.154.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar 28 16:43:03.587: ISAKMP (0:134217729): received packet from 10.154.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar 28 16:43:03.587: ISAKMP (0:134217729): received packet from 10.154.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar 28 16:43:03.587: ISAKMP (0:134217729): received packet from 10.154.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar 28 16:43:03.587: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 10.154.0.2 to 10.154.0.1.....
Success rate is 0 percent (0/5)
zero#
Mar 28 16:43:13.343: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Mar 28 16:43:13.343: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 28 16:43:13.343: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Mar 28 16:43:13.343: ISAKMP:(0:1:SW:1): sending packet to 10.154.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 28 16:43:23.343: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Mar 28 16:43:23.343: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 28 16:43:23.343: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Mar 28 16:43:23.343: ISAKMP:(0:1:SW:1): sending packet to 10.154.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 28 16:43:32.999: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.154.0.1, remote= 10.154.0.2,
    local_proxy= 0.0.0.0/0.0.0.0/47/0 (type=4),
    remote_proxy= 10.154.0.2/255.255.255.255/47/0 (type=1)
Mar 28 16:43:32.999: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.154.0.1, remote= 10.154.0.2,
    local_proxy= 0.0.0.0/0.0.0.0/47/0 (type=4),
    remote_proxy= 10.154.0.2/255.255.255.255/47/0 (type=1),
    protocol= AH, transform= ah-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x4746FB42(1195834178), conn_id= 0, keysize= 0, flags= 0x400E
Mar 28 16:43:32.999: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.154.0.1, remote= 10.154.0.2,
    local_proxy= 0.0.0.0/0.0.0.0/47/0 (type=4),
    remote_proxy= 10.154.0.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xDAE6F950(3672570192), conn_id= 0, keysize= 0, flags= 0x400E
Mar 28 16:43:32.999: ISAKMP: received ke message (1/2)
Mar 28 16:43:32.999: ISAKMP: set new node 0 to QM_IDLE      
Mar 28 16:43:32.999: ISAKMP:(0:1:SW:1):SA is still budding. Attached new ipsec request to it. (local 10.154.0.1, remote 10.154.0.2)
Mar 28 16:43:33.343: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Mar 28 16:43:33.343: ISAKMP (0:134217729): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar 28 16:43:33.343: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Mar 28 16:43:33.343: ISAKMP:(0:1:SW:1): sending packet to 10.154.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 28 16:43:43.343: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Mar 28 16:43:43.343: ISAKMP (0:134217729): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 28 16:43:43.343: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Mar 28 16:43:43.343: ISAKMP:(0:1:SW:1): sending packet to 10.154.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 28 16:43:53.343: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Mar 28 16:43:53.343: ISAKMP (0:134217729): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 28 16:43:53.343: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Mar 28 16:43:53.343: ISAKMP:(0:1:SW:1): sending packet to 10.154.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 28 16:44:02.999: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.154.0.1, remote= 10.154.0.2,
    local_proxy= 0.0.0.0/0.0.0.0/47/0 (type=4),
    remote_proxy= 10.154.0.2/255.255.255.255/47/0 (type=1)
Mar 28 16:44:02.999: ISAKMP: received ke message (3/1)
Mar 28 16:44:02.999: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

Mar 28 16:44:02.999: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 10.154.0.2)
Mar 28 16:44:02.999: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 10.154.0.2)
Mar 28 16:44:02.999: ISAKMP: Unlocking IKE struct 0x47115454 for isadb_mark_sa_deleted(), count 0
Mar 28 16:44:02.999: ISAKMP: Deleting peer node by peer_reap for 10.154.0.2: 47115454
Mar 28 16:44:02.999: ISAKMP:(0:1:SW:1):deleting node -1232125865 error FALSE reason "IKE deleted"
Mar 28 16:44:02.999: ISAKMP:(0:1:SW:1):deleting node -1598174787 error FALSE reason "IKE deleted"
Mar 28 16:44:02.999: ISAKMP:(0:1:SW:1):deleting node -90026410 error FALSE reason "IKE deleted"
Mar 28 16:44:02.999: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 28 16:44:02.999: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_DEST_SA

Mar 28 16:44:03.003: IPSEC(key_engine): got a queue event with 1 kei messages
Mar 28 16:44:52.999: ISAKMP:(0:1:SW:1):purging node -1232125865
Mar 28 16:44:52.999: ISAKMP:(0:1:SW:1):purging node -1598174787
Mar 28 16:44:52.999: ISAKMP:(0:1:SW:1):purging node -90026410
Mar 28 16:45:02.999: ISAKMP:(0:1:SW:1):purging SA., sa=469BCFE0, delme=469BCFE0

The logs on the access point are sparser:
Mar 28 16:42:54 localhost  id=firewall time="2011-03-28 16:42:54" fw=AP-51xx pri=5 proto=17(udp) src=10.154.0.2 dst=10.154.0.1 vpn=tunnel type=1 mid= 4017 mtp= 20 msg=IKE Init Cookie:1d663f9095050fe9& Resp Cookie: 2c15d567896f4140Started phas-I negotiation  agent=iSecure 1.0  
Mar 28 16:42:55 localhost  id=firewall time="2011-03-28 16:42:55" fw=AP-51xx pri=5 proto=17(udp) src=10.154.0.2 dst=10.154.0.1 vpn=tunnel type=1 mid= 4020 mtp= 20 msg=IKE Init Cookie:1d663f9095050fe9& Resp Cookie: 2c15d567896f4140Sending phase-I notify INVALID_CERTIFICATE agent=iSecure 1.0  
Mar 28 16:42:55 localhost  id=firewall time="2011-03-28 16:42:55" fw=AP-51xx pri=5 proto=17(udp) src=10.154.0.2 dst=10.154.0.1 vpn=tunnel type=1 mid= 4017 mtp= 20 msg=IKE Init Cookie:1d663f9095050fe9& Resp Cookie: 2c15d567896f4140Phase-I negotiation failed  agent=iSecure 1.0  
Mar 28 16:42:55 localhost  id=firewall time="2011-03-28 16:42:55" fw=AP-51xx pri=5 proto=17(udp) src=10.154.0.2 dst=10.154.0.1 vpn=tunnel type=1 mid= 4001 mtp= 20 msg=IKE Init Cookie:1d663f9095050fe9& Resp Cookie: 2c15d567896f4140Deleting the IsakmpSA  agent=iSecure 1.0


That's about it.
Can anyone suggest something?



1. "cisco-2811 + ipsec using keys"
Message from dct (??) on 31-Mar-11, 18:37

Thanks for being there!
At least I have someone to complain to... ;)

Anyway, I decided to move away from RSA for now, to make sure that at least something works for me. It turns out it doesn't work very well.

With preshared keys, phase 1 completed successfully for me.

---------------cut---

Mar 31 14:41:00.563: ISAKMP: Trying to insert a peer 10.154.0.1/10.154.0.2/500/,  and inserted successfully 46583508.
Mar 31 14:41:00.563: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 31 14:41:00.563: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6

Mar 31 14:41:00.563: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 31 14:41:00.563: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6

Mar 31 14:41:00.567: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 31 14:41:00.567: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Mar 31 14:41:00.567: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of -1088245112
Mar 31 14:41:00.567: ISAKMP:(0:1:SW:1): sending packet to 10.154.0.2 my_port 500 peer_port 500 (I) QM_IDLE      
Mar 31 14:41:00.567: ISAKMP:(0:1:SW:1):Node -1088245112, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 31 14:41:00.567: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Mar 31 14:41:00.571: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 31 14:41:00.571: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

---cut-----------


But then the logs show the following picture. Where should I dig:


Mar 31 14:41:10.567: ISAKMP:(0:1:SW:1): retransmitting phase 2 QM_IDLE       -1088245112 ...
Mar 31 14:41:10.567: ISAKMP (0:134217729): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Mar 31 14:41:10.567: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Mar 31 14:41:10.567: ISAKMP:(0:1:SW:1): retransmitting phase 2 -1088245112 QM_IDLE      
Mar 31 14:41:10.567: ISAKMP:(0:1:SW:1): sending packet to 10.154.0.2 my_port 500 peer_port 500 (I) QM_IDLE      
Mar 31 14:41:20.567: ISAKMP:(0:1:SW:1): retransmitting phase 2 QM_IDLE       -1088245112 ...
Mar 31 14:41:20.567: ISAKMP (0:134217729): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Mar 31 14:41:20.567: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Mar 31 14:41:20.567: ISAKMP:(0:1:SW:1): retransmitting phase 2 -1088245112 QM_IDLE      
Mar 31 14:41:20.567: ISAKMP:(0:1:SW:1): sending packet to 10.154.0.2 my_port 500 peer_port 500 (I) QM_IDLE      
Mar 31 14:41:30.019: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.154.0.1, remote= 10.154.0.2,
    local_proxy= 0.0.0.0/0.0.0.0/47/0 (type=4),
    remote_proxy= 10.154.0.2/255.255.255.255/47/0 (type=1)
Mar 31 14:41:30.019: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.154.0.1, remote= 10.154.0.2,
    local_proxy= 0.0.0.0/0.0.0.0/47/0 (type=4),
    remote_proxy= 10.154.0.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xBD26EBD3(3173444563), conn_id= 0, keysize= 0, flags= 0x400E
Mar 31 14:41:30.019: ISAKMP: received ke message (1/1)
Mar 31 14:41:30.019: ISAKMP: set new node 0 to QM_IDLE      
Mar 31 14:41:30.019: ISAKMP:(0:1:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE      )
Mar 31 14:41:30.019: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 100587362
Mar 31 14:41:30.023: ISAKMP:(0:1:SW:1): sending packet to 10.154.0.2 my_port 500 peer_port 500 (I) QM_IDLE      
Mar 31 14:41:30.023: ISAKMP:(0:1:SW:1):Node 100587362, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 31 14:41:30.023: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Mar 31 14:41:30.567: ISAKMP:(0:1:SW:1): retransmitting phase 2 QM_IDLE       -1088245112 ...
Mar 31 14:41:30.567: ISAKMP (0:134217729): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
Mar 31 14:41:30.567: ISAKMP (0:134217729): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2

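Both posts in this thread end the same way: the router retransmits and the poster asks where to dig. In the first post phase 1 stalls in MM_KEY_EXCH while the access point reports sending INVALID_CERTIFICATE; in the second, phase 1 completes with a preshared key but quick mode never gets an answer. The following Python script is an added example, not Cisco's code and not the poster's: it parses lines like the `debug crypto isakmp` / `debug crypto ipsec` output and the AP's key=value syslog lines above into a short triage report, so the stall point and the peer's stated reason are read off instead of scrolled for. The sample log lines are a constructed subset of the lines posted in the thread; the finding codes (P1_STALL, P2_STALL, PEER_REJECTED_CERT, SA_DELETED) and the hint texts are this example's own.

```python
"""Triage helper for Cisco IOS IKEv1 debug output plus the peer's IKE log.

Added example for this thread, not Cisco or OpenNET code: it reads lines like
those from `debug crypto isakmp` / `debug crypto ipsec` on the router and the
key=value syslog lines the access point emits, then reports where the
negotiation stalled and what each side said. Sample inputs below are a
constructed subset of the lines posted in the thread.
"""
import re

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of \d+: retransmit phase (\d)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')
IDTYPE_RE = re.compile(r"authentication using id type (\S+)")
ISSUER_RE = re.compile(r"Choosing trustpoint (\S+) as issuer")
CERT_RE = re.compile(r"constructing CERT payload for (\S+)")
AP_NOTIFY_RE = re.compile(r"notify ([A-Z_]+)")

# Informational lines worth surfacing: neither is an error by itself.
SYMPTOMS = {
    "No pre-shared key": "no PSK configured for the peer (expected with rsa-sig)",
    "Addr not in Cert": "IPv4 ID fell back to FQDN because the cert carries no IP",
}


def parse_ios(text):
    """Collect state transitions, retransmit counters and certificate details."""
    r = {"transitions": [], "last_state": None, "phase1_complete": False,
         "max_attempt": {}, "delete_reasons": [], "id_type": None,
         "issuer_trustpoint": None, "cert_subject": None, "symptoms": []}
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            old, new = m.groups()
            if old != new:                      # IOS also logs self-transitions
                r["transitions"].append((old, new))
            r["last_state"] = new
            r["phase1_complete"] |= new == "IKE_P1_COMPLETE"
        if m := ATTEMPT_RE.search(line):
            attempt, phase = int(m.group(1)), int(m.group(2))
            r["max_attempt"][phase] = max(r["max_attempt"].get(phase, 0), attempt)
        if (m := DELETE_RE.search(line)) and m.group(1) not in r["delete_reasons"]:
            r["delete_reasons"].append(m.group(1))
        if m := IDTYPE_RE.search(line):
            r["id_type"] = m.group(1)
        if m := ISSUER_RE.search(line):
            r["issuer_trustpoint"] = m.group(1)
        if m := CERT_RE.search(line):
            r["cert_subject"] = m.group(1)
        for needle, hint in SYMPTOMS.items():
            if needle in line and hint not in r["symptoms"]:
                r["symptoms"].append(hint)
    return r


def parse_ap_notifies(text):
    """Return the IKE notify names the access point reports sending."""
    return [m.group(1) for line in text.splitlines()
            if (m := AP_NOTIFY_RE.search(line))]


def diagnose(ios, ap_notifies=()):
    """Return (code, detail) findings; codes are stable for scripting."""
    findings = []
    p1, p2 = ios["max_attempt"].get(1), ios["max_attempt"].get(2)
    if not ios["phase1_complete"] and p1:
        findings.append(("P1_STALL", f"phase 1 never completed after {p1} "
                         f"retransmits; last state {ios['last_state']}"))
    if ios["phase1_complete"] and p2:
        findings.append(("P2_STALL", f"quick mode got no reply after {p2} "
                         "retransmits: compare proxy IDs and transform sets"))
    if "INVALID_CERTIFICATE" in ap_notifies:
        findings.append(("PEER_REJECTED_CERT",
                         f"peer rejected the cert from trustpoint "
                         f"{ios['issuer_trustpoint']} ({ios['cert_subject']}) "
                         f"sent with ID type {ios['id_type']}"))
    for reason in ios["delete_reasons"]:
        findings.append(("SA_DELETED", reason))
    return findings


# Constructed subset of the router debug from the first post (RSA-sig attempt).
CISCO_LOG = """\
Mar 28 16:43:03.007: ISAKMP:(0:0:N/A:0):No pre-shared key with 10.154.0.2!
Mar 28 16:43:03.007: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
Mar 28 16:43:03.011: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Mar 28 16:43:03.055: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
Mar 28 16:43:03.255: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
Mar 28 16:43:03.303: ISAKMP:(0:1:SW:1): Choosing trustpoint zero as issuer
Mar 28 16:43:03.307: ISAKMP:(0:1:SW:1):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar 28 16:43:03.307: ISAKMP:(0:1:SW:1):SA is doing RSA signature authentication using id type ID_FQDN
Mar 28 16:43:03.311: ISAKMP (0:134217729): constructing CERT payload for serialNumber=6EE32FBA+hostname=zero.local
Mar 28 16:43:03.343: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
Mar 28 16:43:13.343: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 28 16:43:23.343: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 28 16:44:02.999: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 10.154.0.2)
Mar 28 16:44:02.999: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_DEST_SA
"""

# Constructed subset of the access point's syslog from the first post.
AP_LOG = """\
Mar 28 16:42:55 localhost  id=firewall time="2011-03-28 16:42:55" fw=AP-51xx pri=5 proto=17(udp) src=10.154.0.2 dst=10.154.0.1 vpn=tunnel type=1 mid= 4020 mtp= 20 msg=IKE Init Cookie:1d663f9095050fe9& Resp Cookie: 2c15d567896f4140Sending phase-I notify INVALID_CERTIFICATE agent=iSecure 1.0
"""

# Constructed subset of the second post (preshared key, phase 2 retransmits).
PSK_LOG = """\
Mar 31 14:41:00.567: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Mar 31 14:41:00.567: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Mar 31 14:41:10.567: ISAKMP (0:134217729): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Mar 31 14:41:20.567: ISAKMP (0:134217729): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
"""

if __name__ == "__main__":
    for code, detail in diagnose(parse_ios(CISCO_LOG), parse_ap_notifies(AP_LOG)):
        print(f"{code}: {detail}")
```

Run as-is it reports the first post's situation (P1_STALL, PEER_REJECTED_CERT, SA_DELETED); passing PSK_LOG to parse_ios and diagnose yields P2_STALL instead. The hints are kept deliberately descriptive: an INVALID_CERTIFICATE notify from the peer means it could not validate the certificate the router presented from trustpoint zero with the FQDN identity, so the next thing to inspect is the peer's view of that chain rather than the retransmit counters, and a phase 2 stall after a clean phase 1 is a mismatch question for the two sides' proxy IDs and transform sets.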
