Posts by jeka64


  1. I already tried specifying it; the error still appears. If only I could see what the ASA is comparing against what, I would adjust all the values to what is needed.

    Here is the latest Cisco ASA config:

    DC-CiscoASA# sh run
    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname DC-CiscoASA
    domain-name k.local
    enable password 2Z/DI1w9CvF4qzMC encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    
    !
    interface GigabitEthernet0/0
    description LAN
    nameif inside
    security-level 100
    ip address zzz.zzz.0.110 255.255.0.0
    !
    interface GigabitEthernet0/1
    description VLAN604
    nameif VLAN604
    security-level 0
    ip address xxx.xxx.xxx40 255.255.255.0
    !
    interface GigabitEthernet0/2
    description VPN
    shutdown
    nameif vpn
    security-level 0
    no ip address
    !
    interface GigabitEthernet0/3
    nameif K
    security-level 0
    ip address 192.168.4.10 255.255.255.0
    !
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    !
    interface GigabitEthernet1/0
    shutdown
    nameif test
    security-level 0
    no ip address
    !
    interface GigabitEthernet1/1
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    banner login                           ----------------------------
    banner login                                  .            .
    banner login                                  |            |
    banner login                                 |||          |||
    banner login                               .|| ||.      .|| ||.
    banner login                            .:||| | |||:..:||| | |||:.
    banner login                             C i s c o  S y s t e m s
    banner login                           ----------------------------
    banner motd                           ----------------------------
    banner motd                                  .            .
    banner motd                                  |            |
    banner motd                                 |||          |||
    banner motd                               .|| ||.      .|| ||.
    banner motd                            .:||| | |||:..:||| | |||:.
    banner motd                             C i s c o  S y s t e m s
    banner motd                           ----------------------------
    boot system disk0:/asa821-k8.bin
    boot system disk0:/asa724-k8.bin
    ftp mode passive
    clock timezone MSK/MSD 3
    clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server dc-dc
    name-server dc-data
    domain-name k.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit ip any any
    access-list vpn_access_in extended permit ip any any inactive
    access-list inside_nat0_outbound extended permit ip any any
    access-list VLAN604_nat0_outbound extended permit ip any any
    access-list Test_access_in extended permit ip any any
    access-list Test_nat0_outbound extended permit ip any any
    access-list test_access_in extended permit ip any any
    access-list K_access_in extended permit ip any any
    access-list test_nat0_outbound extended permit ip any any
    access-list asd standard permit zzz.zzz.0.0 255.255.0.0
    access-list VLAN604_cryptomap_1 extended permit ip zzz.zzz.0.0 255.255.0.0 yyy.yyy.yyy.0 255.255.252.0
    pager lines 24
    logging enable
    logging timestamp
    logging standby
    logging asdm-buffer-size 512
    logging trap informational
    logging asdm informational
    logging host inside zzz.zzz.2.2
    logging host inside dc-test1
    flow-export destination inside dc-netmgm 9996
    flow-export destination inside dc-orion 9996
    flow-export destination inside dc-test1 9996
    flow-export template timeout-rate 1
    mtu inside 1500
    mtu VLAN604 1500
    mtu vpn 1500
    mtu management 1500
    mtu test 1500
    mtu K 1500
    ip local pool vpn_pool ***.***.251.1-***.***.251.31 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    nat (inside) 0 access-list inside_nat0_outbound
    nat (VLAN604) 0 access-list VLAN604_nat0_outbound
    nat (test) 0 access-list test_nat0_outbound
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface VLAN604
    access-group vpn_access_in in interface vpn
    access-group test_access_in in interface test
    access-group K_access_in in interface K
    route inside 0.0.0.0 0.0.0.0 zzz.zzz.0.1 1
    route VLAN604 yyy.yyy.yyy.0 255.255.252.0 xxx.xxx.xxx.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server LDAP_SRV_GRP protocol ldap
    aaa-server LDAP_SRV_GRP (inside) host dc-dc
    ldap-base-dn DC=k,DC=local
    ldap-group-base-dn DC=k,DC=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *
    ldap-login-dn cn=backup_account,CN=users,DC=k,DC=local
    server-type microsoft
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authorization command LOCAL
    http server enable
    http zzz.zzz.0.0 255.255.0.0 inside
    http Management 255.255.255.0 management
    snmp-server host inside dc-orion community public version 2c
    snmp-server host inside dc-test1 community public version 2c
    snmp-server host inside zzz.zzz.2.2 community public version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map VLAN604_map 1 match address VLAN604_cryptomap_1
    crypto map VLAN604_map 1 set peer xxx.xxx.xxx.9
    crypto map VLAN604_map 1 set transform-set ESP-DES-MD5
    crypto map VLAN604_map 1 set security-association lifetime kilobytes 1000
    crypto map VLAN604_map 1 set nat-t-disable
    crypto map VLAN604_map interface VLAN604
    crypto ca trustpoint Trust
    enrollment self
    serial-number
    crl configure
    crypto ca certificate chain Trust
    certificate 31
        308201f0 30820159 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
        3e313c30 12060355 0405130b 4a4d5831 3234354c 31524e30 2606092a 864886f7
        0d010902 16194443 2d436973 636f4153 412e6b7a 67726f75 702e6c6f 63616c30
        1e170d30 39303531 39313431 3130345a 170d3139 30353137 31343131 30345a30
        3e313c30 12060355 0405130b 4a4d5831 3234354c 31524e30 2606092a 864886f7
        0d010902 16194443 2d436973 636f4153 412e6b7a 67726f75 702e6c6f 63616c30
        819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 e8fe0c34
        f0e33107 2bacce53 e2431f1e d92c5e5c 294f98e9 6ed539b3 3eaf8d66 b76e38d6
        df9293ea ead799fd c0fb3e7d fbc34c81 76c8a913 6969c120 1997820a 1c1eea94
        4c1c6a3f 21ffee19 3a69c481 c7067ef6 5de5ff3a 75c38128 1aaab56e 52984a0a
        e02b5c5d a0663b72 73d63260 7d31c776 4ec9873e 443a0730 abe34c6d 02030100
        01300d06 092a8648 86f70d01 01040500 03818100 9d0a5cae 7c45a07f 42a67d59
        60dfb82f 68df08cf d189f7be b98209ac d2b57f0c 1bd76ffe 1161ad01 8bae1507
        9d7c0fb6 43f4102b 2961b8b0 77926012 9273298f 4b05efc6 c2f88b70 688ed72e
        4aa82e26 65bb736b 06164f59 d95384a8 f3b47b46 802a13fc 001a3f54 866f3ff2
        978cc80c 4fd31f22 e03f3018 4c103e5f 23ec6294
      quit
    crypto isakmp identity key-id 12
    crypto isakmp enable inside
    crypto isakmp enable VLAN604
    crypto isakmp enable test
    crypto isakmp policy 5
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 28800
    no crypto isakmp nat-traversal
    telnet zzz.zzz.0.0 255.255.0.0 inside
    telnet xxx.xxx.xxx.0 255.255.255.0 VLAN604
    telnet timeout 15
    ssh zzz.zzz.0.0 255.255.0.0 inside
    ssh timeout 30
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server dc-dc source inside
    ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
    ssl trust-point Trust inside
    webvpn
    enable inside
    svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
    svc enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy VPN_GroupPolicy internal
    group-policy VPN_GroupPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy Remote_access internal
    group-policy Remote_access attributes
    vpn-tunnel-protocol IPSec
    group-policy clientgroup internal
    group-policy clientgroup attributes
    wins-server value zzz.zzz.0.20 zzz.zzz.0.22
    dns-server value zzz.zzz.0.20 zzz.zzz.0.22
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value asd
    webvpn
      svc keep-installer installed
      svc rekey time 30
      svc rekey method ssl
      svc ask none default webvpn
    username admin password 1xxNlg5266fTgQa2 encrypted privilege 15
    username nikiforov password XZjHQCraVDdhT63R encrypted privilege 15
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key *
    tunnel-group sslgroup type remote-access
    tunnel-group sslgroup general-attributes
    address-pool vpn_pool
    authentication-server-group LDAP_SRV_GRP
    default-group-policy clientgroup
    tunnel-group sslgroup webvpn-attributes
    group-alias k.local enable
    tunnel-group xxx.xxx.xxx.9 type ipsec-l2l
    tunnel-group xxx.xxx.xxx.9 ipsec-attributes
    pre-shared-key *
    peer-id-validate nocheck
    isakmp keepalive disable
    tunnel-group-map default-group VPN_Tunnel
    !
    class-map global-class
    match any
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 4096
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ipsec-pass-thru
    class global-class
      flow-export event-type all destination dc-test1 dc-netmgm dc-orion
    !
    service-policy global_policy global
    privilege show level 4 mode exec command running-config
    privilege show level 3 mode exec command asdm
    privilege show level 4 mode configure command asdm
    prompt hostname context
    Cryptochecksum:6ff7f2d50d97139581cb2b46c2685baf
    : end

    and the Allied Telesis:

    # IPSEC configuration
    create ipsec sas=1 key=isakmp prot=esp enc=des hasha=md5
    create ipsec bund=1 key=isakmp string="1" expiryk=1000
    create ipsec pol="OZC" int=eth0 ac=ipsec key=isakmp bund=1 peer=xxx.xxx.xxx.40
    set ipsec pol="OZC" lad=yyy.yyy.yyy.0 lma=255.255.252.0 rad=zzz.zzz.0.0 rma=255.255.0.0
    create ipsec pol="INTERNET" int=eth0 ac=permit
    
    # ISAKMP configuration
    create isakmp pol="OZC" pe=xxx.xxx.xxx.40 has=md5 key=2
    set isakmp pol="OZC" expiryk=1000 expirys=28800 gro=2

  2. I removed the lifetime on both the Cisco and the Telesis. That doesn't help either.

    Allied Telesis log (I don't know how to get a more detailed log):

    26 14:36:33 3 ISAK IKMP  XCHG  Exchange 14635: MAIN Phase 1 [resp] started with  peer xxx.xxx.xxx.40 local xxx.xxx.xxx.9 Cookie_I 1edd065ae7405cef Cookie_R 2c653ac0fa9a9877
    26 14:36:33 3 ISAK IKMP  XCHG  Exchange 14635: No proposal chosen
    26 14:36:33 3 ISAK IKMP  XCHG  Exchange 14635: Failed. 
    
    and so on

    Cisco log:

    Jun 26 14:38:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jun 26 14:38:06 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jun 26 14:38:10 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    
    Jun 26 14:38:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jun 26 14:38:11 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jun 26 14:38:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jun 26 14:38:16 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jun 26 14:38:18 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE MM Initiator FSM error history (struct &0x2501ba60)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
    Jun 26 14:38:18 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA MM:1c0e7432 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
    Jun 26 14:38:18 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, sending delete/delete with reason message
    Jun 26 14:38:18 [IKEv1]: IP = xxx.xxx.xxx.9, Removing peer from peer table failed, no match!
    Jun 26 14:38:18 [IKEv1]: IP = xxx.xxx.xxx.9, Error: Unable to remove PeerTblEntry
    Jun 26 14:38:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jun 26 14:38:21 [IKEv1]: IP = xxx.xxx.xxx.9, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.9  local Proxy Address 172.16.0.0, remote Proxy Address 172.17.16.0,  Crypto map (VLAN604_map)
    Jun 26 14:38:21 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ISAKMP SA payload
    Jun 26 14:38:21 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Fragmentation VID + extended capabilities payload
    Jun 26 14:38:21 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    
    Jun 26 14:38:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jun 26 14:38:26 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jun 26 14:38:29 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    
    Jun 26 14:38:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jun 26 14:38:31 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    
    Jun 26 14:38:34 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
    Jun 26 14:38:34 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing SA payload
    Jun 26 14:38:34 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Jun 26 14:38:34 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Jun 26 14:38:34 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96
    
    Jun 26 14:38:34 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, All SA proposals found unacceptable
    Jun 26 14:38:34 [IKEv1]: IP = xxx.xxx.xxx.9, Error processing payload: Payload ID: 1
    Jun 26 14:38:34 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE MM Responder FSM error history (struct &0x276cf3b8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
    Jun 26 14:38:34 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA MM:3e2f8ebd terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Jun 26 14:38:34 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, sending delete/delete with reason message
    Jun 26 14:38:34 [IKEv1]: IP = xxx.xxx.xxx.9, Removing peer from peer table failed, no match!
    Jun 26 14:38:34 [IKEv1]: IP = xxx.xxx.xxx.9, Error: Unable to remove PeerTblEntry
    Jun 26 14:38:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jun 26 14:38:36 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jun 26 14:38:37 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    
    Jun 26 14:38:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jun 26 14:38:41 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jun 26 14:38:45 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    
    Jun 26 14:38:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jun 26 14:38:46 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jun 26 14:38:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jun 26 14:38:51 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jun 26 14:38:53 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE MM Initiator FSM error history (struct &0x2501ba60)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
    Jun 26 14:38:53 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA MM:5a06dd1e terminating:  flags 0x01000022, refcnt 0, tuncnt 0
    Jun 26 14:38:53 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, sending delete/delete with reason message
    Jun 26 14:38:53 [IKEv1]: IP = xxx.xxx.xxx.9, Removing peer from peer table failed, no match!
    Jun 26 14:38:53 [IKEv1]: IP = xxx.xxx.xxx.9, Error: Unable to remove PeerTblEntry
    Jun 26 14:38:55 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    
    Jun 26 14:38:56 [IKEv1]: IP = xxx.xxx.xxx.9, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.9  local Proxy Address 172.16.0.0, remote Proxy Address 172.17.16.0,  Crypto map (VLAN604_map)
    Jun 26 14:38:56 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ISAKMP SA payload
    Jun 26 14:38:56 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Fragmentation VID + extended capabilities payload
    Jun 26 14:38:56 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

  3. >> crypto isakmp policy 5

    Are there any other policies before 5? Keep in mind that policies are tried in order until a matching one is found.

    No. I have only one.

    >> tunnel-group DefaultL2LGroup ipsec-attributes

    And why are you putting it into the default group? That is needed when the remote device has a dynamic address, and judging by the config, that is not the case for the AT. Bind the group to the AT's address, roughly like this:

    tunnel-g 2.2.2.2 type ipsec-l2l

    tunnel-group 2.2.2.2 ipsec-attr

    pre-shared-key ххх

    I bound the group, but nothing changed. Here is the full debug.

     

    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing SA payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Oakley proposal is acceptable
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing IKE SA payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ISAKMP SA payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Fragmentation VID + extended capabilities payload
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
    
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ke payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ISA_KE payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing nonce payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ke payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing nonce payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Cisco Unity VID payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing xauth V6 VID payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send IOS VID
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing VID payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Generating keys for Responder...
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing ID payload
    Jun 26 12:25:50 [IKEv1 DECODE]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, ID_IPV4_ADDR ID received xxx.xxx.xxx.9
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing hash payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing ID payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing hash payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing dpd vid payload
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 82
    
    Jun 26 12:25:50 [IKEv1]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, PHASE 1 COMPLETED
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Keep-alive type for this connection: None
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Keep-alives configured on but peer does not support keep-alives (type = None)
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Starting P1 rekey timer: 450 seconds.
    
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing SA payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Oakley proposal is acceptable
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing IKE SA payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ISAKMP SA payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Fragmentation VID + extended capabilities payload
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
    
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ke payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ISA_KE payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing nonce payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ke payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing nonce payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Cisco Unity VID payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing xauth V6 VID payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send IOS VID
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing VID payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Generating keys for Responder...
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing ID payload
    Jun 26 12:25:50 [IKEv1 DECODE]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, ID_IPV4_ADDR ID received xxx.xxx.xxx.9
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing hash payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing ID payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing hash payload
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing dpd vid payload
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 82
    
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Peer negotiated phase 1 rekey
    Jun 26 12:25:50 [IKEv1]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, PHASE 1 COMPLETED
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Keep-alive type for this connection: None
    Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Keep-alives configured on but peer does not support keep-alives (type = None)
    Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Starting P1 rekey timer: 450 seconds.
    
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing SA payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Oakley proposal is acceptable
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing IKE SA payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ISAKMP SA payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Fragmentation VID + extended capabilities payload
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
    
    
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ke payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ISA_KE payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing nonce payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ke payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing nonce payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Cisco Unity VID payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing xauth V6 VID payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send IOS VID
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing VID payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Generating keys for Responder...
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    
    
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing ID payload
    Jun 26 12:25:52 [IKEv1 DECODE]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, ID_IPV4_ADDR ID received xxx.xxx.xxx.9
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing hash payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing ID payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing hash payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing dpd vid payload
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 82
    
    Jun 26 12:25:52 [IKEv1]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Failure during phase 1 rekeying attempt due to collision
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, IKE MM Responder FSM error history (struct &0x270be1b0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_SND_MSG6_H, EV_SND_MSG_OK-->MM_SND_MSG6_H, EV_SND_MSG-->MM_SND_MSG6, EV_SND_MSG-->MM_BLD_MSG6, EV_ENCRYPT_OK-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ENCRYPT_MSG-->MM_BLD_MSG6, EV_CHECK_IA
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, IKE SA MM:ce335734 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, sending delete/delete with reason message
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing blank hash payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing IKE delete payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing qm hash payload
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=63fcec81) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing SA payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Oakley proposal is acceptable
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing IKE SA payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ISAKMP SA payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Fragmentation VID + extended capabilities payload
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
    
    
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ke payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ISA_KE payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing nonce payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ke payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing nonce payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Cisco Unity VID payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing xauth V6 VID payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send IOS VID
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing VID payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Generating keys for Responder...
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing ID payload
    Jun 26 12:25:52 [IKEv1 DECODE]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, ID_IPV4_ADDR ID received xxx.xxx.xxx.9
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing hash payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing ID payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing hash payload
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
    Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing dpd vid payload
    Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 82

  4. Hello!

    Here is my problem. There is an Allied Telesyn AR770S and a Cisco ASA 5550, and a VPN needs to be built between them.

    AR770S config:

    # IPSEC configuration 
    create ipsec sas=1 key=isakmp prot=esp enc=des hasha=md5 
    create ipsec bund=1 key=isakmp string="1" 
    create ipsec pol="OZC" int=eth0 ac=ipsec key=isakmp bund=1 peer=xxx.xxx.xxx.40 
    set ipsec pol="OZC" lad=yyy.yyy.16.0 lma=255.255.252.0 rad=zzz.zzz.0.0 rma=255.255.0.0 
    create ipsec pol="INTERNET" int=eth0 ac=permit 
    enable ipsec 
    
    # ISAKMP configuration 
    create isakmp pol="OZC" pe=xxx.xxx.xxx.40 key=3 authtype=preshared
    set isakmp pol="OZC" expirys=600
    create enko key=3 type=general value=12 
    enable isakmp 
    
    sh enco key=3 
    
    0x3132 
    12 
    IP Address: 
    -

    ASA 5550 config:

    access-list VLAN604_cryptomap_1 extended permit ip zzz.zzz.0.0 255.255.0.0 yyy.yyy.16.0 255.255.252.0 
    
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    
    crypto map VLAN604_map 1 match address VLAN604_cryptomap_1 
    crypto map VLAN604_map 1 set peer xxx.xxx.xxx.9 
    crypto map VLAN604_map 1 set transform-set ESP-DES-MD5 
    crypto map VLAN604_map 1 set security-association lifetime seconds 600 
    crypto map VLAN604_map 1 set nat-t-disable 
    crypto map VLAN604_map interface VLAN604 
    
    crypto isakmp identity key-id 12 
    crypto isakmp enable VLAN604 
    
    crypto isakmp policy 5 
    authentication pre-share 
    encryption des 
    hash md5 
    group 1 
    lifetime 600 
    no crypto isakmp nat-traversal
    
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key *

    debug on the ASA 5550:

    Jun 24 08:47:28 [IKEv1]: Group = DefaultL2LGroup, IP = xxx.xxx.xxx.9, Removing peer from peer table failed, no match! 
    Jun 24 08:47:28 [IKEv1]: Group = DefaultL2LGroup, IP = xxx.xxx.xxx.9, Error: Unable to remove PeerTblEntry

    debug on the AR770S:

    24 08:45:47 3 ISAK IKMP XCHG Exchange 12593: MAIN Phase 1 [init] started with peer xxx.xxx.xxx.40 local xxx.xxx.xxx.9 Cookie_I c957d0e70f4e1b89 Cookie_R 000000000000000 
    24 08:45:47 3 ISAK IKMP XCHG Exchange 12593: Invalid id information 
    24 08:45:47 3 ISAK IKMP XCHG Exchange 12593: Failed.

    The VPN between the ASA5550 and a Cisco851 works perfectly, but between the ASA5550 and the AR770S it will not come up at all. Please help me figure it out.

    Judging by the logs, they cannot get through phase 1.

    sh isakmp sa detail 
    
    SA Id ................................. 2 
      Initiator Cookie .................... 54dbfd5ff9e4ae22 
      Responder Cookie .................... 0000000000000000 
      DOI ................................. IPSEC 
      Policy name ......................... OZC 
      State ............................... DOING_PHASE1 
      Local address ....................... xxx.xxx.xxx.9 
      Remote Address ...................... xxx.xxx.xxx.40 
      Remote Port ......................... 500 
      Time of establishment ............... **-***-****:**:**:** 
      Commit bit set ...................... FALSE 
      Send notifies ....................... FALSE 
      Send deletes ........................ FALSE 
      Always send ID ...................... FALSE 
      Message Retry Limit ................. 8 
      Initial Message Retry Timeout (s) ... 4 
      Message Back-off .................... Incremental 
      Exchange Delete Delay (s) ........... 30 
      Do Xauth ............................ FALSE 
        Xauth Finished .................... TRUE 
      Expiry Limit (bytes) ................ 0 
      Soft Expiry Limit (bytes) ........... 0 
      Bytes seen .......................... 0 
      Expiry Limit (seconds) .............. 0 
      Soft Expiry Limit (seconds) ......... 0 
      Seconds since creation .............. 0 
      Number of Phase 2 exchanges allowed . 4294967294 
      Number of acquires queued ........... 1 
    
    Sa Definition Information: 
      Authentication Type ................. INVALID 
      Encryption Algorithm ................ INVALID 
      Hash Algorithm ...................... INVALID 
      group Type .......................... INVALID 
      group Description ................... MODP512 
      DH Private Exponent Bits ............ 160 
      expiry seconds ...................... 0 
      expiry kilobytes .................... 0 
    
    XAuth Information: 
      Id .................................. 0 
      Next Message ........................ UNKNOWN 
      Status .............................. FAIL 
      Type ................................ Generic 
      Max Failed Attempts.................. 0 
      Failed Attempts...................... 0 
    
    NAT-Traversal Information: 
      NAT-T enabled ....................... NO 
      Peer NAT-T capable .................. NO 
      NAT discovered ...................... UNKNOWN 
    
    Heartbeat Information: 
      Send Heartbeats ..................... NO 
      Next sequence number tx ............. 1 
      Receive Heartbeats .................. NO 
      Last sequence number rx ............. 0

    And one more thing that is unclear.

    sh crypto isakmp sa detail
    
       Active SA: 1
       Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    
    1   IKE Peer: xxx.xxx.xxx.9
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2
        Encrypt : aes-256         Hash    : SHA
        Auth    : preshared       Lifetime: 0

    Why aes-256? After all, des is what is configured.
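The ASA debug in this post, and the longer IKEv1 debug excerpt at the top of the page, are easier to read once each IKE_DECODE line is reduced to the main-mode step it represents and the error lines are pulled out. The following is an added example, not code from the thread, from Cisco or from Allied Telesis. It assumes the ASA 8.2 debug line format shown above; the sample logs are condensed from the thread's output with the masked peer replaced by the documentation address 198.51.100.9.

```python
"""Added example (not part of the forum thread and not vendor code): a parser
for Cisco ASA IKEv1 debug lines that reconstructs the main-mode message
sequence and collects the error lines, so the point where phase 1 breaks is
visible without reading every DEBUG line."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, condensed from the thread's ASA debug; the masked peer
# address is replaced with the documentation address 198.51.100.9.
SAMPLE_LOG = """\
Jun 26 12:25:52 [IKEv1]: IP = 198.51.100.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = 198.51.100.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Jun 26 12:25:52 [IKEv1]: IP = 198.51.100.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Jun 26 12:25:52 [IKEv1]: IP = 198.51.100.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
Jun 26 12:25:52 [IKEv1]: IP = 198.51.100.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Jun 26 12:25:52 [IKEv1]: IP = 198.51.100.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 26 12:25:52 [IKEv1 DECODE]: Group = 198.51.100.9, IP = 198.51.100.9, ID_IPV4_ADDR ID received 198.51.100.9
Jun 26 12:25:52 [IKEv1]: IP = 198.51.100.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 82
Jun 26 12:25:52 [IKEv1]: Group = 198.51.100.9, IP = 198.51.100.9, Failure during phase 1 rekeying attempt due to collision
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = 198.51.100.9, IP = 198.51.100.9, IKE MM Responder FSM error history (struct &0x270be1b0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_SND_MSG6_H
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = 198.51.100.9, IP = 198.51.100.9, IKE SA MM:ce335734 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jun 26 12:25:52 [IKEv1]: IP = 198.51.100.9, IKE_DECODE SENDING Message (msgid=63fcec81) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
"""

# Constructed sample from the thread's second ASA debug: errors, no exchange.
SAMPLE_LOG_NO_EXCHANGE = """\
Jun 24 08:47:28 [IKEv1]: Group = DefaultL2LGroup, IP = 198.51.100.9, Removing peer from peer table failed, no match!
Jun 24 08:47:28 [IKEv1]: Group = DefaultL2LGroup, IP = 198.51.100.9, Error: Unable to remove PeerTblEntry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[IKEv1(?: (?P<level>\w+))?\]: "
    r"(?:Group = (?P<group>\S+), )?IP = (?P<ip>\S+), (?P<msg>.*)$"
)
DECODE_RE = re.compile(
    r"IKE_DECODE (?P<way>RECEIVED|SENDING) Message \(msgid=(?P<msgid>[0-9a-f]+)\) "
    r"with payloads : (?P<payloads>.+?) total length : (?P<length>\d+)"
)
POLICY_RE = re.compile(r"Matches global IKE entry # (?P<entry>\d+)")
# Substrings that mark a line as worth surfacing when phase 1 does not complete.
ERROR_MARKERS = ("Failure", "error history", "Error:", "failed", "terminating")


@dataclass
class IkeMessage:
    direction: str           # "in" (RECEIVED) or "out" (SENDING)
    msgid: str               # "0" for main mode, non-zero for informational
    payloads: List[str]      # payload names without HDR and NONE
    length: int
    mm_step: Optional[int]   # 1..6 for main mode, None otherwise


@dataclass
class Phase1Summary:
    peer: Optional[str] = None
    messages: List[IkeMessage] = field(default_factory=list)
    matched_policy: Optional[int] = None
    errors: List[str] = field(default_factory=list)


def main_mode_step(direction: str, payloads: List[str], msgid: str,
                   role: str = "responder") -> Optional[int]:
    """Map a msgid=0 message to its main-mode number from its first payload:
    SA -> MM1/MM2, KE -> MM3/MM4, ID -> MM5/MM6.  A responder receives the odd
    messages; an initiator sends them."""
    if msgid != "0" or not payloads:
        return None
    base = {"SA": 1, "KE": 3, "ID": 5}.get(payloads[0])
    if base is None:
        return None
    odd_direction = "in" if role == "responder" else "out"
    return base if direction == odd_direction else base + 1


def parse_payloads(text: str) -> List[str]:
    """'HDR + SA (1) + VENDOR (13) + NONE (0)' -> ['SA', 'VENDOR']"""
    names = [part.split(" ")[0] for part in text.split(" + ")]
    return [n for n in names if n not in ("HDR", "NONE")]


def parse_asa_ikev1(log: str, role: str = "responder") -> Phase1Summary:
    """Walk the debug lines once, recording decoded messages, the matched
    isakmp policy entry and any line carrying an error marker."""
    summary = Phase1Summary()
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        summary.peer = summary.peer or m["ip"]
        msg = m["msg"]
        d = DECODE_RE.match(msg)
        if d:
            direction = "in" if d["way"] == "RECEIVED" else "out"
            payloads = parse_payloads(d["payloads"])
            summary.messages.append(IkeMessage(
                direction, d["msgid"], payloads, int(d["length"]),
                main_mode_step(direction, payloads, d["msgid"], role)))
            continue
        p = POLICY_RE.search(msg)
        if p:
            summary.matched_policy = int(p["entry"])
        if any(marker in msg for marker in ERROR_MARKERS):
            summary.errors.append(msg)
    return summary


def phase1_completed(summary: Phase1Summary) -> bool:
    """Phase 1 counts as complete only if MM1..MM6 were all seen and no error
    line followed; the thread's debug reaches MM6 and then reports a failure."""
    steps = {m.mm_step for m in summary.messages if m.mm_step is not None}
    return steps == {1, 2, 3, 4, 5, 6} and not summary.errors


if __name__ == "__main__":
    for name, log in (("collision", SAMPLE_LOG), ("no exchange", SAMPLE_LOG_NO_EXCHANGE)):
        s = parse_asa_ikev1(log)
        print(f"[{name}] peer={s.peer} policy entry={s.matched_policy} "
              f"steps={[m.mm_step for m in s.messages]} complete={phase1_completed(s)}")
        for err in s.errors:
            print("   !", err)
```

Run as-is it prints one summary per sample: the first reaches MM6 on the ASA side and then shows the failure, delete and termination lines; the second never decodes any exchange and yields only the two peer-table errors. Pass `role="initiator"` when the ASA is the initiating side (the `sh crypto isakmp sa detail` output at the end of this post shows that role), so that sent messages are numbered odd.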