на телефоне iphone )
debug ikev2 включен но там везде пасс
ASR-1001-OFFICE#sh debug
General OS:
AAA Authorization debugging is on
IOSXE Conditional Debug Configs:
Conditional Debug Global State: Stop
Radius protocol debugging is on
Radius packet protocol debugging is on
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
IKEV2:
IKEv2 error debugging is on
IKEv2 default debugging is on
PKI:
verbose debug output debugging is on
вот полные логи:
032985: Jan 31 18:21:40: IKEv2:Received Packet [From xxxxxxxx:512/To yyyyyyyy:500/VRF i0:f0]
Initiator SPI : 23A9F58A5DEE618E - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(REDIRECT_SUPPORTED) NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)
032986: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Verify SA init message
032987: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Insert SA
032988: Jan 31 18:21:40: IKEv2:Searching Policy with fvrf 0, local address yyyyyyyy
032989: Jan 31 18:21:40: IKEv2:Found Policy 'VPN'
032990: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Processing IKE_SA_INIT message
032991: Jan 31 18:21:40: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
032992: Jan 31 18:21:40: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
032993: Jan 31 18:21:40: IKEv2:Failed to retrieve Certificate Issuer list
032994: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
032995: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Request queued for computation of DH key
032996: Jan 31 18:21:40: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
032997: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
032998: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Request queued for computation of DH secret
032999: Jan 31 18:21:40: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
033000: Jan 31 18:21:40: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
033001: Jan 31 18:21:40: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
033002: Jan 31 18:21:40: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
033003: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Generating IKE_SA_INIT message
033004: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
033005: Jan 31 18:21:40: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
033006: Jan 31 18:21:40: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
033007: Jan 31 18:21:40: IKEv2:Failed to retrieve Certificate Issuer list
033008: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Sending Packet [To xxxxxxxx:512/From yyyyyyyy:500/VRF i0:f0]
Initiator SPI : 23A9F58A5DEE618E - Responder SPI : 2F530865CE1CF8B6 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
033009: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Completed SA init exchange
033010: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Starting timer (30 sec) to wait for auth message
033011: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Received Packet [From xxxxxxxx:5079/To yyyyyyyy:500/VRF i0:f0]
Initiator SPI : 23A9F58A5DEE618E - Responder SPI : 2F530865CE1CF8B6 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi NOTIFY(INITIAL_CONTACT) IDr AUTH CFG NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) SA TSi TSr NOTIFY(Unknown - 16396)
033012: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Stopping timer to wait for auth message
033013: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Checking NAT discovery
033014: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):NAT OUTSIDE found
033015: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):NAT detected float to init port 5079, resp port 4500
033016: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Searching policy based on peer's identity 'aaaaa@bbbb.ru' of type 'RFC822 address'
033017: Jan 31 18:21:40: IKEv2:found matching IKEv2 profile 'VPN'
033018: Jan 31 18:21:40: ISAKMP: (0):peer matches VPN profile
033019: Jan 31 18:21:40: IKEv2:% Getting preshared key from profile keyring VPN
033020: Jan 31 18:21:40: IKEv2:% Matched peer block 'all'
033021: Jan 31 18:21:40: IKEv2:Searching Policy with fvrf 0, local address yyyyyyyy
033022: Jan 31 18:21:40: IKEv2:Found Policy 'VPN'
033023: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Verify peer's policy
033024: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Peer's policy verified
033025: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Get peer's authentication method
033026: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Peer's authentication method is 'PSK'
033027: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Get peer's preshared key for aaaaa@bbbb.ru
033028: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Verify peer's authentication data
033029: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Use preshared key for id aaaaa@bbbb.ru, key len 10
033030: Jan 31 18:21:40: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
033031: Jan 31 18:21:40: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
033032: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Verification of peer's authenctication data PASSED
033033: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Processing INITIAL_CONTACT
033034: Jan 31 18:21:40: IKEv2:Using mlist IKEv2 and username VPN for group author request
033035: Jan 31 18:21:40: AAA/BIND(00000575): Bind i/f
033036: Jan 31 18:21:40: AAA/AUTHOR (0x575): Pick method list 'IKEv2'
033037: Jan 31 18:21:40: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
033038: Jan 31 18:21:40: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
033039: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Received valid config mode data
033040: Jan 31 18:21:40: IKEv2:Config data recieved:
033041: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Config-type: Config-request
033042: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-addr, length: 0
033043: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-netmask, length: 0
033044: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0
033045: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-dns, length: 0
033046: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv6-addr, length: 0
033047: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0
033048: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv6-dns, length: 0
033049: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0
033050: Jan 31 18:21:40: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
033051: Jan 31 18:21:40: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
033052: Jan 31 18:21:40: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
033053: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Set received config mode data
033054: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Processing IKE_AUTH message
033055: Jan 31 18:21:40: IKEv2:% DVTI create request sent for profile VPN with PSH index 1.
033056: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):
033057: Jan 31 18:21:40: IPSEC(key_engine): got a queue event with 1 KMI message(s)
033058: Jan 31 18:21:40: Cannot find crypto swsb : in crypto_ipsec_notify_isakmp_delete (), 604
033059: Jan 31 18:21:40: Cannot find crypto swsb : in crypto_ipsec_notify_isakmp_delete (), 604
033060: Jan 31 18:21:40: ISAKMP-ERROR: (0):ignoring request to send delete notify (no ISAKMP sa) src yyyyyyyy dst xxxxxxxx for SPI 0x0
033061: Jan 31 18:21:41: IKEv2-ERROR:: Negotiation context locked currently in use
033062: Jan 31 18:21:43: IKEv2-ERROR:: Negotiation context locked currently in use
033064: Jan 31 18:21:47: IKEv2-ERROR:: Negotiation context locked currently in use
033065: Jan 31 18:21:55: IKEv2-ERROR:: Negotiation context locked currently in use
033079: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Verification of peer's authentication data FAILED
033080: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Sending authentication failure notify
033081: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
033082: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Sending Packet [To xxxxxxxx:5079/From yyyyyyyy:4500/VRF i0:f0]
Initiator SPI : 23A9F58A5DEE618E - Responder SPI : 2F530865CE1CF8B6 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
033083: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Auth exchange failed
033084: Jan 31 18:22:05: IKEv2-ERROR:(SESSION ID = 326,SA ID = 1):: Auth exchange failed
033085: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Abort exchange
033086: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Deleting SA
С компа завтра попробую
