
VPN between Cisco ASA5550 and Allied Telesyn AR770S: the VPN does not come up

Hello!

I have the following problem. There is an Allied Telesyn AR770S and a Cisco ASA 5550, and a VPN has to be built between them.

AR770S config:

# IPSEC configuration 
create ipsec sas=1 key=isakmp prot=esp enc=des hasha=md5 
create ipsec bund=1 key=isakmp string="1" 
create ipsec pol="OZC" int=eth0 ac=ipsec key=isakmp bund=1 peer=xxx.xxx.xxx.40 
set ipsec pol="OZC" lad=yyy.yyy.16.0 lma=255.255.252.0 rad=zzz.zzz.0.0 rma=255.255.0.0 
create ipsec pol="INTERNET" int=eth0 ac=permit 
enable ipsec 

# ISAKMP configuration 
create isakmp pol="OZC" pe=xxx.xxx.xxx.40 key=3 authtype=preshared
set isakmp pol="OZC" expirys=600
create enco key=3 type=general value=12 
enable isakmp 

sh enco key=3 

0x3132 
12 
IP Address: 
-

 

 

ASA 5550 config:

access-list VLAN604_cryptomap_1 extended permit ip zzz.zzz.0.0 255.255.0.0 yyy.yyy.16.0 255.255.252.0 

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto map VLAN604_map 1 match address VLAN604_cryptomap_1 
crypto map VLAN604_map 1 set peer xxx.xxx.xxx.9 
crypto map VLAN604_map 1 set transform-set ESP-DES-MD5 
crypto map VLAN604_map 1 set security-association lifetime seconds 600 
crypto map VLAN604_map 1 set nat-t-disable 
crypto map VLAN604_map interface VLAN604 

crypto isakmp identity key-id 12 
crypto isakmp enable VLAN604 

crypto isakmp policy 5 
authentication pre-share 
encryption des 
hash md5 
group 1 
lifetime 600 
no crypto isakmp nat-traversal

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *

 

debug on the ASA 5550:

Jun 24 08:47:28 [IKEv1]: Group = DefaultL2LGroup, IP = xxx.xxx.xxx.9, Removing peer from peer table failed, no match! 
Jun 24 08:47:28 [IKEv1]: Group = DefaultL2LGroup, IP = xxx.xxx.xxx.9, Error: Unable to remove PeerTblEntry

 

debug on the AR770S:

24 08:45:47 3 ISAK IKMP XCHG Exchange 12593: MAIN Phase 1 [init] started with peer xxx.xxx.xxx.40 local xxx.xxx.xxx.9 Cookie_I c957d0e70f4e1b89 Cookie_R 000000000000000 
24 08:45:47 3 ISAK IKMP XCHG Exchange 12593: Invalid id information 
24 08:45:47 3 ISAK IKMP XCHG Exchange 12593: Failed.

 

The VPN between the ASA5550 and a Cisco 851 works perfectly, but between the ASA5550 and the AR770S it will not come up at all. Please help me figure this out.

Judging by the logs, they cannot get through Phase 1.

sh isakmp sa detail 

SA Id ................................. 2 
  Initiator Cookie .................... 54dbfd5ff9e4ae22 
  Responder Cookie .................... 0000000000000000 
  DOI ................................. IPSEC 
  Policy name ......................... OZC 
  State ............................... DOING_PHASE1 
  Local address ....................... xxx.xxx.xxx.9 
  Remote Address ...................... xxx.xxx.xxx.40 
  Remote Port ......................... 500 
  Time of establishment ............... **-***-****:**:**:** 
  Commit bit set ...................... FALSE 
  Send notifies ....................... FALSE 
  Send deletes ........................ FALSE 
  Always send ID ...................... FALSE 
  Message Retry Limit ................. 8 
  Initial Message Retry Timeout (s) ... 4 
  Message Back-off .................... Incremental 
  Exchange Delete Delay (s) ........... 30 
  Do Xauth ............................ FALSE 
    Xauth Finished .................... TRUE 
  Expiry Limit (bytes) ................ 0 
  Soft Expiry Limit (bytes) ........... 0 
  Bytes seen .......................... 0 
  Expiry Limit (seconds) .............. 0 
  Soft Expiry Limit (seconds) ......... 0 
  Seconds since creation .............. 0 
  Number of Phase 2 exchanges allowed . 4294967294 
  Number of acquires queued ........... 1 

Sa Definition Information: 
  Authentication Type ................. INVALID 
  Encryption Algorithm ................ INVALID 
  Hash Algorithm ...................... INVALID 
  group Type .......................... INVALID 
  group Description ................... MODP512 
  DH Private Exponent Bits ............ 160 
  expiry seconds ...................... 0 
  expiry kilobytes .................... 0 

XAuth Information: 
  Id .................................. 0 
  Next Message ........................ UNKNOWN 
  Status .............................. FAIL 
  Type ................................ Generic 
  Max Failed Attempts.................. 0 
  Failed Attempts...................... 0 

NAT-Traversal Information: 
  NAT-T enabled ....................... NO 
  Peer NAT-T capable .................. NO 
  NAT discovered ...................... UNKNOWN 

Heartbeat Information: 
  Send Heartbeats ..................... NO 
  Next sequence number tx ............. 1 
  Receive Heartbeats .................. NO 
  Last sequence number rx ............. 0

 

 

And here is one more thing I don't understand.

sh crypto isakmp sa detail

   Active SA: 1
   Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: xxx.xxx.xxx.9
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 0

 

Why aes-256? The config has des configured.

>> crypto isakmp policy 5

Are there other policies before 5? Keep in mind that the policies are tried in order until a matching one is found.

>> tunnel-group DefaultL2LGroup ipsec-attributes

And why are you stuffing it into the default group? That group is needed when the remote device has a dynamic address, and judging by the config, that is not the case for the AT. Bind the group to the AT's address, roughly like this:

tunnel-g 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attr
pre-shared-key ххх

>> crypto isakmp policy 5

>> Are there other policies before 5? Keep in mind that the policies are tried in order until a matching one is found.

No. I have only the one.

>> tunnel-group DefaultL2LGroup ipsec-attributes

>> And why are you stuffing it into the default group? That group is needed when the remote device has a dynamic address, and judging by the config, that is not the case for the AT. Bind the group to the AT's address, roughly like this:

>> tunnel-g 2.2.2.2 type ipsec-l2l
>> tunnel-group 2.2.2.2 ipsec-attr
>> pre-shared-key ххх

I bound the group, but nothing changed. Here is the full debug.

 

Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing SA payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Oakley proposal is acceptable
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing IKE SA payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ISAKMP SA payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Fragmentation VID + extended capabilities payload
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104

Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ke payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ISA_KE payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing nonce payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ke payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing nonce payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Cisco Unity VID payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing xauth V6 VID payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send IOS VID
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing VID payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Generating keys for Responder...
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing ID payload
Jun 26 12:25:50 [IKEv1 DECODE]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, ID_IPV4_ADDR ID received xxx.xxx.xxx.9
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing hash payload
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing ID payload
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing hash payload
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing dpd vid payload
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 82

Jun 26 12:25:50 [IKEv1]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, PHASE 1 COMPLETED
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Keep-alive type for this connection: None
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Keep-alives configured on but peer does not support keep-alives (type = None)
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Starting P1 rekey timer: 450 seconds.

Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing SA payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Oakley proposal is acceptable
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing IKE SA payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ISAKMP SA payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Fragmentation VID + extended capabilities payload
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104

Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ke payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ISA_KE payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing nonce payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ke payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing nonce payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Cisco Unity VID payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing xauth V6 VID payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send IOS VID
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing VID payload
Jun 26 12:25:50 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Generating keys for Responder...
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing ID payload
Jun 26 12:25:50 [IKEv1 DECODE]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, ID_IPV4_ADDR ID received xxx.xxx.xxx.9
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing hash payload
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing ID payload
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing hash payload
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing dpd vid payload
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 82

Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Peer negotiated phase 1 rekey
Jun 26 12:25:50 [IKEv1]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, PHASE 1 COMPLETED
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Keep-alive type for this connection: None
Jun 26 12:25:50 [IKEv1]: IP = xxx.xxx.xxx.9, Keep-alives configured on but peer does not support keep-alives (type = None)
Jun 26 12:25:50 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Starting P1 rekey timer: 450 seconds.

Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing SA payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Oakley proposal is acceptable
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing IKE SA payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ISAKMP SA payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Fragmentation VID + extended capabilities payload
Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104


Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ke payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ISA_KE payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing nonce payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ke payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing nonce payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Cisco Unity VID payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing xauth V6 VID payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send IOS VID
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing VID payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Generating keys for Responder...
Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256


Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing ID payload
Jun 26 12:25:52 [IKEv1 DECODE]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, ID_IPV4_ADDR ID received xxx.xxx.xxx.9
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing hash payload
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing ID payload
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing hash payload
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing dpd vid payload
Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 82

Jun 26 12:25:52 [IKEv1]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Failure during phase 1 rekeying attempt due to collision
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, IKE MM Responder FSM error history (struct &0x270be1b0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_SND_MSG6_H, EV_SND_MSG_OK-->MM_SND_MSG6_H, EV_SND_MSG-->MM_SND_MSG6, EV_SND_MSG-->MM_BLD_MSG6, EV_ENCRYPT_OK-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ENCRYPT_MSG-->MM_BLD_MSG6, EV_CHECK_IA
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, IKE SA MM:ce335734 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, sending delete/delete with reason message
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing blank hash payload
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing IKE delete payload
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing qm hash payload
Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=63fcec81) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing SA payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Oakley proposal is acceptable
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing IKE SA payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ISAKMP SA payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Fragmentation VID + extended capabilities payload
Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104


Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ke payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing ISA_KE payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing nonce payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ke payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing nonce payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Cisco Unity VID payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing xauth V6 VID payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send IOS VID
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing VID payload
Jun 26 12:25:52 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Generating keys for Responder...
Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing ID payload
Jun 26 12:25:52 [IKEv1 DECODE]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, ID_IPV4_ADDR ID received xxx.xxx.xxx.9
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, processing hash payload
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, Connection landed on tunnel_group xxx.xxx.xxx.9
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing ID payload
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing hash payload
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Computing hash for ISAKMP
Jun 26 12:25:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, constructing dpd vid payload
Jun 26 12:25:52 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 82

The lifetime doesn't match. Try removing crypto map VLAN604_map 1 set security-association lifetime seconds 600, and what does the AT show in its logs?

I removed the lifetime on both the Cisco and the Telesis. That doesn't help either.

Allied Telesis log (I don't know how to get a more detailed log):

26 14:36:33 3 ISAK IKMP  XCHG  Exchange 14635: MAIN Phase 1 [resp] started with  peer xxx.xxx.xxx.40 local xxx.xxx.xxx.9 Cookie_I 1edd065ae7405cef Cookie_R 2c653ac0fa9a9877
26 14:36:33 3 ISAK IKMP  XCHG  Exchange 14635: No proposal chosen
26 14:36:33 3 ISAK IKMP  XCHG  Exchange 14635: Failed. 

and so on

Cisco log:

Jun 26 14:38:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 26 14:38:06 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 26 14:38:10 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

Jun 26 14:38:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 26 14:38:11 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 26 14:38:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 26 14:38:16 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 26 14:38:18 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE MM Initiator FSM error history (struct &0x2501ba60)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jun 26 14:38:18 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA MM:1c0e7432 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jun 26 14:38:18 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, sending delete/delete with reason message
Jun 26 14:38:18 [IKEv1]: IP = xxx.xxx.xxx.9, Removing peer from peer table failed, no match!
Jun 26 14:38:18 [IKEv1]: IP = xxx.xxx.xxx.9, Error: Unable to remove PeerTblEntry
Jun 26 14:38:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 26 14:38:21 [IKEv1]: IP = xxx.xxx.xxx.9, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.9  local Proxy Address 172.16.0.0, remote Proxy Address 172.17.16.0,  Crypto map (VLAN604_map)
Jun 26 14:38:21 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ISAKMP SA payload
Jun 26 14:38:21 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Fragmentation VID + extended capabilities payload
Jun 26 14:38:21 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

Jun 26 14:38:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 26 14:38:26 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 26 14:38:29 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

Jun 26 14:38:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 26 14:38:31 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Jun 26 14:38:34 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
Jun 26 14:38:34 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, processing SA payload
Jun 26 14:38:34 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Jun 26 14:38:34 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Jun 26 14:38:34 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96

Jun 26 14:38:34 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, All SA proposals found unacceptable
Jun 26 14:38:34 [IKEv1]: IP = xxx.xxx.xxx.9, Error processing payload: Payload ID: 1
Jun 26 14:38:34 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE MM Responder FSM error history (struct &0x276cf3b8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Jun 26 14:38:34 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA MM:3e2f8ebd terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jun 26 14:38:34 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, sending delete/delete with reason message
Jun 26 14:38:34 [IKEv1]: IP = xxx.xxx.xxx.9, Removing peer from peer table failed, no match!
Jun 26 14:38:34 [IKEv1]: IP = xxx.xxx.xxx.9, Error: Unable to remove PeerTblEntry
Jun 26 14:38:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 26 14:38:36 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 26 14:38:37 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

Jun 26 14:38:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 26 14:38:41 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 26 14:38:45 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

Jun 26 14:38:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 26 14:38:46 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 26 14:38:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 26 14:38:51 [IKEv1]: IP = xxx.xxx.xxx.9, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 26 14:38:53 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE MM Initiator FSM error history (struct &0x2501ba60)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jun 26 14:38:53 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE SA MM:5a06dd1e terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jun 26 14:38:53 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, sending delete/delete with reason message
Jun 26 14:38:53 [IKEv1]: IP = xxx.xxx.xxx.9, Removing peer from peer table failed, no match!
Jun 26 14:38:53 [IKEv1]: IP = xxx.xxx.xxx.9, Error: Unable to remove PeerTblEntry
Jun 26 14:38:55 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jun 26 14:38:56 [IKEv1]: IP = xxx.xxx.xxx.9, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.9  local Proxy Address 172.16.0.0, remote Proxy Address 172.17.16.0,  Crypto map (VLAN604_map)
Jun 26 14:38:56 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing ISAKMP SA payload
Jun 26 14:38:56 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, constructing Fragmentation VID + extended capabilities payload
Jun 26 14:38:56 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
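The following is an added example, not code from this thread or from Cisco or Allied Telesis. It does two things the discussion above circles around: it scans Cisco ASA IKEv1 debug output of the kind pasted in this post for the lines that actually decide Phase 1 (the "Mismatched attribute types ... Rcv'd: Group 1 Cfg'd: Group 2" line, "All SA proposals found unacceptable", the MM_WAIT_MSG2 timeout, "PHASE 1 COMPLETED", the rekey collision), and it models the policy-walk the earlier reply describes, where a responder tries its ISAKMP policies in priority order until one matches, reporting per policy which attributes did not match. The sample log lines and the policy lists are constructed for the example (addresses masked as in the thread; the aes-256/sha/group 2 entry is a hypothetical policy, not a reconstruction of the poster's actual policy list). Lifetime is deliberately not treated as a hard-match attribute, because IKEv1 negotiates it rather than requiring equality.

```python
"""Added example: IKEv1 Phase 1 troubleshooting helpers (not from the thread).

classify_asa_ikev1()   - summarise decisive Phase 1 lines from ASA debug output
select_isakmp_policy() - model a responder walking its ordered ISAKMP policies
"""
import re
from dataclasses import dataclass

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[IKEv1[^\]]*\]: (?P<msg>.*)$")
MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>.+?):\s+"
    r"Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+?)\s*$"
)


@dataclass
class Phase1Event:
    timestamp: str
    kind: str      # completed | mismatch | unacceptable | timeout | collision | resend
    detail: str = ""


def classify_line(line: str):
    """Map one ASA debug line to a Phase1Event, or None if it is not decisive."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts, msg = m.group("ts"), m.group("msg")
    if "PHASE 1 COMPLETED" in msg:
        return Phase1Event(ts, "completed")
    mm = MISMATCH_RE.search(msg)
    if mm:
        return Phase1Event(ts, "mismatch",
                           f"{mm['cls']}: received {mm['rcvd']}, configured {mm['cfgd']}")
    if "All SA proposals found unacceptable" in msg:
        return Phase1Event(ts, "unacceptable")
    if "rekeying attempt due to collision" in msg:
        return Phase1Event(ts, "collision")
    if "EV_TIMEOUT-->MM_WAIT_MSG2" in msg:
        # Initiator never received main-mode message 2: peer silent or UDP/500 not reaching it.
        return Phase1Event(ts, "timeout", "no reply to main-mode message 1")
    if "IKE_DECODE RESENDING" in msg:
        return Phase1Event(ts, "resend")
    return None


def classify_asa_ikev1(log_text: str) -> dict:
    """Count decisive events and collect the distinct attribute mismatches."""
    events = [e for e in map(classify_line, log_text.splitlines()) if e]
    counts = {}
    for e in events:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    mismatches = sorted({e.detail for e in events if e.kind == "mismatch"})
    return {"counts": counts, "mismatches": mismatches}


# Attributes a responder requires to match exactly. Lifetime is left out on
# purpose: IKEv1 negotiates it (the responder may answer with a shorter one),
# so an unequal lifetime alone does not yield "Mismatched attribute types".
REQUIRED = ("encryption", "hash", "group", "authentication")


def select_isakmp_policy(proposal: dict, policies: list) -> tuple:
    """Walk (priority, policy) pairs in order. Return (priority of the first
    match or None, per-policy lists of attributes that did not match), so a
    failed negotiation shows exactly what was compared with what."""
    report = []
    for priority, pol in policies:
        bad = [k for k in REQUIRED if pol.get(k) != proposal.get(k)]
        report.append(bad)
        if not bad:
            return priority, report
    return None, report


# Constructed sample: abbreviated lines of the kinds shown in this thread.
SAMPLE_LOG = """\
Jun 26 14:38:10 [IKEv1]: IP = xxx.xxx.xxx.9, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 26 14:38:18 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, IKE MM Initiator FSM error history (struct &0x2501ba60)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2
Jun 26 14:38:34 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Jun 26 14:38:34 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.9, All SA proposals found unacceptable
Jun 26 12:25:50 [IKEv1]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, PHASE 1 COMPLETED
Jun 26 12:25:52 [IKEv1]: Group = xxx.xxx.xxx.9, IP = xxx.xxx.xxx.9, Failure during phase 1 rekeying attempt due to collision
"""

# Constructed: the des/md5/group 1/PSK proposal the AR770S config in the thread
# would send, against a hypothetical ASA policy list with an aes-256/sha/group 2
# entry ahead of the matching des/md5/group 1 entry.
AR770S_PROPOSAL = {"encryption": "des", "hash": "md5", "group": 1, "authentication": "pre-share"}
ASA_POLICIES = [
    (5, {"encryption": "aes-256", "hash": "sha", "group": 2, "authentication": "pre-share"}),
    (10, {"encryption": "des", "hash": "md5", "group": 1, "authentication": "pre-share"}),
]

if __name__ == "__main__":
    print(classify_asa_ikev1(SAMPLE_LOG))
    print(select_isakmp_policy(AR770S_PROPOSAL, ASA_POLICIES))
    print(select_isakmp_policy(AR770S_PROPOSAL, ASA_POLICIES[:1]))
```

Feed it the full debug capture from a real ASA and the "mismatches" list tells you which attribute class the responder rejected and both values, which is the comparison the poster wished to see; the second helper shows that a policy earlier in the list can mask a later matching one only in the sense that the mismatch messages will name the earlier policy's values.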

Well, then the default values on the two boxes don't match. Set them explicitly, something like create ipsec bundle=1 keyman=isakmp string="1" expirys=3600 and crypto map VLAN604_map 1 set security-association lifetime seconds 3600, respectively.

I already tried setting them explicitly, and the error still appears. If only I could see what the ASA compares against what, then I could adjust all the values as needed.

Here is the latest Cisco ASA config:

DC-CiscoASA# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname DC-CiscoASA
domain-name k.local
enable password 2Z/DI1w9CvF4qzMC encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

!
interface GigabitEthernet0/0
description LAN
nameif inside
security-level 100
ip address zzz.zzz.0.110 255.255.0.0
!
interface GigabitEthernet0/1
description VLAN604
nameif VLAN604
security-level 0
ip address xxx.xxx.xxx40 255.255.255.0
!
interface GigabitEthernet0/2
description VPN
shutdown
nameif vpn
security-level 0
no ip address
!
interface GigabitEthernet0/3
nameif K
security-level 0
ip address 192.168.4.10 255.255.255.0
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
!
interface GigabitEthernet1/0
shutdown
nameif test
security-level 0
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
banner login                           ----------------------------
banner login                                  .            .
banner login                                  |            |
banner login                                 |||          |||
banner login                               .|| ||.      .|| ||.
banner login                            .:||| | |||:..:||| | |||:.
banner login                             C i s c o  S y s t e m s
banner login                           ----------------------------
banner motd                           ----------------------------
banner motd                                  .            .
banner motd                                  |            |
banner motd                                 |||          |||
banner motd                               .|| ||.      .|| ||.
banner motd                            .:||| | |||:..:||| | |||:.
banner motd                             C i s c o  S y s t e m s
banner motd                           ----------------------------
boot system disk0:/asa821-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server dc-dc
name-server dc-data
domain-name k.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list vpn_access_in extended permit ip any any inactive
access-list inside_nat0_outbound extended permit ip any any
access-list VLAN604_nat0_outbound extended permit ip any any
access-list Test_access_in extended permit ip any any
access-list Test_nat0_outbound extended permit ip any any
access-list test_access_in extended permit ip any any
access-list K_access_in extended permit ip any any
access-list test_nat0_outbound extended permit ip any any
access-list asd standard permit zzz.zzz.0.0 255.255.0.0
access-list VLAN604_cryptomap_1 extended permit ip zzz.zzz.0.0 255.255.0.0 yyy.yyy.yyy.0 255.255.252.0
pager lines 24
logging enable
logging timestamp
logging standby
logging asdm-buffer-size 512
logging trap informational
logging asdm informational
logging host inside zzz.zzz.2.2
logging host inside dc-test1
flow-export destination inside dc-netmgm 9996
flow-export destination inside dc-orion 9996
flow-export destination inside dc-test1 9996
flow-export template timeout-rate 1
mtu inside 1500
mtu VLAN604 1500
mtu vpn 1500
mtu management 1500
mtu test 1500
mtu K 1500
ip local pool vpn_pool ***.***.251.1-***.***.251.31 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
nat (inside) 0 access-list inside_nat0_outbound
nat (VLAN604) 0 access-list VLAN604_nat0_outbound
nat (test) 0 access-list test_nat0_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface VLAN604
access-group vpn_access_in in interface vpn
access-group test_access_in in interface test
access-group K_access_in in interface K
route inside 0.0.0.0 0.0.0.0 zzz.zzz.0.1 1
route VLAN604 yyy.yyy.yyy.0 255.255.252.0 xxx.xxx.xxx.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host dc-dc
ldap-base-dn DC=k,DC=local
ldap-group-base-dn DC=k,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=backup_account,CN=users,DC=k,DC=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http zzz.zzz.0.0 255.255.0.0 inside
http Management 255.255.255.0 management
snmp-server host inside dc-orion community public version 2c
snmp-server host inside dc-test1 community public version 2c
snmp-server host inside zzz.zzz.2.2 community public version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map VLAN604_map 1 match address VLAN604_cryptomap_1
crypto map VLAN604_map 1 set peer xxx.xxx.xxx.9
crypto map VLAN604_map 1 set transform-set ESP-DES-MD5
crypto map VLAN604_map 1 set security-association lifetime kilobytes 1000
crypto map VLAN604_map 1 set nat-t-disable
crypto map VLAN604_map interface VLAN604
crypto ca trustpoint Trust
enrollment self
serial-number
crl configure
crypto ca certificate chain Trust
certificate 31
    308201f0 30820159 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
    3e313c30 12060355 0405130b 4a4d5831 3234354c 31524e30 2606092a 864886f7
    0d010902 16194443 2d436973 636f4153 412e6b7a 67726f75 702e6c6f 63616c30
    1e170d30 39303531 39313431 3130345a 170d3139 30353137 31343131 30345a30
    3e313c30 12060355 0405130b 4a4d5831 3234354c 31524e30 2606092a 864886f7
    0d010902 16194443 2d436973 636f4153 412e6b7a 67726f75 702e6c6f 63616c30
    819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 e8fe0c34
    f0e33107 2bacce53 e2431f1e d92c5e5c 294f98e9 6ed539b3 3eaf8d66 b76e38d6
    df9293ea ead799fd c0fb3e7d fbc34c81 76c8a913 6969c120 1997820a 1c1eea94
    4c1c6a3f 21ffee19 3a69c481 c7067ef6 5de5ff3a 75c38128 1aaab56e 52984a0a
    e02b5c5d a0663b72 73d63260 7d31c776 4ec9873e 443a0730 abe34c6d 02030100
    01300d06 092a8648 86f70d01 01040500 03818100 9d0a5cae 7c45a07f 42a67d59
    60dfb82f 68df08cf d189f7be b98209ac d2b57f0c 1bd76ffe 1161ad01 8bae1507
    9d7c0fb6 43f4102b 2961b8b0 77926012 9273298f 4b05efc6 c2f88b70 688ed72e
    4aa82e26 65bb736b 06164f59 d95384a8 f3b47b46 802a13fc 001a3f54 866f3ff2
    978cc80c 4fd31f22 e03f3018 4c103e5f 23ec6294
  quit
crypto isakmp identity key-id 12
crypto isakmp enable inside
crypto isakmp enable VLAN604
crypto isakmp enable test
crypto isakmp policy 5
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet zzz.zzz.0.0 255.255.0.0 inside
telnet xxx.xxx.xxx.0 255.255.255.0 VLAN604
telnet timeout 15
ssh zzz.zzz.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server dc-dc source inside
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
ssl trust-point Trust inside
webvpn
enable inside
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy VPN_GroupPolicy internal
group-policy VPN_GroupPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy Remote_access internal
group-policy Remote_access attributes
vpn-tunnel-protocol IPSec
group-policy clientgroup internal
group-policy clientgroup attributes
wins-server value zzz.zzz.0.20 zzz.zzz.0.22
dns-server value zzz.zzz.0.20 zzz.zzz.0.22
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value asd
webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default webvpn
username admin password 1xxNlg5266fTgQa2 encrypted privilege 15
username nikiforov password XZjHQCraVDdhT63R encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpn_pool
authentication-server-group LDAP_SRV_GRP
default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
group-alias k.local enable
tunnel-group xxx.xxx.xxx.9 type ipsec-l2l
tunnel-group xxx.xxx.xxx.9 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive disable
tunnel-group-map default-group VPN_Tunnel
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 4096
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ipsec-pass-thru
class global-class
  flow-export event-type all destination dc-test1 dc-netmgm dc-orion
!
service-policy global_policy global
privilege show level 4 mode exec command running-config
privilege show level 3 mode exec command asdm
privilege show level 4 mode configure command asdm
prompt hostname context
Cryptochecksum:6ff7f2d50d97139581cb2b46c2685baf
: end

and the Allied Telesis config:

# IPSEC configuration
create ipsec sas=1 key=isakmp prot=esp enc=des hasha=md5
create ipsec bund=1 key=isakmp string="1" expiryk=1000
create ipsec pol="OZC" int=eth0 ac=ipsec key=isakmp bund=1 peer=xxx.xxx.xxx.40
set ipsec pol="OZC" lad=yyy.yyy.yyy.0 lma=255.255.252.0 rad=zzz.zzz.0.0 rma=255.255.0.0
create ipsec pol="INTERNET" int=eth0 ac=permit

# ISAKMP configuration
create isakmp pol="OZC" pe=xxx.xxx.xxx.40 has=md5 key=2
set isakmp pol="OZC" expiryk=1000 expirys=28800 gro=2

Edited by jeka64


crypto isakmp ident addr

crypto map VLAN604_map 1 set security-association lifetime sec 28800

create ipsec bund=1 key=isakmp string="1" expiryk=1000 expirys=28800
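The reply above lists the three settings that had to be brought into line, and the earlier complaint was that there is no way to see what the ASA is comparing against what. The script below is an added example written for this page (not code from the thread or from either vendor): it pulls the IKEv1 Phase 1 and Phase 2 parameters out of an ASA config and an AR-series config and lists every value that differs or is left to a vendor default, which is exactly where the two boxes' defaults diverged here. The embedded sample input is the relevant lines of the two configs posted above; the parameter-name tables, the single-policy/single-map-entry assumption, and the assumption that the AR expects an IP-address identity when no localid/remoteid is configured (consistent with the crypto isakmp ident addr fix) are mine.

```python
"""Added checker (not from the thread): extract IKEv1 Phase 1 / Phase 2
parameters from an ASA config and an Allied Telesis AR config and list what
differs or is left to a vendor default."""
import re
import shlex

# Constructed sample input: the relevant lines of the two configs posted above.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map VLAN604_map 1 set peer xxx.xxx.xxx.9
crypto map VLAN604_map 1 set transform-set ESP-DES-MD5
crypto map VLAN604_map 1 set security-association lifetime kilobytes 1000
crypto isakmp identity key-id 12
crypto isakmp policy 5
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
"""
AT_CONFIG = """\
create ipsec sas=1 key=isakmp prot=esp enc=des hasha=md5
create ipsec bund=1 key=isakmp string="1" expiryk=1000
create isakmp pol="OZC" pe=xxx.xxx.xxx.40 has=md5 key=2
set isakmp pol="OZC" expiryk=1000 expirys=28800 gro=2
"""
# AR parameters may be abbreviated to any unambiguous prefix of 3+ characters.
AT_PARAMS = ("encalg", "hashalg", "group", "expiryseconds", "expirykbytes")
ASA_P1 = {"encryption": "encalg", "hash": "hashalg", "group": "group",
          "lifetime": "expiryseconds"}
ASA_P2 = {"seconds": "expiryseconds", "kilobytes": "expirykbytes"}


def parse_asa(text):
    """Assumes one isakmp policy and one static crypto-map entry (as posted)."""
    p1, p2, glob, tsets = {"identity": "auto"}, {}, {}, {}  # 'auto' = ASA default
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = (w[4][4:], w[5][4:].replace("-hmac", ""))  # esp-des -> des
        elif w[:4] == ["crypto", "ipsec", "security-association", "lifetime"]:
            glob[ASA_P2[w[4]]] = w[5]
        elif w[:2] == ["crypto", "map"] and "set" in w:
            rest = w[w.index("set") + 1:]
            if rest[0] == "transform-set":
                p2["encalg"], p2["hashalg"] = tsets[rest[1]]
            elif rest[:2] == ["security-association", "lifetime"]:
                p2[ASA_P2[rest[2]]] = rest[3]
        elif w[:3] == ["crypto", "isakmp", "identity"]:
            p1["identity"] = w[3]
        elif w[0] in ASA_P1:
            p1[ASA_P1[w[0]]] = w[1]
    for k, v in glob.items():       # a map entry inherits unset global lifetimes
        p2.setdefault(k, v)
    return {"p1": p1, "p2": p2}


def at_kv(line):
    """'create isakmp pol="OZC" has=md5 ...' -> {"hashalg": "md5"}; unknown or
    ambiguous parameter prefixes are dropped."""
    out = {}
    for tok in shlex.split(line):
        if "=" in tok:
            k, v = tok.split("=", 1)
            full = [p for p in AT_PARAMS if len(k) >= 3 and p.startswith(k.lower())]
            if len(full) == 1:
                out[full[0]] = v.lower()
    return out


def parse_at(text):
    """Phase 1 'identity' is what the AR expects from the peer: 'address' unless
    a localid/remoteid is set (assumption, matching the fix found in this thread)."""
    p1, p2 = {}, {}
    for line in text.splitlines():
        w = line.lower().split()
        if len(w) > 2 and w[1] == "isakmp" and w[2].startswith("pol"):
            p1.update(at_kv(line))
            if re.search(r"\b(local|remote)id=", line, re.I):
                p1["identity"] = "explicit-id"
        elif len(w) > 2 and w[1] == "ipsec" and w[2].startswith(("sas", "bund")):
            p2.update(at_kv(line))
    p1.setdefault("identity", "address")
    return {"p1": p1, "p2": p2}


def compare(asa, at):
    """Return findings; empty means both sides set and agree on every checked value."""
    out = []
    asa_id = asa["p1"]["identity"]
    if asa_id == "auto":            # with pre-shared keys 'auto' sends the IP address
        asa_id = "address"
    if asa_id != at["p1"]["identity"]:
        out.append(f"p1 identity: ASA sends '{asa_id}', AR expects '{at['p1']['identity']}'")
    for phase, keys in (("p1", ("encalg", "hashalg", "group", "expiryseconds")),
                        ("p2", ("encalg", "hashalg", "expiryseconds", "expirykbytes"))):
        for k in keys:
            a, b = asa[phase].get(k), at[phase].get(k)
            missing = [s for s, v in (("ASA", a), ("AR", b)) if v is None]
            if missing:
                out.append(f"{phase} {k}: not set explicitly on {'/'.join(missing)} "
                           f"(ASA={a}, AR={b}); a vendor default will apply")
            elif a != b:
                out.append(f"{phase} {k}: ASA={a}, AR={b}")
    return out


if __name__ == "__main__":
    print("\n".join(compare(parse_asa(ASA_CONFIG), parse_at(AT_CONFIG))))
```

Run against the posted configs it reports the key-id versus address identity mismatch that turned out to be the real cause, plus the two values still being left to defaults (Phase 1 encryption on the AR policy, Phase 2 lifetime seconds on the AR bundle). Unset values are reported rather than filled in with a guessed default, because the two vendors' defaults are precisely what cannot be trusted to agree.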


Huge thanks. I added crypto isakmp ident addr and everything started working.


You're welcome. And have mercy on the boxes: configure sensible key exchange timeouts! Rekeying every 100k; humanity hasn't yet built hardware that could crack those keys in that time.
