fizik051 Posted 24 April 2014

Hi all. I'm trying to set up a VPN between a Mikrotik RouterBoard RB951 and a Cisco ASA 5505. The Mikrotik has 2 interfaces configured: 10.34.1.50, the external one, and 192.168.88.1, the internal network interface. The Cisco ASA has 2 SVIs configured: vlan1 10.34.1.51, the external one; vlan2 192.168.1.1, the interface of the other internal network.

Cisco ASA config:

: Saved
:
ASA Version 7.2(4)
!
hostname ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 10.34.1.51 255.255.254.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone MSD 4
access-list HELP_ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.88.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DES_SHA esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 144000
crypto map TEST_MAP 10 match address HELP_ACL
crypto map TEST_MAP 10 set pfs
crypto map TEST_MAP 10 set peer 10.34.1.50
crypto map TEST_MAP 10 set transform-set DES_SHA
crypto map TEST_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 1800
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config inside
!
tunnel-group 10.34.1.50 type ipsec-l2l
tunnel-group 10.34.1.50 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b82ecf870d8dcc3c3c233f112298e761
: end

The Mikrotik VPN settings are attached as pictures. On the Installed SAs tab, SAs periodically appear and disappear.
With debug crypto isakmp 7 the following messages are printed:

ASA#
Apr 24 16:14:51 [iKEv1]: IP = 10.34.1.50, Received encrypted packet with no matching SA, dropping
Apr 24 16:15:01 [iKEv1]: IP = 10.34.1.50, Received encrypted packet with no matching SA, dropping
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, processing SA payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, Oakley proposal is acceptable
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, processing VID payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, Received DPD VID
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, processing IKE SA payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing ISAKMP SA payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing Fragmentation VID + extended capabilities payload
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 188
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, processing ke payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, processing ISA_KE payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, processing nonce payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing ke payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing nonce payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing Cisco Unity VID payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing xauth V6 VID payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, Send IOS VID
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing VID payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, Connection landed on tunnel_group 10.34.1.50
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, Generating keys for Responder...
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing ID payload
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing hash payload
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, Computing hash for ISAKMP
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, Connection landed on tunnel_group 10.34.1.50
Apr 24 16:15:15 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Freeing previously allocated memory for authorization-dn-attributes
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing ID payload
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing hash payload
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, Computing hash for ISAKMP
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing dpd vid payload
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
Apr 24 16:15:15 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, PHASE 1 COMPLETED
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, Keep-alive type for this connection: DPD
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, Starting P1 rekey timer: 1350 seconds.
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, sending notify message
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing blank hash payload
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing qm hash payload
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=163c7a52) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, Sending keep-alive of type DPD R-U-THERE (seq number 0x6471339c)
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing blank hash payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing qm hash payload
Apr 24 16:15:16 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=88e17178) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Apr 24 16:15:16 [iKEv1]: IP = 10.34.1.50, IKE_DECODE RECEIVED Message (msgid=8c477232) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing hash payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing notify payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x6471339c)
Apr 24 16:15:16 [iKEv1]: IP = 10.34.1.50, IKE_DECODE RECEIVED Message (msgid=a1994cf2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 292
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing hash payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing SA payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing nonce payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing ke payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing ISA_KE for PFS in phase 2
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing ID payload
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.88.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing ID payload
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Received local IP Proxy Subnet data in ID Payload: Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, QM IsRekeyed old sa not found by addr
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Static Crypto Map check, checking map = TEST_MAP, seq = 10...
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Static Crypto Map check, map TEST_MAP, seq = 10 is a successful match
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, IKE Remote Peer configured for crypto map: TEST_MAP
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing IPSec SA payload
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, All IPSec SA proposals found unacceptable!
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, sending notify message
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing blank hash payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing ipsec notify payload for msg id a1994cf2
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing qm hash payload
Apr 24 16:15:16 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=f5c3cc1d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, QM FSM error (P2 struct &0x175bec8, mess id 0xa1994cf2)!
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, IKE QM Responder FSM error history (struct &0x175bec8) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, sending delete/delete with reason message
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Removing peer from correlator table failed, no match!
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, IKE SA MM:0ddf4fef rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, IKE SA MM:0ddf4fef terminating: flags 0x01000002, refcnt 0, tuncnt 0
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, sending delete/delete with reason message
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing blank hash payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing IKE delete payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing qm hash payload
Apr 24 16:15:16 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=c9b9dc3a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Apr 24 16:15:26 [iKEv1]: IP = 10.34.1.50, Received encrypted packet with no matching SA, dropping
Apr 24 16:15:36 [iKEv1]: IP = 10.34.1.50, Received encrypted packet with no matching SA, dropping
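An added triage script (not the poster's, and not from any Cisco or MikroTik tool) that walks the ASA debug output above in order and reports where the IKEv1 negotiation stopped: phase 1 completes, the proxy IDs match the crypto-map ACL, and the rejection only comes at "All IPSec SA proposals found unacceptable!", which points at the phase-2 transform, PFS or lifetime rather than the ACL. The ASA-side values it prints are taken from the config in the post; the log excerpt is constructed from the lines quoted above.

```python
import re

# Constructed excerpt of the "debug crypto isakmp 7" output quoted in the post above
SAMPLE_LOG = """\
Apr 24 16:15:15 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, PHASE 1 COMPLETED
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.88.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Received local IP Proxy Subnet data in ID Payload: Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Static Crypto Map check, map TEST_MAP, seq = 10 is a successful match
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, All IPSec SA proposals found unacceptable!
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, QM FSM error (P2 struct &0x175bec8, mess id 0xa1994cf2)!
"""

# Phase-2 parameters the ASA config in the post actually enforces: the transform set is
# named DES_SHA but is esp-des/esp-md5-hmac, and "set pfs" with no group means group2 on ASA
ASA_PHASE2 = {"transform": "esp-des esp-md5-hmac", "pfs": "group2", "lifetime_s": 144000}

PROXY_RE = re.compile(
    r"Received (remote|local) IP Proxy Subnet data in ID Payload:\s+Address ([\d.]+), Mask ([\d.]+)")


def triage(log: str) -> dict:
    """Walk the debug lines in order and classify where the IKEv1 negotiation stopped."""
    result = {"phase1": False, "crypto_map_matched": False, "phase2_rejected": False,
              "proxy_ids": {}, "verdict": "no IKE activity seen"}
    for line in log.splitlines():
        if "PHASE 1 COMPLETED" in line:
            result["phase1"] = True
        m = PROXY_RE.search(line)
        if m:  # proxy IDs (traffic selectors) the peer offered in Quick Mode
            result["proxy_ids"][m.group(1)] = f"{m.group(2)} {m.group(3)}"
        if "is a successful match" in line:
            result["crypto_map_matched"] = True
        if "All IPSec SA proposals found unacceptable" in line:
            result["phase2_rejected"] = True
    if result["phase2_rejected"] and result["crypto_map_matched"]:
        # ACL/proxy IDs were fine, so the rejection is in the transform, PFS or lifetime
        result["verdict"] = ("phase 2 proposal mismatch: compare the peer's proposal with "
                             f"{ASA_PHASE2['transform']}, PFS {ASA_PHASE2['pfs']}, "
                             f"lifetime {ASA_PHASE2['lifetime_s']}s")
    elif result["phase2_rejected"]:
        result["verdict"] = "phase 2 rejected before a crypto-map match: check proxy IDs / ACL"
    elif result["phase1"]:
        result["verdict"] = "phase 1 up, no phase 2 error seen"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```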
fizik051 Posted 24 April 2014

http://i60.tinypic.com/3097ce8.jpg
http://i60.tinypic.com/33za4a0.jpg
http://i57.tinypic.com/vp9qfk.jpg