Help me set up an IPSEC tunnel between ... what is wrong? Cisco:
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key SecretKey address 195.245.XX.XXX
!
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 195.245.XX.XXX
set transform-set VPN
set pfs group2
match address WU
!
interface Tunnel0
description Western Union
ip address 172.19.13.26 255.255.255.252
tunnel source Dialer1
tunnel destination 195.245.XX.XXX
tunnel mode ipip
crypto map VPN
!
interface Ethernet0
no ip address
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0
ip address 192.168.1.250 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
speed auto
full-duplex
no cdp enable
!
interface Dialer1
ip address negotiated
!
! gets address 82.207.XXX.XXX
!
ip mtu 1492
ip nat outside
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap hostname -----------
ppp chap password 7 --------------
ppp pap sent-username --------- password 7 ------------------
!
ip nat inside source list 105 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
ip access-list extended WU
permit ip host 82.207.XXX.XXX host 195.245.XX.XXX
!
-------------------------------------------------------------------------------------
Settings of the remote Linux box
02.04.2007 16:36:52, Igor- WU
#log debug;
log notify;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
isakmp 195.245.XX.XXX;
strict_address; # required all addresses must be bound.
}
timer
{
# These values can be changed per remote node.
counter 60; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# timer for waiting to complete each phase.
phase1 60 sec;
phase2 60 sec;
}
#passive on;
remote anonymous
{
exchange_mode main,aggressive ;
doi ipsec_doi;
send_cert off;
send_cr off;
verify_cert off;
situation identity_only;
my_identifier address 195.245.XX.XXX;
nonce_size 16;
lifetime time 24 hour; # sec,min,hour
initial_contact on;
proposal_check obey; # obey, strict or claim
proposal {
lifetime time 24 hour; # sec,min,hour
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 24 hour ;
encryption_algorithm 3des, des, cast128, blowfish ;
authentication_algorithm hmac_md5, hmac_sha1 ;
compression_algorithm deflate ;
}
-------------------------------------------------------------------------------------
Cisco logs
IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 82.207.XXX.XXX, remote= 195.245.XX.XXX,
local_proxy= 172.19.13.26/255.255.255.255/0/0 (type=1),
remote_proxy= 172.19.13.25/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xEE0C5089(3993784457), conn_id= 0, keysize= 0, flags= 0x400B
Apr 4 11:01:38.106: ISAKMP: received ke message (1/1)
Apr 4 11:01:38.106: ISAKMP (0:0): SA request profile is (NULL)
Apr 4 11:01:38.106: ISAKMP: local port 500, remote port 500
Apr 4 11:01:38.106: ISAKMP: set new node 0 to QM_IDLE
Apr 4 11:01:38.106: ISAKMP: insert sa successfully sa = 8228F948
Apr 4 11:01:38.110: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Apr 4 11:01:38.110: ISAKMP: Looking for a matching key for 195.245.XX.XXX in default : success
Apr 4 11:01:38.110: ISAKMP (0:1): found peer pre-shared key matching 195.245.XX.XXX
Apr 4 11:01:38.110: ISAKMP (0:1): constructed NAT-T vendor-07 ID
Apr 4 11:01:38.110: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Apr 4 11:01:38.110: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Apr 4 11:01:38.110: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 4 11:01:38.110: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Apr 4 11:01:38.110: ISAKMP (0:1): beginning Main Mode exchange
Apr 4 11:01:38.110: ISAKMP (0:1): sending packet to 195.245.XX.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 4 11:01:38.254: ISAKMP (0:1): received packet from 195.245.XX.XXX dport 500 sport 500 Global (I) MM_NO_STATE
Apr 4 11:01:38.254: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 4 11:01:38.254: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Apr 4 11:01:38.254: ISAKMP (0:1): processing SA payload. message ID = 0
Apr 4 11:01:38.254: ISAKMP (0:1): processing vendor id payload
Apr 4 11:01:38.254: ISAKMP (0:1): vendor ID seems Unity/DPD but major 139 mismatch
Apr 4 11:01:38.254: ISAKMP: Looking for a matching key for 195.245.XX.XXX in default : success
Apr 4 11:01:38.258: ISAKMP (0:1): found peer pre-shared key matching 195.245.XX.XXX
Apr 4 11:01:38.258: ISAKMP (0:1) local preshared key found
Apr 4 11:01:38.258: ISAKMP : Scanning profiles for xauth ...
Apr 4 11:01:38.258: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
Apr 4 11:01:38.258: ISAKMP: encryption 3DES-CBC
Apr 4 11:01:38.258: ISAKMP: hash MD5
Apr 4 11:01:38.258: ISAKMP: default group 2
Apr 4 11:01:38.258: ISAKMP: auth pre-share
Apr 4 11:01:38.258: ISAKMP: life type in seconds
Apr 4 11:01:38.258: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Apr 4 11:01:38.258: ISAKMP (0:1): atts are acceptable. Next payload is 0
Apr 4 11:01:38.258: CryptoEngine0: generate alg parameter
Apr 4 11:01:38.478: CRYPTO_ENGINE: Dh phase 1 status: 0
Apr 4 11:01:38.478: CRYPTO_ENGINE: Dh phase 1 status: 0
Apr 4 11:01:38.478: ISAKMP (0:1): processing vendor id payload
Apr 4 11:01:38.478: ISAKMP (0:1): vendor ID seems Unity/DPD but major 139 mismatch
Apr 4 11:01:38.478: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 4 11:01:38.482: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
Apr 4 11:01:38.522: ISAKMP (0:1): sending packet to 195.245.XX.XXX my_port 500 peer_port 500 (I) MM_SA_SETUP
Apr 4 11:01:38.522: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 4 11:01:38.522: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Apr 4 11:01:38.738: ISAKMP (0:1): received packet from 195.245.XX.XXX dport 500 sport 500 Global (I) MM_SA_SETUP
Apr 4 11:01:38.742: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 4 11:01:38.742: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
Apr 4 11:01:38.742: ISAKMP (0:1): processing KE payload. message ID = 0
Apr 4 11:01:38.742: CryptoEngine0: generate alg parameter
Apr 4 11:01:39.026: ISAKMP (0:1): processing NONCE payload. message ID = 0
Apr 4 11:01:39.026: ISAKMP: Looking for a matching key for 195.245.XX.XXX in default : success
Apr 4 11:01:39.026: ISAKMP (0:1): found peer pre-shared key matching 195.245.XX.XXX
Apr 4 11:01:39.026: CryptoEngine0: create ISAKMP SKEYID for conn id 1
Apr 4 11:01:39.030: ISAKMP (0:1): SKEYID state generated
Apr 4 11:01:39.030: ISAKMP (0:1): processing vendor id payload
Apr 4 11:01:39.030: ISAKMP (0:1): vendor ID seems Unity/DPD but major 139 mismatch
Apr 4 11:01:39.030: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 4 11:01:39.030: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
Apr 4 11:01:39.034: ISAKMP (0:1): Send initial contact
Apr 4 11:01:39.034: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Apr 4 11:01:39.034: ISAKMP (0:1): ID payload
next-payload : 8
type : 1
address : 82.207.XXX.XXX
protocol : 17
port : 500
length : 12
Apr 4 11:01:39.034: ISAKMP (1): Total payload length: 12
Apr 4 11:01:39.038: CryptoEngine0: generate hmac context for conn id 1
Apr 4 11:01:39.038: ISAKMP (0:1): sending packet to 195.245.XX.XXX my_port 500 peer_port 500 (I) MM_KEY_EXCH
Apr 4 11:01:39.038: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 4 11:01:39.038: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
Apr 4 11:01:39.178: ISAKMP (0:1): received packet from 195.245.XX.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
Apr 4 11:01:39.182: ISAKMP (0:1): processing ID payload. message ID = 0
Apr 4 11:01:39.182: ISAKMP (0:1): ID payload
next-payload : 8
type : 1
address : 195.245.XX.XXX
protocol : 17
port : 500
length : 12
Apr 4 11:01:39.182: ISAKMP (0:1): processing HASH payload. message ID = 0
Apr 4 11:01:39.182: CryptoEngine0: generate hmac context for conn id 1
Apr 4 11:01:39.186: ISAKMP (0:1): SA authentication status:
authenticated
Apr 4 11:01:39.186: ISAKMP (0:1): SA has been authenticated with 195.245.XX.XXX
Apr 4 11:01:39.186: ISAKMP (0:1): peer matches *none* of the profiles
Apr 4 11:01:39.186: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 4 11:01:39.186: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6
Apr 4 11:01:39.186: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 4 11:01:39.190: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6
Apr 4 11:01:39.190: CryptoEngine0: clear dh number for conn id 1
Apr 4 11:01:39.190: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 4 11:01:39.190: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Apr 4 11:01:39.194: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -2098754477
Apr 4 11:01:39.194: CryptoEngine0: generate alg parameter
Apr 4 11:01:39.414: CRYPTO_ENGINE: Dh phase 1 status: 0
Apr 4 11:01:39.414: CRYPTO_ENGINE: Dh phase 1 status: 0
Apr 4 11:01:39.418: CryptoEngine0: generate hmac context for conn id 1.
Apr 4 11:01:39.422: ISAKMP (0:1): sending packet to 195.245.XX.XXX my_port 500 peer_port 500 (I) QM_IDLE
Apr 4 11:01:39.422: ISAKMP (0:1): Node -2098754477, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Apr 4 11:01:39.422: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Apr 4 11:01:39.422: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Apr 4 11:01:39.422: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Apr 4 11:01:49.422: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -2098754477 ...
Apr 4 11:01:49.422: ISAKMP (0:1): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Apr 4 11:01:49.422: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Apr 4 11:01:49.422: ISAKMP (0:1): retransmitting phase 2 -2098754477 QM_IDLE
Apr 4 11:01:49.422: ISAKMP (0:1): sending packet to 195.245.XX.XXX my_port 500 peer_port 500 (I) QM_IDLE
Apr 4 11:01:59.422: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -2098754477 ...
Apr 4 11:01:59.422: ISAKMP (0:1): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Apr 4 11:01:59.422: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Apr 4 11:01:59.422: ISAKMP (0:1): retransmitting phase 2 -2098754477 QM_IDLE
Apr 4 11:01:59.422: ISAKMP (0:1): sending packet to 195.245.XX.XXX my_port 500 peer_port 500 (I) QM_IDLE
Apr 4 11:02:08.102: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 82.207.XXX.XXX, remote= 195.245.XX.XXX,
local_proxy= 172.19.13.26/255.255.255.255/0/0 (type=1),
remote_proxy= 172.19.13.25/255.255.255.255/0/0 (type=1)
Apr 4 11:02:08.102: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 82.207.XXX.XXX, remote= 195.245.XX.XXX,
local_proxy= 172.19.13.26/255.255.255.255/0/0 (type=1),
remote_proxy= 172.19.13.25/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xEB5BC667(3948660327), conn_id= 0, keysize= 0, flags= 0x400B
Apr 4 11:02:08.106: ISAKMP: received ke message (1/1)
Apr 4 11:02:08.106: ISAKMP: set new node 0 to QM_IDLE
Apr 4 11:02:08.106: ISAKMP (0:1): sitting IDLE. Starting QM immediately (QM_IDLE )
Apr 4 11:02:08.106: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1799340855
Apr 4 11:02:08.106: CryptoEngine0: generate alg parameter
Apr 4 11:02:08.322: CRYPTO_ENGINE: Dh phase 1 status: 0
Apr 4 11:02:08.322: CRYPTO_ENGINE: Dh phase 1 status: 0
Apr 4 11:02:08.326: CryptoEngine0: generate hmac context for conn id 1
Apr 4 11:02:08.326: ISAKMP (0:1): sending packet to 195.245.XX.XXX my_port 500 peer_port 500 (I) QM_IDLE
Apr 4 11:02:08.330: ISAKMP (0:1): Node -1799340855, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Apr 4 11:02:08.330: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Apr 4 11:02:09.422: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -2098754477 ...
Apr 4 11:02:09.422: ISAKMP (0:1): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
Apr 4 11:02:09.422: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
Apr 4 11:02:09.422: ISAKMP (0:1): retransmitting phase 2 -2098754477 QM_IDLE
Apr 4 11:02:09.422: ISAKMP (0:1): sending packet to 195.245.XX.XXX my_port 500 peer_port 500 (I) QM_IDLE
Apr 4 11:02:18.330: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -1799340855 ...
Apr 4 11:02:18.330: ISAKMP (0:1): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Apr 4 11:02:18.330: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
Apr 4 11:02:18.330: ISAKMP (0:1): retransmitting phase 2 -1799340855 QM_IDLE
Apr 4 11:02:18.330: ISAKMP (0:1): sending packet to 195.245.XX.XXX my_port 500 peer_port 500 (I) QM_IDLE on
Apr 4 11:02:19.422: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -2098754477 ...
Apr 4 11:02:19.422: ISAKMP (0:1): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
Apr 4 11:02:19.422: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
Apr 4 11:02:19.422: ISAKMP (0:1): retransmitting phase 2 -2098754477 QM_IDLE
Apr 4 11:02:19.422: ISAKMP (0:1): sending packet to 195.245.XX.XXX my_port 500 peer_port 500 (I) QM_IDLE
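The trace above ends with phase 2 being retransmitted and nothing coming back. The following script is an added example, not part of the original post: it parses a Cisco ISAKMP/IPSEC debug trace in this format and reports whether phase 1 finished, whether the peer ever answered Quick Mode, how many retransmits were burned and which proxy identities were offered. The sample lines are constructed in the same format (addresses masked as in the post); the `IKE_MESG_FROM_PEER, IKE_QM_EXCH` pattern for a Quick Mode reply is assumed, since no such line exists in the posted trace.

```python
import re

# Constructed sample in the same format as the Cisco debug output in the post (addresses masked as in the post).
SAMPLE_LOG = """\
local_proxy= 172.19.13.26/255.255.255.255/0/0 (type=1),
remote_proxy= 172.19.13.25/255.255.255.255/0/0 (type=1),
Apr 4 11:01:39.190: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Apr 4 11:01:39.194: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -2098754477
Apr 4 11:01:49.422: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Apr 4 11:02:19.422: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
"""

STATE_RE = re.compile(r"New State = (\S+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+)")
QM_START_RE = re.compile(r"beginning Quick Mode exchange, M-ID of (-?\d+)")
# A Quick Mode answer from the peer is logged as IKE_MESG_FROM_PEER, IKE_QM_EXCH
# (assumed format; the posted trace contains no such line at all).
QM_REPLY_RE = re.compile(r"Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH")
RETRY_RE = re.compile(r"error counter on sa, attempt (\d+) of (\d+): retransmit phase 2")


def triage(log):
    """Summarise an IKEv1 debug trace: phase 1 outcome, Quick Mode attempts,
    peer replies, retransmit count and the proxy identities that were offered."""
    r = {"phase1_complete": False, "qm_message_ids": [], "qm_peer_replies": 0,
         "max_retransmit": 0, "retransmit_limit": None, "proxies": {}}
    for line in log.splitlines():
        if (m := STATE_RE.search(line)) and m.group(1) == "IKE_P1_COMPLETE":
            r["phase1_complete"] = True
        if m := QM_START_RE.search(line):
            r["qm_message_ids"].append(int(m.group(1)))
        if QM_REPLY_RE.search(line):
            r["qm_peer_replies"] += 1
        if m := RETRY_RE.search(line):
            r["max_retransmit"] = max(r["max_retransmit"], int(m.group(1)))
            r["retransmit_limit"] = int(m.group(2))
        if m := PROXY_RE.search(line):
            # addr/mask plus protocol/port; 0/0 means "any protocol, any port"
            r["proxies"][m.group(1)] = "%s/%s proto %s port %s" % m.group(2, 3, 4, 5)
    return r


def verdict(r):
    """One-line reading of the trace for whoever is troubleshooting the tunnel."""
    if not r["phase1_complete"]:
        return "phase 1 never completed: check the ISAKMP policy and the pre-shared key"
    if r["qm_message_ids"] and r["qm_peer_replies"] == 0:
        return ("phase 1 OK but Quick Mode unanswered after %d of %d retransmits: the peer "
                "sent nothing back, a common cause is that the proxy IDs %s match no policy "
                "on the responder" % (r["max_retransmit"], r["retransmit_limit"], r["proxies"]))
    return "Quick Mode was answered; look further down the trace for the SA install"
```

Run it on the full debug output of the post: the proxy IDs it extracts (172.19.13.26/32 to 172.19.13.25/32) are what the responder has to accept, which is the first thing to compare against the Linux side's policies.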