Andreevskiy

Equipment

  • Keenetic
    Keenetic Start II Rev A


  1. I'll write here, the problem is similar. Cisco log:

     ciscoasa# show
     Dec 02 02:46:33 [IKEv1]IKE Receiver: Packet received on 80.246.253.173:500 from XXX.XXX.XXX.XXX:500
     Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 316
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing SA payload
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing ke payload
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing ISA_KE payload
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing nonce payload
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing ID payload
     Dec 02 02:46:33 [IKEv1 DECODE]IP = XXX.XXX.XXX.XXX, ID_IPV4_ADDR ID received XXX.XXX.XXX.XXX
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received DPD VID
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received Fragmentation VID
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received NAT-Traversal RFC VID
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload
     Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received NAT-Traversal ver 02 VID
     Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, Connection landed on tunnel_group XXX.XXX.XXX.XXX
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing IKE SA payload
     Dec 02 02:46:33 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 5
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ISAKMP SA payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ke payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing nonce payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Generating keys for Responder...
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ID payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing hash payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Computing hash for ISAKMP
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing Cisco Unity VID payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing xauth V6 VID payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing dpd vid payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing NAT-Traversal VID ver RFC payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing NAT-Discovery payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing NAT-Discovery payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing Fragmentation VID + extended capabilities payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing VID payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
     Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 408
     Dec 02 02:46:33 [IKEv1]IKE Receiver: Packet received on 80.246.253.173:500 from XXX.XXX.XXX.XXX:500
     Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 100
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing hash payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Computing hash for ISAKMP
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing NAT-Discovery payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing NAT-Discovery payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, PHASE 1 COMPLETED
     Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, Keep-alive type for this connection: DPD
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Starting P1 rekey timer: 2700 seconds.
     Dec 02 02:46:33 [IKEv1]IKE Receiver: Packet received on 80.246.253.173:500 from XXX.XXX.XXX.XXX:500
     Dec 02 02:46:33 [IKEv1 DECODE]IP = XXX.XXX.XXX.XXX, IKE Responder starting QM: msg id = 9f24aad1
     Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=9f24aad1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 284
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing hash payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing SA payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing nonce payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ke payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ISA_KE for PFS in phase 2
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ID payload
     Dec 02 02:46:33 [IKEv1 DECODE]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, ID_IPV4_ADDR_SUBNET ID received--192.168.121.0--255.255.255.0
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.121.0, Mask 255.255.255.0, Protocol 0, Port 0
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ID payload
     Dec 02 02:46:33 [IKEv1 DECODE]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, ID_IPV4_ADDR_SUBNET ID received--192.168.50.0--255.255.255.0
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Received local IP Proxy Subnet data in ID Payload: Address 192.168.50.0, Mask 255.255.255.0, Protocol 0, Port 0
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, QM IsRekeyed old sa not found by addr
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, checking map = mymap, seq = 10...
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, map = mymap, seq = 10, ACL does not match proxy IDs src:192.168.121.0 dst:192.168.50.0
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, checking map = mymap, seq = 11...
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, map mymap, seq = 11 is a successful match
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE Remote Peer configured for crypto map: mymap
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing IPSec SA payload
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, All IPSec SA proposals found unacceptable!
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, sending notify message
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing blank hash payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ipsec notify payload for msg id 9f24aad1
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing qm hash payload
     Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE SENDING Message (msgid=78e848eb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, QM FSM error (P2 struct &0xce5df4c0, mess id 0x9f24aad1)!
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE QM Responder FSM error history (struct &0xce5df4c0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, sending delete/delete with reason message
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Removing peer from correlator table failed, no match!
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE SA AM:8fbc8e72 rcv'd Terminate: state AM_ACTIVE flags 0x00000041, refcnt 1, tuncnt 0
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE SA AM:8fbc8e72 terminating: flags 0x01000001, refcnt 0, tuncnt 0
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, sending delete/delete with reason message
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing blank hash payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing IKE delete payload
     Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing qm hash payload
     Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE SENDING Message (msgid=8d98427d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
     Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Session is being torn down. Reason: Phase 2 Mismatch
     Dec 02 02:46:33 [IKEv1]Ignoring msg to mark SA with dsID 1601536 dead because SA deleted

     Cisco configs:

     crypto ipsec ikev1 transform-set myset2 esp-des esp-sha-hmac
     crypto map mymap 11 set ikev1 transform-set myset2
     crypto map mymap 11 match address L2LDima
     crypto map mymap 11 set peer XXX.XXX.XXX.XXX
     crypto map mymap 11 set ikev1 phase1-mode aggressive
     crypto map mymap 11 set ikev1 transform-set myset2
     crypto map mymap 11 set reverse-route
     crypto ikev1 policy 11
      authentication pre-share
      encryption aes
      hash sha
      group 1
      lifetime 3600
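
A triage helper for a flattened ASA IKEv1 debug capture like the one in the post above, as an added example that is not part of the original post: it splits the text back into entries and pulls out the negotiation outcome. The labels, the `PEER` placeholder and the sample text are assumptions constructed here from the message wording in that log; Phase 1 completion is tracked separately because a per-policy "Phase 1 failure" line can still be followed by "PHASE 1 COMPLETED", as it is in the post.

```python
import re

# Every entry starts with "Mon DD HH:MM:SS [IKEv1...]"; split on that boundary.
ENTRY_START = re.compile(r"(?=[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \[IKEv\d)")

# Message fragments that appear in the posted log, mapped to short labels.
RULES = [
    ("phase1-policy-mismatch", re.compile(r"Phase 1 failure:\s*(.+)")),
    ("phase2-proxy-id-miss", re.compile(r"ACL does not match proxy IDs\s*(.+)")),
    ("phase2-no-proposal", re.compile(r"(All IPSec SA proposals found unacceptable)")),
    ("teardown", re.compile(r"Session is being torn down\.\s*Reason:\s*(.+)")),
]

# Constructed sample: five entries in the flattened form of the post, peer masked.
SAMPLE = (
    "Dec 02 02:46:33 [IKEv1]Phase 1 failure: Mismatched attribute types for class "
    "Group Description: Rcv'd: Group 1 Cfg'd: Group 2 "
    "Dec 02 02:46:33 [IKEv1]Group = PEER, IP = PEER, PHASE 1 COMPLETED "
    "Dec 02 02:46:33 [IKEv1]Group = PEER, IP = PEER, Static Crypto Map check, "
    "map = mymap, seq = 10, ACL does not match proxy IDs src:192.168.121.0 "
    "dst:192.168.50.0 "
    "Dec 02 02:46:33 [IKEv1]Group = PEER, IP = PEER, All IPSec SA proposals found "
    "unacceptable! "
    "Dec 02 02:46:33 [IKEv1]Group = PEER, IP = PEER, Session is being torn down. \n"
    "Reason: Phase 2 Mismatch"
)

def split_entries(text):
    """Return one whitespace-normalised string per log entry."""
    flat = " ".join(text.split())  # undo wraps that fall in the middle of an entry
    return [e.strip() for e in ENTRY_START.split(flat) if e.strip()]

def triage(text):
    """Summarise the negotiation: Phase 1 status plus labelled findings in order."""
    result = {"phase1_completed": False, "findings": []}
    for entry in split_entries(text):
        if "PHASE 1 COMPLETED" in entry:
            result["phase1_completed"] = True
        for label, rx in RULES:
            match = rx.search(entry)
            if match:
                result["findings"].append((label, match.group(1).strip()))
    return result

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("Phase 1 completed:", report["phase1_completed"])
    for label, detail in report["findings"]:
        print(f"{label:24} {detail}")
```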