Здравствуйте!
Может не в тему, но IPSec на 3.3 с обновления от 20.10.2019 начал работать очень некорректно. При чём, на Kenetic (Ultra (KN-1810) и Keetenic Ultra II) белым IP пашет без проблем, а связка белый IP - серый IP работать не хочет. На стороне Keenetic Ultra (KN-1810) c серыи IP в логе дополнительно указывает 12[IKE] tried 1 shared key fo 'xx.xx.xx.xxx'-'xxx.xx.xxx.xx', but MAC mismatched 12[IKE]linked key for crypto map 'xxx.xx.xxx.xx' is not found, still searching ...
Лог Keenetic Ultra II с белым IP:
IpSec::Configurator: remote peer rejects to authenticate our crypto map "ххх.хх.ххх.хх".
Ноя 17 23:18:23
ndm
IpSec::Configurator: (possibly because of wrong local/remote ID).
Ноя 17 23:18:23
ndm
IpSec::Configurator: "ххх.хх.ххх.хх": crypto map active IKE SA: 0, active CHILD SA: 0.
Ноя 17 23:18:23
ipsec
15[IKE] IKE_SA deleted
Ноя 17 23:18:23
ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Ноя 17 23:18:23
ndm
IpSec::Configurator: "ххх.хх.ххх.хх": crypto map active IKE SA: 0, active CHILD SA: 0.
Ноя 17 23:18:23
ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Ноя 17 23:18:23
ndm
IpSec::Configurator: "ххх.хх.ххх.хх": crypto map active IKE SA: 0, active CHILD SA: 0.
Ноя 17 23:18:23
ndm
Core::Syslog: last message repeated 2 times.
Ноя 17 23:18:23
ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Ноя 17 23:18:24
ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Ноя 17 23:18:42
ipsec
09[IKE] 46.47.7.2 is initiating an IKE_SA
Ноя 17 23:18:42
ipsec
09[CFG] received proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768
Ноя 17 23:18:42
ipsec
09[CFG] configured proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768
Ноя 17 23:18:42
ipsec
09[CFG] selected proposal: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768
Ноя 17 23:18:42
ipsec
09[IKE] remote host is behind NAT
Ноя 17 23:18:42
ipsec
12[CFG] looking for peer configs matching ххх.хх.ххх.хх[ххх.хх.ххх.хх]...хх.хх.х.х[хх.хх.хх.ххх]
Ноя 17 23:18:42
ipsec
12[CFG] selected peer config 'ххх.хх.ххх.хх'
Ноя 17 23:18:42
ipsec
12[IKE] linked key for crypto map 'ххх.хх.ххх.хх' is not found, still searching
Ноя 17 23:18:42
ipsec
12[IKE] authentication of 'хх.хх.хх.ххх' with pre-shared key successful
Ноя 17 23:18:42
ipsec
12[IKE] linked key for crypto map 'ххх.хх.ххх.хх' is not found, still searching
Ноя 17 23:18:42
ipsec
12[IKE] authentication of 'ххх.хх.ххх.хх' (myself) with pre-shared key
Ноя 17 23:18:42
ipsec
12[IKE] IKE_SA ххх.хх.ххх.хх[9099] established between ххх.хх.ххх.хх[ххх.хх.ххх.хх]...хх.хх.х.х[хх.хх.хх.ххх]
Ноя 17 23:18:42
ipsec
12[IKE] scheduling reauthentication in 31535980s
Ноя 17 23:18:42
ipsec
12[IKE] maximum IKE_SA lifetime 31536000s
Ноя 17 23:18:42
ndm
IpSec::Configurator: "ххх.хх.ххх.хх": crypto map active IKE SA: 1, active CHILD SA: 0.
Ноя 17 23:18:42
ipsec
12[CFG] received proposals: ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Ноя 17 23:18:42
ipsec
12[CFG] configured proposals: ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Ноя 17 23:18:42
ipsec
12[CFG] selected proposal: ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Ноя 17 23:18:42
ipsec
12[IKE] CHILD_SA ххх.хх.ххх.хх{9101} established with SPIs cdef24d3_i c3a6603d_o and TS 192.168.1.0/24 === 192.168.3.0/24
Ноя 17 23:18:42
ndm
IpSec::Configurator: crypto map "ххх.хх.ххх.хх" is up.
Ноя 17 23:18:42
ndm
IpSec::Configurator: "ххх.хх.ххх.хх": crypto map active IKE SA: 1, active CHILD SA: 1.
Ноя 17 23:18:42
ipsec
10[IKE] received DELETE for IKE_SA ххх.хх.ххх.хх[9099]
Ноя 17 23:18:42
ipsec
10[IKE] deleting IKE_SA ххх.хх.ххх.хх[9099] between ххх.хх.ххх.хх[ххх.хх.ххх.хх]...хх.хх.х.х[хх.хх.хх.ххх]
Ноя 17 23:18:42
ndm
IpSec::Configurator: remote peer rejects to authenticate our crypto map "ххх.хх.ххх.хх".
Ноя 17 23:18:42
ndm
IpSec::Configurator: (possibly because of wrong local/remote ID).
Ноя 17 23:18:42
ndm
IpSec::Configurator: "ххх.хх.ххх.хх": crypto map active IKE SA: 0, active CHILD SA: 0.
Ноя 17 23:18:42
ipsec
10[IKE] IKE_SA deleted
Ноя 17 23:18:42
ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Ноя 17 23:18:42
ndm
IpSec::Configurator: "ххх.хх.ххх.хх": crypto map active IKE SA: 0, active CHILD SA: 0.
Ноя 17 23:18:43
ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Ноя 17 23:18:43
ndm
IpSec::Configurator: "ххх.хх.ххх.хх": crypto map active IKE SA: 0, active CHILD SA: 0.
Ноя 17 23:18:43
ndm
Core::Syslog: last message repeated 2 times.
Ноя 17 23:18:43
ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Ноя 17 23:18:43
ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.