Mexonizator

IPsec tunnel drops because of duplicate security policy (SA) negotiation


Good afternoon!

As the topic title suggests, the device starts bringing up the tunnel and, for some inexplicable reason, makes several attempts at once. As a result, the connection is successfully established within one of the negotiations and is then happily dropped, because the other one gets no reply from the Cisco and is cut off by a timeout. Notably, there are no problems with the connection itself: packets flow, the computers see each other, they ping...

Firmware version: v2.08(AAUU.4)C2

Cisco version: 15.4

Keenetic logs:

Nov 10 13:15:01ipsec
06[MGR] ignoring request with ID 0, already processing 
Nov 10 13:15:08ipsec
16[IKE] remote host is behind NAT 
Nov 10 13:15:08ipsec
14[CFG] looking for peer configs matching ZYXEL_IP[%any]...CISCO_IP[192.168.0.2] 
Nov 10 13:15:08ipsec
14[CFG] selected peer config 'Test' 
Nov 10 13:15:08ipsec
14[IKE] linked key for crypto map 'Test' is not found, still searching 
Nov 10 13:15:08ipsec
14[IKE] authentication of '192.168.0.2' with pre-shared key successful 
Nov 10 13:15:08ipsec
14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 
Nov 10 13:15:08ipsec
14[IKE] linked key for crypto map 'Test' is not found, still searching 
Nov 10 13:15:08ipsec
14[IKE] authentication of 'ZYXEL_IP' (myself) with pre-shared key 
Nov 10 13:15:08ipsec
14[IKE] IKE_SA Test[4] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2] 
Nov 10 13:15:08ipsec
14[IKE] scheduling reauthentication in 3573s 
Nov 10 13:15:08ipsec
14[IKE] maximum IKE_SA lifetime 3593s 
Nov 10 13:15:08ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 0.
Nov 10 13:15:08ipsec
14[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ 
Nov 10 13:15:08ipsec
14[CFG] configured proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/MODP_4096/NO_EXT_SEQ 
Nov 10 13:15:08ipsec
14[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ 
Nov 10 13:15:08ipsec
14[IKE] CHILD_SA Test{2} established with SPIs c12ee9c8_i c20b83b1_o and TS 192.168.10.0/24 === 192.168.0.0/24 
Nov 10 13:15:08ndm
IpSec::Configurator: crypto map "Test" is up.
Nov 10 13:15:08ndm
IpSec::Configurator: reconnection for crypto map "Test" was cancelled.
Nov 10 13:15:08ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 1.
Nov 10 13:15:08ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Nov 10 13:15:08ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Nov 10 13:15:11ipsec
10[IKE] retransmit 1 of request with message ID 0 
Nov 10 13:15:20ipsec
08[IKE] retransmit 2 of request with message ID 0 
Nov 10 13:15:30ipsec
10[IKE] retransmit 3 of request with message ID 0 
Nov 10 13:15:41ipsec
09[IKE] retransmit 4 of request with message ID 0 
Nov 10 13:15:52ipsec
05[IKE] retransmit 5 of request with message ID 0 
Nov 10 13:16:05ipsec
10[IKE] retransmit 6 of request with message ID 0 
Nov 10 13:16:20ipsec
09[IKE] retransmit 7 of request with message ID 0 
Nov 10 13:16:35ipsec
16[IKE] retransmit 8 of request with message ID 0 
Nov 10 13:16:52ipsec
12[IKE] giving up after 8 retransmits 
Nov 10 13:16:52ndm
IpSec::Configurator: remote peer of crypto map "Test" is down.
Nov 10 13:16:52ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:16:52ndm
IpSec::Configurator: fallback peer is not defined for crypto map "Test", retry.
Nov 10 13:16:52ndm
IpSec::Configurator: schedule reconnect for crypto map "Test".
Nov 10 13:16:52ipsec
12[IKE] establishing IKE_SA failed, peer not responding 
Nov 10 13:17:08ndm
IpSec::Configurator: reconnecting crypto map "Test".
Nov 10 13:17:10ndm
IpSec::Configurator: crypto map "Test" shutdown started.
Nov 10 13:17:10ipsec
12[CFG] received stroke: unroute 'Test' 
Nov 10 13:17:10ipsec
13[CFG] received stroke: terminate 'Test{*}' 
Nov 10 13:17:10ipsec
16[IKE] closing CHILD_SA Test{2} with SPIs c12ee9c8_i (40144 bytes) c20b83b1_o (811908 bytes) and TS 192.168.10.0/24 === 192.168.0.0/24 
Nov 10 13:17:10ipsec
16[IKE] sending DELETE for ESP CHILD_SA with SPI c12ee9c8 
Nov 10 13:17:10ipsec
09[IKE] received DELETE for ESP CHILD_SA with SPI c20b83b1 
Nov 10 13:17:10ipsec
09[IKE] CHILD_SA closed 
Nov 10 13:17:10ipsec
14[CFG] received stroke: terminate 'Test[*]' 
Nov 10 13:17:10ndm
IpSec::Configurator: crypto map "Test" shutdown complete.
Nov 10 13:17:11ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:17:11ipsec
06[IKE] deleting IKE_SA Test[4] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2] 
Nov 10 13:17:11ipsec
06[IKE] sending DELETE for IKE_SA Test[4] 
Nov 10 13:17:11ipsec
11[IKE] IKE_SA deleted 
Nov 10 13:17:11ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:17:11ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Nov 10 13:17:11ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Nov 10 13:17:11ipsec
15[IKE] received Cisco Delete Reason vendor ID 
Nov 10 13:17:11ipsec
15[IKE] CISCO_IP is initiating an IKE_SA 
Nov 10 13:17:11ipsec
15[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/# 
Nov 10 13:17:11ipsec
15[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/# 
Nov 10 13:17:11ipsec
15[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/# 
Nov 10 13:17:11ipsec
12[CFG] received stroke: initiate 'Test' 
Nov 10 13:17:11ndm
IpSec::Configurator: crypto map "Test" initialized.
Nov 10 13:17:13ipsec
07[MGR] ignoring request with ID 0, already processing 
Nov 10 13:17:17ipsec
09[MGR] ignoring request with ID 0, already processing 
Nov 10 13:17:19ipsec
15[IKE] remote host is behind NAT 
Nov 10 13:17:19ipsec
16[IKE] initiating IKE_SA Test[6] to CISCO_IP 
Nov 10 13:17:20ipsec
14[CFG] looking for peer configs matching ZYXEL_IP[%any]...CISCO_IP[192.168.0.2] 
Nov 10 13:17:20ipsec
14[CFG] selected peer config 'Test' 
Nov 10 13:17:20ipsec
14[IKE] linked key for crypto map 'Test' is not found, still searching 
Nov 10 13:17:20ipsec
14[IKE] authentication of '192.168.0.2' with pre-shared key successful 
Nov 10 13:17:20ipsec
14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 
Nov 10 13:17:20ipsec
14[IKE] linked key for crypto map 'Test' is not found, still searching 
Nov 10 13:17:20ipsec
14[IKE] authentication of 'ZYXEL_IP' (myself) with pre-shared key 
Nov 10 13:17:20ipsec
14[IKE] IKE_SA Test[5] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2] 
Nov 10 13:17:20ipsec
14[IKE] scheduling reauthentication in 3569s 
Nov 10 13:17:20ipsec
14[IKE] maximum IKE_SA lifetime 3589s 
Nov 10 13:17:20ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 0.
Nov 10 13:17:20ipsec
14[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ 
Nov 10 13:17:20ipsec
14[CFG] configured proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/MODP_4096/NO_EXT_SEQ 
Nov 10 13:17:20ipsec
14[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ 
Nov 10 13:17:20ipsec
14[IKE] CHILD_SA Test{3} established with SPIs c96d5999_i 8d98ca14_o and TS 192.168.10.0/24 === 192.168.0.0/24 
Nov 10 13:17:20ndm
IpSec::Configurator: crypto map "Test" is up.
Nov 10 13:17:20ndm
IpSec::Configurator: reconnection for crypto map "Test" was cancelled.
Nov 10 13:17:20ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 1.
Nov 10 13:17:20ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Nov 10 13:17:20ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Nov 10 13:17:32ipsec
11[IKE] retransmit 1 of request with message ID 0 
Nov 10 13:17:41ipsec
07[IKE] retransmit 2 of request with message ID 0 
Nov 10 13:17:50ipsec
05[IKE] retransmit 3 of request with message ID 0 
Nov 10 13:18:01ipsec
13[IKE] retransmit 4 of request with message ID 0 
Nov 10 13:18:13ipsec
05[IKE] retransmit 5 of request with message ID 0 
Nov 10 13:18:26ipsec
15[IKE] retransmit 6 of request with message ID 0 
Nov 10 13:18:40ipsec
13[IKE] retransmit 7 of request with message ID 0 
Nov 10 13:18:55ipsec
16[IKE] retransmit 8 of request with message ID 0 
Nov 10 13:19:13ipsec
14[IKE] giving up after 8 retransmits 
Nov 10 13:19:13ndm
IpSec::Configurator: remote peer of crypto map "Test" is down.
Nov 10 13:19:13ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:19:13ndm
IpSec::Configurator: fallback peer is not defined for crypto map "Test", retry.
Nov 10 13:19:13ndm
IpSec::Configurator: schedule reconnect for crypto map "Test".
Nov 10 13:19:13ipsec
14[IKE] establishing IKE_SA failed, peer not responding 
Nov 10 13:19:29ndm
IpSec::Configurator: reconnecting crypto map "Test".
Nov 10 13:19:31ndm
IpSec::Configurator: crypto map "Test" shutdown started.
Nov 10 13:19:31ipsec
14[CFG] received stroke: unroute 'Test' 
Nov 10 13:19:31ipsec
08[CFG] received stroke: terminate 'Test{*}' 
Nov 10 13:19:31ipsec
16[IKE] closing CHILD_SA Test{3} with SPIs c96d5999_i (24735 bytes) 8d98ca14_o (68197 bytes) and TS 192.168.10.0/24 === 192.168.0.0/24 
Nov 10 13:19:31ipsec
16[IKE] sending DELETE for ESP CHILD_SA with SPI c96d5999 
Nov 10 13:19:31ipsec
13[IKE] received DELETE for ESP CHILD_SA with SPI 8d98ca14 
Nov 10 13:19:31ipsec
13[IKE] CHILD_SA closed 
Nov 10 13:19:31ipsec
09[CFG] received stroke: terminate 'Test[*]' 
Nov 10 13:19:31ndm
IpSec::Configurator: crypto map "Test" shutdown complete.
Nov 10 13:19:31ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:19:31ipsec
10[IKE] deleting IKE_SA Test[5] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2] 
Nov 10 13:19:31ipsec
10[IKE] sending DELETE for IKE_SA Test[5] 
Nov 10 13:19:31ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Nov 10 13:19:31ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Nov 10 13:19:32ipsec
12[CFG] received stroke: initiate 'Test' 
Nov 10 13:19:32ndm
IpSec::Configurator: crypto map "Test" initialized.
Nov 10 13:19:39ipsec
15[IKE] unable to create CHILD_SA while deleting IKE_SA 
Nov 10 13:19:39ipsec
05[IKE] IKE_SA deleted 
Nov 10 13:19:39ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:19:39ipsec
07[IKE] initiating IKE_SA Test[7] to CISCO_IP 
Nov 10 13:19:51ipsec
08[IKE] retransmit 1 of request with message ID 0 
Nov 10 13:20:00ipsec
13[IKE] retransmit 2 of request with message ID 0 
Nov 10 13:20:01ipsec
10[IKE] received Cisco Delete Reason vendor ID 
Nov 10 13:20:01ipsec
10[IKE] CISCO_IP is initiating an IKE_SA 
Nov 10 13:20:01ipsec
10[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/# 
Nov 10 13:20:01ipsec
10[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/# 
Nov 10 13:20:01ipsec
10[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/# 
Nov 10 13:20:03ipsec
14[MGR] ignoring request with ID 0, already processing 
Nov 10 13:20:06ipsec
16[MGR] ignoring request with ID 0, already processing 
Nov 10 13:20:09ipsec
10[IKE] remote host is behind NAT 
Nov 10 13:20:09ipsec
08[CFG] looking for peer configs matching ZYXEL_IP[%any]...CISCO_IP[192.168.0.2] 
Nov 10 13:20:09ipsec
08[CFG] selected peer config 'Test' 
Nov 10 13:20:09ipsec
08[IKE] linked key for crypto map 'Test' is not found, still searching 
Nov 10 13:20:09ipsec
08[IKE] authentication of '192.168.0.2' with pre-shared key successful 
Nov 10 13:20:09ipsec
08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 
Nov 10 13:20:09ipsec
08[IKE] linked key for crypto map 'Test' is not found, still searching 
Nov 10 13:20:09ipsec
08[IKE] authentication of 'ZYXEL_IP' (myself) with pre-shared key 
Nov 10 13:20:09ipsec
08[IKE] IKE_SA Test[8] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2] 
Nov 10 13:20:09ipsec
08[IKE] scheduling reauthentication in 3567s 
Nov 10 13:20:09ipsec
08[IKE] maximum IKE_SA lifetime 3587s 
Nov 10 13:20:09ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 0.
Nov 10 13:20:09ipsec
08[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ 
Nov 10 13:20:09ipsec
08[CFG] configured proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/MODP_4096/NO_EXT_SEQ 
Nov 10 13:20:09ipsec
08[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ 
Nov 10 13:20:09ipsec
08[IKE] CHILD_SA Test{4} established with SPIs cdeb3b19_i 00d56f15_o and TS 192.168.10.0/24 === 192.168.0.0/24 
Nov 10 13:20:09ndm
IpSec::Configurator: crypto map "Test" is up.
Nov 10 13:20:09ndm
IpSec::Configurator: reconnection for crypto map "Test" was cancelled.
Nov 10 13:20:09ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 1.
Nov 10 13:20:09ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Nov 10 13:20:10ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Nov 10 13:20:10ipsec
05[IKE] retransmit 3 of request with message ID 0 
Nov 10 13:20:20ipsec
15[IKE] retransmit 4 of request with message ID 0 
Nov 10 13:20:32ipsec
05[IKE] retransmit 5 of request with message ID 0 
Nov 10 13:20:45ipsec
08[IKE] retransmit 6 of request with message ID 0 
Nov 10 13:20:48ndhcps
_WEBADMIN: DHCPREQUEST received (STATE_SELECTING) for 192.168.10.45 from 74:04:2b:84:60:e8.
Nov 10 13:20:48ndhcps
_WEBADMIN: sending ACK of 192.168.10.45 to 74:04:2b:84:60:e8.
Nov 10 13:20:59ipsec
16[IKE] retransmit 7 of request with message ID 0 
Nov 10 13:21:15ipsec
15[IKE] retransmit 8 of request with message ID 0 
Nov 10 13:21:32ipsec
13[IKE] giving up after 8 retransmits 
Nov 10 13:21:32ndm
IpSec::Configurator: remote peer of crypto map "Test" is down.
Nov 10 13:21:32ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:21:32ndm
IpSec::Configurator: fallback peer is not defined for crypto map "Test", retry.
Nov 10 13:21:32ndm
IpSec::Configurator: schedule reconnect for crypto map "Test".
Nov 10 13:21:32ipsec
13[IKE] establishing IKE_SA failed, peer not responding 
Nov 10 13:21:48ndm
IpSec::Configurator: reconnecting crypto map "Test".
Nov 10 13:21:50ndm
IpSec::Configurator: crypto map "Test" shutdown started.
Nov 10 13:21:50ipsec
13[CFG] received stroke: unroute 'Test' 
Nov 10 13:21:50ipsec
07[CFG] received stroke: terminate 'Test{*}' 
Nov 10 13:21:50ipsec
15[IKE] closing CHILD_SA Test{4} with SPIs cdeb3b19_i (24726 bytes) 00d56f15_o (85210 bytes) and TS 192.168.10.0/24 === 192.168.0.0/24 
Nov 10 13:21:50ipsec
15[IKE] sending DELETE for ESP CHILD_SA with SPI cdeb3b19 
Nov 10 13:21:50ipsec
16[IKE] received DELETE for ESP CHILD_SA with SPI 00d56f15 
Nov 10 13:21:50ipsec
16[IKE] CHILD_SA closed 
Nov 10 13:21:50ipsec
06[CFG] received stroke: terminate 'Test[*]' 
Nov 10 13:21:50ndm
IpSec::Configurator: crypto map "Test" shutdown complete.
Nov 10 13:21:50ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:21:50ipsec
08[IKE] deleting IKE_SA Test[8] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2] 
Nov 10 13:21:50ipsec
08[IKE] sending DELETE for IKE_SA Test[8] 
Nov 10 13:21:50ipsec
05[IKE] IKE_SA deleted 
Nov 10 13:21:50ndm
IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.

Thanks!

Edited by Никита Болдин

Caught the same thing on 2.11.A.8.0-3

Solved it by disabling "Enable IPv6:" in the Broadband connection


I can't make sense of any of this.

Start by installing draft and attaching the self-test, and also explain which side is the initiator of the connection.

38 minutes ago, Le ecureuil said:

I can't make sense of any of this.

Start by installing draft and attaching the self-test, and also explain which side is the initiator of the connection.

The initiator is the Zyxel, which connects to the Cisco.

Regarding draft: is there any way to get by without it?

I'll attach the self-test in the next post.

 

5 hours ago, makc22 said:

Caught the same thing on 2.11.A.8.0-3

Solved it by disabling "Enable IPv6:" in the Broadband connection

Unfortunately, there is no such option in the connection settings.

8 minutes ago, Mexonizator said:

The initiator is the Zyxel, which connects to the Cisco.

Regarding draft: is there any way to get by without it?

I'll attach the self-test in the next post.

 

Unfortunately, there is no such option in the connection settings.

I have no desire to dig around in 2.08; in that case, contact official tech support.


News from the field. Switching the VPN mode from transport to tunnel got rid of the error. But a new glitch appeared. After the first start, the VPN worked for a while and then started dumping this into the log:

 

Nov 14 19:22:12ipsec
05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job 
Nov 14 19:22:12ipsec
08[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job 
Nov 14 19:22:15ipsec
06[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job 
Nov 14 19:22:17ipsec
13[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job 
Nov 14 19:22:22ipsec
05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job 

Apparently the error is NAT-related, but it is unclear exactly how. On the Cisco side (i.e. between it and the tunnel) there is no NAT.

Notably, restarting the VPN did not help. The problem is obviously tied somehow to the mapping on the NAT side.

UPD: When started the next day, the VPN came up again without problems and ran for a while.

UPD2: The error started pouring in again, but, interestingly, data keeps flowing for now.

Edited by Mexonizator


You got through to tech support, and tech support got through to me :D

In short, my feeling is that the router sitting between your cisco and keenetic is messing things up for you. Describe it (vendor, model, firmware version). Then it will be clearer how to at least reproduce this (or how to fix it for you).


:D

TP-LINK RT480T+.

This router has an IPSEC ALG feature, which I turned off. Notably, it had no particular effect.

P.S. Firmware version in a hidden post.

Edited by Mexonizator


Summary. All 3 errors were beaten, the tunnel is stable, all is well. :grin:

1. Apparently the error is caused by NAT on the router (the Cisco is behind it), and possibly also by its IPSEC ALG feature. Initiating the connection from its side rather than from the Zyxel's solved the problem.

05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job 
Nov 14 19:22:12ipsec

2. The Nailed-Up checkbox and transport mode in phase two caused the tunnel to drop even after it was established successfully.

3. And finally. It turned out that this error arises because of encryption that is too strong in phase one. The Keenetic simply could not finish the encryption during negotiation in time, and the Cisco kept sending repeated requests, which ultimately led to the drop. Lowering the cipher to 128 bits and switching to SHA1 solved the problem.

10[IKE] retransmit 1 of request with message ID 0 
Nov 10 13:15:20ipsec

Thanks everyone, the topic can be considered closed.

Edited by Mexonizator

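Added example (editor's own, not code from anyone in this thread or from Keenetic): a small Python checker that reads the log layout pasted above and flags the two patterns discussed here. The first is the duplicated negotiation from the opening post: retransmits of message ID 0 (the IKE_SA_INIT exchange) that keep running after a CHILD_SA is already up and end in "giving up", after which ndm marks the peer down and drops the tunnel that was actually working. The second is the repeated "NAT mappings ... changed" messages from the Nov 14 post, counted per SA inside a sliding window. The sample log is constructed from lines quoted in this thread; the two-line timestamp/message layout is assumed to be how the Keenetic log export looks, and the 60-second window and threshold of 3 are my own choices, not Keenetic or strongSwan defaults.

```python
"""Checker for two patterns from this thread's Keenetic (strongSwan charon) logs: an orphaned
parallel IKE_SA_INIT exchange that tears down a working tunnel, and NAT-T mapping flapping."""
import re
from dataclasses import dataclass
from datetime import datetime

# Assumption: the Keenetic log export prints each record on two lines,
# "Nov 10 13:15:01ipsec" (timestamp fused to the process name) and then the message text.
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})(\w+)$")
CHILD_UP_RE = re.compile(r"CHILD_SA (\S+)\{\d+\} established with SPIs")
RETRANSMIT_RE = re.compile(r"retransmit \d+ of request with message ID 0")
GIVE_UP_RE = re.compile(r"giving up after \d+ retransmits")
DUP_INIT_RE = re.compile(r"ignoring request with ID 0, already processing")
NAT_RE = re.compile(r"NAT mappings of CHILD_SA (ESP/0x[0-9a-f]+/\S+) changed to")


@dataclass
class Record:
    ts: datetime
    proc: str
    msg: str


def parse_keenetic_log(text: str, year: int = 2000) -> list[Record]:
    """Pair every timestamp line with the message line that follows it."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    records, i = [], 0
    while i + 1 < len(lines):
        m = TS_RE.match(lines[i])
        if not m:
            i += 1
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        records.append(Record(ts, m.group(2), lines[i + 1]))
        i += 2
    return records


def find_orphaned_negotiations(records: list[Record]) -> list[dict]:
    """Message ID 0 is IKE_SA_INIT. Retransmits of it after a CHILD_SA is already up belong to
    a second, parallel negotiation; when charon gives up on it, the working tunnel goes too."""
    findings, live = [], None
    for r in records:
        if (m := CHILD_UP_RE.search(r.msg)):
            live = {"crypto_map": m.group(1), "up_since": r.ts, "retransmits_while_up": 0}
        elif live and RETRANSMIT_RE.search(r.msg):
            live["retransmits_while_up"] += 1
        elif live and live["retransmits_while_up"] and GIVE_UP_RE.search(r.msg):
            findings.append({"crypto_map": live["crypto_map"],
                             "up_for_s": int((r.ts - live["up_since"]).total_seconds()),
                             "retransmits_while_up": live["retransmits_while_up"],
                             "gave_up_at": r.ts.strftime("%b %d %H:%M:%S")})
            live = None
    return findings


def find_nat_flapping(records: list[Record], window_s: int = 60, threshold: int = 3) -> dict:
    """Map each SA to the most 'NAT mappings changed' events inside any window_s-second span,
    keeping only SAs at or above threshold. Window and threshold are arbitrary choices here."""
    per_sa: dict[str, list[datetime]] = {}
    for r in records:
        if (m := NAT_RE.search(r.msg)):
            per_sa.setdefault(m.group(1), []).append(r.ts)
    flapping = {}
    for sa, times in per_sa.items():
        peak = max(sum(1 for t in times[i:] if (t - t0).total_seconds() <= window_s)
                   for i, t0 in enumerate(times))
        if peak >= threshold:
            flapping[sa] = peak
    return flapping


def analyse(text: str) -> dict:
    records = parse_keenetic_log(text)
    return {"duplicate_init_ignored": sum(1 for r in records if DUP_INIT_RE.search(r.msg)),
            "orphaned": find_orphaned_negotiations(records),
            "nat_flapping": find_nat_flapping(records)}


# Sample input constructed from lines quoted in this thread, trimmed to the relevant records.
SAMPLE_LOG = """\
Nov 10 13:15:01ipsec
06[MGR] ignoring request with ID 0, already processing
Nov 10 13:15:08ipsec
14[IKE] CHILD_SA Test{2} established with SPIs c12ee9c8_i c20b83b1_o and TS 192.168.10.0/24 === 192.168.0.0/24
Nov 10 13:15:11ipsec
10[IKE] retransmit 1 of request with message ID 0
Nov 10 13:16:35ipsec
16[IKE] retransmit 8 of request with message ID 0
Nov 10 13:16:52ipsec
12[IKE] giving up after 8 retransmits
Nov 10 13:16:52ndm
IpSec::Configurator: remote peer of crypto map "Test" is down.
Nov 14 19:22:12ipsec
05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
Nov 14 19:22:15ipsec
06[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
Nov 14 19:22:22ipsec
05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the first post's full log the "orphaned" finding shows the tunnel up for 104 seconds before the parallel exchange gave up, which matches the 13:15:08 CHILD_SA and the 13:16:52 "giving up"; a count of "ignoring request with ID 0, already processing" above zero is the earliest sign that two IKE_SA_INIT exchanges are in flight at once. Whether the second exchange comes from the peer initiating too, from a NAT device rewriting the UDP 500/4500 mapping, or from the responder being too slow to answer before the initiator retransmits is something the checker does not decide; it only makes the overlap visible.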
