Problem: building a site-to-site VPN between a CISCO1841 and a DI-804HV
I'm using IPsec. Without NAT in the traffic path everything works fine. With NAT, traffic doesn't pass, although both ISAKMP phases complete. I suspect the problem is that ESP is not being forwarded, because tunnels from other 1841s to this same 1841 come up fine, but over UDP/4500, whereas the DI-804HV and the Cisco only agree on port 500 and without UDP encapsulation.
Something similar was discussed HERE, and NAT-T is recommended:
viewtopic.php?t=25734
In the D-Link settings I tick the NAT-Tr... checkbox (I forget what exactly it's called there), but the Cisco doesn't even try to negotiate its use. I.e. with the D-Link I get this:
Code:
039604: 05:40:53: ISAKMP (0:0): ID payload
next-payload : 13
type : 3
USER FQDN : pz-dlink-01
protocol : 0
port : 0
length : 19
039605: 05:40:53: ISAKMP:(0:0:N/A:0):: peer matches pz-dlink-profile profile
039606: 05:40:53: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.5.102.220 in default
039607: 05:40:53: ISAKMP/xauth: initializing AAA request
039608: 05:40:53: ISAKMP:(0:0:N/A:0): processing vendor id payload
039609: 05:40:53: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
039610: 05:40:53: ISAKMP:(0:0:N/A:0):Profile has no keyring, aborting host key search
039611: 05:40:53: ISAKMP: no pre-shared key based on hostname pz-dlink-01!
039612: 05:40:53: ISAKMP : Looking for xauth in profile pz-dlink-profile
039613: 05:40:53: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 3 policy
039614: 05:40:53: ISAKMP: encryption 3DES-CBC
039615: 05:40:53: ISAKMP: hash SHA
039616: 05:40:53: ISAKMP: auth pre-share
039617: 05:40:53: ISAKMP: default group 2
039618: 05:40:53: ISAKMP: life type in seconds
039619: 05:40:53: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
039620: 05:40:53: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
039621: 05:40:53: ISAKMP:(0:8:SW:1): processing KE payload. message ID = 0
039622: 05:40:53: ISAKMP:(0:8:SW:1): processing NONCE payload. message ID = 0
039623: 05:40:53: ISAKMP:(0:8:SW:1): processing vendor id payload
039624: 05:40:53: ISAKMP:(0:8:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
039625: 05:40:53: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
039626: 05:40:53: ISAKMP:(0:8:SW:1):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
039627: 05:40:53: ISAKMP:(0:8:SW:1):SKEYID state generated
039628: 05:40:53: ISAKMP:(0:8:SW:1):SA is doing pre-shared key authentication using id type ID_USER_FQDN
039629: 05:40:53: ISAKMP (0:134217736): ID payload
next-payload : 10
type : 3
USER FQDN : pz-dlink-01
protocol : 17
port : 0
length : 19
039630: 05:40:53: ISAKMP:(0:8:SW:1):Total payload length: 19
039631: 05:40:53: ISAKMP:(0:8:SW:1): sending packet to 10.5.102.220 my_port 500 peer_port 500 (R) AG_INIT_EXCH
039632: 05:40:53: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
039633: 05:40:53: ISAKMP:(0:8:SW:1):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
039634: 05:40:53: ISAKMP (0:134217736): received packet from 10.5.102.220 dport 500 sport 500 Global (R) AG_INIT_EXCH
039635: 05:40:53: ISAKMP:(0:8:SW:1): processing HASH payload. message ID = 0
039636: 05:40:53: ISAKMP:(0:8:SW:1):SA authentication status:
authenticated
039637: 05:40:53: ISAKMP:(0:8:SW:1):SA has been authenticated with 10.5.102.220
039638: 05:40:53: ISAKMP: Trying to insert a peer 10.5.100.11/10.5.102.220/500/, and inserted successfully 64206CC0.
039639: 05:40:53: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
039640: 05:40:53: ISAKMP:(0:8:SW:1):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
039641: 05:40:53: ISAKMP:(0:8:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
039642: 05:40:53: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
039643: 05:40:53: ISAKMP (0:134217736): received packet from 10.5.102.220 dport 500 sport 500 Global (R) QM_IDLE
039644: 05:40:53: ISAKMP: set new node 226398695 to QM_IDLE
039645: 05:40:53: ISAKMP:(0:8:SW:1): processing HASH payload. message ID = 226398695
039646: 05:40:53: ISAKMP:(0:8:SW:1): processing SA payload. message ID = 226398695
039647: 05:40:53: ISAKMP:(0:8:SW:1):Checking IPSec proposal 1
039648: 05:40:53: ISAKMP: transform 1, ESP_3DES
039649: 05:40:53: ISAKMP: attributes in transform:
039650: 05:40:53: ISAKMP: authenticator is HMAC-MD5
039651: 05:40:53: ISAKMP: encaps is 1 (Tunnel)
039652: 05:40:53: ISAKMP: group is 2
039653: 05:40:53: ISAKMP: SA life type in seconds
039654: 05:40:53: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x1 0x2C
039655: 05:40:53: ISAKMP:(0:8:SW:1):atts are acceptable.
039656: 05:40:53: ISAKMP:(0:8:SW:1): processing NONCE payload. message ID = 226398695
039657: 05:40:53: ISAKMP:(0:8:SW:1): processing KE payload. message ID = 226398695
039658: 05:40:54: ISAKMP:(0:8:SW:1): processing ID payload. message ID = 226398695
039659: 05:40:54: ISAKMP:(0:8:SW:1): processing ID payload. message ID = 226398695
039660: 05:40:54: ISAKMP:(0:8:SW:1): asking for 1 spis from ipsec
039661: 05:40:54: ISAKMP:(0:8:SW:1):Node 226398695, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
039662: 05:40:54: ISAKMP:(0:8:SW:1):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
039663: 05:40:54: ISAKMP: received ke message (2/1)
039664: *Jul 30 20:50:24: %CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=NEM Client_type=UNKNOWN User= Group=pz-dlink-01 Client_public_addr=10.5.102.220 Server_public_addr=10.5.100.11
whereas the other Ciscos negotiate with it roughly like this:
Code:
040023: 05:42:02: ISAKMP:(0:5:SW:1):Checking IPSec proposal 6
040024: 05:42:02: ISAKMP: transform 1, ESP_3DES
040025: 05:42:02: ISAKMP: attributes in transform:
040026: 05:42:02: ISAKMP: encaps is 3 (Tunnel-UDP)
040027: 05:42:02: ISAKMP: SA life type in seconds
040028: 05:42:02: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
040029: 05:42:02: ISAKMP: SA life type in kilobytes
040030: 05:42:02: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
040031: 05:42:02: ISAKMP: authenticator is HMAC-MD5
So how do I make the DI-804HV propose (and insist on) ISAKMP: encaps is 3 (Tunnel-UDP) instead of encaps is 1 (Tunnel)?