There are two offices. I wanted to set up an IPsec tunnel between them.
At site A there is a DFL-210 with a direct Internet connection (public IP).
At site B there is a DI-804HV, connected to another company's LAN and reaching the Internet through their server.
DHCP is enabled on the LANs of all offices.
DIAGRAM:
DFL-210 (WAN 92.60.##.###; LAN 192.168.100.0) <---INTERNET---> ???.???.???.??? server <-----> DI-804HV (WAN 10.13.12.60; LAN 172.16.0.0)
I configured the devices according to these guides:
for the DFL-210
http://dlink.ru/ru/faq/92/927.html - Dynamic tunnel
for the DI-804
http://dlink.ru/ru/faq/92/520.html - Configuring IPSec between a DFL-210/800 firewall and a DI-804HV
A PPTP tunnel is also configured on the DFL-210, but its rules are disabled for now.
The IPsec tunnel does not come up. What could be the reason?
LOGS:
DFL-210
=====
2010-11-10 Info CONN IPsecBeforeRules UDP wan 195.210.###.## 500 conn_close
09:41:30 600002 core 92.60.##.XXX 500 close
conn=close origsent=1616 termsent=0
2010-11-10 Info IPSEC xauth_exchange_done
09:39:27 1803024
statusmsg="Authentication failed"
2010-11-10 Info IPSEC ipsec_sa_statistics
09:39:27 1803021
done=10 success=0 failed=10
2010-11-10 Warning IPSEC ike_quickmode_failed
09:39:27 1800109
local_ip=92.60.##.XXX remote_ip=195.210.###.## cookies=8bf53c54544b12380055b3936baf7ae8 reason="Timeout"
2010-11-10 Warning IPSEC ipsec_sa_failed
09:39:27 1803020 no_ipsec_sa
statusmsg="Timeout"
2010-11-10 Info IPSEC ipsec_event
09:39:27 1800102
message=" Remote Proxy ID 172.16.0.0/24 any"
2010-11-10 Info IPSEC ipsec_event
09:39:27 1800102
message=" Local Proxy ID 192.168.100.0/24 any"
2010-11-10 Info IPSEC ike_sa_negotiation_completed
09:39:27 1802703 ike_sa_completed
local_peer="92.60.##.XXX ID 92.60.##.XXX" remote_peer="195.210.###.## ID 10.13.12.60" initiator_spi="8bf53c54 544b1238" responder_spi="0055b393 6baf7ae8" int_severity=6
2010-11-10 Info IPSEC ipsec_event
09:39:27 1800102
message="IPSec SA [Responder] negotiation failed:"
2010-11-10 Warning IPSEC ike_invalid_payload
09:39:18 1800106
local_ip=92.60.##.XXX remote_ip=195.210.###.## cookies=8bf53c54544b12380055b3936baf7ae8 reason="Delete payload contains invalid protocol id"
2010-11-10 Info IPSEC ike_sa_negotiation_completed
09:38:27 1802703 ike_sa_completed
local_peer="92.60.##.XXX ID 92.60.##.XXX" remote_peer="195.210.###.## ID 10.13.12.60" initiator_spi="8bf53c54 544b1238" responder_spi="0055b393 6baf7ae8" int_severity=6
2010-11-10 Info IPSEC ike_sa_negotiation_completed
09:38:27 1802024
options=Responder mode="Main Mode" auth="Pre-shared keys" encryption=des-cbc keysize= hash=md5 dhgroup=2 bits=1024 lifetime=28800
2010-11-10 Info CONN IPsecBeforeRules UDP wan 195.210.###.## 500 conn_open
09:38:26 600001 core 92.60.##.XXX 500
conn=open
DI-804HV
========
Sunday November 07, 2010 19:56:48 Send IKE M1(INIT) : 10.13.12.60 --> 92.60.##.XXX
Sunday November 07, 2010 19:56:48 Receive IKE M2(RESP) : 92.60.##.XXX --> 10.13.12.60
Sunday November 07, 2010 19:56:48 Try to match with ENC:DES AUTH:PSK HASH:MD5 Group:Group2
Sunday November 07, 2010 19:56:48 Send IKE M3(KEYINIT) : 10.13.12.60 --> 92.60.##.XXX
Sunday November 07, 2010 19:56:49 Receive IKE M4(KEYRESP) : 92.60.##.XXX --> 10.13.12.60
Sunday November 07, 2010 19:56:49 Send IKE M5(IDINIT) : 10.13.12.60 --> 92.60.##.XXX
Sunday November 07, 2010 19:56:49 Receive IKE M6(IDRESP) : 92.60.##.XXX --> 10.13.12.60
Sunday November 07, 2010 19:56:49 IKE Phase1 (ISAKMP SA) established : 92.60.##.XXX <-> 10.13.12.60
Sunday November 07, 2010 19:56:49 Send IKE Q1(QINIT) : 172.16.0.0 --> 192.168.100.0
Sunday November 07, 2010 19:56:49 Receive XAUTH (REQUEST) : 92.60.##.XXX -> 10.13.12.60, but router is not in client mode
Sunday November 07, 2010 19:56:55 IKED re-TX : QINIT to 92.60.##.XXX
Sunday November 07, 2010 19:57:00 IKED re-TX : QINIT to 92.60.##.XXX
Sunday November 07, 2010 19:57:10 IKED re-TX : QINIT to 92.60.##.XXX
Sunday November 07, 2010 19:57:20 IKED re-TX : QINIT to 92.60.##.XXX
Sunday November 07, 2010 19:57:40 IKED re-TX : QINIT to 92.60.##.XXX
Sunday November 07, 2010 19:57:41 Send IKE (INFO) : delete [172.16.0.0|10.13.12.60]-->[92.60.##.XXX|192.168.100.0] phase 2
Sunday November 07, 2010 19:57:41 IKE phase2 (IPSec SA) remove : 172.16.0.0 <-> 192.168.100.0
Sunday November 07, 2010 19:57:41 inbound SPI = 0x200cee6, outbound SPI = 0x0
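As an added illustration (not part of the original post or of D-Link's tooling), a small Python parser that walks DI-804HV log lines in the format shown above and summarises where the IKE exchange stalls: Phase 1 completes, the responder then asks for XAUTH that this router cannot answer, and Quick Mode is retransmitted until the Phase 2 SA is removed. The sample lines are constructed from the post's format, 92.60.0.1 stands in for the masked public address, and the parser also flags the deprecated DES/MD5/group 2 proposal the log reports.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the DI-804HV log format quoted above; 92.60.0.1 is a placeholder for the masked public IP.
SAMPLE_LOG = """\
Sunday November 07, 2010 19:56:48 Try to match with ENC:DES AUTH:PSK HASH:MD5 Group:Group2
Sunday November 07, 2010 19:56:49 IKE Phase1 (ISAKMP SA) established : 92.60.0.1 <-> 10.13.12.60
Sunday November 07, 2010 19:56:49 Receive XAUTH (REQUEST) : 92.60.0.1 -> 10.13.12.60, but router is not in client mode
Sunday November 07, 2010 19:56:55 IKED re-TX : QINIT to 92.60.0.1
Sunday November 07, 2010 19:57:41 IKE phase2 (IPSec SA) remove : 172.16.0.0 <-> 192.168.100.0
"""
LINE = re.compile(r"^\w+ \w+ \d{2}, \d{4} \d{2}:\d{2}:\d{2} (.*)$")  # strip the date/time prefix
WEAK = {"ENC": {"DES"}, "HASH": {"MD5"}, "Group": {"Group1", "Group2"}}  # deprecated IKE options

@dataclass
class IkeSummary:
    proposal: dict = field(default_factory=dict)
    phase1_established: bool = False
    xauth_requested: bool = False  # responder demanded XAUTH; this router cannot answer it
    qinit_retransmits: int = 0
    phase2_removed: bool = False

    def weak_algorithms(self) -> list:
        return [f"{k}:{v}" for k, v in self.proposal.items() if v in WEAK.get(k, ())]

    def diagnosis(self) -> str:
        if not self.phase1_established:
            return "Phase 1 failed: check pre-shared key and proposal on both peers"
        if self.xauth_requested and (self.qinit_retransmits or self.phase2_removed):
            return ("Phase 1 OK, but the responder requires XAUTH and this router cannot "
                    "answer it, so Quick Mode never completes; align XAUTH on both peers")
        if self.phase2_removed:
            return "Phase 2 failed: check proxy IDs (local/remote networks) on both peers"
        return "no failure detected"

def parse_di804_log(text: str) -> IkeSummary:
    s = IkeSummary()
    for msg in (m.group(1) for m in map(LINE.match, text.splitlines()) if m):
        if msg.startswith("Try to match with "):
            s.proposal = dict(kv.split(":", 1) for kv in msg.split()[4:])  # ENC/AUTH/HASH/Group
        elif "IKE Phase1 (ISAKMP SA) established" in msg:
            s.phase1_established = True
        elif "Receive XAUTH (REQUEST)" in msg and "not in client mode" in msg:
            s.xauth_requested = True
        elif "IKED re-TX : QINIT" in msg:
            s.qinit_retransmits += 1
        elif "IKE phase2 (IPSec SA) remove" in msg:
            s.phase2_removed = True
    return s
```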