The backstory is as follows:
Initially a DI router was connected to the DFL over IPSec. Everything worked fine, except that we were not happy with the encryption performance on the DI.
So we decided to get a DSR-500 to solve the performance problem.
Assuming that everything on the DFL side is configured correctly (since everything worked wonderfully with the DI), I tried to configure the DSR by analogy. It doesn't work.
The first problem I saw when reading the logs on the DSR was that it uses DH1 (728-bit), while the IPSec tunnel settings on the DFL had DH2. I changed it to DH1 on the DFL and that error disappeared; however, nothing started working.
Please help, anyone who can. Below is the log from the DSR-500N. To make it clear: 10.0.0.1 is the address of the DMZ port on the DFL that we connect to. 10.0.0.2 is the address of the WAN port on the DSR. They are connected to each other directly, without the internet. 192.168.5.0 is the LAN on the DSR, 192.168.0.0 is the LAN on the DFL.
Mon Jul 30 03:32:35 2012 (GMT +0000): [DSR-500N] [IKE] INFO: an undead schedule has been deleted: 'isakmp_ph2resend'.
Mon Jul 30 03:32:35 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Phase 2 sa deleted 10.0.0.2-10.0.0.1
Mon Jul 30 03:32:35 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Flushing all SAs for peer "10.0.0.1"
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Sending Informational Exchange: notify payload[NO-PROPOSAL-CHOSEN]
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] ERROR: No suitable policy found for 10.0.0.1[0]
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: Phase 2 proposal by 10.0.0.1[0] did not match.
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=DES encklen=0 authtype=254)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=1:1)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: Local Proposal:
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=TWOFISH encklen=128 authtype=hmac-sha)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=TWOFISH encklen=128 authtype=hmac-md5)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=BLOWFISH encklen=128 authtype=hmac-sha)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=BLOWFISH encklen=128 authtype=hmac-md5)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=CAST encklen=0 authtype=hmac-sha)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=CAST encklen=0 authtype=hmac-md5)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=DES encklen=0 authtype=hmac-sha)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=DES encklen=0 authtype=hmac-md5)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-md5)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-md5)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (proto_id=ESP spisize=4 spi=7001f10d spi_p=00000000 encmode=Tunnel reqid=0:0)
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: Peer's Proposal:
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Using IPsec SA configuration: 192.168.5.0/24<->192.168.0.0/23
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Responding to new phase 2 negotiation: 10.0.0.2[0]<=>10.0.0.1[0]
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: ISAKMP-SA established for 10.0.0.2[500]-10.0.0.1[500] with spi:18e7df98aabf6b5a:607df2b699025a74
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: Ignore INITIAL-CONTACT notification from 10.0.0.1[500] because it is only accepted after phase1.
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] ERROR: invalied encryption algorithm=65289.
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] ERROR: invalied encryption algorithm=65289.
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received Vendor ID: RFC 3947
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Beginning Identity Protection mode.
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received request for new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]
Mon Jul 30 03:32:31 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Configuration found for 10.0.0.1[500].
Mon Jul 30 03:32:24 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Initiating new phase 2 negotiation: 10.0.0.2[0]<=>10.0.0.1[0]
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Sending Informational Exchange: notify payload[NO-PROPOSAL-CHOSEN]
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] ERROR: No suitable policy found for 10.0.0.1[0]
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: Phase 2 proposal by 10.0.0.1[0] did not match.
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=DES encklen=0 authtype=254)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=1:1)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: Local Proposal:
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=TWOFISH encklen=128 authtype=hmac-sha)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=TWOFISH encklen=128 authtype=hmac-md5)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=BLOWFISH encklen=128 authtype=hmac-sha)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=BLOWFISH encklen=128 authtype=hmac-md5)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=CAST encklen=0 authtype=hmac-sha)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=CAST encklen=0 authtype=hmac-md5)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=DES encklen=0 authtype=hmac-sha)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=DES encklen=0 authtype=hmac-md5)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-md5)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-md5)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (proto_id=ESP spisize=4 spi=de6e0dc0 spi_p=00000000 encmode=Tunnel reqid=0:0)
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: Peer's Proposal:
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Using IPsec SA configuration: 192.168.5.0/24<->192.168.0.0/23
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Responding to new phase 2 negotiation: 10.0.0.2[0]<=>10.0.0.1[0]
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] INFO: ISAKMP-SA established for 10.0.0.2[500]-10.0.0.1[500] with spi:c0797a382888ee28:be7d4605fea82064
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: Ignore INITIAL-CONTACT notification from 10.0.0.1[500] because it is only accepted after phase1.
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] NOTIFY: The packet is retransmitted by 10.0.0.1[500].
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: the packet retransmitted in a short time from 10.0.0.1[500]
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] NOTIFY: The packet is retransmitted by 10.0.0.1[500].
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Configuration found for 10.0.0.1.
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Configuration found for 10.0.0.1.
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Using IPsec SA configuration: 192.168.5.0/24<->192.168.0.0/23
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] ERROR: invalied encryption algorithm=65289.
Mon Jul 30 03:32:23 2012 (GMT +0000): [DSR-500N] [IKE] ERROR: invalied encryption algorithm=65289.
Mon Jul 30 03:32:22 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received Vendor ID: RFC 3947
Mon Jul 30 03:32:22 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:22 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mon Jul 30 03:32:22 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:22 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:22 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:22 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:22 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:22 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Beginning Identity Protection mode.
Mon Jul 30 03:32:22 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received request for new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]
Mon Jul 30 03:32:22 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Configuration found for 10.0.0.1[500].
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Sending Informational Exchange: notify payload[NO-PROPOSAL-CHOSEN]
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] ERROR: No suitable policy found for 10.0.0.1[0]
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: Phase 2 proposal by 10.0.0.1[0] did not match.
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=DES encklen=0 authtype=254)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=1:1)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: Local Proposal:
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=TWOFISH encklen=128 authtype=hmac-sha)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=TWOFISH encklen=128 authtype=hmac-md5)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=BLOWFISH encklen=128 authtype=hmac-sha)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=BLOWFISH encklen=128 authtype=hmac-md5)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=CAST encklen=0 authtype=hmac-sha)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=CAST encklen=0 authtype=hmac-md5)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=DES encklen=0 authtype=hmac-sha)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=DES encklen=0 authtype=hmac-md5)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-md5)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-md5)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: (proto_id=ESP spisize=4 spi=7bf8d6b2 spi_p=00000000 encmode=Tunnel reqid=0:0)
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: Peer's Proposal:
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Using IPsec SA configuration: 192.168.5.0/24<->192.168.0.0/23
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Responding to new phase 2 negotiation: 10.0.0.2[0]<=>10.0.0.1[0]
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: ISAKMP-SA established for 10.0.0.2[500]-10.0.0.1[500] with spi:4b20364d0894921d:39963cd589fdbda8
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] WARNING: Ignore INITIAL-CONTACT notification from 10.0.0.1[500] because it is only accepted after phase1.
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] ERROR: invalied encryption algorithm=65289.
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] ERROR: invalied encryption algorithm=65289.
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received Vendor ID: RFC 3947
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received unknown Vendor ID
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Beginning Identity Protection mode.
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Received request for new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]
Mon Jul 30 03:32:11 2012 (GMT +0000): [DSR-500N] [IKE] INFO: Configuration found for 10.0.0.1[500].
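Added example, not part of the original post: a small Python script that reads a newest-first IKE log like the one above, collects the transforms listed under "Peer's Proposal" and "Local Proposal" for each failed phase 2 negotiation, and reports which field of the local transform the peer never offers. The function names and the shortened sample (timestamps dropped, only three peer transforms kept) are constructed for this illustration.

```python
import re

# Constructed sample: one failed negotiation, shortened from the log above
# (timestamp prefix dropped) and kept newest-first, as the DSR prints it.
SAMPLE = """\
[IKE] ERROR: No suitable policy found for 10.0.0.1[0]
[IKE] WARNING: Phase 2 proposal by 10.0.0.1[0] did not match.
[IKE] WARNING: (trns_id=DES encklen=0 authtype=254)
[IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=1:1)
[IKE] WARNING: Local Proposal:
[IKE] WARNING: (trns_id=DES encklen=0 authtype=hmac-sha)
[IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-md5)
[IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
[IKE] WARNING: (proto_id=ESP spisize=4 spi=7001f10d spi_p=00000000 encmode=Tunnel reqid=0:0)
[IKE] WARNING: Peer's Proposal:
"""

TRNS = re.compile(r"\(trns_id=(\S+) encklen=(\d+) authtype=([^)\s]+)\)")

def parse_proposals(log_text):
    """Return one {'peer': set, 'local': set} dict per failed phase 2 negotiation."""
    results, current, side = [], None, None
    # The log is newest-first, so walk it bottom-up to get chronological order.
    for line in reversed(log_text.strip().splitlines()):
        if "Peer's Proposal:" in line:
            current, side = {"peer": set(), "local": set()}, "peer"
        elif current is None:
            continue
        elif "Local Proposal:" in line:
            side = "local"
        elif "did not match" in line:
            results.append(current)
            current, side = None, None
        elif (m := TRNS.search(line)):
            current[side].add((m.group(1), int(m.group(2)), m.group(3)))
    return results

def diagnose(neg):
    """Map each unmatched local transform to the fields the peer never offers."""
    ciphers = {p[0] for p in neg["peer"]}
    cipher_keys = {(p[0], p[1]) for p in neg["peer"]}
    auths = {p[2] for p in neg["peer"]}
    report = {}
    for cipher, klen, auth in neg["local"] - neg["peer"]:
        missing = []
        if cipher not in ciphers:
            missing.append("trns_id")
        elif (cipher, klen) not in cipher_keys:
            missing.append("encklen")
        if auth not in auths:
            missing.append("authtype")
        report[(cipher, klen, auth)] = missing
    return report
```

On the sample, the only field that differs is `authtype`: the local transform carries `authtype=254`, while every peer transform carries `hmac-sha` or `hmac-md5`.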