Добрый день.
Организован тунель Cisco PIX 515 и DI-804HV. При попынке по "интересному" трафику поднять тунель с сети за PIX, возникают ошибки на второй фазе:
DI-804HV log:
15:53:50 Send IKE (INFO) : delete X.X.X.103 -> Y.Y.Y.214 phase 1
15:53:50 IKE phase1 (ISAKMP SA) remove : 82.207.118.103 <-> Y.Y.Y.214
15:53:21 Requested routing is [10.10.20.0|Y.Y.Y.214]<->[X.X.X.103|10.10.27.0]
15:53:21 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-DES AUTH:MD5 HASH:Others PFS(Group):Group2
15:53:25 Receive IKE Q1(QINIT) : [Y.Y.Y.214]-->[X.X.X.103]
15:53:25 Requested routing is [10.10.20.0|Y.Y.Y.214]<->[X.X.X.103|10.10.27.0]
15:53:25 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-DES AUTH:MD5 HASH:Others PFS(Group):Group2
15:53:30 Receive IKE Q1(QINIT) : [Y.Y.Y.214]-->[X.X.X.103]
15:53:30 Requested routing is [10.10.20.0|Y.Y.Y.214]<->[X.X.X.103|10.10.27.0]
15:53:30 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-DES AUTH:MD5 HASH:Others PFS(Group):Group2
15:53:36 Receive IKE Q1(QINIT) : [Y.Y.Y.214]-->[X.X.X.103]
15:53:36 Requested routing is [10.10.20.0|Y.Y.Y.214]<->X.X.X.103|10.10.27.0]
О последней записи в форуме уже упоминалось: http://dlink.ru/phorum/viewtopic.php?t= ... hlight=pix. Тема уже закрыта. Поделитесь решением, возможно у меня аналогичная промлема.
PIX log:
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:X.X.X.103, dest:Y.Y.Y.214 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x1c 0x20
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.103, dest:Y.Y.Y.214 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.103, dest:Y.Y.Y.214 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 2052341857:7a544061IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xd8f8fa52(3640195666) for SA
from X.X.X.103 to Y.Y.Y.214 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:X.X.X.103/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:X.X.X.103/500 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x7a544061
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x7a544061
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x7a544061
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x7a544061
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x7a544061IPSEC(key_engine): request timer fired: count = 1,
(identity) local= Y.Y.Y.214, remote= X.X.X.103,
local_proxy= 10.10.20.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.27.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Quick Mode exchange, M-ID of -1676206450:9c171e8eIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xab499acf(2873727695) for SA
from X.X.X.103 to Y.Y.Y.214 for prot 3

ISAKMP (0): retransmitting phase 2 (5/0)... mess_id 0x7a544061
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x9c171e8e
ISAKMP (0): retransmitting phase 2 (6/0)... mess_id 0x7a544061

Конфигурацию не привожу она взята с faq на dlink.ru.
Подскажите где искать грабли.
Благодарен.

Всё-таки приложите конфиг 804-го
если подозрение, что масочка кривовата.

IKE: Group2 3DES MD5 86400
IPSec: Group2 ESP 3DES None 28800

давайте так.
Вы выложите _настройки_ и кошки и 804, если будут слишком громоздские высылайте в мыло. Чтобы xx и yy не писать.

Добрый день.
дополнительная информация о возникшей проблеме:
Конфиги:
D-Link DI-804HV
IKE: Group2 3DES MD5 86400
IPSec: Group2 ESP 3DES None 28800

PIX 515
ip address outside Y.Y.Y.214 255.255.255.252
crypto ipsec transform-set vpn_novo esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600 kilobytes 400000
crypto map map_vpn 10 ipsec-isakmp
crypto map map_vpn 10 match address novo
crypto map map_vpn 10 set pfs group2
crypto map map_vpn 10 set peer Х.Х.Х.103
crypto map map_vpn 10 set transform-set vpn_novo
crypto map map_vpn interface outside
isakmp enable outside
isakmp key ******** address Х.Х.Х.103 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 7200

А дальше начинаетса всё самое интересное, в зависимости от инициатора соединения
тунель ведёт себя по разному. В случае когда инициатором выступает PIX
PIX log:
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:Х.Х.Х.103, dest:Y.Y.Y.214 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x1c 0x20
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:Х.Х.Х.103, dest:Y.Y.Y.214 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:Х.Х.Х.103, dest:Y.Y.Y.214 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of

2052341857:7a544061IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xd8f8fa52(3640195666) for SA
from Х.Х.Х.103 to Y.Y.Y.214 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:Х.Х.Х.103/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:Х.Х.Х.103/500 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x7a544061
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x7a544061
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x7a544061
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x7a544061
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x7a544061IPSEC(key_engine): request

timer fired: count = 1,
(identity) local= Y.Y.Y.214, remote= Х.Х.Х.103,
local_proxy= 10.10.20.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.27.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Quick Mode exchange, M-ID of

-1676206450:9c171e8eIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xab499acf(2873727695) for SA
from Х.Х.Х.103 to Y.Y.Y.214 for prot 3

ISAKMP (0): retransmitting phase 2 (5/0)... mess_id 0x7a544061
.....
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x9c171e8e
ISAKMP (0): retransmitting phase 2 (10/0)... mess_id 0x7a544061IPSEC(key_engine): request

timer fired: count = 2,
(identity) local= Y.Y.Y.214, remote= Х.Х.Х.103,
local_proxy= 10.10.20.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.27.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 2 (5/1)... mess_id 0x9c171e8e
ISAKMP (0): retransmitting phase 2 (6/1)... mess_id 0x9c171e8e

DI-804HV log:
15:53:50 Send IKE (INFO) : delete X.X.X.103 -> Y.Y.Y.214 phase 1
15:53:50 IKE phase1 (ISAKMP SA) remove : X.X.X.103 <-> Y.Y.Y.214
15:53:21 Requested routing is [10.10.20.0|Y.Y.Y.214]<->[X.X.X.103|10.10.27.0]
15:53:21 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-DES AUTH:MD5 HASH:Others
PFS(Group):Group2
15:53:25 Receive IKE Q1(QINIT) : [Y.Y.Y.214]-->[X.X.X.103]
15:53:25 Requested routing is [10.10.20.0|Y.Y.Y.214]<->[X.X.X.103|10.10.27.0]
15:53:25 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-DES AUTH:MD5 HASH:Others
PFS(Group):Group2
15:53:30 Receive IKE Q1(QINIT) : [Y.Y.Y.214]-->[X.X.X.103]
15:53:30 Requested routing is [10.10.20.0|Y.Y.Y.214]<->[X.X.X.103|10.10.27.0]
15:53:30 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-DES AUTH:MD5 HASH:Others
PFS(Group):Group2
15:53:36 Receive IKE Q1(QINIT) : [Y.Y.Y.214]-->[X.X.X.103]
15:53:36 Requested routing is [10.10.20.0|Y.Y.Y.214]<->X.X.X.103|10.10.27.0]

В случае когда инициатор D-Link, ошибки следуюющие:
DI-804HV log:
Friday May 05, 2006 01:06:37 Send IKE M1(INIT) : X.X.X.103 --> Y.Y.Y.214
Friday May 05, 2006 01:06:37 Receive IKE M2(RESP) : Y.Y.Y.214 --> X.X.X.103
Friday May 05, 2006 01:06:37 Try to match with ENC:3DES AUTH:PSK HASH:MD5 Group:Group2
Friday May 05, 2006 01:06:37 Send IKE M3(KEYINIT) : X.X.X.103 --> Y.Y.Y.214
Friday May 05, 2006 01:06:38 Receive IKE M4(KEYRESP) : Y.Y.Y.214 --> X.X.X.103
Friday May 05, 2006 01:06:38 Send IKE M5(IDINIT) : X.X.X.103 --> Y.Y.Y.214
Friday May 05, 2006 01:06:38 Receive IKE M6(IDRESP) : Y.Y.Y.214 --> X.X.X.103
Friday May 05, 2006 01:06:38 IKE Phase1 (ISAKMP SA) established : Y.Y.Y.214 <-> X.X.X.103
Friday May 05, 2006 01:06:38 Send IKE Q1(QINIT) : 10.10.27.0 --> 10.10.20.0
Friday May 05, 2006 01:06:38 Receive IKE INFO : Y.Y.Y.214 --> X.X.X.103
Friday May 05, 2006 01:06:38 Receive IKE INFO : Y.Y.Y.214 --> X.X.X.103
Friday May 05, 2006 01:06:38 Receive IKE INFO : 2Y.Y.Y.214 --> X.X.X.103
Friday May 05, 2006 01:06:43 IKED re-TX : QINIT to Y.Y.Y.214
Friday May 05, 2006 01:06:48 IKED re-TX : QINIT to Y.Y.Y.214
Friday May 05, 2006 01:06:58 IKED re-TX : QINIT to Y.Y.Y.214
Friday May 05, 2006 01:07:08 IKED re-TX : QINIT to Y.Y.Y.214
Friday May 05, 2006 01:07:28 IKED re-TX : QINIT to Y.Y.Y.214
Friday May 05, 2006 01:07:29 Send IKE (INFO) : delete [10.10.27.0|X.X.X.103]-->[Y.Y.Y.214|10.10.20.0] phase 2
Friday May 05, 2006 01:07:29 Send IKE (INFO) : delete [10.10.27.0|X.X.X.103]-->[Y.Y.Y.214|10.10.20.0] phase 2
Friday May 05, 2006 01:07:29 IKE phase2 (IPSec SA) remove : 10.10.27.0 <-> 10.10.20.0
Friday May 05, 2006 01:07:29 inbound SPI = 0x2000010, outbound SPI = 0x0

PIX log:
crypto_isakmp_process_block:src:82.207.118.103, dest:213.179.229.214 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.103, dest:Y.Y.Y.214 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.103, dest:Y.Y.Y.214 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:X.X.X.103/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:X.X.X.103/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:X.X.X.103, dest:Y.Y.Y.214 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 249174456

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authentication algorithm... What? 0?
ISAKMP: encaps is 1
ISAKMP: group is 2
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0x70 0x80 IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 0) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:X.X.X.103, dest:Y.Y.Y.214 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:X.X.X.103, dest:Y.Y.Y.214 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
crypto_isakmp_process_block:src:X.X.X.103, dest:2Y.Y.Y.214 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xeda19b8
crypto_isakmp_process_block:src:X.X.X.103, dest:Y.Y.Y.214 spt:500 dpt:500
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0xeda19b8
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0xeda19b8
При этом:
pix# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
Y.Y.Y.214 X.X.X.103 QM_IDLE 0 0
Почему в dst указан адрес PIXa? Выходит что dst и src поменялись местами, но в конфигурации явно указано set peer Х.Х.Х.103.
Благодарен.