Hello,
I have a problem setting up IPsec between a dfl-200 (fw 1.34.00) and a di-804hv (fw 1.43). Logs from the di-804hv:
---------------------------------------------
Tuesday January 22, 2008 12:43:37 Receive IKE M1(INIT) : 85.140.1.150 --> 62.5.147.42
Tuesday January 22, 2008 12:43:37 Try to match with ENC:None AUTH:PSK HASH:SHA1 Group:Group2
Tuesday January 22, 2008 12:43:37 Try to match with ENC:None AUTH:PSK HASH:MD5 Group:Group2
Tuesday January 22, 2008 12:43:37 Try to match with ENC:3DES AUTH:PSK HASH:SHA1 Group:Group2
Tuesday January 22, 2008 12:43:37 Send IKE M2(RESP) : 62.5.147.42 --> 85.140.1.150
Tuesday January 22, 2008 12:43:38 Receive IKE M3(KEYINIT) : 85.140.1.150 --> 62.5.147.42
Tuesday January 22, 2008 12:43:38 Send IKE M4(KEYRESP) : 62.5.147.42 --> 85.140.1.150
Tuesday January 22, 2008 12:43:38 Receive IKE M5(IDINIT) : 85.140.1.150 --> 62.5.147.42
Tuesday January 22, 2008 12:43:38 Send IKE M6(IDRESP) : 62.5.147.42 --> 85.140.1.150
Tuesday January 22, 2008 12:43:38 IKE Phase1 (ISAKMP SA) established : 62.5.147.42 <-> 85.140.1.150
Tuesday January 22, 2008 12:43:38 Receive IKE Q1(QINIT) : [85.140.1.150]-->[62.5.147.42]
Tuesday January 22, 2008 12:43:38 SPD : add dynamic user [192.168.111.0]<->[192.168.12.0] OK
Tuesday January 22, 2008 12:43:38 Requested routing is [192.168.12.0|85.140.1.150]<->[62.5.147.42|192.168.111.0]
Tuesday January 22, 2008 12:43:38 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:SHA1 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:38 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:MD5 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:39 Receive IKE Q1(QINIT) : [85.140.1.150]-->[62.5.147.42]
Tuesday January 22, 2008 12:43:39 Requested routing is [192.168.12.0|85.140.1.150]<->[62.5.147.42|192.168.111.0]
Tuesday January 22, 2008 12:43:39 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:SHA1 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:39 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:MD5 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:40 Receive IKE Q1(QINIT) : [85.140.1.150]-->[62.5.147.42]
Tuesday January 22, 2008 12:43:40 Receive IKE Q1(QINIT) : [85.140.1.150]-->[62.5.147.42]
Tuesday January 22, 2008 12:43:40 Requested routing is [192.168.12.0|85.140.1.150]<->[62.5.147.42|192.168.111.0]
Tuesday January 22, 2008 12:43:40 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:SHA1 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:40 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:MD5 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:42 Receive IKE Q1(QINIT) : [85.140.1.150]-->[62.5.147.42]
Tuesday January 22, 2008 12:43:42 Requested routing is [192.168.12.0|85.140.1.150]<->[62.5.147.42|192.168.111.0]
Tuesday January 22, 2008 12:43:42 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:SHA1 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:42 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:MD5 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:46 Receive IKE Q1(QINIT) : [85.140.1.150]-->[62.5.147.42]
Tuesday January 22, 2008 12:43:46 Requested routing is [192.168.12.0|85.140.1.150]<->[62.5.147.42|192.168.111.0]
Tuesday January 22, 2008 12:43:46 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:SHA1 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:46 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:MD5 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:54 Receive IKE Q1(QINIT) : [85.140.1.150]-->[62.5.147.42]
Tuesday January 22, 2008 12:43:54 Requested routing is [192.168.12.0|85.140.1.150]<->[62.5.147.42|192.168.111.0]
Tuesday January 22, 2008 12:43:54 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:SHA1 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:54 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:MD5 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:44:10 Receive IKE Q1(QINIT) : [85.140.1.150]-->[62.5.147.42]
Tuesday January 22, 2008 12:44:10 Requested routing is [192.168.12.0|85.140.1.150]<->[62.5.147.42|192.168.111.0]
Tuesday January 22, 2008 12:44:10 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:SHA1 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:44:10 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:MD5 HASH:Others PFS(Group):NONE
---------------------------------------------
and so on.
It looks like they cannot find suitable parameters for the tunnel, but the settings on them are extremely basic. And with these same settings, tunnels between several di-804hv units work reliably.
What can you advise?
_________________ Maxim
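
An added example, not part of the original post: a small Python parser for the di-804hv log format shown above that reports whether Phase 1 completed, how many times the Quick Mode request (QINIT) was received afterwards, the gaps between those requests, and which ESP proposals were tried. The function name `analyze`, the `min_retries` threshold and the sample lines (documentation addresses) are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample in the log format from the post; addresses are documentation ranges.
SAMPLE_LOG = """\
Tuesday January 22, 2008 12:43:38 IKE Phase1 (ISAKMP SA) established : 198.51.100.1 <-> 192.0.2.1
Tuesday January 22, 2008 12:43:38 Receive IKE Q1(QINIT) : [192.0.2.1]-->[198.51.100.1]
Tuesday January 22, 2008 12:43:38 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:SHA1 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:38 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:MD5 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:39 Receive IKE Q1(QINIT) : [192.0.2.1]-->[198.51.100.1]
Tuesday January 22, 2008 12:43:39 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:SHA1 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:39 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:MD5 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:41 Receive IKE Q1(QINIT) : [192.0.2.1]-->[198.51.100.1]
Tuesday January 22, 2008 12:43:41 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:SHA1 HASH:Others PFS(Group):NONE
Tuesday January 22, 2008 12:43:41 Try to match ESP with MODE:Tunnel PROTOCAL:Others AUTH:MD5 HASH:Others PFS(Group):NONE
"""

LINE_RE = re.compile(r"^\w+ (\w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}) (.+)$")
ESP_PREFIX = "Try to match ESP with "

def analyze(log_text, min_retries=3):
    """Summarize the Phase 1 / Quick Mode sequence in a di-804hv style log."""
    phase1, qinit_times, proposals = False, [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # separators and free text are skipped
        ts = datetime.strptime(m.group(1), "%B %d, %Y %H:%M:%S")
        msg = m.group(2)
        if "Phase1" in msg and "established" in msg:
            # A new ISAKMP SA starts a new Quick Mode sequence.
            phase1, qinit_times, proposals = True, [], []
        elif phase1 and "Q1(QINIT)" in msg:
            qinit_times.append(ts)
        elif phase1 and msg.startswith(ESP_PREFIX):
            proposal = msg[len(ESP_PREFIX):]
            if proposal not in proposals:
                proposals.append(proposal)
    gaps = [int((b - a).total_seconds()) for a, b in zip(qinit_times, qinit_times[1:])]
    return {
        "phase1_established": phase1,
        "qinit_count": len(qinit_times),
        "retry_gaps_s": gaps,
        "esp_proposals_tried": proposals,
        # Assumption: min_retries repeated QINITs after Phase 1 count as a stall.
        "phase2_stalled": phase1 and len(qinit_times) >= min_retries,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```
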