There is a network of 5 interconnected offices. At the center is a DFL-800; at the periphery, 3 DFL-210s and 1 DFL-200. This morning it was discovered that users at 2 of the branch offices cannot connect to the head office because the VPN went down. Users at the 2 other offices work without problems.
The VPNs are built on certificates. When the non-working offices were switched to PSK, the VPNs came up. Please help figure out why the certificate-based VPNs are not working. The output of the command ikesnoop -on -verbose is shown below.
Log of the remote device
Code:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2009.09.14 11:18:10 =~=~=~=~=~=~=~=~=~=~=~=
Logged in as administrator - admin
DFL-210:/> ikesnoop -on -verbose
Ike snooping is active - verbose mode; snooping address *
DFL-210:/>
2009-09-14 11:18:58: IkeSnoop: Received IKE packet from xx.xx.xx.xx:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x33b7c2e564d2d5 -> 0x00000000
Message ID : 0x00000000
Packet length : 276 bytes
# payloads : 2
Payloads:
SA (Security Association)
Payload data length : 224 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ISAKMP
SPI Size : 0
Transform 1/6
Transform ID : IKE
Encryption algorithm : Rijndael-cbc (aes)
Key length : 128
Hash algorithm : MD5
Authentication method : RSA Signatures
Group description : MODP 1024
Life type : Seconds
Life duration : 28800
Transform 2/6
Transform ID : IKE
Encryption algorithm : Rijndael-cbc (aes)
Key length : 128
Hash algorithm : SHA
Authentication method : RSA Signatures
Group description : MODP 1024
Life type : Seconds
Life duration : 28800
Transform 3/6
Transform ID : IKE
Encryption algorithm : 3DES-cbc
Hash algorithm : MD5
Authentication method : RSA Signatures
Group description : MODP 1024
Life type : Seconds
Life duration : 28800
Transform 4/6
Transform ID : IKE
Encryption algorithm : 3DES-cbc
Hash algorithm : SHA
Authentication method : RSA Signatures
Group description : MODP 1024
Life type : Seconds
Life duration : 28800
Transform 5/6
Transform ID : IKE
Encryption algorithm : Blowfish-cbc
Key length : 128
Hash algorithm : MD5
Authentication method : RSA Signatures
Group description : MODP 1024
Life type : Seconds
Life duration : 28800
Transform 6/6
Transform ID : IKE
Encryption algorithm : Blowfish-cbc
Key length : 128
Hash algorithm : SHA
Authentication method : RSA Signatures
Group description : MODP 1024
Life type : Seconds
Life duration : 28800
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b
Description : SSH Communications Security QuickSec 2.1.0
2009-09-14 11:18:58: IkeSnoop: Sending IKE packet to xx.xx.xx.xx:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x33b7c2e564d2d5 -> 0x1f54b0a482445a
Message ID : 0x00000000
Packet length : 104 bytes
# payloads : 2
Payloads:
SA (Security Association)
Payload data length : 52 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ISAKMP
SPI Size : 0
Transform 1/1
Transform ID : IKE
Encryption algorithm : Rijndael-cbc (aes)
Key length : 128
Hash algorithm : MD5
Authentication method : RSA Signatures
Group description : MODP 1024
Life type : Seconds
Life duration : 28800
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b
Description : SSH Communications Security QuickSec 2.1.0
2009-09-14 11:18:58: IkeSnoop: Received IKE packet from xx.xx.xx.xx:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x33b7c2e564d2d5 -> 0x1f54b0a482445a
Message ID : 0x00000000
Packet length : 240 bytes
# payloads : 3
Payloads:
KE (Key Exchange)
Payload data length : 128 bytes
NONCE (Nonce)
Payload data length : 16 bytes
CR (Certificate Request)
Payload data length : 56 bytes
Certificate type : X.509 signature
2009-09-14 11:18:58: IkeSnoop: Sending IKE packet to xx.xx.xx.xx:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x33b7c2e564d2d5 -> 0x1f54b0a482445a
Message ID : 0x00000000
Packet length : 240 bytes
# payloads : 3
Payloads:
KE (Key Exchange)
Payload data length : 128 bytes
NONCE (Nonce)
Payload data length : 16 bytes
CR (Certificate Request)
Payload data length : 56 bytes
Certificate type : X.509 signature
Log of the local device
Code:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2009.09.14 11:18:40 =~=~=~=~=~=~=~=~=~=~=~=
Logged in as administrator - admin
DFL-800:/> ikesnoop -om n - verboseverbose
Ike snooping is active - verbose mode; snooping address *
DFL-800:/>
2009-09-14 11:18:57: IkeSnoop: Received IKE packet from yy.yy.yy.yy:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x33b7c2e564d2d5 -> 0x1f54b0a482445a
Message ID : 0x00000000
Packet length : 104 bytes
# payloads : 2
Payloads:
SA (Security Association)
Payload data length : 52 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ISAKMP
SPI Size : 0
Transform 1/1
Transform ID : IKE
Encryption algorithm : Rijndael-cbc (aes)
Key length : 128
Hash algorithm : MD5
Authentication method : RSA Signatures
Group description : MODP 1024
Life type : Seconds
Life duration : 28800
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b
Description : SSH Communications Security QuickSec 2.1.0
2009-09-14 11:18:58: IkeSnoop: Sending IKE packet to yy.yy.yy.yy:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x33b7c2e564d2d5 -> 0x1f54b0a482445a
Message ID : 0x00000000
Packet length : 240 bytes
# payloads : 3
Payloads:
KE (Key Exchange)
Payload data length : 128 bytes
NONCE (Nonce)
Payload data length : 16 bytes
CR (Certificate Request)
Payload data length : 56 bytes
Certificate type : X.509 signature
2009-09-14 11:18:58: IkeSnoop: Received IKE packet from yy.yy.yy.yy:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x33b7c2e564d2d5 -> 0x1f54b0a482445a
Message ID : 0x00000000
Packet length : 240 bytes
# payloads : 3
Payloads:
KE (Key Exchange)
Payload data length : 128 bytes
NONCE (Nonce)
Payload data length : 16 bytes
CR (Certificate Request)
Payload data length : 56 bytes
Certificate type : X.509 signature
2009-09-14 11:18:58: IkeSnoop: Sending IKE packet to yy.yy.yy.yy:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0x33b7c2e564d2d5 -> 0x1f54b0a482445a
Message ID : 0x00000000
Packet length : 4023 bytes
# payloads : 5
Payloads:
ID (Identification)
Payload data length : 123 bytes
ID : der_asn1_dn(any:0,[0..118]=C=RU, ST=16, L=Kazan, O=Saman, OU=IT, CN=DFL-800, MAILTO=saman@mi.ru)
CERT (Certificate)
Payload data length : 1360 bytes
Encoding type : X.509 signature
Issuer : DC=DOMAIN, CN=SAMAN-Sertification
Subject : DC=DOMAIN, CN=ISOLATION CA SAMAN
Valid from : 2009 Feb 27th, 12:03:03 GMT
Valid to : 2011 Feb 27th, 12:13:03 GMT
CERT (Certificate)
Payload data length : 1038 bytes
Encoding type : CRL - Certificate Revocation List
CERT (Certificate)
Payload data length : 1326 bytes
Encoding type : X.509 signature
Issuer : DC=DOMAIN, CN=ISOLATION CA SAMAN
Subject : C=RU, ST=16, L=Kazan, O=Saman, OU=IT, CN=DFL-800, MAILTO=saman@mi.ru
Valid from : 2009 Apr 26th, 10:44:33 GMT
Valid to : 2010 Apr 26th, 10:54:33 GMT
SIG (Signature)
Payload data length : 128 bytes
2009-09-14 11:18:58: IkeSnoop: Received IKE packet from yy.yy.yy.yy:500
2009-09-14 11:18:58: IkeSnoop: Other end retransmitted its packet
2009-09-14 11:18:58: IkeSnoop: Cannot resend response; packet just sent
2009-09-14 11:18:59: IkeSnoop: Received IKE packet from 91.144.154.158:500
2009-09-14 11:18:59: IkeSnoop: Other end retransmitted its packet
2009-09-14 11:18:59: IkeSnoop: Cannot resend response; packet just sent
2009-09-14 11:19:01: IkeSnoop: Received IKE packet from 91.144.154.158:500
2009-09-14 11:19:01: IkeSnoop: Other end retransmitted its packet
2009-09-14 11:19:05: IkeSnoop: Received IKE packet from 91.144.154.158:500
2009-09-14 11:19:05: IkeSnoop: Other end retransmitted its packet
2009-09-14 11:19:13: IkeSnoop: Received IKE packet from 91.144.154.158:500
2009-09-14 11:19:13: IkeSnoop: Other end retransmitted its packet
2009-09-14 11:19:29: IkeSnoop: Received IKE packet from 91.144.154.158:500
2009-09-14 11:19:29: IkeSnoop: Other end retransmitted its packet
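As an added example (not part of the original post), a small Python script that reads ikesnoop output shaped like the DFL-800 log above and flags the pattern it shows: a large encrypted main-mode message 5 (ID, two CERTs, a CRL and SIG, 4023 bytes) is sent and the peer then keeps retransmitting its message 4, which means the reply never reached it intact. The sample excerpt and the 1500-byte MTU threshold are constructed assumptions; large UDP/500 datagrams are IP-fragmented, and fragment loss on the path is a common cause of exactly this stall.

```python
import re

# Constructed excerpt modelled on the DFL-800 ikesnoop output
# (4023-byte message 5 sent, then the peer retransmits message 4).
SAMPLE_LOG = """\
2009-09-14 11:18:58: IkeSnoop: Sending IKE packet to yy.yy.yy.yy:500
Exchange type : Identity Protection (main mode)
Flags : E (encryption)
Packet length : 4023 bytes
# payloads : 5
2009-09-14 11:18:58: IkeSnoop: Received IKE packet from yy.yy.yy.yy:500
2009-09-14 11:18:58: IkeSnoop: Other end retransmitted its packet
2009-09-14 11:18:58: IkeSnoop: Cannot resend response; packet just sent
2009-09-14 11:18:59: IkeSnoop: Received IKE packet from yy.yy.yy.yy:500
2009-09-14 11:18:59: IkeSnoop: Other end retransmitted its packet
2009-09-14 11:19:01: IkeSnoop: Received IKE packet from yy.yy.yy.yy:500
2009-09-14 11:19:01: IkeSnoop: Other end retransmitted its packet
"""

SEND_RE = re.compile(r"IkeSnoop: Sending IKE packet to (\S+)")
LEN_RE = re.compile(r"^Packet length : (\d+) bytes")
RETRANS = "IkeSnoop: Other end retransmitted its packet"


def find_stalls(log_text, mtu=1500):
    """Group the snoop log by the packets this side sent and count how
    often the peer retransmitted afterwards. One dict per sent packet."""
    sent = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEND_RE.search(line)
        if m:
            sent.append({"peer": m.group(1), "bytes": None, "retransmits": 0})
            continue
        if not sent:
            continue  # detail lines of a packet received before we sent anything
        m = LEN_RE.match(line)
        if m and sent[-1]["bytes"] is None:
            sent[-1]["bytes"] = int(m.group(1))  # first length after 'Sending' is ours
        elif RETRANS in line:
            sent[-1]["retransmits"] += 1
    for s in sent:
        # Repeated retransmits after a reply larger than the assumed MTU:
        # the datagram had to be fragmented and the peer never reassembled it.
        s["likely_fragment_loss"] = (
            s["retransmits"] >= 2 and s["bytes"] is not None and s["bytes"] > mtu)
    return sent


if __name__ == "__main__":
    for stall in find_stalls(SAMPLE_LOG):
        print(stall)
```

With PSK the same message 5 carries only ID and HASH and stays far below any MTU, which is consistent with the PSK tunnels coming up while the certificate tunnels stall.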