Post subject: IPsec tunnel does not come up, DFL-1600
Posted: Tue Feb 08, 2011 09:48

Joined: Fri Jul 02, 2010 11:42
Posts: 19
There is a remote Cisco with this config:
Code:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 40
 encr aes 256
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 50
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 60
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp profile TEST_DC
   vrf TEST_Direct
   keyring TEST_DC
   self-identity address
   match identity address XX.XX.XX.5 255.255.255.255 TEST_Direct
!
crypto ipsec transform-set TEST_DC_DES esp-3des esp-sha-hmac
crypto ipsec transform-set TEST_DC_AES_MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TEST_DC_DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TEST_DC_AES256 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TEST_DC_AES esp-aes esp-sha-hmac
crypto ipsec transform-set TEST_DC_AES256_MD5 esp-aes 256 esp-md5-hmac
!
crypto map TEST_DC 105 ipsec-isakmp
 description TEST traffic
 set peer XX.XX.XX.5
 set transform-set TEST_DC_DES TEST_DC_DES_MD5 TEST_DC_AES TEST_DC_AES_MD5 TEST_DC_AES256 TEST_DC_AES256_MD5
 set isakmp-profile TEST_DC
 match address TEST_Direct_client15
!
interface GigabitEthernet0/1.209
 description DMZ
 encapsulation dot1Q 209
 ip vrf forwarding TEST_Direct
 ip address YY.YY.YY.201 255.255.255.224
 ip access-group DMZ_IN in
 no snmp trap link-status
 standby 10 ip YY.YY.YY.203
 standby 10 preempt
 standby 10 name DMZ
 standby 10 track GigabitEthernet0/1.203
 crypto map TEST_DC redundancy DMZ stateful
!
ip access-list extended TEST_Direct_client15
 permit tcp host YY.YY.YY.133 eq 5001 host XX.XX.XX.18


And the D-Link config:
Code:
DFL-1600:/> show IKEAlgorithms test
Name:  test
NULLEnabled:  No
DESEnabled:  No
DES3Enabled:  Yes
AESEnabled:  Yes
BlowfishEnabled:  No
TwofishEnabled:  No
CAST128Enabled:  No
AESMinKeySize:  128
AESKeySize:  128
AESMaxKeySize:  256
MD5Enabled:  Yes
SHA1Enabled:  Yes

---------------------

DFL-1600:/> show IPsecAlgorithms test
Name:  test
NULLEnabled:  No
DESEnabled:  No
DES3Enabled:  Yes
AESEnabled:  Yes
BlowfishEnabled:  No
TwofishEnabled:  No
CAST128Enabled:  No
AESMinKeySize:  128
AESKeySize:  128
AESMaxKeySize:  256
MD5Enabled:  Yes
SHA1Enabled:  Yes

DFL-1600:/> show Interface IPsecTunnel Test_Ipsec_2

Property  Value
 --------------------------  --------------------------------
Index:  1
Name:  Test_Ipsec_2
LocalNetwork:  MY_IP/node103_ipsec_2
RemoteNetwork:  test/test_srv_2
RemoteEndpoint:  test/test_Endpoint_2
IKEConfigModePool:  <empty>
IKEAlgorithms:  test
IPsecAlgorithms:  test
IKELifeTimeSeconds:  86400
IPsecLifeTimeSeconds:  3600
IPsecLifeTimeKilobytes:  0
EncapsulationMode:  Tunnel
AuthMethod:  PSK (Pre-shared keying)
PSK:  Test_ipsec_2
LocalIDType:  Auto
XAuth:  Off
DHCPOverIPsec:  No
AddRouteToRemoteNet:  No
PlaintextMTU:  1420
OriginatorIPType:  LocalInterface (Local interface)
IKEMode:  Main (Mainmode)
DHGroup:  2
PFS:  None
SetupSAPer:  Net (Per network)
DeadPeerDetection:  No
NATTraversal:  AlwaysOn (Always on)
KeepAlive:  Disabled
Metric:  90
AutoInterfaceNetworkRoute:  Yes
Comments:  <empty>



In the logs:
Feb 8 09:42:17 192.168.1.5 [2011-02-08 09:43:15] FW: IPSEC: prio=3 id=01802022 rev=2 event=ike_sa_failed action=no_ike_sa statusmsg="Timeout" local_peer="XX.XX.XX.5:4500 ID XX.XX.XX.5" remote_peer="YY.YY.YY.203:4500 ID No Id" initiator_spi="ESP=0x93bc0a20, AH=0xe579614b, IPComp=0xb7727927"

It is clear that the encryption and authentication methods do not match, but where and why is unclear, since on the D-Link I have already tried changing everything I could: disabled DPD, KA, NAT-T, etc.

Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Tue Feb 08, 2011 11:01

Joined: Thu Jan 17, 2008 16:37
Posts: 478
If the encryption methods do not match, the error in the D-Link log usually looks like "no proposal chosen".
In your case, by the look of it, the connection does not even begin to establish.

Also, the connection on the DFL goes to port 4500, which means your Cisco is apparently behind NAT (or something after it is doing NAT...); make sure NAT-T is enabled there or that the intermediate device supports VPN passthrough, because I am not strong in the Cisco config you posted.


Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Tue Feb 08, 2011 13:19

Joined: Fri Jul 02, 2010 11:42
Posts: 19
So everything is fine on the DFL?
Also in the logs:
Feb 8 13:08:32 192.168.1.5 [2011-02-08 13:09:30] FW: CONN: prio=1 id=00600001 rev=1 event=conn_open rule=IPsecBeforeRules conn=open connipproto=UDP connrecvif=wan1 connsrcip=YY.YY.YY.203 connsrcport=500 conndestif=core conndestip=XX.XX.XX.5 conndestport=500
Feb 8 13:08:40 192.168.1.5 [2011-02-08 13:09:39] FW: CONN: prio=1 id=00600002 rev=1 event=conn_close action=close rule=Stock_Allow_All_Rule conn=close connipproto=ICMP connrecvif=core connsrcip=XX.XX.XX.18 connsrcid=30948 conndestif=Test_Ipsec_2 conndestip=YY.YY.YY.133 conndestid=30948 origsent=32 termsent=0
Feb 8 13:09:32 192.168.1.5 [2011-02-08 13:10:30] FW: IPSEC: prio=1 id=01802708 rev=1 event=ike_sa_destroyed action=ike_sa_killed ike_sa=" Initiator SPI ESP=0x4bab5f38, AH=0x5e5567e2, IPComp=0xb772792"
Feb 8 13:09:32 192.168.1.5 [2011-02-08 13:10:30] FW: IPSEC: prio=1 id=01800317 rev=1 event=peer_is_dead action=IPsec_tunnel_disabled peer=YY.YY.YY.203


Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Tue Feb 08, 2011 13:28

Joined: Thu Jan 17, 2008 16:37
Posts: 478
To understand whether things are fine on the DFL, at least the first IPsec phase has to start; you don't even have that (judging by the logs you are showing).
You still have not answered: do the Cisco and the DFL face the Internet directly, or are there intermediate devices between them?


Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Tue Feb 08, 2011 13:48

Joined: Fri Jul 02, 2010 11:42
Posts: 19
Directly,
here is the ikesnoop output:

Sending 1 4-byte ICMP ping to YY.YY.YY.133 from XX.XX.XX.18 using PBR table "main"
2011-02-08 13:45:38: IkeSnoop: Sending IKE packet to YY.YY.YY.203:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x1f57793f13537fb -> 0x00000000
Message ID : 0x00000000
Packet length : 280 bytes
# payloads : 9
Payloads:
SA (Security Association)
Payload data length : 88 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ISAKMP
SPI Size : 0
Transform 1/2
Transform ID : IKE
Encryption algorithm : 3DES-cbc
Hash algorithm : MD5
Authentication method : Pre-Shared Key
Group description : MODP 1024
Life type : Seconds
Life duration : 86400
Transform 2/2
Transform ID : IKE
Encryption algorithm : 3DES-cbc
Hash algorithm : SHA
Authentication method : Pre-Shared Key
Group description : MODP 1024
Life type : Seconds
Life duration : 86400
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b
Description : SSH Communications Security QuickSec 2.1.0
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 27 ba b5 dc 01 ea 07 60 ea 4e 31 90 ac 27 c0 d0
Description : draft-stenberg-ipsec-nat-traversal-01
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 61 05 c4 22 e7 68 47 e4 3f 96 84 80 12 92 ae cd
Description : draft-stenberg-ipsec-nat-traversal-02
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
Description : draft-ietf-ipsec-nat-t-ike-00
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
Description : draft-ietf-ipsec-nat-t-ike-02
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Description : draft-ietf-ipsec-nat-t-ike-02
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Description : draft-ietf-ipsec-nat-t-ike-03
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
Description : RFC 3947

2011-02-08 13:45:38: IkeSnoop: Received IKE packet from YY.YY.YY.203:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x1f57793f13537fb -> 0x277972b765d338e6
Message ID : 0x00000000
Packet length : 104 bytes
# payloads : 2
Payloads:
SA (Security Association)
Payload data length : 52 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ISAKMP
SPI Size : 0
Transform 1/1
Transform ID : IKE
Encryption algorithm : 3DES-cbc
Hash algorithm : SHA
Group description : MODP 1024
Authentication method : Pre-Shared Key
Life type : Seconds
Life duration : 86400
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Description : draft-ietf-ipsec-nat-t-ike-03

2011-02-08 13:45:38: IkeSnoop: Sending IKE packet to 217.118.71.203:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x1f57793f13537fb -> 0x277972b765d338e6
Message ID : 0x00000000
Packet length : 228 bytes
# payloads : 4
Payloads:
KE (Key Exchange)
Payload data length : 128 bytes
NONCE (Nonce)
Payload data length : 16 bytes
NAT-D (NAT Detection)
Payload data length : 20 bytes
NAT-D (NAT Detection)
Payload data length : 20 bytes

2011-02-08 13:45:38: IkeSnoop: Received IKE packet from YY.YY.YY.203:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0x1f57793f13537fb -> 0x277972b765d338e6
Message ID : 0x00000000
Packet length : 304 bytes
# payloads : 8
Payloads:
KE (Key Exchange)
Payload data length : 128 bytes
NONCE (Nonce)
Payload data length : 20 bytes
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Description : CISCO-UNITY
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Description : draft-ietf-ipsec-dpd-00
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : d2 be d5 aa 65 d2 38 e6 d1 d5 f3 98 e2 c8 27 82
Description : (unknown)
VID (Vendor ID)
Payload data length : 8 bytes
Vendor ID : 09 00 26 89 df d6 b7 12
Description : draft-beaulieu-ike-xauth-02
NAT-D (NAT Detection)
Payload data length : 20 bytes
NAT-D (NAT Detection)
Payload data length : 20 bytes

2011-02-08 13:45:38: IkeSnoop: Sending IKE packet to YY.YY.YY.203:4500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0x1f57793f13537fb -> 0x277972b765d338e6
Message ID : 0x00000000
Packet length : 76 bytes
# payloads : 3
Payloads:
ID (Identification)
Payload data length : 8 bytes
ID : ipv4(any:0,[0..3]=XX.XX.XX.5)
HASH (Hash)
Payload data length : 20 bytes
N (Notification)
Payload data length : 8 bytes
Protocol ID : ISAKMP
Notification : Initial contact

2011-02-08 13:45:38: IkeSnoop: Received IKE packet from YY.YY.YY.203:500
2011-02-08 13:45:39: IkeSnoop: Received IKE packet from YY.YY.YY.203:500


Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Tue Feb 08, 2011 14:38

Joined: Thu Jan 17, 2008 16:37
Posts: 478
gzhukov wrote:
Directly,
here is the ikesnoop output:


Description : draft-beaulieu-ike-xauth-02
NAT-D (NAT Detection)
Payload data length : 20 bytes
NAT-D (NAT Detection)
Payload data length : 20 bytes

2011-02-08 13:45:38: IkeSnoop: Sending IKE packet to YY.YY.YY.203:4500

I have used ikesnoop fairly often, but honestly you need a deep understanding of the whole process for it (what I have been able to figure out with it is a wrong key or trivial errors in the basic settings). From what I noticed, your Cisco may be using ike-xauth, and that is the problem, since it is disabled on your DFL.
After that it tries to connect once more, this time over UDP (4500), apparently with the same result.


Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Tue Feb 08, 2011 16:58

Joined: Fri Jul 02, 2010 11:42
Posts: 19
Here are the settings that the Cisco owners sent:
PHASE 1
Authentication Algorithm
SHA-1 or
MD5
Authentication Method
Preshared-Key
Encryption Algorithm
3-DES or
AES-128 or
AES-256
Diffie-Hellman Group
Group 2 (1024-bits)
Negotiation Mode
Main
Lifetime Measurement
Time Lifetime
3600

PHASE 2
Authentication Algorithm
SHA-1 or
MD5
Encryption Algorithm
3-DES or
AES-128 or
AES-256
Encapsulation Mode
Tunnel
Perfect Forward Secrecy
Disabled
Lifetime Measurement
Time Lifetime
86400

Do they differ in any way from mine on the D-Link?
IKE XAuth is not needed.


Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Tue Feb 08, 2011 18:16

Joined: Thu Jan 17, 2008 16:37
Posts: 478
Yes, your DFL settings are all in order; I even find it hard to understand what the problem could be. (If the settings on the other side are of course exactly the same), then everything should have connected.

As an option, send the IKEsnoop output to D-Link support and ask for help. They answer faster there than on the forum; better still, call them, which will be even faster if this is critical for you.


Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Wed Feb 09, 2011 14:49
D-LINK employee

Joined: Mon Aug 17, 2009 17:18
Posts: 7330
Please provide the Cisco logs; I don't quite understand why the first phase does not complete. Are you sure your PSKs are identical?

_________________
The forum does not imply a quick answer; if you want a quick and qualified answer, call D-Link technical support at 8-800-700-5465


Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Wed Feb 09, 2011 15:17

Joined: Fri Jul 02, 2010 11:42
Posts: 19
Here are, I think, those logs
Code:
Feb 3 18:19:50: ISAKMP:(0): processing KE payload. message ID = 0
Feb 3 18:19:50: ISAKMP:(0): processing NONCE payload. message ID = 0
Feb 3 18:19:50: ISAKMP:(0):found peer pre-shared key matching XX.XX.XX.5
Feb 3 18:19:50: ISAKMP:received payload type 20
Feb 3 18:19:50: ISAKMP:received payload type 20
Feb 3 18:19:50: ISAKMP:(15722):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 3 18:19:50: ISAKMP:(15722):Old State = IKE_R_MM3 New State = IKE_R_MM3

Feb 3 18:19:50: ISAKMP:(15722): sending packet to XX.XX.XX.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 3 18:19:50: ISAKMP:(15722):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 3 18:19:50: ISAKMP:(15722):Old State = IKE_R_MM3 New State = IKE_R_MM4

Feb 3 18:19:50: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_KEY_EXCH
Feb 3 18:19:50: ISAKMP: reserved not zero on ID payload!
Feb 3 18:19:50: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.5 failed its sanity check or is malformed
Feb 3 18:19:50: ISAKMP (0:15722): incrementing error counter on sa, attempt 1 of 5: PAYLOAD_MALFORMED
Feb 3 18:19:50: ISAKMP:(15722): sending packet to XX.XX.XX.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 3 18:19:50: ISAKMP (0:15722): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
Feb 3 18:19:50: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_KEY_EXCH
Feb 3 18:19:50: ISAKMP: reserved not zero on ID payload!
Feb 3 18:19:50: ISAKMP (0:15722): incrementing error counter on sa, attempt 3 of 5: PAYLOAD_MALFORMED
Feb 3 18:19:50: ISAKMP:(15722): sending packet to XX.XX.XX.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 3 18:19:50: ISAKMP (0:15722): incrementing error counter on sa, attempt 4 of 5: reset_retransmission
Feb 3 18:19:51: ISAKMP:(15722): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Feb 3 18:19:51: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_KEY_EXCH
Feb 3 18:19:51: ISAKMP: reserved not zero on ID payload!
Feb 3 18:19:51: ISAKMP (0:15722): incrementing error counter on sa, attempt 5 of 5: PAYLOAD_MALFORMED
Feb 3 18:19:51: ISAKMP:(15722):peer does not do paranoid keepalives.

Feb 3 18:19:51: ISAKMP:(15722):deleting SA reason "Death by retransmission throw" state (R) MM_KEY_EXCH (peer XX.XX.XX.5)
Feb 3 18:19:51: ISAKMP (0:15722): incrementing error counter on sa, attempt 6 of 5: reset_retransmission
Feb 3 18:19:51: ISAKMP:(15722):deleting SA reason "Death by retransmission throw" state (R) MM_KEY_EXCH (peer XX.XX.XX.5)
Feb 3 18:19:51: ISAKMP: Unlocking peer struct 0x5CE96F4 for isadb_mark_sa_deleted(), count 0
Feb 3 18:19:51: ISAKMP: Deleting peer node by peer_reap for XX.XX.XX.5: 5CE96F4
Feb 3 18:19:51: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Feb 3 18:19:51: ISAKMP:(15722):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 3 18:19:51: ISAKMP:(15722):Old State = IKE_R_MM4 New State = IKE_DEST_SA

Feb 3 18:19:53: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_NO_STATE
Feb 3 18:19:57: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_NO_STATE
Feb 3 18:19:57: ISAKMP:(15697):purging node 1544643196
Feb 3 18:20:05: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_NO_STATE
Feb 3 18:20:06: ISAKMP: set new node 1833281819 to QM_IDLE
Feb 3 18:20:06: ISAKMP:(15697): processing HASH payload. message ID = 1833281819
Feb 3 18:20:06: ISAKMP:(15697): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1833281819, sa = 64EC914
Feb 3 18:20:06: ISAKMP:(15697):deleting node 1833281819 error FALSE reason "Informational (in) state 1"
Feb 3 18:20:06: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 3 18:20:06: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
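
Added example (not part of the thread, and not Cisco or D-Link code): a small triage script for the `debug crypto isakmp` excerpt posted above. It groups lines by SA id, records which responder main mode states were reached and which errors were counted, and names the point of failure. The function names are hypothetical, and the pre-shared-key hint reflects general IKEv1 behaviour (MM5 is the first message encrypted with keys derived from the PSK), not a conclusion reached in the thread.

```python
import re
from collections import Counter

# Excerpt of the Cisco debug lines posted above, unmodified
# (XX.XX.XX.5 is the thread's own redaction of the DFL address).
SAMPLE = """\
Feb 3 18:19:50: ISAKMP:(15722):Old State = IKE_R_MM3 New State = IKE_R_MM3
Feb 3 18:19:50: ISAKMP:(15722):Old State = IKE_R_MM3 New State = IKE_R_MM4
Feb 3 18:19:50: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_KEY_EXCH
Feb 3 18:19:50: ISAKMP: reserved not zero on ID payload!
Feb 3 18:19:50: ISAKMP (0:15722): incrementing error counter on sa, attempt 1 of 5: PAYLOAD_MALFORMED
Feb 3 18:19:50: ISAKMP (0:15722): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
Feb 3 18:19:50: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_KEY_EXCH
Feb 3 18:19:50: ISAKMP: reserved not zero on ID payload!
Feb 3 18:19:50: ISAKMP (0:15722): incrementing error counter on sa, attempt 3 of 5: PAYLOAD_MALFORMED
Feb 3 18:19:51: ISAKMP:(15722):deleting SA reason "Death by retransmission throw" state (R) MM_KEY_EXCH (peer XX.XX.XX.5)
Feb 3 18:19:51: ISAKMP:(15722):Old State = IKE_R_MM4 New State = IKE_DEST_SA
Feb 3 18:20:06: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
"""

STATE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+)\s+New State = (\S+)")
RECV = re.compile(r"ISAKMP \(\d+:(\d+)\): received packet from (\S+) dport \d+ sport \d+")
ERROR = re.compile(r"ISAKMP \(\d+:(\d+)\): incrementing error counter on sa, "
                   r"attempt \d+ of \d+: (\S+)")
DELETED = re.compile(r'ISAKMP:\((\d+)\):deleting SA reason "([^"]+)" state \(\w\) (\S+)')
ANOMALY = re.compile(r"ISAKMP: (reserved not zero on \w+ payload)")


def new_sa():
    return {"peer": None, "states": [], "errors": Counter(),
            "anomalies": [], "deleted": None}


def triage(log_text):
    """Group debug lines by SA id and record how far each exchange got."""
    sas, last_rx = {}, None
    for line in log_text.splitlines():
        if m := STATE.search(line):
            sa = sas.setdefault(m[1], new_sa())
            if not sa["states"] or sa["states"][-1] != m[3]:
                sa["states"].append(m[3])      # collapse repeated states
        elif m := RECV.search(line):
            sas.setdefault(m[1], new_sa())["peer"] = m[2]
            last_rx = m[1]
        elif m := ERROR.search(line):
            sas.setdefault(m[1], new_sa())["errors"][m[2]] += 1
        elif m := DELETED.search(line):
            sas.setdefault(m[1], new_sa())["deleted"] = (m[2], m[3])
        elif (m := ANOMALY.search(line)) and last_rx:
            # This line carries no SA id; it refers to the packet just received.
            sas[last_rx]["anomalies"].append(m[1])
    return sas


def diagnose(sa):
    """Turn the recorded facts into the point where responder main mode broke."""
    reached = [s for s in sa["states"] if s.startswith("IKE_R_MM")]
    if sa["states"] and sa["states"][-1] == "IKE_P1_COMPLETE":
        return "phase 1 complete"
    if reached and reached[-1] == "IKE_R_MM4" and sa["anomalies"]:
        # IKE_R_MM4: the responder has sent MM4 and waits for the encrypted MM5.
        return ("SA proposal and key exchange accepted (MM1-MM4); the peer's MM5, "
                "the first encrypted message, did not parse after decryption: "
                "compare the pre-shared key on both peers")
    if reached:
        return f"main mode stopped after {reached[-1]}"
    return "no main mode exchange seen"


if __name__ == "__main__":
    for sa_id, sa in triage(SAMPLE).items():
        print(sa_id, sa["peer"], sa["states"], dict(sa["errors"]), sa["deleted"])
        print("  ->", diagnose(sa))
```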


Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Wed Feb 09, 2011 16:37

Joined: Fri Jul 02, 2010 11:42
Posts: 19
The firmware is the latest. The PSK is correct, since the Cisco config sent to me also included the PSK and I checked it. The PSK contained the characters ! and <. Does the D-Link handle them correctly?


Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Thu Feb 10, 2011 11:11
D-LINK employee

Joined: Wed Jul 04, 2007 13:48
Posts: 7031
Location: D-Link. Moscow
Can you provide the ipsec debug from the Cisco? Judging by ikesnoop and the Cisco, the devices blame each other. On the DFL side, according to ikesnoop, the DFL finishes the first phase, i.e. the key exchange was performed, but the Cisco does not continue the connection; on the Cisco side the situation is also very interesting.

Which IOS version?

_________________
Messages in PM are ignored; ask your questions on the forum.


Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Thu Feb 10, 2011 13:11

Joined: Fri Jul 02, 2010 11:42
Posts: 19
I can't give an exact answer about the IOS yet, but the box in place is c7200p-advsecurityk9-mz.124-4.XD7

Here is the full debug; 91.213.ZZ.ZZ does not seem to be related to my connection.

Code:
Feb 3 18:19:27: ISAKMP (0:15697): received packet from 91.213.ZZ.ZZ dport 500 sport 500 TEST_Direct (R) QM_IDLE
Feb 3 18:19:27: ISAKMP: set new node 22495338 to QM_IDLE
Feb 3 18:19:27: ISAKMP:(15697): processing HASH payload. message ID = 22495338
Feb 3 18:19:27: ISAKMP:(15697): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 22495338, sa = 64EC914
Feb 3 18:19:27: ISAKMP:(15697):deleting node 22495338 error FALSE reason "Informational (in) state 1"
Feb 3 18:19:27: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 3 18:19:27: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
debug crypto ipsec
Feb 3 18:19:27: ISAKMP:(15697):DPD/R_U_THERE received from peer 91.213.ZZ.ZZ, sequence 0x8B83901
Feb 3 18:19:27: ISAKMP: set new node -1676220755 to QM_IDLE
Feb 3 18:19:27: ISAKMP:(15697):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 99556304, message ID = -1676220755
Feb 3 18:19:27: ISAKMP:(15697): seq. no 0x8B83901
Feb 3 18:19:27: ISAKMP:(15697): sending packet to 91.213.ZZ.ZZ my_port 500 peer_port 500 (R) QM_IDLE
Feb 3 18:19:27: ISAKMP:(15697):purging node -1676220755
Feb 3 18:19:27: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Feb 3 18:19:27: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:19:28: ISAKMP:(15697):purging node -680386247
Feb 3 18:19:37: ISAKMP (0:15697): received packet from 91.213.ZZ.ZZ dport 500 sport 500 TEST_Direct (R) QM_IDLE
Feb 3 18:19:37: ISAKMP: set new node 1456067377 to QM_IDLE
Feb 3 18:19:37: ISAKMP:(15697): processing HASH payload. message ID = 1456067377
Feb 3 18:19:37: ISAKMP:(15697): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1456067377, sa = 64EC914
Feb 3 18:19:37: ISAKMP:(15697):deleting node 1456067377 error FALSE reason "Informational (in) state 1"
Feb 3 18:19:37: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 3 18:19:37: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:19:37: ISAKMP:(15697):DPD/R_U_THERE received from peer 91.213.ZZ.ZZ, sequence 0x8B83902
Feb 3 18:19:37: ISAKMP: set new node -1733589662 to QM_IDLE
Feb 3 18:19:37: ISAKMP:(15697):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 99556304, message ID = -1733589662
Feb 3 18:19:37: ISAKMP:(15697): seq. no 0x8B83902
Feb 3 18:19:37: ISAKMP:(15697): sending packet to 91.213.ZZ.ZZ my_port 500 peer_port 500 (R) QM_IDLE
Feb 3 18:19:37: ISAKMP:(15697):purging node -1733589662
Feb 3 18:19:37: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Feb 3 18:19:37: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:19:41: ISAKMP:(15721):purging SA., sa=4C704E0, delme=4C704E0
Feb 3 18:19:50: ISAKMP (0:0): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (N) NEW SA
Feb 3 18:19:50: ISAKMP: Created a peer struct for XX.XX.XX.5, peer port 500
Feb 3 18:19:50: ISAKMP: New peer created peer = 0x5CE96F4 peer_handle = 0x80003540
Feb 3 18:19:50: ISAKMP: Locking peer struct 0x5CE96F4, refcount 1 for crypto_isakmp_process_block
Feb 3 18:19:50: ISAKMP: local port 500, remote port 500
Feb 3 18:19:50: insert sa successfully sa = 4C704E0
Feb 3 18:19:50: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 3 18:19:50: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Feb 3 18:19:50: ISAKMP:(0): processing SA payload. message ID = 0
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 33 mismatch
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Feb 3 18:19:50: ISAKMP:(0): vendor ID is NAT-T v2
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Feb 3 18:19:50: ISAKMP:(0): vendor ID is NAT-T v3
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID is DPD
Feb 3 18:19:50: ISAKMP:(0):found peer pre-shared key matching XX.XX.XX.5
Feb 3 18:19:50: ISAKMP:(0): local preshared key found
Feb 3 18:19:50: ISAKMP : Scanning profiles for xauth ... TEST_DC
Feb 3 18:19:50: ISAKMP:(0):Checking ISAKMP transform 0 against priority 10 policy
Feb 3 18:19:50: ISAKMP: encryption AES-CBC
Feb 3 18:19:50: ISAKMP: keylength of 128
Feb 3 18:19:50: ISAKMP: hash MD5
Feb 3 18:19:50: ISAKMP: auth pre-share
Feb 3 18:19:50: ISAKMP: default group 2
Feb 3 18:19:50: ISAKMP: life type in seconds
Feb 3 18:19:50: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:19:50: ISAKMP:(0):Hash algorithm offered does not match policy!
Feb 3 18:19:50: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 3 18:19:50: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Feb 3 18:19:50: ISAKMP: encryption AES-CBC
Feb 3 18:19:50: ISAKMP: keylength of 128
Feb 3 18:19:50: ISAKMP: hash SHA
Feb 3 18:19:50: ISAKMP: auth pre-share
Feb 3 18:19:50: ISAKMP: default group 2
Feb 3 18:19:50: ISAKMP: life type in seconds
Feb 3 18:19:50: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:19:50: ISAKMP:(0):Proposed key length does not match policy
Feb 3 18:19:50: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 3 18:19:50: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
Feb 3 18:19:50: ISAKMP: encryption 3DES-CBC
Feb 3 18:19:50: ISAKMP: hash MD5
Feb 3 18:19:50: ISAKMP: auth pre-share
Feb 3 18:19:50: ISAKMP: default group 2
Feb 3 18:19:50: ISAKMP: life type in seconds
Feb 3 18:19:50: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:19:50: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 3 18:19:50: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 3 18:19:50: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
Feb 3 18:19:50: ISAKMP: encryption 3DES-CBC
Feb 3 18:19:50: ISAKMP: hash SHA
Feb 3 18:19:50: ISAKMP: auth pre-share
Feb 3 18:19:50: ISAKMP: default group 2
Feb 3 18:19:50: ISAKMP: life type in seconds
Feb 3 18:19:50: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:19:50: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 3 18:19:50: ISAKMP:(0):atts are not acceptable. Next payload is 0
Feb 3 18:19:50: ISAKMP:(0):Checking ISAKMP transform 0 against priority 20 policy
Feb 3 18:19:50: ISAKMP: encryption AES-CBC
Feb 3 18:19:50: ISAKMP: keylength of 128
Feb 3 18:19:50: ISAKMP: hash MD5
Feb 3 18:19:50: ISAKMP: auth pre-share
Feb 3 18:19:50: ISAKMP: default group 2
Feb 3 18:19:50: ISAKMP: life type in seconds
Feb 3 18:19:50: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:19:50: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 3 18:19:50: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 3 18:19:50: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
Feb 3 18:19:50: ISAKMP: encryption AES-CBC
Feb 3 18:19:50: ISAKMP: keylength of 128
Feb 3 18:19:50: ISAKMP: hash SHA
Feb 3 18:19:50: ISAKMP: auth pre-share
Feb 3 18:19:50: ISAKMP: default group 2
Feb 3 18:19:50: ISAKMP: life type in seconds
Feb 3 18:19:50: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:19:50: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 3 18:19:50: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 3 18:19:50: ISAKMP:(0):Checking ISAKMP transform 2 against priority 20 policy
Feb 3 18:19:50: ISAKMP: encryption 3DES-CBC
Feb 3 18:19:50: ISAKMP: hash MD5
Feb 3 18:19:50: ISAKMP: auth pre-share
Feb 3 18:19:50: ISAKMP: default group 2
Feb 3 18:19:50: ISAKMP: life type in seconds
Feb 3 18:19:50: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:19:50: ISAKMP:(0):Hash algorithm offered does not match policy!
Feb 3 18:19:50: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 3 18:19:50: ISAKMP:(0):Checking ISAKMP transform 3 against priority 20 policy
Feb 3 18:19:50: ISAKMP: encryption 3DES-CBC
Feb 3 18:19:50: ISAKMP: hash SHA
Feb 3 18:19:50: ISAKMP: auth pre-share
Feb 3 18:19:50: ISAKMP: default group 2
Feb 3 18:19:50: ISAKMP: life type in seconds
Feb 3 18:19:50: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:19:50: ISAKMP:(0):atts are acceptable. Next payload is 0
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 33 mismatch
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Feb 3 18:19:50: ISAKMP:(0): vendor ID is NAT-T v2
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Feb 3 18:19:50: ISAKMP:(0): vendor ID is NAT-T v3
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb 3 18:19:50: ISAKMP:(0): processing vendor id payload
Feb 3 18:19:50: ISAKMP:(0): vendor ID is DPD
Feb 3 18:19:50: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 3 18:19:50: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Feb 3 18:19:50: ISAKMP:(0): constructed NAT-T vendor-03 ID
Feb 3 18:19:50: ISAKMP:(0): sending packet to XX.XX.XX.5 my_port 500 peer_port 500 (R) MM_SA_SETUP
Feb 3 18:19:50: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 3 18:19:50: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Feb 3 18:19:50: ISAKMP (0:0): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_SA_SETUP
Feb 3 18:19:50: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 3 18:19:50: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Feb 3 18:19:50: ISAKMP:(0): processing KE payload. message ID = 0
Feb 3 18:19:50: ISAKMP:(0): processing NONCE payload. message ID = 0
Feb 3 18:19:50: ISAKMP:(0):found peer pre-shared key matching XX.XX.XX.5
Feb 3 18:19:50: ISAKMP:received payload type 20
Feb 3 18:19:50: ISAKMP:received payload type 20
Feb 3 18:19:50: ISAKMP:(15722):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 3 18:19:50: ISAKMP:(15722):Old State = IKE_R_MM3 New State = IKE_R_MM3

Feb 3 18:19:50: ISAKMP:(15722): sending packet to XX.XX.XX.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 3 18:19:50: ISAKMP:(15722):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 3 18:19:50: ISAKMP:(15722):Old State = IKE_R_MM3 New State = IKE_R_MM4

Feb 3 18:19:50: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_KEY_EXCH
Feb 3 18:19:50: ISAKMP: reserved not zero on ID payload!
Feb 3 18:19:50: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.5 failed its sanity check or is malformed
Feb 3 18:19:50: ISAKMP (0:15722): incrementing error counter on sa, attempt 1 of 5: PAYLOAD_MALFORMED
Feb 3 18:19:50: ISAKMP:(15722): sending packet to XX.XX.XX.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 3 18:19:50: ISAKMP (0:15722): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
Feb 3 18:19:50: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_KEY_EXCH
Feb 3 18:19:50: ISAKMP: reserved not zero on ID payload!
Feb 3 18:19:50: ISAKMP (0:15722): incrementing error counter on sa, attempt 3 of 5: PAYLOAD_MALFORMED
Feb 3 18:19:50: ISAKMP:(15722): sending packet to XX.XX.XX.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 3 18:19:50: ISAKMP (0:15722): incrementing error counter on sa, attempt 4 of 5: reset_retransmission
Feb 3 18:19:51: ISAKMP:(15722): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Feb 3 18:19:51: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_KEY_EXCH
Feb 3 18:19:51: ISAKMP: reserved not zero on ID payload!
Feb 3 18:19:51: ISAKMP (0:15722): incrementing error counter on sa, attempt 5 of 5: PAYLOAD_MALFORMED
Feb 3 18:19:51: ISAKMP:(15722):peer does not do paranoid keepalives.

Feb 3 18:19:51: ISAKMP:(15722):deleting SA reason "Death by retransmission throw" state (R) MM_KEY_EXCH (peer XX.XX.XX.5)
Feb 3 18:19:51: ISAKMP (0:15722): incrementing error counter on sa, attempt 6 of 5: reset_retransmission
Feb 3 18:19:51: ISAKMP:(15722):deleting SA reason "Death by retransmission throw" state (R) MM_KEY_EXCH (peer XX.XX.XX.5)
Feb 3 18:19:51: ISAKMP: Unlocking peer struct 0x5CE96F4 for isadb_mark_sa_deleted(), count 0
Feb 3 18:19:51: ISAKMP: Deleting peer node by peer_reap for XX.XX.XX.5: 5CE96F4
Feb 3 18:19:51: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Feb 3 18:19:51: ISAKMP:(15722):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 3 18:19:51: ISAKMP:(15722):Old State = IKE_R_MM4 New State = IKE_DEST_SA

Feb 3 18:19:53: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_NO_STATE
Feb 3 18:19:57: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_NO_STATE
Feb 3 18:19:57: ISAKMP:(15697):purging node 1544643196
Feb 3 18:20:05: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_NO_STATE
Feb 3 18:20:06: ISAKMP (0:15697): received packet from 91.213.ZZ.ZZ dport 500 sport 500 TEST_Direct (R) QM_IDLE
Feb 3 18:20:06: ISAKMP: set new node 1833281819 to QM_IDLE
Feb 3 18:20:06: ISAKMP:(15697): processing HASH payload. message ID = 1833281819
Feb 3 18:20:06: ISAKMP:(15697): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1833281819, sa = 64EC914
Feb 3 18:20:06: ISAKMP:(15697):deleting node 1833281819 error FALSE reason "Informational (in) state 1"
Feb 3 18:20:06: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 3 18:20:06: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:20:06: ISAKMP:(15697):DPD/R_U_THERE received from peer 91.213.ZZ.ZZ, sequence 0x8B83903
Feb 3 18:20:06: ISAKMP: set new node -1572851113 to QM_IDLE
Feb 3 18:20:06: ISAKMP:(15697):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 99556304, message ID = -1572851113
Feb 3 18:20:06: ISAKMP:(15697): seq. no 0x8B83903
Feb 3 18:20:06: ISAKMP:(15697): sending packet to 91.213.ZZ.ZZ my_port 500 peer_port 500 (R) QM_IDLE
Feb 3 18:20:06: ISAKMP:(15697):purging node -1572851113
Feb 3 18:20:06: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Feb 3 18:20:06: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:20:07: ISAKMP:(15697):purging node -1253042868
Feb 3 18:20:16: ISAKMP (0:15697): received packet from 91.213.ZZ.ZZ dport 500 sport 500 TEST_Direct (R) QM_IDLE
Feb 3 18:20:16: ISAKMP: set new node -893855766 to QM_IDLE
Feb 3 18:20:16: ISAKMP:(15697): processing HASH payload. message ID = -893855766
Feb 3 18:20:16: ISAKMP:(15697): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -893855766, sa = 64EC914
Feb 3 18:20:16: ISAKMP:(15697):deleting node -893855766 error FALSE reason "Informational (in) state 1"
Feb 3 18:20:16: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 3 18:20:16: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:20:16: ISAKMP:(15697):DPD/R_U_THERE received from peer 91.213.ZZ.ZZ, sequence 0x8B83904
Feb 3 18:20:16: ISAKMP: set new node -1369450272 to QM_IDLE
Feb 3 18:20:16: ISAKMP:(15697):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 99556304, message ID = -1369450272
Feb 3 18:20:16: ISAKMP:(15697): seq. no 0x8B83904
Feb 3 18:20:16: ISAKMP:(15697): sending packet to 91.213.ZZ.ZZ my_port 500 peer_port 500 (R) QM_IDLE
Feb 3 18:20:16: ISAKMP:(15697):purging node -1369450272
Feb 3 18:20:16: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Feb 3 18:20:16: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:20:17: ISAKMP:(15697):purging node 22495338
Feb 3 18:20:21: ISAKMP (0:15722): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_NO_STATE
Feb 3 18:20:26: ISAKMP (0:15697): received packet from 91.213.ZZ.ZZ dport 500 sport 500 TEST_Direct (R) QM_IDLE
Feb 3 18:20:26: ISAKMP: set new node -283372215 to QM_IDLE
Feb 3 18:20:26: ISAKMP:(15697): processing HASH payload. message ID = -283372215
Feb 3 18:20:26: ISAKMP:(15697): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -283372215, sa = 64EC914
Feb 3 18:20:26: ISAKMP:(15697):deleting node -283372215 error FALSE reason "Informational (in) state 1"
Feb 3 18:20:26: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 3 18:20:26: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:20:26: ISAKMP:(15697):DPD/R_U_THERE received from peer 91.213.ZZ.ZZ, sequence 0x8B83905
Feb 3 18:20:26: ISAKMP: set new node -290646524 to QM_IDLE
Feb 3 18:20:26: ISAKMP:(15697):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 99556304, message ID = -290646524
Feb 3 18:20:26: ISAKMP:(15697): seq. no 0x8B83905
Feb 3 18:20:26: ISAKMP:(15697): sending packet to 91.213.ZZ.ZZ my_port 500 peer_port 500 (R) QM_IDLE
Feb 3 18:20:26: ISAKMP:(15697):purging node -290646524
Feb 3 18:20:26: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Feb 3 18:20:26: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:20:27: ISAKMP:(15697):purging node 1456067377
Feb 3 18:20:36: ISAKMP (0:15697): received packet from 91.213.ZZ.ZZ dport 500 sport 500 TEST_Direct (R) QM_IDLE
Feb 3 18:20:36: ISAKMP: set new node -779277500 to QM_IDLE
Feb 3 18:20:36: ISAKMP:(15697): processing HASH payload. message ID = -779277500
Feb 3 18:20:36: ISAKMP:(15697): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -779277500, sa = 64EC914
Feb 3 18:20:36: ISAKMP:(15697):deleting node -779277500 error FALSE reason "Informational (in) state 1"
Feb 3 18:20:36: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 3 18:20:36: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:20:36: ISAKMP:(15697):DPD/R_U_THERE received from peer 91.213.ZZ.ZZ, sequence 0x8B83906
Feb 3 18:20:36: ISAKMP: set new node -586699832 to QM_IDLE
Feb 3 18:20:36: ISAKMP:(15697):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 99556304, message ID = -586699832
Feb 3 18:20:36: ISAKMP:(15697): seq. no 0x8B83906
Feb 3 18:20:36: ISAKMP:(15697): sending packet to 91.213.ZZ.ZZ my_port 500 peer_port 500 (R) QM_IDLE
Feb 3 18:20:36: ISAKMP:(15697):purging node -586699832
Feb 3 18:20:36: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Feb 3 18:20:36: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:20:51: ISAKMP:(15722):purging SA., sa=4C704E0, delme=4C704E0
Feb 3 18:20:56: ISAKMP:(15697):purging node 1833281819
Feb 3 18:21:00: ISAKMP (0:0): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (N) NEW SA
Feb 3 18:21:00: ISAKMP: Created a peer struct for XX.XX.XX.5, peer port 500
Feb 3 18:21:00: ISAKMP: New peer created peer = 0x5CE96F4 peer_handle = 0x80000EDB
Feb 3 18:21:00: ISAKMP: Locking peer struct 0x5CE96F4, refcount 1 for crypto_isakmp_process_block
Feb 3 18:21:00: ISAKMP: local port 500, remote port 500
Feb 3 18:21:00: insert sa successfully sa = 4C704E0
Feb 3 18:21:00: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 3 18:21:00: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Feb 3 18:21:00: ISAKMP:(0): processing SA payload. message ID = 0
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 33 mismatch
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Feb 3 18:21:00: ISAKMP:(0): vendor ID is NAT-T v2
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Feb 3 18:21:00: ISAKMP:(0): vendor ID is NAT-T v3
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID is DPD
Feb 3 18:21:00: ISAKMP:(0):found peer pre-shared key matching XX.XX.XX.5
Feb 3 18:21:00: ISAKMP:(0): local preshared key found
Feb 3 18:21:00: ISAKMP : Scanning profiles for xauth ... TEST_DC
Feb 3 18:21:00: ISAKMP:(0):Checking ISAKMP transform 0 against priority 10 policy
Feb 3 18:21:00: ISAKMP: encryption AES-CBC
Feb 3 18:21:00: ISAKMP: keylength of 128
Feb 3 18:21:00: ISAKMP: hash MD5
Feb 3 18:21:00: ISAKMP: auth pre-share
Feb 3 18:21:00: ISAKMP: default group 2
Feb 3 18:21:00: ISAKMP: life type in seconds
Feb 3 18:21:00: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:21:00: ISAKMP:(0):Hash algorithm offered does not match policy!
Feb 3 18:21:00: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 3 18:21:00: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Feb 3 18:21:00: ISAKMP: encryption AES-CBC
Feb 3 18:21:00: ISAKMP: keylength of 128
Feb 3 18:21:00: ISAKMP: hash SHA
Feb 3 18:21:00: ISAKMP: auth pre-share
Feb 3 18:21:00: ISAKMP: default group 2
Feb 3 18:21:00: ISAKMP: life type in seconds
Feb 3 18:21:00: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:21:00: ISAKMP:(0):Proposed key length does not match policy
Feb 3 18:21:00: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 3 18:21:00: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
Feb 3 18:21:00: ISAKMP: encryption 3DES-CBC
Feb 3 18:21:00: ISAKMP: hash MD5
Feb 3 18:21:00: ISAKMP: auth pre-share
Feb 3 18:21:00: ISAKMP: default group 2
Feb 3 18:21:00: ISAKMP: life type in seconds
Feb 3 18:21:00: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:21:00: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 3 18:21:00: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 3 18:21:00: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
Feb 3 18:21:00: ISAKMP: encryption 3DES-CBC
Feb 3 18:21:00: ISAKMP: hash SHA
Feb 3 18:21:00: ISAKMP: auth pre-share
Feb 3 18:21:00: ISAKMP: default group 2
Feb 3 18:21:00: ISAKMP: life type in seconds
Feb 3 18:21:00: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:21:00: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 3 18:21:00: ISAKMP:(0):atts are not acceptable. Next payload is 0
Feb 3 18:21:00: ISAKMP:(0):Checking ISAKMP transform 0 against priority 20 policy
Feb 3 18:21:00: ISAKMP: encryption AES-CBC
Feb 3 18:21:00: ISAKMP: keylength of 128
Feb 3 18:21:00: ISAKMP: hash MD5
Feb 3 18:21:00: ISAKMP: auth pre-share
Feb 3 18:21:00: ISAKMP: default group 2
Feb 3 18:21:00: ISAKMP: life type in seconds
Feb 3 18:21:00: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:21:00: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 3 18:21:00: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 3 18:21:00: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
Feb 3 18:21:00: ISAKMP: encryption AES-CBC
Feb 3 18:21:00: ISAKMP: keylength of 128
Feb 3 18:21:00: ISAKMP: hash SHA
Feb 3 18:21:00: ISAKMP: auth pre-share
Feb 3 18:21:00: ISAKMP: default group 2
Feb 3 18:21:00: ISAKMP: life type in seconds
Feb 3 18:21:00: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:21:00: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 3 18:21:00: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 3 18:21:00: ISAKMP:(0):Checking ISAKMP transform 2 against priority 20 policy
Feb 3 18:21:00: ISAKMP: encryption 3DES-CBC
Feb 3 18:21:00: ISAKMP: hash MD5
Feb 3 18:21:00: ISAKMP: auth pre-share
Feb 3 18:21:00: ISAKMP: default group 2
Feb 3 18:21:00: ISAKMP: life type in seconds
Feb 3 18:21:00: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:21:00: ISAKMP:(0):Hash algorithm offered does not match policy!
Feb 3 18:21:00: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 3 18:21:00: ISAKMP:(0):Checking ISAKMP transform 3 against priority 20 policy
Feb 3 18:21:00: ISAKMP: encryption 3DES-CBC
Feb 3 18:21:00: ISAKMP: hash SHA
Feb 3 18:21:00: ISAKMP: auth pre-share
Feb 3 18:21:00: ISAKMP: default group 2
Feb 3 18:21:00: ISAKMP: life type in seconds
Feb 3 18:21:00: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 3 18:21:00: ISAKMP:(0):atts are acceptable. Next payload is 0
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 33 mismatch
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Feb 3 18:21:00: ISAKMP:(0): vendor ID is NAT-T v2
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Feb 3 18:21:00: ISAKMP:(0): vendor ID is NAT-T v3
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb 3 18:21:00: ISAKMP:(0): processing vendor id payload
Feb 3 18:21:00: ISAKMP:(0): vendor ID is DPD
Feb 3 18:21:00: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 3 18:21:00: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Feb 3 18:21:00: ISAKMP:(0): constructed NAT-T vendor-03 ID
Feb 3 18:21:00: ISAKMP:(0): sending packet to XX.XX.XX.5 my_port 500 peer_port 500 (R) MM_SA_SETUP
Feb 3 18:21:00: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 3 18:21:00: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Feb 3 18:21:00: ISAKMP (0:0): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_SA_SETUP
Feb 3 18:21:00: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 3 18:21:00: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Feb 3 18:21:00: ISAKMP:(0): processing KE payload. message ID = 0
Feb 3 18:21:00: ISAKMP:(0): processing NONCE payload. message ID = 0
Feb 3 18:21:00: ISAKMP:(0):found peer pre-shared key matching XX.XX.XX.5
Feb 3 18:21:00: ISAKMP:received payload type 20
Feb 3 18:21:00: ISAKMP:received payload type 20
Feb 3 18:21:00: ISAKMP:(15723):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 3 18:21:00: ISAKMP:(15723):Old State = IKE_R_MM3 New State = IKE_R_MM3

Feb 3 18:21:00: ISAKMP:(15723): sending packet to XX.XX.XX.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 3 18:21:00: ISAKMP:(15723):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 3 18:21:00: ISAKMP:(15723):Old State = IKE_R_MM3 New State = IKE_R_MM4

Feb 3 18:21:00: ISAKMP (0:15723): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_KEY_EXCH
Feb 3 18:21:00: ISAKMP: reserved not zero on ID payload!
Feb 3 18:21:00: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.5 failed its sanity check or is malformed
Feb 3 18:21:00: ISAKMP (0:15723): incrementing error counter on sa, attempt 1 of 5: PAYLOAD_MALFORMED
Feb 3 18:21:00: ISAKMP:(15723): sending packet to XX.XX.XX.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 3 18:21:00: ISAKMP (0:15723): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
Feb 3 18:21:00: ISAKMP (0:15723): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_KEY_EXCH
Feb 3 18:21:00: ISAKMP: reserved not zero on ID payload!
Feb 3 18:21:00: ISAKMP (0:15723): incrementing error counter on sa, attempt 3 of 5: PAYLOAD_MALFORMED
Feb 3 18:21:00: ISAKMP:(15723): sending packet to XX.XX.XX.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 3 18:21:00: ISAKMP (0:15723): incrementing error counter on sa, attempt 4 of 5: reset_retransmission
Feb 3 18:21:01: ISAKMP:(15723): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Feb 3 18:21:01: ISAKMP (0:15723): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_KEY_EXCH
Feb 3 18:21:01: ISAKMP: reserved not zero on ID payload!
Feb 3 18:21:01: ISAKMP (0:15723): incrementing error counter on sa, attempt 5 of 5: PAYLOAD_MALFORMED
Feb 3 18:21:01: ISAKMP:(15723):peer does not do paranoid keepalives.

Feb 3 18:21:01: ISAKMP:(15723):deleting SA reason "Death by retransmission throw" state (R) MM_KEY_EXCH (peer XX.XX.XX.5)
Feb 3 18:21:01: ISAKMP (0:15723): incrementing error counter on sa, attempt 6 of 5: reset_retransmission
Feb 3 18:21:01: ISAKMP:(15723):deleting SA reason "Death by retransmission throw" state (R) MM_KEY_EXCH (peer XX.XX.XX.5)
Feb 3 18:21:01: ISAKMP: Unlocking peer struct 0x5CE96F4 for isadb_mark_sa_deleted(), count 0
Feb 3 18:21:01: ISAKMP: Deleting peer node by peer_reap for XX.XX.XX.5: 5CE96F4
Feb 3 18:21:01: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Feb 3 18:21:01: ISAKMP:(15723):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 3 18:21:01: ISAKMP:(15723):Old State = IKE_R_MM4 New State = IKE_DEST_SA

Feb 3 18:21:03: ISAKMP (0:15723): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_NO_STATE
Feb 3 18:21:05: ISAKMP (0:15697): received packet from 91.213.ZZ.ZZ dport 500 sport 500 TEST_Direct (R) QM_IDLE
Feb 3 18:21:05: ISAKMP: set new node 1098450522 to QM_IDLE
Feb 3 18:21:05: ISAKMP:(15697): processing HASH payload. message ID = 1098450522
Feb 3 18:21:05: ISAKMP:(15697): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1098450522, sa = 64EC914
Feb 3 18:21:05: ISAKMP:(15697):deleting node 1098450522 error FALSE reason "Informational (in) state 1"
Feb 3 18:21:05: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 3 18:21:05: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:21:05: ISAKMP:(15697):DPD/R_U_THERE received from peer 91.213.ZZ.ZZ, sequence 0x8B83907
Feb 3 18:21:05: ISAKMP: set new node 1117759990 to QM_IDLE
Feb 3 18:21:05: ISAKMP:(15697):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 99556304, message ID = 1117759990
Feb 3 18:21:05: ISAKMP:(15697): seq. no 0x8B83907
Feb 3 18:21:05: ISAKMP:(15697): sending packet to 91.213.ZZ.ZZ my_port 500 peer_port 500 (R) QM_IDLE
Feb 3 18:21:05: ISAKMP:(15697):purging node 1117759990
Feb 3 18:21:05: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Feb 3 18:21:05: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Feb 3 18:21:06: ISAKMP:(15697):purging node -893855766
Feb 3 18:21:07: ISAKMP (0:15723): received packet from XX.XX.XX.5 dport 500 sport 500 TEST_Direct (R) MM_NO_STATEund a
Feb 3 18:21:15: ISAKMP (0:15697): received packet from 91.213.ZZ.ZZ dport 500 sport 500 TEST_Direct (R) QM_IDLE
Feb 3 18:21:15: ISAKMP: set new node -548881405 to QM_IDLE
Feb 3 18:21:15: ISAKMP:(15697): processing HASH payload. message ID = -548881405
Feb 3 18:21:15: ISAKMP:(15697): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -548881405, sa = 64EC914
Feb 3 18:21:15: ISAKMP:(15697):deleting node -548881405 error FALSE reason "Informational (in) state 1"
Feb 3 18:21:15: ISAKMP:(15697):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 3 18:21:15: ISAKMP:(15697):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE


 Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Thu Feb 10, 2011 13:42
D-LINK employee

Joined: Wed Jul 04, 2007 13:48
Posts: 7031
Location: D-Link. Moscow
I tested with IOS c1700-advsecurityk9-mz.124-25c.bin and c1700-adventerprisek9-mz.124-19.bin, with a configuration similar to yours, and had no problems bringing up the tunnel. You are not running the latest IOS; that may be the problem.

The DFL was tested on firmware 2.27.03.

-------------------
crypto isakmp key 1234567890 address x.x.x.x

crypto isakmp policy 12
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800

crypto ipsec transform-set DFL esp-3des esp-md5-hmac

crypto map D200 12 ipsec-isakmp
set peer x.x.x.x
set transform-set DFL
match address 110

access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
--------------------------
I am not including the interface settings; they are not relevant.

_________________
PMs are ignored; ask your questions on the forum.


 Post subject: Re: IPsec tunnel does not come up, DFL-1600
Posted: Mon Feb 28, 2011 11:39

Joined: Fri Jul 02, 2010 11:42
Posts: 19
In the end I got IPsec up on a Cisco ASA, and the tunnel would not come up until I had written the ACLs as mirror images, right down to the permitted ports. On the D-Link, as I understand it, IP rules play no part in bringing up the IPsec tunnel? Or was that not the cause?

