Friends, I haven't crawled out of cisco.com for several days and have reread the similar threads on opennet.ru, but I still can't get IPsec up between a PIX 501 v.6 and a Cisco 2800. The configs of both devices are below. Take a sharp look if you can.
Pix:
LAN-192.168.103.1 255.255.255.240
WAN-a.a.a.61 255.255.255.240
Router:
Lan-189.141.1.252 255.255.0.0
Wan-b.b.b.2 255.255.255.252
-------------------
Pix:
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NacBank
domain-name aaa
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ipsec permit ip 192.168.103.0 255.255.255.240 189.141.0.0 255.255.0.0
access-list nonat permit ip 192.168.103.0 255.255.255.240 189.141.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside a.a.a.61 255.255.255.240
ip address inside 192.168.103.1 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.103.0 255.255.255.240 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 a.a.a.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map forsberg 21 ipsec-isakmp
crypto map forsberg 21 match address ipsec
crypto map forsberg 21 set peer b.b.b.2
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside
isakmp enable outside
isakmp enable outside
isakmp key ******** address b.b.b.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:470836fa592db376008d5aa353b8ce53
: end
------------------------------------------------------
------------------------------------------------------
Router:
D#sh run
Building configuration...
Current configuration : 11503 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname D
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!
aaa session-id common
resource policy
!
ip subnet-zero
!
!
ip cef
ip inspect name 232323 http urlfilter
!
!
ip domain name yourdomain.com
ip urlfilter exclusive-domain deny www.sex.ru
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4105601128
revocation-check none
rsakeypair TP-self-signed-4105601128
!
!
crypto pki certificate chain TP-self-signed-4105601128
certificate self-signed 01
30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
AC581219 0EBF123B D097BC5B E5CFCB10 55F75CB7 6CDBCF86
quit
username fff privilege 15 secret 5 $1$0roh$nMMRrBNOk7k6Bh8Dc.Frt1
username dsd password 0 vvv
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key 123 address a.a.a.61
!
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
!
crypto map vpnmap1 local-address FastEthernet0/0
crypto map vpnmap1 90 ipsec-isakmp
set peer a.a.a.61
set transform-set trans2
match address 109
!
!
!
interface FastEthernet0/0
description to_internet
ip address b.b.b.2 255.255.255.252
ip nat outside
ip virtual-reassembly
ip policy route-map bank
duplex auto
speed auto
crypto map vpnmap2
!
interface FastEthernet0/1
description to_local_network
ip address 189.141.1.252 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip unnumbered FastEthernet0/0
peer default ip address pool testpool
ppp authentication pap chap
!
ip local pool testpool 192.168.111.1 192.168.111.10
ip classless
ip route 0.0.0.0 0.0.0.0 b.b.b.1
!
ip http access-class 24
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 160 interface FastEthernet0/0 overload
!
access-list 23 deny any
access-list 24 permit 189.141.1.13
access-list 109 permit ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.255
access-list 160 deny ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.15
access-list 160 permit ip 189.141.0.0 0.0.255.255 any
route-map bank permit 10
match ip address 165
set ip next-hop 192.168.4.62
!
!
!
control-plane
!
!
banner login ^C
-----------------------------------------------------------------------
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
access-class 23 in
privilege level 15
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
!
end
--------------------------------------------------
Moreover, if I send packets (ping) from the PIX subnet, I can see them arriving at the router, and by all appearances the computers on the router's subnet even reply, but the packets don't come back... =(
Router:
----------------------
D#sh access-lists 160
Extended IP access list 160
10 deny ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.15 (175 matches)
20 permit ip 189.141.0.0 0.0.255.255 any (130 matches)
D#sh access-lists 109
Extended IP access list 109
10 permit ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.255 (358 matches)
D#
--------------------------
Thanks
No leads?
>No leads?
Does the VPN actually come up?
sh crypto isakmp sa
Check whether the packets are matched on the router side:
deb ip packet 109
>>No leads?
>
>
>Does the VPN actually come up?
>sh crypto isakmp sa
D#sh crypto isakmp sa
dst src state conn-id slot status
b.b.b.2 a.a.a.61 QM_IDLE 3 0 ACTIVE
b.b.b.2 a.a.a.61 MM_NO_STATE 2 0 ACTIVE (deleted)
----------------------------
If I stop the ping from the PIX subnet to 189.141.1.252 (the subnet on the router side), it becomes this:
D#sh crypto isakmp sa
dst src state conn-id slot status
b.b.b.2 a.a.a.61 QM_IDLE 3 0 ACTIVE
>
>Check whether the packets are matched on the router side:
>deb ip packet 109
----------------------------
For every packet from the PIX subnet to the router's subnet the following debug comes out:
D#
*Jun 25 12:47:59.747: IP: tableid=0, s=189.141.1.252 (local), d=192.168.103.2 (FastEthernet0/0), routed via FIB
*Jun 25 12:47:59.747: IP: s=189.141.1.252 (local), d=192.168.103.2 (FastEthernet0/0), len 60, sending
*Jun 25 12:47:59.747: IP: s=189.141.1.252 (local), d=192.168.103.2 (FastEthernet0/0), len 60, output crypto map check failed.
On the PIX:
debug crypto ipsec 3
debug crypto isakmp 3
debug crypto ca 3
terminal monitor, and put the logs under a cut.
>On the PIX:
>debug crypto ipsec 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with b.b.b.2
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with b.b.b.2
IPSEC(key_engine_sa_req): setting timer running retry <1>
After sending packets from the local network on the PIX side, the following appears:
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x5f5e371f(1600010015) for SA
from b.b.b.2 to a.a.a.61 for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= b.b.b.2, src= a.a.a.61,
dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= a.a.a.61, src= b.b.b.2,
dest_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4),
src_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x5f5e371f(1600010015), conn_id= 1, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= a.a.a.61, dest= b.b.b.2,
src_proxy= 192.168.103.0/255.255.255.240/0/0 (type=4),
dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x8e225368(2384614248), conn_id= 2, keysize= 0, flags= 0x4
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= b.b.b.2, src= a.a.a.61,
dest_proxy= 192.168.103.0/255.255.255.0/0/0 (type=4),
src_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= b.b.b.2, src= a.a.a.61,
dest_proxy= 189.141.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 192.168.103.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
-----------------------------------------------------------------------------
>debug crypto isakmp 3
ISAKMP msg received
crypto_isakmp_process_block:src:b.b.b.2, dest:a.a.a.61 spt:500 dpt:500
gen_cookie:
fill_sa_key:isadb_search returned sa = 0xa2d24c
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
compute_quick_mode_iv:
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x74a728, len 144
des_encdec:
validate_payload: len 172
valid_payload:
valid_payload:
valid_sa:
valid_transform:
valid_payload:
valid_payload:
valid_payload:
OAK_QM exchange
oakley_process_quick_mode:
ipsec_db_get_ipsec_sa_list:
verify_qm_hash:
ipsec_db_get_ipsec_sa_list:
OAK_QM_IDLE
process_isakmp_packet:
process_sa: mess_id 0x5c92175a
ISAKMP (0): processing SA payload. message ID = 1553078106
check_ipsec_proposal:
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
check_prop: acceptable = 1
snoop_id_payloads:
ISAKMP: IPSec policy invalidated proposal
delete_sa_offers:
ISAKMP (0): SA not acceptable!
ipsec_db_get_ipsec_sa_list:
ISAKMP (0): sending NOTIFY message 14 protocol 3
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
compute_quick_mode_iv:
construct_header: message_id 0x59a3127d
ipsec_db_get_ipsec_sa_list:
construct_blank_hash:
construct_notify:
ipsec_db_get_ipsec_sa_list:
construct_qm_hash:
ipsec_db_get_ipsec_sa_list:
throw: mess_id 0x59a3127d
ipsec_db_get_ipsec_sa_list:
isakmp_ce_encrypt_payload: offset 28, length 124
pix_des_encrypt: data 0xaba5b4, len 104
des_encdec:
send_response:
isakmp_send: ip b.b.b.2, port 500
throw: no state, delete ipsec sa list
ipsec_db_delete_ipsec_sa_list:
ipsec_db_delete_sa_list_entry:
process_sa: DONE - status 0x2
delete_sa_offers:
process_payload failed 0x2
return status is IKMP_ERR_NO_RETRANS
PEER_REAPER_TIMER
---------------------------------------------------------------------------
>debug crypto ca 3
showed nothing =(
>
>terminal monitor, and put the logs under a cut.
About the logs... can you clarify which logs are needed?
Hello. Are there any leads?
>Hello. Are there any leads?
There are leads.
-------------------
Pix:
:
PIX Version 6.3(5)...
access-list ipsec permit ip 192.168.103.0 255.255.255.240 189.141.0.0 255.255.0.0
...
------------------------------------------------------
Router:
D#sh run
Building configuration...
Current configuration : 11503 bytes
!...
access-list 109 permit ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.255
...
The access lists don't match: the mask on the PIX is /28 (255.255.255.240), while on the router it's /24 (0.0.0.255).
It won't work like that :)
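The mismatch in the last reply is exactly what the PIX debug earlier in the thread reports as "IPSEC(validate_transform_proposal): proxy identities not supported": IKE quick mode compares the proxy identities (the crypto ACL networks) for equality, not containment, so a /24 on the router and a /28 on the PIX never agree even though one contains the other. The following script is an added example written for this thread, not code from either poster or from Cisco. It parses the two crypto ACL lines posted above (PIX 6.x syntax with subnet masks, IOS syntax with wildcard masks), normalises both to CIDR, and reports every entry one peer would propose that the other does not list in mirror image. The ACL lines and addresses are the ones from the thread; the "fixed" router line with wildcard 0.0.0.15 is the correction implied by the last reply and is an assumption of this example.

```python
"""Mirror-image check for site-to-site IPsec crypto ACLs (added example).

Parses PIX 6.x and IOS 'access-list ... permit ip A MASK B MASK' entries,
converts them to CIDR networks and lists the IKE quick-mode proxy-ID
mismatches between the two peers. ACL text is taken from the thread;
IOS_CRYPTO_ACL_FIXED is the corrected line assumed by this example.
"""
import ipaddress

# Crypto ACL entries exactly as posted in the thread.
PIX_CRYPTO_ACL = [
    "access-list ipsec permit ip 192.168.103.0 255.255.255.240 189.141.0.0 255.255.0.0",
]
IOS_CRYPTO_ACL_AS_POSTED = [
    "access-list 109 permit ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.255",
]
# Router entry with the wildcard corrected to match the PIX /28 (assumed fix).
IOS_CRYPTO_ACL_FIXED = [
    "access-list 109 permit ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.15",
]


def _network(addr, mask, wildcard):
    """Build an IPv4Network from 'addr mask'. PIX 6.x ACLs carry a subnet
    mask; IOS ACLs carry a wildcard mask, which is inverted first."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_ace(line, wildcard):
    """Return (action, src_net, dst_net) for one 'permit|deny ip ...' entry.

    Accepts the three address forms both platforms use: 'any', 'host A'
    and 'A MASK'."""
    toks = line.split()
    if not toks or toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action = next((t for t in toks if t in ("permit", "deny")), None)
    if action is None:
        raise ValueError(f"no permit/deny keyword in: {line!r}")
    i = toks.index(action) + 1
    if toks[i] != "ip":
        raise ValueError("only 'ip' entries are used as IPsec proxy identities here")
    i += 1
    nets = []
    for _ in range(2):
        if toks[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            i += 1
        elif toks[i] == "host":
            nets.append(ipaddress.IPv4Network(toks[i + 1] + "/32"))
            i += 2
        else:
            nets.append(_network(toks[i], toks[i + 1], wildcard))
            i += 2
    return action, nets[0], nets[1]


def mirror_problems(pix_lines, ios_lines):
    """List quick-mode proxy-ID mismatches between a PIX crypto ACL and an
    IOS crypto ACL.

    Every permitted (local, remote) pair on one peer must appear on the
    other peer as exactly (remote, local). Quick mode checks the identities
    for equality, so a /24 facing a /28 is rejected even though it contains it."""
    pix = [(s, d) for a, s, d in (parse_ace(l, False) for l in pix_lines) if a == "permit"]
    ios = [(s, d) for a, s, d in (parse_ace(l, True) for l in ios_lines) if a == "permit"]
    problems = []
    for src, dst in ios:
        if (dst, src) not in pix:
            problems.append(f"router proposes {src} <-> {dst}; PIX has no ACE {dst} -> {src}")
    for src, dst in pix:
        if (dst, src) not in ios:
            problems.append(f"PIX proposes {src} <-> {dst}; router has no ACE {dst} -> {src}")
    return problems


if __name__ == "__main__":
    for label, ios in (("as posted", IOS_CRYPTO_ACL_AS_POSTED), ("fixed", IOS_CRYPTO_ACL_FIXED)):
        print(f"router ACL 109 {label}:")
        problems = mirror_problems(PIX_CRYPTO_ACL, ios)
        for p in problems:
            print("  " + p)
        if not problems:
            print("  OK: crypto ACLs are mirror images")
```

Run as posted, the script reports the /24 versus /28 disagreement in both directions; with the 0.0.0.15 wildcard it reports nothing. The same parser applied to the router's NAT ACL shows that its `access-list 160 deny ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.15` line already uses the /28, as does the PIX `nonat` list, so only access-list 109 needs to change for the two NAT exemptions and the two crypto ACLs to describe the same traffic.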