Hello, esteemed colleagues.
I'm bringing up IPsec between two Ciscos, and it seems to come up and work, but only if the first packet comes from the right side. Let me explain in more detail with examples.
We encrypt traffic between the networks 10.0.0.0/24 and 10.0.254.0/24. The tunnel is brought up between two loopback interfaces. The physical interfaces also have real IPs.
After configuration, as expected, the sessions are down:
Interface: Loopback0
Session status: DOWN
If I try to ping from 10.0.0.10 -> 10.0.254.1, the pings don't go through, but the sessions go to the state
Interface: Loopback0
Session status: UP-IDLE
And this is on both sides.
As soon as I send a ping from 10.0.254.1 to 10.0.0.10, the sessions immediately become active and the pings start going through.
Interface: Loopback0
Session status: UP-ACTIVE
Peer: 80.250.218.2 port 500
IKE SA: local 82.148.15.64/500 remote 80.250.218.2/500 Active
That is, everything starts working right away as long as I send packets from one particular side. You could leave a ping running just so the tunnel doesn't drop. =(
I hope I've explained the gist of the problem clearly. Now I'll give partial configs of the boxes. The side where the network is 10.0.0.0/24:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key superkey address 82.148.15.64 no-xauth
crypto ipsec transform-set BRANCH_VPN esp-aes 256 esp-sha-hmac
crypto map VPN local-address Loopback1
crypto map VPN client configuration address respond
crypto map VPN 41 ipsec-isakmp
description MO_BACKUP
set peer 82.148.15.64
set transform-set BRANCH_VPN
match address VPN_MO_BACKUP
reverse-route remote-peer 82.148.15.64 static
ip access-list extended VPN_MO_BACKUP
permit ip 10.0.0.0 0.0.0.255 10.0.254.0 0.0.0.255
permit ip host 80.250.218.2 host 82.148.15.64
Config of the second side:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key superkey address 80.250.218.2 no-xauth
crypto ipsec transform-set BRANCH_VPN esp-aes 256 esp-sha-hmac
crypto map VPN local-address Loopback0
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
set peer 80.250.218.2
set transform-set BRANCH_VPN
set pfs group2
match address VPN_MO9
reverse-route remote-peer 80.250.218.2 static
ip access-list extended VPN_MO9
permit ip host 82.148.15.64 host 80.250.218.2
permit ip 10.0.254.0 0.0.0.255 10.0.0.0 0.0.0.255
The configs are real but heavily trimmed. Everything looks absolutely fine, but it doesn't work as desired, even though all the routes show up correctly and all packets between the routers' real interfaces pass without problems.
So the question is more of a theoretical one. How is it possible that if you start pinging from one side, the tunnel comes up immediately and packets flow, but if on a down session you start pinging from the other side, the session goes to UP-IDLE and packets don't pass until the first packet arrives from the other side??? I've already racked my brains. A week of struggling. I've tried every ACL variant, but nothing helps =(((
Here are the connection setup logs from the side that has 10.0.254.0/24:
Jun 28 18:10:57.491: ISAKMP:(0:28:HW:2):deleting SA reason "No reason" state (R) QM_IDLE (peer 80.250.218.2)
Jun 28 18:10:57.491: ISAKMP:(0:28:HW:2):deleting node 687874368 error FALSE reason "Informational (in) state 1"
Jun 28 18:10:57.491: ISAKMP:(0:28:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 28 18:10:57.491: ISAKMP:(0:28:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):deleting SA reason "No reason" state (R) QM_IDLE (peer 80.250.218.2)
Jun 28 18:10:57.495: ISAKMP: Unlocking IKE struct 0x658C3FD0 for isadb_mark_sa_deleted(), count 0
Jun 28 18:10:57.495: ISAKMP: Deleting peer node by peer_reap for 80.250.218.2: 658C3FD0
Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):deleting node 876229975 error FALSE reason "IKE deleted"
Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):deleting node 687874368 error FALSE reason "IKE deleted"
Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 28 18:10:57.495: ISAKMP:(0:28:HW:2):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Jun 28 18:11:29.355: ISAKMP: received ke message (1/1)
Jun 28 18:11:29.355: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jun 28 18:11:29.355: ISAKMP: Created a peer struct for 80.250.218.2, peer port 500
Jun 28 18:11:29.355: ISAKMP: New peer created peer = 0x646608C8 peer_handle = 0x80000015
Jun 28 18:11:29.355: ISAKMP: Locking peer struct 0x646608C8, IKE refcount 1 for isakmp_initiator
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Setting client config settings 6466AE28
Jun 28 18:11:29.359: ISAKMP: local port 500, remote port 500
Jun 28 18:11:29.359: ISAKMP: set new node 0 to QM_IDLE
Jun 28 18:11:29.359: insert sa successfully sa = 646BBE68
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Looking for a matching key for 80.250.218.2 in default
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): : success
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 80.250.218.2
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jun 28 18:11:29.359: ISAKMP:(0:0:N/A:0): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 28 18:11:29.371: ISAKMP (0:0): received packet from 80.250.218.2 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 28 18:11:29.371: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 28 18:11:29.371: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Jun 28 18:11:29.371: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
Jun 28 18:11:29.375: ISAKMP (0:0): vendor ID is NAT-T v7
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0):Looking for a matching key for 80.250.218.2 in default
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0): : success
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 80.250.218.2
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0): local preshared key found
Jun 28 18:11:29.375: ISAKMP : Scanning profiles for xauth ...
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Jun 28 18:11:29.375: ISAKMP: encryption AES-CBC
Jun 28 18:11:29.375: ISAKMP: keylength of 256
Jun 28 18:11:29.375: ISAKMP: hash SHA
Jun 28 18:11:29.375: ISAKMP: default group 2
Jun 28 18:11:29.375: ISAKMP: auth pre-share
Jun 28 18:11:29.375: ISAKMP: life type in seconds
Jun 28 18:11:29.375: ISAKMP: life duration (basic) of 3600
Jun 28 18:11:29.375: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2): processing vendor id payload
Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2): vendor ID seems Unity/DPD but major 245 mismatch
Jun 28 18:11:29.383: ISAKMP (0:268435485): vendor ID is NAT-T v7
Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM2 New State = IKE_I_MM2
Jun 28 18:11:29.383: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 28 18:11:29.387: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 28 18:11:29.387: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM2 New State = IKE_I_MM3
Jun 28 18:11:29.403: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 28 18:11:29.403: ISAKMP:(0:29:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 28 18:11:29.403: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jun 28 18:11:29.403: ISAKMP:(0:29:HW:2): processing KE payload. message ID = 0
Jun 28 18:11:29.411: ISAKMP:(0:29:HW:2): processing NONCE payload. message ID = 0
Jun 28 18:11:29.411: ISAKMP:(0:0:N/A:0):Looking for a matching key for 80.250.218.2 in default
Jun 28 18:11:29.411: ISAKMP:(0:0:N/A:0): : success
Jun 28 18:11:29.411: ISAKMP:(0:29:HW:2):found peer pre-shared key matching 80.250.218.2
Jun 28 18:11:29.411: ISAKMP:(0:0:N/A:0):Looking for a matching key for 80.250.218.2 in default
Jun 28 18:11:29.411: ISAKMP:(0:0:N/A:0): : success
Jun 28 18:11:29.411: ISAKMP:(0:29:HW:2):found peer pre-shared key matching 80.250.218.2
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2):SKEYID state generated
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): processing vendor id payload
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): vendor ID is Unity
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): processing vendor id payload
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): vendor ID is DPD
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): processing vendor id payload
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2): speaking to another IOS box!
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 28 18:11:29.415: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM4
Jun 28 18:11:29.419: ISAKMP:(0:29:HW:2):Send initial contact
Jun 28 18:11:29.419: ISAKMP:(0:29:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 28 18:11:29.419: ISAKMP (0:268435485): ID payload
next-payload : 8
type : 1
address : 82.148.15.64
protocol : 17
port : 500
length : 12
Jun 28 18:11:29.419: ISAKMP:(0:29:HW:2):Total payload length: 12
Jun 28 18:11:29.423: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jun 28 18:11:29.423: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 28 18:11:29.423: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jun 28 18:11:29.427: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2): processing ID payload. message ID = 0
Jun 28 18:11:29.431: ISAKMP (0:268435485): ID payload
next-payload : 8
type : 1
address : 80.250.218.2
protocol : 17
port : 500
length : 12
Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2):: peer matches *none* of the profiles
Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2): processing HASH payload. message ID = 0
Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2):SA authentication status:
authenticated
Jun 28 18:11:29.431: ISAKMP:(0:29:HW:2):SA has been authenticated with 80.250.218.2
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):IKE_DPD is enabled, initializing timers
Jun 28 18:11:29.435: ISAKMP: Trying to insert a peer 82.148.15.64/80.250.218.2/500/, and inserted successfully 646608C8.
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM5 New State = IKE_I_MM6
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM6 New State = IKE_I_MM6
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Jun 28 18:11:29.435: ISAKMP:(0:29:HW:2):beginning Quick Mode exchange, M-ID of 80228627
Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) QM_IDLE
Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2):Node 80228627, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 28 18:11:29.447: ISAKMP:(0:29:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 28 18:11:29.475: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) QM_IDLE
Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2): processing HASH payload. message ID = 80228627
Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2): processing SA payload. message ID = 80228627
Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2):Checking IPSec proposal 1
Jun 28 18:11:29.479: ISAKMP: transform 1, ESP_AES
Jun 28 18:11:29.479: ISAKMP: attributes in transform:
Jun 28 18:11:29.479: ISAKMP: encaps is 1 (Tunnel)
Jun 28 18:11:29.479: ISAKMP: SA life type in seconds
Jun 28 18:11:29.479: ISAKMP: SA life duration (basic) of 3600
Jun 28 18:11:29.479: ISAKMP: SA life type in kilobytes
Jun 28 18:11:29.479: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Jun 28 18:11:29.479: ISAKMP: authenticator is HMAC-SHA
Jun 28 18:11:29.479: ISAKMP: key length is 256
Jun 28 18:11:29.479: ISAKMP: group is 2
Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2):atts are acceptable.
Jun 28 18:11:29.483: ISAKMP:(0:29:HW:2): processing NONCE payload. message ID = 80228627
Jun 28 18:11:29.483: ISAKMP:(0:29:HW:2): processing KE payload. message ID = 80228627
Jun 28 18:11:29.487: ISAKMP:(0:29:HW:2): processing ID payload. message ID = 80228627
Jun 28 18:11:29.487: ISAKMP:(0:29:HW:2): processing ID payload. message ID = 80228627
Jun 28 18:11:29.499: ISAKMP: Locking peer struct 0x646608C8, IPSEC refcount 1 for for stuff_ke
Jun 28 18:11:29.499: ISAKMP:(0:29:HW:2): Creating IPSec SAs
Jun 28 18:11:29.499: inbound SA from 80.250.218.2 to 82.148.15.64 (f/i) 0/ 0
(proxy 10.0.0.0 to 10.0.254.0)
Jun 28 18:11:29.499: has spi 0x4B1337A and conn_id 0 and flags 23
Jun 28 18:11:29.499: lifetime of 3600 seconds
Jun 28 18:11:29.499: lifetime of 4608000 kilobytes
Jun 28 18:11:29.499: has client flags 0x0
Jun 28 18:11:29.499: outbound SA from 82.148.15.64 to 80.250.218.2 (f/i) 0/0
(proxy 10.0.254.0 to 10.0.0.0)
Jun 28 18:11:29.499: has spi -1882863622 and conn_id 0 and flags 2B
Jun 28 18:11:29.499: lifetime of 3600 seconds
Jun 28 18:11:29.499: lifetime of 4608000 kilobytes
Jun 28 18:11:29.499: has client flags 0x0
Jun 28 18:11:29.499: ISAKMP: Locking peer struct 0x646608C8, IPSEC refcount 2 for from create_transforms
Jun 28 18:11:29.503: ISAKMP: Unlocking IPSEC struct 0x646608C8 from create_transforms, count 1
Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) QM_IDLE
Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2):deleting node 80228627 error FALSE reason "No Error"
Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2):Node 80228627, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Jun 28 18:11:47.496: ISAKMP:(0:28:HW:2):purging node 876229975
Jun 28 18:11:47.496: ISAKMP:(0:28:HW:2):purging node 687874368
Jun 28 18:11:57.496: ISAKMP:(0:28:HW:2):purging SA., sa=646B799C, delme=646B799C
Jun 28 18:12:19.496: ISAKMP:(0:29:HW:2):purging node 80228627
Jun 28 18:45:08.969: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) QM_IDLE
Jun 28 18:45:08.969: ISAKMP: set new node 1196849088 to QM_IDLE
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): processing HASH payload. message ID = 1196849088
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): processing SA payload. message ID = 1196849088
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2):Checking IPSec proposal 1
Jun 28 18:45:08.973: ISAKMP: transform 1, ESP_AES
Jun 28 18:45:08.973: ISAKMP: attributes in transform:
Jun 28 18:45:08.973: ISAKMP: encaps is 1 (Tunnel)
Jun 28 18:45:08.973: ISAKMP: SA life type in seconds
Jun 28 18:45:08.973: ISAKMP: SA life duration (basic) of 3600
Jun 28 18:45:08.973: ISAKMP: SA life type in kilobytes
Jun 28 18:45:08.973: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Jun 28 18:45:08.973: ISAKMP: authenticator is HMAC-SHA
Jun 28 18:45:08.973: ISAKMP: key length is 256
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2):atts are acceptable.
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): IPSec policy invalidated proposal
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): phase 2 SA policy not acceptable! (local 82.148.15.64 remote 80.250.218.2)
Jun 28 18:45:08.977: ISAKMP: set new node 411620218 to QM_IDLE
Jun 28 18:45:08.977: ISAKMP:(0:29:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1697941984, message ID = 411620218
Jun 28 18:45:08.977: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) QM_IDLE
Jun 28 18:45:08.977: ISAKMP:(0:29:HW:2):purging node 411620218
Jun 28 18:45:08.981: ISAKMP:(0:29:HW:2):deleting node 1196849088 error TRUE reason "QM rejected"
Jun 28 18:45:08.981: ISAKMP (0:268435485): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 1196849088: state = IKE_QM_READY
Jun 28 18:45:08.981: ISAKMP:(0:29:HW:2):Node 1196849088, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 28 18:45:08.981: ISAKMP:(0:29:HW:2):Old State = IKE_QM_READY New State = IKE_QM_READY
Jun 28 18:45:08.981: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 80.250.218.2
Jun 28 18:45:38.965: ISAKMP (0:268435485): received packet from 80.250.218.2 dport 500 sport 500 Global (I) QM_IDLE
Jun 28 18:45:38.965: ISAKMP: set new node -1614916990 to QM_IDLE
Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2): processing HASH payload. message ID = -1614916990
Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2): processing SA payload. message ID = -1614916990
Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2):Checking IPSec proposal 1
Jun 28 18:45:38.969: ISAKMP: transform 1, ESP_AES
Jun 28 18:45:38.969: ISAKMP: attributes in transform:
Jun 28 18:45:38.969: ISAKMP: encaps is 1 (Tunnel)
Jun 28 18:45:38.969: ISAKMP: SA life type in seconds
Jun 28 18:45:38.969: ISAKMP: SA life duration (basic) of 3600
Jun 28 18:45:38.969: ISAKMP: SA life type in kilobytes
Jun 28 18:45:38.969: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Jun 28 18:45:38.969: ISAKMP: authenticator is HMAC-SHA
Jun 28 18:45:38.969: ISAKMP: key length is 256
Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2):atts are acceptable.
Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2): IPSec policy invalidated proposal
Jun 28 18:45:38.969: ISAKMP:(0:29:HW:2): phase 2 SA policy not acceptable! (local 82.148.15.64 remote 80.250.218.2)
Jun 28 18:45:38.973: ISAKMP: set new node -1227785736 to QM_IDLE
Jun 28 18:45:38.973: ISAKMP:(0:29:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1697941984, message ID = -1227785736
Jun 28 18:45:38.973: ISAKMP:(0:29:HW:2): sending packet to 80.250.218.2 my_port 500 peer_port 500 (I) QM_IDLE
Jun 28 18:45:38.973: ISAKMP:(0:29:HW:2):purging node -1227785736
Jun 28 18:45:38.977: ISAKMP:(0:29:HW:2):deleting node -1614916990 error TRUE reason "QM rejected"
Jun 28 18:45:38.977: ISAKMP (0:268435485): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -1614916990: state = IKE_QM_READY
Jun 28 18:45:38.977: ISAKMP:(0:29:HW:2):Node -1614916990, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 28 18:45:38.977: ISAKMP:(0:29:HW:2):Old State = IKE_QM_READY New State = IKE_QM_READY
Jun 28 18:45:58.981: ISAKMP:(0:29:HW:2):purging node 1196849088
Found what the problem was. I'm annoyed at myself for wasting so much time on it.
I've marked the extra line. After removing it and reinitializing the crypto session, everything worked in both directions as it should.
crypto map VPN local-address Loopback0
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
set peer a.a.a.a
set transform-set BRANCH_VPN
>>set pfs group2
match address VPN_MO9
reverse-route remote-peer a.a.a.a static
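An added example (not from the thread and not Cisco's code) that shows the asymmetry above in a check: it scans constructed lines in the shape of the `debug crypto isakmp` output quoted earlier and reports, per Quick Mode proposal, whether the peer offered a PFS group and whether the proposal completed or was rejected; it also compares two constructed crypto map excerpts for a one-sided `set pfs`. All sample text is constructed.

```python
import re

# Constructed lines in the shape of the "debug crypto isakmp" output quoted in
# the thread: one Quick Mode where the peer offers PFS group 2 and completes,
# then one where the peer offers no group and is rejected. Not the page's log.
SAMPLE_DEBUG = """\
Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2):Checking IPSec proposal 1
Jun 28 18:11:29.479: ISAKMP: group is 2
Jun 28 18:11:29.479: ISAKMP:(0:29:HW:2):atts are acceptable.
Jun 28 18:11:29.503: ISAKMP:(0:29:HW:2):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2):Checking IPSec proposal 1
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2):atts are acceptable.
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): IPSec policy invalidated proposal
Jun 28 18:45:08.973: ISAKMP:(0:29:HW:2): phase 2 SA policy not acceptable! (local 82.148.15.64 remote 80.250.218.2)
"""

# Constructed crypto map excerpts mirroring the two sides in the thread (only one has set pfs).
SIDE_A = "crypto map VPN 41 ipsec-isakmp\n set peer 82.148.15.64\n set transform-set BRANCH_VPN\n match address VPN_MO_BACKUP\n"
SIDE_B = "crypto map VPN 10 ipsec-isakmp\n set peer 80.250.218.2\n set transform-set BRANCH_VPN\n set pfs group2\n match address VPN_MO9\n"

PROPOSAL_RE = re.compile(r"Checking IPSec proposal \d+")
GROUP_RE = re.compile(r"ISAKMP: group is (\d+)")
REJECT_RE = re.compile(r"phase 2 SA policy not acceptable")
COMPLETE_RE = re.compile(r"New State = IKE_QM_PHASE2_COMPLETE")

def quick_mode_outcomes(debug_text):
    """Per Quick Mode proposal: (PFS DH group offered by the peer or None, 'accepted'|'rejected')."""
    outcomes, group, in_proposal = [], None, False
    for line in debug_text.splitlines():
        if PROPOSAL_RE.search(line):
            group, in_proposal = None, True       # start of a new phase 2 proposal
        elif not in_proposal:
            continue
        elif (m := GROUP_RE.search(line)):
            group = int(m.group(1))               # peer proposed PFS with this DH group
        elif REJECT_RE.search(line):
            outcomes.append((group, "rejected")); in_proposal = False
        elif COMPLETE_RE.search(line):
            outcomes.append((group, "accepted")); in_proposal = False
    return outcomes

def crypto_map_pfs(config_text):
    """Map (crypto map name, seq) -> 'set pfs' argument, or None when PFS is not configured."""
    result, key = {}, None
    for line in config_text.splitlines():
        if (m := re.match(r"\s*crypto map (\S+) (\d+) ipsec-isakmp", line)):
            key = (m.group(1), int(m.group(2))); result[key] = None
        elif key and (m := re.match(r"\s*set pfs (\S+)", line)):
            result[key] = m.group(1)
    return result

def pfs_mismatch(cfg_a, cfg_b):
    """True when the two sides' crypto map entries disagree on PFS (the thread's root cause)."""
    return set(crypto_map_pfs(cfg_a).values()) != set(crypto_map_pfs(cfg_b).values())

if __name__ == "__main__":
    for group, verdict in quick_mode_outcomes(SAMPLE_DEBUG):
        print(f"peer PFS group={group}: Quick Mode {verdict}")
    print("set pfs differs between sides:", pfs_mismatch(SIDE_A, SIDE_B))
```

The pattern to look for in a real debug is a proposal that reaches "atts are acceptable" and is still rejected with "phase 2 SA policy not acceptable": the transform matched, so the disagreement is in the policy around it, such as PFS.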
>[overquoting removed]
>both directions as it should.
>
>crypto map VPN local-address Loopback0
>crypto map VPN client configuration address respond
>crypto map VPN 10 ipsec-isakmp
>set peer a.a.a.a
>set transform-set BRANCH_VPN
>>>set pfs group2
>match address VPN_MO9
>reverse-route remote-peer a.a.a.a static
I have exactly the same problem right now, but there's no pfs group on either side =/