URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 18265

Original message
"Pix ------ ISA"

Posted by gladkov, 17-Feb-09 15:51
Folks, anyone who has married a PIX to ISA, please help. There is an already existing tunnel; I created one modelled on it, but nothing helps. It does not establish the connection.
Config
tunnel-group 84.52.79.85 type ipsec-l2l
tunnel-group 84.52.79.85 ipsec-attributes
pre-shared-key *
pixfirewall# sh run crypto ip
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac


isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800


crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-MD5 ESP-DES-SHA

access-list inside_nat0_outbound extended permit ip object-group ххх.ххх.ххх.ххх Novo_Net 255.255.255.0
access-list outside_cryptomap_40 extended permit ip object-group ххх.ххх.ххх.ххх Novo_Net 255.255.255.0


crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer Novo_Inet
crypto map outside_map 40 set transform-set ESP-DES-SHA
crypto map outside_map 40 set security-association lifetime seconds 3600
crypto map outside_map 40 set security-association lifetime kilobytes 100000


name 192.168.70.0 Novo_Net


Debug

|Feb 17 2009 13:40:44|113019: Group = 84.52.79.85, Username = 84.52.79.85, IP = Novo_Inet, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Feb 17 2009 13:40:44|713214: Group = 84.52.79.85, IP = 84.52.79.85, Could not delete route for L2L peer that came in on a dynamic map. address: 84.52.79.85, mask: 0.0.0.0
3|Feb 17 2009 13:40:44|713902: Group = 84.52.79.85, IP = 84.52.79.85, Removing peer from correlator table failed, no match!
3|Feb 17 2009 13:40:44|713902: Group = 84.52.79.85, IP = 84.52.79.85, QM FSM error (P2 struct &0x23bd4d0, mess id 0x2e0d04b4)!
5|Feb 17 2009 13:40:44|713904: Group = 84.52.79.85, IP = 84.52.79.85, All IPSec SA proposals found unacceptable!
3|Feb 17 2009 13:40:44|713122: IP = 84.52.79.85, Keep-alives configured on but peer does not support keep-alives (type = None)
3|Feb 17 2009 13:40:44|713119: Group = 84.52.79.85, IP = 84.52.79.85, PHASE 1 COMPLETED
6|Feb 17 2009 13:40:44|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 84.52.79.85
6|Feb 17 2009 13:40:44|713172: Group = 84.52.79.85, IP = 84.52.79.85, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
4|Feb 17 2009 13:40:44|113019: Group = 84.52.79.85, Username = 84.52.79.85, IP = Novo_Inet, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Feb 17 2009 13:40:44|713214: Group = 84.52.79.85, IP = 84.52.79.85, Could not delete route for L2L peer that came in on a dynamic map. address: 84.52.79.85, mask: 0.0.0.0
3|Feb 17 2009 13:40:44|713902: Group = 84.52.79.85, IP = 84.52.79.85, Removing peer from correlator table failed, no match!
3|Feb 17 2009 13:40:44|713902: Group = 84.52.79.85, IP = 84.52.79.85, QM FSM error (P2 struct &0x23bd4d0, mess id 0xff890a9d)!
5|Feb 17 2009 13:40:44|713904: Group = 84.52.79.85, IP = 84.52.79.85, All IPSec SA proposals found unacceptable!
3|Feb 17 2009 13:40:44|713122: IP = 84.52.79.85, Keep-alives configured on but peer does not support keep-alives (type = None)
3|Feb 17 2009 13:40:44|713119: Group = 84.52.79.85, IP = 84.52.79.85, PHASE 1 COMPLETED
6|Feb 17 2009 13:40:44|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 84.52.79.85
6|Feb 17 2009 13:40:44|713172: Group = 84.52.79.85, IP = 84.52.79.85, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device


And from the other side, on ISA:


Local Tunnel Endpoint: 84.52.79.85
Remote Tunnel Endpoint: 84.204.ххх.ххх
To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.

IKE Phase I Parameters:
    Mode: Main mode
    Encryption: DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication Method: Pre-shared secret (0987654321qwerty)
    Security Association Lifetime: 28800 seconds

IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: DES
    Integrity: SHA1
    Perfect Forward Secrecy: ON
    Diffie-Hellman group: Group 2 (1024 bit)
    Time Rekeying: ON
    Security Association Lifetime: 3600 seconds
    Kbyte Rekeying: ON
    Rekey After Sending: 100000 Kbytes

Remote Network 'VPN' IP Subnets:
    Subnet: 192.168.44.0/255.255.255.0
    Subnet: 192.168.40.0/255.255.255.0
    Subnet: 192.168.32.0/255.255.255.0
    Subnet: 192.168.0.0/255.255.255.0

Local Network 'Internal' IP Subnets:
    Subnet: 192.168.70.0/255.255.255.0

Routable Local IP Addresses:
    Subnet: 192.168.70.0/255.255.255.0
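The debug above says the peer landed on a dynamic map and that every IPsec SA proposal was rejected ("Phase 2 Mismatch"), so a quick check is to compare each PIX crypto map entry against the ISA side's Phase 2 parameters and subnets. The script below is an added example, not code from the thread or from Cisco; it takes the values shown in the post, except that the PIX local subnets (masked as ххх in the ACL) are constructed.

```python
from ipaddress import ip_network

# ISA side, as printed in the post (the peer's proposal).
ISA_SIDE = {
    "encryption": "des", "integrity": "sha", "pfs_group": 2,
    "local": ["192.168.70.0/24"],
    "remote": ["192.168.44.0/24", "192.168.40.0/24",
               "192.168.32.0/24", "192.168.0.0/24"],
}

# PIX "crypto map outside_map 40": ESP-DES-SHA, "set pfs" (group 2 by
# default), ACL object-group -> Novo_Net. The post masks the object-group,
# so its local subnets here are CONSTRUCTED for illustration.
PIX_STATIC_40 = {
    "encryption": "des", "integrity": "sha", "pfs_group": 2,
    "local": ["192.168.44.0/24", "192.168.40.0/24"],  # constructed
    "remote": ["192.168.70.0/24"],  # Novo_Net
}

# PIX "crypto dynamic-map outside_dyn_map 20": ESP-DES-MD5, no "set pfs",
# no "match address" (an empty selector list means it accepts anything).
PIX_DYNAMIC_20 = {
    "encryption": "des", "integrity": "md5", "pfs_group": None,
    "local": [], "remote": [],
}

def uncovered(peer_subnets, acl_subnets):
    """Peer subnets that no ACL subnet contains (empty ACL = any)."""
    if not acl_subnets:
        return []
    acl = [ip_network(a) for a in acl_subnets]
    return [s for s in peer_subnets
            if not any(ip_network(s).subnet_of(a) for a in acl)]

def phase2_mismatches(peer, entry):
    """Reasons a PIX crypto map entry would reject the peer's Phase 2 proposal."""
    reasons = []
    for key in ("encryption", "integrity"):
        if peer[key] != entry[key]:
            reasons.append(f"{key}: peer {peer[key]} vs local {entry[key]}")
    if peer["pfs_group"] != entry["pfs_group"]:
        reasons.append(f"pfs: peer group {peer['pfs_group']} vs local {entry['pfs_group']}")
    # The peer's remote networks must sit inside our local selector, and vice versa.
    for side, ours, theirs in (("local", entry["local"], peer["remote"]),
                               ("remote", entry["remote"], peer["local"])):
        missing = uncovered(theirs, ours)
        if missing:
            reasons.append(f"{side} selector does not cover {', '.join(missing)}")
    return reasons
```

Run `phase2_mismatches(ISA_SIDE, entry)` for each entry: a static entry whose ACL misses some of the ISA's four subnets will fail on the selector, and the dynamic entry fails on the hash and on PFS.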


Contents

Messages in this discussion
"Pix ------ ISA"
Posted by visaversa, 20-Feb-09 14:25
At one time I also had to solve the problem of linking 2 offices between ISA and Cisco, and it only worked via PPTP, to be honest. Mind you, I had an 1811, not a PIX.

Maybe this will help you:
http://www.isaserver.org/tutorials/Implementing-IPSEC-Site-t...


>[overquoting removed]
>
>Local Network 'Internal' IP Subnets:
>
>    Subnet: 192.168.70.0/255.255.255.0
>
>
>
>Routable Local IP Addresses:
>
>    Subnet: 192.168.70.0/255.255.255.0