URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 21359

Original message
"cisco1841 ipsec + CiscoVpnClient + certificates"

Posted by sadko812, 22-Jul-10 12:15
Hi all!
I have a problem with IPsec on an 1841 router and the CiscoVpnClient client with certificate authentication. When I try to connect, I get this message:

"Contacting the security gateway at 192.168.1.133...

Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding. "

Here are the debug output and the config. Please help me figure out what is wrong. I should say up front that this is the first time I am setting this up, so the mistake may be the dumbest and most obvious one :) All of this messy business is happening on the local network.

**********************************************************************************
*********************************************************************************
***************************** DEBUG ***********************************************


Jul 21 10:37:43.196: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
_WAIT_FOR_RETRY
Jul 21 10:37:43.196: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT


Jul 21 10:38:03.195: PKI: Shadow timer went off for second_trustpoint
Jul 21 10:38:03.195: CRYPTO_PKI: Sending Next CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetNextCACert&message=second_trustpoint HTT
P/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133


Jul 21 10:38:03.195: CRYPTO_PKI: locked trustpoint second_trustpoint, refcount i
s 1
Jul 21 10:38:03.195: CRYPTO_PKI: can not resolve server name/IP address
Jul 21 10:38:03.195: CRYPTO_PKI: Using unresolved IP Address 192.168.1.133
Jul 21 10:38:03.195: CRYPTO_PKI: http connection opened
Jul 21 10:38:03.195: CRYPTO_PKI: Sending HTTP message

Jul 21 10:38:03.195: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133


Jul 21 10:38:18.193: CRYPTO_PKI: Retry 1
Jul 21 10:38:33.192: CRYPTO_PKI: Retry 2
Jul 21 10:38:33.192: %PKI-3-SOCKETSEND: Failed to send out message to CA server.

Jul 21 10:38:33.192: CRYPTO_PKI: unlocked trustpoint second_trustpoint, refcount
is 0
Jul 21 10:38:33.192: CRYPTO_PKI: status = 65535: failed to send out the pki mess
age
Jul 21 10:38:33.192: %Error in connection to Certificate Authority:    status =
FAIL

Jul 21 10:38:33.192: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
_WAIT_FOR_RETRY
Jul 21 10:38:33.192: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT

Jul 21 10:38:53.219: PKI: Shadow timer went off for second_trustpoint
Jul 21 10:38:53.219: CRYPTO_PKI: Sending Next CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetNextCACert&message=second_trustpoint HTT
P/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133


Jul 21 10:38:53.219: CRYPTO_PKI: locked trustpoint second_trustpoint, refcount i
s 1
Jul 21 10:38:53.219: CRYPTO_PKI: can not resolve server name/IP address
Jul 21 10:38:53.219: CRYPTO_PKI: Using unresolved IP Address 192.168.1.133
Jul 21 10:38:53.219: CRYPTO_PKI: http connection opened
Jul 21 10:38:53.219: CRYPTO_PKI: Sending HTTP message

Jul 21 10:38:53.219: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133


Jul 21 10:39:00.650: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC pa
cket. (ip) vrf/dest_addr= /192.168.1.255, src_addr= 192.168.1.93, prot= 17
Jul 21 10:39:08.218: CRYPTO_PKI: Retry 1
Jul 21 10:39:23.216: CRYPTO_PKI: Retry 2
Jul 21 10:39:23.216: %PKI-3-SOCKETSEND: Failed to send out message to CA server.

Jul 21 10:39:23.216: CRYPTO_PKI: unlocked trustpoint second_trustpoint, refcount
is 0
Jul 21 10:39:23.216: CRYPTO_PKI: status = 65535: failed to send out the pki mess
age
Jul 21 10:39:23.216: %Error in connection to Certificate Authority:    status =
FAIL

Jul 21 10:39:23.216: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
_WAIT_FOR_RETRY
Jul 21 10:39:23.220: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT

Jul 21 10:39:43.219: PKI: Shadow timer went off for second_trustpoint
Jul 21 10:39:43.219: CRYPTO_PKI: Sending Next CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetNextCACert&message=second_trustpoint HTT
P/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133


Jul 21 10:39:43.219: CRYPTO_PKI: locked trustpoint second_trustpoint, refcount i
s 1
Jul 21 10:39:43.219: CRYPTO_PKI: can not resolve server name/IP address
Jul 21 10:39:43.219: CRYPTO_PKI: Using unresolved IP Address 192.168.1.133
Jul 21 10:39:43.219: CRYPTO_PKI: http connection opened
Jul 21 10:39:43.219: CRYPTO_PKI: Sending HTTP message

Jul 21 10:39:43.219: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133


Jul 21 10:39:58.218: CRYPTO_PKI: Retry 1

Jul 21 10:40:13.216: CRYPTO_PKI: Retry 2
Jul 21 10:40:13.216: %PKI-3-SOCKETSEND: Failed to send out message to CA server.

Jul 21 10:40:13.216: CRYPTO_PKI: unlocked trustpoint second_trustpoint, refcount
is 0
Jul 21 10:40:13.216: CRYPTO_PKI: status = 65535: failed to send out the pki mess
age
Jul 21 10:40:13.216: %Error in connection to Certificate Authority:    status =
FAIL

Jul 21 10:40:13.216: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
_WAIT_FOR_RETRY
Jul 21 10:40:13.216: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT

Jul 21 10:40:19.456: ISAKMP (0): received packet from 192.168.1.222 dport 500 sp
ort 4836 Global (N) NEW SA
Jul 21 10:40:19.456: ISAKMP: Created a peer struct for 192.168.1.222, peer port
4836
Jul 21 10:40:19.456: ISAKMP: New peer created peer = 0x67861900 peer_handle = 0x
80000017
Jul 21 10:40:19.456: ISAKMP: Locking peer struct 0x67861900, refcount 1 for cryp
to_isakmp_process_block
Jul 21 10:40:19.456: ISAKMP: local port 500, remote port 4836
Jul 21 10:40:19.460: ISAKMP:(0):insert sa successfully sa = 67597414
Jul 21 10:40:19.460: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 21 10:40:19.460: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

Jul 21 10:40:19.460: ISAKMP:(0): processing SA payload. message ID = 0
Jul 21 10:40:19.460: ISAKMP:(0): processing vendor id payload
Jul 21 10:40:19.460: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatc
h
Jul 21 10:40:19.460: ISAKMP:(0): vendor ID is XAUTH
Jul 21 10:40:19.460: ISAKMP:(0): processing vendor id payload
Jul 21 10:40:19.460: ISAKMP:(0): vendor ID is DPD
Jul 21 10:40:19.460: ISAKMP:(0): processing vendor id payload
Jul 21 10:40:19.460: ISAKMP:(0): processing IKE frag vendor id payload
Jul 21 10:40:19.460: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jul 21 10:40:19.460: ISAKMP:(0): processing vendor id payload
Jul 21 10:40:19.460: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatc
h
Jul 21 10:40:19.460: ISAKMP:(0): vendor ID is NAT-T v2
Jul 21 10:40:19.460: ISAKMP:(0): processing vendor id payload
Jul 21 10:40:19.460: ISAKMP:(0): vendor ID is Unity
Jul 21 10:40:19.460: ISAKMP : Scanning profiles for xauth ...
Jul 21 10:40:19.460: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10
policy
Jul 21 10:40:19.460: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.460: ISAKMP:      hash SHA
Jul 21 10:40:19.460: ISAKMP:      default group 5
Jul 21 10:40:19.460: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.460: ISAKMP:      life type in seconds
Jul 21 10:40:19.460: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.464: ISAKMP:      keylength of 256
Jul 21 10:40:19.464: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.464: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.464: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10
policy
Jul 21 10:40:19.464: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.464: ISAKMP:      hash MD5
Jul 21 10:40:19.464: ISAKMP:      default group 5
Jul 21 10:40:19.464: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.464: ISAKMP:      life type in seconds
Jul 21 10:40:19.464: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.464: ISAKMP:      keylength of 256
Jul 21 10:40:19.464: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.464: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.464: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10
policy
Jul 21 10:40:19.464: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.464: ISAKMP:      hash SHA
Jul 21 10:40:19.464: ISAKMP:      default group 5
Jul 21 10:40:19.464: ISAKMP:      auth RSA sig
Jul 21 10:40:19.464: ISAKMP:      life type in seconds
Jul 21 10:40:19.464: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.464: ISAKMP:      keylength of 256
Jul 21 10:40:19.464: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.464: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.464: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10
policy
Jul 21 10:40:19.464: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.464: ISAKMP:      hash MD5
Jul 21 10:40:19.464: ISAKMP:      default group 5
Jul 21 10:40:19.464: ISAKMP:      auth RSA sig
Jul 21 10:40:19.464: ISAKMP:      life type in seconds
Jul 21 10:40:19.464: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.464: ISAKMP:      keylength of 256
Jul 21 10:40:19.464: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.464: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.464: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10
policy
Jul 21 10:40:19.464: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.464: ISAKMP:      hash SHA
Jul 21 10:40:19.464: ISAKMP:      default group 2
Jul 21 10:40:19.464: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.464: ISAKMP:      life type in seconds
Jul 21 10:40:19.464: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.468: ISAKMP:      keylength of 256
Jul 21 10:40:19.468: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.468: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.468: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10
policy
Jul 21 10:40:19.468: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.468: ISAKMP:      hash MD5
Jul 21 10:40:19.468: ISAKMP:      default group 2
Jul 21 10:40:19.468: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.468: ISAKMP:      life type in seconds
Jul 21 10:40:19.468: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.468: ISAKMP:      keylength of 256
Jul 21 10:40:19.468: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.468: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.468: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10
policy
Jul 21 10:40:19.468: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.468: ISAKMP:      hash SHA
Jul 21 10:40:19.468: ISAKMP:      default group 2
Jul 21 10:40:19.468: ISAKMP:      auth RSA sig
Jul 21 10:40:19.468: ISAKMP:      life type in seconds
Jul 21 10:40:19.468: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.468: ISAKMP:      keylength of 256
Jul 21 10:40:19.468: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.468: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.468: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10
policy
Jul 21 10:40:19.468: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.468: ISAKMP:      hash MD5
Jul 21 10:40:19.468: ISAKMP:      default group 2
Jul 21 10:40:19.468: ISAKMP:      auth RSA sig
Jul 21 10:40:19.468: ISAKMP:      life type in seconds
Jul 21 10:40:19.468: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.468: ISAKMP:      keylength of 256
Jul 21 10:40:19.468: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.468: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.468: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10
policy
Jul 21 10:40:19.468: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.468: ISAKMP:      hash SHA
Jul 21 10:40:19.468: ISAKMP:      default group 5
Jul 21 10:40:19.468: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.468: ISAKMP:      life type in seconds
Jul 21 10:40:19.468: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.468: ISAKMP:      keylength of 128
Jul 21 10:40:19.468: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.468: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.468: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10
policy
Jul 21 10:40:19.468: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.468: ISAKMP:      hash MD5
Jul 21 10:40:19.468: ISAKMP:      default group 5
Jul 21 10:40:19.468: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.472: ISAKMP:      life type in seconds
Jul 21 10:40:19.472: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.472: ISAKMP:      keylength of 128
Jul 21 10:40:19.472: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.472: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.472: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10
policy
Jul 21 10:40:19.472: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.472: ISAKMP:      hash SHA
Jul 21 10:40:19.472: ISAKMP:      default group 5
Jul 21 10:40:19.472: ISAKMP:      auth RSA sig
Jul 21 10:40:19.472: ISAKMP:      life type in seconds
Jul 21 10:40:19.472: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.472: ISAKMP:      keylength of 128
Jul 21 10:40:19.472: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.472: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.472: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10
policy
Jul 21 10:40:19.472: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.472: ISAKMP:      hash MD5
Jul 21 10:40:19.472: ISAKMP:      default group 5
Jul 21 10:40:19.472: ISAKMP:      auth RSA sig
Jul 21 10:40:19.472: ISAKMP:      life type in seconds
Jul 21 10:40:19.472: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.472: ISAKMP:      keylength of 128
Jul 21 10:40:19.472: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.472: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.472: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10
policy
Jul 21 10:40:19.472: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.472: ISAKMP:      hash SHA
Jul 21 10:40:19.472: ISAKMP:      default group 2
Jul 21 10:40:19.472: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.472: ISAKMP:      life type in seconds
Jul 21 10:40:19.472: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.472: ISAKMP:      keylength of 128
Jul 21 10:40:19.472: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.472: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.472: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10
policy
Jul 21 10:40:19.472: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.472: ISAKMP:      hash MD5
Jul 21 10:40:19.472: ISAKMP:      default group 2
Jul 21 10:40:19.472: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.472: ISAKMP:      life type in seconds
Jul 21 10:40:19.472: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.472: ISAKMP:      keylength of 128
Jul 21 10:40:19.472: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.472: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.472: ISAKMP:(0):Checking ISAKMP transform 15 against priority 10
policy
Jul 21 10:40:19.472: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.472: ISAKMP:      hash SHA
Jul 21 10:40:19.472: ISAKMP:      default group 2
Jul 21 10:40:19.472: ISAKMP:      auth RSA sig
Jul 21 10:40:19.472: ISAKMP:      life type in seconds
Jul 21 10:40:19.472: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.476: ISAKMP:      keylength of 128
Jul 21 10:40:19.476: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.476: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 16 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.476: ISAKMP:      hash MD5
Jul 21 10:40:19.476: ISAKMP:      default group 2
Jul 21 10:40:19.476: ISAKMP:      auth RSA sig
Jul 21 10:40:19.476: ISAKMP:      life type in seconds
Jul 21 10:40:19.476: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.476: ISAKMP:      keylength of 128
Jul 21 10:40:19.476: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.476: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 17 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP:      encryption 3DES-CBC
Jul 21 10:40:19.476: ISAKMP:      hash SHA
Jul 21 10:40:19.476: ISAKMP:      default group 5
Jul 21 10:40:19.476: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.476: ISAKMP:      life type in seconds
Jul 21 10:40:19.476: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.476: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 21 10:40:19.476: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 18 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP:      encryption 3DES-CBC
Jul 21 10:40:19.476: ISAKMP:      hash MD5
Jul 21 10:40:19.476: ISAKMP:      default group 5
Jul 21 10:40:19.476: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.476: ISAKMP:      life type in seconds
Jul 21 10:40:19.476: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.476: ISAKMP:(0):Xauth authentication by RSA offered but does not
match policy!
Jul 21 10:40:19.476: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 19 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP:      encryption 3DES-CBC
Jul 21 10:40:19.476: ISAKMP:      hash SHA
Jul 21 10:40:19.476: ISAKMP:      default group 5
Jul 21 10:40:19.476: ISAKMP:      auth RSA sig
Jul 21 10:40:19.476: ISAKMP:      life type in seconds
Jul 21 10:40:19.476: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.476: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 21 10:40:19.476: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 20 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP:      encryption 3DES-CBC
Jul 21 10:40:19.476: ISAKMP:      hash MD5
Jul 21 10:40:19.476: ISAKMP:      default group 5
Jul 21 10:40:19.476: ISAKMP:      auth RSA sig
Jul 21 10:40:19.476: ISAKMP:      life type in seconds
Jul 21 10:40:19.476: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.480: ISAKMP:(0):Diffie-Hellman group offered does not match poli
cy!
Jul 21 10:40:19.480: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.480: ISAKMP:(0):Checking ISAKMP transform 21 against priority 10
policy
Jul 21 10:40:19.480: ISAKMP:      encryption 3DES-CBC
Jul 21 10:40:19.480: ISAKMP:      hash SHA
Jul 21 10:40:19.480: ISAKMP:      default group 2
Jul 21 10:40:19.480: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.480: ISAKMP:      life type in seconds
Jul 21 10:40:19.480: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.480: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 21 10:40:19.480: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.480: ISAKMP:(0):Checking ISAKMP transform 22 against priority 10
policy
Jul 21 10:40:19.480: ISAKMP:      encryption 3DES-CBC
Jul 21 10:40:19.480: ISAKMP:      hash MD5
Jul 21 10:40:19.480: ISAKMP:      default group 2
Jul 21 10:40:19.480: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.480: ISAKMP:      life type in seconds
Jul 21 10:40:19.480: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.480: ISAKMP:(0):Xauth authentication by RSA offered but does not
match policy!
Jul 21 10:40:19.480: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.480: ISAKMP:(0):Checking ISAKMP transform 23 against priority 10
policy
Jul 21 10:40:19.480: ISAKMP:      encryption 3DES-CBC
Jul 21 10:40:19.480: ISAKMP:      hash SHA
Jul 21 10:40:19.480: ISAKMP:      default group 2
Jul 21 10:40:19.480: ISAKMP:      auth RSA sig
Jul 21 10:40:19.480: ISAKMP:      life type in seconds
Jul 21 10:40:19.480: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.480: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 21 10:40:19.480: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.480: ISAKMP:(0):Checking ISAKMP transform 24 against priority 10
policy
Jul 21 10:40:19.480: ISAKMP:      encryption 3DES-CBC
Jul 21 10:40:19.480: ISAKMP:      hash MD5
Jul 21 10:40:19.480: ISAKMP:      default group 2
Jul 21 10:40:19.480: ISAKMP:      auth RSA sig
Jul 21 10:40:19.480: ISAKMP:      life type in seconds
Jul 21 10:40:19.480: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.480: ISAKMP:(0):Diffie-Hellman group offered does not match poli
cy!
Jul 21 10:40:19.480: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.480: ISAKMP:(0):Checking ISAKMP transform 25 against priority 10
policy
Jul 21 10:40:19.480: ISAKMP:      encryption DES-CBC
Jul 21 10:40:19.480: ISAKMP:      hash MD5
Jul 21 10:40:19.480: ISAKMP:      default group 1
Jul 21 10:40:19.480: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.480: ISAKMP:      life type in seconds
Jul 21 10:40:19.480: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.484: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.484: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.484: ISAKMP:(0):Checking ISAKMP transform 26 against priority 10
policy
Jul 21 10:40:19.484: ISAKMP:      encryption DES-CBC
Jul 21 10:40:19.484: ISAKMP:      hash MD5
Jul 21 10:40:19.484: ISAKMP:      default group 1
Jul 21 10:40:19.484: ISAKMP:      auth RSA sig
Jul 21 10:40:19.484: ISAKMP:      life type in seconds
Jul 21 10:40:19.484: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.484: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.484: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 21 10:40:19.484: ISAKMP:(0):no offers accepted!
Jul 21 10:40:19.484: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.16
8.1.133 remote 192.168.1.222)
Jul 21 10:40:19.484: ISKAMP: growing send buffer from 1024 to 3072
Jul 21 10:40:19.484: ISAKMP (0): incrementing error counter on sa, attempt 1 of
5: construct_fail_ag_init
Jul 21 10:40:19.484: ISAKMP:(0): Failed to construct AG informational message.
Jul 21 10:40:19.484: ISAKMP:(0): sending packet to 192.168.1.222 my_port 500 pee
r_port 4836 (R) MM_NO_STATE
Jul 21 10:40:19.484: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 10:40:19.484: ISAKMP:(0):peer does not do paranoid keepalives.

Jul 21 10:40:19.484: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal no
t accepted" state (R) MM_NO_STATE (peer 192.168.1.222)
Jul 21 10:40:19.484: ISAKMP (0): FSM action returned error: 2
Jul 21 10:40:19.484: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Jul 21 10:40:19.488: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jul 21 10:40:19.488: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal no
t accepted" state (R) MM_NO_STATE (peer 192.168.1.222)
Jul 21 10:40:19.488: ISAKMP: Unlocking peer struct 0x67861900 for isadb_mark_sa_
deleted(), count 0
Jul 21 10:40:19.488: ISAKMP: Deleting peer node by peer_reap for 192.168.1.222:
67861900
Jul 21 10:40:19.488: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 21 10:40:19.488: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

Jul 21 10:40:19.488: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jul 21 10:40:19.488: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_S
TATE (peer 192.168.1.222)
Jul 21 10:40:19.492: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Jul 21 10:40:19.492: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA


Jul 21 10:40:24.648: ISAKMP (0): received packet from 192.168.1.222 dport 500 sp
ort 4836 Global (R) MM_NO_STATE
Jul 21 10:40:29.647: ISAKMP (0): received packet from 192.168.1.222 dport 500 sp
ort 4836 Global (R) MM_NO_STATE
Jul 21 10:40:33.215: PKI: Shadow timer went off for second_trustpoint
Jul 21 10:40:33.215: CRYPTO_PKI: Sending Next CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetNextCACert&message=second_trustpoint HTT
P/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133


Jul 21 10:40:33.215: CRYPTO_PKI: locked trustpoint second_trustpoint, refcount i
s 1
Jul 21 10:40:33.215: CRYPTO_PKI: can not resolve server name/IP address
Jul 21 10:40:33.215: CRYPTO_PKI: Using unresolved IP Address 192.168.1.133
Jul 21 10:40:33.215: CRYPTO_PKI: http connection opened
Jul 21 10:40:33.215: CRYPTO_PKI: Sending HTTP message

Jul 21 10:40:33.215: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133


Jul 21 10:40:34.647: ISAKMP (0): received packet from 192.168.1.222 dport 500 sp
ort 4836 Global (R) MM_NO_STATE
Jul 21 10:40:48.214: CRYPTO_PKI: Retry 1
Jul 21 10:41:03.213: CRYPTO_PKI: Retry 2
Jul 21 10:41:03.213: %PKI-3-SOCKETSEND: Failed to send out message to CA server.

Jul 21 10:41:03.213: CRYPTO_PKI: unlocked trustpoint second_trustpoint, refcount
is 0
Jul 21 10:41:03.213: CRYPTO_PKI: status = 65535: failed to send out the pki mess
age
Jul 21 10:41:03.213: %Error in connection to Certificate Authority:    status =
FAIL

Jul 21 10:41:03.213: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
_WAIT_FOR_RETRY
Jul 21 10:41:03.217: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT

Jul 21 10:41:06.700: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC pa
cket. (ip) vrf/dest_addr= /192.168.1.255, src_addr= 192.168.1.80, prot= 17

Please help however you can!
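To read a phase 1 negotiation dump like the one in the post above, it helps to rejoin the wrapped lines and list each offered transform with the attribute it was rejected on. The following is an added example, not part of the original post and not Cisco code; the check order in `STAGES` is an assumption inferred from this log, and all function names are hypothetical.

```python
import re

# Abridged excerpt of the debug output in the post above (transforms 1, 17, 18
# and 20 plus the final verdict), kept with the terminal's 80-column wrapping.
SAMPLE_LOG = """\
Jul 21 10:40:19.460: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10
policy
Jul 21 10:40:19.460: ISAKMP:      encryption AES-CBC
Jul 21 10:40:19.460: ISAKMP:      hash SHA
Jul 21 10:40:19.460: ISAKMP:      default group 5
Jul 21 10:40:19.460: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.464: ISAKMP:      keylength of 256
Jul 21 10:40:19.464: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 17 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP:      encryption 3DES-CBC
Jul 21 10:40:19.476: ISAKMP:      hash SHA
Jul 21 10:40:19.476: ISAKMP:      default group 5
Jul 21 10:40:19.476: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.476: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 18 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP:      encryption 3DES-CBC
Jul 21 10:40:19.476: ISAKMP:      hash MD5
Jul 21 10:40:19.476: ISAKMP:      default group 5
Jul 21 10:40:19.476: ISAKMP:      auth XAUTHInitRSA
Jul 21 10:40:19.476: ISAKMP:(0):Xauth authentication by RSA offered but does not
match policy!
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 20 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP:      encryption 3DES-CBC
Jul 21 10:40:19.476: ISAKMP:      hash MD5
Jul 21 10:40:19.476: ISAKMP:      default group 5
Jul 21 10:40:19.476: ISAKMP:      auth RSA sig
Jul 21 10:40:19.480: ISAKMP:(0):Diffie-Hellman group offered does not match poli
cy!
Jul 21 10:40:19.484: ISAKMP:(0):no offers accepted!
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+: ")
CHECKING = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+)")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of) (.+)$")
REJECT = re.compile(r"ISAKMP:\(\d+\):\s*(.+?) offered (?:but )?does not\s*match policy!")

# Order of the checks as inferred from this log (an assumption, not documented
# behaviour): a transform rejected at stage N drew no complaint about 0..N-1.
STAGES = ["Encryption algorithm", "Hash algorithm",
          "Xauth authentication by RSA", "Diffie-Hellman group"]


def unwrap(text):
    """Rejoin wrapped output: a line without a timestamp continues the last record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if STAMP.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += line.strip()
    return records


def parse_offers(text):
    """Return one dict per offered transform with its attributes and rejection reason."""
    offers = []
    for rec in unwrap(text):
        m = CHECKING.search(rec)
        if m:
            offers.append({"transform": int(m.group(1)), "priority": int(m.group(2)),
                           "attrs": {}, "rejected_on": None})
        elif offers and (m := ATTR.search(rec)):
            offers[-1]["attrs"][m.group(1)] = m.group(2).strip()
        elif offers and (m := REJECT.search(rec)):
            offers[-1]["rejected_on"] = m.group(1)
    return offers


def closest_misses(offers):
    """Return the rejected offers that got furthest through the check order."""
    ranked = [(STAGES.index(o["rejected_on"]), o) for o in offers
              if o["rejected_on"] in STAGES]
    best = max((stage for stage, _ in ranked), default=-1)
    return [o for stage, o in ranked if stage == best]


if __name__ == "__main__":
    for o in closest_misses(parse_offers(SAMPLE_LOG)):
        print("transform", o["transform"], o["attrs"], "rejected on:", o["rejected_on"])
```

In the full log in the post, the offers rejected last in that order are transforms 20 and 24 (3DES-CBC, MD5, RSA sig), both on the Diffie-Hellman group; the posted `crypto isakmp policy 10` sets only `encr 3des` and `hash md5`.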



Messages in this thread
"cisco1841 ipsec + CiscoVpnClient + certificates"
Posted by sadko812, 22-Jul-10 12:16
and here is the sorry config:

*******************************************************************************
********************************************************************************
******************************* CONFIG ***********************************


!
! Last configuration change at 12:04:49 msk Thu Jul 22 2010 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname cisco1841
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
memory-size iomem 25
clock timezone msk 4
dot11 syslog
ip source-route
no ip gratuitous-arps
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.250
!
ip dhcp pool dc
   host 192.168.1.50 255.255.255.0
   client-identifier 0100.1517.6461.24
   dns-server 192.168.1.143 192.168.1.50
   default-router 192.168.1.133
   domain-name vk-service.ru
!
ip dhcp pool vks
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.133
   dns-server 192.168.1.50
!
!
ip cef
ip domain name vks.ru
ip host cisco1841 192.168.1.133
ip name-server 213.170.61.33
ip name-server 213.170.62.33
ip name-server 8.8.8.8
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
request-dialin
  protocol pptp
  rotary-group 0
initiate-to ip 81.203.27.195
!
vpdn-group 2
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 2
!

parameter-map type urlfpolicy local global_policy
allow-mode on
block-page message "SORRY, SITE IS BLOCKED"
parameter-map type urlf-glob urlfilter_param
pattern vkontakte.ru
pattern *.vkontakte.ru
pattern *youtube*
pattern *porn*
pattern *piski*

parameter-map type urlf-glob urlfilter_param_allowed
pattern *

!
crypto pki server cisco1841.vks.ru
grant auto
lifetime certificate 1095
database url flash:
!
crypto pki trustpoint cisco1841.vks.ru
enrollment url http://192.168.1.133:80
revocation-check crl
rsakeypair cisco1841.vks.ru
storage flash:
!
crypto pki trustpoint second_trustpoint
enrollment url http://192.168.1.133:80
serial-number
revocation-check crl
!
!
crypto pki certificate chain cisco1841.vks.ru
certificate ca 01
      quit
crypto pki certificate chain second_trustpoint
certificate 02
      quit
certificate ca 01
      quit
!
!
username admin privilege 15 secret 5 $1$125F$Oc4ofCWPqfQDWsIApNsWF/
username vks password 7 01000D05550207
archive
log config
  hidekeys
!
!
crypto isakmp policy 10
encr 3des
hash md5
crypto isakmp client configuration address-pool local ipsec_pool
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
!
crypto dynamic-map ipsec_dyn_map 1
! Incomplete
set transform-set myset
match address ipsec_crypto_acl
!
!
crypto map ipsec client configuration address initiate
!
crypto map ipsec_crypto_map 1 ipsec-isakmp dynamic ipsec_dyn_map
!
!
!
ip ssh authentication-retries 5
ip ssh version 1
!
class-map type inspect match-any to_lan
match access-group name guests
class-map type inspect match-any from_lan
match access-group name from_lan
class-map type inspect match-all inet_users
match protocol http
match access-group name inet_users_filtered
class-map type urlfilter match-any blacklist_class
match  server-domain urlf-glob urlfilter_param
class-map type urlfilter match-any whitelist_class
match  server-domain urlf-glob urlfilter_param_allowed
class-map type inspect match-all vpn_class
match access-group name vpn_servers
class-map type inspect match-all inet_full
match protocol http
match protocol https
match access-group name inet_users
!
!
policy-map type inspect vpn_policy
class type inspect vpn_class
  inspect
class class-default
  drop
policy-map type inspect urlfilter urlf_policy
class type urlfilter blacklist_class
  log
  reset
class type urlfilter whitelist_class
  allow
policy-map type inspect from_lan_policy
class type inspect inet_full
  inspect
class type inspect inet_users
  inspect
  service-policy urlfilter urlf_policy
class type inspect from_lan
  inspect
class class-default
  drop
policy-map type inspect to_lan_policy
class type inspect to_lan
  inspect
class class-default
  drop
!
zone security inside_zone
zone security outside_zone
zone security vpn
zone-pair security inside_to_outside source inside_zone destination outside_zone
service-policy type inspect from_lan_policy
zone-pair security outside_to_inside source outside_zone destination inside_zone
service-policy type inspect to_lan_policy
zone-pair security inside_to_vpn source inside_zone destination vpn
service-policy type inspect vpn_policy
!
!
!
interface Loopback0
ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 192.168.1.133 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security inside_zone
duplex auto
speed auto
crypto map ipsec_crypto_map
!
interface FastEthernet0/1
description $ES_LAN$
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security outside_zone
duplex auto
speed auto
crypto map ipsec_crypto_map
!
interface Virtual-Template2
ip unnumbered FastEthernet0/1
zone-member security outside_zone
peer default ip address pool vpn
ppp encrypt mppe auto
ppp authentication pap chap ms-chap ms-chap-v2
!
interface Dialer0
ip address negotiated
ip pim dense-mode
ip nat outside
ip virtual-reassembly
zone-member security outside_zone
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string 111
dialer vpdn
dialer-group 1
no cdp enable
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp chap hostname xxxxx
ppp chap password 7 09681E05490E1141
!
ip local pool vpn 192.168.1.223 192.168.1.225
ip local pool ipsec_pool 192.168.1.231 192.168.1.240
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 213.170.103.9
ip route 192.168.58.0 255.255.255.0 Dialer0
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.1.51 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.1.250 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.1.50 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.250 110 interface FastEthernet0/1 110
ip nat inside source static tcp 192.168.1.50 80 interface FastEthernet0/1 80
ip nat inside source list nat interface FastEthernet0/1 overload
ip nat inside source list to_vpn interface Dialer0 overload
!
ip access-list standard vpn_servers
permit 192.168.58.0 0.0.0.255
!
ip access-list extended crypto_ipsec_acl
ip access-list extended from_lan
permit udp any any eq domain
permit udp any any eq ntp
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit tcp any any eq www
permit tcp host 192.168.1.201 any eq 3389 established
permit tcp host 192.168.1.222 any eq 3389 established
permit tcp host 192.168.1.201 any eq 5938 established
permit tcp host 192.168.1.80 any eq 5938 established
permit tcp host 192.168.1.93 any eq 5938 established
permit tcp host 192.168.1.59 any eq 5938 established
permit tcp host 192.168.1.68 any eq 5938 established
permit tcp host 192.168.1.98 any eq 5938 established
permit tcp any any eq 1959 established
permit tcp any any eq 1961 established
permit tcp host 192.168.1.10 any eq 1024 established
permit tcp any any eq pop3
permit tcp any any eq 69 established
permit tcp any any eq 1723
permit tcp any any eq 443
permit tcp any any eq 587
permit tcp any any eq 995
permit tcp any host 91.103.153.27 eq 30586
permit tcp any any eq 47
permit gre any any
permit ip any any
permit tcp host 192.168.1.250 any eq smtp
ip access-list extended guests
permit tcp host 195.189.83.63 any eq 3389 www
permit tcp host 93.81.243.45 any eq 3389 www
permit tcp host 84.52.80.52 any eq 3389 www
permit tcp host 195.189.83.63 any eq 3389 www established
permit tcp host 93.81.243.45 any eq 3389 www established
permit tcp host 84.52.80.52 any eq 3389 www established
permit tcp host 93.81.243.76 any established
permit tcp host 93.100.31.195 any eq 3389 www established
permit tcp host 82.140.75.11 any eq 3389 www established
permit tcp host 93.100.57.196 any eq 3389 www established
permit tcp host 89.179.125.204 any established
permit tcp any any eq smtp
permit tcp any any eq 1723
permit tcp any any eq 47
permit gre any any
permit tcp any any eq 1024
permit ip any any
permit udp any any eq domain
permit udp any any eq ntp
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit tcp any any eq www
ip access-list extended inet_users_filtered
deny   tcp host 192.168.1.222 any eq www
deny   ip host 192.158.1.53 any
deny   ip host 192.158.1.253 any
deny   tcp host 192.168.1.201 any
permit ip any any
ip access-list extended ipsec_crypto_acl
ip access-list extended ipser_crypto_acl
ip access-list extended nat
deny   ip 192.168.1.0 0.0.0.255 192.168.58.0 0.0.0.255
deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended to-lan
permit tcp any any eq smtp
permit ip any any
ip access-list extended to_gis
permit ip 192.168.1.0 0.0.0.255 192.168.58.0 0.0.0.255
permit ip any any
ip access-list extended to_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.58.0 0.0.0.255
ip access-list extended vpn
permit ip any any
!
logging 208.87.33.151
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 13 permit yyy.yyy.yyy.yyy
access-list 13 permit 192.168.1.222
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
route-map to_gis permit 10
match ip address to_gis
match interface Dialer0
!
!
!
!
control-plane
!
!
banner exec  
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------

banner login  
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------

!
line con 0
line aux 0
line vty 0 4
access-class 13 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp authenticate
ntp update-calendar
ntp server ntp2.imvp.ru
ntp server ntp1.imvp.ru
end