URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 6158

Original message
"Configuring a PIX to accept L2TP VPN"

Posted by Pavel117, 17-Sep-04 10:13
Hello!

There is a PIX 515E on the network that terminates a VPN tunnel from a Cisco 3002 Hardware Client. Everything works fine. We have now been given the task of setting up VPN with remote computers using the VPN client built into Windows 2000. I tried to configure it, but it refuses to work. Debug shows that they agree on IKE and choose the second policy (the first is used for the 3002 Hardware Client), and then the PIX says "Peer Info for x.y.z.1/500 not found". What is it missing to be happy?
Debug:
crypto_isakmp_process_block:src:x.y.z.1, dest:q.w.e.129 spt:21922 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 2 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 2 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 2 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.y.z.1, dest:q.w.e.129 spt:21922 dpt:500
VPN Peer:ISAKMP: Peer Info for x.y.z.1/500 not found - peers:0

ISAKMP: larval sa found
crypto_isakmp_process_block:src:x.y.z.1, dest:q.w.e.129 spt:21922 dpt:500
VPN Peer:ISAKMP: Peer Info for x.y.z.1/500 not found - peers:0

ISAKMP: larval sa found
crypto_isakmp_process_block:src:x.y.z.1, dest:q.w.e.129 spt:21922 dpt:500
VPN Peer:ISAKMP: Peer Info for x.y.z.1/500 not found - peers:0

ISAKMP: larval sa found
crypto_isakmp_process_block:src:x.y.z.1, dest:q.w.e.129 spt:21922 dpt:500
VPN Peer:ISAKMP: Peer Info for x.y.z.1/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
crypto_isakmp_process_block:src:x.y.z.1, dest:q.w.e.129 spt:21922 dpt:500
VPN Peer:ISAKMP: Peer Info for x.y.z.1/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): deleting SA: src x.y.z.1, dst q.w.e.129
ISADB: reaper checking SA 0x12a3d4c, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for x.y.z.1/21922 not found - peers:0

crypto_isakmp_process_block:src:x.y.z.1, dest:q.w.e.129 spt:21922 dpt:500
ISAKMP: sa not found for ike msg


x.y.z.1 is the machine with Windows 2000 VPN, q.w.e.129 is the PIX.

Thanks!
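
Added example, not part of the original post: a small parser for this debug format that reports which transform the PIX accepted against which policy, decodes the lifetime bytes, and counts the "Peer Info ... not found" lines. The function names are this example's own, and the sample input is an excerpt of the debug output above.

```python
import re

# Excerpt of the debug output from the post above (two of the proposals checked).
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 2 against priority 2 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 2 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
VPN Peer:ISAKMP: Peer Info for x.y.z.1/500 not found - peers:0
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
LIFE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")
VERDICT = re.compile(r"atts are (not )?acceptable")

def parse_proposals(log):
    """Return one dict per transform/policy comparison found in the log."""
    proposals, cur = [], {}  # attributes seen before any comparison are discarded
    for line in log.splitlines():
        if m := CHECK.search(line):
            cur = {"transform": int(m[1]), "policy": int(m[2])}
            proposals.append(cur)
        elif m := ATTR.match(line):
            cur[m[1]] = m[2]
        elif m := LIFE.search(line):
            # The lifetime is printed as big-endian bytes: 0x0 0x0 0x70 0x80 -> 28800
            cur["lifetime_s"] = int.from_bytes(bytes(int(b, 16) for b in m[1].split()), "big")
        elif m := VERDICT.search(line):
            cur["accepted"] = m[1] is None
            cur = {}
    return proposals

def summarize(log):
    """Accepted proposal (or None) plus the count of 'Peer Info ... not found' lines."""
    accepted = next((p for p in parse_proposals(log) if p.get("accepted")), None)
    return accepted, len(re.findall(r"Peer Info for \S+ not found", log))
```

On the excerpt, `summarize(SAMPLE)` returns transform 3 against priority 2 policy (DES-CBC, SHA, group 1, 28800 seconds), which matches the second-policy match described in the post.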


Contents

Messages in this discussion
"Configuring a PIX to accept L2TP VPN"
Posted by ВОЛКА, 17-Sep-04 12:57
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_con...