The OpenNET Project / Index page

Forum: Cisco routers and other equipment (VPN, VLAN, tunnels)
Original message

"Puzzling problem with classic IPsec"
Message from vidershpan on 27-May-14, 07:12
Hi all, maybe someone has run into this.
The situation is this: there is a 2821 terminating around 100 site-to-site IPsec tunnels.
Everything is done with crypto maps. It has all been working fine for months now, but.... at some point all the tunnels drop at the same time.

Tunnel-related config on the 2821:

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20 5 periodic
crypto isakmp nat keepalive 10

crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2

crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac

crypto map Inet 1 ipsec-isakmp
description ---
set peer A.A.A.A
set transform-set 3DES_MD5
match address 124
reverse-route static

interface GigabitEthernet0/1
description --- Internet ---
ip address B.B.B.B
standby version 2
standby 2 ip C.C.C.C
standby 2 priority 200
standby 2 preempt
standby 2 name Internet
duplex auto
speed auto
crypto map Inet redundancy Internet
......
access-list 124 permit ip 192.168.0.0 0.0.255.255 192.168.15.200 0.0.0.3

On the other side is an 871 with an analogous config.
So, after a tunnel drops, traffic between the external interfaces passes and IPsec phase 1 and phase 2 complete, but the payload traffic gets dropped for some reason. By experiment it turned out that this is cured by changing the encryption from 3DES_MD5 to 3DES_SHA. As soon as I change the encryption method on both sides, everything comes up immediately.
I've already racked my brain over what is wrong....

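Added example, not from the thread: a small Python linter for configs in the shape posted above. It checks that every `crypto map ... ipsec-isakmp` entry names a defined transform set and access list and has a peer, that the map is actually bound to an interface, and flags legacy algorithms (DES/3DES, MD5, DH groups 1/2/5) in ISAKMP policies and transform sets. `SAMPLE_CONFIG` is constructed from the posted layout with placeholder addresses plus a second, deliberately broken map entry; the function and variable names are mine, not IOS or project names.

```python
"""Lint a Cisco IOS crypto-map IPsec configuration for dangling references
and legacy algorithms. Added example for this thread, not the poster's code.
SAMPLE_CONFIG is constructed to mirror the layout posted above, with
placeholder addresses and a second, deliberately broken map entry."""
import re

SAMPLE_CONFIG = """\
crypto isakmp policy 2
encr 3des
hash md5
group 2
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set AES_SHA esp-aes 256 esp-sha-hmac
crypto map Inet 1 ipsec-isakmp
set peer A.A.A.A
set transform-set 3DES_MD5
match address 124
crypto map Inet 2 ipsec-isakmp
set peer D.D.D.D
set transform-set AES_SHA256
match address 125
interface GigabitEthernet0/1
crypto map Inet redundancy Internet
access-list 124 permit ip 192.168.0.0 0.0.255.255 192.168.15.200 0.0.0.3
"""

# Algorithms that current guidance (RFC 8247, Cisco NGE) treats as legacy.
LEGACY = {"des": "DES", "3des": "3DES", "md5": "MD5",
          "esp-des": "DES", "esp-3des": "3DES", "esp-md5-hmac": "HMAC-MD5"}
LEGACY_DH_GROUPS = {"1", "2", "5"}


def parse_config(text):
    """Collect policies, transform sets, map entries, ACL ids and interface-bound maps;
    sub-commands need not be indented, since pasted configs usually lose indentation."""
    cfg = {"policies": {}, "transform_sets": {}, "crypto_maps": {},
           "acls": set(), "bound_maps": set()}
    section = None  # ("policy", id) or ("map", (name, seq)) while inside one
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            section = ("policy", m.group(1))
            cfg["policies"][m.group(1)] = {}
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            section = None
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            section = ("map", (m.group(1), m.group(2)))
            cfg["crypto_maps"][section[1]] = {"peers": []}
        elif m := re.match(r"crypto map (\S+)(?: redundancy \S+)?$", line):
            section = None                  # map bound under an interface
            cfg["bound_maps"].add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            section = None
            cfg["acls"].add(m.group(1))
        elif line.startswith(("crypto ", "interface ")):
            section = None                  # some other top-level command
        elif section and section[0] == "policy":
            key, _, value = line.partition(" ")
            cfg["policies"][section[1]][key] = value
        elif section and section[0] == "map":
            entry, words = cfg["crypto_maps"][section[1]], line.split()
            if line.startswith("set peer "):
                entry["peers"].append(words[2])
            elif line.startswith("set transform-set "):
                entry["transform_set"] = words[2]
            elif line.startswith("match address "):
                entry["acl"] = words[2]
    return cfg


def lint(cfg):
    """Findings prefixed ERROR (entry cannot negotiate) or WARN (legacy crypto)."""
    out = []
    for pid, a in cfg["policies"].items():
        enc, grp = a.get("encr", "des"), a.get("group", "1")  # IOS defaults: DES, group 1
        for label, alg in (("encryption", enc), ("hash", a.get("hash", "sha"))):
            if alg in LEGACY:
                out.append(f"WARN isakmp policy {pid}: {label} {alg} is legacy ({LEGACY[alg]})")
        if grp in LEGACY_DH_GROUPS:
            out.append(f"WARN isakmp policy {pid}: DH group {grp} is legacy")
    for name, algs in cfg["transform_sets"].items():
        out += [f"WARN transform-set {name}: {alg} is legacy ({LEGACY[alg]})"
                for alg in algs if alg in LEGACY]
    for (name, seq), e in cfg["crypto_maps"].items():
        where = f"ERROR crypto map {name} {seq}:"
        if not e["peers"]:
            out.append(f"{where} no set peer")
        if e.get("transform_set") not in cfg["transform_sets"]:
            out.append(f"{where} transform-set {e.get('transform_set')} is missing or undefined")
        if e.get("acl") not in cfg["acls"]:
            out.append(f"{where} access-list {e.get('acl')} is missing or undefined")
        if name not in cfg["bound_maps"]:
            out.append(f"{where} map {name} is not applied to any interface")
    return out


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run as a script it prints the findings for the constructed sample: two ERRORs for the broken `Inet 2` entry and five WARNs for the 3DES/MD5/group 2 choices that the posted config also makes. A dangling reference is an ERROR because that entry can never negotiate; a legacy algorithm is a WARN because it still interoperates but is the thing to migrate away from when the tunnels are next touched.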
1. "Puzzling problem with classic IPsec"
Message from vidershpan on 27-May-14, 09:04
debug crypto isa from the 870 box:

*May 27 12:44:11: ISAKMP:(0): SA request profile is (NULL)
*May 27 12:44:11: ISAKMP: Found a peer struct for C.C.C.C, peer port 500
*May 27 12:44:11: ISAKMP: Locking peer struct 0x83F14820, refcount 3 for isakmp_initiator
*May 27 12:44:11: ISAKMP: local port 500, remote port 500
*May 27 12:44:11: ISAKMP: set new node 0 to QM_IDLE
*May 27 12:44:11: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8571A10C
*May 27 12:44:11: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 27 12:44:11: ISAKMP:(0):found peer pre-shared key matching C.C.C.C
*May 27 12:44:11: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 27 12:44:11: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 27 12:44:11: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 27 12:44:11: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 27 12:44:11: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*May 27 12:44:11: ISAKMP:(0): beginning Main Mode exchange
*May 27 12:44:11: ISAKMP:(0): sending packet to C.C.C.C my_port 500 peer_port 500 (I) MM_NO_STATE
*May 27 12:44:11: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP (0): received packet from C.C.C.C dport 500 sport 500 Global (R) MM_SA_SETUP
*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 12:44:11: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*May 27 12:44:11: ISAKMP:(0): processing KE payload. message ID = 0
*May 27 12:44:11: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 27 12:44:11: ISAKMP:(0):found peer pre-shared key matching C.C.C.C
*May 27 12:44:11: ISAKMP:(2010): processing vendor id payload
*May 27 12:44:11: ISAKMP:(2010): vendor ID is DPD
*May 27 12:44:11: ISAKMP:(2010): processing vendor id payload
*May 27 12:44:11: ISAKMP:(2010): speaking to another IOS box!
*May 27 12:44:11: ISAKMP:(2010): processing vendor id payload
*May 27 12:44:11: ISAKMP:(2010): vendor ID seems Unity/DPD but major 204 mismatch
*May 27 12:44:11: ISAKMP:(2010): vendor ID is XAUTH
*May 27 12:44:11: ISAKMP:received payload type 20
*May 27 12:44:11: ISAKMP (2010): His hash no match - this node outside NAT
*May 27 12:44:11: ISAKMP:received payload type 20
*May 27 12:44:11: ISAKMP (2010): No NAT Found for self or peer
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_R_MM3  New State = IKE_R_MM3

*May 27 12:44:11: ISAKMP (0): received packet from C.C.C.C dport 500 sport 500 Global (I) MM_NO_STATE
*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 12:44:11: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*May 27 12:44:11: ISAKMP:(2010): sending packet to C.C.C.C my_port 500 peer_port 500 (R) MM_KEY_EXCH
*May 27 12:44:11: ISAKMP:(2010):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_R_MM3  New State = IKE_R_MM4

*May 27 12:44:11: ISAKMP:(0): processing SA payload. message ID = 0
*May 27 12:44:11: ISAKMP:(0): processing vendor id payload
*May 27 12:44:11: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*May 27 12:44:11: ISAKMP (0): vendor ID is NAT-T RFC 3947
*May 27 12:44:11: ISAKMP:(0):found peer pre-shared key matching C.C.C.C
*May 27 12:44:11: ISAKMP:(0): local preshared key found
*May 27 12:44:11: ISAKMP : Scanning profiles for xauth ...
*May 27 12:44:11: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*May 27 12:44:11: ISAKMP:      encryption AES-CBC
*May 27 12:44:11: ISAKMP:      keylength of 256
*May 27 12:44:11: ISAKMP:      hash SHA
*May 27 12:44:11: ISAKMP:      default group 2
*May 27 12:44:11: ISAKMP:      auth pre-share
*May 27 12:44:11: ISAKMP:      life type in seconds
*May 27 12:44:11: ISAKMP:      life duration (basic) of 36000
*May 27 12:44:11: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 27 12:44:11: ISAKMP:(0):Acceptable atts:actual life: 0
*May 27 12:44:11: ISAKMP:(0):Acceptable atts:life: 0
*May 27 12:44:11: ISAKMP:(0):Basic life_in_seconds:36000
*May 27 12:44:11: ISAKMP:(0):Returning Actual lifetime: 36000
*May 27 12:44:11: ISAKMP:(0)::Started lifetime timer: 36000.

*May 27 12:44:11: ISAKMP:(0): processing vendor id payload
*May 27 12:44:11: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*May 27 12:44:11: ISAKMP (0): vendor ID is NAT-T RFC 3947
*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 12:44:11: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*May 27 12:44:11: ISAKMP:(0): sending packet to C.C.C.C my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 27 12:44:11: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 27 12:44:11: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*May 27 12:44:11: ISAKMP (2010): received packet from C.C.C.C dport 500 sport 500 Global (R) MM_KEY_EXCH
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_R_MM4  New State = IKE_R_MM5

*May 27 12:44:11: ISAKMP:(2010): processing ID payload. message ID = 0
*May 27 12:44:11: ISAKMP (2010): ID payload
        next-payload : 8
        type         : 1
        address      : C.C.C.C
        protocol     : 17
        port         : 500
        length       : 12
*May 27 12:44:11: ISAKMP:(0):: peer matches *none* of the profiles
*May 27 12:44:11: ISAKMP:(2010): processing HASH payload. message ID = 0
*May 27 12:44:11: ISAKMP:received payload type 17
*May 27 12:44:11: ISAKMP:(2010):SA authentication status:
        authenticated
*May 27 12:44:11: ISAKMP:(2010):SA has been authenticated with C.C.C.C
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_R_MM5  New State = IKE_R_MM5

*May 27 12:44:11: ISAKMP:(2010):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 27 12:44:11: ISAKMP (2010): ID payload
        next-payload : 8
        type         : 1
        address      : A.A.A.A
        protocol     : 17
        port         : 500
        length       : 12
*May 27 12:44:11: ISAKMP:(2010):Total payload length: 12
*May 27 12:44:11: ISAKMP:(2010): sending packet to C.C.C.C my_port 500 peer_port 500 (R) MM_KEY_EXCH
*May 27 12:44:11: ISAKMP:(2010):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*May 27 12:44:11: ISAKMP (0): received packet from C.C.C.C dport 500 sport 500 Global (I) MM_SA_SETUP
*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 12:44:11: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*May 27 12:44:11: ISAKMP:(0): processing KE payload. message ID = 0
*May 27 12:44:11: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 27 12:44:11: ISAKMP:(0):found peer pre-shared key matching C.C.C.C
*May 27 12:44:11: ISAKMP:(2011): processing vendor id payload
*May 27 12:44:11: ISAKMP:(2011): vendor ID is Unity
*May 27 12:44:11: ISAKMP:(2011): processing vendor id payload
*May 27 12:44:11: ISAKMP:(2011): vendor ID is DPD
*May 27 12:44:11: ISAKMP:(2011): processing vendor id payload
*May 27 12:44:11: ISAKMP:(2011): speaking to another IOS box!
*May 27 12:44:11: ISAKMP:received payload type 20
*May 27 12:44:11: ISAKMP (2011): His hash no match - this node outside NAT
*May 27 12:44:11: ISAKMP:received payload type 20
*May 27 12:44:11: ISAKMP (2011): No NAT Found for self or peer
*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_I_MM4  New State = IKE_I_MM4

*May 27 12:44:11: ISAKMP (2010): received packet from C.C.C.C dport 500 sport 500 Global (R) QM_IDLE
*May 27 12:44:11: ISAKMP: set new node -818656473 to QM_IDLE
*May 27 12:44:11: ISAKMP:(2010): processing HASH payload. message ID = -818656473
*May 27 12:44:11: ISAKMP:(2010): processing SA payload. message ID = -818656473
*May 27 12:44:11: ISAKMP:(2010):Checking IPSec proposal 1
*May 27 12:44:11: ISAKMP: transform 1, ESP_AES
*May 27 12:44:11: ISAKMP:   attributes in transform:
*May 27 12:44:11: ISAKMP:      encaps is 1 (Tunnel)
*May 27 12:44:11: ISAKMP:      SA life type in seconds
*May 27 12:44:11: ISAKMP:      SA life duration (basic) of 3600
*May 27 12:44:11: ISAKMP:      SA life type in kilobytes
*May 27 12:44:11: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*May 27 12:44:11: ISAKMP:      authenticator is HMAC-MD5
*May 27 12:44:11: ISAKMP:      key length is 256
*May 27 12:44:11: ISAKMP:(2010):atts are acceptable.
*May 27 12:44:11: ISAKMP:(2010): processing NONCE payload. message ID = -818656473
*May 27 12:44:11: ISAKMP:(2010): processing ID payload. message ID = -818656473
*May 27 12:44:11: ISAKMP:(2010): processing ID payload. message ID = -818656473
*May 27 12:44:11: ISAKMP:(2010):QM Responder gets spi
*May 27 12:44:11: ISAKMP:(2010):Node -818656473, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*May 27 12:44:11: ISAKMP:(2010): Creating IPSec SAs
*May 27 12:44:11:         inbound SA from C.C.C.C to A.A.A.A (f/i)  0/ 0
        (proxy 192.168.0.0 to 192.168.36.200)
*May 27 12:44:11:         has spi 0xAC5F0D53 and conn_id 0
*May 27 12:44:11:         lifetime of 3600 seconds
*May 27 12:44:11:         lifetime of 4608000 kilobytes
*May 27 12:44:11:         outbound SA from A.A.A.A to C.C.C.C (f/i) 0/0
        (proxy 192.168.36.200 to 192.168.0.0)
*May 27 12:44:11:         has spi  0x7522BDAB and conn_id 0
*May 27 12:44:11:         lifetime of 3600 seconds
*May 27 12:44:11:         lifetime of 4608000 kilobytes
*May 27 12:44:11: ISAKMP:(2010): sending packet to C.C.C.C my_port 500 peer_port 500 (R) QM_IDLE
*May 27 12:44:11: ISAKMP:(2010):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP:(2010):Node -818656473, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*May 27 12:44:11: ISAKMP:(2011):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 27 12:44:11: ISAKMP (2011): ID payload
        next-payload : 8
        type         : 1
        address      : A.A.A.A
        protocol     : 17
        port         : 500
        length       : 12
*May 27 12:44:11: ISAKMP:(2011):Total payload length: 12
*May 27 12:44:11: ISAKMP:(2011): sending packet to C.C.C.C my_port 500 peer_port 500 (I) MM_KEY_EXCH
*May 27 12:44:11: ISAKMP:(2011):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_I_MM4  New State = IKE_I_MM5

*May 27 12:44:11: ISAKMP (2010): received packet from C.C.C.C dport 500 sport 500 Global (R) QM_IDLE
*May 27 12:44:11: ISAKMP: set new node -884856606 to QM_IDLE
*May 27 12:44:11: ISAKMP:(2010): processing HASH payload. message ID = -884856606
*May 27 12:44:11: ISAKMP:(2010): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2891910483, message ID = -884856606, sa = 8570CDF4
*May 27 12:44:11: ISAKMP:(2010): deleting spi 2891910483 message ID = -818656473
*May 27 12:44:11: ISAKMP:(2010):deleting node -818656473 error TRUE reason "Delete Larval"
*May 27 12:44:11: ISAKMP:(2010):peer does not do paranoid keepalives.

*May 27 12:44:11: ISAKMP:(2010):deleting node -884856606 error FALSE reason "Informational (in) state 1"
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*May 27 12:44:11: ISAKMP (2011): received packet from C.C.C.C dport 500 sport 500 Global (I) MM_KEY_EXCH
*May 27 12:44:11: ISAKMP:(2011): processing ID payload. message ID = 0
*May 27 12:44:11: ISAKMP (2011): ID payload
        next-payload : 8
        type         : 1
        address      : C.C.C.C
        protocol     : 17
        port         : 500
        length       : 12
*May 27 12:44:11: ISAKMP:(0):: peer matches *none* of the profiles
*May 27 12:44:11: ISAKMP:(2011): processing HASH payload. message ID = 0
*May 27 12:44:11: ISAKMP:(2011):SA authentication status:
        authenticated
*May 27 12:44:11: ISAKMP:(2011):SA has been authenticated with C.C.C.C
*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_I_MM5  New State = IKE_I_MM6

*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_I_MM6  New State = IKE_I_MM6

*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*May 27 12:44:11: ISAKMP:(2011):beginning Quick Mode exchange, M-ID of -2029979089
*May 27 12:44:11: ISAKMP:(2011):QM Initiator gets spi
*May 27 12:44:11: ISAKMP:(2011): sending packet to C.C.C.C my_port 500 peer_port 500 (I) QM_IDLE
*May 27 12:44:11: ISAKMP:(2011):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP:(2011):Node -2029979089, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*May 27 12:44:11: ISAKMP (2011): received packet from C.C.C.C dport 500 sport 500 Global (I) QM_IDLE
*May 27 12:44:11: ISAKMP: set new node -1489836278 to QM_IDLE
*May 27 12:44:11: ISAKMP:(2011): processing HASH payload. message ID = -1489836278
*May 27 12:44:11: ISAKMP:(2011): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2448897278, message ID = -1489836278, sa = 8571A10C
*May 27 12:44:11: ISAKMP:(2011): deleting spi 2448897278 message ID = -2029979089
*May 27 12:44:11: ISAKMP:(2011):deleting node -2029979089 error TRUE reason "Delete Larval"
*May 27 12:44:11: ISAKMP:(2011):deleting node -1489836278 error FALSE reason "Informational (in) state 1"
*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

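The capture above shows the same pattern on both ISAKMP SAs (2010 and 2011): the local side prints `atts are acceptable` and even `Creating IPSec SAs`, and then the peer answers `NOTIFY PROPOSAL_NOT_CHOSEN`, after which the half-built SA is torn down with reason `Delete Larval`. Added example, not from the thread: a Python parser that walks `debug crypto isakmp` output and reduces it to one summary line per SA, so a hundred tunnels' worth of debug can be triaged at a glance. `SAMPLE_LOG` is constructed in the line format shown above (placeholder addresses, identifiers copied from the log); the function names are mine.

```python
"""Summarize IKE Phase 2 outcomes per ISAKMP SA from Cisco IOS `debug crypto
isakmp` output. Added example for this thread, not the poster's code. It
understands the line shapes in the debug above; SAMPLE_LOG is constructed in
that shape with placeholder addresses."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
*May 27 12:44:11: ISAKMP (2010): received packet from C.C.C.C dport 500 sport 500 Global (R) QM_IDLE
*May 27 12:44:11: ISAKMP:(2010):Checking IPSec proposal 1
*May 27 12:44:11: ISAKMP: transform 1, ESP_AES
*May 27 12:44:11: ISAKMP:   attributes in transform:
*May 27 12:44:11: ISAKMP:      encaps is 1 (Tunnel)
*May 27 12:44:11: ISAKMP:      authenticator is HMAC-MD5
*May 27 12:44:11: ISAKMP:      key length is 256
*May 27 12:44:11: ISAKMP:(2010):atts are acceptable.
*May 27 12:44:11: ISAKMP:(2010): Creating IPSec SAs
*May 27 12:44:11: ISAKMP:(2010): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2891910483, message ID = -884856606, sa = 8570CDF4
*May 27 12:44:11: ISAKMP:(2010):deleting node -818656473 error TRUE reason "Delete Larval"
*May 27 12:44:11: ISAKMP:(2011):Checking IPSec proposal 1
*May 27 12:44:11: ISAKMP: transform 1, ESP_3DES
*May 27 12:44:11: ISAKMP:      authenticator is HMAC-SHA
*May 27 12:44:11: ISAKMP:(2011):atts are acceptable.
*May 27 12:44:11: ISAKMP:(2011): Creating IPSec SAs
"""

SA_RE = re.compile(r"ISAKMP[: ]\((\d+)\):?\s*(.*)")  # "ISAKMP:(2010):msg" or "ISAKMP (2010): msg"
ATTR_RE = re.compile(r"ISAKMP:\s+(.*)")              # attribute lines carry no SA id


def new_record():
    return {"proposals": [], "atts_acceptable": False, "proposal_not_chosen": 0,
            "larval_deleted": 0, "ipsec_sas_created": False}


def parse_isakmp_debug(text):
    """Return {sa_id: record}; each record gathers the Phase 2 evidence for one ISAKMP SA."""
    records = defaultdict(new_record)
    proposal = None  # attributes of the IPsec proposal currently being checked
    for raw in text.splitlines():
        line = raw.strip()
        if m := SA_RE.search(line):
            sa_id, msg = m.group(1), m.group(2).strip()
            rec = records[sa_id]
            if msg.startswith("Checking IPSec proposal"):
                proposal = {"transform": None, "authenticator": None, "key_length": None}
                rec["proposals"].append(proposal)
            elif msg.startswith("atts are acceptable"):
                rec["atts_acceptable"], proposal = True, None
            elif "NOTIFY PROPOSAL_NOT_CHOSEN" in msg:
                rec["proposal_not_chosen"] += 1
            elif 'reason "Delete Larval"' in msg:
                rec["larval_deleted"] += 1
            elif msg.startswith("Creating IPSec SAs"):
                rec["ipsec_sas_created"] = True
        elif proposal is not None and (m := ATTR_RE.search(line)):
            attr = m.group(1).strip()  # e.g. "transform 1, ESP_AES", "key length is 256"
            if attr.startswith("transform"):
                proposal["transform"] = attr.partition(",")[2].strip()
            elif attr.startswith("authenticator is"):
                proposal["authenticator"] = attr.partition(" is ")[2].strip()
            elif attr.startswith("key length is"):
                proposal["key_length"] = int(attr.rsplit(" ", 1)[1])
    return dict(records)


def diagnose(records):
    """One line per ISAKMP SA that showed Phase 2 activity, lowest SA id first."""
    lines = []
    for sa_id in sorted(records, key=int):
        rec = records[sa_id]
        if not (rec["proposals"] or rec["proposal_not_chosen"] or rec["ipsec_sas_created"]):
            continue  # SA seen only in Phase 1 or housekeeping lines
        props = ", ".join("/".join(str(v) for v in p.values() if v is not None)
                          for p in rec["proposals"]) or "none"
        if rec["proposal_not_chosen"]:
            # Locally the proposal was accepted and SAs were even created, yet the
            # peer refused it: only the peer's debug shows what it compared against.
            status = (f"peer answered PROPOSAL_NOT_CHOSEN x{rec['proposal_not_chosen']}, "
                      f"{rec['larval_deleted']} larval SA(s) deleted")
        elif rec["ipsec_sas_created"]:
            status = "IPsec SAs created"
        else:
            status = "Phase 2 not completed in this capture"
        lines.append(f"SA {sa_id}: proposals [{props}]; "
                     f"accepted locally={rec['atts_acceptable']}; {status}")
    return lines


if __name__ == "__main__":
    for line in diagnose(parse_isakmp_debug(SAMPLE_LOG)):
        print(line)
```

PROPOSAL_NOT_CHOSEN is sent by the peer, so this side's debug only records the refusal; the attributes the peer actually matched against its own crypto map are in the peer's `debug crypto isakmp`. Collect both sides of a failing tunnel before reading the summary, and treat a local `Creating IPSec SAs` followed by `Delete Larval` as a failed Phase 2, not a working one.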