The OpenNET Project / Index page

Forums: Cisco routers and other equipment (Public)
"Simultaneous Cisco VPN Clients and a VPN to a server with a dynamic..."
Message from MichelLazarenko (ok) on 17-Apr-09, 02:32
Please help me figure this out.
We have a Cisco 871 Adv Services.
It runs 4 VPNs. In addition, access is configured for clients using Cisco VPN Client.
So far everything works well.

Now a new VPN is being added, to a server without a static IP. On the other end is a D-Link G804V. For the question of how to share the shared key, I am trying this:
===
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0 no-xauth
===
Everything configures fine - the VPN is connected. Everything seems fine. But no! After this line, Cisco VPN Clients no longer authenticate!

As I understand the log (below), the problem is in this line -
037542: .Apr 17 00:19:19.488 EEST: ISAKMP: Looking for a matching key for x.x.x.x in default : success

Apparently the Cisco took the key that was intended for the server with the dynamic IP and stumbled on that.

Moreover, if I put
===
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
===
(without no-xauth) - then the Cisco VPN Clients connect! But the server stops connecting. :(

I set the same key for both - it did not help.

I am reluctant to separate them by address masks - overlaps are quite possible.

What should I do???
Is there any solution?

Thanks in advance!

=[Log]=====
037540: .Apr 17 00:19:19.488 EEST: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : vpnciscoclient
        protocol     : 17
        port         : 500
        length       : 17
037541: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0):: peer matches ciscovpnprofile profile
037542: .Apr 17 00:19:19.488 EEST: ISAKMP: Looking for a matching key for x.x.x.x in default : success
037543: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0):Setting client config settings 82C6FC18
037544: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): processing vendor id payload
037545: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 215 mismatch
037546: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): vendor ID is XAUTH
037547: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): processing vendor id payload
037548: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): vendor ID is DPD
037549: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): processing vendor id payload
037550: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
037551: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
037552: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): processing vendor id payload
037553: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
037554: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): processing vendor id payload
037555: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): vendor ID is Unity
037556: .Apr 17 00:19:19.488 EEST: ISAKMP : Looking for xauth in profile vpnprofile
037557: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0): Authentication by xauth preshared
037558: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
037559: .Apr 17 00:19:19.488 EEST: ISAKMP:      encryption AES-CBC
037560: .Apr 17 00:19:19.488 EEST: ISAKMP:      hash SHA
037561: .Apr 17 00:19:19.488 EEST: ISAKMP:      default group 2
037562: .Apr 17 00:19:19.488 EEST: ISAKMP:      auth XAUTHInitPreShared
037563: .Apr 17 00:19:19.488 EEST: ISAKMP:      life type in seconds
037564: .Apr 17 00:19:19.488 EEST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
037565: .Apr 17 00:19:19.492 EEST: ISAKMP:      keylength of 256
037566: .Apr 17 00:19:19.492 EEST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
037567: .Apr 17 00:19:19.492 EEST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
037568: .Apr 17 00:19:19.492 EEST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 1 policy
037569: .Apr 17 00:19:19.492 EEST: ISAKMP:      encryption AES-CBC
037570: .Apr 17 00:19:19.492 EEST: ISAKMP:      hash MD5
037571: .Apr 17 00:19:19.492 EEST: ISAKMP:      default group 2
037572: .Apr 17 00:19:19.492 EEST: ISAKMP:      auth XAUTHInitPreShared
037573: .Apr 17 00:19:19.492 EEST: ISAKMP:      life type in seconds
037574: .Apr 17 00:19:19.492 EEST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
037575: .Apr 17 00:19:19.492 EEST: ISAKMP:      keylength of 256
037576: .Apr 17 00:19:19.492 EEST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
037577: .Apr 17 00:19:19.492 EEST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
037578: .Apr 17 00:19:19.492 EEST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 1 policy
037579: .Apr 17 00:19:19.492 EEST: ISAKMP:      encryption AES-CBC
037580: .Apr 17 00:19:19.492 EEST: ISAKMP:      hash SHA
037581: .Apr 17 00:19:19.492 EEST: ISAKMP:      default group 2
037582: .Apr 17 00:19:19.492 EEST: ISAKMP:      auth pre-share
037583: .Apr 17 00:19:19.492 EEST: ISAKMP:      life type in seconds
037584: .Apr 17 00:19:19.492 EEST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
037585: .Apr 17 00:19:19.492 EEST: ISAKMP:      keylength of 256
037586: .Apr 17 00:19:19.492 EEST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
037587: .Apr 17 00:19:19.492 EEST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
037588: .Apr 17 00:19:19.492 EEST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 1 policy
037589: .Apr 17 00:19:19.492 EEST: ISAKMP:      encryption AES-CBC
037590: .Apr 17 00:19:19.492 EEST: ISAKMP:      hash MD5
037591: .Apr 17 00:19:19.492 EEST: ISAKMP:      default group 2
037592: .Apr 17 00:19:19.492 EEST: ISAKMP:      auth pre-share
037593: .Apr 17 00:19:19.492 EEST: ISAKMP:      life type in seconds
037594: .Apr 17 00:19:19.492 EEST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
037595: .Apr 17 00:19:19.492 EEST: ISAKMP:      keylength of 256
037596: .Apr 17 00:19:19.492 EEST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
037597: .Apr 17 00:19:19.492 EEST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
037598: .Apr 17 00:19:19.496 EEST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 1 policy
037599: .Apr 17 00:19:19.496 EEST: ISAKMP:      encryption AES-CBC
037600: .Apr 17 00:19:19.496 EEST: ISAKMP:      hash SHA
037601: .Apr 17 00:19:19.496 EEST: ISAKMP:      default group 2
037602: .Apr 17 00:19:19.496 EEST: ISAKMP:      auth XAUTHInitPreShared
037603: .Apr 17 00:19:19.496 EEST: ISAKMP:      life type in seconds
037604: .Apr 17 00:19:19.496 EEST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
037605: .Apr 17 00:19:19.496 EEST: ISAKMP:      keylength of 128
037606: .Apr 17 00:19:19.496 EEST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
037607: .Apr 17 00:19:19.496 EEST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
037608: .Apr 17 00:19:19.496 EEST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 6 against priority 1 policy
037609: .Apr 17 00:19:19.496 EEST: ISAKMP:      encryption AES-CBC
037610: .Apr 17 00:19:19.496 EEST: ISAKMP:      hash MD5
037611: .Apr 17 00:19:19.496 EEST: ISAKMP:      default group 2
037612: .Apr 17 00:19:19.496 EEST: ISAKMP:      auth XAUTHInitPreShared
037613: .Apr 17 00:19:19.496 EEST: ISAKMP:      life type in seconds
037614: .Apr 17 00:19:19.496 EEST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
037615: .Apr 17 00:19:19.496 EEST: ISAKMP:      keylength of 128
037616: .Apr 17 00:19:19.496 EEST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
...
037950: .Apr 17 00:19:19.560 EEST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
037951: .Apr 17 00:19:19.560 EEST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 65535 policy
037952: .Apr 17 00:19:19.560 EEST: ISAKMP:      encryption DES-CBC
037953: .Apr 17 00:19:19.560 EEST: ISAKMP:      hash MD5
037954: .Apr 17 00:19:19.560 EEST: ISAKMP:      default group 2
037955: .Apr 17 00:19:19.560 EEST: ISAKMP:      auth pre-share
037956: .Apr 17 00:19:19.560 EEST: ISAKMP:      life type in seconds
037957: .Apr 17 00:19:19.560 EEST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
037958: .Apr 17 00:19:19.564 EEST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
037959: .Apr 17 00:19:19.564 EEST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
037960: .Apr 17 00:19:19.564 EEST: ISAKMP:(0:0:N/A:0):no offers accepted!
037961: .Apr 17 00:19:19.564 EEST: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local x.x.x.x remote x.x.x.x)
037962: .Apr 17 00:19:19.564 EEST: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

037963: .Apr 17 00:19:19.564 EEST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer x.x.x.x)
037964: .Apr 17 00:19:19.564 EEST: ISAKMP:(0:0:N/A:0): processing KE payload. message ID = 0
037965: .Apr 17 00:19:19.564 EEST: ISAKMP:(0:0:N/A:0): group size changed! Should be 0, is 128
037966: .Apr 17 00:19:19.564 EEST: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
037967: .Apr 17 00:19:19.564 EEST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
037968: .Apr 17 00:19:19.564 EEST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_READY

037969: .Apr 17 00:19:19.564 EEST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at x.x.x.x
037970: .Apr 17 00:19:19.584 EEST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer x.x.x.x)
037971: .Apr 17 00:19:19.584 EEST: ISAKMP: Unlocking IKE struct 0x825BEC44 for isadb_mark_sa_deleted(), count 0
037972: .Apr 17 00:19:19.584 EEST: ISAKMP: Deleting peer node by peer_reap for x.x.x.x: 825BEC44
037973: .Apr 17 00:19:19.584 EEST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
037974: .Apr 17 00:19:19.584 EEST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_DEST_SA
==========

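Added example, not part of the original post: a small Python parser for ISAKMP debug output like the log above, reporting which ISAKMP profile and keyring the peer matched and which attribute caused each offered transform to be rejected. The function name `summarize` and the `atts are acceptable` success string are assumptions that do not appear on the page; the sample lines are excerpted from the log above.

```python
import re
from collections import Counter

# Lines excerpted from the debug log quoted in the post above.
SAMPLE = """\
037541: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0):: peer matches ciscovpnprofile profile
037542: .Apr 17 00:19:19.488 EEST: ISAKMP: Looking for a matching key for x.x.x.x in default : success
037558: .Apr 17 00:19:19.488 EEST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
037559: .Apr 17 00:19:19.488 EEST: ISAKMP:      encryption AES-CBC
037562: .Apr 17 00:19:19.488 EEST: ISAKMP:      auth XAUTHInitPreShared
037565: .Apr 17 00:19:19.492 EEST: ISAKMP:      keylength of 256
037566: .Apr 17 00:19:19.492 EEST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
037951: .Apr 17 00:19:19.560 EEST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 65535 policy
037952: .Apr 17 00:19:19.560 EEST: ISAKMP:      encryption DES-CBC
037953: .Apr 17 00:19:19.560 EEST: ISAKMP:      hash MD5
037958: .Apr 17 00:19:19.564 EEST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
037960: .Apr 17 00:19:19.564 EEST: ISAKMP:(0:0:N/A:0):no offers accepted!
"""

PROFILE = re.compile(r"peer matches (\S+) profile")
KEY = re.compile(r"Looking for a matching key for \S+ in (\S+) : success")
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|auth|keylength)(?: of)?\s+(\S+)")
REJECT = re.compile(r"(\w+) algorithm offered does not match policy!")

def summarize(log):
    """Summarize one IKE Phase 1 negotiation from ISAKMP debug text."""
    out = {"profile": None, "keyring": None, "checks": [], "accepted": None}
    cur = None
    for line in log.splitlines():
        if m := PROFILE.search(line):
            out["profile"] = m[1]
        elif m := KEY.search(line):
            out["keyring"] = m[1]  # keyring in which a pre-shared key was found
        elif m := CHECK.search(line):
            cur = {"transform": int(m[1]), "priority": int(m[2]), "reason": None}
            out["checks"].append(cur)
        elif cur and (m := ATTR.search(line)):
            cur[m[1]] = m[2]  # attribute offered by the peer for this transform
        elif cur and (m := REJECT.search(line)):
            cur["reason"] = m[1]  # attribute that failed the policy comparison
        elif "atts are acceptable" in line:  # assumed success text, not in this log
            out["accepted"] = True
        elif "no offers accepted" in line:
            out["accepted"] = False
    out["reasons"] = Counter(c["reason"] for c in out["checks"] if c["reason"])
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run over the full log, the `reasons` tally shows at a glance whether the peer's offers failed on encryption, hash or another attribute for each local policy priority.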
1. "Simultaneous Cisco VPN Clients and a VPN to a server with a dynamic..."
Message from MichelLazarenko (ok) on 17-Apr-09, 04:00
After restarts of the D-Link, the VPN came up in all directions.
Topic closed.
If needed, I can explain how to set up such a scheme.