Всем привет!
возникла проблема с IPSEC на роутере 1841 и клиенте CiscoVpnClient с аутентификацией по сертификатам. при попытке коннекта выдается сообщение "Contacting the security gateway at 192.168.1.133...
Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding. "
вот дебаг и конфиг. помогите разобраться что не так. сразу оговорюсь, что поднимаю это дело в первый раз и ошибка может быть самой тупой и очевидной :) все это грязное дело происходит в локалке.
**********************************************************************************
*********************************************************************************
***************************** DEBUG ***********************************************
Jul 21 10:37:43.196: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
_WAIT_FOR_RETRY
Jul 21 10:37:43.196: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
Jul 21 10:38:03.195: PKI: Shadow timer went off for second_trustpoint
Jul 21 10:38:03.195: CRYPTO_PKI: Sending Next CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetNextCACert&message=second_trustpoint HTT
P/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133
Jul 21 10:38:03.195: CRYPTO_PKI: locked trustpoint second_trustpoint, refcount i
s 1
Jul 21 10:38:03.195: CRYPTO_PKI: can not resolve server name/IP address
Jul 21 10:38:03.195: CRYPTO_PKI: Using unresolved IP Address 192.168.1.133
Jul 21 10:38:03.195: CRYPTO_PKI: http connection opened
Jul 21 10:38:03.195: CRYPTO_PKI: Sending HTTP message
Jul 21 10:38:03.195: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133
Jul 21 10:38:18.193: CRYPTO_PKI: Retry 1
Jul 21 10:38:33.192: CRYPTO_PKI: Retry 2
Jul 21 10:38:33.192: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
Jul 21 10:38:33.192: CRYPTO_PKI: unlocked trustpoint second_trustpoint, refcount
is 0
Jul 21 10:38:33.192: CRYPTO_PKI: status = 65535: failed to send out the pki mess
age
Jul 21 10:38:33.192: %Error in connection to Certificate Authority: status =
FAIL
Jul 21 10:38:33.192: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
_WAIT_FOR_RETRY
Jul 21 10:38:33.192: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
Jul 21 10:38:53.219: PKI: Shadow timer went off for second_trustpoint
Jul 21 10:38:53.219: CRYPTO_PKI: Sending Next CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetNextCACert&message=second_trustpoint HTT
P/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133
Jul 21 10:38:53.219: CRYPTO_PKI: locked trustpoint second_trustpoint, refcount i
s 1
Jul 21 10:38:53.219: CRYPTO_PKI: can not resolve server name/IP address
Jul 21 10:38:53.219: CRYPTO_PKI: Using unresolved IP Address 192.168.1.133
Jul 21 10:38:53.219: CRYPTO_PKI: http connection opened
Jul 21 10:38:53.219: CRYPTO_PKI: Sending HTTP message
Jul 21 10:38:53.219: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133
Jul 21 10:39:00.650: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC pa
cket. (ip) vrf/dest_addr= /192.168.1.255, src_addr= 192.168.1.93, prot= 17
Jul 21 10:39:08.218: CRYPTO_PKI: Retry 1
Jul 21 10:39:23.216: CRYPTO_PKI: Retry 2
Jul 21 10:39:23.216: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
Jul 21 10:39:23.216: CRYPTO_PKI: unlocked trustpoint second_trustpoint, refcount
is 0
Jul 21 10:39:23.216: CRYPTO_PKI: status = 65535: failed to send out the pki mess
age
Jul 21 10:39:23.216: %Error in connection to Certificate Authority: status =
FAIL
Jul 21 10:39:23.216: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
_WAIT_FOR_RETRY
Jul 21 10:39:23.220: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
Jul 21 10:39:43.219: PKI: Shadow timer went off for second_trustpoint
Jul 21 10:39:43.219: CRYPTO_PKI: Sending Next CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetNextCACert&message=second_trustpoint HTT
P/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133
Jul 21 10:39:43.219: CRYPTO_PKI: locked trustpoint second_trustpoint, refcount i
s 1
Jul 21 10:39:43.219: CRYPTO_PKI: can not resolve server name/IP address
Jul 21 10:39:43.219: CRYPTO_PKI: Using unresolved IP Address 192.168.1.133
Jul 21 10:39:43.219: CRYPTO_PKI: http connection opened
Jul 21 10:39:43.219: CRYPTO_PKI: Sending HTTP message
Jul 21 10:39:43.219: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133
Jul 21 10:39:58.218: CRYPTO_PKI: Retry 1
Jul 21 10:40:13.216: CRYPTO_PKI: Retry 2
Jul 21 10:40:13.216: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
Jul 21 10:40:13.216: CRYPTO_PKI: unlocked trustpoint second_trustpoint, refcount
is 0
Jul 21 10:40:13.216: CRYPTO_PKI: status = 65535: failed to send out the pki mess
age
Jul 21 10:40:13.216: %Error in connection to Certificate Authority: status =
FAIL
Jul 21 10:40:13.216: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
_WAIT_FOR_RETRY
Jul 21 10:40:13.216: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
Jul 21 10:40:19.456: ISAKMP (0): received packet from 192.168.1.222 dport 500 sp
ort 4836 Global (N) NEW SA
Jul 21 10:40:19.456: ISAKMP: Created a peer struct for 192.168.1.222, peer port
4836
Jul 21 10:40:19.456: ISAKMP: New peer created peer = 0x67861900 peer_handle = 0x
80000017
Jul 21 10:40:19.456: ISAKMP: Locking peer struct 0x67861900, refcount 1 for cryp
to_isakmp_process_block
Jul 21 10:40:19.456: ISAKMP: local port 500, remote port 4836
Jul 21 10:40:19.460: ISAKMP:(0):insert sa successfully sa = 67597414
Jul 21 10:40:19.460: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 21 10:40:19.460: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Jul 21 10:40:19.460: ISAKMP:(0): processing SA payload. message ID = 0
Jul 21 10:40:19.460: ISAKMP:(0): processing vendor id payload
Jul 21 10:40:19.460: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatc
h
Jul 21 10:40:19.460: ISAKMP:(0): vendor ID is XAUTH
Jul 21 10:40:19.460: ISAKMP:(0): processing vendor id payload
Jul 21 10:40:19.460: ISAKMP:(0): vendor ID is DPD
Jul 21 10:40:19.460: ISAKMP:(0): processing vendor id payload
Jul 21 10:40:19.460: ISAKMP:(0): processing IKE frag vendor id payload
Jul 21 10:40:19.460: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jul 21 10:40:19.460: ISAKMP:(0): processing vendor id payload
Jul 21 10:40:19.460: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatc
h
Jul 21 10:40:19.460: ISAKMP:(0): vendor ID is NAT-T v2
Jul 21 10:40:19.460: ISAKMP:(0): processing vendor id payload
Jul 21 10:40:19.460: ISAKMP:(0): vendor ID is Unity
Jul 21 10:40:19.460: ISAKMP : Scanning profiles for xauth ...
Jul 21 10:40:19.460: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10
policy
Jul 21 10:40:19.460: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.460: ISAKMP: hash SHA
Jul 21 10:40:19.460: ISAKMP: default group 5
Jul 21 10:40:19.460: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.460: ISAKMP: life type in seconds
Jul 21 10:40:19.460: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.464: ISAKMP: keylength of 256
Jul 21 10:40:19.464: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.464: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.464: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10
policy
Jul 21 10:40:19.464: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.464: ISAKMP: hash MD5
Jul 21 10:40:19.464: ISAKMP: default group 5
Jul 21 10:40:19.464: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.464: ISAKMP: life type in seconds
Jul 21 10:40:19.464: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.464: ISAKMP: keylength of 256
Jul 21 10:40:19.464: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.464: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.464: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10
policy
Jul 21 10:40:19.464: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.464: ISAKMP: hash SHA
Jul 21 10:40:19.464: ISAKMP: default group 5
Jul 21 10:40:19.464: ISAKMP: auth RSA sig
Jul 21 10:40:19.464: ISAKMP: life type in seconds
Jul 21 10:40:19.464: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.464: ISAKMP: keylength of 256
Jul 21 10:40:19.464: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.464: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.464: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10
policy
Jul 21 10:40:19.464: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.464: ISAKMP: hash MD5
Jul 21 10:40:19.464: ISAKMP: default group 5
Jul 21 10:40:19.464: ISAKMP: auth RSA sig
Jul 21 10:40:19.464: ISAKMP: life type in seconds
Jul 21 10:40:19.464: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.464: ISAKMP: keylength of 256
Jul 21 10:40:19.464: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.464: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.464: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10
policy
Jul 21 10:40:19.464: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.464: ISAKMP: hash SHA
Jul 21 10:40:19.464: ISAKMP: default group 2
Jul 21 10:40:19.464: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.464: ISAKMP: life type in seconds
Jul 21 10:40:19.464: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.468: ISAKMP: keylength of 256
Jul 21 10:40:19.468: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.468: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.468: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10
policy
Jul 21 10:40:19.468: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.468: ISAKMP: hash MD5
Jul 21 10:40:19.468: ISAKMP: default group 2
Jul 21 10:40:19.468: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.468: ISAKMP: life type in seconds
Jul 21 10:40:19.468: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.468: ISAKMP: keylength of 256
Jul 21 10:40:19.468: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.468: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.468: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10
policy
Jul 21 10:40:19.468: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.468: ISAKMP: hash SHA
Jul 21 10:40:19.468: ISAKMP: default group 2
Jul 21 10:40:19.468: ISAKMP: auth RSA sig
Jul 21 10:40:19.468: ISAKMP: life type in seconds
Jul 21 10:40:19.468: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.468: ISAKMP: keylength of 256
Jul 21 10:40:19.468: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.468: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.468: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10
policy
Jul 21 10:40:19.468: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.468: ISAKMP: hash MD5
Jul 21 10:40:19.468: ISAKMP: default group 2
Jul 21 10:40:19.468: ISAKMP: auth RSA sig
Jul 21 10:40:19.468: ISAKMP: life type in seconds
Jul 21 10:40:19.468: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.468: ISAKMP: keylength of 256
Jul 21 10:40:19.468: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.468: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.468: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10
policy
Jul 21 10:40:19.468: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.468: ISAKMP: hash SHA
Jul 21 10:40:19.468: ISAKMP: default group 5
Jul 21 10:40:19.468: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.468: ISAKMP: life type in seconds
Jul 21 10:40:19.468: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.468: ISAKMP: keylength of 128
Jul 21 10:40:19.468: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.468: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.468: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10
policy
Jul 21 10:40:19.468: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.468: ISAKMP: hash MD5
Jul 21 10:40:19.468: ISAKMP: default group 5
Jul 21 10:40:19.468: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.472: ISAKMP: life type in seconds
Jul 21 10:40:19.472: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.472: ISAKMP: keylength of 128
Jul 21 10:40:19.472: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.472: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.472: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10
policy
Jul 21 10:40:19.472: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.472: ISAKMP: hash SHA
Jul 21 10:40:19.472: ISAKMP: default group 5
Jul 21 10:40:19.472: ISAKMP: auth RSA sig
Jul 21 10:40:19.472: ISAKMP: life type in seconds
Jul 21 10:40:19.472: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.472: ISAKMP: keylength of 128
Jul 21 10:40:19.472: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.472: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.472: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10
policy
Jul 21 10:40:19.472: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.472: ISAKMP: hash MD5
Jul 21 10:40:19.472: ISAKMP: default group 5
Jul 21 10:40:19.472: ISAKMP: auth RSA sig
Jul 21 10:40:19.472: ISAKMP: life type in seconds
Jul 21 10:40:19.472: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.472: ISAKMP: keylength of 128
Jul 21 10:40:19.472: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.472: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.472: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10
policy
Jul 21 10:40:19.472: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.472: ISAKMP: hash SHA
Jul 21 10:40:19.472: ISAKMP: default group 2
Jul 21 10:40:19.472: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.472: ISAKMP: life type in seconds
Jul 21 10:40:19.472: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.472: ISAKMP: keylength of 128
Jul 21 10:40:19.472: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.472: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.472: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10
policy
Jul 21 10:40:19.472: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.472: ISAKMP: hash MD5
Jul 21 10:40:19.472: ISAKMP: default group 2
Jul 21 10:40:19.472: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.472: ISAKMP: life type in seconds
Jul 21 10:40:19.472: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.472: ISAKMP: keylength of 128
Jul 21 10:40:19.472: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.472: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.472: ISAKMP:(0):Checking ISAKMP transform 15 against priority 10
policy
Jul 21 10:40:19.472: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.472: ISAKMP: hash SHA
Jul 21 10:40:19.472: ISAKMP: default group 2
Jul 21 10:40:19.472: ISAKMP: auth RSA sig
Jul 21 10:40:19.472: ISAKMP: life type in seconds
Jul 21 10:40:19.472: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.476: ISAKMP: keylength of 128
Jul 21 10:40:19.476: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.476: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 16 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP: encryption AES-CBC
Jul 21 10:40:19.476: ISAKMP: hash MD5
Jul 21 10:40:19.476: ISAKMP: default group 2
Jul 21 10:40:19.476: ISAKMP: auth RSA sig
Jul 21 10:40:19.476: ISAKMP: life type in seconds
Jul 21 10:40:19.476: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.476: ISAKMP: keylength of 128
Jul 21 10:40:19.476: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.476: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 17 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP: encryption 3DES-CBC
Jul 21 10:40:19.476: ISAKMP: hash SHA
Jul 21 10:40:19.476: ISAKMP: default group 5
Jul 21 10:40:19.476: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.476: ISAKMP: life type in seconds
Jul 21 10:40:19.476: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.476: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 21 10:40:19.476: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 18 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP: encryption 3DES-CBC
Jul 21 10:40:19.476: ISAKMP: hash MD5
Jul 21 10:40:19.476: ISAKMP: default group 5
Jul 21 10:40:19.476: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.476: ISAKMP: life type in seconds
Jul 21 10:40:19.476: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.476: ISAKMP:(0):Xauth authentication by RSA offered but does not
match policy!
Jul 21 10:40:19.476: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 19 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP: encryption 3DES-CBC
Jul 21 10:40:19.476: ISAKMP: hash SHA
Jul 21 10:40:19.476: ISAKMP: default group 5
Jul 21 10:40:19.476: ISAKMP: auth RSA sig
Jul 21 10:40:19.476: ISAKMP: life type in seconds
Jul 21 10:40:19.476: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.476: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 21 10:40:19.476: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.476: ISAKMP:(0):Checking ISAKMP transform 20 against priority 10
policy
Jul 21 10:40:19.476: ISAKMP: encryption 3DES-CBC
Jul 21 10:40:19.476: ISAKMP: hash MD5
Jul 21 10:40:19.476: ISAKMP: default group 5
Jul 21 10:40:19.476: ISAKMP: auth RSA sig
Jul 21 10:40:19.476: ISAKMP: life type in seconds
Jul 21 10:40:19.476: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.480: ISAKMP:(0):Diffie-Hellman group offered does not match poli
cy!
Jul 21 10:40:19.480: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.480: ISAKMP:(0):Checking ISAKMP transform 21 against priority 10
policy
Jul 21 10:40:19.480: ISAKMP: encryption 3DES-CBC
Jul 21 10:40:19.480: ISAKMP: hash SHA
Jul 21 10:40:19.480: ISAKMP: default group 2
Jul 21 10:40:19.480: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.480: ISAKMP: life type in seconds
Jul 21 10:40:19.480: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.480: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 21 10:40:19.480: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.480: ISAKMP:(0):Checking ISAKMP transform 22 against priority 10
policy
Jul 21 10:40:19.480: ISAKMP: encryption 3DES-CBC
Jul 21 10:40:19.480: ISAKMP: hash MD5
Jul 21 10:40:19.480: ISAKMP: default group 2
Jul 21 10:40:19.480: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.480: ISAKMP: life type in seconds
Jul 21 10:40:19.480: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.480: ISAKMP:(0):Xauth authentication by RSA offered but does not
match policy!
Jul 21 10:40:19.480: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.480: ISAKMP:(0):Checking ISAKMP transform 23 against priority 10
policy
Jul 21 10:40:19.480: ISAKMP: encryption 3DES-CBC
Jul 21 10:40:19.480: ISAKMP: hash SHA
Jul 21 10:40:19.480: ISAKMP: default group 2
Jul 21 10:40:19.480: ISAKMP: auth RSA sig
Jul 21 10:40:19.480: ISAKMP: life type in seconds
Jul 21 10:40:19.480: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.480: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 21 10:40:19.480: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.480: ISAKMP:(0):Checking ISAKMP transform 24 against priority 10
policy
Jul 21 10:40:19.480: ISAKMP: encryption 3DES-CBC
Jul 21 10:40:19.480: ISAKMP: hash MD5
Jul 21 10:40:19.480: ISAKMP: default group 2
Jul 21 10:40:19.480: ISAKMP: auth RSA sig
Jul 21 10:40:19.480: ISAKMP: life type in seconds
Jul 21 10:40:19.480: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.480: ISAKMP:(0):Diffie-Hellman group offered does not match poli
cy!
Jul 21 10:40:19.480: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.480: ISAKMP:(0):Checking ISAKMP transform 25 against priority 10
policy
Jul 21 10:40:19.480: ISAKMP: encryption DES-CBC
Jul 21 10:40:19.480: ISAKMP: hash MD5
Jul 21 10:40:19.480: ISAKMP: default group 1
Jul 21 10:40:19.480: ISAKMP: auth XAUTHInitRSA
Jul 21 10:40:19.480: ISAKMP: life type in seconds
Jul 21 10:40:19.480: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.484: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.484: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 10:40:19.484: ISAKMP:(0):Checking ISAKMP transform 26 against priority 10
policy
Jul 21 10:40:19.484: ISAKMP: encryption DES-CBC
Jul 21 10:40:19.484: ISAKMP: hash MD5
Jul 21 10:40:19.484: ISAKMP: default group 1
Jul 21 10:40:19.484: ISAKMP: auth RSA sig
Jul 21 10:40:19.484: ISAKMP: life type in seconds
Jul 21 10:40:19.484: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 21 10:40:19.484: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jul 21 10:40:19.484: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 21 10:40:19.484: ISAKMP:(0):no offers accepted!
Jul 21 10:40:19.484: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.16
8.1.133 remote 192.168.1.222)
Jul 21 10:40:19.484: ISKAMP: growing send buffer from 1024 to 3072
Jul 21 10:40:19.484: ISAKMP (0): incrementing error counter on sa, attempt 1 of
5: construct_fail_ag_init
Jul 21 10:40:19.484: ISAKMP:(0): Failed to construct AG informational message.
Jul 21 10:40:19.484: ISAKMP:(0): sending packet to 192.168.1.222 my_port 500 pee
r_port 4836 (R) MM_NO_STATE
Jul 21 10:40:19.484: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 10:40:19.484: ISAKMP:(0):peer does not do paranoid keepalives.
Jul 21 10:40:19.484: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal no
t accepted" state (R) MM_NO_STATE (peer 192.168.1.222)
Jul 21 10:40:19.484: ISAKMP (0): FSM action returned error: 2
Jul 21 10:40:19.484: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 21 10:40:19.488: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jul 21 10:40:19.488: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal no
t accepted" state (R) MM_NO_STATE (peer 192.168.1.222)
Jul 21 10:40:19.488: ISAKMP: Unlocking peer struct 0x67861900 for isadb_mark_sa_
deleted(), count 0
Jul 21 10:40:19.488: ISAKMP: Deleting peer node by peer_reap for 192.168.1.222:
67861900
Jul 21 10:40:19.488: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 21 10:40:19.488: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
Jul 21 10:40:19.488: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jul 21 10:40:19.488: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_S
TATE (peer 192.168.1.222)
Jul 21 10:40:19.492: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Jul 21 10:40:19.492: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Jul 21 10:40:24.648: ISAKMP (0): received packet from 192.168.1.222 dport 500 sp
ort 4836 Global (R) MM_NO_STATE
Jul 21 10:40:29.647: ISAKMP (0): received packet from 192.168.1.222 dport 500 sp
ort 4836 Global (R) MM_NO_STATE
Jul 21 10:40:33.215: PKI: Shadow timer went off for second_trustpoint
Jul 21 10:40:33.215: CRYPTO_PKI: Sending Next CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetNextCACert&message=second_trustpoint HTT
P/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133
Jul 21 10:40:33.215: CRYPTO_PKI: locked trustpoint second_trustpoint, refcount i
s 1
Jul 21 10:40:33.215: CRYPTO_PKI: can not resolve server name/IP address
Jul 21 10:40:33.215: CRYPTO_PKI: Using unresolved IP Address 192.168.1.133
Jul 21 10:40:33.215: CRYPTO_PKI: http connection opened
Jul 21 10:40:33.215: CRYPTO_PKI: Sending HTTP message
Jul 21 10:40:33.215: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.133
Jul 21 10:40:34.647: ISAKMP (0): received packet from 192.168.1.222 dport 500 sp
ort 4836 Global (R) MM_NO_STATE
Jul 21 10:40:48.214: CRYPTO_PKI: Retry 1
Jul 21 10:41:03.213: CRYPTO_PKI: Retry 2
Jul 21 10:41:03.213: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
Jul 21 10:41:03.213: CRYPTO_PKI: unlocked trustpoint second_trustpoint, refcount
is 0
Jul 21 10:41:03.213: CRYPTO_PKI: status = 65535: failed to send out the pki mess
age
Jul 21 10:41:03.213: %Error in connection to Certificate Authority: status =
FAIL
Jul 21 10:41:03.213: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
_WAIT_FOR_RETRY
Jul 21 10:41:03.217: PKI: Shadow state for second_trustpoint now GET_NEW_CA_CERT
Jul 21 10:41:06.700: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC pa
cket. (ip) vrf/dest_addr= /192.168.1.255, src_addr= 192.168.1.80, prot= 17
поможите чем можите!