Posts posted by Andreevskiy

  1. I'll post here, since my problem is similar.

    Cisco log

    ciscoasa# show Dec 02 02:46:33 [IKEv1]IKE Receiver: Packet received on 80.246.253.173:500 from XXX.XXX.XXX.XXX:500
    Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 316
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing SA payload
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing ke payload
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing ISA_KE payload
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing nonce payload
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing ID payload
    Dec 02 02:46:33 [IKEv1 DECODE]IP = XXX.XXX.XXX.XXX, ID_IPV4_ADDR ID received
    XXX.XXX.XXX.XXX
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received DPD VID
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received Fragmentation VID
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received NAT-Traversal RFC VID
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload
    Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received NAT-Traversal ver 02 VID
    Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, Connection landed on tunnel_group XXX.XXX.XXX.XXX
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing IKE SA payload
    Dec 02 02:46:33 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 5
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ISAKMP SA payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ke payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing nonce payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Generating keys for Responder...
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ID payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing hash payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Computing hash for ISAKMP
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing Cisco Unity VID payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing xauth V6 VID payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing dpd vid payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing NAT-Traversal VID ver RFC payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing NAT-Discovery payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing NAT-Discovery payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing Fragmentation VID + extended capabilities payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing VID payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 408
    Dec 02 02:46:33 [IKEv1]IKE Receiver: Packet received on 80.246.253.173:500 from XXX.XXX.XXX.XXX:500
    Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 100
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing hash payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Computing hash for ISAKMP
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing NAT-Discovery payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing NAT-Discovery payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, PHASE 1 COMPLETED
    Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, Keep-alive type for this connection: DPD
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Starting P1 rekey timer: 2700 seconds.
    Dec 02 02:46:33 [IKEv1]IKE Receiver: Packet received on 80.246.253.173:500 from XXX.XXX.XXX.XXX:500
    Dec 02 02:46:33 [IKEv1 DECODE]IP = XXX.XXX.XXX.XXX, IKE Responder starting QM: msg id = 9f24aad1
    Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=9f24aad1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 284
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing hash payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing SA payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing nonce payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ke payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ISA_KE for PFS in phase 2
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ID payload
    Dec 02 02:46:33 [IKEv1 DECODE]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, ID_IPV4_ADDR_SUBNET ID received--192.168.121.0--255.255.255.0
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.121.0, Mask 255.255.255.0, Protocol 0, Port 0
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ID payload
    Dec 02 02:46:33 [IKEv1 DECODE]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, ID_IPV4_ADDR_SUBNET ID received--192.168.50.0--255.255.255.0
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.50.0, Mask 255.255.255.0, Protocol 0, Port 0
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, QM IsRekeyed old sa not found by addr
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, checking map = mymap, seq = 10...
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, map = mymap, seq = 10, ACL does not match proxy IDs src:192.168.121.0 dst:192.168.50.0
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, checking map = mymap, seq = 11...
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, map mymap, seq = 11 is a successful match
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE Remote Peer configured for crypto map: mymap
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing IPSec SA payload
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, All IPSec SA proposals found unacceptable!
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, sending notify message
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing blank hash payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ipsec notify payload for msg id 9f24aad1
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing qm hash payload
    Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE SENDING Message (msgid=78e848eb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, QM FSM error (P2 struct &0xce5df4c0, mess id 0x9f24aad1)!
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE QM Responder FSM error history (struct &0xce5df4c0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, sending delete/delete with reason message
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Removing peer from correlator table failed, no match!
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE SA AM:8fbc8e72 rcv'd Terminate: state AM_ACTIVE  flags 0x00000041, refcnt 1, tuncnt 0
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE SA AM:8fbc8e72 terminating:  flags 0x01000001, refcnt 0, tuncnt 0
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, sending delete/delete with reason message
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing blank hash payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing IKE delete payload
    Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing qm hash payload
    Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE SENDING Message (msgid=8d98427d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Session is being torn down. Reason: Phase 2 Mismatch
    Dec 02 02:46:33 [IKEv1]Ignoring msg to mark SA with dsID 1601536 dead because SA deleted

    Cisco configs

    crypto ipsec ikev1 transform-set myset2 esp-des esp-sha-hmac

    crypto map mymap 11 set ikev1 transform-set myset2

    crypto map mymap 11 match address L2LDima
    crypto map mymap 11 set peer XXX.XXX.XXX.XXX
    crypto map mymap 11 set ikev1 phase1-mode aggressive
    crypto map mymap 11 set ikev1 transform-set myset2
    crypto map mymap 11 set reverse-route

    crypto ikev1 policy 11
     authentication pre-share
     encryption aes
     hash sha
     group 1
     lifetime 3600
