
AlexanderG3

Forum Members
  • Posts: 9
  • Joined
  • Last visited
Everything posted by AlexanderG3

  1. Yes, I have also come to the conclusion that I need to contact them. I will post the outcome here if the issue gets resolved.
  2. Thanks. Already on long term. I enabled PFS: now 3 rekeys go through fine, the fourth one fails.
  3. Thank you very much, I will dig in the direction of ROS. You have helped me a lot; I am very glad that Keenetic has such excellent support. If I find out anything about the MikroTik side, I will write it up.
  4. Unfortunately, the IPsec SA did not renew without tearing down L2TP: 8 hours passed and the connection dropped. Could you please tell me where else I can look to solve the problem?

     11[IKE] initiator did not reauthenticate as requested
     Aug 27 16:28:54 ipsec 11[IKE] reauthenticating IKE_SA L2TP0[176] actively
     Aug 27 16:28:54 ipsec 11[IKE] sending XAuth vendor ID
     Aug 27 16:28:54 ipsec 11[IKE] sending DPD vendor ID
     Aug 27 16:28:54 ipsec 11[IKE] sending FRAGMENTATION vendor ID
     Aug 27 16:28:54 ipsec 11[IKE] sending NAT-T (RFC 3947) vendor ID
     Aug 27 16:28:54 ipsec 11[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
     Aug 27 16:28:54 ipsec 11[IKE] initiating Main Mode IKE_SA L2TP0[177] to IP_Mikrotik
     Aug 27 16:28:54 ipsec 16[IKE] received NAT-T (RFC 3947) vendor ID
     Aug 27 16:28:54 ipsec 16[IKE] received XAuth vendor ID
     Aug 27 16:28:54 ipsec 16[IKE] received DPD vendor ID
     Aug 27 16:28:54 ipsec 16[IKE] received FRAGMENTATION vendor ID
     Aug 27 16:28:54 ipsec 16[CFG] received proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     Aug 27 16:28:54 ipsec 16[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
     Aug 27 16:28:54 ipsec 16[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     Aug 27 16:28:55 ipsec 09[IKE] found linked key for crypto map 'L2TP0'
     Aug 27 16:28:55 ipsec 08[IKE] schedule delete of duplicate IKE_SA for peer 'IP_Mikrotik' due to uniqueness policy and suspected reauthentication
     Aug 27 16:28:55 ipsec 08[IKE] IKE_SA L2TP0[177] established between IP_Keenetic[IP_Keenetic]...IP_Mikrotik[IP_Mikrotik]
     Aug 27 16:28:55 ipsec 08[IKE] scheduling reauthentication in 3566s
     Aug 27 16:28:55 ipsec 08[IKE] maximum IKE_SA lifetime 3586s
     Aug 27 16:28:55 ndm IpSec::CryptoMapInfo: "L2TP0": crypto map active IKE SA: 2, active CHILD SA: 1.
     Aug 27 16:29:05 ipsec 09[IKE] deleting IKE_SA L2TP0[176] between IP_Keenetic[IP_Keenetic]...IP_Mikrotik[IP_Mikrotik]
     Aug 27 16:29:05 ipsec 09[IKE] sending DELETE for IKE_SA L2TP0[176]
     Aug 27 16:29:05 ndm IpSec::CryptoMapInfo: "L2TP0": crypto map active IKE SA: 1, active CHILD SA: 1.
     Aug 27 16:30:22 ndhcps
     Aug 27 16:30:56 pppd_L2TP0 No response to 3 echo-requests
     Aug 27 16:30:56 pppd_L2TP0 Serial link appears to be disconnected.
  5. When only ipsec proposal lifetime is changed, the ISAKMP SA renewal goes through correctly (visible on both the MikroTik side and the Keenetic side; the control tunnel gets built). Now it remains to wait for the IPsec SAs to renew as well once the soft lifetime expires (hard 28800, soft 06:24:00). I will post the result.
  6. For testing, to wait less for the key renewal, I set lifetime to 3600. If I change the single parameter ipsec proposal lifetime, the key apparently does renew, but if I set that same value for ipsec transform-set, everything returns to the same situation as before, only now not once every six hours but once an hour. I will set 20000 and wait to see how things go with that setting.
  7. Thanks for the quick reply. Is that the ipsec proposal lifetime parameter at the L2TP interface level?
  8. Hello. L2TP/IPsec drops regularly, once every six hours; the log shows:

     [I] Aug 24 23:04:33 ipsec: 05[IKE] received NAT-T (RFC 3947) vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] received Cisco Unity vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] received DPD vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] W1.X1.Y1.Z1 is initiating a Main Mode IKE_SA
     [I] Aug 24 23:04:33 ipsec: 05[CFG] received proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     [I] Aug 24 23:04:33 ipsec: 05[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
     [I] Aug 24 23:04:33 ipsec: 05[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     [I] Aug 24 23:04:33 ipsec: 05[IKE] sending XAuth vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] sending DPD vendor ID
     [I] Aug 24 23:04:33 ipsec: 05[IKE] sending NAT-T (RFC 3947) vendor ID
     [I] Aug 24 23:04:33 ipsec: 10[IKE] linked key for crypto map '(unnamed)' is not found, still searching
     [I] Aug 24 23:04:33 ipsec: 11[CFG] looking for pre-shared key peer configs matching W2.X2.Y2.Z2...W1.X1.Y1.Z1[W1.X1.Y1.Z1]
     [I] Aug 24 23:04:33 ipsec: 11[CFG] selected peer config "L2TP0"
     [I] Aug 24 23:04:33 ipsec: 11[IKE] detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs
     [I] Aug 24 23:04:33 ipsec: 11[IKE] schedule delete of duplicate IKE_SA for peer 'W1.X1.Y1.Z1' due to uniqueness policy and suspected reauthentication
     [I] Aug 24 23:04:33 ipsec: 11[IKE] IKE_SA L2TP0[106] established between W2.X2.Y2.Z2[W2.X2.Y2.Z2]...W1.X1.Y1.Z1[W1.X1.Y1.Z1]
     [I] Aug 24 23:04:33 ipsec: 11[IKE] scheduling reauthentication in 28767s
     [I] Aug 24 23:04:33 ipsec: 11[IKE] maximum IKE_SA lifetime 28787s
     [I] Aug 24 23:04:34 ndm: IpSec::CryptoMapInfo: "L2TP0": crypto map active IKE SA: 2, active CHILD SA: 1.
     [I] Aug 24 23:04:43 ipsec: 08[IKE] deleting IKE_SA L2TP0[105] between W2.X2.Y2.Z2[W2.X2.Y2.Z2]...W1.X1.Y1.Z1[W1.X1.Y1.Z1]
     [I] Aug 24 23:04:43 ipsec: 08[IKE] sending DELETE for IKE_SA L2TP0[105]
     [I] Aug 24 23:04:44 ndm: IpSec::CryptoMapInfo: "L2TP0": crypto map active IKE SA: 1, active CHILD SA: 1.
     [I] Aug 24 23:06:35 pppd_L2TP0: No response to 3 echo-requests
     [I] Aug 24 23:06:35 pppd_L2TP0: Serial link appears to be disconnected.
     [I] Aug 24 23:06:35 pppd_L2TP0: Connect time 386.1 minutes.
     [I] Aug 24 23:06:35 pppd_L2TP0: Sent 505126 bytes, received 1072468 bytes.
     [I] Aug 24 23:06:35 ndm: Network::Interface::Ip: "L2TP0": IP address cleared.

     Please help me solve the problem.
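The two log excerpts in this thread (post 4 and post 8) show the same sequence: a new IKE_SA is established, the old one is deleted, and about two minutes later pppd reports no answer to its LCP echo requests and declares the link dead. The triage script below is an added example, not code from the thread, from Keenetic or from MikroTik. It parses lines in the format quoted above, reproduces the responder's proposal selection (assuming strongSwan's default ordering: walk the locally configured list in order and take the first entry the peer also offered), flags MODP_1024 and 3DES in the outcome, lists the peer's offers that the configured list could never accept, and measures the delay from each "IKE_SA ... established" line to the pppd echo timeout. The sample log is condensed from post 8 with the poster's own W1.X1.Y1.Z1 / W2.X2.Y2.Z2 placeholders; the regular expressions, the WEAK set and all function names are mine.

```python
"""Added triage helper for the strongSwan/ndm/pppd log lines quoted in this thread."""
import re
from datetime import datetime

# Constructed sample: condensed from the log in post 8 above (SHA2 entries of the
# configured list dropped for brevity; placeholders are the poster's own).
SAMPLE_LOG = """\
[I] Aug 24 23:04:33 ipsec: 05[IKE] W1.X1.Y1.Z1 is initiating a Main Mode IKE_SA
[I] Aug 24 23:04:33 ipsec: 05[CFG] received proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Aug 24 23:04:33 ipsec: 05[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Aug 24 23:04:33 ipsec: 05[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Aug 24 23:04:33 ipsec: 11[IKE] detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs
[I] Aug 24 23:04:33 ipsec: 11[IKE] IKE_SA L2TP0[106] established between W2.X2.Y2.Z2[W2.X2.Y2.Z2]...W1.X1.Y1.Z1[W1.X1.Y1.Z1]
[I] Aug 24 23:04:43 ipsec: 08[IKE] deleting IKE_SA L2TP0[105] between W2.X2.Y2.Z2[W2.X2.Y2.Z2]...W1.X1.Y1.Z1[W1.X1.Y1.Z1]
[I] Aug 24 23:06:35 pppd_L2TP0: No response to 3 echo-requests
[I] Aug 24 23:06:35 pppd_L2TP0: Serial link appears to be disconnected.
[I] Aug 24 23:06:35 ndm: Network::Interface::Ip: "L2TP0": IP address cleared.
"""

# Tolerates both formats seen in the thread: "[I] Aug 24 ... ipsec: msg" and "Aug 27 ... ipsec msg".
LINE_RE = re.compile(r"^(?:\[\w\] )?(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+?):? (.*)$")
PROPOSAL_RE = re.compile(r"(received|configured|selected) proposals?: (.*)$")
ESTABLISHED_RE = re.compile(r"IKE_SA (\S+\[\d+\]) established")
# Algorithms a practitioner would not want an IKE_SA to land on (my choice, not Keenetic's).
WEAK = {"MODP_768", "MODP_1024", "3DES_CBC"}


def parse_log(text):
    """Return [(timestamp, component, message)] for every syslog-like line.
    The log carries no year, so only same-day deltas are meaningful."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def parse_proposals(field):
    """'IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:...' ->
    [('AES_CBC=128', 'HMAC_SHA1_96', 'PRF_HMAC_SHA1', 'MODP_1024'), ...]"""
    out = []
    for item in field.split(","):
        item = item.strip()
        if item.startswith("IKE:"):
            item = item[4:]
        out.append(tuple(item.split("/")))
    return out


def proposal_sets(events):
    """Collect the received / configured / selected proposal lists from [CFG] lines."""
    sets = {}
    for _, comp, msg in events:
        m = PROPOSAL_RE.search(msg)
        if comp == "ipsec" and m:
            sets[m.group(1)] = parse_proposals(m.group(2))
    return sets


def select_proposal(configured, received):
    """Responder-preference selection: first configured proposal that the peer
    also offered (assumed to be strongSwan's default ordering; it reproduces the
    'selected proposal' line in both logs posted in this thread)."""
    offered = set(received)
    for p in configured:
        if p in offered:
            return p
    return None


def weak_components(proposal):
    """Which parts of the chosen proposal are on the WEAK list."""
    return sorted(alg for alg in proposal if alg in WEAK)


def unmatched_received(configured, received):
    """Offers from the peer that the local configuration can never accept,
    i.e. where a stronger offer is silently lost."""
    mine = set(configured)
    return [p for p in received if p not in mine]


def reauth_to_drop_seconds(events):
    """For each pppd 'No response to N echo-requests', seconds since the most
    recent 'IKE_SA <name>[<id>] established' line, keyed by that SA."""
    last_est, deltas = None, []
    for ts, comp, msg in events:
        m = ESTABLISHED_RE.search(msg)
        if comp == "ipsec" and m:
            last_est = (ts, m.group(1))
        elif comp.startswith("pppd") and "No response to" in msg and last_est:
            deltas.append((last_est[1], int((ts - last_est[0]).total_seconds())))
    return deltas


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    ps = proposal_sets(ev)
    chosen = select_proposal(ps["configured"], ps["received"])
    print("selected:", "/".join(chosen), "weak:", weak_components(chosen))
    print("peer offered but not configured locally:",
          ["/".join(p) for p in unmatched_received(ps["configured"], ps["received"])])
    print("IKE_SA established -> PPP link dead (s):", reauth_to_drop_seconds(ev))
```

Run against post 8's log it reproduces the logged selection (AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024), reports that the peer's first offer, AES_CBC=128 with MODP_2048, is absent from the configured list and so can never be chosen, and gives 122 s between IKE_SA L2TP0[106] being established and the echo timeout; fed post 4's log it gives 121 s for L2TP0[177]. The same interval in both captures suggests the data path stops at the rekey and the PPP keepalive expires afterward, which is consistent with the thread's focus on SA lifetimes rather than on the PPP layer. The 1024-bit MODP group the tunnel settles on is a separate, security-relevant point: both peers offer MODP_2048, but not in a combination the configured list accepts.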