Ilya_

Forum Members
Posts: 4
Everything posted by Ilya_

  1. Without IKEv2 it works. I tried specifying the ID, but I will double-check it again. Thanks.

  2. IKEv2, because all the other tunnels use it, and since the Keenetic claims IPsec support with IKEv2, I decided to build this tunnel on it as well. But here something did not go according to plan. As I understand it, I need to make the Keenetic accept my certificate, or disable its use, but the crypto map of a GRE interface cannot be edited. P.S.: the performance is fine.

  3. Another question: how do I add my own certificate to the Keenetic for IKEv2 authentication? Or tell it not to use a certificate and authenticate only by login and password?

       13:32:22 srv IPSEC: 06[IKE] received 129 cert requests for an unknown ca
       13:32:22 srv IPSEC: 06[CFG] looking for peer configs matching BBB.BBB.BBB.BBB[Gre0]...AAA.AAA.AAA.AAA[Gre0]
       13:32:22 srv IPSEC: 06[CFG] no matching peer config found
       13:32:22 srv IPSEC: peer authentication failed
       13:32:22 srv IPSEC: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

  4. Good afternoon. Could you tell me whether it is possible to specify my own crypto map for a GRE interface? Two routers with public IPs; plain GRE (without IPsec) comes up without problems, but IPsec fails in the third part of the first phase.

     Config on the Keenetic:

       !
       interface Gre0
           rename AAA.AAA.AAA.AAA
           security-level private
           debug
           ip address 172.16.1.10 255.255.255.252
           ip mtu 1500
           ipsec preshared-key ns3 YFcbJO6J6Bn+Yj8iux1phU+f
           ipsec encryption-level high
           ipsec ikev2
           tunnel source UsbQmi0
           tunnel destination BBB.BBB.BBB.BBB
           up
       !

     Log on the same device:

       I [Dec 13 13:48:03] ipsec: Starting strongSwan 5.8.0 IPsec [starter]...
       I [Dec 13 13:48:03] ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 4.9-ndm-4, mips)
       I [Dec 13 13:48:05] ipsec: 00[CFG] loading secrets
       I [Dec 13 13:48:05] ipsec: 00[CFG] loaded IKE secret for cmap:Gre0
       I [Dec 13 13:48:05] ipsec: 00[CFG] loaded 1 RADIUS server configuration
       I [Dec 13 13:48:05] ipsec: 00[CFG] starting system time check, interval: 10s
       I [Dec 13 13:48:05] ipsec: 00[LIB] loaded plugins: charon ndm-pem random save-keys nonce x509 pubkey openssl xcbc cmac hmac ctr attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-peap xauth-generic xauth-eap error-notify systime-fix unity
       I [Dec 13 13:48:05] ipsec: 00[LIB] dropped capabilities, running as uid 65534, gid 65534
       I [Dec 13 13:48:05] ipsec: 03[CFG] received stroke: add connection 'Gre0'
       I [Dec 13 13:48:05] ipsec: 03[CFG] added configuration 'Gre0'
       I [Dec 13 13:48:05] ipsec: 11[CFG] received stroke: initiate 'Gre0'
       I [Dec 13 13:48:05] ipsec: 11[IKE] initiating IKE_SA Gre0[1] to BBB.BBB.BBB.BBB
       I [Dec 13 13:48:05] ipsec: 14[IKE] peer didn't accept DH group MODP_1024, it requested MODP_2048
       I [Dec 13 13:48:05] ipsec: 14[IKE] initiating IKE_SA Gre0[1] to BBB.BBB.BBB.BBB
       I [Dec 13 13:48:06] ipsec: 15[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       I [Dec 13 13:48:06] ipsec: 15[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
       I [Dec 13 13:48:06] ipsec: 15[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       I [Dec 13 13:48:06] ipsec: 15[IKE] found linked key for crypto map 'Gre0'
       I [Dec 13 13:48:06] ipsec: 15[IKE] establishing CHILD_SA Gre0{1}
       I [Dec 13 13:48:07] ipsec: 10[IKE] received AUTHENTICATION_FAILED notify error
       E [Dec 13 13:48:07] ndm: IpSec::Configurator: remote peer rejects to authenticate our crypto map "Gre0".
       W [Dec 13 13:48:07] ndm: IpSec::Configurator: (possibly because of wrong local/remote ID).
       I [Dec 13 13:48:07] ndm: IpSec::CryptoMapInfo: "Gre0": crypto map active IKE SA: 0, active CHILD SA: 0.
       W [Dec 13 13:48:07] ndm: IpSec::Configurator: fallback peer is not defined for crypto map "Gre0", retry.
       I [Dec 13 13:48:07] ndm: IpSec::Configurator: "Gre0": schedule reconnect for crypto map.
       I [Dec 13 13:48:07] ndm: Network::Interface::SecureIpTunnel: "Gre0": IPsec layer is down, shutdown tunnel layer.
       I [Dec 13 13:48:07] ndm: Network::Interface::SecureIpTunnel: "Gre0": secured tunnel is down.
       I [Dec 13 13:48:07] ndm: IpSec::Manager: "Gre0": IP secure connection and keys was deleted.
       E [Dec 13 13:48:07] ndm: IpSec::Configurator: general error while establishing crypto map "Gre0" connection.
       I [Dec 13 13:48:07] ndm: IpSec::CryptoMapInfo: "Gre0": crypto map active IKE SA: 0, active CHILD SA: 0.
       W [Dec 13 13:48:07] ndm: IpSec::Configurator: fallback peer is not defined for crypto map "Gre0", retry.
       I [Dec 13 13:48:07] ndm: Network::Interface::SecureIpTunnel: "Gre0": IPsec layer is down, shutdown tunnel layer.

     Why does it load the RADIUS rules? As I understand it, it is trying to complete authentication by certificate.

     Log from the other side:

       13:32:22 srv IPSEC: 06[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
       13:32:22 srv IPSEC: 06[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2876 bytes)
       13:32:22 srv IPSEC: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
       13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 41:f3:8f:66:50:fe:15:ff:4e:24:29:2d:c7:67:19:c4:4b:c8:1e:cd
       13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid c3:2e:e6:fd:16:60:3b:f5:d0:5f:fb:85:1d:41:46:ce:16:31:9d:6e
       13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid ba:b7:43:e0:ed:c7:1e:72:8a:31:ad:da:65:7b:b9:4c:ca:63:ee:07
       13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 0f:73:b7:ce:46:fb:89:05:4b:02:97:75:95:97:58:1f:bb:22:59:f5
       13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 99:9b:76:54:0b:4a:9c:7a:35:ca:8f:0f:2e:aa:74:7a:0f:ae:c5:6e
       13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid ca:0f:ad:e1:ca:f3:73:79:25:69:a5:b2:b6:29:ab:63:0a:bc:7a:1c
       13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 98:46:5e:8d:55:f2:bb:69:0c:d1:e6:c5:b0:81:2e:f2:fe:f2:38:a3
       . . .
       13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid a7:e9:c8:0c:8c:4b:56:d6:37:fa:9e:0d:6c:69:58:1d:32:4e:91:c0
       13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 52:2c:46:fc:ee:2e:a4:be:b5:f1:01:a3:9d:d2:16:ba:d8:85:8e:b5
       13:32:22 srv IPSEC: 06[IKE] received 129 cert requests for an unknown ca
       13:32:22 srv IPSEC: 06[CFG] looking for peer configs matching BBB.BBB.BBB.BBB[Gre0]...AAA.AAA.AAA.AAA[Gre0]
       13:32:22 srv IPSEC: 06[CFG] no matching peer config found
       13:32:22 srv IPSEC: peer authentication failed
       13:32:22 srv IPSEC: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
       13:32:22 srv IPSEC: 06[NET] sending packet: from BBB.BBB.BBB.BBB[500] to AAA.AAA.AAA.AAA[500] (76 bytes)
       13:32:22 srv IPSEC: 04[NET] sending packet: from BBB.BBB.BBB.BBB[500] to AAA.AAA.AAA.AAA[500]
       13:32:22 srv IPSEC: 06[IKE] removing IP address AAA.AAA.AAA.AAA for peer Gre0
       13:32:22 srv IPSEC: 06[MGR] checkin and destroy IKE_SA (unnamed)[3106]
       13:32:22 srv IPSEC: 06[IKE] IKE_SA (unnamed)[3106] state change: CONNECTING => DESTROYING
       13:32:22 srv IPSEC: 06[MGR] checkin and destroy of IKE_SA successful
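Added here as an example, not code from the thread or from Keenetic or strongSwan: a small Python helper that parses charon log lines in the two shapes quoted in the posts above and names the IKEv2 exchange in which the negotiation broke down, which is the first thing to settle when reading such logs (here: the IKE_SA_INIT crypto agreed, and the failure is in IKE_AUTH). The function names and finding texts are mine; the sample lines are excerpted from the logs posted above.

```python
import re

# Both syslog shapes quoted in the thread: "I [Dec 13 13:48:07] ipsec: 14[IKE] msg" (Keenetic)
# and "13:32:22 srv IPSEC: 06[IKE] msg" (remote host). Lines without a charon thread/subsystem
# tag (ndm: lines, the "starter" line) are skipped on purpose.
CHARON_RE = re.compile(r"(?:ipsec|IPSEC):\s+(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s+(?P<msg>.*)$")

# (regex on the charon message, finding template); the first match per line wins.
SYMPTOMS = [
    (r"peer didn't accept DH group (\S+), it requested (\S+)",
     "IKE_SA_INIT: DH group mismatch ({0} offered, peer wants {1}); harmless if the retry succeeds"),
    (r"selected proposal: (\S+)",
     "IKE_SA_INIT: proposal agreed ({0}); the crypto negotiation itself is not the problem"),
    (r"received (\d+) cert requests? for an unknown ca",
     "IKE_AUTH: initiator sent CERTREQ for {0} CAs the responder does not know; certificate auth is in play"),
    (r"no matching peer config found",
     "IKE_AUTH: no connection matched the IDi/IDr pair and auth method (wrong local/remote ID, or PSK vs. certificate)"),
    (r"received AUTHENTICATION_FAILED notify",
     "IKE_AUTH: peer answered N(AUTH_FAILED); the IKE_SA never reached ESTABLISHED"),
]

def parse(line):
    """Split a charon log line into thread, subsystem and message; None if it is not a charon line."""
    m = CHARON_RE.search(line)
    return m.groupdict() if m else None

def diagnose(lines):
    """Map each recognised charon line to a finding string, in log order."""
    findings = []
    for rec in filter(None, map(parse, lines)):
        for pattern, template in SYMPTOMS:
            m = re.search(pattern, rec["msg"])
            if m:
                findings.append(template.format(*m.groups()))
                break
    return findings

def failing_stage(lines):
    """Name the IKEv2 exchange in which the negotiation broke down."""
    stages = {f.split(":", 1)[0] for f in diagnose(lines)}
    return "IKE_AUTH" if "IKE_AUTH" in stages else ("IKE_SA_INIT" if stages else "unknown")

# Constructed sample: lines excerpted from both sides' logs quoted in the thread.
SAMPLE = """\
I [Dec 13 13:48:05] ipsec: 14[IKE] peer didn't accept DH group MODP_1024, it requested MODP_2048
I [Dec 13 13:48:06] ipsec: 15[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
I [Dec 13 13:48:07] ipsec: 10[IKE] received AUTHENTICATION_FAILED notify error
13:32:22 srv IPSEC: 06[IKE] received 129 cert requests for an unknown ca
13:32:22 srv IPSEC: 06[CFG] no matching peer config found""".splitlines()

print("\n".join(diagnose(SAMPLE)), "\nfailing stage:", failing_stage(SAMPLE))
```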