
Владислав Новиков

Forum Members
  • Posts: 7

Everything posted by Владислав Новиков

  1. Thanks! IPsec between the Zyxel Keenetic Ultra II and S-Terra Gate 4.1 has been stable under load for several days now. But I would really like certificate-based authentication with CRL support (CDP/OCSP).
  2. Thanks. Is there a link to the standard that describes this behaviour? I could not find offhand that a zero ISAKMP SA lifetime value is permitted.
  3. Do you have an idea why the problem occurs without this option? To be honest, I cannot connect the one with the other.
  4. Unfortunately, version 2.09.B.0.0-1 has the same problem. But if the "Nailed-up" option is set, the correct IPsec lifetime is sent. On the old version v2.08(AAUX.0)C2 I did not test with this option.

     1) Without the "Nailed-up" option (log on the S-Terra Gate side):

        Jul 3 00:05:20 localhost vpnsvc: 10000001 <79:0> Start IKE session, Request: Inbound ISAKMP packet, type Main, peer 46.39.231.48:45740, sessionId 11723A184C9AA51B.0
        Jul 3 00:05:20 localhost vpnsvc: 00101012 <79:0> Received ISAKMP proposals:
        Jul 3 00:05:20 localhost vpnsvc: 00101013 <79:0> Transform #1: Cipher:AES-CBC, Attr(14):(256), Hash:SHA, Group:MODP_1536, Auth:Pre-Shared Key, Life Time:0
        Jul 3 00:05:20 localhost vpnsvc: 00101031 <79:0> Checking Transform #1 for Rule "IKERule:CMAP:1:DMAP:1", Transform #2: payload malformed
        Jul 3 00:05:20 localhost vpnsvc: 10000018 <79:0> IKE session stopped at [Main Mode, Responder, Packets 1,2][Compare policy], Reason: NO-PROPOSAL-CHOSEN
        Jul 3 00:05:20 localhost vpnsvc: 10000001 <79:1> Start IKE session, Request: ISAKMP notification, type Informational, peer 46.39.231.48:45740, sessionId 11723A184C9AA51B.22A7B03F
        Jul 3 00:05:20 localhost vpnsvc: 1000001b <79:1> Sending notification [NO-PROPOSAL-CHOSEN] for <79:0>
        Jul 3 00:05:20 localhost vpnsvc: 10000002 <79:1> Session completed
        Jul 3 00:05:26 localhost vpnsvc: 10000006 ISAKMP connection 77 closed, peer 46.39.231.48:39849, id "192.168.1.1", bytes sent/received: 856/1000, exchanges passed: 1, Reason: Delete payload received

     2) With the "Nailed-up" option (log on the S-Terra Gate side):

        Jul 3 00:05:45 localhost vpnsvc: 10000001 <80:0> Start IKE session, Request: Inbound ISAKMP packet, type Main, peer 46.39.231.48:45740, sessionId 67F709E498610C9C.0
        Jul 3 00:05:45 localhost vpnsvc: 00101012 <80:0> Received ISAKMP proposals:
        Jul 3 00:05:45 localhost vpnsvc: 00101013 <80:0> Transform #1: Cipher:AES-CBC, Attr(14):(256), Hash:SHA, Group:MODP_1536, Auth:Pre-Shared Key, Life Time:3600
        Jul 3 00:05:45 localhost vpnsvc: 00101031 <80:0> Checking Transform #1 for Rule "IKERule:CMAP:1:DMAP:1", Transform #2: match
        Jul 3 00:05:45 localhost vpnsvc: 00101011 <80:0> Sending ISAKMP proposals:
        Jul 3 00:05:45 localhost vpnsvc: 00101013 <80:0> Transform #1: Cipher:AES-CBC, Attr(14):(256), Hash:SHA, Group:MODP_1536, Auth:Pre-Shared Key, Life Time:3600
        Jul 3 00:05:46 localhost vpnsvc: 10000101 <80:0> NAT detected on remote side
        Jul 3 00:05:46 localhost vpnsvc: 10000102 <80:0> NAT detected on local side
        Jul 3 00:05:46 localhost vpnsvc: 00101036 <80:0> Using preshared key "cs_key_0_0_0_0__0_0_0_0"
        Jul 3 00:05:46 localhost vpnsvc: 10000009 <80:0> Float partner to 46.39.231.48:39849
        Jul 3 00:05:46 localhost vpnsvc: 1000001d <80:0> Received unprotected notification [INITIAL-CONTACT]: Ignore
        Jul 3 00:05:46 localhost vpnsvc: 10000007 <80:0> Receive identity "192.168.1.1", peer 46.39.231.48:39849
        Jul 3 00:05:46 localhost vpnsvc: 10000008 <80:0> Send identity "172.16.5.2", peer 46.39.231.48:39849, id "192.168.1.1"
        Jul 3 00:05:46 localhost vpnsvc: 10000002 <80:0> Session completed
        Jul 3 00:05:46 localhost vpnsvc: 10000005 <80:0> ISAKMP connection 80 created, peer 46.39.231.48:39849, id "192.168.1.1"
        Jul 3 00:05:46 localhost vpnsvc: 10000001 <80:1> Start IKE session, Request: Inbound ISAKMP packet, type Quick, peer 46.39.231.48:39849, sessionId 67F709E498610C9C.D66C17E1
        Jul 3 00:05:46 localhost vpnsvc: 1000000b <80:1> Receive traffic request: (192.168.1.0/255.255.255.0,,)->(172.16.1.0/255.255.255.0,,)
        Jul 3 00:05:46 localhost vpnsvc: 00101022 <80:1> Received IPSec proposals:
        Jul 3 00:05:46 localhost vpnsvc: 00101023 <80:1> Proposal #0:
        Jul 3 00:05:46 localhost vpnsvc: 00101024 <80:1> Protocol ESP:
        Jul 3 00:05:46 localhost vpnsvc: 00101025 <80:1> Transform #1: Trans-ID:ESP_AES, Attr(6):(256), Integrity:HMAC-SHA, Encapsulation:UDP-Encapsulated-Tunnel, Life Time:3600, Life Traffic:21474836
        Jul 3 00:05:46 localhost vpnsvc: 00101031 <80:1> Checking Proposal #0, Protocol ESP, Transform #1 for Rule "IPsecAction:CMAP:1:DMAP:1", Proposal #1, Protocol ESP, Transform #1: match
        Jul 3 00:05:46 localhost vpnsvc: 00101021 <80:1> Sending IPSec proposals:
        Jul 3 00:05:46 localhost vpnsvc: 00101023 <80:1> Proposal #0:
        Jul 3 00:05:46 localhost vpnsvc: 00101024 <80:1> Protocol ESP:
        Jul 3 00:05:46 localhost vpnsvc: 00101025 <80:1> Transform #1: Trans-ID:ESP_AES, Attr(6):(256), Integrity:HMAC-SHA, Encapsulation:UDP-Encapsulated-Tunnel, Life Time:3600, Life Traffic:21474836
        Jul 3 00:05:46 localhost vpnsvc: 1000001b <80:1> Sending notification [RESPONDER-LIFETIME], LifeTraffic:4608000
        Jul 3 00:05:46 localhost vpnsvc: 1000001b <80:1> Sending notification [INITIAL-CONTACT] for ISAKMP connection 80
        Jul 3 00:05:46 localhost vpnsvc: 1000001b <80:1> Sending notification [CONNECTED]
        Jul 3 00:05:46 localhost vpnsvc: 00100119 <80:1> IPSec connection 5 established, traffic selector 172.16.1.0-172.16.1.255->192.168.1.0-192.168.1.255, peer 46.39.231.48:39849, id "192.168.1.1", Filter IPsec:Protect:CMAP:1:DMAP:1:to_zyxel, IPsecAction IPsecAction:CMAP:1:DMAP:1, IKERule IKERule:CMAP:1:DMAP:1
  5. Hello! Problem: IKEv1 sends a zero ISAKMP SA lifetime value regardless of the value set in the web interface (see the screenshot and the information below). Because of this problem it is impossible to build an IPsec tunnel with S-Terra Gate 4.1 equipment. Details:

     1) tcpdump output on the responder side (lifeduration value=0000):

        19:40:33.359985 IP (tos 0x0, ttl 59, id 33699, offset 0, flags [DF], proto UDP (17), length 196)
            46.39.231.48.32442 > 172.16.5.2.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 508f08fc14c2b9eb->0000000000000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #0 protoid=isakmp transform=1 (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1536)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0000)))) (vid: len=16 afcad71368a1f1c96b8696fc77570100) (vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000) (vid: len=16 4a131c81070358455c5728f20e95452f) (vid: len=16 90cb80913ebb696e086381b5ec427b1f)

     2) The system log says the value is set correctly (lifetime set to 3600 s):

        Jul 01 20:03:40 ndm IpSec::Manager: crypto ike proposal "to_Sterra4.1" encryption algorithm "aes-cbc-256" added.
        Jul 01 20:03:40 ndm IpSec::Manager: crypto ike proposal "to_Sterra4.1" DH group "5" successfully added.
        Jul 01 20:03:40 ndm IpSec::Manager: crypto ike proposal "to_Sterra4.1" integrity algorithm "sha1" successfully added.
        Jul 01 20:03:40 ndm IpSec::Manager: crypto ike policy "to_Sterra4.1" proposal "to_Sterra4.1" successfully added.
        Jul 01 20:03:40 ndm IpSec::Manager: crypto ike policy "to_Sterra4.1" lifetime set to 3600 s.
        Jul 01 20:03:40 ndm IpSec::Manager: crypto ike policy "to_Sterra4.1" mode set to "ikev1".
        Jul 01 20:03:40 ndm IpSec::Manager: crypto ike policy "to_Sterra4.1" negotiation-mode set to "main".
        Jul 01 20:03:40 ndm IpSec::Manager: crypto ike key "to_Sterra4.1" successfully updated.

     3) On the S-Terra Gate 4.1 side (Life Time: 0):

        Jul 1 20:00:38 localhost vpnsvc: 10000001 <47:0> Start IKE session, Request: Inbound ISAKMP packet, type Main, peer 46.39.231.48:32442, sessionId FD630224261656EC.0
        Jul 1 20:00:38 localhost vpnsvc: 00101012 <47:0> Received ISAKMP proposals:
        Jul 1 20:00:38 localhost vpnsvc: 00101013 <47:0> Transform #1: Cipher:AES-CBC, Attr(14):(256), Hash:SHA, Group:MODP_1536, Auth:Pre-Shared Key, Life Time:0
        Jul 1 20:00:38 localhost vpnsvc: 00101031 <47:0> Checking Transform #1 for Rule "IKERule:CMAP:1:DMAP:1", Transform #2: payload malformed
        Jul 1 20:00:38 localhost vpnsvc: 00101031 <47:0> Checking Transform #1 for Rule "IKERule:CMAP:1:DMAP:2", Transform #2: payload malformed
        Jul 1 20:00:38 localhost vpnsvc: 10000018 <47:0> IKE session stopped at [Main Mode, Responder, Packets 1,2][Compare policy], Reason: NO-PROPOSAL-CHOSEN
        Jul 1 20:00:38 localhost vpnsvc: 10000001 <47:1> Start IKE session, Request: ISAKMP notification, type Informational, peer 46.39.231.48:32442, sessionId FD630224261656EC.C2B631EF
        Jul 1 20:00:38 localhost vpnsvc: 1000001b <47:1> Sending notification [NO-PROPOSAL-CHOSEN] for <47:0>
        Jul 1 20:00:38 localhost vpnsvc: 10000002 <47:1> Session completed

     4) As far as I understand, according to RFC2409 a zero value is not permitted.

     Device information: 1) router zyxel keenetic ultra II; 2) firmware version: v2.08(AAUX.0)C2.
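The tcpdump line in the post already shows the decoded attributes; as an added example (not from the thread or from either vendor), here is a small Python decoder for IKEv1 transform attributes that flags the zero Life Duration the S-Terra responder rejected. The sample bytes are constructed to match the attribute values in the post, and the parser also handles the variable-length (TLV) form of Life Duration that the post does not show.

```python
# Added example (not from the thread): decode IKEv1 transform attributes
# (RFC 2408 s.3.3 encoding, RFC 2409 Appendix A classes) and flag a zero
# Life Duration, the value the S-Terra responder rejected.
import struct

LIFE_TYPE, LIFE_DURATION = 11, 12


def parse_ike_attributes(data):
    """Return a list of (attribute_class, value_bytes).

    A 2-byte type leads; its top bit (AF) says whether a 2-byte value follows
    directly (AF=1, 'basic') or a 2-byte length plus a variable value (AF=0)."""
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        t, lv = struct.unpack_from("!HH", data, off)
        off += 4
        if t & 0x8000:                      # basic: lv is the value itself
            value = struct.pack("!H", lv)
        else:                               # variable: lv is the length
            if off + lv > len(data):
                raise ValueError("truncated attribute value at offset %d" % off)
            value, off = data[off:off + lv], off + lv
        attrs.append((t & 0x7FFF, value))
    return attrs


def check_lifetime(attrs):
    """Return (life_type, life_duration, findings) for one parsed transform."""
    by_class = {cls: int.from_bytes(val, "big") for cls, val in attrs}
    life_type, duration = by_class.get(LIFE_TYPE), by_class.get(LIFE_DURATION)
    findings = []
    if life_type is not None and duration is None:
        findings.append("Life Type present without Life Duration")
    if duration == 0:
        findings.append("Life Duration is zero")
    return life_type, duration, findings


# Constructed samples. BAD_TRANSFORM mirrors the tcpdump in the post:
# enc=aes(7), keylen=0x0100, hash=sha1(2), group=modp1536(5), auth=preshared(1),
# lifetype=sec(1), lifeduration=0, all in basic (AF=1) form.
COMMON = "80010007" "800e0100" "80020002" "80040005" "80030001" "800b0001"
BAD_TRANSFORM = bytes.fromhex(COMMON + "800c0000")
GOOD_BASIC = bytes.fromhex(COMMON + "800c0e10")           # 3600 s, basic form
GOOD_TLV = bytes.fromhex(COMMON + "000c0004" "00000e10")  # 3600 s, 4-byte TLV form
```

Running `check_lifetime(parse_ike_attributes(BAD_TRANSFORM))` reports the zero lifetime, while both 3600-second encodings pass without findings.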