Jump to content

site-to-site ZyXEL Keenetic 4G III и CISCO ASA 5505


Recommended Posts

Подскажите кому удавалось подружить  CISCO ASA 5505 с ZyXEL Keenetic 4G III через IPsec?

если такие есть, то какие настройки использовали?

у самого не получилось ошибка 
при использовании  ikev1

Feb 15 12:42:04ndm
IpSec::Configurator: remote peer of crypto map "Test" returned proposal mismatch for IKE phase 1.

при использовании  ikev2
Feb 15 12:42:22ipsec
08[IKE] received NO_PROPOSAL_CHOSEN notify error
Link to comment
Share on other sites

3 часа назад, Andrey Lazarev сказал:

Подскажите кому удавалось подружить  CISCO ASA 5505 с ZyXEL Keenetic 4G III через IPsec?

если такие есть, то какие настройки использовали?

у самого не получилось ошибка 
при использовании  ikev1

Feb 15 12:42:04ndm
IpSec::Configurator: remote peer of crypto map "Test" returned proposal mismatch for IKE phase 1.

при использовании  ikev2
Feb 15 12:42:22ipsec
08[IKE] received NO_PROPOSAL_CHOSEN notify error

Скидывайте конфиги обоих сторон, посмотрим что не так.

Еще важна точная версия прошивки на Keentic.

Link to comment
Share on other sites

  • 2 weeks later...

Аналогичные траблы, CISCO ASA 5520 + ZyXEL Keenetic 4G III

ZyXEL Keenetic 4G III (прошивка v2.09(AAUR.6)A3)

К сожалению, со стороны CISCO есть только требования по подключению:

Phase 1
Auth Method: Pre-Shared Key
DH Group: Group 2
Encryption Algorithm: 3DES
Hashing Algorithm: SHA1
Main or Aggressive Mode: Main mode
Lifetime (for renegotiation): 28800s

Phase 2
Encapsulation (ESP or AH): ESP
Enc Algorithm: 3DES
Auth Algorithm: SHA1
Perfect Forward Secrecy: Group 2
Lifetime (for renegotiation): 28800s

В случае "ikev1" - "ipsec06[IKE] received NO_PROPOSAL_CHOSEN notify error"

В случае "ikev2" - "ipsec10[IKE] received INVALID_IKE_SPI error notify"

ZyxelIPSEC_1.jpg.c353166c8829df897ffbc43ce7c2796d.jpg

Link to comment
Share on other sites

Начните с:

Идентификатор локального шлюза - IP-адрес
Значение идентификатора - IP-адрес вашего WAN
Идентификатор удаленного шлюза - IP-адрес
Значение идентификатора - IP-адрес Cisco

Версия протокола - IKEv1

Link to comment
Share on other sites

4 минуты назад, Le ecureuil сказал:

Начните с:

Идентификатор локального шлюза - IP-адрес
Значение идентификатора - IP-адрес вашего WAN
Идентификатор удаленного шлюза - IP-адрес
Значение идентификатора - IP-адрес Cisco

Версия протокола - IKEv1

Сделал.

В логе ошибки:

ndmIpSec::Configurator: general error while establishing crypto map "Zyxel" connection.

ndmIpSec::Configurator: fallback peer is not defined for crypto map "Zyxel", retry.

ipsec08[IKE] sending DPD vendor ID 
ipsec08[IKE] sending FRAGMENTATION vendor ID 
ipsec08[IKE] sending NAT-T (RFC 3947) vendor ID 
ipsec08[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
ipsec08[IKE] initiating Main Mode IKE_SA Zyxel[15] to 207.xx.xx.xx 
ipsec06[IKE] received NAT-T (RFC 3947) vendor ID 
ipsec06[IKE] received FRAGMENTATION vendor ID 
ipsec06[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/# 
ipsec06[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/# 
ipsec06[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/# 
ipsec15[IKE] sending retransmit 1 of request message ID 0, seq 2 
ipsec11[IKE] received INVALID_IKE_SPI error notify 
ndmIpSec::Configurator: general error while establishing crypto map "Zyxel" connection.
ndmIpSec::Configurator: crypto map "Zyxel" active IKE SA: 0, active CHILD SA: 0.
ndmIpSec::Configurator: fallback peer is not defined for crypto map "Zyxel", retry.
ndmIpSec::Configurator: schedule reconnect for crypto map "Zyxel".
ndmIpSec::Configurator: crypto map "Zyxel" active IKE SA: 0, active CHILD SA: 0.
ndmIpSec::Configurator: reconnecting crypto map "Zyxel".

 

Link to comment
Share on other sites

  • 4 weeks later...
В 27.02.2017 в 15:49, alekssmak сказал:

Аналогичные траблы, CISCO ASA 5520 + ZyXEL Keenetic 4G III

ZyXEL Keenetic 4G III (прошивка v2.09(AAUR.6)A3)

К сожалению, со стороны CISCO есть только требования по подключению:

В случае "ikev1" - "ipsec06[IKE] received NO_PROPOSAL_CHOSEN notify error"

В случае "ikev2" - "ipsec10[IKE] received INVALID_IKE_SPI error notify"

В итоге - все взлетело и работает.

Как обычно - человеческий фактор - неверно был указан внешний ip Zyxel на стороне Cisco.

Спасибо за отличный продукт!

Link to comment
Share on other sites

  • 8 months later...

Напишу сюда, проблема аналогична.

image.png.8468688cd152ac7cac141ec213812939.png

 

Лог циски

 

ciscoasa# show Dec 02 02:46:33 [IKEv1]IKE Receiver: Packet received on 80.246.253.173:500 from XXX.XXX.XXX.XXX:500
Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 316
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing SA payload
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing ke payload
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing ISA_KE payload
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing nonce payload
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing ID payload
Dec 02 02:46:33 [IKEv1 DECODE]IP = XXX.XXX.XXX.XXX, ID_IPV4_ADDR ID received
XXX.XXX.XXX.XXX
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received DPD VID
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received Fragmentation VID
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received NAT-Traversal RFC VID
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload
Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received NAT-Traversal ver 02 VID
Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, Connection landed on tunnel_group XXX.XXX.XXX.XXX
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing IKE SA payload
Dec 02 02:46:33 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 5
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ISAKMP SA payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ke payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing nonce payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Generating keys for Responder...
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ID payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing hash payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Computing hash for ISAKMP
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing Cisco Unity VID payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing xauth V6 VID payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing dpd vid payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing NAT-Traversal VID ver RFC payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing NAT-Discovery payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing NAT-Discovery payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing Fragmentation VID + extended capabilities payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing VID payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 408
Dec 02 02:46:33 [IKEv1]IKE Receiver: Packet received on 80.246.253.173:500 from XXX.XXX.XXX.XXX:500
Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 100
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing hash payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Computing hash for ISAKMP
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing NAT-Discovery payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing NAT-Discovery payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, PHASE 1 COMPLETED
Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, Keep-alive type for this connection: DPD
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Starting P1 rekey timer: 2700 seconds.
Dec 02 02:46:33 [IKEv1]IKE Receiver: Packet received on 80.246.253.173:500 from XXX.XXX.XXX.XXX:500
Dec 02 02:46:33 [IKEv1 DECODE]IP = XXX.XXX.XXX.XXX, IKE Responder starting QM: msg id = 9f24aad1
Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=9f24aad1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 284
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing hash payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing SA payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing nonce payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ke payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ISA_KE for PFS in phase 2
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ID payload
Dec 02 02:46:33 [IKEv1 DECODE]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, ID_IPV4_ADDR_SUBNET ID received--192.168.121.0--255.255.255.0
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.121.0, Mask 255.255.255.0, Protocol 0, Port 0
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ID payload
Dec 02 02:46:33 [IKEv1 DECODE]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, ID_IPV4_ADDR_SUBNET ID received--192.168.50.0--255.255.255.0
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.50.0, Mask 255.255.255.0, Protocol 0, Port 0
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, QM IsRekeyed old sa not found by addr
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, checking map = mymap, seq = 10...
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, map = mymap, seq = 10, ACL does not match proxy IDs src:192.168.121.0 dst:192.168.50.0
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, checking map = mymap, seq = 11...
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, map mymap, seq = 11 is a successful match
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE Remote Peer configured for crypto map: mymap
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing IPSec SA payload
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, All IPSec SA proposals found unacceptable!
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, sending notify message
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing blank hash payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ipsec notify payload for msg id 9f24aad1
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing qm hash payload
Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE SENDING Message (msgid=78e848eb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, QM FSM error (P2 struct &0xce5df4c0, mess id 0x9f24aad1)!
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE QM Responder FSM error history (struct &0xce5df4c0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, sending delete/delete with reason message
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Removing peer from correlator table failed, no match!
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE SA AM:8fbc8e72 rcv'd Terminate: state AM_ACTIVE  flags 0x00000041, refcnt 1, tuncnt 0
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE SA AM:8fbc8e72 terminating:  flags 0x01000001, refcnt 0, tuncnt 0
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, sending delete/delete with reason message
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing blank hash payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing IKE delete payload
Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing qm hash payload
Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE SENDING Message (msgid=8d98427d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Session is being torn down. Reason: Phase 2 Mismatch
Dec 02 02:46:33 [IKEv1]Ignoring msg to mark SA with dsID 1601536 dead because SA deleted

 

 

конфиги циски

 

crypto ipsec ikev1 transform-set myset2 esp-des esp-sha-hmac

crypto map mymap 11 set ikev1 transform-set myset2

crypto map mymap 11 match address L2LDima
crypto map mymap 11 set peer XXX.XXX.XXX.XXX
crypto map mymap 11 set ikev1 phase1-mode aggressive
crypto map mymap 11 set ikev1 transform-set myset2
crypto map mymap 11 set reverse-route

crypto ikev1 policy 11
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 3600

 

 

 

 

Edited by Andreevskiy
Link to comment
Share on other sites

@Andreevskiy

Во-первых, везде отключите агрессивный режим, используйте main mode.

Во-вторых, попытайтесь настроить IKEv2.

В-третьих, выключите PFS на Keenetic для 2 фазы, у вас на cisco он не включен.

В-четвертых, если ничего из вышеперечисленного не поможет, то приложите нормальные конфиги и логи (скрытым постом например), разбираться по "замазкам" и обрубкам я не собираюсь. Или обратитесь с ними в техподдержку, если не доверяете форуму. Они все равно дойдут до меня.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...