Andrey Lazarev Posted February 15, 2017 Share Posted February 15, 2017 Подскажите кому удавалось подружить CISCO ASA 5505 с ZyXEL Keenetic 4G III через IPsec? если такие есть, то какие настройки использовали? у самого не получилось ошибка при использовании ikev1 Feb 15 12:42:04ndm IpSec::Configurator: remote peer of crypto map "Test" returned proposal mismatch for IKE phase 1. при использовании ikev2 Feb 15 12:42:22ipsec 08[IKE] received NO_PROPOSAL_CHOSEN notify error Quote Link to comment Share on other sites More sharing options...
Le ecureuil Posted February 15, 2017 Share Posted February 15, 2017 3 часа назад, Andrey Lazarev сказал: Подскажите кому удавалось подружить CISCO ASA 5505 с ZyXEL Keenetic 4G III через IPsec? если такие есть, то какие настройки использовали? у самого не получилось ошибка при использовании ikev1 Feb 15 12:42:04ndm IpSec::Configurator: remote peer of crypto map "Test" returned proposal mismatch for IKE phase 1. при использовании ikev2 Feb 15 12:42:22ipsec 08[IKE] received NO_PROPOSAL_CHOSEN notify error Скидывайте конфиги обоих сторон, посмотрим что не так. Еще важна точная версия прошивки на Keentic. Quote Link to comment Share on other sites More sharing options...
alekssmak Posted February 27, 2017 Share Posted February 27, 2017 Аналогичные траблы, CISCO ASA 5520 + ZyXEL Keenetic 4G III ZyXEL Keenetic 4G III (прошивка v2.09(AAUR.6)A3) К сожалению, со стороны CISCO есть только требования по подключению: Phase 1 Auth Method: Pre-Shared Key DH Group: Group 2 Encryption Algorithm: 3DES Hashing Algorithm: SHA1 Main or Aggressive Mode: Main mode Lifetime (for renegotiation): 28800s Phase 2 Encapsulation (ESP or AH): ESP Enc Algorithm: 3DES Auth Algorithm: SHA1 Perfect Forward Secrecy: Group 2 Lifetime (for renegotiation): 28800s В случае "ikev1" - "ipsec06[IKE] received NO_PROPOSAL_CHOSEN notify error" В случае "ikev2" - "ipsec10[IKE] received INVALID_IKE_SPI error notify" Quote Link to comment Share on other sites More sharing options...
KorDen Posted February 27, 2017 Share Posted February 27, 2017 @alekssmak, там однозначно IKEv1, а дальше смотрите в логи, там ЕМНИП в логе будет писать что предложила циска в proposals Quote Link to comment Share on other sites More sharing options...
Le ecureuil Posted February 27, 2017 Share Posted February 27, 2017 Начните с: Идентификатор локального шлюза - IP-адрес Значение идентификатора - IP-адрес вашего WAN Идентификатор удаленного шлюза - IP-адрес Значение идентификатора - IP-адрес Cisco Версия протокола - IKEv1 Quote Link to comment Share on other sites More sharing options...
alekssmak Posted February 27, 2017 Share Posted February 27, 2017 4 минуты назад, Le ecureuil сказал: Начните с: Идентификатор локального шлюза - IP-адрес Значение идентификатора - IP-адрес вашего WAN Идентификатор удаленного шлюза - IP-адрес Значение идентификатора - IP-адрес Cisco Версия протокола - IKEv1 Сделал. В логе ошибки: ndmIpSec::Configurator: general error while establishing crypto map "Zyxel" connection. ndmIpSec::Configurator: fallback peer is not defined for crypto map "Zyxel", retry. ipsec08[IKE] sending DPD vendor ID ipsec08[IKE] sending FRAGMENTATION vendor ID ipsec08[IKE] sending NAT-T (RFC 3947) vendor ID ipsec08[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID ipsec08[IKE] initiating Main Mode IKE_SA Zyxel[15] to 207.xx.xx.xx ipsec06[IKE] received NAT-T (RFC 3947) vendor ID ipsec06[IKE] received FRAGMENTATION vendor ID ipsec06[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/# ipsec06[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/# ipsec06[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/# ipsec15[IKE] sending retransmit 1 of request message ID 0, seq 2 ipsec11[IKE] received INVALID_IKE_SPI error notify ndmIpSec::Configurator: general error while establishing crypto map "Zyxel" connection. ndmIpSec::Configurator: crypto map "Zyxel" active IKE SA: 0, active CHILD SA: 0. ndmIpSec::Configurator: fallback peer is not defined for crypto map "Zyxel", retry. ndmIpSec::Configurator: schedule reconnect for crypto map "Zyxel". ndmIpSec::Configurator: crypto map "Zyxel" active IKE SA: 0, active CHILD SA: 0. ndmIpSec::Configurator: reconnecting crypto map "Zyxel". Quote Link to comment Share on other sites More sharing options...
Le ecureuil Posted February 27, 2017 Share Posted February 27, 2017 Представленной информации мало для дальнейших действий, вам нужно пообщаться с настройщиком Cisco. Quote Link to comment Share on other sites More sharing options...
alekssmak Posted March 22, 2017 Share Posted March 22, 2017 В 27.02.2017 в 15:49, alekssmak сказал: Аналогичные траблы, CISCO ASA 5520 + ZyXEL Keenetic 4G III ZyXEL Keenetic 4G III (прошивка v2.09(AAUR.6)A3) К сожалению, со стороны CISCO есть только требования по подключению: В случае "ikev1" - "ipsec06[IKE] received NO_PROPOSAL_CHOSEN notify error" В случае "ikev2" - "ipsec10[IKE] received INVALID_IKE_SPI error notify" В итоге - все взлетело и работает. Как обычно - человеческий фактор - неверно был указан внешний ip Zyxel на стороне Cisco. Спасибо за отличный продукт! Quote Link to comment Share on other sites More sharing options...
Andreevskiy Posted December 2, 2017 Share Posted December 2, 2017 (edited) Напишу сюда, проблема аналогична. Лог циски ciscoasa# show Dec 02 02:46:33 [IKEv1]IKE Receiver: Packet received on 80.246.253.173:500 from XXX.XXX.XXX.XXX:500 Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 316 Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing SA payload Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing ke payload Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing ISA_KE payload Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing nonce payload Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing ID payload Dec 02 02:46:33 [IKEv1 DECODE]IP = XXX.XXX.XXX.XXX, ID_IPV4_ADDR ID received XXX.XXX.XXX.XXX Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received DPD VID Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received Fragmentation VID Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received NAT-Traversal RFC VID Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, processing VID payload Dec 02 02:46:33 [IKEv1 DEBUG]IP = XXX.XXX.XXX.XXX, Received NAT-Traversal ver 02 VID Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, Connection landed on tunnel_group XXX.XXX.XXX.XXX Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing IKE SA payload Dec 02 02:46:33 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2 Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 5 Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ISAKMP SA payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ke payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing nonce payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Generating keys for Responder... Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ID payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing hash payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Computing hash for ISAKMP Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing Cisco Unity VID payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing xauth V6 VID payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing dpd vid payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing NAT-Traversal VID ver RFC payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing NAT-Discovery payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing NAT-Discovery payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing Fragmentation VID + extended capabilities payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing VID payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Send Altiga/Cisco VPN3000/Cisco ASA GW VID Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 408 Dec 02 02:46:33 [IKEv1]IKE Receiver: Packet received on 80.246.253.173:500 from XXX.XXX.XXX.XXX:500 Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 100 Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing hash payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Computing hash for ISAKMP Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing NAT-Discovery payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing NAT-Discovery payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, computing NAT Discovery hash Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, PHASE 1 COMPLETED Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, Keep-alive type for this connection: DPD Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Starting P1 rekey timer: 2700 seconds. Dec 02 02:46:33 [IKEv1]IKE Receiver: Packet received on 80.246.253.173:500 from XXX.XXX.XXX.XXX:500 Dec 02 02:46:33 [IKEv1 DECODE]IP = XXX.XXX.XXX.XXX, IKE Responder starting QM: msg id = 9f24aad1 Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=9f24aad1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 284 Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing hash payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing SA payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing nonce payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ke payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ISA_KE for PFS in phase 2 Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ID payload Dec 02 02:46:33 [IKEv1 DECODE]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, ID_IPV4_ADDR_SUBNET ID received--192.168.121.0--255.255.255.0 Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.121.0, Mask 255.255.255.0, Protocol 0, Port 0 Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing ID payload Dec 02 02:46:33 [IKEv1 DECODE]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, ID_IPV4_ADDR_SUBNET ID received--192.168.50.0--255.255.255.0 Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Received local IP Proxy Subnet data in ID Payload: Address 192.168.50.0, Mask 255.255.255.0, Protocol 0, Port 0 Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, QM IsRekeyed old sa not found by addr Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, checking map = mymap, seq = 10... Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, map = mymap, seq = 10, ACL does not match proxy IDs src:192.168.121.0 dst:192.168.50.0 Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, checking map = mymap, seq = 11... Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Static Crypto Map check, map mymap, seq = 11 is a successful match Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE Remote Peer configured for crypto map: mymap Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, processing IPSec SA payload Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, All IPSec SA proposals found unacceptable! Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, sending notify message Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing blank hash payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing ipsec notify payload for msg id 9f24aad1 Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing qm hash payload Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE SENDING Message (msgid=78e848eb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84 Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, QM FSM error (P2 struct &0xce5df4c0, mess id 0x9f24aad1)! Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE QM Responder FSM error history (struct &0xce5df4c0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, sending delete/delete with reason message Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Removing peer from correlator table failed, no match! Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE SA AM:8fbc8e72 rcv'd Terminate: state AM_ACTIVE flags 0x00000041, refcnt 1, tuncnt 0 Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, IKE SA AM:8fbc8e72 terminating: flags 0x01000001, refcnt 0, tuncnt 0 Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, sending delete/delete with reason message Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing blank hash payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing IKE delete payload Dec 02 02:46:33 [IKEv1 DEBUG]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, constructing qm hash payload Dec 02 02:46:33 [IKEv1]IP = XXX.XXX.XXX.XXX, IKE_DECODE SENDING Message (msgid=8d98427d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80 Dec 02 02:46:33 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Session is being torn down. Reason: Phase 2 Mismatch Dec 02 02:46:33 [IKEv1]Ignoring msg to mark SA with dsID 1601536 dead because SA deleted конфиги циски crypto ipsec ikev1 transform-set myset2 esp-des esp-sha-hmac crypto map mymap 11 set ikev1 transform-set myset2 crypto map mymap 11 match address L2LDima crypto map mymap 11 set peer XXX.XXX.XXX.XXX crypto map mymap 11 set ikev1 phase1-mode aggressive crypto map mymap 11 set ikev1 transform-set myset2 crypto map mymap 11 set reverse-route crypto ikev1 policy 11 authentication pre-share encryption aes hash sha group 1 lifetime 3600 Edited December 2, 2017 by Andreevskiy Quote Link to comment Share on other sites More sharing options...
Le ecureuil Posted December 2, 2017 Share Posted December 2, 2017 @Andreevskiy Во-первых, везде отключите агрессивный режим, используйте main mode. Во-вторых, попытайтесь настроить IKEv2. В-третьих, выключите PFS на Keenetic для 2 фазы, у вас на cisco он не включен. В-четвертых, если ничего из вышеперечисленного не поможет, то приложите нормальные конфиги и логи (скрытым постом например), разбираться по "замазкам" и обрубкам я не собираюсь. Или обратитесь с ними в техподдержку, если не доверяете форуму. Они все равно дойдут до меня. Quote Link to comment Share on other sites More sharing options...
Andreevskiy Posted December 2, 2017 Share Posted December 2, 2017 Спасибо за наводку все заработало. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.