timonych Posted February 18, 2017 (edited)

Greetings! I have a question about IPSec. There are 3 devices: one has a public IP, the other two have private IPs. Cloud access is available. I wanted to connect the 2 other devices over IPSec to the one with the public IP. The whole thing works for a while, then chokes and complains about a supposedly incorrect local/remote ID. In practice only the second connection in the list works. If I delete it, the first connection starts working properly.

The following setups were used:

Extra (client 1) + Lite II (client 2) -> Lite II (host)
Extra (client 1) + Lite II (client 2) -> Extra (host)

Question: is this kind of setup possible at all? Or am I banging my head against the wall for nothing?

Hidden text

Feb 18 08:37:46 ipsec 14[IKE] 93.170.246.74 is initiating an IKE_SA
Feb 18 08:37:46 ipsec 14[CFG] received proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768/#
Feb 18 08:37:46 ipsec 14[CFG] configured proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768/#
Feb 18 08:37:46 ipsec 14[CFG] selected proposal: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768/#
Feb 18 08:37:46 ipsec 14[IKE] remote host is behind NAT
Feb 18 08:37:46 ipsec 11[CFG] looking for peer configs matching 176.123.***.**[***]...93.170.246.74[***]
Feb 18 08:37:46 ipsec 11[CFG] selected peer config '***'
Feb 18 08:37:46 ipsec 11[IKE] linked key for crypto map '***' is not found, still searching
Feb 18 08:37:46 ipsec 11[IKE] authentication of '***' with pre-shared key successful
Feb 18 08:37:46 ipsec 11[IKE] linked key for crypto map '***' is not found, still searching
Feb 18 08:37:46 ipsec 11[IKE] authentication of '***' (myself) with pre-shared key
Feb 18 08:37:46 ipsec 11[IKE] IKE_SA ***[2177] established between 176.123.***.**[***]...93.170.246.74[***]
Feb 18 08:37:46 ipsec 11[IKE] scheduling reauthentication in 3574s
Feb 18 08:37:46 ipsec 11[IKE] maximum IKE_SA lifetime 3594s
Feb 18 08:37:46 ndm IpSec::Configurator: crypto map "***" active IKE SA: 1, active CHILD SA: 0.
Feb 18 08:37:46 ipsec 11[CFG] received proposals: ESP:DES_CBC/HMAC_MD5_96/#/#/NO_EXT_SEQ
Feb 18 08:37:46 ipsec 11[CFG] configured proposals: ESP:DES_CBC/HMAC_MD5_96/#/MODP_768/NO_EXT_SEQ
Feb 18 08:37:46 ipsec 11[CFG] selected proposal: ESP:DES_CBC/HMAC_MD5_96/#/#/NO_EXT_SEQ
Feb 18 08:37:46 ipsec 11[IKE] CHILD_SA ***{658} established with SPIs c2c9371a_i c21d6d1f_o and TS 192.168.11.0/24 === 192.168.1.0/24
Feb 18 08:37:46 ndm IpSec::Configurator: crypto map "***" is up.
Feb 18 08:37:46 ndm IpSec::Configurator: crypto map "***" active IKE SA: 1, active CHILD SA: 1.
Feb 18 08:37:46 ipsec 13[IKE] received DELETE for IKE_SA ***[2177]
Feb 18 08:37:46 ipsec 13[IKE] deleting IKE_SA ***[2177] between 176.123.***.**[***]...93.170.246.74[***]
Feb 18 08:37:46 ndm IpSec::Configurator: remote peer rejects to authenticate our crypto map "***".
Feb 18 08:37:46 ndm IpSec::Configurator: (possibly because of wrong local/remote ID).
Feb 18 08:37:46 ndm IpSec::Configurator: crypto map "***" active IKE SA: 0, active CHILD SA: 0.
Feb 18 08:37:46 ipsec 13[IKE] IKE_SA deleted
Feb 18 08:37:46 ndm IpSec::Configurator: crypto map "***" active IKE SA: 0, active CHILD SA: 0.
Feb 18 08:37:46 ndm IpSec::Configurator: crypto map "***" active IKE SA: 0, active CHILD SA: 0.
Feb 18 08:37:46 ndm IpSec::Configurator: crypto map "***" active IKE SA: 0, active CHILD SA: 0.
Feb 18 08:37:46 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
Feb 18 08:37:46 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.

P.S. All devices are running the latest official release, v2.08(AANS.2)C0.

Edited February 18, 2017 by timonych

Le ecureuil Posted February 18, 2017

Send the self-test from the device with the "public IP". We'll think about it.