Владислав Новиков, Posted July 1, 2017 (edited)

Hello! Problem: IKEv1 sends a zero value for the ISAKMP SA lifetime regardless of the value set in the web interface (see the screenshot and the information below). Because of this it is impossible to build an IPsec tunnel with S-Terra Gate 4.1 equipment. Details:

1) tcpdump output on the responder side (lifeduration value=0000):

19:40:33.359985 IP (tos 0x0, ttl 59, id 33699, offset 0, flags [DF], proto UDP (17), length 196)
    46.39.231.48.32442 > 172.16.5.2.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 508f08fc14c2b9eb->0000000000000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #0 protoid=isakmp transform=1 (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1536)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0000)))) (vid: len=16 afcad71368a1f1c96b8696fc77570100) (vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000) (vid: len=16 4a131c81070358455c5728f20e95452f) (vid: len=16 90cb80913ebb696e086381b5ec427b1f)

2) The system log says the value is set correctly (lifetime set to 3600 s):

Jul 01 20:03:40 ndm IpSec::Manager: crypto ike proposal "to_Sterra4.1" encryption algorithm "aes-cbc-256" added.
Jul 01 20:03:40 ndm IpSec::Manager: crypto ike proposal "to_Sterra4.1" DH group "5" successfully added.
Jul 01 20:03:40 ndm IpSec::Manager: crypto ike proposal "to_Sterra4.1" integrity algorithm "sha1" successfully added.
Jul 01 20:03:40 ndm IpSec::Manager: crypto ike policy "to_Sterra4.1" proposal "to_Sterra4.1" successfully added.
Jul 01 20:03:40 ndm IpSec::Manager: crypto ike policy "to_Sterra4.1" lifetime set to 3600 s.
Jul 01 20:03:40 ndm IpSec::Manager: crypto ike policy "to_Sterra4.1" mode set to "ikev1".
Jul 01 20:03:40 ndm IpSec::Manager: crypto ike policy "to_Sterra4.1" negotiation-mode set to "main".
Jul 01 20:03:40 ndm IpSec::Manager: crypto ike key "to_Sterra4.1" successfully updated.

3) On the S-Terra Gate 4.1 side (Life Time: 0):

Jul 1 20:00:38 localhost vpnsvc: 10000001 <47:0> Start IKE session, Request: Inbound ISAKMP packet, type Main, peer 46.39.231.48:32442, sessionId FD630224261656EC.0
Jul 1 20:00:38 localhost vpnsvc: 00101012 <47:0> Received ISAKMP proposals:
Jul 1 20:00:38 localhost vpnsvc: 00101013 <47:0> Transform #1: Cipher:AES-CBC, Attr(14):(256), Hash:SHA, Group:MODP_1536, Auth:Pre-Shared Key, Life Time:0
Jul 1 20:00:38 localhost vpnsvc: 00101031 <47:0> Checking Transform #1 for Rule "IKERule:CMAP:1:DMAP:1", Transform #2: payload malformed
Jul 1 20:00:38 localhost vpnsvc: 00101031 <47:0> Checking Transform #1 for Rule "IKERule:CMAP:1:DMAP:2", Transform #2: payload malformed
Jul 1 20:00:38 localhost vpnsvc: 10000018 <47:0> IKE session stopped at [Main Mode, Responder, Packets 1,2][Compare policy], Reason: NO-PROPOSAL-CHOSEN
Jul 1 20:00:38 localhost vpnsvc: 10000001 <47:1> Start IKE session, Request: ISAKMP notification, type Informational, peer 46.39.231.48:32442, sessionId FD630224261656EC.C2B631EF
Jul 1 20:00:38 localhost vpnsvc: 1000001b <47:1> Sending notification [NO-PROPOSAL-CHOSEN] for <47:0>
Jul 1 20:00:38 localhost vpnsvc: 10000002 <47:1> Session completed

4) As far as I understand, according to RFC 2409 a zero value is not allowed.

Device information: 1) router Zyxel Keenetic Ultra II; 2) firmware version: v2.08(AAUX.0)C2.

Edited July 1, 2017 by Владислав Новиков
Le ecureuil, Posted July 2, 2017

> 12 hours ago, Владислав Новиков said:
> Hello! Problem: IKEv1 sends a zero value for the ISAKMP SA lifetime regardless of the value set in the web interface (see the screenshot and the information below). Because of this it is impossible to build an IPsec tunnel with S-Terra Gate 4.1 equipment. Details:
> 1) tcpdump output on the responder side (lifeduration value=0000):
> 19:40:33.359985 IP (tos 0x0, ttl 59, id 33699, offset 0, flags [DF], proto UDP (17), length 196)
>     46.39.231.48.32442 > 172.16.5.2.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 508f08fc14c2b9eb->0000000000000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #0 protoid=isakmp transform=1 (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1536)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0000)))) (vid: len=16 afcad71368a1f1c96b8696fc77570100) (vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000) (vid: len=16 4a131c81070358455c5728f20e95452f) (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
> 2) The system log says the value is set correctly (lifetime set to 3600 s):
> Jul 01 20:03:40 ndm IpSec::Manager: crypto ike proposal "to_Sterra4.1" encryption algorithm "aes-cbc-256" added.
> Jul 01 20:03:40 ndm IpSec::Manager: crypto ike proposal "to_Sterra4.1" DH group "5" successfully added.
> Jul 01 20:03:40 ndm IpSec::Manager: crypto ike proposal "to_Sterra4.1" integrity algorithm "sha1" successfully added.
> Jul 01 20:03:40 ndm IpSec::Manager: crypto ike policy "to_Sterra4.1" proposal "to_Sterra4.1" successfully added.
> Jul 01 20:03:40 ndm IpSec::Manager: crypto ike policy "to_Sterra4.1" lifetime set to 3600 s.
> Jul 01 20:03:40 ndm IpSec::Manager: crypto ike policy "to_Sterra4.1" mode set to "ikev1".
> Jul 01 20:03:40 ndm IpSec::Manager: crypto ike policy "to_Sterra4.1" negotiation-mode set to "main".
> Jul 01 20:03:40 ndm IpSec::Manager: crypto ike key "to_Sterra4.1" successfully updated.
> 3) On the S-Terra Gate 4.1 side (Life Time: 0):
> Jul 1 20:00:38 localhost vpnsvc: 10000001 <47:0> Start IKE session, Request: Inbound ISAKMP packet, type Main, peer 46.39.231.48:32442, sessionId FD630224261656EC.0
> Jul 1 20:00:38 localhost vpnsvc: 00101012 <47:0> Received ISAKMP proposals:
> Jul 1 20:00:38 localhost vpnsvc: 00101013 <47:0> Transform #1: Cipher:AES-CBC, Attr(14):(256), Hash:SHA, Group:MODP_1536, Auth:Pre-Shared Key, Life Time:0
> Jul 1 20:00:38 localhost vpnsvc: 00101031 <47:0> Checking Transform #1 for Rule "IKERule:CMAP:1:DMAP:1", Transform #2: payload malformed
> Jul 1 20:00:38 localhost vpnsvc: 00101031 <47:0> Checking Transform #1 for Rule "IKERule:CMAP:1:DMAP:2", Transform #2: payload malformed
> Jul 1 20:00:38 localhost vpnsvc: 10000018 <47:0> IKE session stopped at [Main Mode, Responder, Packets 1,2][Compare policy], Reason: NO-PROPOSAL-CHOSEN
> Jul 1 20:00:38 localhost vpnsvc: 10000001 <47:1> Start IKE session, Request: ISAKMP notification, type Informational, peer 46.39.231.48:32442, sessionId FD630224261656EC.C2B631EF
> Jul 1 20:00:38 localhost vpnsvc: 1000001b <47:1> Sending notification [NO-PROPOSAL-CHOSEN] for <47:0>
> Jul 1 20:00:38 localhost vpnsvc: 10000002 <47:1> Session completed
> 4) As far as I understand, according to RFC 2409 a zero value is not allowed.
> Device information: 1) router Zyxel Keenetic Ultra II; 2) firmware version: v2.08(AAUX.0)C2.

Thanks for the report, we will look into it. Please attach a self-test for good measure, and it would also be good to have a dump of the IKE traffic on the Keenetic WAN, captured with the monitor component (you can limit the capture to UDP only to avoid a large dump), taken while the connection is being established.
Владислав Новиков (Author), Posted July 2, 2017

> 10 hours ago, Le ecureuil said:
> Thanks for the report, we will look into it. Please attach a self-test for good measure, and it would also be good to have a dump of the IKE traffic on the Keenetic WAN, captured with the monitor component (you can limit the capture to UDP only to avoid a large dump), taken while the connection is being established.

Attachments:
capture-GigabitEthernet1-Jul 2 10-57-06.pcapng
self-test (1).txt
Le ecureuil, Posted July 2, 2017

> 3 hours ago, Владислав Новиков said:
> capture-GigabitEthernet1-Jul 2 10-57-06.pcapng
> self-test (1).txt

Not reproducible on 2.09 and 2.10. Check on those, especially since the 2.09 beta is already out.
Владислав Новиков (Author), Posted July 2, 2017

> 1 hour ago, Le ecureuil said:
> Not reproducible on 2.09 and 2.10. Check on those, especially since the 2.09 beta is already out.

Unfortunately, on version 2.09.B.0.0-1 the problem is the same. But if the "Nailed-up" option is enabled, the IPsec lifetime is sent correctly. On the old version v2.08(AAUX.0)C2 I did not test with this option.

1) Without the "Nailed-up" option (log on the S-Terra Gate side):

Jul 3 00:05:20 localhost vpnsvc: 10000001 <79:0> Start IKE session, Request: Inbound ISAKMP packet, type Main, peer 46.39.231.48:45740, sessionId 11723A184C9AA51B.0
Jul 3 00:05:20 localhost vpnsvc: 00101012 <79:0> Received ISAKMP proposals:
Jul 3 00:05:20 localhost vpnsvc: 00101013 <79:0> Transform #1: Cipher:AES-CBC, Attr(14):(256), Hash:SHA, Group:MODP_1536, Auth:Pre-Shared Key, Life Time:0
Jul 3 00:05:20 localhost vpnsvc: 00101031 <79:0> Checking Transform #1 for Rule "IKERule:CMAP:1:DMAP:1", Transform #2: payload malformed
Jul 3 00:05:20 localhost vpnsvc: 10000018 <79:0> IKE session stopped at [Main Mode, Responder, Packets 1,2][Compare policy], Reason: NO-PROPOSAL-CHOSEN
Jul 3 00:05:20 localhost vpnsvc: 10000001 <79:1> Start IKE session, Request: ISAKMP notification, type Informational, peer 46.39.231.48:45740, sessionId 11723A184C9AA51B.22A7B03F
Jul 3 00:05:20 localhost vpnsvc: 1000001b <79:1> Sending notification [NO-PROPOSAL-CHOSEN] for <79:0>
Jul 3 00:05:20 localhost vpnsvc: 10000002 <79:1> Session completed
Jul 3 00:05:26 localhost vpnsvc: 10000006 ISAKMP connection 77 closed, peer 46.39.231.48:39849, id "192.168.1.1", bytes sent/received: 856/1000, exchanges passed: 1, Reason: Delete payload received

2) With the "Nailed-up" option (log on the S-Terra Gate side):

Jul 3 00:05:45 localhost vpnsvc: 10000001 <80:0> Start IKE session, Request: Inbound ISAKMP packet, type Main, peer 46.39.231.48:45740, sessionId 67F709E498610C9C.0
Jul 3 00:05:45 localhost vpnsvc: 00101012 <80:0> Received ISAKMP proposals:
Jul 3 00:05:45 localhost vpnsvc: 00101013 <80:0> Transform #1: Cipher:AES-CBC, Attr(14):(256), Hash:SHA, Group:MODP_1536, Auth:Pre-Shared Key, Life Time:3600
Jul 3 00:05:45 localhost vpnsvc: 00101031 <80:0> Checking Transform #1 for Rule "IKERule:CMAP:1:DMAP:1", Transform #2: match
Jul 3 00:05:45 localhost vpnsvc: 00101011 <80:0> Sending ISAKMP proposals:
Jul 3 00:05:45 localhost vpnsvc: 00101013 <80:0> Transform #1: Cipher:AES-CBC, Attr(14):(256), Hash:SHA, Group:MODP_1536, Auth:Pre-Shared Key, Life Time:3600
Jul 3 00:05:46 localhost vpnsvc: 10000101 <80:0> NAT detected on remote side
Jul 3 00:05:46 localhost vpnsvc: 10000102 <80:0> NAT detected on local side
Jul 3 00:05:46 localhost vpnsvc: 00101036 <80:0> Using preshared key "cs_key_0_0_0_0__0_0_0_0"
Jul 3 00:05:46 localhost vpnsvc: 10000009 <80:0> Float partner to 46.39.231.48:39849
Jul 3 00:05:46 localhost vpnsvc: 1000001d <80:0> Received unprotected notification [INITIAL-CONTACT]: Ignore
Jul 3 00:05:46 localhost vpnsvc: 10000007 <80:0> Receive identity "192.168.1.1", peer 46.39.231.48:39849
Jul 3 00:05:46 localhost vpnsvc: 10000008 <80:0> Send identity "172.16.5.2", peer 46.39.231.48:39849, id "192.168.1.1"
Jul 3 00:05:46 localhost vpnsvc: 10000002 <80:0> Session completed
Jul 3 00:05:46 localhost vpnsvc: 10000005 <80:0> ISAKMP connection 80 created, peer 46.39.231.48:39849, id "192.168.1.1"
Jul 3 00:05:46 localhost vpnsvc: 10000001 <80:1> Start IKE session, Request: Inbound ISAKMP packet, type Quick, peer 46.39.231.48:39849, sessionId 67F709E498610C9C.D66C17E1
Jul 3 00:05:46 localhost vpnsvc: 1000000b <80:1> Receive traffic request: (192.168.1.0/255.255.255.0,,)->(172.16.1.0/255.255.255.0,,)
Jul 3 00:05:46 localhost vpnsvc: 00101022 <80:1> Received IPSec proposals:
Jul 3 00:05:46 localhost vpnsvc: 00101023 <80:1> Proposal #0:
Jul 3 00:05:46 localhost vpnsvc: 00101024 <80:1> Protocol ESP:
Jul 3 00:05:46 localhost vpnsvc: 00101025 <80:1> Transform #1: Trans-ID:ESP_AES, Attr(6):(256), Integrity:HMAC-SHA, Encapsulation:UDP-Encapsulated-Tunnel, Life Time:3600, Life Traffic:21474836
Jul 3 00:05:46 localhost vpnsvc: 00101031 <80:1> Checking Proposal #0, Protocol ESP, Transform #1 for Rule "IPsecAction:CMAP:1:DMAP:1", Proposal #1, Protocol ESP, Transform #1: match
Jul 3 00:05:46 localhost vpnsvc: 00101021 <80:1> Sending IPSec proposals:
Jul 3 00:05:46 localhost vpnsvc: 00101023 <80:1> Proposal #0:
Jul 3 00:05:46 localhost vpnsvc: 00101024 <80:1> Protocol ESP:
Jul 3 00:05:46 localhost vpnsvc: 00101025 <80:1> Transform #1: Trans-ID:ESP_AES, Attr(6):(256), Integrity:HMAC-SHA, Encapsulation:UDP-Encapsulated-Tunnel, Life Time:3600, Life Traffic:21474836
Jul 3 00:05:46 localhost vpnsvc: 1000001b <80:1> Sending notification [RESPONDER-LIFETIME], LifeTraffic:4608000
Jul 3 00:05:46 localhost vpnsvc: 1000001b <80:1> Sending notification [INITIAL-CONTACT] for ISAKMP connection 80
Jul 3 00:05:46 localhost vpnsvc: 1000001b <80:1> Sending notification [CONNECTED]
Jul 3 00:05:46 localhost vpnsvc: 00100119 <80:1> IPSec connection 5 established, traffic selector 172.16.1.0-172.16.1.255->192.168.1.0-192.168.1.255, peer 46.39.231.48:39849, id "192.168.1.1", Filter IPsec:Protect:CMAP:1:DMAP:1:to_zyxel, IPsecAction IPsecAction:CMAP:1:DMAP:1, IKERule IKERule:CMAP:1:DMAP:1
Le ecureuil, Posted July 3, 2017

> 10 hours ago, Владислав Новиков said:
> Unfortunately, on version 2.09.B.0.0-1 the problem is the same. But if the "Nailed-up" option is enabled, the IPsec lifetime is sent correctly. On the old version v2.08(AAUX.0)C2 I did not test with this option.
> 1) Without the "Nailed-up" option (log on the S-Terra Gate side):
> Jul 3 00:05:20 localhost vpnsvc: 10000001 <79:0> Start IKE session, Request: Inbound ISAKMP packet, type Main, peer 46.39.231.48:45740, sessionId 11723A184C9AA51B.0
> Jul 3 00:05:20 localhost vpnsvc: 00101012 <79:0> Received ISAKMP proposals:
> Jul 3 00:05:20 localhost vpnsvc: 00101013 <79:0> Transform #1: Cipher:AES-CBC, Attr(14):(256), Hash:SHA, Group:MODP_1536, Auth:Pre-Shared Key, Life Time:0
> Jul 3 00:05:20 localhost vpnsvc: 00101031 <79:0> Checking Transform #1 for Rule "IKERule:CMAP:1:DMAP:1", Transform #2: payload malformed
> Jul 3 00:05:20 localhost vpnsvc: 10000018 <79:0> IKE session stopped at [Main Mode, Responder, Packets 1,2][Compare policy], Reason: NO-PROPOSAL-CHOSEN
> Jul 3 00:05:20 localhost vpnsvc: 10000001 <79:1> Start IKE session, Request: ISAKMP notification, type Informational, peer 46.39.231.48:45740, sessionId 11723A184C9AA51B.22A7B03F
> Jul 3 00:05:20 localhost vpnsvc: 1000001b <79:1> Sending notification [NO-PROPOSAL-CHOSEN] for <79:0>
> Jul 3 00:05:20 localhost vpnsvc: 10000002 <79:1> Session completed
> Jul 3 00:05:26 localhost vpnsvc: 10000006 ISAKMP connection 77 closed, peer 46.39.231.48:39849, id "192.168.1.1", bytes sent/received: 856/1000, exchanges passed: 1, Reason: Delete payload received
> 2) With the "Nailed-up" option (log on the S-Terra Gate side):
> Jul 3 00:05:45 localhost vpnsvc: 10000001 <80:0> Start IKE session, Request: Inbound ISAKMP packet, type Main, peer 46.39.231.48:45740, sessionId 67F709E498610C9C.0
> Jul 3 00:05:45 localhost vpnsvc: 00101012 <80:0> Received ISAKMP proposals:
> Jul 3 00:05:45 localhost vpnsvc: 00101013 <80:0> Transform #1: Cipher:AES-CBC, Attr(14):(256), Hash:SHA, Group:MODP_1536, Auth:Pre-Shared Key, Life Time:3600
> Jul 3 00:05:45 localhost vpnsvc: 00101031 <80:0> Checking Transform #1 for Rule "IKERule:CMAP:1:DMAP:1", Transform #2: match
> Jul 3 00:05:45 localhost vpnsvc: 00101011 <80:0> Sending ISAKMP proposals:
> Jul 3 00:05:45 localhost vpnsvc: 00101013 <80:0> Transform #1: Cipher:AES-CBC, Attr(14):(256), Hash:SHA, Group:MODP_1536, Auth:Pre-Shared Key, Life Time:3600
> Jul 3 00:05:46 localhost vpnsvc: 10000101 <80:0> NAT detected on remote side
> Jul 3 00:05:46 localhost vpnsvc: 10000102 <80:0> NAT detected on local side
> Jul 3 00:05:46 localhost vpnsvc: 00101036 <80:0> Using preshared key "cs_key_0_0_0_0__0_0_0_0"
> Jul 3 00:05:46 localhost vpnsvc: 10000009 <80:0> Float partner to 46.39.231.48:39849
> Jul 3 00:05:46 localhost vpnsvc: 1000001d <80:0> Received unprotected notification [INITIAL-CONTACT]: Ignore
> Jul 3 00:05:46 localhost vpnsvc: 10000007 <80:0> Receive identity "192.168.1.1", peer 46.39.231.48:39849
> Jul 3 00:05:46 localhost vpnsvc: 10000008 <80:0> Send identity "172.16.5.2", peer 46.39.231.48:39849, id "192.168.1.1"
> Jul 3 00:05:46 localhost vpnsvc: 10000002 <80:0> Session completed
> Jul 3 00:05:46 localhost vpnsvc: 10000005 <80:0> ISAKMP connection 80 created, peer 46.39.231.48:39849, id "192.168.1.1"
> Jul 3 00:05:46 localhost vpnsvc: 10000001 <80:1> Start IKE session, Request: Inbound ISAKMP packet, type Quick, peer 46.39.231.48:39849, sessionId 67F709E498610C9C.D66C17E1
> Jul 3 00:05:46 localhost vpnsvc: 1000000b <80:1> Receive traffic request: (192.168.1.0/255.255.255.0,,)->(172.16.1.0/255.255.255.0,,)
> Jul 3 00:05:46 localhost vpnsvc: 00101022 <80:1> Received IPSec proposals:
> Jul 3 00:05:46 localhost vpnsvc: 00101023 <80:1> Proposal #0:
> Jul 3 00:05:46 localhost vpnsvc: 00101024 <80:1> Protocol ESP:
> Jul 3 00:05:46 localhost vpnsvc: 00101025 <80:1> Transform #1: Trans-ID:ESP_AES, Attr(6):(256), Integrity:HMAC-SHA, Encapsulation:UDP-Encapsulated-Tunnel, Life Time:3600, Life Traffic:21474836
> Jul 3 00:05:46 localhost vpnsvc: 00101031 <80:1> Checking Proposal #0, Protocol ESP, Transform #1 for Rule "IPsecAction:CMAP:1:DMAP:1", Proposal #1, Protocol ESP, Transform #1: match
> Jul 3 00:05:46 localhost vpnsvc: 00101021 <80:1> Sending IPSec proposals:
> Jul 3 00:05:46 localhost vpnsvc: 00101023 <80:1> Proposal #0:
> Jul 3 00:05:46 localhost vpnsvc: 00101024 <80:1> Protocol ESP:
> Jul 3 00:05:46 localhost vpnsvc: 00101025 <80:1> Transform #1: Trans-ID:ESP_AES, Attr(6):(256), Integrity:HMAC-SHA, Encapsulation:UDP-Encapsulated-Tunnel, Life Time:3600, Life Traffic:21474836
> Jul 3 00:05:46 localhost vpnsvc: 1000001b <80:1> Sending notification [RESPONDER-LIFETIME], LifeTraffic:4608000
> Jul 3 00:05:46 localhost vpnsvc: 1000001b <80:1> Sending notification [INITIAL-CONTACT] for ISAKMP connection 80
> Jul 3 00:05:46 localhost vpnsvc: 1000001b <80:1> Sending notification [CONNECTED]
> Jul 3 00:05:46 localhost vpnsvc: 00100119 <80:1> IPSec connection 5 established, traffic selector 172.16.1.0-172.16.1.255->192.168.1.0-192.168.1.255, peer 46.39.231.48:39849, id "192.168.1.1", Filter IPsec:Protect:CMAP:1:DMAP:1:to_zyxel, IPsecAction IPsecAction:CMAP:1:DMAP:1, IKERule IKERule:CMAP:1:DMAP:1

Then just enable "NailUp", and that's it.
Владислав Новиков (Author), Posted July 3, 2017

> 7 hours ago, Le ecureuil said:
> Then just enable "NailUp", and that's it.

Do you have any idea why the problem occurs without this option? To be honest, I cannot connect the one with the other.
gaaronk, Posted July 3, 2017

> 1 hour ago, Владислав Новиков said:
> Do you have any idea why the problem occurs without this option? To be honest, I cannot connect the one with the other.

With no nail-up, rekey = no is inserted into the strongSwan config for the connection. And since we do not rekey, our lifetime becomes infinite, that is, 0. And we expect the other side to initiate the rekey.
Владислав Новиков (Author), Posted July 3, 2017

> 3 minutes ago, gaaronk said:
> With no nail-up, rekey = no is inserted into the strongSwan config for the connection. And since we do not rekey, our lifetime becomes infinite, that is, 0. And we expect the other side to initiate the rekey.

Thanks. Is there a link to the standard where this behaviour is described? I could not find offhand that a zero ISAKMP SA lifetime value is permissible.
gaaronk, Posted July 3, 2017

> 1 hour ago, Владислав Новиков said:
> Thanks. Is there a link to the standard where this behaviour is described? I could not find offhand that a zero ISAKMP SA lifetime value is permissible.

Well, that same RFC 2409 does NOT forbid it.
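The two posts above (rekey = no producing a zero SA lifetime, and RFC 2409 not forbidding the value) can be checked directly against the bytes on the wire rather than against a vendor log. The Python below is an added example for this thread, not Keenetic, strongSwan or S-Terra code: it decodes the transform attributes of an IKEv1 SA payload the way tcpdump did in the first post and reports the lifetime the initiator actually proposed. The attribute TLV layout is RFC 2408 section 3.3 and the attribute numbers are from RFC 2409 Appendix A; the sample bytes are constructed to match the first post's tcpdump output (enc=aes, keylen=0100, hash=sha1, group=modp1536, auth=preshared, lifetype=sec, lifeduration=0000), with a second constructed sample carrying the 3600 s that the web interface configured.

```python
"""Decode IKEv1 (ISAKMP) SA transform attributes and report the proposed
ISAKMP SA lifetime.

Added example for this thread; not Keenetic, strongSwan or S-Terra code.
Attribute TLV layout: RFC 2408 section 3.3. Attribute classes and values:
RFC 2409 Appendix A. The sample bytes at the bottom are constructed to
match the tcpdump output in the first post.
"""
import struct

# RFC 2409 Appendix A attribute classes that appear in the thread's proposal.
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group desc",
              11: "lifetype", 12: "lifeduration", 14: "keylen"}
# Readable names for the enumerated values seen in this thread.
VALUE_NAMES = {
    1: {7: "aes"},                       # Encryption Algorithm (7 = AES-CBC)
    2: {1: "md5", 2: "sha1"},            # Hash Algorithm
    3: {1: "preshared"},                 # Authentication Method
    4: {2: "modp1024", 5: "modp1536"},   # Group Description
    11: {1: "sec", 2: "kb"},             # Life Type
}
LIFE_TYPE, LIFE_DURATION, LIFE_TYPE_SECONDS = 11, 12, 1


def parse_attributes(data: bytes) -> list:
    """Return [(attribute_type, value)] from a run of ISAKMP data attributes.

    The first 16-bit word is AF (top bit) | attribute type. With AF=1 the
    second word is the value itself ("basic"); with AF=0 it is the byte
    length of a variable-length value that follows. Life Duration is
    allowed in either form, so both are handled.
    """
    attrs, i = [], 0
    while i + 4 <= len(data):
        af_type, word = struct.unpack_from("!HH", data, i)
        i += 4
        if af_type & 0x8000:
            value = word
        else:
            if i + word > len(data):
                raise ValueError("variable attribute runs past end of payload")
            value = int.from_bytes(data[i:i + word], "big")
            i += word
        attrs.append((af_type & 0x7FFF, value))
    if i != len(data):
        raise ValueError("trailing bytes in attribute list")
    return attrs


def encode_basic(attr_type: int, value: int) -> bytes:
    """Basic (AF=1) attribute with a 16-bit value, as in the first post."""
    return struct.pack("!HH", 0x8000 | attr_type, value)


def encode_variable(attr_type: int, value: int, length: int = 4) -> bytes:
    """Variable-length (AF=0) attribute, e.g. a 32-bit Life Duration."""
    return struct.pack("!HH", attr_type, length) + value.to_bytes(length, "big")


def describe(attrs: list) -> dict:
    """Map attribute names to readable values, in tcpdump's vocabulary."""
    out = {}
    for attr_type, value in attrs:
        name = ATTR_NAMES.get(attr_type, f"attr{attr_type}")
        out[name] = VALUE_NAMES.get(attr_type, {}).get(value, str(value))
    return out


def sa_lifetime_seconds(attrs: list):
    """Proposed ISAKMP SA lifetime in seconds; None if not given in seconds."""
    found = dict(attrs)
    if found.get(LIFE_TYPE) != LIFE_TYPE_SECONDS or LIFE_DURATION not in found:
        return None
    return found[LIFE_DURATION]


def lifetime_verdict(attrs: list) -> str:
    """Summarise what a responder sees. In this thread S-Terra rejected a
    zero lifetime with NO-PROPOSAL-CHOSEN and accepted 3600."""
    secs = sa_lifetime_seconds(attrs)
    if secs is None:
        return "no lifetime in seconds proposed"
    if secs == 0:
        return "zero lifetime: initiator leaves rekeying to the peer (strongSwan rekey=no)"
    return f"{secs} s"


# Constructed to match the first post's tcpdump: enc=aes keylen=0100 hash=sha1
# group=modp1536 auth=preshared lifetype=sec lifeduration=0000.
SAMPLE_ZERO_LIFETIME = b"".join([
    encode_basic(1, 7), encode_basic(14, 256), encode_basic(2, 2),
    encode_basic(4, 5), encode_basic(3, 1), encode_basic(11, 1),
    encode_basic(12, 0),
])
# Same proposal with the 3600 s configured in the web interface (constructed).
SAMPLE_3600_LIFETIME = SAMPLE_ZERO_LIFETIME[:-4] + encode_basic(12, 3600)

if __name__ == "__main__":
    for label, sample in (("without Nailed-up", SAMPLE_ZERO_LIFETIME),
                          ("with Nailed-up", SAMPLE_3600_LIFETIME)):
        attrs = parse_attributes(sample)
        print(label, describe(attrs), "->", lifetime_verdict(attrs))
```

Running the script prints the decoded proposal for both samples; the only difference between them is the lifeduration attribute, which is exactly what the S-Terra log keyed its accept/reject decision on. To check a real capture, feed `parse_attributes` the attribute bytes that follow the 8-byte transform payload header.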
Le ecureuil, Posted July 3, 2017

Actually I was too late, everything has already been answered.
Владислав Новиков (Author), Posted July 5, 2017

Thanks! IPsec between the Zyxel Keenetic Ultra II and the S-Terra Gate 4.1 has been stable under load for several days now. But I would very much like certificate-based authentication with CRL support (CDP/OCSP).
Le ecureuil, Posted July 5, 2017

> 1 hour ago, Владислав Новиков said:
> Thanks! IPsec between the Zyxel Keenetic Ultra II and the S-Terra Gate 4.1 has been stable under load for several days now. But I would very much like certificate-based authentication with CRL support (CDP/OCSP).

Not less than a couple of months until that, if not more (