Mexonizator Posted November 13, 2017 (edited)

Good afternoon! As the thread title suggests, the device starts bringing up the tunnel and, for some unfathomable reason, makes several attempts at once. As a result, the connection is successfully established within one of the negotiations and is then dropped, because the other one gets no reply from the Cisco and is cut off on timeout. Notably, there are no problems with the connection itself: packets flow, the computers see each other, ping...

Firmware version: v2.08(AAUU.4)C2
Cisco version: 15.4

Keenetic logs:

Nov 10 13:15:01 ipsec 06[MGR] ignoring request with ID 0, already processing
Nov 10 13:15:08 ipsec 16[IKE] remote host is behind NAT
Nov 10 13:15:08 ipsec 14[CFG] looking for peer configs matching ZYXEL_IP[%any]...CISCO_IP[192.168.0.2]
Nov 10 13:15:08 ipsec 14[CFG] selected peer config 'Test'
Nov 10 13:15:08 ipsec 14[IKE] linked key for crypto map 'Test' is not found, still searching
Nov 10 13:15:08 ipsec 14[IKE] authentication of '192.168.0.2' with pre-shared key successful
Nov 10 13:15:08 ipsec 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 10 13:15:08 ipsec 14[IKE] linked key for crypto map 'Test' is not found, still searching
Nov 10 13:15:08 ipsec 14[IKE] authentication of 'ZYXEL_IP' (myself) with pre-shared key
Nov 10 13:15:08 ipsec 14[IKE] IKE_SA Test[4] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
Nov 10 13:15:08 ipsec 14[IKE] scheduling reauthentication in 3573s
Nov 10 13:15:08 ipsec 14[IKE] maximum IKE_SA lifetime 3593s
Nov 10 13:15:08 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 0.
Nov 10 13:15:08 ipsec 14[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ
Nov 10 13:15:08 ipsec 14[CFG] configured proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/MODP_4096/NO_EXT_SEQ
Nov 10 13:15:08 ipsec 14[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ
Nov 10 13:15:08 ipsec 14[IKE] CHILD_SA Test{2} established with SPIs c12ee9c8_i c20b83b1_o and TS 192.168.10.0/24 === 192.168.0.0/24
Nov 10 13:15:08 ndm IpSec::Configurator: crypto map "Test" is up.
Nov 10 13:15:08 ndm IpSec::Configurator: reconnection for crypto map "Test" was cancelled.
Nov 10 13:15:08 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 1.
Nov 10 13:15:08 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
Nov 10 13:15:08 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Nov 10 13:15:11 ipsec 10[IKE] retransmit 1 of request with message ID 0
Nov 10 13:15:20 ipsec 08[IKE] retransmit 2 of request with message ID 0
Nov 10 13:15:30 ipsec 10[IKE] retransmit 3 of request with message ID 0
Nov 10 13:15:41 ipsec 09[IKE] retransmit 4 of request with message ID 0
Nov 10 13:15:52 ipsec 05[IKE] retransmit 5 of request with message ID 0
Nov 10 13:16:05 ipsec 10[IKE] retransmit 6 of request with message ID 0
Nov 10 13:16:20 ipsec 09[IKE] retransmit 7 of request with message ID 0
Nov 10 13:16:35 ipsec 16[IKE] retransmit 8 of request with message ID 0
Nov 10 13:16:52 ipsec 12[IKE] giving up after 8 retransmits
Nov 10 13:16:52 ndm IpSec::Configurator: remote peer of crypto map "Test" is down.
Nov 10 13:16:52 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:16:52 ndm IpSec::Configurator: fallback peer is not defined for crypto map "Test", retry.
Nov 10 13:16:52 ndm IpSec::Configurator: schedule reconnect for crypto map "Test".
Nov 10 13:16:52 ipsec 12[IKE] establishing IKE_SA failed, peer not responding
Nov 10 13:17:08 ndm IpSec::Configurator: reconnecting crypto map "Test".
Nov 10 13:17:10 ndm IpSec::Configurator: crypto map "Test" shutdown started.
Nov 10 13:17:10 ipsec 12[CFG] received stroke: unroute 'Test'
Nov 10 13:17:10 ipsec 13[CFG] received stroke: terminate 'Test{*}'
Nov 10 13:17:10 ipsec 16[IKE] closing CHILD_SA Test{2} with SPIs c12ee9c8_i (40144 bytes) c20b83b1_o (811908 bytes) and TS 192.168.10.0/24 === 192.168.0.0/24
Nov 10 13:17:10 ipsec 16[IKE] sending DELETE for ESP CHILD_SA with SPI c12ee9c8
Nov 10 13:17:10 ipsec 09[IKE] received DELETE for ESP CHILD_SA with SPI c20b83b1
Nov 10 13:17:10 ipsec 09[IKE] CHILD_SA closed
Nov 10 13:17:10 ipsec 14[CFG] received stroke: terminate 'Test[*]'
Nov 10 13:17:10 ndm IpSec::Configurator: crypto map "Test" shutdown complete.
Nov 10 13:17:11 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:17:11 ipsec 06[IKE] deleting IKE_SA Test[4] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
Nov 10 13:17:11 ipsec 06[IKE] sending DELETE for IKE_SA Test[4]
Nov 10 13:17:11 ipsec 11[IKE] IKE_SA deleted
Nov 10 13:17:11 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:17:11 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
Nov 10 13:17:11 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Nov 10 13:17:11 ipsec 15[IKE] received Cisco Delete Reason vendor ID
Nov 10 13:17:11 ipsec 15[IKE] CISCO_IP is initiating an IKE_SA
Nov 10 13:17:11 ipsec 15[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/#
Nov 10 13:17:11 ipsec 15[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/#
Nov 10 13:17:11 ipsec 15[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/#
Nov 10 13:17:11 ipsec 12[CFG] received stroke: initiate 'Test'
Nov 10 13:17:11 ndm IpSec::Configurator: crypto map "Test" initialized.
Nov 10 13:17:13 ipsec 07[MGR] ignoring request with ID 0, already processing
Nov 10 13:17:17 ipsec 09[MGR] ignoring request with ID 0, already processing
Nov 10 13:17:19 ipsec 15[IKE] remote host is behind NAT
Nov 10 13:17:19 ipsec 16[IKE] initiating IKE_SA Test[6] to CISCO_IP
Nov 10 13:17:20 ipsec 14[CFG] looking for peer configs matching ZYXEL_IP[%any]...CISCO_IP[192.168.0.2]
Nov 10 13:17:20 ipsec 14[CFG] selected peer config 'Test'
Nov 10 13:17:20 ipsec 14[IKE] linked key for crypto map 'Test' is not found, still searching
Nov 10 13:17:20 ipsec 14[IKE] authentication of '192.168.0.2' with pre-shared key successful
Nov 10 13:17:20 ipsec 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 10 13:17:20 ipsec 14[IKE] linked key for crypto map 'Test' is not found, still searching
Nov 10 13:17:20 ipsec 14[IKE] authentication of 'ZYXEL_IP' (myself) with pre-shared key
Nov 10 13:17:20 ipsec 14[IKE] IKE_SA Test[5] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
Nov 10 13:17:20 ipsec 14[IKE] scheduling reauthentication in 3569s
Nov 10 13:17:20 ipsec 14[IKE] maximum IKE_SA lifetime 3589s
Nov 10 13:17:20 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 0.
Nov 10 13:17:20 ipsec 14[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ
Nov 10 13:17:20 ipsec 14[CFG] configured proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/MODP_4096/NO_EXT_SEQ
Nov 10 13:17:20 ipsec 14[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ
Nov 10 13:17:20 ipsec 14[IKE] CHILD_SA Test{3} established with SPIs c96d5999_i 8d98ca14_o and TS 192.168.10.0/24 === 192.168.0.0/24
Nov 10 13:17:20 ndm IpSec::Configurator: crypto map "Test" is up.
Nov 10 13:17:20 ndm IpSec::Configurator: reconnection for crypto map "Test" was cancelled.
Nov 10 13:17:20 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 1.
Nov 10 13:17:20 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
Nov 10 13:17:20 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Nov 10 13:17:32 ipsec 11[IKE] retransmit 1 of request with message ID 0
Nov 10 13:17:41 ipsec 07[IKE] retransmit 2 of request with message ID 0
Nov 10 13:17:50 ipsec 05[IKE] retransmit 3 of request with message ID 0
Nov 10 13:18:01 ipsec 13[IKE] retransmit 4 of request with message ID 0
Nov 10 13:18:13 ipsec 05[IKE] retransmit 5 of request with message ID 0
Nov 10 13:18:26 ipsec 15[IKE] retransmit 6 of request with message ID 0
Nov 10 13:18:40 ipsec 13[IKE] retransmit 7 of request with message ID 0
Nov 10 13:18:55 ipsec 16[IKE] retransmit 8 of request with message ID 0
Nov 10 13:19:13 ipsec 14[IKE] giving up after 8 retransmits
Nov 10 13:19:13 ndm IpSec::Configurator: remote peer of crypto map "Test" is down.
Nov 10 13:19:13 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:19:13 ndm IpSec::Configurator: fallback peer is not defined for crypto map "Test", retry.
Nov 10 13:19:13 ndm IpSec::Configurator: schedule reconnect for crypto map "Test".
Nov 10 13:19:13 ipsec 14[IKE] establishing IKE_SA failed, peer not responding
Nov 10 13:19:29 ndm IpSec::Configurator: reconnecting crypto map "Test".
Nov 10 13:19:31 ndm IpSec::Configurator: crypto map "Test" shutdown started.
Nov 10 13:19:31 ipsec 14[CFG] received stroke: unroute 'Test'
Nov 10 13:19:31 ipsec 08[CFG] received stroke: terminate 'Test{*}'
Nov 10 13:19:31 ipsec 16[IKE] closing CHILD_SA Test{3} with SPIs c96d5999_i (24735 bytes) 8d98ca14_o (68197 bytes) and TS 192.168.10.0/24 === 192.168.0.0/24
Nov 10 13:19:31 ipsec 16[IKE] sending DELETE for ESP CHILD_SA with SPI c96d5999
Nov 10 13:19:31 ipsec 13[IKE] received DELETE for ESP CHILD_SA with SPI 8d98ca14
Nov 10 13:19:31 ipsec 13[IKE] CHILD_SA closed
Nov 10 13:19:31 ipsec 09[CFG] received stroke: terminate 'Test[*]'
Nov 10 13:19:31 ndm IpSec::Configurator: crypto map "Test" shutdown complete.
Nov 10 13:19:31 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:19:31 ipsec 10[IKE] deleting IKE_SA Test[5] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
Nov 10 13:19:31 ipsec 10[IKE] sending DELETE for IKE_SA Test[5]
Nov 10 13:19:31 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
Nov 10 13:19:31 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Nov 10 13:19:32 ipsec 12[CFG] received stroke: initiate 'Test'
Nov 10 13:19:32 ndm IpSec::Configurator: crypto map "Test" initialized.
Nov 10 13:19:39 ipsec 15[IKE] unable to create CHILD_SA while deleting IKE_SA
Nov 10 13:19:39 ipsec 05[IKE] IKE_SA deleted
Nov 10 13:19:39 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:19:39 ipsec 07[IKE] initiating IKE_SA Test[7] to CISCO_IP
Nov 10 13:19:51 ipsec 08[IKE] retransmit 1 of request with message ID 0
Nov 10 13:20:00 ipsec 13[IKE] retransmit 2 of request with message ID 0
Nov 10 13:20:01 ipsec 10[IKE] received Cisco Delete Reason vendor ID
Nov 10 13:20:01 ipsec 10[IKE] CISCO_IP is initiating an IKE_SA
Nov 10 13:20:01 ipsec 10[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/#
Nov 10 13:20:01 ipsec 10[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/#
Nov 10 13:20:01 ipsec 10[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/#
Nov 10 13:20:03 ipsec 14[MGR] ignoring request with ID 0, already processing
Nov 10 13:20:06 ipsec 16[MGR] ignoring request with ID 0, already processing
Nov 10 13:20:09 ipsec 10[IKE] remote host is behind NAT
Nov 10 13:20:09 ipsec 08[CFG] looking for peer configs matching ZYXEL_IP[%any]...CISCO_IP[192.168.0.2]
Nov 10 13:20:09 ipsec 08[CFG] selected peer config 'Test'
Nov 10 13:20:09 ipsec 08[IKE] linked key for crypto map 'Test' is not found, still searching
Nov 10 13:20:09 ipsec 08[IKE] authentication of '192.168.0.2' with pre-shared key successful
Nov 10 13:20:09 ipsec 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 10 13:20:09 ipsec 08[IKE] linked key for crypto map 'Test' is not found, still searching
Nov 10 13:20:09 ipsec 08[IKE] authentication of 'ZYXEL_IP' (myself) with pre-shared key
Nov 10 13:20:09 ipsec 08[IKE] IKE_SA Test[8] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
Nov 10 13:20:09 ipsec 08[IKE] scheduling reauthentication in 3567s
Nov 10 13:20:09 ipsec 08[IKE] maximum IKE_SA lifetime 3587s
Nov 10 13:20:09 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 0.
Nov 10 13:20:09 ipsec 08[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ
Nov 10 13:20:09 ipsec 08[CFG] configured proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/MODP_4096/NO_EXT_SEQ
Nov 10 13:20:09 ipsec 08[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ
Nov 10 13:20:09 ipsec 08[IKE] CHILD_SA Test{4} established with SPIs cdeb3b19_i 00d56f15_o and TS 192.168.10.0/24 === 192.168.0.0/24
Nov 10 13:20:09 ndm IpSec::Configurator: crypto map "Test" is up.
Nov 10 13:20:09 ndm IpSec::Configurator: reconnection for crypto map "Test" was cancelled.
Nov 10 13:20:09 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 1.
Nov 10 13:20:09 ndm IpSec::IpSecNetfilter: start reloading netfilter configuration...
Nov 10 13:20:10 ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Nov 10 13:20:10 ipsec 05[IKE] retransmit 3 of request with message ID 0
Nov 10 13:20:20 ipsec 15[IKE] retransmit 4 of request with message ID 0
Nov 10 13:20:32 ipsec 05[IKE] retransmit 5 of request with message ID 0
Nov 10 13:20:45 ipsec 08[IKE] retransmit 6 of request with message ID 0
Nov 10 13:20:48 ndhcps _WEBADMIN: DHCPREQUEST received (STATE_SELECTING) for 192.168.10.45 from 74:04:2b:84:60:e8.
Nov 10 13:20:48 ndhcps _WEBADMIN: sending ACK of 192.168.10.45 to 74:04:2b:84:60:e8.
Nov 10 13:20:59 ipsec 16[IKE] retransmit 7 of request with message ID 0
Nov 10 13:21:15 ipsec 15[IKE] retransmit 8 of request with message ID 0
Nov 10 13:21:32 ipsec 13[IKE] giving up after 8 retransmits
Nov 10 13:21:32 ndm IpSec::Configurator: remote peer of crypto map "Test" is down.
Nov 10 13:21:32 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:21:32 ndm IpSec::Configurator: fallback peer is not defined for crypto map "Test", retry.
Nov 10 13:21:32 ndm IpSec::Configurator: schedule reconnect for crypto map "Test".
Nov 10 13:21:32 ipsec 13[IKE] establishing IKE_SA failed, peer not responding
Nov 10 13:21:48 ndm IpSec::Configurator: reconnecting crypto map "Test".
Nov 10 13:21:50 ndm IpSec::Configurator: crypto map "Test" shutdown started.
Nov 10 13:21:50 ipsec 13[CFG] received stroke: unroute 'Test'
Nov 10 13:21:50 ipsec 07[CFG] received stroke: terminate 'Test{*}'
Nov 10 13:21:50 ipsec 15[IKE] closing CHILD_SA Test{4} with SPIs cdeb3b19_i (24726 bytes) 00d56f15_o (85210 bytes) and TS 192.168.10.0/24 === 192.168.0.0/24
Nov 10 13:21:50 ipsec 15[IKE] sending DELETE for ESP CHILD_SA with SPI cdeb3b19
Nov 10 13:21:50 ipsec 16[IKE] received DELETE for ESP CHILD_SA with SPI 00d56f15
Nov 10 13:21:50 ipsec 16[IKE] CHILD_SA closed
Nov 10 13:21:50 ipsec 06[CFG] received stroke: terminate 'Test[*]'
Nov 10 13:21:50 ndm IpSec::Configurator: crypto map "Test" shutdown complete.
Nov 10 13:21:50 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.
Nov 10 13:21:50 ipsec 08[IKE] deleting IKE_SA Test[8] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
Nov 10 13:21:50 ipsec 08[IKE] sending DELETE for IKE_SA Test[8]
Nov 10 13:21:50 ipsec 05[IKE] IKE_SA deleted
Nov 10 13:21:50 ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0.

Thank you!

Edited November 13, 2017 by Никита Болдин

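An added example, not part of the original post: a Python script that scans a log in the format posted above for the symptom described there, a negotiation timing out ("giving up after N retransmits") while another IKE_SA is already established. The function names and the assumed year are hypothetical; the sample lines are excerpted from the first cycle of the posted log.

```python
import re
from datetime import datetime

# Constructed sample: lines excerpted from the first cycle of the log posted above.
SAMPLE = """\
Nov 10 13:15:01ipsec 06[MGR] ignoring request with ID 0, already processing
Nov 10 13:15:08ipsec 14[IKE] IKE_SA Test[4] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
Nov 10 13:15:08ndm IpSec::Configurator: crypto map "Test" is up.
Nov 10 13:15:11ipsec 10[IKE] retransmit 1 of request with message ID 0
Nov 10 13:15:20ipsec 08[IKE] retransmit 2 of request with message ID 0
Nov 10 13:16:35ipsec 16[IKE] retransmit 8 of request with message ID 0
Nov 10 13:16:52ipsec 12[IKE] giving up after 8 retransmits
Nov 10 13:16:52ipsec 12[IKE] establishing IKE_SA failed, peer not responding
Nov 10 13:17:11ipsec 06[IKE] deleting IKE_SA Test[4] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2]
""".splitlines()

# "Mon DD HH:MM:SS" then the ipsec tag; \s* tolerates the missing space in the paste.
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)\s*ipsec\s+\d+\[(\w+)\]\s+(.*)$")
ASSUMED_YEAR = 2017  # assumption: the log carries no year; taken from the post date


def parse(lines):
    """Yield (timestamp, subsystem, message) for ipsec lines; other daemons are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def find_orphan_timeouts(lines):
    """Return one finding per 'giving up' that occurs while an IKE_SA is established."""
    established = None   # (name, timestamp) of the IKE_SA currently up
    retransmits = 0      # retransmits logged since that SA came up
    busy = 0             # peer requests dropped as "already processing"
    findings = []
    for ts, _subsys, msg in parse(lines):
        up = re.match(r"IKE_SA (\S+) established", msg)
        if up:
            established, retransmits = (up.group(1), ts), 0
        elif msg.startswith("ignoring request") and "already processing" in msg:
            busy += 1
        elif msg.startswith("retransmit "):
            retransmits += 1
        elif msg.startswith("giving up after"):
            if established:
                name, since = established
                findings.append({
                    "ike_sa": name,
                    "up_seconds": int((ts - since).total_seconds()),
                    "retransmits_seen": retransmits,
                    "peer_requests_ignored": busy,
                })
            busy = 0
        elif msg.startswith(("deleting IKE_SA", "IKE_SA deleted")):
            established = None
    return findings


if __name__ == "__main__":
    for f in find_orphan_timeouts(SAMPLE):
        print(f)
```

A finding means the tunnel that was torn down had itself negotiated successfully; the timeout belonged to a second, parallel exchange.
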
makc22 Posted November 13, 2017

I hit the same thing on 2.11.A.8.0-3 and solved it by disabling "Enable IPv6:" in Broadband connection.

Le ecureuil Posted November 13, 2017

Nothing is clear. Start by installing the draft and the self-test application, and also explain who the initiator of the connection is on your side.

Mexonizator (Author) Posted November 13, 2017

38 minutes ago, Le ecureuil said:
Nothing is clear. Start by installing the draft and the self-test application, and also explain who the initiator of the connection is on your side.

The initiator is the Zyxel, which connects to the Cisco. Regarding the draft: is there any way to do without it? I'll attach the self-test in the next post.

5 hours ago, makc22 said:
I hit the same thing on 2.11.A.8.0-3 and solved it by disabling "Enable IPv6:" in Broadband connection.

Pity, there is no such option in the connection settings.

Le ecureuil Posted November 13, 2017

8 minutes ago, Mexonizator said:
The initiator is the Zyxel, which connects to the Cisco. Regarding the draft: is there any way to do without it? I'll attach the self-test in the next post. Pity, there is no such option in the connection settings.

I have no desire to dig into 2.08, so in that case contact official technical support.

Mexonizator (Author) Posted November 14, 2017

Understood, thanks. But are there any ideas as to what could be causing this?

Mexonizator (Author) Posted November 15, 2017 (edited)

News from the field. Switching the VPN mode from transport to tunnel removed the error. But a new glitch appeared. After the first start, the VPN worked for some time, and then this started pouring into the log:

Nov 14 19:22:12 ipsec 05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
Nov 14 19:22:12 ipsec 08[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
Nov 14 19:22:15 ipsec 06[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
Nov 14 19:22:17 ipsec 13[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job
Nov 14 19:22:22 ipsec 05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job

Apparently the error has something to do with NAT, but it is unclear exactly what. On the Cisco side (i.e. between it and the tunnel) there is no NAT. And, notably, restarting the VPN did not help. Obviously the problem is somehow related to the mapping on the NAT side.

UPD: When started the next day, the VPN came up again without problems and has been working for some time.

UPD2: The error started pouring in again, but, interestingly, data still keeps flowing for now.

Edited November 15, 2017 by Mexonizator

Le ecureuil Posted November 17, 2017

You got to tech support, and tech support got to me.

In short, my feeling is that the router sitting between your Cisco and the Keenetic is messing things up. Describe it (vendor, model, software version). Then it will be clearer how to at least reproduce this (or how to fix it for you).

Mexonizator (Author) Posted November 17, 2017 (edited)

TP-LINK RT480T+. This router has an IPSEC ALG feature, which I turned off. Notably, that had no particular effect.

P.S. The firmware version is in a hidden post.

Edited November 17, 2017 by Mexonizator

Mexonizator (Author) Posted November 28, 2017 (edited)

Summary. All 3 errors have been beaten, the tunnel is stable, all systems nominal.

1. Apparently, the error is caused by NAT on the router (the Cisco is behind it) and also, possibly, by its IPSEC ALG feature. Initiating the connection from the Cisco's side rather than from the Zyxel solved the problem.

05[KNL] NAT mappings of CHILD_SA ESP/0xc872b75d/ZYXEL_IP changed to CISCO_IP[4500], queuing update job Nov 14 19:22:12 ipsec

2. The Nailed-Up checkbox and transport mode in phase two caused tunnel drops even after successful establishment.

3. And finally. It turned out that this error occurs because of overly strong encryption in phase one. The Keenetic simply could not finish the encryption in time during negotiation, and the Cisco sent repeated requests. That, in the end, is what led to the drop. Lowering the cipher to 128 bits and switching to SHA1 solved the problem.

10[IKE] retransmit 1 of request with message ID 0 Nov 10 13:15:20 ipsec

Thanks everyone, the thread can be considered closed.

Edited November 28, 2017 by Mexonizator

Le ecureuil Posted November 30, 2017

Well, that's good then.

datswd Posted November 13, 2021

Thanks for the idea that the keenetic doesn't manage to respond in time when the encryption is too strong. I had a similar problem. It turned out that transmission was uploading too actively. I limited the speed and everything became OK.

datswd Posted November 14, 2021

No luck.

The cause was not that the keenetic can't finish the encryption in time. Even if Transmission is completely turned off and the simplest encryption protocols are set on the server, the keenetic cannot connect. The problem is something else, but definitely in the keenetic, because three devices going online through the keenetic (Android 7.1.1, Android 10, Windows 10) connect successfully, whereas the keenetic itself cannot.

One more observation: when the keenetic connects to the internet, the provider hands out different IP addresses. From some of them the keenetic can connect to the VPN, from others it cannot.

I'll create a separate thread where I'll describe the problem in detail.