VPN Cisco 1801 Juniper SSG 320 M

  • Pieter Kimpen
Hello,

I'm trying to set up a VPN connection between a Cisco 1801 router and a Juniper SSG 320 M firewall.
However, the tunnel does not come up.

Image location: http://www.pjkcomputers.be/GOT/netwerkoverzicht.jpg

I have less experience with Juniper.

The Cisco configuration:

code:
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
crypto isakmp key <verwijderd> address 81.246.52.** no-xauth
!
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
!
crypto map CRYPTO_MAP 10 ipsec-isakmp
 set peer 81.246.52.**
 set transform-set ESP-AES128-SHA
 match address VPN


interface Vlan1
 description Intern LAN$ES_LAN$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip tcp adjust-mss 1452
 crypto map CRYPTO_MAP

ip access-list extended VPN
 permit ip 10.10.10.0 0.0.0.255 193.100.100.0 0.0.0.255
 permit ip 81.82.229.75 0.0.0.128 81.246.52.42 0.0.0.128


I have left out the code that is not relevant.


debugging

code:
Cisco1801#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
81.82.229.**    81.246.52.**    QM_IDLE           2004    0 ACTIVE

IPv6 Crypto ISAKMP SA


Cisco1801#show crypto ipsec sa


interface: Vlan1
    Crypto map tag: CRYPTO_MAP, local addr 10.10.10.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (81.246.52.42/255.255.255.127/0/0)
   current_peer 81.246.52.42 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.10.1, remote crypto endpt.: 81.246.52.**
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:




debug crypto isakmp 


*Dec 14 17:43:39.198 UTC: ISAKMP (0:2004): received packet from 81.246.52.** dport 500 sport 500 Global (R) QM_IDLE
000301: *Dec 14 17:43:39.198 UTC: ISAKMP: set new node -15221771 to QM_IDLE     
000302: *Dec 14 17:43:39.198 UTC: ISAKMP:(2004): processing HASH payload. message ID = -15221771
000303: *Dec 14 17:43:39.198 UTC: ISAKMP:(2004): processing SA payload. message ID = -15221771
000304: *Dec 14 17:43:39.198 UTC: ISAKMP:(2004):Checking IPSec proposal 1
000305: *Dec 14 17:43:39.198 UTC: ISAKMP: transform 1, ESP_AES
000306: *Dec 14 17:43:39.198 UTC: ISAKMP:   attributes in transform:
000307: *Dec 14 17:43:39.198 UTC: ISAKMP:      SA life type in seconds
000308: *Dec 14 17:43:39.198 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
000309: *Dec 14 17:43:39.198 UTC: ISAKMP:      encaps is 1 (Tunnel)
000310: *Dec 14 17:43:39.198 UTC: ISAKMP:      authenticator is HMAC-SHA
000311: *Dec 14 17:43:39.198 UTC: ISAKMP:      group is 2
000312: *Dec 14 17:43:39.198 UTC: ISAKMP:      key length is 128
000313: *Dec 14 17:43:39.198 UTC: ISAKMP:(2004):atts are acceptable.
000314: *Dec 14 17:43:39.198 UTC: ISAKMP:(2004): IPSec policy invalidated proposal with error 8
000315: *Dec 14 17:43:39.198 UTC: ISAKMP:(2004): phase 2 SA policy not acceptable! (local 81.82.229.75 remote 81.246.52.42)
000316: *Dec 14 17:43:39.198 UTC: ISAKMP: set new node 152758481 to QM_IDLE     
000317: *Dec 14 17:43:39.198 UTC: ISAKMP:(2004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2215108240, message ID = 152758481
000318: *Dec 14 17:43:39.198 UTC: ISAKMP:(2004): sending packet to 81.246.52.42 my_port 500 peer_port 500 (R) QM_IDLE
000319: *Dec 14 17:43:39.202 UTC: ISAKMP:(2004):Sending an IKE IPv4 Packet.
000320: *Dec 14 17:43:39.202 UTC: ISAKMP:(2004):purging node 152758481
000321: *Dec 14 17:43:39.202 UTC: ISAKMP:(2004):deleting node -15221771 error TRUE reason "QM rejected"
000322: *Dec 14 17:43:39.202 UTC: ISAKMP:(2004):Node -15221771, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000323: *Dec 14 17:43:39.202 UTC: ISAKMP:(2004):Old State = IKE_QM_READY  New State = IKE_QM_READY
000324: *Dec 14 17:43:53.942 UTC: ISAKMP (0:2004): received packet from 81.246.52.** dport 500 sport 500 Global (R) QM_IDLE
000325: *Dec 14 17:43:53.942 UTC: ISAKMP: set new node -30244431 to QM_IDLE     
000326: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004): processing HASH payload. message ID = -30244431
000327: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004): processing SA payload. message ID = -30244431
000328: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004):Checking IPSec proposal 1
000329: *Dec 14 17:43:53.946 UTC: ISAKMP: transform 1, ESP_AES
000330: *Dec 14 17:43:53.946 UTC: ISAKMP:   attributes in transform:
000331: *Dec 14 17:43:53.946 UTC: ISAKMP:      SA life type in seconds
000332: *Dec 14 17:43:53.946 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
000333: *Dec 14 17:43:53.946 UTC: ISAKMP:      encaps is 1 (Tunnel)
000334: *Dec 14 17:43:53.946 UTC: ISAKMP:      authenticator is HMAC-SHA
000335: *Dec 14 17:43:53.946 UTC: ISAKMP:      group is 2
000336: *Dec 14 17:43:53.946 UTC: ISAKMP:      key length is 128
000337: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004):atts are acceptable.
000338: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004): IPSec policy invalidated proposal with error 8
000339: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004): phase 2 SA policy not acceptable! (local 81.82.229.75 remote 81.246.52.42)
000340: *Dec 14 17:43:53.946 UTC: ISAKMP: set new node 1639010863 to QM_IDLE    
000341: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2215108240, message ID = 1639010863
000342: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004): sending packet to 81.246.52.42 my_port 500 peer_port 500 (R) QM_IDLE
000343: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004):Sending an IKE IPv4 Packet.
000344: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004):purging node 1639010863
000345: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004):deleting node -30244431 error TRUE reason "QM rejected"
000346: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004):Node -30244431, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000347: *Dec 14 17:43:53.946 UTC: ISAKMP:(2004):Old State = IKE_QM_READY  New State = IKE_QM_READY


Juniper config:

On the Juniper I'm using a policy-based VPN.

The VPN configuration

Image location: http://www.pjkcomputers.be/GOT/juniper1.JPG

Image location: http://www.pjkcomputers.be/GOT/juniper2.JPG

The configuration of the policies:

from Trust to Untrust

Image location: http://www.pjkcomputers.be/GOT/juniper3trust.JPG

from Untrust to Trust

Image location: http://www.pjkcomputers.be/GOT/juniperuntrust.jpg


debug information

code:
get sa


0000001e<    81.82.229.75  500 esp:a256/sha1 00000000 expir unlim I/I    85 0
0000001e>    81.82.229.75  500 esp:a256/sha1 00000000 expir unlim I/I    84 0


extra info

IKE: Removed Phase 2 SAs after receiving a notification message.
2012-12-14 19:18:48 info IKE 81.82.229.**: Received a notification message for DOI 1 14 NO-PROPOSAL-CHOSEN.
2012-12-14 19:18:48 info IKE 81.82.229.** Phase 2: Initiated negotiations.
2012-12-14 19:18:34 info IKE: Removed Phase 2 SAs after receiving a notification message.
2012-12-14 19:18:34 info IKE 81.82.229.**: Received a notification message for DOI 1 14 NO-PROPOSAL-CHOSEN.
2012-12-14 19:18:34 info IKE 81.82.229.** Phase 2: Initiated negotiations.

Can any of you see where it's going wrong?
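
Added example, not part of the original post: the remote ident mask 255.255.255.127 in the show crypto ipsec sa output above is the bitwise inverse of the wildcard 0.0.0.128 in the second entry of the VPN access list. The Python code below (all function names are this example's own) derives the proxy identities from the posted ACL entries and flags masks that cannot be written as a prefix length.

```python
import ipaddress

# Crypto ACL entries copied from "ip access-list extended VPN" in the post.
ACL_LINES = [
    "permit ip 10.10.10.0 0.0.0.255 193.100.100.0 0.0.0.255",
    "permit ip 81.82.229.75 0.0.0.128 81.246.52.42 0.0.0.128",
]


def wildcard_to_netmask(wildcard):
    """Invert a Cisco wildcard mask into the netmask shown in a proxy identity."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def is_prefix_mask(netmask):
    """True when the mask is 1-bits followed only by 0-bits, i.e. a /n prefix."""
    host_bits = int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF
    return (host_bits & (host_bits + 1)) == 0


def take_selector(tokens):
    """Consume one 'any' | 'host A' | 'A W' selector; return (address, netmask)."""
    first = tokens.pop(0)
    if first == "any":
        return "0.0.0.0", "0.0.0.0"
    if first == "host":
        return tokens.pop(0), "255.255.255.255"
    return first, wildcard_to_netmask(tokens.pop(0))


def proxy_identities(acl_line):
    """Return (local, remote, findings) for one 'permit ip ...' crypto ACL entry."""
    tokens = acl_line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are handled: " + acl_line)
    tokens = tokens[2:]
    local = take_selector(tokens)
    remote = take_selector(tokens)
    findings = []
    for side, (_address, mask) in (("local", local), ("remote", remote)):
        if not is_prefix_mask(mask):
            findings.append(f"{side} mask {mask} is not a contiguous prefix")
    return local, remote, findings


def format_ident(selector):
    """Render a selector as in 'show crypto ipsec sa' (prot/port 0/0 for 'ip')."""
    return "({}/{}/0/0)".format(*selector)


if __name__ == "__main__":
    for line in ACL_LINES:
        local, remote, findings = proxy_identities(line)
        print(line)
        print("  local  ident:", format_ident(local))
        print("  remote ident:", format_ident(remote))
        for finding in findings:
            print("  !", finding)
```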

  • Pieter Kimpen
I have now tried it differently: route-based instead of policy-based,

following the instructions on this website:

http://mellowd.co.uk/ccie/?p=2652

I'm going over everything again, but it still doesn't work. Debug info:

code:
000419: *Dec 15 09:57:09.666 UTC: ISAKMP:(0): SA request profile is (NULL)
000420: *Dec 15 09:57:09.666 UTC: ISAKMP: Created a peer struct for 81.246.52.42, peer port 500
000421: *Dec 15 09:57:09.666 UTC: ISAKMP: New peer created peer = 0x838897D8 peer_handle = 0x80000014
000422: *Dec 15 09:57:09.666 UTC: ISAKMP: Locking peer struct 0x838897D8, refcount 1 for isakmp_initiator
000423: *Dec 15 09:57:09.666 UTC: ISAKMP: local port 500, remote port 500
000424: *Dec 15 09:57:09.666 UTC: ISAKMP: set new node 0 to QM_IDLE
000425: *Dec 15 09:57:09.666 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 850F67DC
000426: *Dec 15 09:57:09.666 UTC: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000427: *Dec 15 09:57:09.666 UTC: ISAKMP:(0):found peer pre-shared key matching 81.246.52.42
000428: *Dec 15 09:57:09.666 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
000429: *Dec 15 09:57:09.666 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
000430: *Dec 15 09:57:09.666 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
000431: *Dec 15 09:57:09.666 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000432: *Dec 15 09:57:09.666 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

000433: *Dec 15 09:57:09.666 UTC: ISAKMP:(0): beginning Main Mode exchange
000434: *Dec 15 09:57:09.666 UTC: ISAKMP:(0): sending packet to 81.246.52.42 my_port 500 peer_port 500 (I) MM_NO_STATE
000435: *Dec 15 09:57:09.666 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
000436: *Dec 15 09:57:09.682 UTC: ISAKMP (0:0): received packet from 81.246.52.42 dport 500 sport 500 Global (I) MM_NO_STATE
000437: *Dec 15 09:57:09.682 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000438: *Dec 15 09:57:09.682 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

000439: *Dec 15 09:57:09.682 UTC: ISAKMP:(0): processing SA payload. message ID = 0
000440: *Dec 15 09:57:09.682 UTC: ISAKMP:(0): processing vendor id payload
000441: *Dec 15 09:57:09.682 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 163 mismatch
000442: *Dec 15 09:57:09.682 UTC: ISAKMP:(0): processing vendor id payload
000443: *Dec 15 09:57:09.682 UTC: ISAKMP:(0): vendor ID is DPD
000444: *Dec 15 09:57:09.682 UTC: ISAKMP:(0): processing vendor id payload
000445: *Dec 15 09:57:09.686 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 102 mismatch
000446: *Dec 15 09:57:09.686 UTC: ISAKMP:(0):found peer pre-shared key matching 81.246.52.42
000447: *Dec 15 09:57:09.686 UTC: ISAKMP:(0): local preshared key found
000448: *Dec 15 09:57:09.686 UTC: ISAKMP : Scanning profiles for xauth ...
000449: *Dec 15 09:57:09.686 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
000450: *Dec 15 09:57:09.686 UTC: ISAKMP:      encryption AES-CBC
000451: *Dec 15 09:57:09.686 UTC: ISAKMP:      hash SHA
000452: *Dec 15 09:57:09.686 UTC: ISAKMP:      default group 2
000453: *Dec 15 09:57:09.686 UTC: ISAKMP:      auth pre-share
000454: *Dec 15 09:57:09.686 UTC: ISAKMP:      keylength of 128
000455: *Dec 15 09:57:09.686 UTC: ISAKMP:      life type in seconds
000456: *Dec 15 09:57:09.686 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
000457: *Dec 15 09:57:09.686 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
000458: *Dec 15 09:57:09.686 UTC: ISAKMP:(0): processing vendor id payload
000459: *Dec 15 09:57:09.686 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 163 mismatch
000460: *Dec 15 09:57:09.686 UTC: ISAKMP:(0): processing vendor id payload
000461: *Dec 15 09:57:09.686 UTC: ISAKMP:(0): vendor ID is DPD
000462: *Dec 15 09:57:09.686 UTC: ISAKMP:(0): processing vendor id payload
000463: *Dec 15 09:57:09.686 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 102 mismatch
000464: *Dec 15 09:57:09.686 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000465: *Dec 15 09:57:09.686 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

000466: *Dec 15 09:57:09.686 UTC: ISAKMP:(0): sending packet to 81.246.52.42 my_port 500 peer_port 500 (I) MM_SA_SETUP
000467: *Dec 15 09:57:09.686 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
000468: *Dec 15 09:57:09.686 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000469: *Dec 15 09:57:09.686 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

000470: *Dec 15 09:57:09.702 UTC: ISAKMP (0:0): received packet from 81.246.52.42 dport 500 sport 500 Global (I) MM_SA_SETUP
000471: *Dec 15 09:57:09.702 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000472: *Dec 15 09:57:09.702 UTC: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

000473: *Dec 15 09:57:09.706 UTC: ISAKMP:(0): processing KE payload. message ID = 0
000474: *Dec 15 09:57:09.734 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
000475: *Dec 15 09:57:09.734 UTC: ISAKMP:(0):found peer pre-shared key matching 81.246.52.42
000476: *Dec 15 09:57:09.734 UTC: ISAKMP:(2019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000477: *Dec 15 09:57:09.734 UTC: ISAKMP:(2019):Old State = IKE_I_MM4  New State = IKE_I_MM4

000478: *Dec 15 09:57:09.738 UTC: ISAKMP:(2019):Send initial contact
000479: *Dec 15 09:57:09.738 UTC: ISAKMP:(2019):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000480: *Dec 15 09:57:09.738 UTC: ISAKMP (0:2019): ID payload
        next-payload : 8
        type         : 1

  • Pieter Kimpen
I have got it working in the meantime!

code:
ESP-AES128-SHA 

001104: *Dec 15 10:28:29.702 UTC: ISAKMP (0:0): received packet from 81.246.52.42 dport 500 sport 500 Global (N) NEW SA
001105: *Dec 15 10:28:29.702 UTC: ISAKMP: Created a peer struct for 81.246.52.42, peer port 500
001106: *Dec 15 10:28:29.702 UTC: ISAKMP: New peer created peer = 0x852E6BA4 peer_handle = 0x80000033
001107: *Dec 15 10:28:29.702 UTC: ISAKMP: Locking peer struct 0x852E6BA4, refcount 1 for crypto_isakmp_process_block
001108: *Dec 15 10:28:29.702 UTC: ISAKMP: local port 500, remote port 500
001109: *Dec 15 10:28:29.702 UTC: insert sa successfully sa = 84F6F54C
001110: *Dec 15 10:28:29.702 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001111: *Dec 15 10:28:29.702 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

001112: *Dec 15 10:28:29.702 UTC: ISAKMP:(0): processing SA payload. message ID = 0
001113: *Dec 15 10:28:29.702 UTC: ISAKMP:(0): processing vendor id payload
001114: *Dec 15 10:28:29.702 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 163 mismatch
001115: *Dec 15 10:28:29.702 UTC: ISAKMP:(0): processing vendor id payload
001116: *Dec 15 10:28:29.702 UTC: ISAKMP:(0): vendor ID is DPD
001117: *Dec 15 10:28:29.702 UTC: ISAKMP:(0): processing vendor id payload
001118: *Dec 15 10:28:29.706 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 102 mismatch
001119: *Dec 15 10:28:29.706 UTC: ISAKMP:(0):found peer pre-shared key matching 81.246.52.42
001120: *Dec 15 10:28:29.706 UTC: ISAKMP:(0): local preshared key found
001121: *Dec 15 10:28:29.706 UTC: ISAKMP : Scanning profiles for xauth ...
001122: *Dec 15 10:28:29.706 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
001123: *Dec 15 10:28:29.706 UTC: ISAKMP:      encryption AES-CBC
001124: *Dec 15 10:28:29.706 UTC: ISAKMP:      hash SHA
001125: *Dec 15 10:28:29.706 UTC: ISAKMP:      default group 2
001126: *Dec 15 10:28:29.706 UTC: ISAKMP:      auth pre-share
001127: *Dec 15 10:28:29.706 UTC: ISAKMP:      keylength of 128
001128: *Dec 15 10:28:29.706 UTC: ISAKMP:      life type in seconds
001129: *Dec 15 10:28:29.706 UTC: ISAKMP:      life duration (basic) of 28800
001130: *Dec 15 10:28:29.706 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
001131: *Dec 15 10:28:29.706 UTC: ISAKMP:(0): processing vendor id payload
001132: *Dec 15 10:28:29.706 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 163 mismatch
001133: *Dec 15 10:28:29.706 UTC: ISAKMP:(0): processing vendor id payload
001134: *Dec 15 10:28:29.706 UTC: ISAKMP:(0): vendor ID is DPD
001135: *Dec 15 10:28:29.706 UTC: ISAKMP:(0): processing vendor id payload
001136: *Dec 15 10:28:29.706 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 102 mismatch
001137: *Dec 15 10:28:29.706 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001138: *Dec 15 10:28:29.706 UTC: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

001139: *Dec 15 10:28:29.706 UTC: ISAKMP:(0): sending packet to 81.246.52.42 my_port 500 peer_port 500 (R) MM_SA_SETUP
001140: *Dec 15 10:28:29.706 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
001141: *Dec 15 10:28:29.706 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001142: *Dec 15 10:28:29.706 UTC: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

001143: *Dec 15 10:28:29.734 UTC: ISAKMP (0:0): received packet from 81.246.52.42 dport 500 sport 500 Global (R) MM_SA_SETUP
001144: *Dec 15 10:28:29.734 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001145: *Dec 15 10:28:29.734 UTC: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

001146: *Dec 15 10:28:29.734 UTC: ISAKMP:(0): processing KE payload. message ID = 0
001147: *Dec 15 10:28:29.762 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
001148: *Dec 15 10:28:29.762 UTC: ISAKMP:(0):found peer pre-shared key matching 81.246.52.42
001149: *Dec 15 10:28:29.766 UTC: ISAKMP:(2050):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001150: *Dec 15 10:28:29.766 UTC: ISAKMP:(2050):Old State = IKE_R_MM3  New State = IKE_R_MM3

001151: *Dec 15 10:28:29.770 UTC: ISAKMP:(2050): sending packet to 81.246.52.42 my_port 500 peer_port 500 (R) MM_KEY_EXCH
001152: *Dec 15 10:28:29.770 UTC: ISAKMP:(2050):Sending an IKE IPv4 Packet.
001153: *Dec 15 10:28:29.770 UTC: ISAKMP:(2050):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001154: *Dec 15 10:28:29.770 UTC: ISAKMP:(2050):Old State = IKE_R_MM3  New State = IKE_R_MM4

001155: *Dec 15 10:28:29.786 UTC: ISAKMP (0:2050): received packet from 81.246.52.42 dport 500 sport 500 Global (R) MM_KEY_EXCH
001156: *Dec 15 10:28:29.786 UTC: ISAKMP:(2050):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001157: *Dec 15 10:28:29.786 UTC: ISAKMP:(2050):Old State = IKE_R_MM4  New State = IKE_R_MM5

001158: *Dec 15 10:28:29.786 UTC: ISAKMP:(2050): processing ID payload. message ID = 0
001159: *Dec 15 10:28:29.786 UTC: ISAKMP (0:2050): ID payload
        next-payload : 8
        type         : 1
        address      : 81.246.52.42
        protocol     : 17
        port         : 500
        length       : 12
001160: *Dec 15 10:28:29.786 UTC: ISAKMP:(0):: peer matches *none* of the profiles
001161: *Dec 15 10:28:29.786 UTC: ISAKMP:(2050): processing HASH payload. message ID = 0
001162: *Dec 15 10:28:29.786 UTC: ISAKMP:(2050):SA authentication status:
        authenticated
001163: *Dec 15 10:28:29.786 UTC: ISAKMP:(2050):SA has been authenticated with 81.246.52.42
001164: *Dec 15 10:28:29.790 UTC: ISAKMP: Trying to insert a peer 81.82.229.75/81.246.52.42/500/,  and inserted successfully 852E6BA4.
001165: *Dec 15 10:28:29.790 UTC: ISAKMP:(2050):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001166: *Dec 15 10:28:29.790 UTC: ISAKMP:(2050):Old State = IKE_R_MM5  New State = IKE_R_MM5

001167: *Dec 15 10:28:29.790 UTC: ISAKMP:(2050):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
001168: *Dec 15 10:28:29.790 UTC: ISAKMP (0:2050): ID payload
        next-payload : 8
        type         : 1
        address      : 81.82.229.75
        protocol     : 17
        port         : 500
        length       : 12
001169: *Dec 15 10:28:29.790 UTC: ISAKMP:(2050):Total payload length: 12
001170: *Dec 15 10:28:29.790 UTC: ISAKMP:(2050): sending packet to 81.246.52.42 my_port 500 peer_port 500 (R) MM_KEY_EXCH
001171: *Dec 15 10:28:29.790 UTC: ISAKMP:(2050):Sending an IKE IPv4 Packet.
001172: *Dec 15 10:28:29.790 UTC: ISAKMP:(2050):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001173: *Dec 15 10:28:29.790 UTC: ISAKMP:(2050):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

001174: *Dec 15 10:28:29.790 UTC: ISAKMP:(2050):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001175: *Dec 15 10:28:29.790 UTC: ISAKMP:(2050):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

001176: *Dec 15 10:28:29.806 UTC: ISAKMP (0:2050): received packet from 81.246.52.42 dport 500 sport 500 Global (R) QM_IDLE
001177: *Dec 15 10:28:29.810 UTC: ISAKMP: set new node 1458869303 to QM_IDLE    
001178: *Dec 15 10:28:29.810 UTC: ISAKMP:(2050): processing HASH payload. message ID = 1458869303
001179: *Dec 15 10:28:29.810 UTC: ISAKMP:(2050): processing SA payload. message ID = 1458869303
001180: *Dec 15 10:28:29.810 UTC: ISAKMP:(2050):Checking IPSec proposal 1
001181: *Dec 15 10:28:29.810 UTC: ISAKMP: transform 1, ESP_AES
001182: *Dec 15 10:28:29.810 UTC: ISAKMP:   attributes in transform:
001183: *Dec 15 10:28:29.810 UTC: ISAKMP:      SA life type in seconds
001184: *Dec 15 10:28:29.810 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
001185: *Dec 15 10:28:29.810 UTC: ISAKMP:      encaps is 1 (Tunnel)
001186: *Dec 15 10:28:29.810 UTC: ISAKMP:      authenticator is HMAC-SHA
001187: *Dec 15 10:28:29.810 UTC: ISAKMP:      group is 2
001188: *Dec 15 10:28:29.810 UTC: ISAKMP:      key length is 128
001189: *Dec 15 10:28:29.810 UTC: ISAKMP:(2050):atts are acceptable.
001190: *Dec 15 10:28:29.810 UTC: ISAKMP:(2050): processing NONCE payload. message ID = 1458869303
001191: *Dec 15 10:28:29.810 UTC: ISAKMP:(2050): processing KE payload. message ID = 1458869303
001192: *Dec 15 10:28:29.842 UTC: ISAKMP:(2050): processing ID payload. message ID = 1458869303
001193: *Dec 15 10:28:29.842 UTC: ISAKMP:(2050): processing ID payload. message ID = 1458869303
001194: *Dec 15 10:28:29.842 UTC: ISAKMP:(2050):QM Responder gets spi
001195: *Dec 15 10:28:29.842 UTC: ISAKMP:(2050):Node 1458869303, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
001196: *Dec 15 10:28:29.842 UTC: ISAKMP:(2050):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
001197: *Dec 15 10:28:29.842 UTC: ISAKMP:(2050): Creating IPSec SAs
001198: *Dec 15 10:28:29.842 UTC:         inbound SA from 81.246.52.42 to 81.82.229.75 (f/i)  0/ 0
        (proxy 0.0.0.0 to 0.0.0.0)
001199: *Dec 15 10:28:29.842 UTC:         has spi 0x27E463B2 and conn_id 0
001200: *Dec 15 10:28:29.842 UTC:         lifetime of 3600 seconds
001201: *Dec 15 10:28:29.842 UTC:         outbound SA from 81.82.229.75 to 81.246.52.42 (f/i) 0/0
        (proxy 0.0.0.0 to 0.0.0.0)
001202: *Dec 15 10:28:29.842 UTC:         has spi  0x57861378 and conn_id 0
001203: *Dec 15 10:28:29.842 UTC:         lifetime of 3600 seconds
001204: *Dec 15 10:28:29.842 UTC: ISAKMP:(2050): sending packet to 81.246.52.42 my_port 500 peer_port 500 (R) QM_IDLE
001205: *Dec 15 10:28:29.842 UTC: ISAKMP:(2050):Sending an IKE IPv4 Packet.
001206: *Dec 15 10:28:29.842 UTC: ISAKMP:(2050):Node 1458869303, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
001207: *Dec 15 10:28:29.842 UTC: ISAKMP:(2050):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
001208: *Dec 15 10:28:29.846 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
001209: *Dec 15 10:28:29.874 UTC: ISAKMP (0:2050): received packet from 81.246.52.42 dport 500 sport 500 Global (R) QM_IDLE
001210: *Dec 15 10:28:29.874 UTC: ISAKMP:(2050):deleting node 1458869303 error FALSE reason "QM done (await)"
001211: *Dec 15 10:28:29.874 UTC: ISAKMP:(2050):Node 1458869303, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
001212: *Dec 15 10:28:29.874 UTC: ISAKMP:(2050):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE


The missing command:


crypto isakmp nat keepalive 3600


The keepalive on the Cisco was not configured correctly.

The topic can be closed.
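
Added example, not part of the original posts: a Python summary of the quick mode (phase 2) exchanges in the debug crypto isakmp output, run on lines copied from the Dec 14 and Dec 15 captures above. It decodes the VPI lifetime octets and lists which fields differ between the rejected and the accepted exchange; all function names are this example's own.

```python
import re

# Quick-mode lines copied from the failing (Dec 14) and working (Dec 15)
# captures in this thread; which lines are included is this example's choice.
SAMPLE_LOG = '''\
000303: *Dec 14 17:43:39.198 UTC: ISAKMP:(2004): processing SA payload. message ID = -15221771
000305: *Dec 14 17:43:39.198 UTC: ISAKMP: transform 1, ESP_AES
000308: *Dec 14 17:43:39.198 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
000312: *Dec 14 17:43:39.198 UTC: ISAKMP:      key length is 128
000314: *Dec 14 17:43:39.198 UTC: ISAKMP:(2004): IPSec policy invalidated proposal with error 8
000315: *Dec 14 17:43:39.198 UTC: ISAKMP:(2004): phase 2 SA policy not acceptable! (local 81.82.229.75 remote 81.246.52.42)
000321: *Dec 14 17:43:39.202 UTC: ISAKMP:(2004):deleting node -15221771 error TRUE reason "QM rejected"
001179: *Dec 15 10:28:29.810 UTC: ISAKMP:(2050): processing SA payload. message ID = 1458869303
001181: *Dec 15 10:28:29.810 UTC: ISAKMP: transform 1, ESP_AES
001184: *Dec 15 10:28:29.810 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
001188: *Dec 15 10:28:29.810 UTC: ISAKMP:      key length is 128
001198: *Dec 15 10:28:29.842 UTC:         inbound SA from 81.246.52.42 to 81.82.229.75 (f/i)  0/ 0
        (proxy 0.0.0.0 to 0.0.0.0)
001210: *Dec 15 10:28:29.874 UTC: ISAKMP:(2050):deleting node 1458869303 error FALSE reason "QM done (await)"
'''

FIELDS = {  # field name -> pattern with one capture group
    "transform": re.compile(r"transform \d+, (\S+)"),
    "key_length": re.compile(r"key length is (\d+)"),
    "policy_error": re.compile(r"IPSec policy invalidated proposal with error (\d+)"),
}
START = re.compile(r"processing SA payload\. message ID = (-?\d+)")
LIFETIME = re.compile(r"SA life duration \(VPI\) of\s+((?:0x[0-9A-Fa-f]+ ?)+)")
PROXY = re.compile(r"\(proxy (\S+) to (\S+)\)")
END = re.compile(r'deleting node (-?\d+) error (TRUE|FALSE) reason "([^"]*)"')

def vpi_to_seconds(octets):
    """Decode the lifetime IOS prints as big-endian hex octets ('0x0 0x0 0xE 0x10')."""
    value = 0
    for octet in octets.split():
        value = (value << 8) | int(octet, 16)
    return value

def summarize_quick_mode(log_text):
    """Return one dict per phase 2 exchange, in the order the exchanges start."""
    exchanges, current = [], None
    for line in log_text.splitlines():
        start = START.search(line)
        if start:
            current = None
            if start.group(1) != "0":  # message ID 0 is phase 1 (main mode)
                current = {"message_id": int(start.group(1)), "proxies": []}
                exchanges.append(current)
            continue
        if current is None:
            continue
        for name, pattern in FIELDS.items():
            match = pattern.search(line)
            if match:
                text = match.group(1)
                current[name] = int(text) if text.isdigit() else text
        if (match := LIFETIME.search(line)):
            current["lifetime_s"] = vpi_to_seconds(match.group(1))
        if (match := PROXY.search(line)):
            current["proxies"].append((match.group(1), match.group(2)))
        end = END.search(line)
        if end and int(end.group(1)) == current["message_id"]:
            current["accepted"] = end.group(2) == "FALSE"
            current["reason"] = end.group(3)
            current = None
    return exchanges

def differing_fields(a, b):
    """Names of the fields whose values differ between two exchange summaries."""
    return sorted(k for k in set(a) | set(b) if k != "message_id" and a.get(k) != b.get(k))

if __name__ == "__main__":
    print(*summarize_quick_mode(SAMPLE_LOG), sep="\n")
```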