Cisco IPsec VPN help needed

Hi all,

I have been struggling for a few days with setting up the IPsec VPN on a Cisco 851 router. In theory it is a site-to-site VPN and I was given the parameters for it, but I am completely stuck: I think everything is in order with the settings, yet the connection still does not come up; it stops at phase 1. Here is the relevant part of the log, in case someone spots something that I overlooked.
The setup is, in principle, the following:
192.168.30/24 --- WAN Int ------INTERNET------ WAN Int --- 192.168.10/24

Thanks in advance:
002678: May 17 00:55:09.131 PCTime: ISAKMP:(0): SA request profile is (NULL)
002679: May 17 00:55:09.131 PCTime: ISAKMP: Created a peer struct for y.y.y.y, peer port 500
002680: May 17 00:55:09.131 PCTime: ISAKMP: New peer created peer = 0x81FC5834 peer_handle = 0x80000020
002681: May 17 00:55:09.131 PCTime: ISAKMP: Locking peer struct 0x81FC5834, refcount 1 for isakmp_initiator
002682: May 17 00:55:09.131 PCTime: ISAKMP: local port 500, remote port 500
002683: May 17 00:55:09.131 PCTime: ISAKMP: set new node 0 to QM_IDLE
002684: May 17 00:55:09.135 PCTime: insert sa successfully sa = 82A6B8E4
002685: May 17 00:55:09.135 PCTime: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
002686: May 17 00:55:09.135 PCTime: ISAKMP:(0):found peer pre-shared key matching y.y.y.y
002687: May 17 00:55:09.135 PCTime: ISAKMP:(0): constructed NAT-T vendor-07 ID
002688: May 17 00:55:09.135 PCTime: ISAKMP:(0): constructed NAT-T vendor-03 ID
002689: May 17 00:55:09.135 PCTime: ISAKMP:(0): constructed NAT-T vendor-02 ID
002690: May 17 00:55:09.135 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
002691: May 17 00:55:09.135 PCTime: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

002692: May 17 00:55:09.135 PCTime: ISAKMP:(0): beginning Main Mode exchange
002693: May 17 00:55:09.135 PCTime: ISAKMP:(0): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_NO_STATE
002694: May 17 00:55:19.133 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
002695: May 17 00:55:19.133 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
002696: May 17 00:55:19.133 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
002697: May 17 00:55:19.133 PCTime: ISAKMP:(0): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_NO_STATE
002698: May 17 00:55:29.130 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
002699: May 17 00:55:29.130 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
002700: May 17 00:55:29.130 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
002701: May 17 00:55:29.130 PCTime: ISAKMP:(0): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_NO_STATE
002702: May 17 00:55:39.123 PCTime: ISAKMP: set new node 0 to QM_IDLE
002703: May 17 00:55:39.123 PCTime: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local x.x.x.x, remote y.y.y.y)
002704: May 17 00:55:39.123 PCTime: ISAKMP: Error while processing SA request: Failed to initialize SA
002705: May 17 00:55:39.123 PCTime: ISAKMP: Error while processing KMI message 0, error 2.
002706: May 17 00:55:39.127 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
002707: May 17 00:55:39.127 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
002708: May 17 00:55:39.127 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
002709: May 17 00:55:39.127 PCTime: ISAKMP:(0): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_NO_STATE
002710: May 17 00:55:49.124 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
002711: May 17 00:55:49.124 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
002712: May 17 00:55:49.124 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
002713: May 17 00:55:49.124 PCTime: ISAKMP:(0): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_NO_STATE
002714: May 17 00:55:59.121 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
002715: May 17 00:55:59.121 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
002716: May 17 00:55:59.121 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
002717: May 17 00:55:59.121 PCTime: ISAKMP:(0): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_NO_STATE
002718: May 17 00:56:09.115 PCTime: ISAKMP:(0):peer does not do paranoid keepalives.

002719: May 17 00:56:09.115 PCTime: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer y.y.y.y)
002720: May 17 00:56:09.115 PCTime: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer y.y.y.y)
002721: May 17 00:56:09.115 PCTime: ISAKMP: Unlocking peer struct 0x81FC5834 for isadb_mark_sa_deleted(), count 0
002722: May 17 00:56:09.115 PCTime: ISAKMP: Deleting peer node by peer_reap for y.y.y.y: 81FC5834
002723: May 17 00:56:09.115 PCTime: ISAKMP:(0):deleting node 1248120148 error FALSE reason "IKE deleted"
002724: May 17 00:56:09.115 PCTime: ISAKMP:(0):deleting node 1101328065 error FALSE reason "IKE deleted"
002725: May 17 00:56:09.115 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
002726: May 17 00:56:09.115 PCTime: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

Comments

Well, yes, in theory outbound port 500 is open from our side. I tried with another server and saw the connection attempts appearing on port 500. That is what looks suspicious to me too, but supposedly the VPN server on the other side works with other clients. Unfortunately I have no access to the other side, so I cannot see what is in the logs there.

Thanks for the help, the problem is solved; they had gotten the firewall on the other side wrong.
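
The pattern in the log above (the initiator keeps retransmitting its first Main Mode packet and never logs a reply, later traced to the far-side firewall) can be checked mechanically. The following is an added example, not part of the original thread: `diagnose_phase1`, the "received packet from" pattern and the second sample log are assumptions made for illustration.

```python
import re

# SEND, RETRY and STATE follow the debug lines quoted in the post. RECV is an
# assumption about how a reply is logged; the post's log never contains one.
SEND = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+")
RECV = re.compile(r"received packet from \S+")
RETRY = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
STATE = re.compile(r"Old State = \S+\s+New State = (\S+)")

# Abridged from the log in the post (timestamps and sequence numbers dropped).
THREAD_LOG = """\
ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
ISAKMP:(0): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
ISAKMP:(0): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
ISAKMP:(0): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

# Constructed contrast case: the peer answers the first packet.
REPLY_LOG = """\
ISAKMP:(0): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP (0:0): received packet from y.y.y.y dport 500 sport 500 Global (I) MM_NO_STATE
ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
"""

def diagnose_phase1(log_text):
    """Summarise an initiator-side ISAKMP debug log and classify the failure."""
    sent = received = retries = 0
    peer = final_state = None
    for line in log_text.splitlines():
        if (m := SEND.search(line)):
            sent, peer = sent + 1, m.group(1)
        elif RECV.search(line):
            received += 1
        elif (m := RETRY.search(line)):
            retries = max(retries, int(m.group(1)))
        elif (m := STATE.search(line)):
            final_state = m.group(1)
    if sent and not received:
        verdict = "no reply to any MM1 packet: UDP/500 is likely dropped on the path or at the peer"
    elif received:
        verdict = "peer answered: the failure is later in the exchange"
    else:
        verdict = "no IKE traffic in this log"
    return {"peer": peer, "sent": sent, "received": received,
            "retries": retries, "final_state": final_state, "verdict": verdict}
```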