"Tunnel does not come up with rsa-sig"
Forum: Cisco routers and other equipment (VPN, VLAN, tunnel)
Posted by OlegUA on 30-Sep-10, 19:16
We're at our wits' end with this. There are two offices that need to be linked by a tunnel, with IPsec authentication by RSA certificate. Everything seems right, but the tunnel doesn't come up; if I try pre-share instead, the tunnel comes up without a hitch. The logs say nothing specific :( So here's the config and the log, maybe someone can work out what's going on :(

The peer's ASA:
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 64

crypto ipsec fragmentation before-encryption outside

crypto ipsec df-bit copy-df outside

crypto map CRYPTOMAP 150 match address daniel-crypto
crypto map CRYPTOMAP 150 set connection-type bi-directional
crypto map CRYPTOMAP 150 set peer 1.1.1.1
crypto map CRYPTOMAP 150 set transform-set AES-SHA
crypto map CRYPTOMAP 150 set security-association lifetime seconds 3600
crypto map CRYPTOMAP 150 set inheritance rule
crypto map CRYPTOMAP 150 set phase1-mode main

crypto map CRYPTOMAP interface outside

crypto ca trustpoint rbacacom
revocation-check crl
enrollment retry period 1
enrollment retry count 0
enrollment url http://www:80/ejbca/publicweb/apply/scep/pkiclient.exe
fqdn gw.aval.ua
no email
subject-name CN=gw.domain.com
no serial-number
no ip-address
no password
client-types ipsec ssl
accept-subordinates
id-cert-issuer
id-usage ssl-ipsec
no ignore-ipsec-keyusage
no ignore-ssl-keyusage
no proxy-ldc-issuer
crl configure
policy cdp
cache-time 60
enforcenextupdate
protocol http
protocol ldap
protocol scep

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication rsa-sig
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp disconnect-notify

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
peer-id-validate cert
chain
trust-point rbacacom
isakmp keepalive threshold 10 retry 2

group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp enable
re-xauth enable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication enable
user-authentication enable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
url-list none
filter none
homepage none
html-content-filter none
port-forward name Application Access
port-forward disable
http-proxy disable
sso-server none
svc dtls enable
svc mtu 1406
svc keep-installer installed
svc keepalive 20
svc rekey time none
svc rekey method none
svc dpd-interval client 30
svc dpd-interval gateway 30
svc compression none
svc modules none
svc profiles none
svc ask none
ike-retry-timeout 10
ike-retry-count 3
customization none
keep-alive-ignore 4
http-comp gzip
download-max-size 2147483647
upload-max-size 2147483647
post-max-size 2147483647
user-storage none
storage-objects value cookies,credentials
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay enable
unix-auth-uid 65534
unix-auth-gid 65534
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
smart-tunnel auto-signon disable
svc df-bit-ignore disable
svc routing-filtering-ignore disable

My c2821:
crypto key generate rsa general-keys modulus 1024

crypto pki trustpoint rbacacom
enrollment url http://www:80/ejbca/publicweb/apply/scep
fqdn c2821.domain.com
subject-name CN=c2821.domain.com
revocation-check crl
auto-enroll 95


crypto ca authenticate rbacacom

crypto ca enroll rbacacom


c2821#sh cry ca cert
Certificate
  Status: Available
  Certificate Serial Number: 79EE958AF219887A
  Certificate Usage: General Purpose
  Issuer:
    c=UA
    o=Company Name
    cn=rbacacom
  Subject:
    Name: c2821.domain.com
    c=UA
    o=Company Name
    cn=c2821.domain.com
    hostname=c2821.domain.com
  Validity Date:
    start date: 17:21:29 KYI Sep 30 2010
    end   date: 17:21:29 KYI Sep 30 2011
    renew date: 11:21:29 KYI Sep 12 2011
  Associated Trustpoints: rbacacom

CA Certificate
  Status: Available
  Certificate Serial Number: 17AB94A86314FFC9
  Certificate Usage: General Purpose
  Issuer:
    c=UA
    o=Company Name
    cn=rbacacom
  Subject:
    c=UA
    o=Company Name
    cn=rbacacom
  CRL Distribution Points:
    http://www:80/ejbca/publicweb/webdist/certdist?cmd=crl&issue...,O=Company name,C=UA
  Validity Date:
    start date: 15:40:37 KYI Aug 26 2010
    end   date: 15:40:37 KYI Aug 23 2020
  Associated Trustpoints: rbacacom


crypto isakmp policy 10
encr aes 256
group 5
lifetime 3600


crypto ipsec transform-set AE-SHA esp-aes 256 esp-sha-hmac

crypto map VPN-I 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set AE-SHA
match address AE-crypto

ip nat pool ae-nat 172.16.1.2 172.16.1.2 prefix-length 30
ip nat inside source list ae-nat-list pool ae-nat overload

ip access-list extended ae-nat-list
permit ip any host 172.16.1.1

ip access-list extended AE-crypto
permit ip host 172.16.1.2 host 172.16.1.1

The crypto map is applied to the correct interface. Here is what the logs show with debug cry ipsec/isakmp/engine:

089794: 1d06h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 172.16.1.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.16.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 1800s and 4608000kb,
    spi= 0xDD1FB18D(3709841805), conn_id= 0, keysize= 256, flags= 0x400A
089795: 1d06h: ISAKMP: received ke message (1/1)
089796: 1d06h: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
089797: 1d06h: ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
089798: 1d06h: ISAKMP: New peer created peer = 0x45BB90D4 peer_handle = 0x800001EF
089799: 1d06h: ISAKMP: Locking peer struct 0x45BB90D4, IKE refcount 1 for isakmp_initiator
089800: 1d06h: ISAKMP: local port 500, remote port 500
089801: 1d06h: ISAKMP: set new node 0 to QM_IDLE
089802: 1d06h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45064664
089803: 1d06h: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
089804: 1d06h: ISAKMP:(0:0:N/A:0):No pre-shared key with 2.2.2.2!
089805: 1d06h: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
089806: 1d06h: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
089807: 1d06h: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
089808: 1d06h: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
089809: 1d06h: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

089810: 1d06h: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
089811: 1d06h: ISAKMP:(0:0:N/A:0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
089812: Sep 30 17:56:32 KYI: %SEC-6-IPACCESSLOGP: list 192 denied udp 1.1.1.1(0) -> 2.2.2.2(0), 1 packet
089813: 1d06h: ISAKMP (0:0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_NO_STATE
089814: 1d06h: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
089815: 1d06h: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

089816: 1d06h: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
089817: 1d06h: ISAKMP:(0:0:N/A:0): processing vendor id payload
089818: 1d06h: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
089819: 1d06h: ISAKMP:(0:0:N/A:0):No pre-shared key with 2.2.2.2!
089820: 1d06h: ISAKMP : Scanning profiles for xauth ... L2L-DNEPR L2L-BROVARY L2L-KHMELNICK L2L-OFFICE2 L2L-JALTA DNEPR-BACKUP JALTA-BACKUP L2L-MAGNI L2L-TOBO9 L2L-BROVARY-UKRCOM L2L-MAGNITOGORSKAYA
089821: 1d06h: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
089822: 1d06h: ISAKMP:      encryption AES-CBC
089823: 1d06h: ISAKMP:      keylength of 256
089824: 1d06h: ISAKMP:      hash SHA
089825: 1d06h: ISAKMP:      default group 5
089826: 1d06h: ISAKMP:      auth RSA sig
089827: 1d06h: ISAKMP:      life type in seconds
089828: 1d06h: ISAKMP:      life duration (basic) of 3600
089829: 1d06h: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
089830: 1d06h: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
089831: 1d06h: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
089832: 1d06h: ISAKMP:      encryption AES-CBC
089833: 1d06h: ISAKMP:      keylength of 256
089834: 1d06h: ISAKMP:      hash SHA
089835: 1d06h: ISAKMP:      default group 5
089836: 1d06h: ISAKMP:      auth RSA sig
089837: 1d06h: ISAKMP:      life type in seconds
089838: 1d06h: ISAKMP:      life duration (basic) of 3600
089839: 1d06h: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
089840: 1d06h: CryptoEngine0: generating alg parameter for connid 82
089841: 1d06h: CRYPTO_ENGINE: Dh phase 1 status: 0
089842: 1d06h: CRYPTO_ENGINE: Dh phase 1 status: OK
089843: 1d06h: ISAKMP:(0:82:SW:1): processing vendor id payload
089844: 1d06h: ISAKMP:(0:82:SW:1): vendor ID seems Unity/DPD but major 194 mismatch
089845: 1d06h: ISAKMP:(0:82:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
089846: 1d06h: ISAKMP:(0:82:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

089847: 1d06h: ISAKMP (0:134217810): constructing CERT_REQ for issuer c=UA,o=Company Name,cn=rbacacom
089848: 1d06h: ISAKMP:(0:82:SW:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
089849: 1d06h: ISAKMP:(0:82:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
089850: 1d06h: ISAKMP:(0:82:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

089851: 1d06h: ISAKMP (0:134217810): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_SA_SETUP
089852: 1d06h: ISAKMP:(0:82:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
089853: 1d06h: ISAKMP:(0:82:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

089854: 1d06h: ISAKMP:(0:82:SW:1): processing KE payload. message ID = 0
089855: 1d06h: CryptoEngine0: generating alg parameter for connid 0
089856: 1d06h: ISAKMP:(0:82:SW:1): processing NONCE payload. message ID = 0
089857: 1d06h: CryptoEngine0: calculate pkey hmac for conn id 82
089858: 1d06h: CryptoEngine0: create ISAKMP SKEYID for conn id 82
089859: 1d06h: ISAKMP:(0:82:SW:1):SKEYID state generated
089860: 1d06h: ISAKMP:(0:82:SW:1): processing CERT_REQ payload. message ID = 0
089861: 1d06h: ISAKMP:(0:82:SW:1): peer wants a CT_X509_SIGNATURE cert
089862: 1d06h: ISAKMP:(0:82:SW:1): peer want cert issued by
089863: 1d06h: ISAKMP:(0:82:SW:1): Choosing trustpoint rbacacom as issuer
089864: 1d06h: ISAKMP:(0:82:SW:1): processing CERT_REQ payload. message ID = 0
089865: 1d06h: ISAKMP:(0:82:SW:1): peer wants a CT_X509_SIGNATURE cert
089866: 1d06h: ISAKMP:(0:82:SW:1): peer want cert issued by
089867: 1d06h: ISAKMP:(0:82:SW:1): processing CERT_REQ payload. message ID = 0
089868: 1d06h: ISAKMP:(0:82:SW:1): peer wants a CT_X509_SIGNATURE cert
089869: 1d06h: ISAKMP:(0:82:SW:1): peer want cert issued by
089870: 1d06h: ISAKMP:(0:82:SW:1): processing vendor id payload
089871: 1d06h: ISAKMP:(0:82:SW:1): vendor ID is Unity
089872: 1d06h: ISAKMP:(0:82:SW:1): processing vendor id payload
089873: 1d06h: ISAKMP:(0:82:SW:1): vendor ID seems Unity/DPD but major 60 mismatch
089874: 1d06h: ISAKMP:(0:82:SW:1): vendor ID is XAUTH
089875: 1d06h: ISAKMP:(0:82:SW:1): processing vendor id payload
089876: 1d06h: ISAKMP:(0:82:SW:1): speaking to another IOS box!
089877: 1d06h: ISAKMP:(0:82:SW:1): processing vendor id payload
089878: 1d06h: ISAKMP:(0:82:SW:1):vendor ID seems Unity/DPD but hash mismatch
089879: 1d06h: ISAKMP:(0:82:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
089880: 1d06h: ISAKMP:(0:82:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

089881: 1d06h: ISAKMP:(0:82:SW:1):Send initial contact
089882: 1d06h: ISAKMP:(0:82:SW:1):SA is doing RSA signature authentication using id type ID_FQDN
089883: 1d06h: ISAKMP (0:134217810): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : c2821.domain.com
        protocol     : 17
        port         : 500
        length       : 31
089884: 1d06h: ISAKMP:(0:82:SW:1):Total payload length: 31
089885: 1d06h: ISAKMP (0:134217810): constructing CERT payload for c=UA,o=Company Name,cn=c2821.domain.com,hostname=c2821.domain.com
089886: 1d06h: CryptoEngine0: generate hmac context for conn id 82
089887: 1d06h: ISAKMP:(0:82:SW:1): using the rbacacom trustpoint's keypair to sign
089888: 1d06h: crypto_engine: public key sign
089889: 1d06h: ISAKMP:(0:82:SW:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
089890: 1d06h: ISAKMP:(0:82:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
089891: 1d06h: ISAKMP:(0:82:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

089897: 1d06h: ISAKMP:(0:82:SW:1): retransmitting phase 1 MM_KEY_EXCH...
089898: 1d06h: ISAKMP (0:134217810): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
089899: 1d06h: ISAKMP:(0:82:SW:1): retransmitting phase 1 MM_KEY_EXCH
089900: 1d06h: ISAKMP:(0:82:SW:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
089904: 1d06h: ISAKMP:(0:82:SW:1): retransmitting phase 1 MM_KEY_EXCH...
089905: 1d06h: ISAKMP (0:134217810): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
089906: 1d06h: ISAKMP:(0:82:SW:1): retransmitting phase 1 MM_KEY_EXCH
089907: 1d06h: ISAKMP:(0:82:SW:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
089912: 1d06h: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 172.16.1.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.16.1.1/255.255.255.255/0/0 (type=1)
089913: 1d06h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 172.16.1.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.16.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 1800s and 4608000kb,
    spi= 0x89758C9C(2306182300), conn_id= 0, keysize= 256, flags= 0x400A
089914: 1d06h: ISAKMP: received ke message (1/1)
089915: 1d06h: ISAKMP: set new node 0 to QM_IDLE
089916: 1d06h: ISAKMP:(0:82:SW:1):SA is still budding. Attached new ipsec request to it. (local 1.1.1.1, remote 2.2.2.2)
089918: 1d06h: ISAKMP:(0:82:SW:1): retransmitting phase 1 MM_KEY_EXCH...
089919: 1d06h: ISAKMP (0:134217810): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
089920: 1d06h: ISAKMP:(0:82:SW:1): retransmitting phase 1 MM_KEY_EXCH
089921: 1d06h: ISAKMP:(0:82:SW:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
089924: 1d06h: ISAKMP:(0:81:SW:1):purging node 732705894
089925: 1d06h: ISAKMP:(0:81:SW:1):purging node 899173049
089926: 1d06h: ISAKMP:(0:81:SW:1):purging node 71651595
089928: 1d06h: ISAKMP:(0:82:SW:1): retransmitting phase 1 MM_KEY_EXCH...
089929: 1d06h: ISAKMP (0:134217810): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
089930: 1d06h: ISAKMP:(0:82:SW:1): retransmitting phase 1 MM_KEY_EXCH
089931: 1d06h: ISAKMP:(0:82:SW:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
089932: 1d06h: ISAKMP (0:134217810): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
089933: 1d06h: ISAKMP: set new node 1733739624 to QM_IDLE
089934: 1d06h: ISAKMP (0:134217810): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
089935: 1d06h: ISAKMP (0:134217810): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
089936: 1d06h: ISAKMP (0:134217810): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
089937: 1d06h: ISAKMP (0:134217810): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
089938: 1d06h: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 2.2.2.2 to 1.1.1.1.
089942: 1d06h: ISAKMP:(0:81:SW:1):purging SA., sa=465F011C, delme=465F011C
089943: 1d06h: CryptoEngine0: delete connection 81
089945: 1d06h: ISAKMP:(0:82:SW:1): retransmitting phase 1 MM_KEY_EXCH...
089946: 1d06h: ISAKMP (0:134217810): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
089947: 1d06h: ISAKMP:(0:82:SW:1): retransmitting phase 1 MM_KEY_EXCH
089948: 1d06h: ISAKMP:(0:82:SW:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
089955: 1d06h: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 172.16.1.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.16.1.1/255.255.255.255/0/0 (type=1)
089956: 1d06h: ISAKMP: received ke message (3/1)
089957: 1d06h: ISAKMP:(0:82:SW:1):peer does not do paranoid keepalives.

089958: 1d06h: ISAKMP:(0:82:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 2.2.2.2)
089959: 1d06h: ISAKMP:(0:82:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 2.2.2.2)
089960: 1d06h: ISAKMP: Unlocking IKE struct 0x45BB90D4 for isadb_mark_sa_deleted(), count 0
089961: 1d06h: ISAKMP: Deleting peer node by peer_reap for 2.2.2.2: 45BB90D4
089962: 1d06h: ISAKMP:(0:82:SW:1):deleting node 337248950 error FALSE reason "IKE deleted"
089963: 1d06h: ISAKMP:(0:82:SW:1):deleting node 1729395982 error FALSE reason "IKE deleted"
089964: 1d06h: ISAKMP:(0:82:SW:1):deleting node 1733739624 error FALSE reason "IKE deleted"
089965: 1d06h: ISAKMP:(0:82:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
089966: 1d06h: ISAKMP:(0:82:SW:1):Old State = IKE_I_MM5  New State = IKE_DEST_SA

089967: 1d06h: IPSEC(key_engine): got a queue event with 1 kei messages


We just don't know what to think any more. If I use
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600

and, of course, add identical keys on both sides, everything works perfectly. With authentication rsa-sig nothing works :(

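Editor's added example, not code from the post, from Cisco, or from either replier: a small Python script that walks a `debug crypto isakmp` capture like the one above and reports where the IKEv1 main-mode exchange stalled. The sample capture is constructed, modelled on the debug lines quoted in the post; the IOS message formats are assumed to be those shown there, and the stall rules (in particular, reading a UDP deny logged with port 0 on both sides as a dropped non-initial fragment) are the editor's heuristics, not anything the post states.

```python
"""Find the stall point in a Cisco IOS 'debug crypto isakmp' capture of an
IKEv1 main-mode negotiation.  Editor's example, not code from the post;
the sample capture is constructed, modelled on the debug output in the post."""
import re
from collections import Counter

# One pattern per IOS ISAKMP debug line type the analysis needs.
RE_STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RE_RECV = re.compile(r"received packet from (\S+) .*\((?:I|R)\) (\S+)")
RE_RETRY = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
RE_DEL = re.compile(r'deleting SA reason "([^"]+)"')
RE_AUTH = re.compile(r"SA is doing (.+?) authentication using id type (\S+)")
RE_ACL = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) denied (\w+) "
                    r"(\S+)\((\d+)\) -> (\S+)\((\d+)\)")

# Initiator state -> (message it has just sent, reply it is waiting for).
EXPECTED_REPLY = {
    "IKE_I_MM1": ("MM1 (SA proposal)", "MM2"),
    "IKE_I_MM3": ("MM3 (KE + nonce + CERT_REQ)", "MM4"),
    "IKE_I_MM5": ("MM5 (ID + CERT + SIG, the first encrypted message)", "MM6"),
}

# Constructed sample: the initiator reaches MM5, retransmits it, never gets
# MM6 and is finally torn down by a delete notify from the peer.
SAMPLE_DEBUG = """\
089811: 1d06h: ISAKMP:(0:0:N/A:0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
089812: Sep 30 17:56:32 KYI: %SEC-6-IPACCESSLOGP: list 192 denied udp 1.1.1.1(0) -> 2.2.2.2(0), 1 packet
089813: 1d06h: ISAKMP (0:0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_NO_STATE
089815: 1d06h: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
089850: 1d06h: ISAKMP:(0:82:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
089851: 1d06h: ISAKMP (0:134217810): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_SA_SETUP
089853: 1d06h: ISAKMP:(0:82:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
089882: 1d06h: ISAKMP:(0:82:SW:1):SA is doing RSA signature authentication using id type ID_FQDN
089889: 1d06h: ISAKMP:(0:82:SW:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
089891: 1d06h: ISAKMP:(0:82:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
089898: 1d06h: ISAKMP (0:134217810): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
089932: 1d06h: ISAKMP (0:134217810): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
089946: 1d06h: ISAKMP (0:134217810): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
089958: 1d06h: ISAKMP:(0:82:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 2.2.2.2)
089966: 1d06h: ISAKMP:(0:82:SW:1):Old State = IKE_I_MM5  New State = IKE_DEST_SA
"""


def analyze(debug_text):
    """Return a dict describing how far main mode got and why it stopped."""
    states, retries, fragment_hints, recv = [], [], [], Counter()
    auth = delete_reason = None
    for line in debug_text.splitlines():
        if m := RE_STATE.search(line):
            states.append(m.group(2))
        elif m := RE_RECV.search(line):
            recv[m.group(2)] += 1        # local SA state when the packet arrived
        elif m := RE_RETRY.search(line):
            retries.append(int(m.group(1)))
        elif m := RE_DEL.search(line):
            delete_reason = delete_reason or m.group(1)
        elif m := RE_AUTH.search(line):
            auth = (m.group(1), m.group(2))
        elif m := RE_ACL.search(line):
            acl, proto, src, sport, dst, dport = m.groups()
            # Heuristic: IOS logs a non-initial fragment with port 0 on both
            # sides, because only the first fragment carries the UDP header.
            if proto == "udp" and sport == dport == "0":
                fragment_hints.append((acl, src, dst))
    initiator = [s for s in states if s.startswith("IKE_I_MM")]
    report = {
        "furthest_state": initiator[-1] if initiator else None,
        "auth": auth,
        "retransmits": max(retries, default=0),
        "delete_reason": delete_reason,
        "received_in_state": dict(recv),
        "fragment_hints": fragment_hints,
    }
    report["verdict"] = verdict(report)
    return report


def verdict(r):
    """Turn the collected facts into a one-line diagnosis."""
    state = r["furthest_state"]
    if state is None:
        return "no initiator main-mode transitions found"
    if state == "IKE_I_MM6":
        return "phase 1 completed; look at quick mode instead"
    sent, expected = EXPECTED_REPLY.get(state, (state, "the next message"))
    msg = f"stalled after sending {sent}; {expected} never arrived"
    if r["retransmits"]:
        msg += f" after {r['retransmits']} retransmits"
    reason = r["delete_reason"] or ""
    if "notify (in)" in reason:
        ident = r["auth"][1] if r["auth"] else "IKE"
        msg += (f"; the peer answered with a delete ({reason}) instead, so it received "
                f"the message and rejected it: check the responder's certificate "
                f"validation (trustpoint, CRL reachability, peer-id-validate) and how it "
                f"maps our {ident} identity to a tunnel-group or ISAKMP profile")
    elif r["retransmits"]:
        msg += ("; no reply and no notify came back: the peer is unreachable on UDP 500, "
                "dropped the packet, or silently found nothing acceptable in it")
    if r["fragment_hints"]:
        drops = ", ".join(f"list {a} {s} -> {d}" for a, s, d in r["fragment_hints"])
        msg += (f"; an ACL also dropped UDP fragments ({drops}); the certificate-bearing "
                "MM5 is the packet most likely to fragment, so permit fragments or "
                "turn on IKE fragmentation")
    return msg


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Paste a real capture into SAMPLE_DEBUG (or read it from a file) and run the script. On the constructed sample it reports the initiator stuck in IKE_I_MM5 with RSA-signature authentication and an ID_FQDN identity, five retransmits of MM5, no MM6, and a teardown by an inbound delete notify, which the script reads as the responder having received MM5 and refused it; the ACL line is reported separately as a fragment-drop hint to rule out. The script only sees the initiator's side, so its verdict is a pointer to where to look next (the responder's own logs), not proof.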

1. "Tunnel does not come up with rsa-sig"
Posted by anonymous on 01-Oct-10, 21:54
>enrollment url http://www:80/...

and what does www resolve to? Maybe it's trying to check the certificate via that URL?


2. "Tunnel does not come up with rsa-sig"
Posted by OlegUA on 01-Oct-10, 22:32
>>enrollment url http://www:80/...
> and what does www resolve to? Maybe it's trying to check the certificate via
> that URL?

The address is real, I just replaced it with this one :) It resolves without any problems; at any rate, I obtained the certificate through that address without trouble.

