I just can't get a VPN working between a D-Link and a Cisco 2811. I'm doing everything as described here: http://www.dlink.ru/technical/faq_vpn_4.php.
But something is preventing the tunnel from being built.
Here is the Cisco config:
crypto isakmp policy 14
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 141414 address 195.151.х.х
crypto ipsec transform-set samara esp-3des
crypto map nolan 140 ipsec-isakmp
description VPN To SAMARA
set peer 195.151.х.х
set security-association lifetime seconds 28800
set transform-set samara
set pfs group2
match address 150
access-list 150 remark "****To SAMARA***"
access-list 150 permit tcp any 192.168.3.0 0.0.0.255
access-list 150 permit tcp 192.168.3.0 0.0.0.255 any
interface FastEthernet0/1.1
crypto map nolan
As for the D-Link config, I don't even know. Screenshots only, perhaps. :-)
Here is also the Cisco debug:
debug crypto isakmp
*Sep 12 20:08:43.091: ISAKMP (0:1058): received packet from 195.151.х.х dport 500 sport 500 Global (R) QM_IDLE
*Sep 12 20:08:43.091: ISAKMP: set new node 287449792 to QM_IDLE
*Sep 12 20:08:43.091: ISAKMP:(1058): processing HASH payload. message ID = 287449792
*Sep 12 20:08:43.091: ISAKMP:(1058): processing SA payload. message ID = 287449792
*Sep 12 20:08:43.091: ISAKMP:(1058):Checking IPSec proposal 1
*Sep 12 20:08:43.091: ISAKMP: transform 1, ESP_3DES
*Sep 12 20:08:43.091: ISAKMP: attributes in transform:
*Sep 12 20:08:43.091: ISAKMP: authentication algorithm... What? 0?
*Sep 12 20:08:43.091: ISAKMP: encaps is 1 (Tunnel)
*Sep 12 20:08:43.091: ISAKMP: group is 2
*Sep 12 20:08:43.091: ISAKMP: SA life type in seconds
*Sep 12 20:08:43.091: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 12 20:08:43.091: ISAKMP:(1058):atts are acceptable.
*Sep 12 20:08:43.091: ISAKMP:(1058): IPSec policy invalidated proposal with error 256
*Sep 12 20:08:43.091: ISAKMP:(1058): phase 2 SA policy not acceptable! (local 213.33.253.198 remote 195.151.x.x)
*Sep 12 20:08:43.091: ISAKMP: set new node -1374168342 to QM_IDLE
*Sep 12 20:08:43.091: ISAKMP:(1058):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1198152808, message ID = -1374168342
*Sep 12 20:08:43.095: ISAKMP:(1058): sending packet to 195.151.x.x my_port 500 peer_port 500 (R) QM_IDLE
*Sep 12 20:08:43.095: ISAKMP:(1058):purging node -1374168342
*Sep 12 20:08:43.095: ISAKMP:(1058):deleting node 287449792 error TRUE reason "QM rejected"
*Sep 12 20:08:43.095: ISAKMP:(1058):Node 287449792, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Sep 12 20:08:43.095: ISAKMP:(1058):Old State = IKE_QM_READY New State = IKE_QM_READY
*Sep 12 20:08:44.087: ISAKMP (0:1058): received packet from 195.151.x.x dport 500 sport 500 Global (R) QM_IDLE
*Sep 12 20:08:44.087: ISAKMP: set new node 255492324 to QM_IDLE
*Sep 12 20:08:44.091: ISAKMP:(1058): processing HASH payload. message ID = 255492324
*Sep 12 20:08:44.091: ISAKMP:(1058): processing SA payload. message ID = 255492324
*Sep 12 20:08:44.091: ISAKMP:(1058):Checking IPSec proposal 1
*Sep 12 20:08:44.091: ISAKMP: transform 1, ESP_3DES
*Sep 12 20:08:44.091: ISAKMP: attributes in transform:
*Sep 12 20:08:44.091: ISAKMP: authentication algorithm... What? 0?
*Sep 12 20:08:44.091: ISAKMP: encaps is 1 (Tunnel)
*Sep 12 20:08:44.091: ISAKMP: group is 2
*Sep 12 20:08:44.091: ISAKMP: SA life type in seconds
*Sep 12 20:08:44.091: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 12 20:08:44.091: ISAKMP:(1058):atts are acceptable.
*Sep 12 20:08:44.091: ISAKMP:(1058): IPSec policy invalidated proposal with error 256
*Sep 12 20:08:44.091: ISAKMP:(1058): phase 2 SA policy not acceptable! (local 213.33.x.x remote 195.151.x.x)
*Sep 12 20:08:44.091: ISAKMP: set new node 325537990 to QM_IDLE
*Sep 12 20:08:44.091: ISAKMP:(1058):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1198152808, message ID = 325537990
*Sep 12 20:08:44.091: ISAKMP:(1058): sending packet to 195.151.x.x my_port 500 peer_port 500 (R) QM_IDLE
*Sep 12 20:08:44.091: ISAKMP:(1058):purging node 325537990
*Sep 12 20:08:44.091: ISAKMP:(1058):deleting node 255492324 error TRUE reason "QM rejected"
*Sep 12 20:08:44.091: ISAKMP:(1058):Node 255492324, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Sep 12 20:08:44.095: ISAKMP:(1058):Old State = IKE_QM_READY New State = IKE_QM_READY
*Sep 12 20:08:48.543: ISAKMP (0:1058): received packet from 195.151.x.x dport 500 sport 500 Global (R) QM_IDLE
*Sep 12 20:08:48.543: ISAKMP:(1058): phase 2 packet is a duplicate of a previous packet.
*Sep 12 20:08:48.543: ISAKMP:(1058): retransmitting due to retransmit phase 2
*Sep 12 20:08:48.543: ISAKMP:(1058): ignoring retransmission,because phase2 node marked dead 287449792
*Sep 12 20:08:49.539: ISAKMP (0:1058): received packet from 195.151.x.x dport 500 sport 500 Global (R) QM_IDLE
*Sep 12 20:08:49.539: ISAKMP:(1058): phase 2 packet is a duplicate of a previous packet.
*Sep 12 20:08:49.539: ISAKMP:(1058): retransmitting due to retransmit phase 2
*Sep 12 20:08:49.539: ISAKMP:(1058): ignoring retransmission,because phase2 node marked dead 255492324
*Sep 12 20:08:53.531: ISAKMP (0:1058): received packet from 195.151.x.x dport 500 sport 500 Global (R) QM_IDLE
*Sep 12 20:08:53.531: ISAKMP:(1058): phase 2 packet is a duplicate of a previous packet.
*Sep 12 20:08:53.531: ISAKMP:(1058): retransmitting due to retransmit phase 2
*Sep 12 20:08:53.531: ISAKMP:(1058): ignoring retransmission,because phase2 node marked dead 287449792
*Sep 12 20:08:54.527: ISAKMP (0:1058): received packet from 195.151.x.x dport 500 sport 500 Global (R) QM_IDLE
*Sep 12 20:08:54.527: ISAKMP:(1058): phase 2 packet is a duplicate of a previous packet.
*Sep 12 20:08:54.527: ISAKMP:(1058): retransmitting due to retransmit phase 2
*Sep 12 20:08:54.527: ISAKMP:(1058): ignoring retransmission,because phase2 node marked dead 255492324
*Sep 12 20:09:03.507: ISAKMP (0:1058): received packet from 195.151.x.x dport 500 sport 500 Global (R) QM_IDLE
*Sep 12 20:09:03.507: ISAKMP:(1058): phase 2 packet is a duplicate of a previous packet.
*Sep 12 20:09:03.507: ISAKMP:(1058): retransmitting due to retransmit phase 2
*Sep 12 20:09:03.507: ISAKMP:(1058): ignoring retransmission,because phase2 node marked dead 287449792
*Sep 12 20:09:04.503: ISAKMP (0:1058): received packet from 195.151.x.x dport 500 sport 500 Global (R) QM_IDLE
*Sep 12 20:09:04.503: ISAKMP:(1058): phase 2 packet is a duplicate of a previous packet.
*Sep 12 20:09:04.503: ISAKMP:(1058): retransmitting due to retransmit phase 2
*Sep 12 20:09:04.503: ISAKMP:(1058): ignoring retransmission,because phase2 node marked dead 255492324
*Sep 12 20:09:13.479: ISAKMP (0:1058): received packet from 195.151.x.x dport 500 sport 500 Global (R) QM_IDLE
*Sep 12 20:09:13.479: ISAKMP:(1058): phase 2 packet is a duplicate of a previous packet.
*Sep 12 20:09:13.479: ISAKMP:(1058): retransmitting due to retransmit phase 2
*Sep 12 20:09:13.479: ISAKMP:(1058): ignoring retransmission,because phase2 node marked dead 287449792
*Sep 12 20:09:14.479: ISAKMP (0:1058): received packet from 195.151.x.x dport 500 sport 500 Global (R) QM_IDLE
*Sep 12 20:09:14.479: ISAKMP:(1058): phase 2 packet is a duplicate of a previous packet.
*Sep 12 20:09:14.479: ISAKMP:(1058): retransmitting due to retransmit phase 2
*Sep 12 20:09:14.479: ISAKMP:(1058): ignoring retransmission,because phase2 node marked dead 255492324
*Sep 12 20:09:14.603: ISAKMP:(1058):purging node -305254386
*Sep 12 20:09:15.599: ISAKMP:(1058):purging node 1721852175
As far as I understand, phase 2 is failing for some reason.
Is something wrong in the transform set??????
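Added example, not part of the original post: a small Python summarizer for `debug crypto isakmp` output like the one above, which groups the lines by Quick Mode message ID and pulls out the peer's offered attributes and the rejection outcome. The function name `summarize_quick_mode` is hypothetical, and the sample lines are constructed by shortening the posted output.

```python
import re

# Constructed sample: a shortened copy of the debug output in the post.
SAMPLE = """\
*Sep 12 20:08:43.091: ISAKMP:(1058): processing SA payload. message ID = 287449792
*Sep 12 20:08:43.091: ISAKMP: transform 1, ESP_3DES
*Sep 12 20:08:43.091: ISAKMP: authentication algorithm... What? 0?
*Sep 12 20:08:43.091: ISAKMP: group is 2
*Sep 12 20:08:43.091: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 12 20:08:43.091: ISAKMP:(1058): IPSec policy invalidated proposal with error 256
*Sep 12 20:08:43.091: ISAKMP:(1058):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Sep 12 20:08:43.095: ISAKMP:(1058):deleting node 287449792 error TRUE reason "QM rejected"
*Sep 12 20:08:48.543: ISAKMP:(1058): ignoring retransmission,because phase2 node marked dead 287449792
"""

# Single-value fields copied as-is from the lines that follow an SA payload.
FIELDS = {
    "transform": re.compile(r"transform \d+, (\S+)"),
    "auth_raw": re.compile(r"authentication algorithm\.\.\. What\? (\d+)\?"),
    "group": re.compile(r"group is (\d+)"),
    "policy_error": re.compile(r"invalidated proposal with error (\d+)"),
    "notify": re.compile(r"Sending NOTIFY (\S+)"),
}

def summarize_quick_mode(log):
    """Return {message_id: {offered attributes, outcome}} for each Quick Mode attempt."""
    attempts, cur = {}, None
    for line in log.splitlines():
        m = re.search(r"processing SA payload\. message ID = (-?\d+)", line)
        if m:  # a new Quick Mode proposal starts here
            cur = attempts.setdefault(m.group(1), {"retransmits_ignored": 0})
            continue
        m = re.search(r"node marked dead (-?\d+)", line)
        if m and m.group(1) in attempts:  # peer keeps resending a rejected proposal
            attempts[m.group(1)]["retransmits_ignored"] += 1
        m = re.search(r'deleting node (-?\d+) error TRUE reason "([^"]+)"', line)
        if m and m.group(1) in attempts:
            attempts[m.group(1)]["reason"] = m.group(2)
        if cur is None:
            continue
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                cur[key] = m.group(1)
        m = re.search(r"SA life duration \(VPI\) of ((?:0x[0-9a-fA-F]+ ?)+)", line)
        if m:  # the VPI bytes are a big-endian integer: 0x0 0x0 0x70 0x80 -> 28800
            cur["lifetime_s"] = int.from_bytes(bytes(int(b, 16) for b in m.group(1).split()), "big")
    return attempts
```

On the posted log the offered lifetime decodes to 28800 seconds and the group is 2, both of which agree with the posted crypto map (`set security-association lifetime seconds 28800`, `set pfs group2`).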