The OpenNET Project / Index page

"VPN Tunnel между Cisco 878 и Juniper SRX"
Вариант для распечатки  
Пред. тема | След. тема 
Форум Маршрутизаторы CISCO и др. оборудование. (VPN, VLAN, туннель)
Изначальное сообщение [ Отслеживать ]

"VPN Tunnel между Cisco 878 и Juniper SRX"  +/
Сообщение от armanman (ok) on 07-Фев-11, 20:41 
Существует Cisco 878 и Juniper SRX3600. Есть задача создать между ними VPN тунель.
Cisco Trusted интерфейс 192.168.1.20
Cisco Untrusted интерфейс 10.0.0.1

Juniper SRX Trusted интерфейс 192.168.103.20
Juniper SRX Untrusted интерфейс 192.168.103.20

Помогите с конфигом !!!!
СПАСИБО



1. "VPN Tunnel между Cisco 878 и Juniper SRX"  +/
Сообщение от armanman (ok) on 07-Фев-11, 20:42 
Сорри ошибка по интерфейсу

"VPN Tunnel между Cisco 878 и Juniper SRX"

Существует Cisco 878 и Juniper SRX3600. Есть задача создать между ними VPN тунель.
Cisco Trusted интерфейс 192.168.1.20
Cisco Untrusted интерфейс 10.0.0.1

Juniper SRX Trusted интерфейс 192.168.103.20
Juniper SRX Untrusted интерфейс 10.0.0.2

Помогите с конфигом !!!!
СПАСИБО



2. "VPN Tunnel между Cisco 878 и Juniper SRX"  +/
Сообщение от rijiy email(??) on 07-Фев-11, 21:28 
Сам недавно разбирался с этой темой

Делаешь либо с созданием gre интерфейса на джунике
http://axeldittmann.spaces.live.com/blog/cns!DDC34FAAF045450...

Либо используешь st0 интерфейс на джунике - я сделал этим способом
http://www.marfitsin.ru/index.php/articles/11-vpn/12-ciscoju...

У меня все работает по второму примеру.


3. "VPN Tunnel между Cisco 878 и Juniper SRX"  +/
Сообщение от armanman (ok) on 07-Фев-11, 21:38 
> Сам недавно разбирался с этой темой
> Делаешь либо с созданием gre интерфейса на джунике
> http://axeldittmann.spaces.live.com/blog/cns!DDC34FAAF045450...
> Либо используешь st0 интерфейс на джунике - я сделал этим способом
> http://www.marfitsin.ru/index.php/articles/11-vpn/12-ciscoju...
> У меня все работает по второму примеру.

Я пробожал етим методом
http://www.marfitsin.ru/index.php/articles/11-vpn/12-ciscoju...
что то не получаетсиа,
можно пример конфигов?


4. "вот Джуниковский"  +/
Сообщение от rijiy email(??) on 07-Фев-11, 21:48 

interfaces {
    ge-0/0/0 {
        description "-- LAN";
        unit 0 {
            description "-- LAN";
            family inet {
                address 192.168.54.1/26;
            }
        }
    }
    fe-0/0/2 {
        description "-- TopNet-Tun";
        unit 0 {
            description "-- TopNet-Tun";
            family inet {
                filter {
                    input Block-E;
                }
                address aa.bb.cc.dd/30;
            }
        }
    }

    st0 {
        unit 0 {
            description "-- To LSR Peterstar";
            family inet {
                mtu 1500;
                address 172.16.0.206/30;
            }
        }
    }
}

security {
    ike {
        proposal IKE_AES {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 86400;
        }
        policy ph1-policy {
            mode main;
            proposals IKE_AES;
            pre-shared-key ascii-text "qwertyui"; ## SECRET-DATA
        }
        gateway asdfgh {
            ike-policy ph1-policy;
            address ee.ff.gg.hh;
            external-interface fe-0/0/2.0;
        }
    }
    ipsec {
        proposal IPSEC_AES {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 86400;
        }
        policy Inet-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals IPSEC_AES;
        }
        vpn asdfgh  {
            bind-interface st0.0;
            ike {
                gateway asdfgh ;
                ipsec-policy Inet-policy;
            }
                                        
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
                st0.0;
                st0.1;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    traceroute;
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
                fe-0/0/2.0;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
    }
}


5. "Вот цисковсикй - не помню точно какая политика для ISAKMP"  +/
Сообщение от rijiy email(??) on 07-Фев-11, 21:53 
Current configuration : 59340 bytes
!

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 110
encr aes
authentication pre-share
!
crypto isakmp policy 210
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 1000
authentication pre-share
crypto isakmp key qwertyui address aa.ss.dd.ff
!
crypto ipsec transform-set 2juniper esp-aes esp-sha-hmac
!
crypto ipsec profile 2juniper
set transform-set 2juniper
set pfs group2
!

interface Tunnel72
bandwidth 10000
ip address 172.16.0.205 255.255.255.252
ip flow ingress
ip flow egress
ip tcp adjust-mss 1280
no ip mroute-cache
ip ospf authentication
ip ospf authentication-key 7 qwerty
ip ospf cost 400
ip ospf mtu-ignore
delay 400
tunnel source GigabitEthernet0/0.2
tunnel destination zz.xx.cc.vv
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile 2juniper
!

interface GigabitEthernet0/0.2
description -- WAN
encapsulation dot1Q 40
ip address hh.jj.kk.ll 255.255.255.248
ip access-group Block-E in
  no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip virtual-reassembly
no ip mroute-cache
no cdp enable
!
interface GigabitEthernet0/1
description -- LAN
ip address 10.10.0.60 255.255.240.0
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1280
ip ospf authentication
ip ospf authentication-key 7 zxcvbbn
duplex auto
speed auto
!


6. "Вот цисковсикй - не помню точно какая политика для ISAKMP"  +/
Сообщение от armanman (ok) on 08-Фев-11, 11:55 
Черт не поднимается:(

7. "Вот цисковсикй - не помню точно какая политика для ISAKMP"  +/
Сообщение от rijiy email(??) on 08-Фев-11, 11:57 
> Черт не поднимается:(

это рабочий конфиг

значит надо тебе смотреть зоны безопасности на джунипере ну и может блокирующий ACL на циске если есть.

дебаги на крайняк посмотри ;-)


8. "Вот цисковсикй - не помню точно какая политика для ISAKMP"  +/
Сообщение от armanman (ok) on 08-Фев-11, 12:17 
Циска и Джуник чистые, я под тестинг сейчас поставил и учусь :)
вот дебаг от циски
SAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.0.0.1)
ISAKMP: Unlocking peer struct 0x27E8590C for isadb_mark_sa_deleted(), count 0
ISAKMP: Deleting peer node by peer_reap for 10.0.0.1: 27E8590C
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 10.0.0.1)
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

ISAKMP (0): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_NO_STATE
ISAKMP:(0):purging SA., sa=27E838D4, delme=27E838D4
ISAKMP:(0):purging node -401611315
ISAKMP:(0):purging node 701748318
IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.0.0.2, remote= 10.0.0.1,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
ISAKMP:(0): SA request profile is (NULL)
ISAKMP: Created a peer struct for 10.0.0.1, peer port 500
ISAKMP: New peer created peer = 0x27E8590C peer_handle = 0x80000028
ISAKMP: Locking peer struct 0x27E8590C, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE      
ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 30D3452C
ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
ISAKMP:(0):found peer pre-shared key matching 10.0.0.1
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

ISAKMP:(0): beginning Main Mode exchange
ISAKMP:(0): sending packet to 10.0.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP (0): received packet from 10.0.0.1 dport 500 sport 500 Global (I) MM_NO_STATE
ISAKMP:(0):Couldn't find node: message_id -1040258146
ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.0.0.1
ISAKMP:(0):purging SA., sa=30D362AC, delme=30D362AC


9. "Вот цисковсикй - не помню точно какая политика для ISAKMP"  +/
Сообщение от rijiy email(??) on 08-Фев-11, 12:23 
sh cry isa sa det на циске
sh sec ike seс и sh sec ipsec sec на джунипере

надо понимать там ничего нету? раз isakmp не устанавливается?

я еще слышал что джуниковкий софт, с которым они идут глючный
у меня стоит
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Model: srx210h
JUNOS Software Release [10.2R3.10]    

на джунипере на зоне разрешены входящие подключения?


10. "Вот цисковсикй - не помню точно какая политика для ISAKMP"  +/
Сообщение от armanman (ok) on 08-Фев-11, 12:24 
Да на джунике разрешены входящие включения

11. "Вот цисковсикй - не помню точно какая политика для ISAKMP"  +/
Сообщение от armanman (ok) on 08-Фев-11, 12:28 

root@srxA-1> show security ipsec security-associations
  Total active tunnels: 0


root@srxA-1> show security ike security-associations


12. "Вот цисковсикй - не помню точно какая политика для ISAKMP"  +/
Сообщение от armanman (ok) on 08-Фев-11, 12:29 
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

0     10.0.0.1     10.0.0.2              ACTIVE                0  0            
       Engine-id:Conn-id =  ???

0     10.0.0.1     10.0.0.2              ACTIVE                0  0            
       Engine-id:Conn-id =  ???
(deleted)

0     10.0.0.1     10.0.0.2              ACTIVE                0  0            
       Engine-id:Conn-id =  ???
(deleted)

IPv6 Crypto ISAKMP SA


13. "Вот цисковсикй - не помню точно какая политика для ISAKMP"  +/
Сообщение от rijiy email(??) on 08-Фев-11, 13:02 
ну, брат, не знаю - вообще ничего не работает.
Выложи целиком конфиги гляну бегло

14. "Вот цисковсикй - не помню точно какая политика для ISAKMP"  +/
Сообщение от armanman (ok) on 08-Фев-11, 14:03 
Ето Джуник

interfaces {
    ge-0/0/0 {
        description Internet;
        unit 0 {
            family inet {
                address 10.0.0.2/29;
            }
        }
    }
    ge-0/0/1 {
        description "DMZ INTERNET";
        unit 0 {
            family inet {
                address 192.168.103.26/24;
            }
        }
    }
    fxp0 {
        description "MANAGEMENT Interface";
        unit 0 {
            family inet {
                address 172.20.100.170/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.55.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            description "VPN Tunnel";
            family inet {
                mtu 1500;
                address 172.16.0.206/30;
            }
        }
    }
}
security {
    ike {
        proposal IKE_AES {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 86400;
        }
        policy ph1-policy {
            mode main;
            proposals IKE_AES;
            pre-shared-key ascii-text "$9$J2Zi.Pfz6CuTzlMX-2gTz3n/t"; ## SECRET-DATA
        }
        gateway mygateway {
            ike-policy ph1-policy;
            address 10.0.0.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal IPSEC_AES {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 86400;
        }
        policy Inet-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals IPSEC_AES;
        }
        vpn myvpn {
            bind-interface st0.0;
            ike {
                gateway mygateway;
                ipsec-policy Inet-policy;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        functional-zone management {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                st0.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    traceroute;
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
    }
}
applications {
    application windows_remote {
        protocol tcp;
        destination-port 3389;
    }
}


15. "Вот цисковсикй - не помню точно какая политика для ISAKMP"  +/
Сообщение от armanman (ok) on 08-Фев-11, 14:12 
А вот и Циска

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 110
encr aes
authentication pre-share
!
crypto isakmp policy 210
encr aes
authentication pre-share
!
crypto isakmp policy 1000
authentication pre-share
crypto isakmp key password address 10.0.0.2
!
!
crypto ipsec transform-set 2juniper esp-aes esp-sha-hmac
!
crypto ipsec profile 2juniper
set transform-set 2juniper
set pfs group2
!
!
!
!
!
!
interface Tunnel72
bandwidth 10000
ip address 172.16.0.205 255.255.255.252
ip flow ingress
ip flow egress
ip tcp adjust-mss 1280
ip ospf authentication
ip ospf cost 400
ip ospf mtu-ignore
delay 400
keepalive 10 3
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 10.0.0.2
tunnel path-mtu-discovery
tunnel protection ipsec profile 2juniper
!
!
interface GigabitEthernet0/0
description Untrusted
ip address 10.0.0.1 255.255.255.248
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1/1
ip address 192.168.1.1 255.255.255.0
no ip route-cache
duplex full
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Tunnel72
!
access-list 101 permit ip any any


16. "а ключи точно одинаковые?"  +/
Сообщение от rijiy email(??) on 08-Фев-11, 14:17 
может еще всеже с софтом что нетак?

17. "а ключи точно одинаковые?"  +/
Сообщение от armanman (ok) on 08-Фев-11, 15:08 
> может еще всеже с софтом что нетак?

да нет все так кажется, там последние прошивки ....


18. "а ключи точно одинаковые?"  +/
Сообщение от armanman (ok) on 08-Фев-11, 15:22 
да ключи одинаковые

19. "а ключи точно одинаковые?"  +/
Сообщение от armanman (ok) on 08-Фев-11, 16:21 
Вот снова дебаг


ISAKMP (0): received packet from 10.0.0.2 dport 500 sport 500 Global (N) NEW SA
ISAKMP: Created a peer struct for 10.0.0.2, peer port 500
ISAKMP: New peer created peer = 0x30D2B87C peer_handle = 0x80000160
ISAKMP: Locking peer struct 0x30D2B87C, refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 500
ISAKMP:(0):insert sa successfully sa = 311DF510
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

INternet#ping
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 0 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 0 against priority 100 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):Proposed key length does not match policy
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):Proposed key length does not match policy
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 0 against priority 110 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):Diffie-Hellman group offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 1 against priority 110 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):Diffie-Hellman group offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 0 against priority 210 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):Diffie-Hellman group offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 1 against priority 210 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):Diffie-Hellman group offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 0 against priority 1000 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1000 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):no offers accepted!
ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.0.0.1 remote 10.0.0.2)
ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
ISAKMP:(0): Failed to construct AG informational message.
ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (R) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):peer does not do paranoid keepalives.

ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.0.0.2)
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP (0): FSM action returned error: 2
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.0.0.2)
ISAKMP: Unlocking peer struct 0x30D2B87C for isadb_mark_sa_deleted(), count 0
ISAKMP: Deleting peer node by peer_reap for 10.0.0.2: 30D2B87C
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 10.0.0.2)
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

ISAKMP: set new node 0 to QM_IDLE      
ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.0.0.1, remote 10.0.0.2)
ISAKMP: Error while processing SA request: Failed to initialize SA
ISAKMP: Error while processing KMI message 0, error 2.
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.

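An added example, not code from the thread or from either vendor: the checker below parses the Cisco `crypto isakmp policy` blocks posted in reply 15, fills in the IOS defaults for attributes a policy leaves unset (DES, SHA-1, RSA signatures, DH group 1), and walks the policies in priority order against the SRX's `IKE_AES` proposal from reply 14, the way the debug above does. The attribute names and the comparison order after key length are assumptions; the config text is a constructed copy of what was posted, with the pre-shared key replaced by a placeholder.

```python
import re

# IOS defaults for anything a "crypto isakmp policy" block leaves unset:
# DES (56-bit), SHA-1, RSA signatures, DH group 1, 86400 s lifetime.
IOS_POLICY_DEFAULTS = {"encr": "des", "keysize": 56, "hash": "sha",
                       "authentication": "rsa-sig", "group": 1, "lifetime": 86400}
# Attributes compared, in the order the IOS debug reports mismatches
# (encryption first, then key length, then the rest, DH group last; assumed).
CHECK_ORDER = ("encr", "keysize", "hash", "authentication", "group")

def _apply_policy_line(policy, line):
    """Apply one attribute line to a policy; False if it is not an attribute."""
    tok = line.split()
    if tok and tok[0] == "encr":  # "encr aes" means AES-128; "encr aes 256" is explicit
        policy["encr"] = tok[1]
        policy["keysize"] = int(tok[2]) if len(tok) > 2 else {"des": 56, "3des": 168, "aes": 128}[tok[1]]
    elif tok and tok[0] in ("hash", "authentication"):
        policy[tok[0]] = tok[1]
    elif tok and tok[0] in ("group", "lifetime"):
        policy[tok[0]] = int(tok[1])
    else:
        return False
    return True

def parse_isakmp_policies(ios_config):
    """Return {priority: attrs} for every 'crypto isakmp policy N' block, defaults filled in."""
    policies, current = {}, None
    for raw in ios_config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(IOS_POLICY_DEFAULTS)
            policies[int(m.group(1))] = current
        elif current is not None and not _apply_policy_line(current, line):
            current = None  # "!" or any other command ends the block
    return policies

def match_proposal(proposal, policies):
    """Walk the policies by priority as IOS does; return [(priority, verdict)]."""
    results = []
    for prio in sorted(policies):
        verdict = "match"
        for key in CHECK_ORDER:
            if proposal[key] != policies[prio][key]:
                verdict = f"{key} mismatch: offered {proposal[key]}, policy {policies[prio][key]}"
                break
        results.append((prio, verdict))
    return results

def first_match(proposal, policies):
    """Priority of the first acceptable policy, or None (phase 1 then fails)."""
    return next((p for p, v in match_proposal(proposal, policies) if v == "match"), None)

# Constructed copy of the "crypto isakmp policy" blocks posted for the Cisco 878.
CISCO_CONFIG = """\
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 110
encr aes
authentication pre-share
!
crypto isakmp policy 210
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 1000
authentication pre-share
crypto isakmp key <psk-placeholder> address 10.0.0.2
"""
# The SRX's IKE_AES proposal (aes-128-cbc, sha1, pre-shared-keys, group2,
# lifetime-seconds 86400) expressed with the same attribute names.
PROPOSAL = {"encr": "aes", "keysize": 128, "hash": "sha",
            "authentication": "pre-share", "group": 2, "lifetime": 86400}
POLICIES = parse_isakmp_policies(CISCO_CONFIG)
```

For the configuration as posted, policy 210 is the first one that accepts the proposal, while the debug above reports a Diffie-Hellman mismatch for 210 as well; a gap like that between the pasted config and the observed negotiation is a reason to compare against the running configuration rather than the copy.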

20. "а ключи точно одинаковые?"  +/
Сообщение от armanman (ok) on 10-Фев-11, 11:09 
Новое что происходит
на циске

INternet#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.2        10.0.0.1        QM_IDLE           1014 ACTIVE

И тунель поднялся Tunnel72

На циске время от времени выдается сообщение

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2061 local=10.0.0.1 remote=10.0.0.2 spi=64EC2E41 seqno=000000F2

Какие нибудь идеи?


21. "Между Cisco 2951 и SRX100h работает"  +/
Сообщение от Сталкер email on 06-Июл-11, 17:07 
Сделал точно по ссылке указанной выше (http://www.marfitsin.ru/index.php/articles/11-vpn/12-ciscoju...) - всё работает.