
L2L Cisco <-> Watchguard

Posted: Thu 23 Feb 2012 11:45 am
by thorpe
Hi, I'm trying to set up an IPsec VPN between a Cisco 1760 with a dynamic IP and a WatchGuard XTM22 with a static IP.
Using the IP as the remote peer and remote ID on the WatchGuard, the VPN comes up, but when I set the dynamic DNS name, in the WatchGuard debug I see:
iked WARNING: Mismatched ID settings at peer 78.13.XXX.XXX:500 caused an authentication failure Debug

I've tried "crypto isakmp identity hostname" or "set identity XXXXXXXXdns.org" under the crypto map, with no result.

Any suggestions?

Re: L2L Cisco <-> Watchguard

Posted: Thu 01 Mar 2012 4:29 pm
by thorpe
Hi, I've set the self-identity parameter to user-fqdn and the peers seem to match, but I get these logs:

Mar 1 15:14:57.889: ISAKMP (0:0): received packet from 80.249.33.107 dport 500 sport 500 Global (N) NEW SA
Mar 1 15:14:57.893: ISAKMP: Created a peer struct for 80.249.33.107, peer port 500
Mar 1 15:14:57.893: ISAKMP: New peer created peer = 0x844164E0 peer_handle = 0x80000539
Mar 1 15:14:57.893: ISAKMP: Locking peer struct 0x844164E0, IKE refcount 1 for crypto_isakmp_process_block
Mar 1 15:14:57.893: ISAKMP:(0:0:N/A:0):Setting client config settings 84500584
Mar 1 15:14:57.893: ISAKMP: local port 500, remote port 500
Mar 1 15:14:57.893: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 84407F10
Mar 1 15:14:57.893: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Mar 1 15:14:57.897: ISAKMP:(0:0:N/A:0): processing ID payload. message ID = 0
Mar 1 15:14:57.897: ISAKMP (0:0): ID payload
next-payload : 13
type : 1
address : 80.249.33.107
protocol : 0
port : 0
length : 12
Mar 1 15:14:57.897: ISAKMP:(0:0:N/A:0):: peer matches UFFICIO profile
Mar 1 15:14:57.897: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 1 15:14:57.897: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 215 mismatch
Mar 1 15:14:57.897: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 1 15:14:57.897: ISAKMP:(0:0:N/A:0): vendor ID is DPD
Mar 1 15:14:57.897: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 1 15:14:57.901: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 1 15:14:57.901: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
Mar 1 15:14:57.901: ISAKMP:(0:0:N/A:0):Found ADDRESS key in keyring UFFICIO_PSK
Mar 1 15:14:57.901: ISAKMP:(0:0:N/A:0): local preshared key found
Mar 1 15:14:57.901: ISAKMP : Looking for xauth in profile UFFICIO
Mar 1 15:14:57.901: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
Mar 1 15:14:57.901: ISAKMP: default group 2
Mar 1 15:14:57.901: ISAKMP: auth pre-share
Mar 1 15:14:57.901: ISAKMP: encryption 3DES-CBC
Mar 1 15:14:57.901: ISAKMP: hash SHA
Mar 1 15:14:57.901: ISAKMP: life type in seconds
Mar 1 15:14:57.901: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
Mar 1 15:14:57.905: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Mar 1 15:14:58.017: ISAKMP:(0:92:SW:1): processing KE payload. message ID = 0
Mar 1 15:14:58.161: ISAKMP:(0:92:SW:1): processing NONCE payload. message ID = 0
Mar 1 15:14:58.165: ISAKMP:(0:92:SW:1):Found ADDRESS key in keyring UFFICIO_PSK
Mar 1 15:14:58.165: ISAKMP:(0:92:SW:1):SKEYID state generated
Mar 1 15:14:58.169: ISAKMP:(0:92:SW:1): processing vendor id payload
Mar 1 15:14:58.169: ISAKMP:(0:92:SW:1): vendor ID seems Unity/DPD but major 215 mismatch
Mar 1 15:14:58.169: ISAKMP:(0:92:SW:1): processing vendor id payload
Mar 1 15:14:58.169: ISAKMP:(0:92:SW:1): vendor ID is DPD
Mar 1 15:14:58.169: ISAKMP:(0:92:SW:1): processing vendor id payload
Mar 1 15:14:58.169: ISAKMP:(0:92:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
Mar 1 15:14:58.169: ISAKMP:(0:92:SW:1): vendor ID is NAT-T v2
Mar 1 15:14:58.173: ISAKMP:(0:92:SW:1): constructed NAT-T vendor-02 ID
Mar 1 15:14:58.173: ISAKMP:(0:92:SW:1):SA is doing pre-shared key authentication using id type ID_USER_FQDN
Mar 1 15:14:58.173: ISAKMP (0:134217820): ID payload
next-payload : 10
type : 3
USER FQDN : luccarelli.homeip.net
protocol : 0
port : 0
length : 29
Mar 1 15:14:58.173: ISAKMP:(0:92:SW:1):Total payload length: 29
Mar 1 15:14:58.173: ISAKMP:(0:92:SW:1): sending packet to 80.249.33.107 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Mar 1 15:14:58.177: ISAKMP:(0:92:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 1 15:14:58.177: ISAKMP:(0:92:SW:1):Old State = IKE_READY New State = IKE_R_AM2
term no
Mar 1 15:15:01.210: ISAKMP:(0:84:SW:1):purging SA., sa=831E5984, delme=831E5984
Mar 1 15:15:01.234: ISAKMP (0:134217820): received packet from 80.249.33.107 dport 500 sport 500 Global (R) AG_INIT_EXCH
Mar 1 15:15:01.234: ISAKMP:(0:92:SW:1): phase 1 packet is a duplicate of a previous packet.
Mar 1 15:15:01.234: ISAKMP:(0:92:SW:1): retransmitting due to retransmit phase 1
Mar 1 15:15:01.394: ISAKMP:(0:89:SW:1): retransmitting phase 1 AG_INIT_EXCH...
Mar 1 15:15:01.394: ISAKMP:(0:89:SW:1):peer does not do paranoid keepalives.

Mar 1 15:15:01.394: ISAKMP:(0:89:SW:1):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 80.249.33.107)
Mar 1 15:15:01.394: ISAKMP:(0:89:SW:1):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 80.249.33.107)
Mar 1 15:15:01.394: ISAKMP: Unlocking IKE struct 0x844203A0 for isadb_mark_sa_deleted(), count 0
Mar 1 15:15:01.398: ISAKMP: Deleting peer node by peer_reap for 80.249.33.107: 844203A0
Mar 1 15:15:01.398: ISAKMP:(0:89:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 1 15:15:01.398: ISAKMP:(0:89:SW:1):Old State = IKE_R_AM2 New State = IKE_DEST_SA

Mar 1 15:15:01.402: IPSEC(key_engine): got a queue event with 1 kei messages
Mar 1 15:15:01.735: ISAKMP:(0:92:SW:1): retransmitting phase 1 AG_INIT_EXCH...mon
Mar 1 15:15:01.735: ISAKMP (0:134217820): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 1 15:15:01.735: ISAKMP:(0:92:SW:1): retransmitting phase 1 AG_INIT_EXCH
Mar 1 15:15:01.735: ISAKMP:(0:92:SW:1): sending packet to 80.249.33.107 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Mar 1 15:15:03.794: ISAKMP (0:134217820): received packet from 80.249.33.107 dport 500 sport 500 Global (R) AG_INIT_EXCH
Mar 1 15:15:03.794: ISAKMP:(0:92:SW:1): phase 1 packet is a duplicate of a previous packet.
Mar 1 15:15:03.794: ISAKMP:(0:92:SW:1): retransmitting due to retransmit phase 1
Mar 1 15:15:03.954: ISAKMP:(0:90:SW:1): retransmitting phase 1 AG_INIT_EXCH...
Mar 1 15:15:03.954: ISAKMP (0:134217818): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 1 15:15:03.954: ISAKMP:(0:90:SW:1): retransmitting phase 1 AG_INIT_EXCH
Mar 1 15:15:03.954: ISAKMP:(0:90:SW:1): sending packet to 80.249.33.107 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Cisco-1760#
Mar 1 15:15:04.295: ISAKMP:(0:92:SW:1): retransmitting phase 1 AG_INIT_EXCH...
Mar 1 15:15:04.295: ISAKMP (0:134217820): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 1 15:15:04.295: ISAKMP:(0:92:SW:1): retransmitting phase 1 AG_INIT_EXCH
Mar 1 15:15:04.295: ISAKMP:(0:92:SW:1): sending packet to 80.249.33.107 my_port 500 peer_port 500 (R) AG_INIT_EXCH


Does anyone have an idea why I get these logs?
Mar 1 15:14:58.173: ISAKMP:(0:92:SW:1): sending packet to 80.249.33.107 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Mar 1 15:14:58.177: ISAKMP:(0:92:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 1 15:14:58.177: ISAKMP:(0:92:SW:1):Old State = IKE_READY New State = IKE_R_AM2
term no
Mar 1 15:15:01.210: ISAKMP:(0:84:SW:1):purging SA., sa=831E5984, delme=831E5984
Mar 1 15:15:01.234: ISAKMP (0:134217820): received packet from 80.249.33.107 dport 500 sport 500 Global (R) AG_INIT_EXCH
Mar 1 15:15:01.234: ISAKMP:(0:92:SW:1): phase 1 packet is a duplicate of a previous packet.
Mar 1 15:15:01.234: ISAKMP:(0:92:SW:1): retransmitting due to retransmit phase 1
Mar 1 15:15:01.394: ISAKMP:(0:89:SW:1): retransmitting phase 1 AG_INIT_EXCH...
Mar 1 15:15:01.394: ISAKMP:(0:89:SW:1):peer does not do paranoid keepalives.

Mar 1 15:15:01.394: ISAKMP:(0:89:SW:1):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 80.249.33.107)
Mar 1 15:15:01.394: ISAKMP:(0:89:SW:1):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 80.249.33.107)
Mar 1 15:15:01.394: ISAKMP: Unlocking IKE struct 0x844203A0 for isadb_mark_sa_deleted(), count 0
Mar 1 15:15:01.398: ISAKMP: Deleting peer node by peer_reap for 80.249.33.107: 844203A0
Mar 1 15:15:01.398: ISAKMP:(0:89:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 1 15:15:01.398: ISAKMP:(0:89:SW:1):Old State = IKE_R_AM2 New State = IKE_DEST_SA
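
As an added example (not from the original post and not Cisco or WatchGuard code), here is a small Python parser for the `debug crypto isakmp` output quoted above. It groups lines by SA tag, records the phase 1 state path, the ID type used for pre-shared key authentication, retransmissions, duplicate packets and SA deletions, and flags SAs that stall in the aggressive-mode responder state IKE_R_AM2 without reaching IKE_P1_COMPLETE. The sample lines are constructed in the shape of the post's log; the regular expressions are tuned to that IOS debug format; the reading in `diagnose()` (the peer never sent aggressive-mode message 3, so it did not accept the responder's identity or pre-shared key hash) is an assumption, not something the thread confirms.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the shape of the "debug crypto isakmp"
# output quoted in the post (not the post's own full capture).
SAMPLE_LOG = """\
Mar 1 15:14:58.173: ISAKMP:(0:92:SW:1):SA is doing pre-shared key authentication using id type ID_USER_FQDN
Mar 1 15:14:58.173: ISAKMP:(0:92:SW:1): sending packet to 80.249.33.107 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Mar 1 15:14:58.177: ISAKMP:(0:92:SW:1):Old State = IKE_READY New State = IKE_R_AM2
Mar 1 15:15:01.234: ISAKMP:(0:92:SW:1): phase 1 packet is a duplicate of a previous packet.
Mar 1 15:15:01.394: ISAKMP:(0:89:SW:1):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 80.249.33.107)
Mar 1 15:15:01.398: ISAKMP:(0:89:SW:1):Old State = IKE_R_AM2 New State = IKE_DEST_SA
Mar 1 15:15:01.735: ISAKMP:(0:92:SW:1): retransmitting phase 1 AG_INIT_EXCH
Mar 1 15:15:03.794: ISAKMP:(0:92:SW:1): phase 1 packet is a duplicate of a previous packet.
Mar 1 15:15:04.295: ISAKMP:(0:92:SW:1): retransmitting phase 1 AG_INIT_EXCH
"""

# Patterns matching the IOS debug format seen in the post (assumed stable).
SA_TAG = re.compile(r"ISAKMP:\((\d+:\d+:SW:\d+)\):?\s*(.*)")
STATE = re.compile(r"Old State = (\S+) New State = (\S+)")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) \w+ \(peer ([\d.]+)\)')
ID_TYPE = re.compile(r"using id type (\w+)")
RETRANS = re.compile(r"retransmitting phase 1 \w+")
DUPLICATE = "duplicate of a previous packet"


def new_sa_record():
    return {"states": [], "id_type": None, "retransmits": 0, "duplicates": 0, "deleted": None}


def parse_isakmp_debug(text):
    """Group SA-tagged debug lines and collect the facts the diagnosis needs."""
    sas = defaultdict(new_sa_record)
    for line in text.splitlines():
        m = SA_TAG.search(line)
        if not m:
            continue  # "ISAKMP (0:N)" and "IPSEC(...)" lines carry no SA tag
        sa, msg = sas[m.group(1)], m.group(2)
        st = STATE.search(msg)
        if st:
            if not sa["states"]:
                sa["states"].append(st.group(1))  # starting state of this SA
            sa["states"].append(st.group(2))
        it = ID_TYPE.search(msg)
        if it:
            sa["id_type"] = it.group(1)
        if RETRANS.search(msg):
            sa["retransmits"] += 1
        if DUPLICATE in msg:
            sa["duplicates"] += 1
        d = DELETE.search(msg)
        if d:
            sa["deleted"] = (d.group(1), d.group(2))  # (reason, peer address)
    return dict(sas)


def stalled_sas(sas):
    """SAs that acted as aggressive-mode responder (IKE_R_AM2) and never finished phase 1."""
    out = []
    for tag, rec in sas.items():
        responder = "IKE_R_AM2" in rec["states"]
        completed = "IKE_P1_COMPLETE" in rec["states"]
        trouble = rec["retransmits"] or rec["duplicates"] or rec["deleted"]
        if responder and not completed and trouble:
            out.append(tag)
    return out


def diagnose(sas):
    """One finding per stalled SA; the interpretation is an assumption, see lead-in."""
    findings = {}
    for tag in stalled_sas(sas):
        rec = sas[tag]
        msg = f"SA {tag}: sent aggressive-mode message 2 as responder"
        if rec["id_type"]:
            msg += f" identifying itself as {rec['id_type']}"
        msg += ", but message 3 never arrived"
        if rec["duplicates"]:
            msg += f" (peer re-sent its first message {rec['duplicates']} time(s))"
        if rec["deleted"]:
            reason, peer = rec["deleted"]
            msg += f'; deleted: "{reason}" for peer {peer}'
        msg += ". Check that the peer expects this ID type/value and binds the PSK to it."
        findings[tag] = msg
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_isakmp_debug(SAMPLE_LOG)).values():
        print(finding)
```

Feed it the full capture from a terminal session (`python parser.py < debug.txt` after replacing `SAMPLE_LOG` with `sys.stdin.read()`) and it reduces a few hundred debug lines to one finding per stalled SA, which is usually the quickest way to see whether the failure is on the ID/PSK binding (responder sends message 2, nothing comes back) or earlier, in proposal negotiation.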

Re: L2L Cisco <-> Watchguard

Posted: Thu 01 Mar 2012 4:52 pm
by Rizio

Re: L2L Cisco <-> Watchguard

Posted: Thu 01 Mar 2012 5:38 pm
by thorpe
I've read all the links (I had already read only one of them), but I can't understand what the problem is in my situation. Using the IP in main mode it works; with DynDNS and aggressive mode it doesn't.

Re: L2L Cisco <-> Watchguard

Posted: Fri 02 Mar 2012 8:53 am
by Rizio
thorpe wrote: Using the IP in main mode it works; with DynDNS and aggressive mode it doesn't.
Sorry, but with DDNS how do you set the IP on which to authorize the encrypted session?

I'm absolutely not a VPN expert, so maybe I'm talking nonsense, but I'm not sure you can do it by setting a DNS name instead of an IP in the crypto key section (and here I ask the forum gurus for enlightenment): am I wrong?

Rizio

Re: L2L Cisco <-> Watchguard

Posted: Fri 02 Mar 2012 9:19 am
by thorpe
Yes, that's right, I wasn't clear. The Cisco has a dynamic IP, but the VPN endpoint, a WatchGuard firewall, has a static IP. For now I've left the Cisco's IP set on the WatchGuard, since it is always on, but I'd like to get it working with DynDNS.

Re: L2L Cisco <-> Watchguard

Posted: Mon 19 Nov 2012 5:00 pm
by thorpe
Has nobody managed to do what I'm trying to do? :cry:

Re: L2L Cisco <-> Watchguard

Posted: Mon 19 Nov 2012 5:15 pm
by Rizio
Well, it doesn't look like it; maybe it isn't an interesting feature :)

Rizio