Big VPN client problem on c877w

Virtual private networks and the like

Moderator: Federico.Lagni

Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

Hi all, I can't figure out the problem...
I have a Cisco 877w router with IOS c870-advipservicesk9-mz.124-11.T2.bin on which I can't get an IPsec VPN client connection to work...

Here's the config:

Code:

version 12.4
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ***
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 5 log
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000
logging console critical
enable secret 5 $1$MdVO$rezGJtitBb1SsdOrVj.9S/
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
!
ip nbar pdlm WinMX.pdlm
ip nbar pdlm gnutella.pdlm
ip nbar pdlm eDonkey.pdlm
ip nbar pdlm directconnect.pdlm
ip nbar pdlm bittorrent.pdlm
!
!
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
no ip bootp server
ip name-server 208.67.222.222
ip ssh time-out 60
ip scp server enable
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect one-minute high 500
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS-OUT tcp
ip inspect name IDS-OUT udp
ip ips config location flash:ips-store/ retries 5 timeout 10
ip ips name IPS-IN
!
ip ips signature-category
  category all
   retired true
   event-action reset-tcp-connection deny-packet-inline produce-alert
  category viruses/worms/trojans
   retired false
  category ddos
   retired false
  category adware/spyware
   retired false
  category dos
   retired false
  category attack
   retired false
!
!
multilink bundle-name authenticated
!
!
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  address 208.69.32.130
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
!
!
username admin privilege 15 password ***
username remoto password ****

class-map match-any FILTRO-P2P
 match protocol gnutella
 match protocol edonkey
 match protocol bittorrent
 match protocol directconnect
 match protocol winmx
!
!
policy-map QOS
 class FILTRO-P2P
   drop
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group remote-vpn
 key 9u8uhiucnuh%&/
 dns ***
 domain ***
 pool remote-pool
 acl 158
 save-password
 split-dns ***
 max-users 10
 banner ^C
--------------------------------------------------------------
System is RESTRICTED to authorized personnel ONLY
Unauthorized use of this system will be logged and prosecuted
to the fullest extent of the law.
If you are NOT authorized to use this system, LOG OFF NOW
--------------------------------------------------------------
  ^C
!
!
crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
!
crypto dynamic-map remote-dyn 10
 set transform-set VPN-CLI-SET
!
!
crypto map remotemap local-address ATM0.1
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 65535 ipsec-isakmp dynamic remote-dyn
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 description PHYSICAL INTERFACE FOR ADSL MANAGEMENT
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 ip address 82.90.68.5 255.255.255.0
 ip access-group 131 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 ip ips IPS-IN in
 ip virtual-reassembly
 no ip mroute-cache
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map remotemap
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel least-congested 2427 2432 2437 2442 2447 2452 2457 2462
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 no ip route-cache
 no cdp enable
!
interface Vlan1
 description NETWORK VLAN ***
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip inspect IDS-OUT in
 ip virtual-reassembly
 ip route-cache flow
 no ip mroute-cache
!
ip local pool remote-pool 192.168.0.20 192.168.0.23
ip route 0.0.0.0 0.0.0.0 82.90.68.254
ip route 1.0.0.0 255.0.0.0 Null0
ip route 2.0.0.0 255.0.0.0 Null0
ip route 5.0.0.0 255.0.0.0 Null0
ip route 7.0.0.0 255.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 23.0.0.0 255.0.0.0 Null0
ip route 27.0.0.0 255.0.0.0 Null0
ip route 31.0.0.0 255.0.0.0 Null0
ip route 36.0.0.0 255.0.0.0 Null0
ip route 37.0.0.0 255.0.0.0 Null0
ip route 39.0.0.0 255.0.0.0 Null0
ip route 42.0.0.0 255.0.0.0 Null0
ip route 49.0.0.0 255.0.0.0 Null0
ip route 50.0.0.0 255.0.0.0 Null0
ip route 77.0.0.0 255.0.0.0 Null0
ip route 78.0.0.0 255.0.0.0 Null0
ip route 79.0.0.0 255.0.0.0 Null0
ip route 92.0.0.0 255.0.0.0 Null0
ip route 93.0.0.0 255.0.0.0 Null0
ip route 94.0.0.0 255.0.0.0 Null0
ip route 95.0.0.0 255.0.0.0 Null0
ip route 96.0.0.0 255.0.0.0 Null0
ip route 97.0.0.0 255.0.0.0 Null0
ip route 98.0.0.0 255.0.0.0 Null0
ip route 99.0.0.0 255.0.0.0 Null0
ip route 100.0.0.0 255.0.0.0 Null0
ip route 101.0.0.0 255.0.0.0 Null0
ip route 102.0.0.0 255.0.0.0 Null0
ip route 103.0.0.0 255.0.0.0 Null0
ip route 104.0.0.0 255.0.0.0 Null0
ip route 105.0.0.0 255.0.0.0 Null0
ip route 106.0.0.0 255.0.0.0 Null0
ip route 107.0.0.0 255.0.0.0 Null0
ip route 108.0.0.0 255.0.0.0 Null0
ip route 109.0.0.0 255.0.0.0 Null0
ip route 110.0.0.0 255.0.0.0 Null0
ip route 111.0.0.0 255.0.0.0 Null0
ip route 112.0.0.0 255.0.0.0 Null0
ip route 113.0.0.0 255.0.0.0 Null0
ip route 114.0.0.0 255.0.0.0 Null0
ip route 115.0.0.0 255.0.0.0 Null0
ip route 116.0.0.0 255.0.0.0 Null0
ip route 117.0.0.0 255.0.0.0 Null0
ip route 118.0.0.0 255.0.0.0 Null0
ip route 119.0.0.0 255.0.0.0 Null0
ip route 120.0.0.0 255.0.0.0 Null0
ip route 121.0.0.0 255.0.0.0 Null0
ip route 122.0.0.0 255.0.0.0 Null0
ip route 123.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 173.0.0.0 255.0.0.0 Null0
ip route 174.0.0.0 255.0.0.0 Null0
ip route 175.0.0.0 255.0.0.0 Null0
ip route 176.0.0.0 255.0.0.0 Null0
ip route 177.0.0.0 255.0.0.0 Null0
ip route 178.0.0.0 255.0.0.0 Null0
ip route 179.0.0.0 255.0.0.0 Null0
ip route 180.0.0.0 255.0.0.0 Null0
ip route 181.0.0.0 255.0.0.0 Null0
ip route 182.0.0.0 255.0.0.0 Null0
ip route 183.0.0.0 255.0.0.0 Null0
ip route 184.0.0.0 255.0.0.0 Null0
ip route 185.0.0.0 255.0.0.0 Null0
ip route 186.0.0.0 255.0.0.0 Null0
ip route 187.0.0.0 255.0.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.20 255.255.255.252 ATM0.1
ip route 197.0.0.0 255.0.0.0 Null0
ip route 223.0.0.0 255.0.0.0 Null0
!
!
no ip http server
no ip http secure-server
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 120
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat inside source list 101 interface ATM0.1 overload
!
logging history notifications
access-list 101 remark ************************************************************
access-list 101 remark **** ACL FOR PAT AND NAT0 ***
access-list 101 remark ************************************************************
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO ALLOW ACCESS FROM **** ***
access-list 131 remark *************************************************************
access-list 131 permit ip **** any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL FOR VPN TRAFFIC  ***
access-list 131 remark *************************************************************
access-list 131 permit esp any any
access-list 131 permit udp any any eq isakmp
access-list 131 permit udp any any eq non500-isakmp
access-list 131 permit udp any eq isakmp any
access-list 131 permit udp any eq non500-isakmp any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL FOR NTP TRAFFIC  ***
access-list 131 remark *************************************************************
access-list 131 permit udp any any eq ntp
access-list 131 remark *************************************************************
access-list 131 remark *** ANTI-SPOOFING ACL ***
access-list 131 remark *************************************************************
access-list 131 deny   ip host 0.0.0.0 any log
access-list 131 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 deny   ip 0.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 1.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 2.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 5.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 7.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 23.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 27.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 31.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 36.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 37.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 39.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 42.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 49.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 50.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 77.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 78.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 79.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 92.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 93.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 94.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 95.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 96.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 97.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 98.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 99.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 100.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 101.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 102.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 103.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 104.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 105.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 106.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 107.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 108.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 109.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 110.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 111.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 112.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 113.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 114.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 115.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 116.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 117.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 118.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 119.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 120.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 121.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 122.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 123.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 169.254.0.0 0.0.255.255 any log-input
access-list 131 deny   ip 173.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 174.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 175.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 176.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 177.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 178.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 179.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 180.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 181.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 182.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 183.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 184.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 185.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 186.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 187.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 197.0.0.0 0.255.255.255 any log-input
access-list 131 deny   ip 223.0.0.0 0.255.255.255 any log-input
access-list 131 deny   icmp any any log-input fragments
access-list 131 permit ip any 224.0.0.0 15.255.255.255
access-list 131 permit 41 any any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO CONTROL ICMP TRAFFIC ***
access-list 131 remark *************************************************************
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny   icmp any any
access-list 131 remark **************************************************************
access-list 131 remark *** ACL TO BLOCK WORMS ***
access-list 131 remark **************************************************************
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   udp any any eq netbios-ns
access-list 131 deny   udp any any eq netbios-dgm
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq netbios-ss
access-list 131 deny   tcp any any eq 445
access-list 131 deny   tcp any any eq 8888
access-list 131 deny   tcp any any eq 8594
access-list 131 deny   tcp any any eq 8563
access-list 131 deny   tcp any any eq 7778
access-list 131 deny   tcp any any eq 593
access-list 131 deny   tcp any any eq 2049
access-list 131 deny   udp any any eq 2049
access-list 131 deny   tcp any any eq 2000
access-list 131 deny   tcp any any range 6000 6010
access-list 131 deny   udp any any eq 1433
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 5554
access-list 131 deny   udp any any eq 9996
access-list 131 deny   udp any any eq 113
access-list 131 deny   udp any any eq 3067
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK UNAUTHORIZED ACCESS ***
access-list 131 remark *************************************************************
access-list 131 deny   ip any any log
access-list 131 remark *************************************************************
access-list 158 remark *** ACL FOR SPLIT-TUNNEL FROM VPN-CLIENT ***
access-list 158 remark *************************************************************
access-list 158 permit ip 192.168.0.0 0.0.0.255 192.168.0.20 0.0.0.3
access-list 158 remark *************************************************************
dialer-list 1 protocol ip permit
snmp-server community *** RO
snmp-server location ****
snmp-server contact ***
no cdp run
!
!
!
!
control-plane
!
banner motd ^C
****************************************************************
----------------------------------------------------------------
* ***           PERIMETER FIREWALL *** ***   *
----------------------------------------------------------------
* WARNING: System is RESTRICTED to authorized personnel ONLY! *
* Unauthorized use of this system will be logged and *
* prosecuted to the fullest extent of the law. *
* *
* If you are NOT authorized to use this system, LOG OFF NOW! *
* *
****************************************************************
^C
!
line con 0
 login local
 no modem enable
 transport output ssh
 stopbits 1
line aux 0
 login local
 transport output ssh
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
ntp clock-period 17175094
ntp server 193.204.114.232
ntp server 193.204.114.233
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end
I can tell you that:
1) Debugging, it looks like the policies are not accepted and phase 1 doesn't come up (...).
2) The IOS has no problems, because on Thursday I installed it on an 877 (not w, but I don't think that's the issue) and with the VPN client, zero problems.
3) I've already removed everything... IDS, IPS, ACL, QoS, but nothing changes...

Thanks a lot and have a good weekend!
The future is made of people who have intuitions and visions..... they are the people who make the difference...... those endowed with a THIRD EYE....
Wizard

Log from the VPN client:

1 12:48:09.750 05/19/07 Sev=Info/6 CERT/0x63600025
Attempting to find a Certificate using Serial Hash.

2 12:48:09.750 05/19/07 Sev=Info/6 CERT/0x63600026
Found a Certificate using Serial Hash.

3 12:48:09.750 05/19/07 Sev=Warning/3 GUI/0xA3B0000B
Reloaded the Certificates in all Certificate Stores successfully.

4 12:52:02.156 05/19/07 Sev=Info/4 CM/0x63100002
Begin connection process

5 12:52:02.171 05/19/07 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

6 12:52:02.171 05/19/07 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

7 12:52:02.171 05/19/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "82.90.68.5"

8 12:52:03.171 05/19/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 82.90.68.5.

9 12:52:03.218 05/19/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 82.90.68.5

10 12:52:03.218 05/19/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

11 12:52:03.218 05/19/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

12 12:52:08.546 05/19/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

13 12:52:08.546 05/19/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.90.68.5

14 12:52:13.546 05/19/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

15 12:52:13.546 05/19/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.90.68.5

16 12:52:18.546 05/19/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

17 12:52:18.546 05/19/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.90.68.5

18 12:52:23.546 05/19/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=E84E12401BBD4663 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

19 12:52:24.046 05/19/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=E84E12401BBD4663 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

20 12:52:24.046 05/19/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "82.90.68.5" because of "DEL_REASON_PEER_NOT_RESPONDING"
Wizard

Logs from the router:


001462: May 19 14:16:36.363 MEDT: ISAKMP (0:0): received packet from 79.8.38.171 dport 500 sport 500 Global (N) NEW SA
001463: May 19 14:16:36.363 MEDT: ISAKMP: Created a peer struct for 79.8.38.171, peer port 500
001464: May 19 14:16:36.363 MEDT: ISAKMP: New peer created peer = 0x8489A94C peer_handle = 0x80000085
001465: May 19 14:16:36.367 MEDT: ISAKMP: Locking peer struct 0x8489A94C, refcount 1 for crypto_isakmp_process_block
001466: May 19 14:16:36.367 MEDT: ISAKMP:(0):Setting client config settings 84849954
001467: May 19 14:16:36.367 MEDT: ISAKMP:(0):(Re)Setting client xauth list and state
001468: May 19 14:16:36.367 MEDT: ISAKMP/xauth: initializing AAA request
001469: May 19 14:16:36.367 MEDT: ISAKMP: local port 500, remote port 500
001470: May 19 14:16:36.367 MEDT: insert sa successfully sa = 836D5EE0
001471: May 19 14:16:36.367 MEDT: ISAKMP:(0): processing SA payload. message ID = 0
001472: May 19 14:16:36.367 MEDT: ISAKMP:(0): processing ID payload. message ID = 0
001473: May 19 14:16:36.367 MEDT: ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : remote-vpn
protocol : 17
port : 500
length : 18
001474: May 19 14:16:36.367 MEDT: ISAKMP:(0):: peer matches *none* of the profiles
001475: May 19 14:16:36.367 MEDT: ISAKMP:(0): processing vendor id payload
001476: May 19 14:16:36.367 MEDT: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
001477: May 19 14:16:36.367 MEDT: ISAKMP:(0): vendor ID is XAUTH
001478: May 19 14:16:36.367 MEDT: ISAKMP:(0): processing vendor id payload
001479: May 19 14:16:36.367 MEDT: ISAKMP:(0): vendor ID is DPD
001480: May 19 14:16:36.371 MEDT: ISAKMP:(0): processing vendor id payload
001481: May 19 14:16:36.371 MEDT: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
001482: May 19 14:16:36.371 MEDT: ISAKMP:(0): processing vendor id payload
001483: May 19 14:16:36.371 MEDT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
001484: May 19 14:16:36.371 MEDT: ISAKMP:(0): vendor ID is NAT-T v2
001485: May 19 14:16:36.371 MEDT: ISAKMP:(0): processing vendor id payload
001486: May 19 14:16:36.371 MEDT: ISAKMP:(0): vendor ID is Unity
001487: May 19 14:16:36.371 MEDT: ISAKMP:(0): Authentication by xauth preshared
001488: May 19 14:16:36.371 MEDT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
001489: May 19 14:16:36.371 MEDT: ISAKMP: encryption AES-CBC
001490: May 19 14:16:36.371 MEDT: ISAKMP: hash SHA
001491: May 19 14:16:36.371 MEDT: ISAKMP: default group 2
001492: May 19 14:16:36.371 MEDT: ISAKMP: auth XAUTHInitPreShared
001493: May 19 14:16:36.371 MEDT: ISAKMP: life type in seconds
001494: May 19 14:16:36.371 MEDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
001495: May 19 14:16:36.371 MEDT: ISAKMP: keylength of 256
001496: May 19 14:16:36.371 MEDT: ISAKMP:(0):Encryption algorithm offered does not match policy!
001497: May 19 14:16:36.371 MEDT: ISAKMP:(0):atts are not acceptable. Next payload is 3
001498: May 19 14:16:36.371 MEDT: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
001499: May 19 14:16:36.371 MEDT: ISAKMP: encryption AES-CBC
001500: May 19 14:16:36.371 MEDT: ISAKMP: hash MD5
001501: May 19 14:16:36.371 MEDT: ISAKMP: default group 2
001502: May 19 14:16:36.371 MEDT: ISAKMP: auth XAUTHInitPreShared
001503: May 19 14:16:36.375 MEDT: ISAKMP: life type in seconds
001504: May 19 14:16:36.375 MEDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
001505: May 19 14:16:36.375 MEDT: ISAKMP: keylength of 256
001506: May 19 14:16:36.375 MEDT: ISAKMP:(0):Encryption algorithm offered does not match policy!
001507: May 19 14:16:36.375 MEDT: ISAKMP:(0):atts are not acceptable. Next payload is 3
001508: May 19 14:16:36.375 MEDT: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
001509: May 19 14:16:36.375 MEDT: ISAKMP: encryption AES-CBC
001510: May 19 14:16:36.375 MEDT: ISAKMP: hash SHA
001511: May 19 14:16:36.375 MEDT: ISAKMP: default group 2
001512: May 19 14:16:36.375 MEDT: ISAKMP: auth pre-share
001513: May 19 14:16:36.375 MEDT: ISAKMP: life type in seconds
001514: May 19 14:16:36.375 MEDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
001515: May 19 14:16:36.375 MEDT: ISAKMP: keylength of 256
001516: May 19 14:16:36.375 MEDT: ISAKMP:(0):Encryption algorithm offered does not match policy!
001517: May 19 14:16:36.375 MEDT: ISAKMP:(0):atts are not acceptable. Next payload is 3
001518: May 19 14:16:36.375 MEDT: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
001519: May 19 14:16:36.375 MEDT: ISAKMP: encryption AES-CBC
001520: May 19 14:16:36.375 MEDT: ISAKMP: hash MD5
001521: May 19 14:16:36.375 MEDT: ISAKMP: default group 2
001522: May 19 14:16:36.375 MEDT: ISAKMP: auth pre-share
001523: May 19 14:16:36.375 MEDT: ISAKMP: life type in seconds
001524: May 19 14:16:36.375 MEDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
001525: May 19 14:16:36.375 MEDT: ISAKMP: keylength of 256
001526: May 19 14:16:36.379 MEDT: ISAKMP:(0):Encryption algorithm offered does not match policy!
001527: May 19 14:16:36.379 MEDT: ISAKMP:(0):atts are not acceptable. Next payload is 3
001528: May 19 14:16:36.379 MEDT: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
001529: May 19 14:16:36.379 MEDT: ISAKMP: encryption AES-CBC
001530: May 19 14:16:36.379 MEDT: ISAKMP: hash SHA
001531: May 19 14:16:36.379 MEDT: ISAKMP: default group 2
001532: May 19 14:16:36.379 MEDT: ISAKMP: auth XAUTHInitPreShared
001533: May 19 14:16:36.379 MEDT: ISAKMP: life type in seconds
001534: May 19 14:16:36.379 MEDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
001535: May 19 14:16:36.379 MEDT: ISAKMP: keylength of 128
001536: May 19 14:16:36.379 MEDT: ISAKMP:(0):Encryption algorithm offered does not match policy!
001537: May 19 14:16:36.379 MEDT: ISAKMP:(0):atts are not acceptable. Next payload is 3
001538: May 19 14:16:36.379 MEDT: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
001539: May 19 14:16:36.379 MEDT: ISAKMP: encryption AES-CBC
001540: May 19 14:16:36.379 MEDT: ISAKMP: hash MD5
001541: May 19 14:16:36.379 MEDT: ISAKMP: default group 2
001542: May 19 14:16:36.379 MEDT: ISAKMP: auth XAUTHInitPreShared
001543: May 19 14:16:36.379 MEDT: ISAKMP: life type in seconds
001544: May 19 14:16:36.379 MEDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
001545: May 19 14:16:36.379 MEDT: ISAKMP: keylength of 128
001546: May 19 14:16:36.379 MEDT: ISAKMP:(0):Encryption algorithm offered does not match policy!
001547: May 19 14:16:36.379 MEDT: ISAKMP:(0):atts are not acceptable. Next payload is 3
001548: May 19 14:16:36.379 MEDT: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
001549: May 19 14:16:36.379 MEDT: ISAKMP: encryption AES-CBC
001550: May 19 14:16:36.379 MEDT: ISAKMP: hash SHA
001551: May 19 14:16:36.379 MEDT: ISAKMP: default group 2
001552: May 19 14:16:36.383 MEDT: ISAKMP: auth pre-share
001553: May 19 14:16:36.383 MEDT: ISAKMP: life type in seconds
001554: May 19 14:16:36.383 MEDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
001555: May 19 14:16:36.383 MEDT: ISAKMP: keylength of 128
001556: May 19 14:16:36.383 MEDT: ISAKMP:(0):Encryption algorithm offered does not match policy!
001557: May 19 14:16:36.383 MEDT: ISAKMP:(0):atts are not acceptable. Next payload is 3
001558: May 19 14:16:36.383 MEDT: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
001559: May 19 14:16:36.383 MEDT: ISAKMP: encryption AES-CBC
001560: May 19 14:16:36.383 MEDT: ISAKMP: hash MD5
001561: May 19 14:16:36.383 MEDT: ISAKMP: default group 2
001562: May 19 14:16:36.383 MEDT: ISAKMP: auth pre-share
001563: May 19 14:16:36.383 MEDT: ISAKMP: life type in seconds
001564: May 19 14:16:36.383 MEDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
001565: May 19 14:16:36.383 MEDT: ISAKMP: keylength of 128
001566: May 19 14:16:36.383 MEDT: ISAKMP:(0):Encryption algorithm offered does not match policy!
001567: May 19 14:16:36.383 MEDT: ISAKMP:(0):atts are not acceptable. Next payload is 3
001568: May 19 14:16:36.383 MEDT: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
001569: May 19 14:16:36.383 MEDT: ISAKMP: encryption 3DES-CBC
001570: May 19 14:16:36.383 MEDT: ISAKMP: hash SHA
001571: May 19 14:16:36.383 MEDT: ISAKMP: default group 2
001572: May 19 14:16:36.383 MEDT: ISAKMP: auth XAUTHInitPreShared
001573: May 19 14:16:36.383 MEDT: ISAKMP: life type in seconds
001574: May 19 14:16:36.383 MEDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
001575: May 19 14:16:36.383 MEDT: ISAKMP:(0):Hash algorithm offered does not match policy!
001576: May 19 14:16:36.383 MEDT: ISAKMP:(0):atts are not acceptable. Next payload is 3
001577: May 19 14:16:36.383 MEDT: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
001578: May 19 14:16:36.383 MEDT: ISAKMP: encryption 3DES-CBC
001579: May 19 14:16:36.383 MEDT: ISAKMP: hash MD5
001580: May 19 14:16:36.383 MEDT: ISAKMP: default group 2
001581: May 19 14:16:36.387 MEDT: ISAKMP: auth XAUTHInitPreShared
001582: May 19 14:16:36.387 MEDT: ISAKMP: life type in seconds
001583: May 19 14:16:36.387 MEDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
001584: May 19 14:16:36.387 MEDT: ISAKMP:(0):atts are acceptable. Next payload is 3
001585: May 19 14:16:36.387 MEDT: ISAKMP:(0): processing KE payload. message ID = 0
001586: May 19 14:16:36.387 MEDT: crypto_engine: Create DH shared secret
001587: May 19 14:16:36.427 MEDT: ISAKMP:(0): processing NONCE payload. message ID = 0
001588: May 19 14:16:36.427 MEDT: ISAKMP:(0): vendor ID is NAT-T v2
001589: May 19 14:16:36.431 MEDT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
001590: May 19 14:16:36.431 MEDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT

001591: May 19 14:16:36.431 MEDT: crypto_engine: Create IKE SA
001592: May 19 14:16:36.431 MEDT: crypto engine: deleting DH phase 2 SW:5
001593: May 19 14:16:36.431 MEDT: crypto_engine: Delete DH shared secret
001594: May 19 14:16:36.431 MEDT: ISAKMP:(2003): constructed NAT-T vendor-02 ID
001595: May 19 14:16:36.431 MEDT: ISAKMP:(2003):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
001596: May 19 14:16:36.435 MEDT: ISAKMP (0:2003): ID payload
next-payload : 10
type : 1
address : 82.90.68.5
protocol : 17
port : 0
length : 12
001597: May 19 14:16:36.435 MEDT: ISAKMP:(2003):Total payload length: 12
001598: May 19 14:16:36.435 MEDT: crypto_engine: Generate IKE hash
001599: May 19 14:16:36.435 MEDT: ISAKMP:(2003): sending packet to 79.8.38.171 my_port 500 peer_port 500 (R) AG_INIT_EXCH
001600: May 19 14:16:36.435 MEDT: ISAKMP:(2003):Sending an IKE IPv4 Packet.
001601: May 19 14:16:36.435 MEDT: ISAKMP:(2003):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
001602: May 19 14:16:36.435 MEDT: ISAKMP:(2003):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2

001603: May 19 14:16:41.373 MEDT: ISAKMP (0:2003): received packet from 79.8.38.171 dport 500 sport 500 Global (R) AG_INIT_EXCH
001604: May 19 14:16:41.373 MEDT: ISAKMP:(2003): phase 1 packet is a duplicate of a previous packet.
001605: May 19 14:16:41.373 MEDT: ISAKMP:(2003): retransmitting due to retransmit phase 1
001606: May 19 14:16:41.873 MEDT: ISAKMP:(2003): retransmitting phase 1 AG_INIT_EXCH...
001607: May 19 14:16:41.873 MEDT: ISAKMP (0:2003): incrementing error counter on sa, attempt 1 of 1: retransmit phase 1
001608: May 19 14:16:41.873 MEDT: ISAKMP:(2003): retransmitting phase 1 AG_INIT_EXCH
001609: May 19 14:16:41.873 MEDT: ISAKMP:(2003): sending packet to 79.8.38.171 my_port 500 peer_port 500 (R) AG_INIT_EXCH
001610: May 19 14:16:41.873 MEDT: ISAKMP:(2003):Sending an IKE IPv4 Packet.
001611: May 19 14:16:46.384 MEDT: ISAKMP (0:2003): received packet from 79.8.38.171 dport 500 sport 500 Global (R) AG_INIT_EXCH
001612: May 19 14:16:46.384 MEDT: ISAKMP:(2003): phase 1 packet is a duplicate of a previous packet.
001613: May 19 14:16:46.384 MEDT: ISAKMP:(2003): retransmitting due to retransmit phase 1
001614: May 19 14:16:46.884 MEDT: ISAKMP:(2003): retransmitting phase 1 AG_INIT_EXCH...
001615: May 19 14:16:46.884 MEDT: ISAKMP:(2003):peer does not do paranoid keepalives.

001616: May 19 14:16:46.884 MEDT: ISAKMP:(2003):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 79.8.38.171)
001617: May 19 14:16:46.884 MEDT: ISAKMP:(2003):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 79.8.38.171)
001618: May 19 14:16:46.884 MEDT: ISAKMP: Unlocking peer struct 0x8489A94C for isadb_mark_sa_deleted(), count 0
001619: May 19 14:16:46.884 MEDT: ISAKMP: Deleting peer node by peer_reap for 79.8.38.171: 8489A94C
001620: May 19 14:16:46.884 MEDT: crypto engine: deleting IKE SA SW:3
001621: May 19 14:16:46.884 MEDT: crypto_engine: Delete IKE SA
001622: May 19 14:16:46.884 MEDT: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001623: May 19 14:16:46.884 MEDT: ISAKMP:(2003):Old State = IKE_R_AM2 New State = IKE_DEST_SA

001624: May 19 14:16:46.888 MEDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
001625: May 19 14:16:51.458 MEDT: ISAKMP (0:2003): received packet from 79.8.38.171 dport 500 sport 500 Global (R) MM_NO_STATE
Wizard

I found the problem... it was the routes to Null0 (anti-spoofing).
Be careful with this guide: http://www.areanetworking.it/index_docs ... blackholes
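The two logs above fit together once you read the posted config the way the router's forwarding plane does. ACL 131 on ATM0.1 lists the VPN permits (esp, udp/isakmp, udp/non500-isakmp) before the anti-spoofing denies, so the client's aggressive-mode packet from 79.8.38.171 is accepted and the router even picks transform 10 (3DES/MD5/XAUTH) and sends its AG_INIT_EXCH reply. That reply, however, is routed by longest prefix match, and `ip route 79.0.0.0 255.0.0.0 Null0` is more specific than the default route, so it is discarded on the way out: the client sees DEL_REASON_PEER_NOT_RESPONDING and the router logs "Death by retransmission P1". 79.0.0.0/8 was no longer a bogon in 2007 (it is a RIPE NCC allocation), which is the usual failure of hand-maintained bogon lists. The script below is an added example, not part of the thread or the poster's config: it re-implements that first-match ACL check and the FIB lookup over a hand-copied excerpt of the posted lines (the second peer address, 198.51.100.7, is constructed) and returns the diagnosis for a given peer.

```python
"""Check a VPN peer against the 877w's static bogon filters.

Added example, not from the thread: it parses a hand-copied excerpt of the
posted config and answers, for one peer address, (1) whether ACL 131 lets
its ISAKMP packet in and (2) where the router's reply would be routed.
"""
import ipaddress

# Constructed excerpt of the posted config (relevant lines, original order).
CONFIG = """
ip route 0.0.0.0 0.0.0.0 82.90.68.254
ip route 10.0.0.0 255.0.0.0 Null0
ip route 77.0.0.0 255.0.0.0 Null0
ip route 78.0.0.0 255.0.0.0 Null0
ip route 79.0.0.0 255.0.0.0 Null0
ip route 192.168.0.20 255.255.255.252 ATM0.1
access-list 131 permit esp any any
access-list 131 permit udp any any eq isakmp
access-list 131 permit udp any any eq non500-isakmp
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 79.0.0.0 0.255.255.255 any log-input
access-list 131 permit icmp any any echo
access-list 131 deny   ip any any log
"""

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


def _prefixlen(mask, wildcard=False):
    """Dotted netmask (or IOS wildcard mask) -> prefix length."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:                      # a wildcard is the inverted netmask
        bits ^= 0xFFFFFFFF
    return bin(bits).count("1")


def _take_addr(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) -> network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    plen = _prefixlen(tokens.pop(0), wildcard=True)
    return ipaddress.ip_network(f"{tok}/{plen}", strict=False)


def parse_acl(text, number="131"):
    """Return ACL entries as (action, proto, src_net, dst_net, dst_port), in order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", number] or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = None
        if rest and rest[0] == "eq":
            port = PORT_NAMES.get(rest[1], rest[1])
        entries.append((action, proto, src, dst, port))
    return entries


def parse_routes(text):
    """Return static routes as (network, next_hop_or_interface)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{tok[2]}/{_prefixlen(tok[3])}", strict=False)
            routes.append((net, tok[4]))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match, as the router's FIB does for the outgoing reply."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def isakmp_inbound_allowed(acl, src, dport=500, wan="82.90.68.5"):
    """First-match evaluation of a UDP/dport packet from src to the WAN address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(wan)
    for action, proto, src_net, dst_net, port in acl:
        if proto not in ("ip", "udp"):
            continue
        if s in src_net and d in dst_net and port in (None, dport):
            return action == "permit"
    return False                      # implicit deny at the end of every IOS ACL


def diagnose(peer, config=CONFIG):
    """Request gets in, reply never leaves: the PEER_NOT_RESPONDING pattern."""
    acl, routes = parse_acl(config), parse_routes(config)
    hop = next_hop(routes, peer)
    return {
        "peer": peer,
        "isakmp_in_allowed": isakmp_inbound_allowed(acl, peer),
        "reply_next_hop": hop,
        "reply_blackholed": hop == "Null0",
    }


if __name__ == "__main__":
    for peer in ("79.8.38.171", "198.51.100.7"):   # second address is constructed
        print(diagnose(peer))
```

Two things fall out of running it. First, the anti-spoofing denies in ACL 131 never see ISAKMP or ESP at all, because the VPN permits precede them; the only thing that "enforced" the bogon list for VPN peers was the Null0 routes eating the replies. Second, a static bogon list has to be pruned as /8s get allocated; keeping only the ranges that are never routable (RFC 1918, 127/8, 169.254/16, 192.0.2/24, 0/8, 224/4) as Null0 routes avoids this class of outage without giving up the anti-spoofing value.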