|
|
 |
MCSEboard.de MCSE Forum zu Windows XP / 2003 / 2008 Server & Windows Vista / Windows 7 |
 |
Cisco Forum — Allgemein
Cisco Forum: Alles zum Thema CISCO Zertifizierungen CCNA, CCNP, CCSP, CCIE etc. — Q & A zum Thema CISCO Router, Switches und Firewalls |
 |
|
12.01.2009, 08:37
|
#1
|
|
Newbie
Offline
Registriert seit: 08-2007
Beiträge: 32
|
IPsec zwischen Cisco 7301 und Cisco 1841
Hi,
ich versuche gerade zwischen einem 7301 und einem 1841 einen ganz normalen ipsec tunnel aufzubauen. vielleicht kann ja mal jemand drüber schauen.
7301 - Loopback1: 10.5.5.5
Code:
crypto isakmp policy 1
group 2
encryption 3des
authentication pre-share
crypto isakmp key cisco1841 address 10.1.1.1
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
!
crypto map cm_L1 17 ipsec-isakmp
set peer 10.1.1.1
set transform-set ts_cisco_170
match address 170
!
interface Loopback1
crypto map cm_L1
!
access-list 170 permit ip any 192.168.1.0 0.0.0.255
1841 - LAN: 192.168.1.0
Code:
crypto isakmp policy 1
group 2
encryption 3des
authentication pre-share
crypto isakmp key cisco1841 address 10.5.5.5
crypto ipsec transform-set ts_cisco_170 esp-des esp-md5-hmac
!
crypto map cm_D1 17 ipsec-isakmp
set peer 10.5.5.5
set transform-set ts_cisco_170
match address 170
!
interface Dialer1
crypto map cm_D1
!
access-list 170 permit ip 192.168.1.0 0.0.0.255 any
vor der bindung der crypto map auf die jeweiligen interface sind alle adressen von überall erreichbar.
–
hier noch die debugs
Debug: 1841
Code:
*Jan 12 08:27:33: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.5.5.5,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xF3F67FC4(4093018052), conn_id= 0, keysize= 0, flags= 0x0
*Jan 12 08:27:33: ISAKMP:(0): SA request profile is (NULL)
*Jan 12 08:27:33: ISAKMP: Created a peer struct for 10.5.5.5, peer port 500
*Jan 12 08:27:33: ISAKMP: New peer created peer = 0x652CE590 peer_handle = 0x80000013
*Jan 12 08:27:33: ISAKMP: Locking peer struct 0x652CE590, refcount 1 for isakmp_initiator
*Jan 12 08:27:33: ISAKMP: local port 500, remote port 500
*Jan 12 08:27:33: ISAKMP: set new node 0 to QM_IDLE
*Jan 12 08:27:33: insert sa successfully sa = 652CF07C
*Jan 12 08:27:33: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan 12 08:27:33: ISAKMP:(0):found peer pre-shared key matching 10.5.5.5
*Jan 12 08:27:33: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan 12 08:27:33: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan 12 08:27:33: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan 12 08:27:33: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 12 08:27:33: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jan 12 08:27:33: ISAKMP:(0): beginning Main Mode exchange
*Jan 12 08:27:33: ISAKMP:(0): sending packet to 10.5.5.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 12 08:27:33: ISAKMP (0:0): received packet from 10.5.5.5 dport 500 sport 500 Global (I) MM_NO_STATE
*Jan 12 08:27:33: ISAKMP:(0):Notify has no hash. Rejected.
*Jan 12 08:27:33: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Jan 12 08:27:33: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jan 12 08:27:33: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
Geändert von nimrod_ (12.01.2009 um 08:37 Uhr).
Grund: –––– Doppelpost – Automerge –––
|
|
|
|
|
|
12.01.2009, 08:38
|
#2
|
|
Newbie
Offline
Registriert seit: 08-2007
Beiträge: 32
|
Code:
*Jan 12 08:27:33: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.5.5.5
*Jan 12 08:28:03: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.1.1.1, remote= 10.5.5.5,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Jan 12 08:28:03: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.5.5.5,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x2AAA75D1(715814353), conn_id= 0, keysize= 0, flags= 0x0
*Jan 12 08:28:03: ISAKMP: set new node 0 to QM_IDLE
*Jan 12 08:28:03: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.1.1.1, remote 10.5.5.5)
*Jan 12 08:28:03: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 12 08:28:03: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 12 08:28:33: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.1.1.1, remote= 10.5.5.5,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
–
Debug: 7301
Code:
Jan 12 07:25:25.354: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 vpngreen (N) NEW SA
Jan 12 07:25:25.354: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
Jan 12 07:25:25.354: ISAKMP: New peer created peer = 0x66DA103C peer_handle = 0x80000015
Jan 12 07:25:25.354: ISAKMP: Locking peer struct 0x66DA103C, refcount 1 for crypto_isakmp_process_block
Jan 12 07:25:25.354: ISAKMP: local port 500, remote port 500
Jan 12 07:25:25.354: insert sa successfully sa = 66DAC3BC
Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Jan 12 07:25:25.354: ISAKMP:(0): processing SA payload. message ID = 0
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Jan 12 07:25:25.354: ISAKMP (0:0): vendor ID is NAT-T v7
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v3
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v2
Jan 12 07:25:25.354: ISAKMP:(0):No pre-shared key with 10.1.1.1!
Jan 12 07:25:25.354: ISAKMP : Scanning profiles for xauth ...
Jan 12 07:25:25.354: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Jan 12 07:25:25.354: ISAKMP: encryption 3DES-CBC
Jan 12 07:25:25.354: ISAKMP: hash SHA
Jan 12 07:25:25.354: ISAKMP: default group 2
Jan 12 07:25:25.354: ISAKMP: auth pre-share
Jan 12 07:25:25.354: ISAKMP: life type in seconds
Jan 12 07:25:25.354: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jan 12 07:25:25.354: ISAKMP:(0):Preshared authentication offered but does not match policy!
Jan 12 07:25:25.354: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 12 07:25:25.354: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jan 12 07:25:25.354: ISAKMP: encryption 3DES-CBC
Jan 12 07:25:25.354: ISAKMP: hash SHA
Jan 12 07:25:25.354: ISAKMP: default group 2
Jan 12 07:25:25.354: ISAKMP: auth pre-share
Jan 12 07:25:25.354: ISAKMP: life type in seconds
Jan 12 07:25:25.354: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jan 12 07:25:25.354: ISAKMP:(0):Encryption algorithm offered does not match policy!
Geändert von nimrod_ (12.01.2009 um 08:38 Uhr).
Grund: –––– Doppelpost – Automerge –––
|
|
|
|
|
|
12.01.2009, 08:39
|
#3
|
|
Newbie
Offline
Registriert seit: 08-2007
Beiträge: 32
|
Code:
Jan 12 07:25:25.354: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 12 07:25:25.354: ISAKMP:(0):no offers accepted!
Jan 12 07:25:25.354: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.5.5.5 remote 10.1.1.1)
Jan 12 07:25:25.354: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jan 12 07:25:25.354: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) MM_NO_STATE
Jan 12 07:25:25.354: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jan 12 07:25:25.354: ISAKMP:(0):peer does not do paranoid keepalives.
Jan 12 07:25:25.354: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.1.1.1)
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Jan 12 07:25:25.354: ISAKMP (0:0): vendor ID is NAT-T v7
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v3
Jan 12 07:25:25.354: ISAKMP:(0): processing vendor id payload
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jan 12 07:25:25.354: ISAKMP:(0): vendor ID is NAT-T v2
Jan 12 07:25:25.354: ISAKMP (0:0): FSM action returned error: 2
Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jan 12 07:25:25.354: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.1.1.1)
Jan 12 07:25:25.354: ISAKMP: Unlocking peer struct 0x66DA103C for isadb_mark_sa_deleted(), count 0
Jan 12 07:25:25.354: ISAKMP: Deleting peer node by peer_reap for 10.1.1.1: 66DA103C
Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
Jan 12 07:25:25.354: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jan 12 07:25:25.354: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 10.1.1.1)
Jan 12 07:25:25.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Jan 12 07:25:25.354: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Jan 12 07:26:25.354: ISAKMP:(0):purging SA., sa=66DAC3BC, delme=66DAC3BC
Jan 12 07:34:48.579: No peer struct to get peer description
|
|
|
|
|
|
12.01.2009, 09:10
|
#4
|
|
Board Veteran
Offline
Registriert seit: 10-2005
Ort: Muenchen
Beiträge: 3.140
|
Das es schon an Phase1 scheitert und die Werte identisch sind gibts bestimmt ein Problem mit dem Loopback und der IP-Adresse.
|
|
|
|
|
12.01.2009, 09:18
|
#5
|
|
Newbie
Offline
Registriert seit: 08-2007
Beiträge: 32
|
hast du eventuell eine etwas genauere vermutung? sitze hier an diesem fehler schon etwas und bin wahrscheinlich schon betriebsblind.
wie bereits geschrieben: zumindest ohne crypto kann ich von überall, nach überall (auch mit anderen source adressen) pingen, also ist zumindest das routing sauber. bin recht ratlos zur zeit.
|
|
|
|
|
12.01.2009, 09:26
|
#6
|
|
Board Veteran
Offline
Registriert seit: 10-2005
Ort: Muenchen
Beiträge: 3.140
|
Du bindest die crypto map ans Loopback, welche IP ist auf dem konfiguriert? Ausserdem postest du keine NAT configs, es kann also alles sein.
|
|
|
|
|
12.01.2009, 09:35
|
#7
|
|
Junior Member
Offline
Registriert seit: 10-2007
Beiträge: 113
|
Nimrod ich machen kein NAT in diesme Versuchsaufbau.
Code:
interface Loopback1
ip vrf forwarding vpngreen
ip address 10.5.5.5 255.255.255.255
crypto map cm_L1
end
Code:
Name Default RD Interfaces
vpngreen 100:159 Lo1
Po1.159
Vi3
Vi2
vpnred 100:158 Lo2
Po1.158
Wir haben uns an diesem Beispiel von Cisco orientiert. Leider erfolglos. |
|
|
|
|
12.01.2009, 09:45
|
#8
|
|
Board Veteran
Offline
Registriert seit: 10-2005
Ort: Muenchen
Beiträge: 3.140
|
debug crypto ipsec error
debug crypto isakmp error
debug crypto engine error
Auf dem 1800er eingeben und dann vom anderen Router einen Ping starten und Output posten ...
|
|
|
|
|
12.01.2009, 09:51
|
#9
|
|
Junior Member
Offline
Registriert seit: 10-2007
Beiträge: 113
|
Die einzige Ausgabe ist:
Code:
c1841-eth#sh debugging
Cryptographic Subsystem:
Crypto ISAKMP Error debugging is on
Crypto Engine Error debugging is on
Crypto IPSEC Error debugging is on
*Jan 12 09:49:20: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /192.168.1.1, src_addr= 10.5.5.5, prot= 1
Könnte dies an unserer ACL auf dem 7301 liegen?
Code:
access-list 170 permit ip any 192.168.1.0 0.0.0.255
|
|
|
|
|
12.01.2009, 10:03
|
#10
|
|
Newbie
Offline
Registriert seit: 08-2007
Beiträge: 32
|
ich hab ja so die vermutung, dass der 7301 die pakete nicht in den tunnel schiebt und somit auch nicht verschlüsselt... (aber was wei ein laie^^)
wir hatten da auch schon einmal eine teilweise funktionierende konfiguration mit einer dynamischen crypto map... kann das evtl. auch ein anhaltspunkt sein?
mit der konfiguration waren zumindest die crypto sessions up-active, ping ging nicht, weil wir da sehr viel, ich will mal sagen "müll" konfiguriert hatten, und dadurch wahrscheinlich das routing, bzw. die acl nicht mehr griffen
in der aktuelle konfig finde ich das
Code:
ISAKMP:(0):Notify has no hash. Rejected.
<<<<< 1841
sehr bedenklich. soweit ich das verstehe, sollten beide geräte die informationen ja eigentlich haben.
Geändert von nimrod_ (12.01.2009 um 10:19 Uhr).
|
|
|
|
|
|
Ähnliche Themen
|
| Thema |
Autor |
Forum |
Antworten |
Letzter Beitrag |
|
Vpn Cisco 1841
|
micha5576 |
Cisco Forum — Allgemein |
3 |
28.11.2007 09:40 |
|
Cisco 1841
|
thematrix |
Cisco Forum — Allgemein |
2 |
12.02.2007 16:05 |
|
VPN mit cisco 1841
|
Ciscler |
Cisco Forum — Allgemein |
3 |
08.05.2006 09:07 |
|
Cisco 1841
|
Ciscler |
Cisco Forum — Allgemein |
17 |
15.04.2006 16:50 |
|
Cisco 1841 T-dsl
|
micha5576 |
Cisco Forum — Allgemein |
2 |
19.01.2005 15:11 |
|
|
