URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 1243

Original message
" Cisco ASA 5512 + ZyWALL USG 20"

Posted by mitgard, 25-Feb-14 12:55
Good day.

I can't get it to work. I don't understand what the problem is. Phase 1 goes through, it gets stuck on Phase 2.
Cisco logs:
Feb 25 10:31:33 [IKEv1]IP = [IP of ZyWALL], IKE_DECODE RECEIVED Message (msgid=7020468f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 118
Feb 25 10:31:33 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], processing hash payload
Feb 25 10:31:33 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], processing notify payload
Feb 25 10:31:33 [IKEv1]Group = [IP of ZyWALL], IP = [IP of ZyWALL], Received non-routine Notify message: No proposal chosen (14)
Feb 25 10:31:41 [IKEv1]IP = [IP of ZyWALL], IKE_DECODE RECEIVED Message (msgid=7020468f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 118
Feb 25 10:31:41 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], processing hash payload
Feb 25 10:31:41 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], processing notify payload
Feb 25 10:31:41 [IKEv1]Group = [IP of ZyWALL], IP = [IP of ZyWALL], Received non-routine Notify message: No proposal chosen (14)
Feb 25 10:31:49 [IKEv1]Group = [IP of ZyWALL], IP = [IP of ZyWALL], QM FSM error (P2 struct &0x00007fffa3c8a2c0, mess id 0xa46553a6)!
Feb 25 10:31:49 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], IKE QM Initiator FSM error history (struct &0x00007fffa3c8a2c0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Feb 25 10:31:49 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], sending delete/delete with reason message
Feb 25 10:31:49 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], constructing blank hash payload
Feb 25 10:31:49 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], constructing IPSec delete payload
Feb 25 10:31:49 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], constructing qm hash payload
Feb 25 10:31:49 [IKEv1]IP = [IP of ZyWALL], IKE_DECODE SENDING Message (msgid=3b2cc295) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Feb 25 10:31:49 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], IKE Deleting SA: Remote Proxy 192.168.1.0, Local Proxy 192.168.26.0
Feb 25 10:31:49 [IKEv1]Group = [IP of ZyWALL], IP = [IP of ZyWALL], Removing peer from correlator table failed, no match!
Feb 25 10:31:49 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], IKE SA MM:4997e6e2 rcv'd Terminate: state MM_ACTIVE  flags 0x00000062, refcnt 1, tuncnt 0
Feb 25 10:31:49 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], IKE SA MM:4997e6e2 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Feb 25 10:31:49 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], sending delete/delete with reason message
Feb 25 10:31:49 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], constructing blank hash payload
Feb 25 10:31:49 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], constructing IKE delete payload
Feb 25 10:31:49 [IKEv1 DEBUG]Group = [IP of ZyWALL], IP = [IP of ZyWALL], constructing qm hash payload
Feb 25 10:31:49 [IKEv1]IP = [IP of ZyWALL], IKE_DECODE SENDING Message (msgid=5af08af2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Feb 25 10:31:49 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xd23adfc2
Feb 25 10:31:49 [IKEv1]Group = [IP of ZyWALL], IP = [IP of ZyWALL], Session is being torn down. Reason: Lost Service
Feb 25 10:31:49 [IKEv1]Ignoring msg to mark SA with dsID 1429504 dead because SA deleted

ZyWALL logs: https://imageshack.com/i/171bvzp


" Cisco ASA 5512 + ZyWALL USG 20"
Posted by spiegel, 25-Feb-14 14:41

> ZyWALL], Received non-routine Notify message: No proposal chosen (14)

Check the crypto isakmp policy


" Cisco ASA 5512 + ZyWALL USG 20"
Posted by mitgard, 25-Feb-14 14:52
>> ZyWALL], Received non-routine Notify message: No proposal chosen (14)
> Check the crypto isakmp policy

crypto ikev1 policy 15
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
!
crypto ikev2 policy 10
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
!

Well, something like that.
On the ZyWALL it's identical. DES/SHA1.


" Cisco ASA 5512 + ZyWALL USG 20"
Posted by spiegel, 25-Feb-14 14:59


Do the crypto ipsec transform-set ... also match? In the ZyWall log: Phase 2 remote policy mismatch


" Cisco ASA 5512 + ZyWALL USG 20"
Posted by mitgard, 25-Feb-14 15:10

> Do the crypto ipsec transform-set ... also match? In the ZyWall log: Phase 2
> remote policy mismatch

Yep, that's the first thing I checked:
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac


" Cisco ASA 5512 + ZyWALL USG 20"
Posted by mitgard, 25-Feb-14 15:12

> Do the crypto ipsec transform-set ... also match? In the ZyWall log: Phase 2
> remote policy mismatch

Forgot to add this:
!
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
!
crypto map SITEVPN 15 match address SITE_KCMSKRED_CRMAP
crypto map SITEVPN 15 set peer <IP of ZyWALL>
crypto map SITEVPN 15 set ikev1 transform-set ESP-DES-SHA


" Cisco ASA 5512 + ZyWALL USG 20"
Posted by mitgard, 25-Feb-14 17:56

>[overquoting removed]
>> remote policy mismatch
> Forgot to add this:
> !
> crypto ipsec ikev2 ipsec-proposal DES
>  protocol esp encryption des
>  protocol esp integrity sha-1 md5
> !
> crypto map SITEVPN 15 match address SITE_KCMSKRED_CRMAP
> crypto map SITEVPN 15 set peer <IP of ZyWALL>
> crypto map SITEVPN 15 set ikev1 transform-set ESP-DES-SHA

I mean, this is also in the config, but the tunnel still doesn't come up.


" Cisco ASA 5512 + ZyWALL USG 20"
Posted by mitgard, 26-Feb-14 14:04
>[overquoting removed]
>> !
>> crypto ipsec ikev2 ipsec-proposal DES
>>  protocol esp encryption des
>>  protocol esp integrity sha-1 md5
>> !
>> crypto map SITEVPN 15 match address SITE_KCMSKRED_CRMAP
>> crypto map SITEVPN 15 set peer <IP of ZyWALL>
>> crypto map SITEVPN 15 set ikev1 transform-set ESP-DES-SHA
> I mean, this is also in the config, but the tunnel still doesn't
> come up.

The tunnel came up.
It turns out that on the ZyWALL, in VPN Connection - <connection name>, when viewing the settings in advanced mode, the group had to be specified explicitly (setting: PFS: DH<group number>). On the Cisco it is set by this parameter:
!
crypto ikev1 policy 15
...
group 2
...
!
I.e. in my case it's "group 2", so on the ZyWALL the value is "PFS: DH2".

But here's the problem: pings don't go through.
#sh cry ikev1 sa:
3   IKE Peer: <IP of ZyWALL>
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

I.e. everything seems to be fine, but there are no pings. Checked NAT, everything is normal.
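The ASA output in the opening post, and the Phase 2 parameter comparison the thread ends on, are the kind of thing worth automating when triaging a site-to-site tunnel. The following Python is an added example, not code from the thread or from either vendor: it parses ASA IKEv1 syslog lines of the shape quoted above, decides whether the "No proposal chosen" rejection arrived while Phase 1 was already complete (which points at the IPsec/Phase 2 proposal rather than the ISAKMP policy), pulls out the proxy identities from the "Deleting SA" line, and diffs two constructed per-side parameter sets. The log lines are constructed from the thread's output with 203.0.113.5 standing in for the ZyWALL address; the parameter names in the dictionaries (esp_encryption, esp_integrity, pfs_group, local_net, remote_net) are this example's own naming, not vendor configuration keys.

```python
"""Triage helper for Cisco ASA IKEv1 debug/syslog lines (added example)."""
import re

# Constructed sample, modelled on the ASA lines quoted in the thread.
# 203.0.113.5 is a documentation address standing in for the ZyWALL peer.
SAMPLE_LOG = """\
Feb 25 10:31:33 [IKEv1]IP = 203.0.113.5, IKE_DECODE RECEIVED Message (msgid=7020468f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 118
Feb 25 10:31:33 [IKEv1]Group = 203.0.113.5, IP = 203.0.113.5, Received non-routine Notify message: No proposal chosen (14)
Feb 25 10:31:49 [IKEv1]Group = 203.0.113.5, IP = 203.0.113.5, QM FSM error (P2 struct &0x00007fffa3c8a2c0, mess id 0xa46553a6)!
Feb 25 10:31:49 [IKEv1 DEBUG]Group = 203.0.113.5, IP = 203.0.113.5, IKE Deleting SA: Remote Proxy 192.168.1.0, Local Proxy 192.168.26.0
Feb 25 10:31:49 [IKEv1 DEBUG]Group = 203.0.113.5, IP = 203.0.113.5, IKE SA MM:4997e6e2 rcv'd Terminate: state MM_ACTIVE  flags 0x00000062, refcnt 1, tuncnt 0
Feb 25 10:31:49 [IKEv1]Group = 203.0.113.5, IP = 203.0.113.5, Session is being torn down. Reason: Lost Service
"""

# "Group = ..." is optional: IKE_DECODE lines carry only "IP = ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \[(?P<facility>IKEv1(?: DEBUG)?)\]"
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[^,]+), (?P<msg>.*)$"
)
PROXY_RE = re.compile(r"Remote Proxy (\S+), Local Proxy (\S+)")


def parse_ike_lines(text):
    """Return one dict per parseable line; lines without 'IP = ' are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def diagnose(events):
    """Classify a failed IKEv1 negotiation from the parsed events.

    Phase 1 is taken as complete if the ISAKMP SA reached MM_ACTIVE or a
    Quick Mode (QM) state machine error was logged; a 'No proposal chosen'
    notify received in that situation was the peer rejecting the IPsec
    (Phase 2) proposal, so the transform set, PFS group and proxy IDs are
    what to compare next.
    """
    msgs = [e["msg"] for e in events]
    peer = next((e["ip"] for e in events), None)
    rejected = sum("No proposal chosen" in m for m in msgs)
    phase1_done = any("MM_ACTIVE" in m or "QM FSM error" in m for m in msgs)
    proxies = None
    for m in msgs:
        found = PROXY_RE.search(m)
        if found:
            proxies = found.groups()  # (remote proxy, local proxy)
            break
    if rejected and phase1_done:
        phase, hint = 2, "compare ESP encryption/integrity, PFS group and proxy IDs"
    elif rejected:
        phase, hint = 1, "compare ISAKMP encryption, hash, DH group, auth and lifetime"
    else:
        phase, hint = None, "no proposal rejection in this excerpt"
    return {"peer": peer, "phase": phase, "rejections": rejected,
            "proxies": proxies, "hint": hint}


def compare_phase2(local, remote):
    """Return {parameter: (local, remote)} for every value that differs."""
    keys = sorted(set(local) | set(remote))
    return {k: (local.get(k), remote.get(k))
            for k in keys if local.get(k) != remote.get(k)}


# Constructed parameter sets mirroring the thread's outcome: the ASA side
# negotiates with DH group 2, the ZyWALL side had no PFS group set at all.
ASA_SIDE = {"esp_encryption": "des", "esp_integrity": "sha1", "pfs_group": 2,
            "local_net": "192.168.26.0/24", "remote_net": "192.168.1.0/24"}
ZYWALL_SIDE = {"esp_encryption": "des", "esp_integrity": "sha1", "pfs_group": None,
               "local_net": "192.168.1.0/24", "remote_net": "192.168.26.0/24"}
# Note: local/remote networks are swapped on purpose before comparing,
# since each side names them from its own point of view.
ZYWALL_AS_SEEN_FROM_ASA = dict(ZYWALL_SIDE,
                              local_net=ZYWALL_SIDE["remote_net"],
                              remote_net=ZYWALL_SIDE["local_net"])

if __name__ == "__main__":
    verdict = diagnose(parse_ike_lines(SAMPLE_LOG))
    print(f"peer {verdict['peer']}: phase {verdict['phase']} failure, "
          f"proxies {verdict['proxies']} -> {verdict['hint']}")
    print("mismatched:", compare_phase2(ASA_SIDE, ZYWALL_AS_SEEN_FROM_ASA))
```

Run it as a script to see the verdict for the constructed excerpt; feeding it a real `debug crypto ikev1` capture works the same way as long as the lines keep the `[IKEv1]IP = ...` / `[IKEv1]Group = ..., IP = ...` prefix. The swap of local and remote networks before comparing is deliberate: a proxy-ID mismatch is the other common cause of the same "No proposal chosen" notify in Quick Mode, and it only shows up if both sides' selectors are expressed from the same vantage point.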