Config Cisco:
Code:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key cisco address 1.1.1.21
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set aes-128-sha esp-aes esp-sha-hmac
!
crypto map 2 1 ipsec-isakmp
set peer 1.1.1.21
set security-association lifetime seconds 7200
set transform-set aes-128-sha
set pfs group2
match address 2014
!
interface GigabitEthernet1/0
ip address 1.1.1.12 255.255.255.0
negotiation auto
crypto map 2
!
When I try to change the above configuration so that it uses ISAKMP profiles, a problem appears.
Code:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp aggressive-mode disable
!
crypto keyring KEYRING
pre-shared-key address 1.1.1.21 key cisco
!
crypto isakmp profile ISAMKP_PROFILE
keyring KEYRING
match identity address 1.1.1.21 255.255.255.255
!
crypto ipsec transform-set aes-128-sha esp-aes esp-sha-hmac
!
crypto map 2 1 ipsec-isakmp
set peer 1.1.1.21
set security-association lifetime seconds 7200
set transform-set aes-128-sha
set pfs group2
set isakmp-profile ISAMKP_PROFILE
match address 2014
reverse-route
!
interface GigabitEthernet1/0
ip address 1.1.1.12 255.255.255.0
negotiation auto
crypto map 2
!
Code:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.21
map_db_check_isakmp_profile profile did not match
Crypto mapdb : proxy_match
Code:
*May 11 13:17:25.854: ISAKMP (0:134217739): received packet from 1.1.1.21 dport 500 sport 500 Global (R) QM_IDLE
*May 11 13:17:25.854: ISAKMP: set new node 184370996 to QM_IDLE
*May 11 13:17:25.862: ISAKMP:(0:11:SW:1): processing HASH payload. message ID = 184370996
*May 11 13:17:25.862: ISAKMP:(0:11:SW:1): processing SA payload. message ID = 184370996
*May 11 13:17:25.862: ISAKMP:(0:11:SW:1):Checking IPSec proposal 1
*May 11 13:17:25.862: ISAKMP: transform 0, ESP_AES
*May 11 13:17:25.862: ISAKMP: attributes in transform:
*May 11 13:17:25.866: ISAKMP: key length is 128
*May 11 13:17:25.866: ISAKMP: authenticator is HMAC-SHA
*May 11 13:17:25.866: ISAKMP: group is 2
*May 11 13:17:25.866: ISAKMP: SA life type in seconds
*May 11 13:17:25.866: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x1C 0x20
*May 11 13:17:25.870: ISAKMP: encaps is 1 (Tunnel)
*May 11 13:17:25.870: ISAKMP:(0:11:SW:1):atts are acceptable.
*May 11 13:17:25.874: ISAKMP:(0:11:SW:1): IPSec policy invalidated proposal
*May 11 13:17:25.874: ISAKMP:(0:11:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.12 remote 1.1.1.21)
*May 11 13:17:25.878: ISAKMP: set new node 734379644 to QM_IDLE
*May 11 13:17:25.882: ISAKMP:(0:11:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1702120824, message ID = 734379644
*May 11 13:17:25.886: ISAKMP:(0:11:SW:1): sending packet to 1.1.1.21 my_port 500 peer_port 500 (R) QM_IDLE
*May 11 13:17:25.886: ISAKMP:(0:11:SW:1):purging node 734379644
*May 11 13:17:25.890: ISAKMP:(0:11:SW:1):deleting node 184370996 error TRUE reason "QM rejected"
*May 11 13:17:25.890: ISAKMP (0:134217739): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 184370996: state = IKE_QM_READY
*May 11 13:17:25.890: ISAKMP:(0:11:SW:1):Node 184370996, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*May 11 13:17:25.894: ISAKMP:(0:11:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
*May 11 13:17:25.894: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.21
*May 11 13:17:35.874: ISAKMP (0:134217739): received packet from 1.1.1.21 dport 500 sport 500 Global (R) QM_IDLE
*May 11 13:17:35.874: ISAKMP:(0:11:SW:1): phase 2 packet is a duplicate of a previous packet.
*May 11 13:17:35.874: ISAKMP:(0:11:SW:1): retransmitting due to retransmit phase 2
*May 11 13:17:35.874: ISAKMP:(0:11:SW:1): ignoring retransmission,because phase2 node marked dead 184370996
*May 11 13:17:45.882: ISAKMP (0:134217739): received packet from 1.1.1.21 dport 500 sport 500 Global (R) QM_IDLE
*May 11 13:17:45.886: ISAKMP:(0:11:SW:1): phase 2 packet is a duplicate of a previous packet.
*May 11 13:17:45.886: ISAKMP:(0:11:SW:1): retransmitting due to retransmit phase 2
*May 11 13:17:45.886: ISAKMP:(0:11:SW:1): ignoring retransmission,because phase2 node marked dead 184370996
*May 11 13:17:55.902: ISAKMP (0:134217739): received packet from 1.1.1.21 dport 500 sport 500 Global (R) QM_IDLE
*May 11 13:17:55.902: ISAKMP:(0:11:SW:1): phase 2 packet is a duplicate of a previous packet.
*May 11 13:17:55.902: ISAKMP:(0:11:SW:1): retransmitting due to retransmit phase 2
*May 11 13:17:55.902: ISAKMP:(0:11:SW:1): ignoring retransmission,because phase2 node marked dead 184370996
*May 11 13:18:05.886: ISAKMP (0:134217739): received packet from 1.1.1.21 dport 500 sport 500 Global (R) QM_IDLE
*May 11 13:18:05.886: ISAKMP:(0:11:SW:1): phase 2 packet is a duplicate of a previous packet.
*May 11 13:18:05.886: ISAKMP:(0:11:SW:1): retransmitting due to retransmit phase 2
*May 11 13:18:05.886: ISAKMP:(0:11:SW:1): ignoring retransmission,because phase2 node marked dead 184370996
*May 11 13:18:15.890: ISAKMP:(0:11:SW:1):purging node 184370996
*May 11 13:18:15.914: ISAKMP (0:134217739): received packet from 1.1.1.21 dport 500 sport 500 Global (R) QM_IDLE
*May 11 13:18:15.914: ISAKMP: set new node 184370996 to QM_IDLE
*May 11 13:18:15.914: ISAKMP:(0:11:SW:1): processing HASH payload. message ID = 184370996
*May 11 13:18:15.914: ISAKMP:(0:11:SW:1): processing SA payload. message ID = 184370996
*May 11 13:18:15.918: ISAKMP:(0:11:SW:1):Checking IPSec proposal 1
*May 11 13:18:15.918: ISAKMP: transform 0, ESP_AES
*May 11 13:18:15.918: ISAKMP: attributes in transform:
*May 11 13:18:15.918: ISAKMP: key length is 128
*May 11 13:18:15.918: ISAKMP: authenticator is HMAC-SHA
*May 11 13:18:15.918: ISAKMP: group is 2
*May 11 13:18:15.918: ISAKMP: SA life type in seconds
*May 11 13:18:15.918: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x1C 0x20
*May 11 13:18:15.918: ISAKMP: encaps is 1 (Tunnel)
*May 11 13:18:15.918: ISAKMP:(0:11:SW:1):atts are acceptable.
*May 11 13:18:15.918: ISAKMP:(0:11:SW:1): IPSec policy invalidated proposal
*May 11 13:18:15.918: ISAKMP:(0:11:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.12 remote 1.1.1.21)
*May 11 13:18:15.918: ISAKMP: set new node 1920948922 to QM_IDLE
*May 11 13:18:15.918: ISAKMP:(0:11:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1702120824, message ID = 1920948922
*May 11 13:18:15.918: ISAKMP:(0:11:SW:1): sending packet to 1.1.1.21 my_port 500 peer_port 500 (R) QM_IDLE
*May 11 13:18:15.918: ISAKMP:(0:11:SW:1):purging node 1920948922
*May 11 13:18:15.918: ISAKMP:(0:11:SW:1):deleting node 184370996 error TRUE reason "QM rejected"
*May 11 13:18:15.918: ISAKMP (0:134217739): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 184370996: state = IKE_QM_READY
*May 11 13:18:15.922: ISAKMP:(0:11:SW:1):Node 184370996, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*May 11 13:18:15.922: ISAKMP:(0:11:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
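
A triage sketch for the debug output above, added here and not part of the original post: it decodes the peer's Quick Mode proposal (including the VPI lifetime bytes) and compares it with the crypto map settings shown in the post, which separates a transform mismatch from the profile check that the log reports. The function names, the FIELDS table and the LOCAL dictionary are assumptions made for this example.

```python
import re

# Constructed sample: lines from the post's debug output, timestamps removed.
DEBUG = """\
ISAKMP: transform 0, ESP_AES
ISAKMP: key length is 128
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP: SA life duration (VPI) of 0x0 0x0 0x1C 0x20
ISAKMP:(0:11:SW:1):atts are acceptable.
ISAKMP:(0:11:SW:1): IPSec policy invalidated proposal
map_db_check_isakmp_profile profile did not match
"""

# Local phase 2 settings transcribed from "crypto map 2 1" in the post
# (esp-aes without a key size means 128-bit on IOS). Dict layout is an assumption.
LOCAL = {"transform": "ESP_AES", "key_length": 128,
         "authenticator": "HMAC-SHA", "pfs_group": 2, "lifetime": 7200}

FIELDS = {  # attribute name -> (regex, converter)
    "transform": (r"transform \d+, (\S+)", str),
    "key_length": (r"key length is (\d+)", int),
    "authenticator": (r"authenticator is (\S+)", str),
    "pfs_group": (r"group is (\d+)", int),
}

def parse_proposal(text):
    """Extract the peer's Quick Mode transform attributes from the debug text."""
    out = {}
    for name, (pattern, conv) in FIELDS.items():
        if m := re.search(pattern, text):
            out[name] = conv(m.group(1))
    # VPI lifetime is printed as big-endian bytes, one 0x token per byte.
    if m := re.search(r"\(VPI\) of ((?:0x[0-9A-Fa-f]+\s*)+)", text):
        out["lifetime"] = int.from_bytes(
            bytes(int(b, 16) for b in m.group(1).split()), "big")
    return out

def triage(text, local):
    """Classify the rejection: transform mismatch vs. ISAKMP profile check."""
    peer = parse_proposal(text)
    diffs = {k: (peer.get(k), v) for k, v in local.items() if peer.get(k) != v}
    if diffs:
        return "transform mismatch", diffs
    if "profile did not match" in text:
        return "isakmp profile check failed", {}
    if "policy invalidated proposal" in text:
        return "policy rejected, cause not in transform", {}
    return "no rejection found", {}
```

On the sample, every transform attribute equals the local crypto map value, so the result points at the ISAKMP profile check rather than at the transform set, PFS group or lifetime.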