kktm: No traffic is being filtered on either the PIX or the router.
Seba: The PSK is correct. I re-entered it just in case. Nothing changed.
Here are the debug results:
PIX# term mon
PIX# deb cry isa 127
PIX# deb cry ips 127
PIX# Dec 31 10:20:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 1 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 2 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 3 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 4 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 5 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 6 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 7 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 8 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 9 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 10 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 11 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 12 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 13 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 14 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 15 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 16 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 17 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 18 incomplete. No peer ,access-list or transform-set specified.
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 19 incomplete. No peer ,access-list or transform-set specified.
Dec 31 10:20:33 [IKEv1]: IP = 212.77.100.101, IKE Initiator: New Phase 1, Intf inside, IKE Peer 212.77.100.101 local Proxy Address 213.180.130.150, remote Proxy Address 192.168.1.6, Crypto map (VPN_CRYPTO)
Dec 31 10:20:33 [IKEv1 DEBUG]: IP = 212.77.100.101, constructing ISAKMP SA payload
Dec 31 10:20:33 [IKEv1 DEBUG]: IP = 212.77.100.101, constructing NAT-Traversal VID ver 02 payload
Dec 31 10:20:33 [IKEv1 DEBUG]: IP = 212.77.100.101, constructing NAT-Traversal VID ver 03 payload
Dec 31 10:20:33 [IKEv1 DEBUG]: IP = 212.77.100.101, constructing Fragmentation VID + extended capabilities payload
Dec 31 10:20:33 [IKEv1]: IP = 212.77.100.101, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 292
Dec 31 10:20:41 [IKEv1]: IP = 212.77.100.101, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 292
Dec 31 10:20:49 [IKEv1]: IP = 212.77.100.101, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 292
Dec 31 10:20:57 [IKEv1]: IP = 212.77.100.101, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 292
Dec 31 10:21:05 [IKEv1 DEBUG]: IP = 212.77.100.101, IKE MM Initiator FSM error history (struct &0x25368a0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Dec 31 10:21:05 [IKEv1 DEBUG]: IP = 212.77.100.101, IKE SA MM:1d8118b8 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Dec 31 10:21:05 [IKEv1 DEBUG]: IP = 212.77.100.101, sending delete/delete with reason message
Dec 31 10:21:05 [IKEv1]: IP = 212.77.100.101, Removing peer from peer table failed, no match!
Dec 31 10:21:05 [IKEv1]: IP = 212.77.100.101, Error: Unable to remove PeerTblEntry
and on the router:
router#term mon
router#deb cry isa
Crypto ISAKMP debugging is on
router#deb cry ips
Crypto IPSEC debugging is on
router#
....silence.
The router is, of course, reachable from the PIX:
PIX# ping 212.77.100.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 212.77.100.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PIX#
Interestingly, when I ping an address belonging to a host behind the router (192.168.1.6) from a host behind the PIX, "debug ip icmp" on the router shows:
*Mar 1 03:06:30.900: ICMP: dst (212.77.100.101) port unreachable sent to 213.180.130.155
*Mar 1 03:06:38.898: ICMP: dst (212.77.100.101) port unreachable sent to 213.180.130.155
*Mar 1 03:06:46.899: ICMP: dst (212.77.100.101) port unreachable sent to 213.180.130.155
*Mar 1 03:06:54.900: ICMP: dst (212.77.100.101) port unreachable sent to 213.180.130.155
So something does reach the router. As if the tunnel were coming up for a moment??
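
Added example, not part of the original post: a small Python triage script that reads PIX `debug crypto isakmp` output like the above and reports, per peer, how many Main Mode messages were sent and resent, whether anything came back, and the state in which the exchange stalled. The function name `summarize_ike` is hypothetical, the `IKE_DECODE RECEIVED` wording for inbound messages is assumed (none appears in the post), and the FSM error history is assumed to list the newest state first.

```python
import re

# Lines copied from the PIX debug output in the post above.
SAMPLE = """\
IPSEC(crypto_map_check): crypto map VPN_CRYPTO 1 incomplete. No peer ,access-list or transform-set specified.
Dec 31 10:20:33 [IKEv1]: IP = 212.77.100.101, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 292
Dec 31 10:20:41 [IKEv1]: IP = 212.77.100.101, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 292
Dec 31 10:20:49 [IKEv1]: IP = 212.77.100.101, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 292
Dec 31 10:20:57 [IKEv1]: IP = 212.77.100.101, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 292
Dec 31 10:21:05 [IKEv1 DEBUG]: IP = 212.77.100.101, IKE MM Initiator FSM error history (struct &0x25368a0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG
"""

# "Dec 31 10:20:33 [IKEv1]: IP = a.b.c.d, <message>" (the DEBUG tag is optional)
LINE = re.compile(
    r"^\w{3} +\d+ (\d+):(\d+):(\d+) \[IKEv1(?: DEBUG)?\]: IP = ([\d.]+), (.*)$")

def summarize_ike(log):
    """Return {peer_ip: summary} for IKEv1 debug lines; other lines are skipped."""
    peers = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # IPSEC(...) lines and prompts carry no peer address
        h, mi, s, peer, body = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)  # midnight wrap is ignored
        p = peers.setdefault(peer, {"sent": 0, "resent": 0, "received": 0,
                                    "tx_times": [], "stalled_in": None})
        if "IKE_DECODE RESENDING" in body:
            p["resent"] += 1
            p["tx_times"].append(t)
        elif "IKE_DECODE SENDING" in body:
            p["sent"] += 1
            p["tx_times"].append(t)
        elif "IKE_DECODE RECEIVED" in body:  # assumed wording for inbound messages
            p["received"] += 1
        elif "FSM error history" in body:
            # Assumption: newest state first, so skip the terminal MM_DONE entry.
            states = [x for x in re.findall(r"(MM_\w+), ", body) if x != "MM_DONE"]
            p["stalled_in"] = states[0] if states else None
    for p in peers.values():
        times = p.pop("tx_times")
        p["gaps"] = [b - a for a, b in zip(times, times[1:])]  # retransmit spacing, s
        p["no_reply"] = p["received"] == 0 and (p["sent"] + p["resent"]) > 0
    return peers

if __name__ == "__main__":
    for peer, info in summarize_ike(SAMPLE).items():
        print(peer, info)
```
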