02.06.2009, 12:13   #1

Greetings, everyone!

Straight to the point:
I have two devices: one is a FortiGate UTM, the other is a 3Com router.
I want to bring up an IPsec VPN between them.
It doesn't work.
Log from the 3Com, read from bottom to top:
All I understand is that the first negotiation phase completes successfully, and then everything starts over again. As a result, the VPN does not come up.
The settings on both devices are identical.
2009.06.02 16:41:33 [IKE MM] ISAKMP SA established.
2009.06.02 16:41:33 [IKE] PAYLOAD_HASH
2009.06.02 16:41:33 [IKE] Local ID : 'x.242.x.174' Type ID_IPV4_ADDR
2009.06.02 16:41:33 [IKE] PAYLOAD_ID
2009.06.02 16:41:33 [IKE] Construct payload:
2009.06.02 16:41:33 [IKE] Peer's ID is ID_IPV4_ADDR: 'x.204.x.124'
2009.06.02 16:41:33 [IKE] + Check in packet and/or construct out packet!
2009.06.02 16:41:33 [IKE] Notify type - IPSEC_INITIAL_CONTACT
2009.06.02 16:41:33 [IKE] PAYLOAD_NOTIFICATION
2009.06.02 16:41:33 [IKE] PAYLOAD_HASH
2009.06.02 16:41:33 [IKE] PAYLOAD_ID
2009.06.02 16:41:33 [IKE] + Payloads in XCHG_TYPE_ID_PROTECT:
2009.06.02 16:41:33 [IKE] - exchange type: ID Protection(main mode)
2009.06.02 16:41:33 [IKE] - Received 92 bytes from x.204.x.124:500.
2009.06.02 16:41:33 [IKE] ***Send packet!
2009.06.02 16:41:33 [IKE] PAYLOAD_NONCE
2009.06.02 16:41:33 [IKE] PAYLOAD_VID
2009.06.02 16:41:33 [IKE] PAYLOAD_KE
2009.06.02 16:41:33 [IKE] Construct payload:
2009.06.02 16:41:33 [IKE] + Check in packet and/or construct out packet!
2009.06.02 16:41:33 [IKE] PAYLOAD_NONCE
2009.06.02 16:41:33 [IKE] PAYLOAD_KE
2009.06.02 16:41:33 [IKE] + Payloads in XCHG_TYPE_ID_PROTECT:
2009.06.02 16:41:33 [IKE] - exchange type: ID Protection(main mode)
2009.06.02 16:41:33 [IKE] - Received 244 bytes from x.204.x.124:500.
2009.06.02 16:41:32 [IKE] ***Send packet!
2009.06.02 16:41:32 [IKE] PAYLOAD_SA
2009.06.02 16:41:32 [IKE] Construct payload:
2009.06.02 16:41:32 [IKE] ---> Transform #1 accepted
2009.06.02 16:41:32 [IKE] OAKLEY_GROUP_MODP1536 (extension)
2009.06.02 16:41:32 [IKE] OAKLEY_PRESHARED_KEY
2009.06.02 16:41:32 [IKE] OAKLEY_SHA
2009.06.02 16:41:32 [IKE] OAKLEY_3DES_CBC
2009.06.02 16:41:32 [IKE] : 28800
2009.06.02 16:41:32 [IKE] OAKLEY_LIFE_SECONDS
2009.06.02 16:41:32 [IKE] ->KEY_IKE(trans #1)
2009.06.02 16:41:32 [IKE] => parse PROTO_ISAKMP(proposal #1) payload
2009.06.02 16:41:32 [IKE MM] Main mode, we are responder.
2009.06.02 16:41:32 [IKE] + Check in packet and/or construct out packet!
2009.06.02 16:41:32 [IKE] PAYLOAD_VID
2009.06.02 16:41:32 [IKE] PAYLOAD_VID
2009.06.02 16:41:32 [IKE] PAYLOAD_VID
2009.06.02 16:41:32 [IKE] PAYLOAD_VID
2009.06.02 16:41:32 [IKE] PAYLOAD_VID
2009.06.02 16:41:32 [IKE] PAYLOAD_VID
2009.06.02 16:41:32 [IKE] PAYLOAD_VID
2009.06.02 16:41:32 [IKE] PAYLOAD_SA
2009.06.02 16:41:32 [IKE] + Payloads in XCHG_TYPE_ID_PROTECT:
2009.06.02 16:41:32 [IKE] - exchange type: ID Protection(main mode)
2009.06.02 16:41:32 [IKE] - Received 252 bytes from x.204.x.124:500.
2009.06.02 16:41:32 [IKE] + Check in packet and/or construct out packet!
2009.06.02 16:41:32 [IKE] PAYLOAD_DELETE
2009.06.02 16:41:32 [IKE] PAYLOAD_HASH
2009.06.02 16:41:32 [IKE] + Payloads in XCHG_TYPE_INFO:
2009.06.02 16:41:32 [IKE] - exchange type: Informational(main mode)
2009.06.02 16:41:32 [IKE] - Received 84 bytes from x.204.x.124:500.
2009.06.02 16:41:27 [IKE] Send DPD R_U_THERE_ACK payload
2009.06.02 16:41:27 [IKE] + Check in packet and/or construct out packet!
2009.06.02 16:41:27 [IKE] Notify type - R_U_THERE
2009.06.02 16:41:27 [IKE] PAYLOAD_NOTIFICATION
2009.06.02 16:41:27 [IKE] PAYLOAD_HASH
2009.06.02 16:41:27 [IKE] + Payloads in XCHG_TYPE_INFO:
2009.06.02 16:41:27 [IKE] - exchange type: Informational(main mode)
2009.06.02 16:41:27 [IKE] - Received 84 bytes from x.204.x.124:500.
2009.06.02 16:41:22 [IKE] Send DPD R_U_THERE_ACK payload
2009.06.02 16:41:22 [IKE] + Check in packet and/or construct out packet!
2009.06.02 16:41:22 [IKE] Notify type - R_U_THERE
2009.06.02 16:41:22 [IKE] PAYLOAD_NOTIFICATION
2009.06.02 16:41:22 [IKE] PAYLOAD_HASH
2009.06.02 16:41:22 [IKE] + Payloads in XCHG_TYPE_INFO:
2009.06.02 16:41:22 [IKE] - exchange type: Informational(main mode)
2009.06.02 16:41:22 [IKE] - Received 84 bytes from x.204.x.124:500.
2009.06.02 16:41:17 [IKE] Send DPD R_U_THERE_ACK payload
2009.06.02 16:41:17 [IKE] + Check in packet and/or construct out packet!
2009.06.02 16:41:17 [IKE] Notify type - R_U_THERE
2009.06.02 16:41:17 [IKE] PAYLOAD_NOTIFICATION
2009.06.02 16:41:17 [IKE] PAYLOAD_HASH
2009.06.02 16:41:17 [IKE] + Payloads in XCHG_TYPE_INFO:
2009.06.02 16:41:17 [IKE] - exchange type: Informational(main mode)
2009.06.02 16:41:17 [IKE] - Received 84 bytes from x.204.x.124:500.
2009.06.02 16:41:12 [IKE] ***Send packet!

For comparison, here is the log of a VPN successfully brought up between two 3Com devices:
2009.06.02 16:59:17 [IKE QM] IPSec SA established.
2009.06.02 16:59:17 [IKE] PAYLOAD_HASH
2009.06.02 16:59:17 [IKE] Construct payload:
2009.06.02 16:59:17 [IKE] remote client -> 192.168.1.0/24
2009.06.02 16:59:17 [IKE] received ID type ID_IPV4_ADDR_SUBNET
2009.06.02 16:59:17 [IKE] local client -> 192.168.3.0/24
2009.06.02 16:59:17 [IKE] received ID type ID_IPV4_ADDR_SUBNET
2009.06.02 16:59:17 [IKE] ---> Transform #1 accepted
2009.06.02 16:59:17 [IKE] AUTH_ALGORITHM_HMAC_SHA1
2009.06.02 16:59:17 [IKE] : 86400
2009.06.02 16:59:17 [IKE] SA_LIFE_TYPE_SECONDS
2009.06.02 16:59:17 [IKE] ENCAPSULATION_MODE_TUNNEL
2009.06.02 16:59:17 [IKE] ->ESP_DES(trans #1)
2009.06.02 16:59:17 [IKE] => parse PROTO_IPSEC_ESP(proposal #1) payload
2009.06.02 16:59:17 [IKE] + Check in packet and/or construct out packet!
2009.06.02 16:59:17 [IKE] PAYLOAD_ID
2009.06.02 16:59:17 [IKE] PAYLOAD_ID
2009.06.02 16:59:17 [IKE] PAYLOAD_NONCE
2009.06.02 16:59:17 [IKE] PAYLOAD_SA
2009.06.02 16:59:17 [IKE] PAYLOAD_HASH
2009.06.02 16:59:17 [IKE] + Payloads in XCHG_TYPE_QUICK:
2009.06.02 16:59:17 [IKE] - exchange type: IPsec(Quick mode)
2009.06.02 16:59:17 [IKE] - Received 156 bytes from x.105.x.157:500.
2009.06.02 16:59:17 [IKE] ***Send packet!
2009.06.02 16:59:17 [IKE] PAYLOAD_ID
2009.06.02 16:59:17 [IKE] PAYLOAD_ID
2009.06.02 16:59:17 [IKE] PAYLOAD_NONCE
2009.06.02 16:59:17 [IKE] AUTH_ALGORITHM_HMAC_SHA1
2009.06.02 16:59:17 [IKE] : 86400
2009.06.02 16:59:17 [IKE] SA_LIFE_TYPE_SECONDS
2009.06.02 16:59:17 [IKE] ENCAPSULATION_MODE_TUNNEL
2009.06.02 16:59:17 [IKE] ->ESP_DES(trans #1)
2009.06.02 16:59:17 [IKE] => construct PROTO_IPSEC_ESP(proposal #1) payload
2009.06.02 16:59:17 [IKE] PAYLOAD_SA
2009.06.02 16:59:17 [IKE] PAYLOAD_HASH
2009.06.02 16:59:17 [IKE] Construct payload:
2009.06.02 16:59:17 [IKE QM] Start Quick mode, we are initiator.
2009.06.02 16:59:17 [IKE MM] ISAKMP SA established.
2009.06.02 16:59:17 [IKE] Peer's ID is ID_IPV4_ADDR: '192.168.2.3'
2009.06.02 16:59:17 [IKE] + Check in packet and/or construct out packet!
2009.06.02 16:59:17 [IKE] PAYLOAD_HASH
2009.06.02 16:59:17 [IKE] PAYLOAD_ID
2009.06.02 16:59:17 [IKE] + Payloads in XCHG_TYPE_ID_PROTECT:
2009.06.02 16:59:17 [IKE] - exchange type: ID Protection(main mode)
2009.06.02 16:59:17 [IKE] - Received 60 bytes from x.105.x.157:500.
2009.06.02 16:59:17 [IKE] ***Send packet!
2009.06.02 16:59:17 [IKE] PAYLOAD_HASH
2009.06.02 16:59:17 [IKE] Local ID : 'x.242.x.174' Type ID_IPV4_ADDR
2009.06.02 16:59:17 [IKE] PAYLOAD_ID
2009.06.02 16:59:17 [IKE] Construct payload:
2009.06.02 16:59:17 [IKE] + Check in packet and/or construct out packet!
2009.06.02 16:59:17 [IKE] PAYLOAD_VID
2009.06.02 16:59:17 [IKE] PAYLOAD_NONCE
2009.06.02 16:59:17 [IKE] PAYLOAD_KE
2009.06.02 16:59:17 [IKE] + Payloads in XCHG_TYPE_ID_PROTECT:
2009.06.02 16:59:17 [IKE] - exchange type: ID Protection(main mode)
2009.06.02 16:59:17 [IKE] - Received 200 bytes from x.105.x.157:500.
2009.06.02 16:59:16 [IKE] ***Send packet!
2009.06.02 16:59:16 [IKE] PAYLOAD_VID
2009.06.02 16:59:16 [IKE] PAYLOAD_NONCE
2009.06.02 16:59:16 [IKE] PAYLOAD_KE
2009.06.02 16:59:16 [IKE] Construct payload:
2009.06.02 16:59:16 [IKE] ---> Transform #1 accepted
2009.06.02 16:59:16 [IKE] OAKLEY_GROUP_MODP1024
2009.06.02 16:59:16 [IKE] OAKLEY_PRESHARED_KEY
2009.06.02 16:59:16 [IKE] OAKLEY_MD5
2009.06.02 16:59:16 [IKE] OAKLEY_DES_CBC
2009.06.02 16:59:16 [IKE] : 28800
2009.06.02 16:59:16 [IKE] OAKLEY_LIFE_SECONDS
2009.06.02 16:59:16 [IKE] ->KEY_IKE(trans #1)
2009.06.02 16:59:16 [IKE] => parse PROTO_ISAKMP(proposal #1) payload
2009.06.02 16:59:16 [IKE] + Check in packet and/or construct out packet!
2009.06.02 16:59:16 [IKE] PAYLOAD_SA
2009.06.02 16:59:16 [IKE] + Payloads in XCHG_TYPE_ID_PROTECT:
2009.06.02 16:59:16 [IKE] - exchange type: ID Protection(main mode)
2009.06.02 16:59:16 [IKE] - Received 80 bytes from x.105.x.157:500.
2009.06.02 16:59:16 [IKE] ***Send packet!
2009.06.02 16:59:16 [IKE] OAKLEY_GROUP_MODP1024
2009.06.02 16:59:16 [IKE] OAKLEY_PRESHARED_KEY
2009.06.02 16:59:16 [IKE] OAKLEY_MD5
2009.06.02 16:59:16 [IKE] OAKLEY_DES_CBC
2009.06.02 16:59:16 [IKE] : 28800
2009.06.02 16:59:16 [IKE] OAKLEY_LIFE_SECONDS
2009.06.02 16:59:16 [IKE] ->KEY_IKE(trans #1)
2009.06.02 16:59:16 [IKE] => construct PROTO_ISAKMP(proposal #1) payload
2009.06.02 16:59:16 [IKE] PAYLOAD_SA
2009.06.02 16:59:16 [IKE] Construct payload to Security Gateway: x.105.x.157
2009.06.02 16:59:16 [IKE MM] Start IKE, we are initiator.

I'd at least like to understand where to look for the problem.




k0st is offline
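Added example, not part of the original post: a small Python check over 3Com-style log lines in the format posted above that reports how far the IKEv1 negotiation got (phase 1 only, Quick Mode started, or IPsec SA established). The two sample logs are constructed excerpts in that format, and the function names are assumptions of this example.

```python
import re

# Matches lines such as "2009.06.02 16:41:33 [IKE MM] ISAKMP SA established."
LINE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \[(IKE(?: [A-Z]{2})?)\] (.*)$")

def parse(log_text, newest_first=True):
    """Return (timestamp, tag, message) tuples in chronological order."""
    rows = [m.groups() for m in map(LINE.match, log_text.strip().splitlines()) if m]
    return rows[::-1] if newest_first else rows

def summarize(log_text):
    """Report which IKEv1 milestones appear in the log and a one-line verdict."""
    s = {"phase1": False, "quick_mode_seen": False, "phase2": False,
         "delete_received": False, "dpd_probes": 0}
    for _ts, _tag, msg in parse(log_text):
        if "ISAKMP SA established" in msg:
            s["phase1"] = True              # Main Mode (phase 1) finished
        elif "IPSec SA established" in msg:
            s["phase2"] = True              # Quick Mode (phase 2) finished
        elif "Quick mode" in msg:
            s["quick_mode_seen"] = True     # phase 2 was at least attempted
        elif msg.strip() == "PAYLOAD_DELETE":
            s["delete_received"] = True     # peer tore down an SA
        elif "Notify type - R_U_THERE" in msg:
            s["dpd_probes"] += 1            # peer's dead-peer-detection probes
    if s["phase2"]:
        s["verdict"] = "tunnel up"
    elif s["phase1"] and not s["quick_mode_seen"]:
        s["verdict"] = "phase 1 only: no Quick Mode exchange logged"
    elif s["phase1"]:
        s["verdict"] = "Quick Mode started but no IPsec SA"
    else:
        s["verdict"] = "phase 1 not completed"
    return s

# Constructed excerpts in the format of the logs above (newest line first).
FAILED = """\
2009.06.02 16:41:33 [IKE MM] ISAKMP SA established.
2009.06.02 16:41:32 [IKE MM] Main mode, we are responder.
2009.06.02 16:41:32 [IKE] PAYLOAD_DELETE
2009.06.02 16:41:27 [IKE] Notify type - R_U_THERE
2009.06.02 16:41:22 [IKE] Notify type - R_U_THERE
"""
WORKING = """\
2009.06.02 16:59:17 [IKE QM] IPSec SA established.
2009.06.02 16:59:17 [IKE QM] Start Quick mode, we are initiator.
2009.06.02 16:59:17 [IKE MM] ISAKMP SA established.
2009.06.02 16:59:16 [IKE MM] Start IKE, we are initiator.
"""

if __name__ == "__main__":
    for name, log in (("failed", FAILED), ("working", WORKING)):
        print(name, summarize(log))
```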

02.06.2009, 14:05   #2

I don't see any errors; maybe increase the log verbosity on the UTM?
Z][ANSWER is offline
02.06.2009, 17:56   #3

Quote (Z][ANSWER, 2.6.2009, 16:05):
I don't see any errors; maybe increase the log verbosity on the UTM?

The Forti returns errors:
24 2009-06-02 17:32:21 notice delete_phase1_sa Deleted an Isakmp SA on the tunnel to x.242.x.174:500 ( - Remote Peer)
25 2009-06-02 17:32:21 error dpd IPsec DPD detected a failure on the tunnel to x.242.x.174:500
k0st is offline
21.06.2009, 10:29   #4

The thread can be closed.
k0st is offline