Problema VPN IPSec - site to site - verso cyberoam
Inviato: ven 01 apr , 2011 3:52 pm
Ciao a tutti,
sto tentando di mettere in piedi un tunnel vpn tra il nostro router (cisco 2801) e un apparato cyberoam.
Sul nostro router abbiamo già diversi tunnel VPN site-to-site con altre reti, e anche le dynamic map per i vari vpn-client, senza particolari problemi.
Ho provato anche a fare una configurazione "pulita" ovvero, senza altri tunnel, senza nat, senza niente... ma ho sempre lo stesso problema: il tunnel non mi va su.
Il debug isakmp mi scrive questo... da che parte dovrei guardare, secondo voi?
Grazie mille
Andrea.
Apr 1 14:48:12.542: ISAKMP:(0): SA request profile is (NULL)
Apr 1 14:48:12.542: ISAKMP: Created a peer struct for xxx.xxx.xxx.xxx, peer port 500
Apr 1 14:48:12.542: ISAKMP: New peer created peer = 0x661C2D4C peer_handle = 0x80000003
Apr 1 14:48:12.542: ISAKMP: Locking peer struct 0x661C2D4C, refcount 1 for isakmp_initiator
Apr 1 14:48:12.542: ISAKMP: local port 500, remote port 500
Apr 1 14:48:12.542: ISAKMP: set new node 0 to QM_IDLE
Apr 1 14:48:12.542: insert sa successfully sa = 66DF4F5C
Apr 1 14:48:12.542: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Apr 1 14:48:12.542: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xxx
Apr 1 14:48:12.542: ISAKMP:(0): constructed NAT-T vendor-07 ID
Apr 1 14:48:12.542: ISAKMP:(0): constructed NAT-T vendor-03 ID
Apr 1 14:48:12.546: ISAKMP:(0): constructed NAT-T vendor-02 ID
Apr 1 14:48:12.546: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 1 14:48:12.546: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Apr 1 14:48:12.546: ISAKMP:(0): beginning Main Mode exchange
Apr 1 14:48:12.546: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:48:22.546: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 1 14:48:22.546: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Apr 1 14:48:22.546: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 1 14:48:22.546: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:48:32.546: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 1 14:48:32.546: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Apr 1 14:48:32.546: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 1 14:48:32.546: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:48:42.542: ISAKMP: set new node 0 to QM_IDLE
Apr 1 14:48:42.542: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local yyy.yyy.yyy.yyy, remote xxx.xxx.xxx.xxx)
Apr 1 14:48:42.542: ISAKMP: Error while processing SA request: Failed to initialize SA
Apr 1 14:48:42.542: ISAKMP: Error while processing KMI message 0, error 2.
Apr 1 14:48:42.546: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 1 14:48:42.546: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Apr 1 14:48:42.546: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 1 14:48:42.546: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:48:52.543: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 1 14:48:52.543: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Apr 1 14:48:52.543: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 1 14:48:52.543: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:49:02.539: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 1 14:49:02.539: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Apr 1 14:49:02.539: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 1 14:49:02.539: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:49:02.539: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 1 14:49:02.539: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:49:12.539: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 1 14:49:12.539: ISAKMP:(0):peer does not do paranoid keepalives.
Apr 1 14:49:12.539: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xxx.xxx.xxx.xxx)
Apr 1 14:49:12.539: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xxx.xxx.xxx.xxx)
Apr 1 14:49:12.539: ISAKMP: Unlocking peer struct 0x661C2D4C for isadb_mark_sa_deleted(), count 0
Apr 1 14:49:12.539: ISAKMP: Deleting peer node by peer_reap for xxx.xxx.xxx.xxx: 661C2D4C
Apr 1 14:49:12.539: ISAKMP:(0):deleting node 1488023546 error FALSE reason "IKE deleted"
Apr 1 14:49:12.539: ISAKMP:(0):deleting node -227835848 error FALSE reason "IKE deleted"
Apr 1 14:49:12.539: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Apr 1 14:49:12.539: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
Apr 1 14:50:02.533: ISAKMP:(0):purging node 1488023546
Apr 1 14:50:02.533: ISAKMP:(0):purging node -227835848
Apr 1 14:50:12.532: ISAKMP:(0):purging SA., sa=66DF4F5C, delme=66DF4F5C
sto tentando di mettere in piedi un tunnel vpn tra il nostro router (cisco 2801) e un apparato cyberoam.
Sul nostro router abbiamo già diversi tunnel VPN site-to-site con altre reti, e anche le dynamic map per i vari vpn-client, senza particolari problemi.
Ho provato anche a fare una configurazione "pulita" ovvero, senza altri tunnel, senza nat, senza niente... ma ho sempre lo stesso problema: il tunnel non mi va su.
Il debug isakmp mi scrive questo... da che parte dovrei guardare, secondo voi?
Grazie mille
Andrea.
Apr 1 14:48:12.542: ISAKMP:(0): SA request profile is (NULL)
Apr 1 14:48:12.542: ISAKMP: Created a peer struct for xxx.xxx.xxx.xxx, peer port 500
Apr 1 14:48:12.542: ISAKMP: New peer created peer = 0x661C2D4C peer_handle = 0x80000003
Apr 1 14:48:12.542: ISAKMP: Locking peer struct 0x661C2D4C, refcount 1 for isakmp_initiator
Apr 1 14:48:12.542: ISAKMP: local port 500, remote port 500
Apr 1 14:48:12.542: ISAKMP: set new node 0 to QM_IDLE
Apr 1 14:48:12.542: insert sa successfully sa = 66DF4F5C
Apr 1 14:48:12.542: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Apr 1 14:48:12.542: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xxx
Apr 1 14:48:12.542: ISAKMP:(0): constructed NAT-T vendor-07 ID
Apr 1 14:48:12.542: ISAKMP:(0): constructed NAT-T vendor-03 ID
Apr 1 14:48:12.546: ISAKMP:(0): constructed NAT-T vendor-02 ID
Apr 1 14:48:12.546: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 1 14:48:12.546: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Apr 1 14:48:12.546: ISAKMP:(0): beginning Main Mode exchange
Apr 1 14:48:12.546: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:48:22.546: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 1 14:48:22.546: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Apr 1 14:48:22.546: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 1 14:48:22.546: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:48:32.546: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 1 14:48:32.546: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Apr 1 14:48:32.546: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 1 14:48:32.546: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:48:42.542: ISAKMP: set new node 0 to QM_IDLE
Apr 1 14:48:42.542: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local yyy.yyy.yyy.yyy, remote xxx.xxx.xxx.xxx)
Apr 1 14:48:42.542: ISAKMP: Error while processing SA request: Failed to initialize SA
Apr 1 14:48:42.542: ISAKMP: Error while processing KMI message 0, error 2.
Apr 1 14:48:42.546: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 1 14:48:42.546: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Apr 1 14:48:42.546: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 1 14:48:42.546: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:48:52.543: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 1 14:48:52.543: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Apr 1 14:48:52.543: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 1 14:48:52.543: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:49:02.539: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 1 14:49:02.539: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Apr 1 14:49:02.539: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 1 14:49:02.539: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:49:02.539: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 1 14:49:02.539: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 1 14:49:12.539: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 1 14:49:12.539: ISAKMP:(0):peer does not do paranoid keepalives.
Apr 1 14:49:12.539: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xxx.xxx.xxx.xxx)
Apr 1 14:49:12.539: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xxx.xxx.xxx.xxx)
Apr 1 14:49:12.539: ISAKMP: Unlocking peer struct 0x661C2D4C for isadb_mark_sa_deleted(), count 0
Apr 1 14:49:12.539: ISAKMP: Deleting peer node by peer_reap for xxx.xxx.xxx.xxx: 661C2D4C
Apr 1 14:49:12.539: ISAKMP:(0):deleting node 1488023546 error FALSE reason "IKE deleted"
Apr 1 14:49:12.539: ISAKMP:(0):deleting node -227835848 error FALSE reason "IKE deleted"
Apr 1 14:49:12.539: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Apr 1 14:49:12.539: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
Apr 1 14:50:02.533: ISAKMP:(0):purging node 1488023546
Apr 1 14:50:02.533: ISAKMP:(0):purging node -227835848
Apr 1 14:50:12.532: ISAKMP:(0):purging SA., sa=66DF4F5C, delme=66DF4F5C