Router 1921 - Phase 1 problem with IPsec VPN and dynamic IP

Virtual private networks and related topics

Moderator: Federico.Lagni

liscio
Cisco fan
Posts: 73
Joined: Wed 29 Mar 2006, 5:43 pm
Location: ancona

Hi everyone,
I'm trying to set up a VPN tunnel between two routers, both with ADSL connectivity and a dynamic public IP address.
The "remote" router is a ZyXEL.
The "local" router is a Cisco 1921.

I cloned the encryption policies for both phases from another config I have working, between the same ZyXEL and a Cisco 2801 with a static public IP.

This tunnel, instead, has to be built towards a 1921 with a dynamic address.
Both routers (the 1921 and the ZyXEL) have the dynamic DNS service configured and working correctly.

I think the problem is in the address matching, but I can't figure out how to solve it... in fact, if on the ZyXEL I set the peer address as "static", entering the "current" public IP address of the 1921, everything works... so the problem is neither in the correctness of the key nor in the encryption algorithms....
If on the ZyXEL I set the peer as "dns" and enter the dynamic DNS name of the 1921, debugging from the 1921 I get this:


Aug 24 16:27:12.431: IPSEC: Peer nome_dyndns_remoto's addr (ip_router_remoto) is stale, triggering DNS
Aug 24 16:27:12.515: IPSEC: Peer nome_dyndns_remoto has been DNS resolved to ip_router_remoto, expires in 00:00:40.
Aug 24 16:27:14.431: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= ip_router_locale, remote= ip_router_remoto, 
    local_proxy= 192.168.68.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Aug 24 16:27:14.431: ISAKMP:(0): SA request profile is (NULL)
Aug 24 16:27:14.431: ISAKMP: Created a peer struct for ip_router_remoto, peer port 500
Aug 24 16:27:14.431: ISAKMP: New peer created peer = 0x279FDC74 peer_handle = 0x8000000A
Aug 24 16:27:14.431: ISAKMP: Locking peer struct 0x279FDC74, refcount 1 for isakmp_initiator
Aug 24 16:27:14.431: ISAKMP: local port 500, remote port 500
Aug 24 16:27:14.431: ISAKMP: set new node 0 to QM_IDLE      
Aug 24 16:27:14.431: ISAKMP:(0):insert sa successfully sa = 31312050
Aug 24 16:27:14.431: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Aug 24 16:27:14.431: ISAKMP:(0):No pre-shared key with ip_router_remoto!
Aug 24 16:27:14.431: ISAKMP:(0):Looking for a matching key for nome_dyndns_remoto in default
Aug 24 16:27:14.431: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Aug 24 16:27:14.431: ISAKMP:(0): constructed NAT-T vendor-07 ID
Aug 24 16:27:14.431: ISAKMP:(0): constructed NAT-T vendor-03 ID
Aug 24 16:27:14.431: ISAKMP:(0): constructed NAT-T vendor-02 ID
Aug 24 16:27:14.431: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Aug 24 16:27:14.431: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

Aug 24 16:27:14.431: ISAKMP:(0): beginning Main Mode exchange
Aug 24 16:27:14.431: ISAKMP:(0): sending packet to ip_router_remoto my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 24 16:27:14.431: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 24 16:27:15.603: ISAKMP (0): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_NO_STATE
Aug 24 16:27:15.603: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 24 16:27:15.603: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 

Aug 24 16:27:15.603: ISAKMP:(0): processing SA payload. message ID = 0
Aug 24 16:27:15.603: ISAKMP:(0): processing vendor id payload
Aug 24 16:27:15.603: ISAKMP:(0): processing IKE frag vendor id payload
Aug 24 16:27:15.603: ISAKMP:(0):Support for IKE Fragmentation not enabled
Aug 24 16:27:15.603: ISAKMP:(0):No pre-shared key with ip_router_remoto!
Aug 24 16:27:15.603: ISAKMP:(0):Looking for a matching key for nome_dyndns_remoto in default
Aug 24 16:27:15.607: ISAKMP:(0): local preshared key found
Aug 24 16:27:15.607: ISAKMP : Scanning profiles for xauth ...
Aug 24 16:27:15.607: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Aug 24 16:27:15.607: ISAKMP:      encryption 3DES-CBC
Aug 24 16:27:15.607: ISAKMP:      hash MD5
Aug 24 16:27:15.607: ISAKMP:      auth pre-share
Aug 24 16:27:15.607: ISAKMP:      default group 2
Aug 24 16:27:15.607: ISAKMP:      life type in seconds
Aug 24 16:27:15.607: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
Aug 24 16:27:15.607: ISAKMP:(0):atts are acceptable. Next payload is 0
Aug 24 16:27:15.607: ISAKMP:(0):Acceptable atts:actual life: 0
Aug 24 16:27:15.607: ISAKMP:(0):Acceptable atts:life: 0
Aug 24 16:27:15.607: ISAKMP:(0):Fill atts in sa vpi_length:4
Aug 24 16:27:15.607: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Aug 24 16:27:15.607: ISAKMP:(0):Returning Actual lifetime: 86400
Aug 24 16:27:15.607: ISAKMP:(0)::Started lifetime timer: 86400.

Aug 24 16:27:15.607: ISAKMP:(0): processing vendor id payload
Aug 24 16:27:15.607: ISAKMP:(0): processing IKE frag vendor id payload
Aug 24 16:27:15.607: ISAKMP:(0):Support for IKE Fragmentation not enabled.
Aug 24 16:27:15.607: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 24 16:27:15.607: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 

Aug 24 16:27:15.607: ISAKMP:(0): sending packet to ip_router_remoto my_port 500 peer_port 500 (I) MM_SA_SETUP
Aug 24 16:27:15.607: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 24 16:27:15.607: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 24 16:27:15.607: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 

Aug 24 16:27:16.963: ISAKMP (0): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_SA_SETUP
Aug 24 16:27:16.963: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 24 16:27:16.963: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 

Aug 24 16:27:16.963: ISAKMP:(0): processing KE payload. message ID = 0
Aug 24 16:27:16.991: ISAKMP:(0): processing NONCE payload. message ID = 0
Aug 24 16:27:16.991: ISAKMP:(0):No pre-shared key with ip_router_remoto!
Aug 24 16:27:16.991: ISAKMP:(0):Looking for a matching key for nome_dyndns_remoto in default
Aug 24 16:27:16.991: ISAKMP:(1006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 24 16:27:16.991: ISAKMP:(1006):Old State = IKE_I_MM4  New State = IKE_I_MM4 

Aug 24 16:27:16.991: ISAKMP:(1006):Send initial contact
Aug 24 16:27:16.991: ISAKMP:(1006):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Aug 24 16:27:16.991: ISAKMP (1006): ID payload 
        next-payload : 8
        type         : 1 
        address      : ip_router_locale 
        protocol     : 17 
        port         : 500 
        length       : 12
Aug 24 16:27:16.991: ISAKMP:(1006):Total payload length: 12
Aug 24 16:27:16.991: ISAKMP:(1006): sending packet to ip_router_remoto my_port 500 peer_port 500 (I) MM_KEY_EXCH
Aug 24 16:27:16.991: ISAKMP:(1006):Sending an IKE IPv4 Packet.
Aug 24 16:27:16.991: ISAKMP:(1006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 24 16:27:16.991: ISAKMP:(1006):Old State = IKE_I_MM4  New State = IKE_I_MM5 

Aug 24 16:27:17.331: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:27:17.331: ISAKMP: set new node 683722764 to QM_IDLE      
Aug 24 16:27:17.331: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:27:17.335: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:27:17.335: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:27:17.335: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:27:17.335: ISAKMP: Info Notify message requeue retry counter exceeded sa request from ip_router_remoto to ip_router_locale.
Aug 24 16:27:17.335: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:27:17.335: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH.
Aug 24 16:27:17.335: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:27:17.335: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:27:17.335: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:27:17.335: ISAKMP: Info Notify message requeue retry counter exceeded sa request from ip_router_remoto to ip_router_locale...
Aug 24 16:27:26.991: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH...
Aug 24 16:27:26.991: ISAKMP (1006): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 24 16:27:26.991: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH
Aug 24 16:27:26.991: ISAKMP:(1006): sending packet to ip_router_remoto my_port 500 peer_port 500 (I) MM_KEY_EXCH
Aug 24 16:27:26.991: ISAKMP:(1006):Sending an IKE IPv4 Packet.
Aug 24 16:27:36.991: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH...
Aug 24 16:27:36.991: ISAKMP (1006): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 24 16:27:36.991: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH
Aug 24 16:27:36.991: ISAKMP:(1006): sending packet to ip_router_remoto my_port 500 peer_port 500 (I) MM_KEY_EXCH
Aug 24 16:27:36.991: ISAKMP:(1006):Sending an IKE IPv4 Packet.
Aug 24 16:27:44.431: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= ip_router_locale, remote= ip_router_remoto, 
    local_proxy= 192.168.68.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
Aug 24 16:27:44.431: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= ip_router_locale, remote= ip_router_remoto, 
    local_proxy= 192.168.68.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Aug 24 16:27:44.431: ISAKMP: set new node 0 to QM_IDLE      
Aug 24 16:27:44.431: ISAKMP:(1006):SA is still budding. Attached new ipsec request to it. (local ip_router_locale, remote ip_router_remoto)
Aug 24 16:27:44.431: ISAKMP: Error while processing SA request: Failed to initialize SA
Aug 24 16:27:44.431: ISAKMP: Error while processing KMI message 0, error 2.
Aug 24 16:27:46.991: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH...
Aug 24 16:27:46.991: ISAKMP (1006): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 24 16:27:46.991: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH
Aug 24 16:27:46.991: ISAKMP:(1006): sending packet to ip_router_remoto my_port 500 peer_port 500 (I) MM_KEY_EXCH
Aug 24 16:27:46.991: ISAKMP:(1006):Sending an IKE IPv4 Packet.
Aug 24 16:27:56.991: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH...
Aug 24 16:27:56.991: ISAKMP (1006): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug 24 16:27:56.991: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH
Aug 24 16:27:56.991: ISAKMP:(1006): sending packet to ip_router_remoto my_port 500 peer_port 500 (I) MM_KEY_EXCH
Aug 24 16:27:56.991: ISAKMP:(1006):Sending an IKE IPv4 Packet.
Aug 24 16:28:06.991: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH...
Aug 24 16:28:06.991: ISAKMP (1006): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 24 16:28:06.991: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH
Aug 24 16:28:06.991: ISAKMP:(1006): sending packet to ip_router_remoto my_port 500 peer_port 500 (I) MM_KEY_EXCH
Aug 24 16:28:06.991: ISAKMP:(1006):Sending an IKE IPv4 Packet.
Aug 24 16:28:10.731: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:28:10.731: ISAKMP: set new node -1879752075 to QM_IDLE      
Aug 24 16:28:10.731: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:28:10.731: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:28:10.731: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:28:10.731: ISAKMP (1006): received packet from ip_router_remoto dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 24 16:28:10.731: ISAKMP: Info Notify message requeue retry counter exceeded sa request from ip_router_remoto to ip_router_locale.
Aug 24 16:28:14.431: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= ip_router_locale, remote= ip_router_remoto, 
    local_proxy= 192.168.68.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
Aug 24 16:28:16.991: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH...
Aug 24 16:28:16.991: ISAKMP:(1006):peer does not do paranoid keepalives.

Aug 24 16:28:16.991: ISAKMP:(1006):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer ip_router_remoto)
Aug 24 16:28:16.991: ISAKMP:(1006):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer ip_router_remoto) 
Aug 24 16:28:16.991: ISAKMP: Unlocking peer struct 0x279FDC74 for isadb_mark_sa_deleted(), count 0
Aug 24 16:28:16.991: ISAKMP: Deleting peer node by peer_reap for ip_router_remoto: 279FDC74
Aug 24 16:28:16.991: ISAKMP:(1006):deleting node 1805605827 error FALSE reason "IKE deleted"
Aug 24 16:28:16.991: ISAKMP:(1006):deleting node 683722764 error FALSE reason "IKE deleted"
Aug 24 16:28:16.991: ISAKMP:(1006):deleting node 286218773 error FALSE reason "IKE deleted"
Aug 24 16:28:16.991: ISAKMP:(1006):deleting node -1879752075 error FALSE reason "IKE deleted"
Aug 24 16:28:16.991: ISAKMP:(1006):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 24 16:28:16.991: ISAKMP:(1006):Old State = IKE_I_MM5  New State = IKE_DEST_SA 

Aug 24 16:28:16.991: IPSEC(key_engine): got a queue event with 1 KMI message(s)
could you help me understand where the problem is?

Thanks a lot


Andrea.
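An added example, not part of the original post and not Cisco tooling: a small Python triage script that walks a `debug crypto isakmp` capture like the one above, follows the phase 1 state transitions, counts the retransmissions and pulls out the identity type used for pre-shared key authentication and the reason the SA was deleted. The sample lines inside it are a constructed, condensed copy of the post's debug output (the post's placeholders `ip_router_remoto` and `nome_dyndns_remoto` are kept); the function names and the wording of the findings are mine.

```python
import re

# Constructed sample: a condensed copy of the debug output quoted in the post,
# with the post's placeholders (ip_router_remoto, nome_dyndns_remoto) kept.
SAMPLE_DEBUG = """\
Aug 24 16:27:14.431: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Aug 24 16:27:14.431: ISAKMP:(0):No pre-shared key with ip_router_remoto!
Aug 24 16:27:14.431: ISAKMP:(0):Looking for a matching key for nome_dyndns_remoto in default
Aug 24 16:27:14.431: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 
Aug 24 16:27:15.603: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 
Aug 24 16:27:15.607: ISAKMP:(0): local preshared key found
Aug 24 16:27:15.607: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 
Aug 24 16:27:15.607: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 
Aug 24 16:27:16.963: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 
Aug 24 16:27:16.991: ISAKMP:(1006):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Aug 24 16:27:16.991: ISAKMP:(1006):Old State = IKE_I_MM4  New State = IKE_I_MM5 
Aug 24 16:27:26.991: ISAKMP (1006): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 24 16:27:36.991: ISAKMP (1006): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 24 16:27:46.991: ISAKMP (1006): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 24 16:27:56.991: ISAKMP (1006): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug 24 16:28:06.991: ISAKMP (1006): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 24 16:28:16.991: ISAKMP:(1006):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer ip_router_remoto)
Aug 24 16:28:16.991: ISAKMP:(1006):Old State = IKE_I_MM5  New State = IKE_DEST_SA 
"""

# Patterns for the IOS debug lines this script cares about.
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
IDTYPE_RE = re.compile(r"using id type (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\S+)')
KEYLOOKUP_RE = re.compile(r"Looking for a matching key for (\S+) in (\S+)")
NOKEY_RE = re.compile(r"No pre-shared key with (\S+)!")
MODE_RE = re.compile(r"Can not start Aggressive mode, trying Main mode")
MM_RE = re.compile(r"IKE_[IR]_MM(\d)")


def triage_ikev1_debug(text):
    """Summarise one IKEv1 phase 1 attempt from `debug crypto isakmp` output."""
    s = {"transitions": [], "retransmits": 0, "max_retransmits": None,
         "id_type": None, "psk_lookup_names": [], "no_psk_for": [],
         "fell_back_to_main_mode": False, "delete_reason": None,
         "delete_state": None, "role": None}
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            old, new = m.groups()
            if old != new:                      # drop self-transitions (MM2 -> MM2)
                s["transitions"].append((old, new))
        elif m := ATTEMPT_RE.search(line):
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
            s["max_retransmits"] = int(m.group(2))
        elif m := IDTYPE_RE.search(line):
            s["id_type"] = m.group(1)
        elif m := DELETE_RE.search(line):
            s["delete_reason"], s["role"], s["delete_state"] = m.groups()
        elif m := KEYLOOKUP_RE.search(line):
            if m.group(1) not in s["psk_lookup_names"]:
                s["psk_lookup_names"].append(m.group(1))
        elif m := NOKEY_RE.search(line):
            if m.group(1) not in s["no_psk_for"]:
                s["no_psk_for"].append(m.group(1))
        elif MODE_RE.search(line):
            s["fell_back_to_main_mode"] = True
    s["last_state"] = s["transitions"][-1][1] if s["transitions"] else None
    # Furthest main-mode message state reached (IKE_I_MM5 means: MM5 sent, waiting for MM6).
    reached = [int(MM_RE.match(new).group(1)) for _, new in s["transitions"] if MM_RE.match(new)]
    s["furthest_mm"] = max(reached) if reached else 0
    return s


def findings(s):
    """Plain-language observations derived from the summary (my wording, not IOS output)."""
    out = []
    if s["fell_back_to_main_mode"]:
        out.append("aggressive mode not available: negotiated in Main mode")
    if s["id_type"] == "ID_IPV4_ADDR":
        out.append("PSK authentication identifies this router by its IPv4 address")
    if s["no_psk_for"] and s["psk_lookup_names"]:
        out.append("no PSK keyed by peer IP; matched by hostname " + ", ".join(s["psk_lookup_names"]))
    if s["role"] == "I" and s["delete_state"] == "MM_KEY_EXCH" and s["furthest_mm"] == 5:
        out.append("initiator stalled after MM5: no MM6 from peer")
    if s["delete_reason"] and s["delete_reason"].startswith("Death by retransmission"):
        out.append(f"SA deleted after {s['retransmits']} of {s['max_retransmits']} retransmits")
    return out


if __name__ == "__main__":
    summary = triage_ikev1_debug(SAMPLE_DEBUG)
    for old, new in summary["transitions"]:
        print(f"{old:>12} -> {new}")
    for note in findings(summary):
        print("*", note)
```

Run it against a saved `debug crypto isakmp` capture by reading the file instead of `SAMPLE_DEBUG`; the point of the state walk is to see at a glance that the initiator got as far as sending MM5 (its encrypted identity, here of type ID_IPV4_ADDR) and never received MM6, which is where the retransmission timer then killed the SA.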
tony456
Cisco enlightened user
Posts: 162
Joined: Fri 24 Sep 2010, 8:53 pm
Location: 104

hi, is it possible to see the config too??
cisco ccna certified
cisco ccna security in progress
microsoft mctip in progress
liscio
Cisco fan
Posts: 73
Joined: Wed 29 Mar 2006, 5:43 pm
Location: ancona

Hi!
thanks for the interest.... anyway, my post is from August... in the end I gave up and worked around the problem..... as soon as I have some free time, though, I'd like to try again ;)
if so, I'll get back in touch!