Kerio-rus Forum

21.08.2017, 17:01   #1
afdark
 
Registered: 21.08.2017
Posts: 5
Thanked 0 times in 0 posts
Kerio + ASA + IPSec VPN: no traffic flowing

Good day, comrades!
Don't beat up a newbie, but, in short, I've got myself stuck here. On one side there is an ASA 5515 (SW 9.5), on the other Kerio 9.0.0 (442). The tunnel between them is up, but traffic doesn't flow in either direction?? The route on the Kerio is there. On the Cisco I seem to have configured it too. Config below. What am I doing wrong?


: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname ASA-2
domain-name ****************
enable password ************** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ****************** encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address ************* 255.255.252.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
vlan 1
nameif vlan1
security-level 0
ip address ************* 255.255.255.0
!
interface GigabitEthernet0/2.2
vlan 20
nameif vlan20
security-level 0
ip address ************** 255.255.255.0
!
interface GigabitEthernet0/2.3
no vlan
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
nameif Backup(gars)
security-level 0
ip address bbb.bbb.bbb.bbb 255.255.255.240
!
interface GigabitEthernet0/5
nameif Megafon
security-level 0
ip address aaa.aaa.aaa.aaa 255.255.255.240
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa951-smp-k8.bin
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name mangazeya.local
object network NETWORK_OBJ_10.10.120.0_24
subnet 10.10.120.0 255.255.255.0
object network NETWORK_OBJ_192.168.68.0_22
subnet 192.168.68.0 255.255.252.0
access-list Megafon_cryptomap extended permit ip 192.168.68.0 255.255.252.0 10.10.120.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu vlan1 1500
mtu vlan20 1500
mtu management 1500
mtu Megafon 1500
mtu Backup(gars) 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,Megafon) source static NETWORK_OBJ_192.168.68.0_22 NETWORK_OBJ_192.168.68.0_22 destination static NETWORK_OBJ_10.10.120.0_24 NETWORK_OBJ_10.10.120.0_24 no-proxy-arp route-lookup
nat (inside,Backup(gars)) source static NETWORK_OBJ_192.168.68.0_22 NETWORK_OBJ_192.168.68.0_22 destination static NETWORK_OBJ_10.10.120.0_24 NETWORK_OBJ_10.10.120.0_24 no-proxy-arp route-lookup
route Megafon 0.0.0.0 0.0.0.0 aaa.aaa.aaa.aaa 1 track 1
route Backup(gars) 0.0.0.0 0.0.0.0 bbb.bbb.bbb.bbb 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http ********* 255.255.255.0 management
http ********* 255.255.252.0 inside
no snmp-server location
no snmp-server contact
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface Megafon
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set Crypto_Main esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map Megafon_map 1 match address Megafon_cryptomap
crypto map Megafon_map 1 set peer aaa.aaa.aaa.aaa
crypto map Megafon_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map Megafon_map 1 set reverse-route
crypto map Megafon_map interface Megafon
crypto ca trustpool policy
crypto ikev1 enable Megafon
crypto ikev1 enable Backup(gars)
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
!
track 1 rtr 1 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
tls-proxy maximum-session 500
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_aaa.aaa.aaa.aaa internal
group-policy GroupPolicy_aaa.aaa.aaa.aaa attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username lankey password *************** encrypted privilege 15
tunnel-group aaa.aaa.aaa.aaa type ipsec-l2l
tunnel-group aaa.aaa.aaa.aaa general-attributes
default-group-policy GroupPolicy_aaa.aaa.aaa.aaa
tunnel-group aaa.aaa.aaa.aaa ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:20423bfc002f13ac52283774a1713c21
: end
ASA-2#
21.08.2017, 20:57   #2
exchar
Hell of a writer
 
Registered: 21.04.2008
Posts: 2,620
Thanked 175 times in 145 posts
Re: Kerio + ASA + IPSec VPN: no traffic flowing

Quote:
Originally posted by afdark
On one side there is an ASA 5515 (SW 9.5), on the other Kerio 9.0.0 (442).
And what is there of interest on the subject in the Kerio logs (error, warning, the relevant debug log options)?

p.s. Personally I don't know ASA, or Cisco in general, so we'll wait for comrades who are more versed in it =)
22.08.2017, 07:23   #3
HOG
Administrator
 
Registered: 08.03.2006
Location: From the woods, of course...
Posts: 5,828
Thanked 81 times in 71 posts
Re: Kerio + ASA + IPSec VPN: no traffic flowing

afdark, where is it being cut off??
22.08.2017, 09:22   #4
afdark
 
Registered: 21.08.2017
Posts: 5
Thanked 0 times in 0 posts
Re: Kerio + ASA + IPSec VPN: no traffic flowing

exchar, which options make sense to turn on? I enabled ipsec and I see roughly this:
[22/Aug/2017 09:06:32] {charon} charon: 13[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
[22/Aug/2017 09:06:32] {charon} charon: 13[CFG] rereading crls from '/etc/ipsec.d/crls'
[22/Aug/2017 09:06:33] {charon} Ipsec component updated charon's config.
[22/Aug/2017 09:06:33] {IPsec} TunnelsList|thread: Tunnel 'test' is going down. Config changed
[22/Aug/2017 09:06:33] {charon} charon: 11[CFG] received stroke: terminate 'tunnel_9_1_1_1'
[22/Aug/2017 09:06:33] {IPsec} TunnelsList|thread: 'ipsec down tunnel_9_1_1_1' returned 0
[22/Aug/2017 09:06:33] {charon} charon: 11[CFG] no IKE_SA named 'tunnel_9_1_1_1' found
[22/Aug/2017 09:06:33] {charon} charon: 05[CFG] received stroke: terminate 'tunnel_9_1_1_2'
[22/Aug/2017 09:06:33] {charon} charon: 05[CFG] no IKE_SA named 'tunnel_9_1_1_2' found
[22/Aug/2017 09:06:33] {IPsec} TunnelsList|thread: 'ipsec down tunnel_9_1_1_2' returned 0
[22/Aug/2017 09:06:33] {IPsec} TunnelsList|thread: Tunnel 'test' should be up.
[22/Aug/2017 09:06:33] {charon} charon: 04[CFG] received stroke: initiate 'tunnel_9_1_1_1'
[22/Aug/2017 09:06:33] {charon} charon: 09[IKE] initiating Main Mode IKE_SA tunnel_9_1_1_1[27591] to ip_asa
[22/Aug/2017 09:06:33] {charon} charon: 09[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/MODP_1024_160/MODP_2048_224/MODP_2048_256
[22/Aug/2017 09:06:33] {charon} charon: 09[ENC] generating ID_PROT request 0 [ SA V V V V ]
[22/Aug/2017 09:06:33] {charon} charon: 09[NET] sending packet: from 192.168.19.55[500] to ip_asa[500] (220 bytes)
[22/Aug/2017 09:06:33] {charon} charon: 15[NET] received packet: from ip_asa[500] to 192.168.19.55[500] (124 bytes)
[22/Aug/2017 09:06:33] {charon} charon: 15[ENC] parsed ID_PROT response 0 [ SA V V ]
[22/Aug/2017 09:06:33] {charon} charon: 15[IKE] received NAT-T (RFC 3947) vendor ID
[22/Aug/2017 09:06:33] {charon} charon: 15[IKE] received FRAGMENTATION vendor ID
[22/Aug/2017 09:06:33] {charon} charon: 15[CFG] selecting proposal:
[22/Aug/2017 09:06:33] {charon} charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM found
[22/Aug/2017 09:06:33] {charon} charon: 15[CFG] selecting proposal:
[22/Aug/2017 09:06:33] {charon} charon: 15[CFG] proposal matches
[22/Aug/2017 09:06:33] {charon} charon: 15[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
[22/Aug/2017 09:06:33] {charon} charon: 15[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/MODP_1024_160/MODP_2048_224/MODP_2048_256
[22/Aug/2017 09:06:33] {charon} charon: 15[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
[22/Aug/2017 09:06:33] {charon} charon: 15[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[22/Aug/2017 09:06:33] {charon} charon: 15[NET] sending packet: from 192.168.19.55[500] to ip_asa[500] (308 bytes)
[22/Aug/2017 09:06:33] {charon} charon: 07[NET] received packet: from ip_asa[500] to 192.168.19.55[500] (368 bytes)
[22/Aug/2017 09:06:33] {charon} charon: 07[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
[22/Aug/2017 09:06:33] {charon} charon: 07[IKE] received Cisco Unity vendor ID
[22/Aug/2017 09:06:33] {charon} charon: 07[IKE] received XAuth vendor ID
[22/Aug/2017 09:06:33] {charon} charon: 07[ENC] received unknown vendor ID: a9:a3:a4:09:39:52:7d:af:5e:ff:1a:fb:d6:2bae
[22/Aug/2017 09:06:33] {charon} charon: 07[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
[22/Aug/2017 09:06:33] {charon} charon: 07[IKE] local host is behind NAT, sending keep alives
[22/Aug/2017 09:06:33] {charon} charon: 07[ENC] generating ID_PROT request 0 [ ID HASH ]
[22/Aug/2017 09:06:33] {charon} charon: 07[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (68 bytes)
[22/Aug/2017 09:06:33] {charon} charon: 01[NET] received packet: from ip_asa[4500] to 192.168.19.55[4500] (84 bytes)
[22/Aug/2017 09:06:33] {charon} charon: 01[ENC] parsed ID_PROT response 0 [ ID HASH V ]
[22/Aug/2017 09:06:33] {charon} charon: 01[IKE] received DPD vendor ID
[22/Aug/2017 09:06:33] {charon} charon: 01[IKE] IKE_SA tunnel_9_1_1_1[27591] established between 192.168.19.55[control]...ip_asa[ip_asa]
[22/Aug/2017 09:06:33] {charon} charon: 01[IKE] scheduling reauthentication in 10098s
[22/Aug/2017 09:06:33] {charon} charon: 01[IKE] maximum IKE_SA lifetime 10638s
[22/Aug/2017 09:06:33] {charon} charon: 01[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
[22/Aug/2017 09:06:33] {charon} charon: 01[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
[22/Aug/2017 09:06:33] {charon} charon: 01[CFG] proposing traffic selectors for us:
[22/Aug/2017 09:06:33] {charon} charon: 01[CFG] 10.10.120.0/24
[22/Aug/2017 09:06:33] {charon} charon: 01[CFG] proposing traffic selectors for other:
[22/Aug/2017 09:06:33] {charon} charon: 01[CFG] 192.168.68.0/22
[22/Aug/2017 09:06:33] {charon} charon: 01[ENC] generating QUICK_MODE request 2162269196 [ HASH SA No ID ID ]
[22/Aug/2017 09:06:33] {charon} charon: 01[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (228 bytes)
[22/Aug/2017 09:06:33] {charon} charon: 03[NET] received packet: from ip_asa[4500] to 192.168.19.55[4500] (188 bytes)
[22/Aug/2017 09:06:33] {charon} charon: 03[ENC] parsed QUICK_MODE response 2162269196 [ HASH SA No ID ID N((24576)) ]
[22/Aug/2017 09:06:33] {charon} charon: 03[CFG] selecting proposal:
[22/Aug/2017 09:06:33] {charon} charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found
[22/Aug/2017 09:06:33] {charon} charon: 03[CFG] selecting proposal:
[22/Aug/2017 09:06:33] {charon} charon: 03[CFG] proposal matches
[22/Aug/2017 09:06:33] {charon} charon: 03[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[22/Aug/2017 09:06:33] {charon} charon: 03[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
[22/Aug/2017 09:06:33] {charon} charon: 03[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[22/Aug/2017 09:06:33] {charon} charon: 03[IKE] CHILD_SA tunnel_9_1_1_1{19} established with SPIs c561676a_i 86ef50bf_o and TS 10.10.120.0/24 === 192.168.68.0/22
[22/Aug/2017 09:06:34] {IPsec} reqIdUp: reqId=19, tunnelId=9 (Right subnet: 192.168.68.0/255.255.252.0 via 3)
[22/Aug/2017 09:06:34] {IPsec} Registering new route 192.168.68.0/255.255.252.0 for tunnel test
[22/Aug/2017 09:06:34] {IPsec} Touching route 192.168.68.0/255.255.252.0 (via dev: 3)
[22/Aug/2017 09:06:34] {IPsec} Tunnel 9:test is up
[22/Aug/2017 09:06:34] {IPsec} Connection info read from kernel: 192.168.19.55:4500 === ip_asa:4500 (proto UDP)
[22/Aug/2017 09:06:34] {IPsec} Register tunnel test
[22/Aug/2017 09:06:34] {charon} charon: 03[ENC] generating QUICK_MODE request 2162269196 [ HASH ]
[22/Aug/2017 09:06:34] {charon} charon: 03[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (60 bytes)
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: 'ipsec up tunnel_9_1_1_1' returned 0
[22/Aug/2017 09:06:34] {charon} charon: 05[CFG] received stroke: initiate 'tunnel_9_2_1_1'
[22/Aug/2017 09:06:34] {charon} charon: 08[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
[22/Aug/2017 09:06:34] {charon} charon: 08[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
[22/Aug/2017 09:06:34] {charon} charon: 08[CFG] proposing traffic selectors for us:
[22/Aug/2017 09:06:34] {charon} charon: 08[CFG] 172.26.199.0/24
[22/Aug/2017 09:06:34] {charon} charon: 08[CFG] proposing traffic selectors for other:
[22/Aug/2017 09:06:34] {charon} charon: 08[CFG] 192.168.68.0/22
[22/Aug/2017 09:06:34] {charon} charon: 08[ENC] generating QUICK_MODE request 1154246580 [ HASH SA No ID ID ]
[22/Aug/2017 09:06:34] {charon} charon: 08[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (228 bytes)
[22/Aug/2017 09:06:34] {charon} charon: 09[NET] received packet: from ip_asa[4500] to 192.168.19.55[4500] (188 bytes)
[22/Aug/2017 09:06:34] {charon} charon: 09[ENC] parsed QUICK_MODE response 1154246580 [ HASH SA No ID ID N((24576)) ]
[22/Aug/2017 09:06:34] {charon} charon: 09[CFG] selecting proposal:
[22/Aug/2017 09:06:34] {charon} charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
[22/Aug/2017 09:06:34] {charon} charon: 09[CFG] selecting proposal:
[22/Aug/2017 09:06:34] {charon} charon: 09[CFG] proposal matches
[22/Aug/2017 09:06:34] {charon} charon: 09[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[22/Aug/2017 09:06:34] {charon} charon: 09[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
[22/Aug/2017 09:06:34] {charon} charon: 09[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[22/Aug/2017 09:06:34] {charon} charon: 09[IKE] CHILD_SA tunnel_9_2_1_1{20} established with SPIs cce4d2b7_i 4561ce5a_o and TS 172.26.199.0/24 === 192.168.68.0/22
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: 'ipsec up tunnel_9_2_1_1' returned 0
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 10s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 10s.
[22/Aug/2017 09:06:34] {IPsec} reqIdUp: reqId=20, tunnelId=9 (Right subnet: 192.168.68.0/255.255.252.0 via 3)
[22/Aug/2017 09:06:34] {IPsec} Increasing refcount to route 192.168.68.0/255.255.252.0 for tunnel test. Route is now in use in 2 tunnels
[22/Aug/2017 09:06:34] {IPsec} Touching route 192.168.68.0/255.255.252.0 (via dev: 3)
[22/Aug/2017 09:06:34] {IPsec} Connection info read from kernel: 192.168.19.55:4500 === ip_asa:4500 (proto UDP)
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Tunnel 'test' will be checked in 9s.
[22/Aug/2017 09:06:34] {IPsec} TunnelsList|thread: Going to sleep for 9s.
[22/Aug/2017 09:06:34] {charon} charon: 09[ENC] generating QUICK_MODE request 1154246580 [ HASH ]
[22/Aug/2017 09:06:34] {charon} charon: 09[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (60 bytes)
[22/Aug/2017 09:06:44] {IPsec} TunnelsList|thread: Tunnel 'test' should be up.
[22/Aug/2017 09:06:44] {IPsec} TunnelsList|thread: All subtunnels of 'test' are up.
[22/Aug/2017 09:06:44] {IPsec} TunnelsList|thread: Going to sleep for 43s.
[22/Aug/2017 09:07:03] {charon} charon: 06[IKE] sending DPD request
[22/Aug/2017 09:07:03] {charon} charon: 06[ENC] generating INFORMATIONAL_V1 request 1740454002 [ HASH N(DPD) ]
[22/Aug/2017 09:07:03] {charon} charon: 06[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (92 bytes)
[22/Aug/2017 09:07:03] {charon} charon: 08[NET] received packet: from ip_asa[4500] to 192.168.19.55[4500] (84 bytes)
[22/Aug/2017 09:07:03] {charon} charon: 08[ENC] parsed INFORMATIONAL_V1 request 4085466939 [ HASH N(DPD_ACK) ]
[22/Aug/2017 09:07:27] {charon} charon: 01[NET] received packet: from ip_asa[4500] to 192.168.19.55[4500] (84 bytes)
[22/Aug/2017 09:07:27] {charon} charon: 01[ENC] parsed INFORMATIONAL_V1 request 2146770839 [ HASH N(DPD) ]
[22/Aug/2017 09:07:27] {charon} charon: 01[ENC] generating INFORMATIONAL_V1 request 2484422474 [ HASH N(DPD_ACK) ]
[22/Aug/2017 09:07:27] {charon} charon: 01[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (92 bytes)
[22/Aug/2017 09:07:27] {IPsec} TunnelsList|thread: Going to sleep for 60s.
[22/Aug/2017 09:07:47] {charon} charon: 02[NET] received packet: from ip_asa[4500] to 192.168.19.55[4500] (84 bytes)
[22/Aug/2017 09:07:47] {charon} charon: 02[ENC] parsed INFORMATIONAL_V1 request 1751888862 [ HASH N(DPD) ]
[22/Aug/2017 09:07:47] {charon} charon: 02[ENC] generating INFORMATIONAL_V1 request 2764877318 [ HASH N(DPD_ACK) ]
[22/Aug/2017 09:07:47] {charon} charon: 02[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (92 bytes)
[22/Aug/2017 09:08:16] {charon} charon: 01[IKE] sending DPD request
[22/Aug/2017 09:08:16] {charon} charon: 01[ENC] generating INFORMATIONAL_V1 request 1021730564 [ HASH N(DPD) ]
[22/Aug/2017 09:08:16] {charon} charon: 01[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (92 bytes)
[22/Aug/2017 09:08:16] {charon} charon: 13[NET] received packet: from ip_asa[4500] to 192.168.19.55[4500] (84 bytes)
[22/Aug/2017 09:08:16] {charon} charon: 13[ENC] parsed INFORMATIONAL_V1 request 1201163793 [ HASH N(DPD_ACK) ]
[22/Aug/2017 09:08:27] {IPsec} TunnelsList|thread: Going to sleep for 60s.
[22/Aug/2017 09:08:46] {charon} charon: 08[IKE] sending DPD request
[22/Aug/2017 09:08:46] {charon} charon: 08[ENC] generating INFORMATIONAL_V1 request 2957589042 [ HASH N(DPD) ]
[22/Aug/2017 09:08:46] {charon} charon: 08[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (92 bytes)
[22/Aug/2017 09:08:46] {charon} charon: 05[NET] received packet: from ip_asa[4500] to 192.168.19.55[4500] (84 bytes)
[22/Aug/2017 09:08:46] {charon} charon: 05[ENC] parsed INFORMATIONAL_V1 request 2393318603 [ HASH N(DPD_ACK) ]
[22/Aug/2017 09:09:16] {charon} charon: 01[IKE] sending DPD request
[22/Aug/2017 09:09:16] {charon} charon: 01[ENC] generating INFORMATIONAL_V1 request 911322526 [ HASH N(DPD) ]
[22/Aug/2017 09:09:16] {charon} charon: 01[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (92 bytes)
[22/Aug/2017 09:09:16] {charon} charon: 13[NET] received packet: from ip_asa[4500] to 192.168.19.55[4500] (84 bytes)
[22/Aug/2017 09:09:16] {charon} charon: 13[ENC] parsed INFORMATIONAL_V1 request 2081568392 [ HASH N(DPD_ACK) ]
[22/Aug/2017 09:09:27] {IPsec} TunnelsList|thread: Going to sleep for 60s.
[22/Aug/2017 09:09:46] {charon} charon: 06[IKE] sending DPD request
[22/Aug/2017 09:09:46] {charon} charon: 06[ENC] generating INFORMATIONAL_V1 request 1318123670 [ HASH N(DPD) ]
[22/Aug/2017 09:09:46] {charon} charon: 06[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (92 bytes)
[22/Aug/2017 09:09:46] {charon} charon: 08[NET] received packet: from ip_asa[4500] to 192.168.19.55[4500] (84 bytes)
[22/Aug/2017 09:09:46] {charon} charon: 08[ENC] parsed INFORMATIONAL_V1 request 349784795 [ HASH N(DPD_ACK) ]


I'm also thinking: couldn't the problem be in the setup itself that I've put together for the test? On the ASA side everything is fine, the provider's uplink comes straight in, but on the Kerio side there's a USB modem plugged into an ASUS RT-AC66U, and the Kerio is behind it... Although VPN passthrough is configured on the ASUS, and I forwarded the ports just in case.
HOG, the question isn't clear. If I knew where the traffic was being cut off, I wouldn't have started a thread here.
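The log above can be cross-checked mechanically against the ASA config from the first post. The following Python script is an added example, not code from the thread, Kerio, strongSwan or Cisco: it pulls the selected IKE/ESP proposals, the NAT detection line, the UDP port in use (4500 means NAT-T; the later log on port 500 means no NAT was detected) and each CHILD_SA's traffic selectors out of the charon lines, then checks the selectors against the `access-list Megafon_cryptomap` entry and flags deprecated algorithms such as 3DES and MODP 1536. The sample lines are excerpts from the thread's own log, and `ip_asa` is the poster's placeholder for the ASA address.

```python
"""Parse Kerio (strongSwan charon) IPsec debug lines and check the negotiated
tunnel against an ASA crypto-map ACL. Added example for this thread; not code
from Kerio, strongSwan or Cisco.
"""
import ipaddress
import re

# Excerpt of the debug log posted in the thread (constructed subset of lines).
SAMPLE_LOG = """\
[22/Aug/2017 09:06:33] {charon} charon: 15[CFG] no acceptable ENCRYPTION_ALGORITHM found
[22/Aug/2017 09:06:33] {charon} charon: 15[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
[22/Aug/2017 09:06:33] {charon} charon: 07[IKE] local host is behind NAT, sending keep alives
[22/Aug/2017 09:06:33] {charon} charon: 01[IKE] IKE_SA tunnel_9_1_1_1[27591] established between 192.168.19.55[control]...ip_asa[ip_asa]
[22/Aug/2017 09:06:33] {charon} charon: 03[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[22/Aug/2017 09:06:33] {charon} charon: 03[IKE] CHILD_SA tunnel_9_1_1_1{19} established with SPIs c561676a_i 86ef50bf_o and TS 10.10.120.0/24 === 192.168.68.0/22
[22/Aug/2017 09:06:34] {charon} charon: 09[IKE] CHILD_SA tunnel_9_2_1_1{20} established with SPIs cce4d2b7_i 4561ce5a_o and TS 172.26.199.0/24 === 192.168.68.0/22
[22/Aug/2017 09:07:03] {charon} charon: 06[NET] sending packet: from 192.168.19.55[4500] to ip_asa[4500] (92 bytes)
"""

# The crypto ACL line from the ASA config in the first post.
ASA_CRYPTO_ACL = """\
access-list Megafon_cryptomap extended permit ip 192.168.68.0 255.255.252.0 10.10.120.0 255.255.255.0
"""

CHILD_RE = re.compile(r"CHILD_SA (\S+)\{\d+\} established .* and TS (\S+) === (\S+)")
PROPOSAL_RE = re.compile(r"selected proposal: (IKE|ESP):(\S+)")
ACE_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
PORT_RE = re.compile(r"sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")

# Algorithms that still negotiate but are deprecated for new IPsec deployments.
WEAK_ALGS = {"3DES_CBC", "DES_CBC", "MODP_1024", "MODP_1536", "HMAC_MD5_96"}


def parse_acl(text):
    """Return (src, dst) network pairs from 'permit ip' ACEs, as seen from the ASA."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if m:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            aces.append((src, dst))
    return aces


def analyse(log_text, acl_text):
    """Extract phase 1/2 state, NAT-T usage and traffic selectors from charon lines."""
    aces = parse_acl(acl_text)
    report = {"ike_up": False, "behind_nat": False, "nat_t_port": None,
              "proposals": {}, "weak_algs": set(), "child_sas": [],
              "ts_not_in_acl": [], "rejected_proposals": 0}
    for line in log_text.splitlines():
        if "IKE_SA" in line and "established between" in line:
            report["ike_up"] = True
        if "local host is behind NAT" in line:
            report["behind_nat"] = True
        if "no acceptable ENCRYPTION_ALGORITHM" in line:
            # Harmless on its own: charon tries each configured proposal in turn.
            report["rejected_proposals"] += 1
        m = PROPOSAL_RE.search(line)
        if m:
            report["proposals"][m.group(1)] = m.group(2)
            report["weak_algs"] |= WEAK_ALGS & set(m.group(2).split("/"))
        m = PORT_RE.search(line)
        if m:
            report["nat_t_port"] = int(m.group(1))  # 4500 = NAT-T, 500 = plain IKE
        m = CHILD_RE.search(line)
        if m:
            local = ipaddress.ip_network(m.group(2))   # Kerio-side selector
            remote = ipaddress.ip_network(m.group(3))  # ASA-side selector
            report["child_sas"].append((m.group(1), str(local), str(remote)))
            # The ASA ACL is written from the ASA's view: src = ASA LAN, dst = Kerio LAN.
            covered = any(local.subnet_of(dst) and remote.subnet_of(src)
                          for src, dst in aces)
            if not covered:
                report["ts_not_in_acl"].append((str(local), str(remote)))
    return report


def findings(report):
    """Turn the parsed report into short troubleshooting hints."""
    out = []
    if not report["ike_up"]:
        out.append("phase 1 (IKE_SA) never established")
    if not report["child_sas"]:
        out.append("no CHILD_SA: phase 2 failed, compare crypto ACL and transform sets")
    if report["behind_nat"] and report["nat_t_port"] != 4500:
        out.append("NAT detected but packets are not on UDP 4500: NAT-T may be blocked")
    for local, remote in report["ts_not_in_acl"]:
        out.append(f"TS {local} <-> {remote} is not covered by the posted ASA crypto ACL")
    for alg in sorted(report["weak_algs"]):
        out.append(f"negotiated deprecated algorithm {alg}")
    return out


if __name__ == "__main__":
    for hint in findings(analyse(SAMPLE_LOG, ASA_CRYPTO_ACL)):
        print(hint)
```

On the thread's excerpt the script reports that both phases are up and NAT-T is in use, that the second CHILD_SA (172.26.199.0/24) is outside the single crypto ACE on the ASA, and that 3DES with MODP 1536 was negotiated.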
23.08.2017, 07:17   #5
HOG
Administrator
 
Registered: 08.03.2006
Location: From the woods, of course...
Posts: 5,828
Thanked 81 times in 71 posts
Re: Kerio + ASA + IPSec VPN: no traffic flowing

afdark, so what you have is Double NAT. You need to enable logging of dropped packets; then it will become clearer on the Kerio whether anything reaches it at all or not. By the way, a USB modem can perfectly well be plugged at least into the Kerio itself...
23.08.2017, 13:38   #6
afdark
 
Registered: 21.08.2017
Posts: 5
Thanked 0 times in 0 posts
Re: Kerio + ASA + IPSec VPN: no traffic flowing

HOG, will it be picked up as a proper network interface?
23.08.2017, 20:41   #7
HOG
Administrator
 
Registered: 08.03.2006
Location: From the woods, of course...
Posts: 5,828
Thanked 81 times in 71 posts
Re: Kerio + ASA + IPSec VPN: no traffic flowing

afdark, naturally, if drivers for it are found in the OS. By the way, what stops you from just trying it??
29.08.2017, 15:17   #8
afdark
 
Registered: 21.08.2017
Posts: 5
Thanked 0 times in 0 posts
Re: Kerio + ASA + IPSec VPN: no traffic flowing

I removed the extra router from the setup. Now it connects directly to the provider. The situation is the same. No traffic. In the Kerio debug log these messages keep coming:
[29/Aug/2017 15:13:00] {charon} charon: 10[ENC] generating INFORMATIONAL_V1 request 2813218163 [ HASH N(DPD_ACK) ]
[29/Aug/2017 15:13:00] {charon} charon: 10[NET] sending packet: from aaaaaaaa[500] to bbbbbbb[500] (92 bytes)
[29/Aug/2017 15:13:15] {IPsec} TunnelsList|thread: Going to sleep for 60s.
[29/Aug/2017 15:13:30] {charon} charon: 11[IKE] sending DPD request
[29/Aug/2017 15:13:30] {charon} charon: 11[ENC] generating INFORMATIONAL_V1 request 3291379653 [ HASH N(DPD) ]
[29/Aug/2017 15:13:30] {charon} charon: 11[NET] sending packet: from aaaaaaaaa[500] to bbbbbbbb[500] (92 bytes)
[29/Aug/2017 15:13:30] {charon} charon: 02[NET] received packet: from bbbbbbbb[500] to aaaaaaa[500] (84 bytes)
[29/Aug/2017 15:13:30] {charon} charon: 02[ENC] parsed INFORMATIONAL_V1 request 607563070 [ HASH N(DPD_ACK) ]
[29/Aug/2017 15:14:00] {charon} charon: 03[IKE] sending DPD request
[29/Aug/2017 15:14:00] {charon} charon: 03[ENC] generating INFORMATIONAL_V1 request 1921245026 [ HASH N(DPD) ]
[29/Aug/2017 15:14:00] {charon} charon: 03[NET] sending packet: from aaaaaaaa[500] to bbbbbbb[500] (92 bytes)
[29/Aug/2017 15:14:00] {charon} charon: 13[NET] received packet: from bbbbbbb[500] to aaaaaa[500] (84 bytes)
[29/Aug/2017 15:14:00] {charon} charon: 13[ENC] parsed INFORMATIONAL_V1 request 2920561293 [ HASH N(DPD_ACK) ]
[29/Aug/2017 15:14:15] {IPsec} TunnelsList|thread: Going to sleep for 60s.
[29/Aug/2017 15:14:30] {charon} charon: 10[IKE] sending DPD request
[29/Aug/2017 15:14:30] {charon} charon: 10[ENC] generating INFORMATIONAL_V1 request 786051934 [ HASH N(DPD) ]
[29/Aug/2017 15:14:30] {charon} charon: 10[NET] sending packet: from aaaaaaa[500] to bbbbbbbb[500] (92 bytes)
[29/Aug/2017 15:14:30] {charon} charon: 14[NET] received packet: from bbbbbb[500] to aaaaaaa[500] (84 bytes)
[29/Aug/2017 15:14:30] {charon} charon: 14[ENC] parsed INFORMATIONAL_V1 request 1982873268 [ HASH N(DPD_ACK) ]
[29/Aug/2017 15:14:50] {charon} charon: 02[NET] received packet: from bbbbbbb[500] to aaaaaaaaa[500] (84 bytes)
[29/Aug/2017 15:14:50] {charon} charon: 02[ENC] parsed INFORMATIONAL_V1 request 1646231721 [ HASH N(DPD) ]
[29/Aug/2017 15:14:50] {charon} charon: 02[ENC] generating INFORMATIONAL_V1 request 4064833712 [ HASH N(DPD_ACK) ]
[29/Aug/2017 15:14:50] {charon} charon: 02[NET] sending packet: from aaaaaa[500] to bbbbbbbb[500] (92 bytes)