Не поднимается тоннель ipsec, в чем может быть проблема?

Всем привет! Настраиваю IPsec-тоннель между двумя ASA. Тоннель не поднимается и даже не пытается подняться. Порты 500 и 4500 доступны.
Тоннель между айпишниками 150.97 и 78.54.
Вот конфиг:

asa 1:

! Inside interface: security-level 100 (most trusted), static 192.168.10.1/24.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
! Outside interface: security-level 0, address leased over DHCP.
! NOTE(review): the default route in this config points at 10.202.92.1, so the
! lease is presumably a private address behind an upstream NAT - confirm. If so,
! the peer sees a translated source address and NAT-T (UDP 4500) must pass both ways.
interface Vlan2
nameif outside
security-level 0
ip address dhcp
!
! Network objects and object-groups (the DM_INLINE_* names look ASDM-generated).
! NOTE(review): the paste looks truncated - the next line is a subnet statement with
! no "object network" header above it, and Google-DNS, ext_ip, K74-local and OG are
! referenced in this config but not defined in the visible part.
subnet 192.168.2.0 255.255.255.0
object network CC-Local
subnet 192.168.3.0 255.255.255.0
! K2-Lan is the local LAN (same prefix as the inside interface); it is the source
! side of the outside_cryptomap ACL.
object network K2-Lan
subnet 192.168.10.0 255.255.255.0
object network loop
subnet 0.0.0.0 0.0.0.0
object network K1-local
subnet 192.168.1.0 255.255.255.0
object network ML
host 94.141.183.3
! obj_0.0.0.0 (all addresses) carries the dynamic PAT rule defined in the NAT section.
object network obj_0.0.0.0
subnet 0.0.0.0 0.0.0.0
object network ASA-NAUKA
host 84.47.183.210
! NOTE(review): ASA-Starlink is 81.17.150.98, while the crypto map peer and the
! tunnel-group use 81.17.150.97; this object is not referenced in the visible config.
object network ASA-Starlink
host 81.17.150.98
object network ContactCenter
host 62.141.65.170
object network Internal_IP
host 192.168.10.1
object-group network obj_any
network-object 0.0.0.0 0.0.0.0
! "service-object ip" already matches every IP protocol, so the udp/tcp/icmp entries
! next to it add nothing; an ACL line that uses such a group with "any any" is a
! permit-all. The same applies to DM_INLINE_SERVICE_2, DM_INLINE_SERVICE_3 and
! DM_INLINE_PROTOCOL_1 below.
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object udp
service-object tcp
service-object icmp echo
service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object udp
service-object tcp
service-object udp destination eq isakmp
service-object icmp
service-object tcp destination eq domain
service-object udp destination eq domain
! Sources allowed by the inside_access_in ACL.
object-group network DM_INLINE_NETWORK_1
network-object object ASA-NAUKA
network-object object ML
network-object object Google-DNS
network-object object ContactCenter
network-object 192.168.10.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object udp
service-object tcp
service-object icmp alternate-address
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp traceroute
service-object udp destination eq isakmp
! UDP port groups: 4500 is NAT-T, isakmp is UDP 500.
object-group service DM_INLINE_UDP_1 udp
port-object eq 4500
port-object eq isakmp
port-object eq sip
object-group service DM_INLINE_UDP_2 udp
port-object eq 4500
port-object eq isakmp
object-group network external_ip
network-object object ext_ip
! Interface and global access rules.
! outside_access_in_1 is bound inbound to the outside interface. Its second and third
! lines permit "ip" from any to any (through DM_INLINE_SERVICE_1 and
! DM_INLINE_PROTOCOL_1), so the outside ACL is effectively permit-all; replace them
! with explicit permits for the flows that are actually required.
! NOTE(review): interface ACLs filter through-the-box traffic; IKE sessions that
! terminate on the ASA itself are enabled by "crypto ikev1/ikev2 enable outside", so
! the isakmp permits here are presumably not what decides whether the tunnel starts -
! confirm.
access-list outside_access_in_1 extended permit udp any any eq isakmp
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list outside_access_in_1 extended permit udp any object-group DM_INLINE_UDP_1 any
! Crypto ACLs (outside_cryptomap*). Only outside_cryptomap is attached to a crypto map
! entry in the visible config; outside_cryptomap_1 and outside_cryptomap_2 are not
! referenced by any visible crypto map entry.
! outside_cryptomap selects K2-Lan (192.168.10.0/24) -> K74-local. K74-local is not
! defined in the visible paste, and the peer needs the mirror-image ACL.
access-list outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 object CC-Local
! inside_access_in is bound inbound to the inside interface; DM_INLINE_SERVICE_2
! contains "ip", so every protocol is allowed from the DM_INLINE_NETWORK_1 sources.
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 any
access-list outside_cryptomap_2 extended permit ip 10.10.10.0 255.255.255.0 object K1-local
access-list outside_cryptomap extended permit ip object K2-Lan object K74-local
! global_access_1 is applied globally; DM_INLINE_SERVICE_3 also contains "ip", so
! its second line is another permit ip any any.
access-list global_access_1 extended permit udp any any eq isakmp
access-list global_access_1 extended permit object-group DM_INLINE_SERVICE_3 any any
access-list global_access_1 extended permit udp any object-group DM_INLINE_UDP_2 any
! Standard ACL; not referenced anywhere in the visible config.
access-list Dostup_izvne standard permit any4
! General settings, NAT, ACL bindings, routing and AAA.
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
! NOTE(review): "mtu dmz" refers to an interface named dmz that is not in the visible paste.
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
! Manual NAT: static translation of any source to the outside interface address when
! the destination is OG (OG is not defined in the visible paste).
nat (any,outside) source static any interface destination static OG OG
!
! Object NAT: all traffic leaving through outside is dynamically PAT'd to the outside
! interface address.
! NOTE(review): no identity NAT (NAT exemption) for K2-Lan -> K74-local is visible.
! The ASA applies NAT before it matches the crypto map ACL, so LAN traffic for the
! remote site would leave with the interface address, miss outside_cryptomap and never
! trigger IKE - a plausible cause of a tunnel that does not even try. The usual fix is
! a twice-NAT rule placed ahead of the other NAT rules, of the form
!   nat (inside,outside) source static K2-Lan K2-Lan destination static K74-local K74-local no-proxy-arp route-lookup
! Verify the resulting path with packet-tracer before and after.
object network obj_0.0.0.0
nat (any,outside) dynamic interface
! ACL bindings: inside_access_in inbound on inside, outside_access_in_1 inbound on
! outside, global_access_1 as the global ACL.
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
access-group global_access_1 global
! Static default route through 10.202.92.1 on the outside interface.
route outside 0.0.0.0 0.0.0.0 10.202.92.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
! NOTE(review): the next line is a lone "t" - the paste appears to be cut here, so
! the remaining timeout lines and anything else that followed are missing.
t
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
! SSH logins and command authorization use the LOCAL user database.
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
! IPsec (phase 2) definitions: IKEv1 transform sets, IKEv2 proposals, SA lifetime and
! the crypto map.
! The IKEv1 transform sets cover every combination of AES-128/192/256, 3DES and DES
! with SHA-1 or MD5 HMAC, each in tunnel mode plus a "-TRANS" transport-mode variant.
! DES, 3DES and MD5 are deprecated; a site-to-site tunnel only needs the one or two
! AES + SHA sets that the peer also offers.
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
! IKEv2 IPsec proposals: one per cipher, each accepting SHA-1 or MD5 integrity.
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
! NOTE(review): a volume lifetime of 3600 kilobytes forces a rekey after about 3.6 MB
! of traffic, far below the ASA default of 4608000 - presumably a typo for a value in
! seconds; confirm and match the peer.
crypto ipsec security-association lifetime kilobytes 3600
crypto ipsec security-association pmtu-aging infinite
! Crypto map entry 1: traffic matching outside_cryptomap is protected towards peer
! 81.17.150.97, and the map is bound to the outside interface. The entry offers all ten
! tunnel-mode IKEv1 transform sets and all five IKEv2 proposals, DES included.
! An L2L tunnel is negotiated on demand: nothing is sent to the peer until a packet
! matches outside_cryptomap after NAT, so "show crypto ikev1 sa" / "show crypto ikev2 sa"
! stay empty without interesting traffic.
! NOTE(review): with both ikev1 and ikev2 set, the ASA as initiator tries IKEv2 first -
! confirm that the peer is configured for the same IKE version.
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 81.17.150.97
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside

! IKEv2 (phase 1) policies, tried in priority order 1 -> 40: AES-256, AES-192, AES,
! 3DES, DES. All use SHA-1 for integrity and PRF, offer DH groups 5 and 2, and have a
! lifetime of 86400 seconds.
! DH groups 2 (1024-bit) and 5 (1536-bit), SHA-1, 3DES and DES are weak by current
! guidance; keep only the AES policies and move to group 14 or higher with SHA-2 where
! the peer and software release allow it.
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
! Both IKE versions are enabled on the outside interface, so the ASA answers IKE on
! that interface for either version.
crypto ikev2 enable outside
crypto ikev1 enable outside
! IKEv1 (phase 1) policies 10-150: every combination of authentication method
! (crack, rsa-sig, pre-share) and cipher (AES-256, AES-192, AES, 3DES, DES), all with
! SHA-1, DH group 2 and an 86400-second lifetime.
! The tunnel-group in this config authenticates with a pre-shared key, so only the
! pre-share policies (30, 60, 90, 120, 150) can apply to this tunnel; the crack and
! rsa-sig policies are unused by it.
! DH group 2 (1024-bit), 3DES and DES are weak by current guidance; one pre-share AES
! policy that the peer also has is enough.
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
! Idle timeout for telnet management sessions.
telnet timeout 5
!
! Group policies: both allow IKEv1 and IKEv2. GroupPolicy1 is not referenced by any
! tunnel-group in the visible config.
group-policy GroupPolicy_81.17.150.97 internal
group-policy GroupPolicy_81.17.150.97 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ikev2
! LAN-to-LAN tunnel-group named after the peer address; the name matches the
! "set peer" address of crypto map entry 1.
! NOTE(review): if this ASA sits behind an upstream NAT, the tunnel-group on the
! remote ASA presumably has to be named after the translated public address it sees
! as the source, not after the DHCP address of the outside interface - confirm on the
! peer.
tunnel-group 81.17.150.97 type ipsec-l2l
tunnel-group 81.17.150.97 general-attributes
default-group-policy GroupPolicy_81.17.150.97
tunnel-group 81.17.150.97 ipsec-attributes
! Pre-shared keys are redacted in the post (#key#). The IKEv1 key, and the IKEv2
! local/remote keys, must match the values configured on the peer.
ikev1 pre-shared-key #key#
ikev2 remote-authentication pre-shared-key #key#
ikev2 local-authentication pre-shared-key #key#