Remote-access VPN с сертификатами

Question

rdntw @rdntw

Remote-access VPN с сертификатами

добрый день!
возникла необходимость сделать доступ сотрудниками из любой точки в корпоративную сеть.
например, пользователь заливает сертификат на устройство ( ноутбук, iphone ), ставится туннель с роутером, роутер через радиус проверяет подлинность и дает добро. так?
но на практике что-то не получается…
вот кусок конфига

вот кусок конфига

aaa new-model
!
!
aaa authentication login authlist group radius local
aaa authorization network authlist group radius local 

username xxx privilege 15 secret 5 xxx

crypto isakmp policy 20
 encr 3des
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp client configuration address-pool local VPN_POOL
!
crypto isakmp client configuration group VPN_group
 key cisco
 pool VPN_POOL
 netmask 255.255.255.0
!

crypto ipsec transform-set TS esp-aes esp-sha-hmac 
!

!
!
crypto dynamic-map DM 10
 set transform-set TS 
 reverse-route
!
!
!
!
crypto map stat-map client authentication list authlist
crypto map stat-map isakmp authorization list authlist
crypto map stat-map client configuration address respond
crypto map stat-map 10 ipsec-isakmp dynamic DM 
!
!
!
ip ssh version 2
!
!
!
!
interface Loopback0
 ip address 10.0.1.42 255.255.255.255
 ip flow ingress
!
interface Loopback10
  descr for VPN_users
 ip address 10.11.180.254 255.255.255.0
!
interface GigabitEthernet0/0
 ip address xxx.26 255.255.255.224
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map stat-map
!

!
ip local pool VPN_POOL 10.11.180.1 10.11.180.5

!
ip nat inside source route-map nat interface GigabitEthernet0/0 overload

вот еще дебаг :)

*May  6 13:35:01: ISAKMP:(0):Authentication method offered does not match policy!
*May  6 13:35:01: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May  6 13:35:01: ISAKMP:(0):no offers accepted!
*May  6 13:35:01: ISAKMP:(0): phase 1 SA policy not acceptable! (local 91.221.16.26 remote 95.215.103.14)
*May  6 13:35:01: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*May  6 13:35:01: ISAKMP:(0): Failed to construct AG informational message.
*May  6 13:35:01: ISAKMP:(0): sending packet to 95.215.103.14 my_port 500 peer_port 500 (R) MM_NO_STATE
*May  6 13:35:01: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May  6 13:35:01: ISAKMP:(0):peer does not do paranoid keepalives.

*May  6 13:35:01: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (pee                                          r 95.215.103.14)
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID is DPD
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May  6 13:35:01: ISAKMP:(0): vendor ID is NAT-T v2
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*May  6 13:35:01: ISAKMP:(0): vendor ID is NAT-T v3
*May  6 13:35:01: ISAKMP (0): FSM action returned error: 2
*May  6 13:35:01: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May  6 13:35:01: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*May  6 13:35:01: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (pee                                          r 95.215.103.14)
*May  6 13:35:01: ISAKMP: Unlocking peer struct 0x4A5A6F50 for isadb_mark_sa_deleted(), count 0
*May  6 13:35:01: ISAKMP: Deleting peer node by peer_reap for 95.215.103.14: 4A5A6F50
*May  6 13:35:01: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May  6 13:35:01: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

*May  6 13:35:01: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May  6 13:35:01: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 95.215.103.14)
*May  6 13:35:01: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*May  6 13:35:01: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*May  6 13:35:03: ISAKMP:(0):purging SA., sa=4A50FC40, delme=4A50FC40
*May  6 13:35:05: ISAKMP (0): received packet from 195.128.57.86 dport 500 sport 500 Global (R) MM_NO_STATE
*May  6 13:35:05: ISAKMP (0): received packet from 94.159.0.74 dport 500 sport 500 Global (N) NEW SA
*May  6 13:35:05: ISAKMP: Created a peer struct for 94.159.0.74, peer port 500
*May  6 13:35:05: ISAKMP: New peer created peer = 0x4A5A6F50 peer_handle = 0x8000156D
*May  6 13:35:05: ISAKMP: Locking peer struct 0x4A5A6F50, refcount 1 for crypto_isakmp_process_block
*May  6 13:35:05: ISAKMP:(0):Setting client config settings 4A913714
*May  6 13:35:05: ISAKMP:(0):(Re)Setting client xauth list  and state
*May  6 13:35:05: ISAKMP/xauth: initializing AAA request
*May  6 13:35:05: ISAKMP: local port 500, remote port 500
*May  6 13:35:05: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4A5247A4
*May  6 13:35:05: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May  6 13:35:05: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*May  6 13:35:05: ISAKMP:(0): processing SA payload. message ID = 0
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID is DPD
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May  6 13:35:05: ISAKMP:(0): vendor ID is NAT-T v2
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*May  6 13:35:05: ISAKMP:(0): vendor ID is NAT-T v3
*May  6 13:35:05: ISAKMP:(0): Authentication by xauth preshared
*May  6 13:35:05: ISAKMP:(0):Checking ISAKMP transform 0 against priority 20 policy
*May  6 13:35:05: ISAKMP:      encryption 3DES-CBC
*May  6 13:35:05: ISAKMP:      hash SHA
*May  6 13:35:05: ISAKMP:      auth pre-share
*May  6 13:35:05: ISAKMP:      default group 2
*May  6 13:35:05: ISAKMP:      life type in seconds
*May  6 13:35:05: ISAKMP:      life duration (basic) of 28800
*May  6 13:35:05: ISAKMP:(0):Authentication method offered does not match policy!
*May  6 13:35:05: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May  6 13:35:05: ISAKMP:(0):no offers accepted!
*May  6 13:35:05: ISAKMP:(0): phase 1 SA policy not acceptable! (local 91.221.16.26 remote 94.159.0.74)
*May  6 13:35:05: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*May  6 13:35:05: ISAKMP:(0): Failed to construct AG informational message.
*May  6 13:35:05: ISAKMP:(0): sending packet to 94.159.0.74 my_port 500 peer_port 500 (R) MM_NO_STATE
*May  6 13:35:05: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May  6 13:35:05: ISAKMP:(0):peer does not do paranoid keepalives.

Вопрос задан более трёх лет назад
4215 просмотров

Комментировать

Подписаться 5 Оценить Комментировать

Пригласить эксперта

Ответы на вопрос 5

Комментировать

4 комментария

rdntw @rdntw Автор вопроса

debug
#show crypto isakmp policy

Global IKE policy

Protection suite of priority 20

encryption algorithm: Three key triple DES

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #2 (1024 bit)

lifetime: 86400 seconds, no volume limit
*May 7 05:55:51: ISAKMP:(0):deleting SA reason «Phase1 SA policy proposal not accepted» state ® MM_NO_STATE (peer 195.128.57.86)

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID is DPD

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*May 7 05:55:51: ISAKMP:(0): vendor ID is NAT-T v2

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*May 7 05:55:51: ISAKMP:(0): vendor ID is NAT-T v3

*May 7 05:55:51: ISAKMP (0): FSM action returned error: 2

*May 7 05:55:51: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*May 7 05:55:51: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*May 7 05:55:51: ISAKMP:(0):deleting SA reason «Phase1 SA policy proposal not accepted» state ® MM_NO_STATE (peer 195.128.57.86)

*May 7 05:55:51: ISAKMP: Unlocking peer struct 0x4A5C63B0 for isadb_mark_sa_deleted(), count 0

*May 7 05:55:51: ISAKMP: Deleting peer node by peer_reap for 195.128.57.86: 4A5C63B0

*May 7 05:55:51: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*May 7 05:55:51: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA

*May 7 05:55:51: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*May 7 05:55:51: ISAKMP:(0):deleting SA reason «No reason» state ® MM_NO_STATE (peer 195.128.57.86)

*May 7 05:55:51: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR

*May 7 05:55:51: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*May 7 05:55:51: ISAKMP (0): received packet from 94.159.0.74 dport 500 sport 500 Global (N) NEW SA

*May 7 05:55:51: ISAKMP: Created a peer struct for 94.159.0.74, peer port 500

*May 7 05:55:51: ISAKMP: New peer created peer = 0x4A9489EC peer_handle = 0x80005FF6

*May 7 05:55:51: ISAKMP: Locking peer struct 0x4A9489EC, refcount 1 for crypto_isakmp_process_block

*May 7 05:55:51: ISAKMP:(0):Setting client config settings 4A5C63B0

*May 7 05:55:51: ISAKMP:(0):(Re)Setting client xauth list and state

*May 7 05:55:51: ISAKMP/xauth: initializing AAA request

*May 7 05:55:51: ISAKMP: local port 500, remote port 500

*May 7 05:55:51: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4A683BE4

*May 7 05:55:51: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*May 7 05:55:51: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*May 7 05:55:51: ISAKMP:(0): processing SA payload. message ID = 0

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID is DPD

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*May 7 05:55:51: ISAKMP:(0): vendor ID is NAT-T v2

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*May 7 05:55:51: ISAKMP:(0): vendor ID is NAT-T v3

*May 7 05:55:51: ISAKMP:(0): Authentication by xauth preshared

*May 7 05:55:51: ISAKMP:(0):Checking ISAKMP transform 0 against priority 20 policy

*May 7 05:55:51: ISAKMP: encryption 3DES-CBC

*May 7 05:55:51: ISAKMP: hash SHA

*May 7 05:55:51: ISAKMP: auth pre-share

*May 7 05:55:51: ISAKMP: default group 2

*May 7 05:55:51: ISAKMP: life type in seconds

*May 7 05:55:51: ISAKMP: life duration (basic) of 28800

*May 7 05:55:51: ISAKMP:(0):Authentication method offered does not match policy!

*May 7 05:55:51: ISAKMP:(0):atts are not acceptable. Next payload is 0

*May 7 05:55:51: ISAKMP:(0):no offers accepted!

*May 7 05:55:51: ISAKMP:(0): phase 1 SA policy not acceptable! (local 91.221.16.26 remote 94.159.0.74)

*May 7 05:55:51: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

*May 7 05:55:51: ISAKMP:(0): Failed to construct AG informational message.

*May 7 05:55:51: ISAKMP:(0): sending packet to 94.159.0.74 my_port 500 peer_port 500 ® MM_NO_STATE

*May 7 05:55:51: ISAKMP:(0):Sending an IKE IPv4 Packet.

*May 7 05:55:51: ISAKMP:(0):peer does not do paranoid keepalives.

*May 7 05:55:51: ISAKMP:(0):deleting SA reason «Phase1 SA policy proposal not accepted» state ® MM_NO_STATE (peer 94.159.0.74)

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID is DPD

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*May 7 05:55:51: ISAKMP:(0): vendor ID is NAT-T v2

*May 7 05:55:51: ISAKMP:(0): processing vendor id payload

*May 7 05:55:51: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*May 7 05:55:51: ISAKMP:(0): vendor ID is NAT-T v3

*May 7 05:55:51: ISAKMP (0): FSM action returned error: 2

*May 7 05:55:51: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*May 7 05:55:51: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*May 7 05:55:51: ISAKMP:(0):deleting SA reason «Phase1 SA policy proposal not accepted» state ® MM_NO_STATE (peer 94.159.0.74)

*May 7 05:55:51: ISAKMP: Unlocking peer struct 0x4A9489EC for isadb_mark_sa_deleted(), count 0

*May 7 05:55:51: ISAKMP: Deleting peer node by peer_reap for 94.159.0.74: 4A9489EC

*May 7 05:55:51: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*May 7 05:55:51: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA

*May 7 05:55:51: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*May 7 05:55:51: ISAKMP:(0):deleting SA reason «No reason» state ® MM_NO_STATE (peer 94.159.0.74)

*May 7 05:55:51: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR

*May 7 05:55:51: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*May 7 05:55:56: ISAKMP (0): received packet from 95.215.103.14 dport 500 sport 500 Global (N) NEW SA

*May 7 05:55:56: ISAKMP: Created a peer struct for 95.215.103.14, peer port 500

*May 7 05:55:56: ISAKMP: New peer created peer = 0x4A5C63B0 peer_handle = 0x8000606B

*May 7 05:55:56: ISAKMP: Locking peer struct 0x4A5C63B0, refcount 1 for crypto_isakmp_process_block

*May 7 05:55:56: ISAKMP:(0):Setting client config settings 4A9489EC

*May 7 05:55:56: ISAKMP:(0):(Re)Setting client xauth list and state

*May 7 05:55:56: ISAKMP/xauth: initializing AAA request

*May 7 05:55:56: ISAKMP: local port 500, remote port 500

*May 7 05:55:56: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4A43BD6C

*May 7 05:55:56: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*May 7 05:55:56: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*May 7 05:55:56: ISAKMP:(0): processing SA payload. message ID = 0

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID is DPD

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*May 7 05:55:56: ISAKMP:(0): vendor ID is NAT-T v2

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*May 7 05:55:56: ISAKMP:(0): vendor ID is NAT-T v3

*May 7 05:55:56: ISAKMP:(0): Authentication by xauth preshared

*May 7 05:55:56: ISAKMP:(0):Checking ISAKMP transform 0 against priority 20 policy

*May 7 05:55:56: ISAKMP: encryption 3DES-CBC

*May 7 05:55:56: ISAKMP: hash SHA

*May 7 05:55:56: ISAKMP: auth pre-share

*May 7 05:55:56: ISAKMP: default group 2

*May 7 05:55:56: ISAKMP: life type in seconds

*May 7 05:55:56: ISAKMP: life duration (basic) of 28800

*May 7 05:55:56: ISAKMP:(0):Authentication method offered does not match policy!

*May 7 05:55:56: ISAKMP:(0):atts are not acceptable. Next payload is 0

*May 7 05:55:56: ISAKMP:(0):no offers accepted!

*May 7 05:55:56: ISAKMP:(0): phase 1 SA policy not acceptable! (local 91.221.16.26 remote 95.215.103.14)

*May 7 05:55:56: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

*May 7 05:55:56: ISAKMP:(0): Failed to construct AG informational message.

*May 7 05:55:56: ISAKMP:(0): sending packet to 95.215.103.14 my_port 500 peer_port 500 ® MM_NO_STATE

*May 7 05:55:56: ISAKMP:(0):Sending an IKE IPv4 Packet.

*May 7 05:55:56: ISAKMP:(0):peer does not do paranoid keepalives.

*May 7 05:55:56: ISAKMP:(0):deleting SA reason «Phase1 SA policy proposal not accepted» state ® MM_NO_STATE (peer 95.215.103.14)

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID is DPD

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*May 7 05:55:56: ISAKMP:(0): vendor ID is NAT-T v2

*May 7 05:55:56: ISAKMP:(0): processing vendor id payload

*May 7 05:55:56: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*May 7 05:55:56: ISAKMP:(0): vendor ID is NAT-T v3

*May 7 05:55:56: ISAKMP (0): FSM action returned error: 2

*May 7 05:55:56: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*May 7 05:55:56: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*May 7 05:55:56: ISAKMP:(0):deleting SA reason «Phase1 SA policy proposal not accepted» state ® MM_NO_STATE (peer 95.215.103.14)

*May 7 05:55:56: ISAKMP: Unlocking peer struct 0x4A5C63B0 for isadb_mark_sa_deleted(), count 0

*May 7 05:55:56: ISAKMP: Deleting peer node by peer_reap for 95.215.103.14: 4A5C63B0

*May 7 05:55:56: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Написано более трёх лет назад

JDima @JDima

*May 7 05:55:51: ISAKMP:(0):Checking ISAKMP transform 0 against priority 20 policy

*May 7 05:55:51: ISAKMP: encryption 3DES-CBC

*May 7 05:55:51: ISAKMP: hash SHA

*May 7 05:55:51: ISAKMP: auth pre-share

*May 7 05:55:51: ISAKMP: default group 2

*May 7 05:55:51: ISAKMP: life type in seconds

*May 7 05:55:51: ISAKMP: life duration (basic) of 28800

*May 7 05:55:51: ISAKMP:(0):Authentication method offered does not match policy!

Это я жестоко тупанул…
VPN клиент шлет PSK. Сервер хочет RSA-SIG, и потому отбивает его.
Копайте настройки на клиенте.

Написано более трёх лет назад

rdntw @rdntw Автор вопроса

на стороне клиента тупее некуда… указал сертификат и IP и коннектишься…

Написано более трёх лет назад
JDima @JDima

Тогда лучше пересоздать профиль на клиенте.
Для начала можно обойтись и без xauth.

Написано более трёх лет назад

1 комментарий

Комментировать

Ваш ответ на вопрос

Войдите, чтобы написать ответ

Похожие вопросы

Сетевое администрирование

+2 ещё

Средний
Как включить HBA на HP Array P420I (hp proliant dl380p gen8)?
- 2 подписчика
- 18 часов назад
- 78 просмотров
1

ответ
Компьютерные сети

+1 ещё

Средний
Чем мониторить arp на mikrotik?
- 3 подписчика
- 20 часов назад
- 226 просмотров
2

ответа
Компьютерные сети

+1 ещё

Простой
Почему роутер openwrt не видит клиента со статическим ip?
- 1 подписчик
- 21 час назад
- 63 просмотра
3

ответа
Компьютерные сети

Простой
Как обойти ограничение мобильного провайдера на максимальный файл?
- 1 подписчик
- вчера
- 156 просмотров
3

ответа
Компьютерные сети

Средний
Почему по вечерам снижается скорость загрузки с VPS?
- 4 подписчика
- вчера
- 496 просмотров
2

ответа
Компьютерные сети

+3 ещё

Простой
Как вывести время последнего онлайна хоста в Zabbix?
- 2 подписчика
- вчера
- 220 просмотров
2

ответа
Компьютерные сети

+1 ещё

Средний
Какие протоколы прикладного уровня над TCP/IP поддерживают постоянное соедиение как WebSocket?
- 2 подписчика
- 19 нояб.
- 3421 просмотр
6

ответов
Сетевое администрирование

+4 ещё

Средний
Почему Mail in a box недоступен по внешнему ip?
- 1 подписчик
- 19 нояб.
- 121 просмотр
2

ответа
Компьютерные сети

+2 ещё

Простой
Начинающий системный администратор. Вопрос по построению сети?
- 2 подписчика
- 19 нояб.
- 5333 просмотра
14

ответов
Компьютерные сети

+3 ещё

Простой
Как пробросить сервер за NAT провайдера?
- 1 подписчик
- 19 нояб.
- 378 просмотров
5

ответов
Показать ещё Загружается…

Контент-маркетолог

Хекслет

от 60 000 до 100 000 ₽

Преподаватель по нейросетям

CODDY

от 40 000 ₽

Младший аналитик

Сбер • Москва

от 130 000 ₽

Нарисовать проект Площадки для дизайнеров интерьеров

22 нояб. 2024, в 10:19

10000 руб./за проект

Сделать верстку двух страниц из фигмы

22 нояб. 2024, в 09:58

5000 руб./за проект

Доделать проект

22 нояб. 2024, в 09:57

3000 руб./за проект

Answer 1 · 2013-05-06 19:34:15

Вам надо на циске настроить аутентификацию по паре имя-пароль, xauth preshared. Эти данные передаются в профиле клиенту в дополнение к сертификатам.

Answer 2 · 2013-05-06 22:00:59

rdntw @rdntw Автор вопроса

итак же используются

Ответ написан более трёх лет назад

Комментировать

Answer 3 · 2013-05-06 23:06:17

JDima @JDima

crypto isakmp policy 20
authentication rsa-sig

Не сработает — новый дебаг.

Ответ написан более трёх лет назад

4 комментария

Answer 4 · 2013-05-07 07:59:29

kbool @kbool

А в качестве VPN клиента что выступает?

Ответ написан более трёх лет назад

1 комментарий

Answer 5 · 2022-09-19 16:20:28

Here are some topics to get more information:
https://www.networkingsignal.com/what-is-vpn-impor...
https://www.networkingsignal.com/what-is-a-remote-...
https://www.networkingsignal.com/stop-someone-from...
https://www.networkingsignal.com/what-is-site-to-s...

Remote-access VPN с сертификатами

Войдите, чтобы написать ответ

Минуточку внимания

Войдите на сайт