2009/7/23 Vincenzo Milasi <[email protected]>:
> Hi, I have a problem with a VPN between an ASA and a Cisco 877. The ASA has
> a public address, while the Cisco 877 is on the Fastweb network.
>
> The Cisco 877 has the following configuration:
>
> crypto isakmp policy 9
>  encr aes 256
>  authentication pre-share
>  group 5
> !
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key xxx address IP_remote_ASA no-xauth
> !
> crypto ipsec security-association idle-time 86400
> !
> crypto ipsec transform-set asa-set esp-3des esp-md5-hmac
> crypto ipsec transform-set asa esp-aes 256 esp-sha-hmac
> !
> crypto map asa 1 ipsec-isakmp
>  set peer IP_remote_ASA
>  set transform-set asa
>  set pfs group2
>  match address 100
> !
>
> interface Vlan1
>  description $WAN$
>  ip address ip_vlan1 255.255.255.0
>  ip verify unicast reverse-path
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip nat outside
>  ip virtual-reassembly
>  ip route-cache flow
>  crypto map asa
> !
>
> access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
> access-list 100 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.7
>
> On the ASA:
>
> crypto map outside_map 1 match address outside_cryptomap_1
> crypto map outside_map 1 set pfs
> crypto map outside_map 1 set peer ip_vlan1
> crypto map outside_map 1 set transform-set ESP-AES-256-SHA
>
> crypto isakmp policy 9
>  authentication pre-share
>  encryption aes-256
>  hash sha
>  group 5
>  lifetime 86400
> crypto isakmp policy 10
>  authentication pre-share
>  encryption 3des
>  hash sha
>  group 2
>  lifetime 86400
>
> tunnel-group ip_vlan1 type ipsec-l2l
> tunnel-group ip_vlan1 general-attributes
>  default-group-policy pippo
> tunnel-group ip_vlan1 ipsec-attributes
>  pre-shared-key *
>
> Below are the logs:
>
> asa# Jul 23 13:19:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:13 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:15 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:16 [IKEv1 DEBUG]: IP = ip_vlan1, IKE MM Initiator FSM error history (struct &0xd9f58d80) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
> Jul 23 13:19:16 [IKEv1 DEBUG]: IP = ip_vlan1, IKE SA MM:15da7cc9 terminating: flags 0x01000022, refcnt 0, tuncnt 0
> Jul 23 13:19:16 [IKEv1 DEBUG]: IP = ip_vlan1, sending delete/delete with reason message
> Jul 23 13:19:16 [IKEv1]: IP = ip_vlan1, Removing peer from peer table failed, no match!
> Jul 23 13:19:16 [IKEv1]: IP = ip_vlan1, Error: Unable to remove PeerTblEntry
> Jul 23 13:19:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:18 [IKEv1]: IP = ip_vlan1, IKE Initiator: New Phase 1, Intf inside, IKE Peer ip_vlan1 local Proxy Address 192.168.0.0, remote Proxy Address 192.168.2.0, Crypto map (outside_map)
> Jul 23 13:19:18 [IKEv1 DEBUG]: IP = ip_vlan1, constructing ISAKMP SA payload
> Jul 23 13:19:18 [IKEv1 DEBUG]: IP = ip_vlan1, constructing NAT-Traversal VID ver 02 payload
> Jul 23 13:19:18 [IKEv1 DEBUG]: IP = ip_vlan1, constructing NAT-Traversal VID ver 03 payload
> Jul 23 13:19:18 [IKEv1 DEBUG]: IP = ip_vlan1, constructing Fragmentation VID + extended capabilities payload
> Jul 23 13:19:18 [IKEv1]: IP = ip_vlan1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
> Jul 23 13:19:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:20 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:23 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:25 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:26 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
> Jul 23 13:19:28 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:28 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:30 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:30 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:33 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:34 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
> Jul 23 13:19:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:35 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:38 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:40 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:42 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
> Jul 23 13:19:43 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:43 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:45 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:48 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:49 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:49 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> Jul 23 13:19:50 [IKEv1 DEBUG]: IP = ip_vlan1, IKE MM Initiator FSM error history (struct &0xd9f58d80) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
> Jul 23 13:19:50 [IKEv1 DEBUG]: IP = ip_vlan1, IKE SA MM:9dfe6a35 terminating: flags 0x01000022, refcnt 0, tuncnt 0
> Jul 23 13:19:50 [IKEv1 DEBUG]: IP = ip_vlan1, sending delete/delete with reason message
> Jul 23 13:19:50 [IKEv1]: IP = ip_vlan1, Removing peer from peer table failed, no match!
> Jul 23 13:19:50 [IKEv1]: IP = ip_vlan1, Error: Unable to remove PeerTblEntry
> Jul 23 13:19:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:53 [IKEv1]: IP = ip_vlan1, IKE Initiator: New Phase 1, Intf inside, IKE Peer ip_vlan1 local Proxy Address 192.168.0.0, remote Proxy Address 192.168.2.0, Crypto map (outside_map)
> Jul 23 13:19:53 [IKEv1 DEBUG]: IP = ip_vlan1, constructing ISAKMP SA payload
> Jul 23 13:19:53 [IKEv1 DEBUG]: IP = ip_vlan1, constructing NAT-Traversal VID ver 02 payload
> Jul 23 13:19:53 [IKEv1 DEBUG]: IP = ip_vlan1, constructing NAT-Traversal VID ver 03 payload
> Jul 23 13:19:53 [IKEv1 DEBUG]: IP = ip_vlan1, constructing Fragmentation VID + extended capabilities payload
> Jul 23 13:19:53 [IKEv1]: IP = ip_vlan1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
> Jul 23 13:19:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:54 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> undebuJul 23 13:19:58 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:58 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> gJul 23 13:19:59 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:19:59 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> allJul 23 13:20:01 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
> Jul 23 13:20:04 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Jul 23 13:20:04 [IKEv1]: IP = ip_vlan1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
>
> I have already enabled NAT traversal, setting it to 3600.
>
> Thanks for the help.
>
I withdraw the above request; I have already solved it. Thanks to everyone anyway.

_______________________________________________
http://cug.areanetworking.it
[email protected]
http://ml.areanetworking.it/mailman/listinfo/cug
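As an added example (my own code, not part of the thread and not a Cisco tool), the script below automates the two checks a defender would run first on a site-to-site tunnel that never completes IKEv1 Phase 1, using the material quoted above. It parses the `crypto isakmp policy` blocks from both the IOS and the ASA side, normalizes the two spellings (`encr aes 256` versus `encryption aes-256`), and reports which policy pairs agree on encryption, hash, authentication and DH group; and it scans ASA `debug crypto isakmp` output for the pattern in the quoted log, main-mode message 1 sent and resent with nothing received before the initiator FSM times out in `MM_WAIT_MSG2`. The config and log text embedded in the script are constructed from the quoted post, the IOS default values used for attributes a policy block omits (des, sha, rsa-sig, group 1, lifetime 86400) are the documented IOS defaults, and all function names are mine.

```python
import re

# Constructed input: the Phase 1 policies quoted in the thread (IOS side, then ASA side).
ROUTER_CONFIG = """\
crypto isakmp policy 9
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""
ASA_CONFIG = """\
crypto isakmp policy 9
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
# Constructed excerpt of the ASA "debug crypto isakmp" output quoted in the thread, one entry per line.
SAMPLE_LOG = """\
Jul 23 13:19:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 23 13:19:18 [IKEv1]: IP = ip_vlan1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:26 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:34 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:42 [IKEv1]: IP = ip_vlan1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jul 23 13:19:50 [IKEv1 DEBUG]: IP = ip_vlan1, IKE MM Initiator FSM error history (struct &0xd9f58d80) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 23 13:19:50 [IKEv1 DEBUG]: IP = ip_vlan1, IKE SA MM:9dfe6a35 terminating: flags 0x01000022, refcnt 0, tuncnt 0
"""

# IOS defaults for attributes a policy block leaves unset (the quoted ASA blocks set all of them).
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
ATTRS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
         "authentication": "authentication", "group": "group", "lifetime": "lifetime"}
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
# Lifetime is negotiated down to the lower value, so only these four must agree exactly.
MATCH_ATTRS = ("encryption", "hash", "authentication", "group")

def _norm(attr, value):
    """Canonical spelling so 'encr aes 256' (IOS) and 'encryption aes-256' (ASA) compare equal."""
    value = value.strip().lower()
    if attr == "encryption":
        return value.replace(" ", "").replace("-", "")
    return "sha" if attr == "hash" and value == "sha1" else value

def parse_isakmp_policies(text):
    """Map policy number -> attribute dict, filling unset attributes with the IOS defaults."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = dict(DEFAULTS)
            policies[int(m.group(1))] = current
        elif line == "!":
            current = None  # '!' closes the block in a running-config
        elif current is not None and line:
            key, _, value = line.partition(" ")
            if key in ATTRS:
                current[ATTRS[key]] = _norm(ATTRS[key], value)
    return policies

def policy_differences(local, remote):
    """For every (local, remote) policy pair, the attributes that differ; an empty list means compatible."""
    return {(ln, rn): [a for a in MATCH_ATTRS if lp[a] != rp[a]]
            for ln, lp in sorted(local.items()) for rn, rp in sorted(remote.items())}

PEER_RE = re.compile(r"IP = ([^,]+),")

def analyze_ikev1_log(text):
    """Per peer: count main-mode message-1 sends/resends and received IKE messages, and record
    whether the initiator FSM error history shows a timeout while waiting for MSG2."""
    peers = {}
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue  # 'Pitcher' lines carry no peer address
        p = peers.setdefault(m.group(1), {"sent": 0, "resent": 0, "received": 0, "msg2_timeout": False})
        if "IKE_DECODE SENDING Message (msgid=0)" in line:
            p["sent"] += 1
        elif "IKE_DECODE RESENDING Message (msgid=0)" in line:
            p["resent"] += 1
        elif "IKE_DECODE RECEIVED Message" in line:
            p["received"] += 1
        elif "FSM error history" in line and "EV_TIMEOUT-->MM_WAIT_MSG2" in line:
            p["msg2_timeout"] = True
    return peers

def diagnose(peers):
    """'no_reply_to_msg1': our first main-mode packet was retransmitted and never answered at all."""
    out = {}
    for peer, s in peers.items():
        if s["msg2_timeout"] and s["received"] == 0:
            out[peer] = "no_reply_to_msg1"
        elif s["msg2_timeout"]:
            out[peer] = "msg2_timeout_after_traffic"
        else:
            out[peer] = "ok"
    return out

if __name__ == "__main__":
    router, asa = parse_isakmp_policies(ROUTER_CONFIG), parse_isakmp_policies(ASA_CONFIG)
    for (ln, rn), diff in policy_differences(router, asa).items():
        print("router policy %d vs ASA policy %d: %s" % (ln, rn, "match" if not diff else "differs in " + ", ".join(diff)))
    stats = analyze_ikev1_log(SAMPLE_LOG)
    for peer, verdict in diagnose(stats).items():
        print("peer %s: %s (sent %d, resent %d, received %d)" % (peer, verdict, stats[peer]["sent"], stats[peer]["resent"], stats[peer]["received"]))
```

Run on the thread's own snippets, the policy check reports that router policy 9 and ASA policy 9 match while the policy 10 pair differs in hash (md5 on the router, sha on the ASA), so a proposal does exist that both sides accept; the log check labels the peer `no_reply_to_msg1`, because the ASA sent its first main-mode packet, retransmitted it three times and received nothing before the FSM gave up. Silence of that kind is worth separating from a proposal mismatch when triaging: a responder that received the packet but rejected the proposal typically logs or notifies the initiator, so no reply at all points first at whether UDP 500 (and 4500 with NAT-T) actually reaches the configured peer address.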
