
IPv6IP tunnel failure on Cisco ISR4431

I am having trouble troubleshooting an IPv6IP tunnel that will not come up. I enabled ISAKMP, IPSEC and Crypto Engine debugging and see the following problems:

*Oct  4 04:00:10.356: ISAKMP (0): received packet from 10.167.224.4 dport 500 sport 500 Global (N) NEW SA
*Oct  4 04:00:10.356: ISAKMP: Created a peer struct for 10.167.224.4, peer port 500
*Oct  4 04:00:10.356: ISAKMP: New peer created peer = 0x7FF22535E020 peer_handle = 0x80000178
*Oct  4 04:00:10.356: ISAKMP: Locking peer struct 0x7FF22535E020, refcount 1 for crypto_isakmp_process_block
*Oct  4 04:00:10.356: ISAKMP: local port 500, remote port 500
*Oct  4 04:00:10.356: crypto_engine_select_crypto_engine: can't handle any more
*Oct  4 04:00:10.356: ISAKMP:(0):insert sa successfully sa = 7FF22540FAB0
*Oct  4 04:00:10.356: ISAKMP:(0): processing SA payload. message ID = 0
*Oct  4 04:00:10.356: ISAKMP:(0): processing ID payload. message ID = 0
*Oct  4 04:00:10.356: ISAKMP (0): ID payload
        next-payload : 13
        type         : 2
        FQDN name    : SSN001350fffe1232d0
        protocol     : 17
        port         : 500
        length       : 27
*Oct  4 04:00:10.356: ISAKMP:(0):: peer matches *none* of the profiles
*Oct  4 04:00:10.357: ISAKMP:(0): processing vendor id payload
*Oct  4 04:00:10.357: ISAKMP:(0): vendor ID is DPD
*Oct  4 04:00:10.357: ISAKMP:(0):Looking for a matching key for SSN001350fffe1232d0 in default
*Oct  4 04:00:10.357: ISAKMP:(0): local preshared key found
*Oct  4 04:00:10.357: ISAKMP : Scanning profiles for xauth ...
*Oct  4 04:00:10.357: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct  4 04:00:10.357: ISAKMP:      encryption 3DES-CBC
*Oct  4 04:00:10.357: ISAKMP:      hash SHA
*Oct  4 04:00:10.357: ISAKMP:      auth pre-share
*Oct  4 04:00:10.357: ISAKMP:      default group 2
*Oct  4 04:00:10.357: ISAKMP:      life type in seconds
*Oct  4 04:00:10.357: ISAKMP:      life duration (VPI) of  0xFF 0xFF 0xFF 0xFF
*Oct  4 04:00:10.357: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  4 04:00:10.357: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  4 04:00:10.357: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct  4 04:00:10.357: ISAKMP:      encryption 3DES-CBC
*Oct  4 04:00:10.357: ISAKMP:      hash SHA
*Oct  4 04:00:10.357: ISAKMP:      auth pre-share
*Oct  4 04:00:10.357: ISAKMP:      default group 2
*Oct  4 04:00:10.357: ISAKMP:      life type in seconds
*Oct  4 04:00:10.357: ISAKMP:      life duration (VPI) of  0xFF 0xFF 0xFF 0xFF
*Oct  4 04:00:10.357: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  4 04:00:10.357: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  4 04:00:10.357: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
*Oct  4 04:00:10.357: ISAKMP:      encryption 3DES-CBC
*Oct  4 04:00:10.357: ISAKMP:      hash SHA
*Oct  4 04:00:10.357: ISAKMP:      auth pre-share
*Oct  4 04:00:10.357: ISAKMP:      default group 2
*Oct  4 04:00:10.357: ISAKMP:      life type in seconds
*Oct  4 04:00:10.357: ISAKMP:      life duration (VPI) of  0xFF 0xFF 0xFF 0xFF
*Oct  4 04:00:10.357: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct  4 04:00:10.357: ISAKMP:(0):Acceptable atts:actual life: 86400
*Oct  4 04:00:10.357: ISAKMP:(0):Acceptable atts:life: 0
*Oct  4 04:00:10.357: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct  4 04:00:10.357: ISAKMP:(0):Fill atts in sa life_in_seconds:4294967295
*Oct  4 04:00:10.357: ISAKMP:(0):Returning Actual lifetime: 86400
*Oct  4 04:00:10.357: ISAKMP:(0)::Started lifetime timer: 86400.

*Oct  4 04:00:10.357: crypto_engine_select_crypto_engine: can't handle any more
*Oct  4 04:00:10.357: ISAKMP:(0): processing KE payload. message ID = 0
*Oct  4 04:00:10.357: crypto_engine: Create DH shared secret
*Oct  4 04:00:10.359: ISAKMP:(0): processing NONCE payload. message ID = 0
*Oct  4 04:00:10.359: ISAKMP:(0):Looking for a matching key for SSN001350fffe1232d0 in default
*Oct  4 04:00:10.359: crypto_engine: Create IKE SA
*Oct  4 04:00:10.359: crypto engine: deleting DH phase 2 SW:312
*Oct  4 04:00:10.359: crypto_engine: Delete DH shared secret
*Oct  4 04:00:10.362: ISAKMP:(1282): processing vendor id payload
*Oct  4 04:00:10.362: ISAKMP:(1282): vendor ID is DPD
*Oct  4 04:00:10.362: ISAKMP:(1282):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Oct  4 04:00:10.362: ISAKMP (1282): ID payload
        next-payload : 10
        type         : 1
        address      : 10.18.192.100
        protocol     : 0
        port         : 0
        length       : 12
*Oct  4 04:00:10.362: ISAKMP:(1282):Total payload length: 12
*Oct  4 04:00:10.362: crypto_engine: Generate IKE hash
*Oct  4 04:00:10.362: ISAKMP:(1282): sending packet to 10.167.224.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Oct  4 04:00:10.362: ISAKMP:(1282):Sending an IKE IPv4 Packet.
*Oct  4 04:00:10.362: ISAKMP:(1282):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct  4 04:00:10.362: ISAKMP:(1282):Old State = IKE_READY  New State = IKE_R_AM2

*Oct  4 04:00:20.362: ISAKMP:(1282): retransmitting phase 1 AG_INIT_EXCH...
*Oct  4 04:00:20.362: ISAKMP (1282): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct  4 04:00:20.362: ISAKMP:(1282): retransmitting phase 1 AG_INIT_EXCH
*Oct  4 04:00:20.362: ISAKMP:(1282): sending packet to 10.167.224.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Oct  4 04:00:20.362: ISAKMP:(1282):Sending an IKE IPv4 Packet.
*Oct  4 04:00:25.352: ISAKMP (1282): received packet from 10.167.224.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Oct  4 04:00:25.352: ISAKMP:(1282): phase 1 packet is a duplicate of a previous packet.
*Oct  4 04:00:25.352: ISAKMP:(1282): retransmitting due to retransmit phase 1
*Oct  4 04:00:25.852: ISAKMP:(1282): retransmitting phase 1 AG_INIT_EXCH...
*Oct  4 04:00:25.853: ISAKMP (1282): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct  4 04:00:25.853: ISAKMP:(1282): retransmitting phase 1 AG_INIT_EXCH
*Oct  4 04:00:25.853: ISAKMP:(1282): sending packet to 10.167.224.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Oct  4 04:00:25.853: ISAKMP:(1282):Sending an IKE IPv4 Packet.
*Oct  4 04:00:35.853: ISAKMP:(1282): retransmitting phase 1 AG_INIT_EXCH...
*Oct  4 04:00:35.853: ISAKMP (1282): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Oct  4 04:00:35.853: ISAKMP:(1282): retransmitting phase 1 AG_INIT_EXCH
*Oct  4 04:00:35.853: ISAKMP:(1282): sending packet to 10.167.224.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Oct  4 04:00:35.853: ISAKMP:(1282):Sending an IKE IPv4 Packet.
*Oct  4 04:00:45.853: ISAKMP:(1282): retransmitting phase 1 AG_INIT_EXCH...
*Oct  4 04:00:45.853: ISAKMP (1282): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct  4 04:00:45.853: ISAKMP:(1282): retransmitting phase 1 AG_INIT_EXCH
*Oct  4 04:00:45.853: ISAKMP:(1282): sending packet to 10.167.224.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Oct  4 04:00:45.853: ISAKMP:(1282):Sending an IKE IPv4 Packet.
*Oct  4 04:00:55.355: ISAKMP (1282): received packet from 10.167.224.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Oct  4 04:00:55.355: ISAKMP:(1282): phase 1 packet is a duplicate of a previous packet.
*Oct  4 04:00:55.355: ISAKMP:(1282): retransmitting due to retransmit phase 1
*Oct  4 04:00:55.855: ISAKMP:(1282): retransmitting phase 1 AG_INIT_EXCH...
*Oct  4 04:00:55.855: ISAKMP (1282): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Oct  4 04:00:55.855: ISAKMP:(1282): retransmitting phase 1 AG_INIT_EXCH
*Oct  4 04:00:55.855: ISAKMP:(1282): sending packet to 10.167.224.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Oct  4 04:00:55.855: ISAKMP:(1282):Sending an IKE IPv4 Packet.
*Oct  4 04:01:05.855: ISAKMP:(1282): retransmitting phase 1 AG_INIT_EXCH...
*Oct  4 04:01:05.855: ISAKMP:(1282):peer does not do paranoid keepalives.

*Oct  4 04:01:05.855: ISAKMP:(1282):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 10.167.224.4)
*Oct  4 04:01:05.855: ISAKMP:(1282):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 10.167.224.4)
*Oct  4 04:01:05.855: ISAKMP:(1282):Deleting the unauthenticated sa
*Oct  4 04:01:05.855: ISAKMP:(1282):Unlocking peer struct 0x7FF22535E020 for isadb_mark_sa_deleted(), count 0
*Oct  4 04:01:05.855: ISAKMP:(1282):Deleting the peer struct for unauthenticated sa
*Oct  4 04:01:05.855: ISAKMP: Deleting peer node by peer_reap for 10.167.224.4: 7FF22535E020
*Oct  4 04:01:05.861: crypto engine: deleting IKE SA SW:282
*Oct  4 04:01:05.861: crypto_engine: Delete IKE SA
*Oct  4 04:01:05.861: ISAKMP:(1282):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct  4 04:01:05.861: ISAKMP:(1282):Old State = IKE_R_AM2  New State = IKE_DEST_SA

As far as I understand the debug output, I can see the router trying to bring up the tunnel, but it lost the connection and cannot receive / confirm the pre-shared key from the client side. Something like that, I think.

We would be grateful for any advice on further troubleshooting or recommendations.

Thanks!
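
Added example (not part of the original post): a small Python triage script that condenses ISAKMP debug output like the one above into the policy priorities that were rejected or accepted, the phase 1 state transitions, the retransmit count and the SA deletion reason. The function name `summarize` and the shortened sample are assumptions made for this illustration.

```python
import re

# Constructed sample: a shortened excerpt of the debug output in the post above.
SAMPLE = """\
*Oct  4 04:00:10.357: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct  4 04:00:10.357: ISAKMP:      encryption 3DES-CBC
*Oct  4 04:00:10.357: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  4 04:00:10.357: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  4 04:00:10.357: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
*Oct  4 04:00:10.357: ISAKMP:      encryption 3DES-CBC
*Oct  4 04:00:10.357: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct  4 04:00:10.362: ISAKMP:(1282):Old State = IKE_READY  New State = IKE_R_AM2
*Oct  4 04:00:20.362: ISAKMP (1282): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct  4 04:00:25.352: ISAKMP:(1282): phase 1 packet is a duplicate of a previous packet.
*Oct  4 04:00:25.853: ISAKMP (1282): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct  4 04:01:05.855: ISAKMP:(1282):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 10.167.224.4)
*Oct  4 04:01:05.861: ISAKMP:(1282):Old State = IKE_R_AM2  New State = IKE_DEST_SA
"""

PRIO = re.compile(r"against priority (\d+) policy")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+)")
STATE = re.compile(r"New State = (\S+)")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \S+ (\S+)\s+\(peer ([\d.]+)\)')

def summarize(debug_text):
    """Reduce an ISAKMP phase 1 debug trace to the facts needed for triage."""
    s = {"rejected": [], "accepted": None, "states": [], "retransmits": 0,
         "peer_duplicates": 0, "deleted": None}
    prio = None  # policy priority currently being compared with the peer's offer
    for line in debug_text.splitlines():
        if m := PRIO.search(line):
            prio = int(m.group(1))
        elif "atts are not acceptable" in line:
            s["rejected"].append(prio)
        elif "atts are acceptable" in line:
            s["accepted"] = prio
        elif m := ATTEMPT.search(line):
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
        elif "duplicate of a previous packet" in line:
            s["peer_duplicates"] += 1  # peer re-sent its first message
        elif m := STATE.search(line):
            s["states"].append(m.group(1))
        elif m := DELETE.search(line):
            s["deleted"] = {"reason": m.group(1), "exchange": m.group(2), "peer": m.group(3)}
    return s

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
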