LINUX.ORG.RU

Site-to-Site VPN Cisco2921-Openswan

 , , ,


0

1

Помогите понять почему не подымается туннель между Cisco2921 и Openswan Centos.

Настройки на Cisco:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp key 12345 address 10.10.10.10

ip access-list extended SitesVPN
 permit ip any host 87.240.129.72
 permit ip any host 18.196.37.30

crypto ipsec transform-set centos esp-3des esp-sha-hmac

crypto map centosipsec 10 ipsec-isakmp 
 set peer 10.10.10.10
 set transform-set centos 
 match address SitesVPN

interface GigabitEthernet0/1
 ip address 192.168.10.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map centosipsec

Конфиги Openswan

ipsec.conf

version 2

config setup
        protostack=auto
        logfile=/var/log/pluto.log
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        fragicmp=yes
        oe=off
include /etc/ipsec.d/*.conf

office.conf:

conn nullgr
        left=10.10.10.10
        leftsubnet=192.168.1.10/32
        rightsubnet=172.16.100.0/24
        right=192.168.10.10
        authby=secret
        keyexchange=ike
        type=tunnel
        auto=start
        priority=1
        pfs=no
        ikev2=permit
        ike=3des-sha1-modp1024

ipsec.secret:

10.10.10.10 192.168.10.10: PSK "12345"

Ipsec на Centos запускается без ошибок.

На Cisco:

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.10.10   10.10.10.10    QM_IDLE           1212 ACTIVE

Но доступа к адресам vk и yandex нету.

В логах Cisco постоянно такое:

006586: Apr  4 09:50:01.171: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
006587: Apr  4 09:50:01.171: ISAKMP:      life type in seconds
006588: Apr  4 09:50:01.171: ISAKMP:      life duration (basic) of 3600
006589: Apr  4 09:50:01.171: ISAKMP:      encryption 3DES-CBC
006590: Apr  4 09:50:01.171: ISAKMP:      hash MD5
006591: Apr  4 09:50:01.171: ISAKMP:      auth pre-share
006592: Apr  4 09:50:01.171: ISAKMP:      default group 14
006593: Apr  4 09:50:01.171: ISAKMP:(0):Hash algorithm offered does not match policy!
006594: Apr  4 09:50:01.171: ISAKMP:(0):atts are not acceptable. Next payload is 3
006595: Apr  4 09:50:01.171: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
006596: Apr  4 09:50:01.171: ISAKMP:      life type in seconds
006597: Apr  4 09:50:01.171: ISAKMP:      life duration (basic) of 3600
006598: Apr  4 09:50:01.171: ISAKMP:      encryption 3DES-CBC
006599: Apr  4 09:50:01.171: ISAKMP:      hash MD5
006600: Apr  4 09:50:01.171: ISAKMP:      auth pre-share
006601: Apr  4 09:50:01.171: ISAKMP:      default group 5
006602: Apr  4 09:50:01.171: ISAKMP:(0):Hash algorithm offered does not match policy!
006603: Apr  4 09:50:01.171: ISAKMP:(0):atts are not acceptable. Next payload is 0
006604: Apr  4 09:50:01.171: ISAKMP:(0):Checking ISAKMP transform 0 against priority 2 policy
006605: Apr  4 09:50:01.171: ISAKMP:      life type in seconds
006606: Apr  4 09:50:01.171: ISAKMP:      life duration (basic) of 3600
006607: Apr  4 09:50:01.171: ISAKMP:      encryption 3DES-CBC
006608: Apr  4 09:50:01.171: ISAKMP:      hash MD5
006609: Apr  4 09:50:01.171: ISAKMP:      auth pre-share
006610: Apr  4 09:50:01.171: ISAKMP:      default group 14
006611: Apr  4 09:50:01.171: ISAKMP:(0):Encryption algorithm offered does not match policy!
006612: Apr  4 09:50:01.171: ISAKMP:(0):atts are not acceptable. Next payload is 3
006613: Apr  4 09:50:01.171: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
006614: Apr  4 09:50:01.171: ISAKMP:      life type in seconds
006615: Apr  4 09:50:01.171: ISAKMP:      life duration (basic) of 3600
006616: Apr  4 09:50:01.171: ISAKMP:      encryption 3DES-CBC
006617: Apr  4 09:50:01.171: ISAKMP:      hash MD5
006618: Apr  4 09:50:01.171: ISAKMP:      auth pre-share
006619: Apr  4 09:50:01.171: ISAKMP:      default group 5
006620: Apr  4 09:50:01.171: ISAKMP:(0):Encryption algorithm offered does not match policy!
perrfect ()

в логах openswan такое:

 #5: max number of retransmissions (8) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKEv1 message
perrfect ()
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.