[ sveti sava @ 03.06.2011. 14:20 ] @
Has anyone dealt with this issue? The tunnel is configured on both sides and everything works except for one small detail. The only problem is that the tunnel itself has to be initiated by the ASA (or a host from its internal network); then everything works as it should (NAT exclusions are set up on the ASA and on the Mikrotik etc., everything runs fine). If the Mikrotik is the initiator, the tunnel will not come up: the ASA rejects the Mikrotik's proposal, and it does so in IKE phase 2 of the process. The transform sets are identical, the isakmp policy is the same etc.; as I said, everything works as it should if the ASA initiates the tunnel.

Log from the ASA:

Jun 03 14:02:03 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, QM FSM error (P2 struct &0xd84b7828, mess id 0xd7b18460)!
Jun 03 14:02:03 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, Removing peer from correlator table failed, no match!
Jun 03 14:02:03 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, Session is being torn down. Reason: Phase 2 Mismatch

I googled, read, and in the end saw that others have the same problem too. Has anyone managed to solve this?

Thanks and regards,
Milos

EDIT: here is a bit of heavy debug :-)

...
Jun 03 15:22:39 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, PHASE 1 COMPLETED
...
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing hash payload
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing SA payload
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing nonce payload
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing ke payload
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing ISA_KE for PFS in phase 2
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing ID payload
Jun 03 15:22:40 [IKEv1 DECODE]: Group = 192.168.190.115, IP = 192.168.190.115, ID_IPV4_ADDR_SUBNET ID received--192.168.88.0--255.255.255.0
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.88.0, Mask 255.255.255.0, Protocol 0, Port 0
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing ID payload
Jun 03 15:22:40 [IKEv1 DECODE]: Group = 192.168.190.115, IP = 192.168.190.115, ID_IPV4_ADDR_SUBNET ID received--192.168.87.0--255.255.255.0
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, Received local IP Proxy Subnet data in ID Payload: Address 192.168.87.0, Mask 255.255.255.0, Protocol 0, Port 0
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, QM IsRekeyed old sa not found by addr
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, Static Crypto Map check, checking map = mapa, seq = 10...
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, Static Crypto Map check, map mapa, seq = 10 is a successful match
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, IKE Remote Peer configured for crypto map: mapa
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing IPSec SA payload
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, All IPSec SA proposals found unacceptable!
...

[This message was edited by sveti sava on 03.06.2011. at 15:50 GMT+1]
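
Added example, not part of the original post: a small Python triage script that reads ASA IKEv1 debug lines like the ones above and reports what the peer offered in Quick Mode (PFS key exchange, proxy subnets) and whether the rejection came before or after a crypto map entry matched. The function names `summarize_qm` and `failing_stage` and the stage labels are made up for this illustration; the sample input reuses five message texts from the debug above.

```python
import re

# Sample input: five message texts from the ASA debug quoted in the post,
# rebuilt with a shared prefix to keep the lines short.
P = "Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, "
SAMPLE = "\n".join([
    P.replace("[IKEv1]", "[IKEv1 DEBUG]") + "processing ISA_KE for PFS in phase 2",
    P + "Received remote IP Proxy Subnet data in ID Payload: Address 192.168.88.0, Mask 255.255.255.0, Protocol 0, Port 0",
    P + "Received local IP Proxy Subnet data in ID Payload: Address 192.168.87.0, Mask 255.255.255.0, Protocol 0, Port 0",
    P + "Static Crypto Map check, map mapa, seq = 10 is a successful match",
    P + "All IPSec SA proposals found unacceptable!",
])

PROXY = re.compile(r"Received (remote|local) IP Proxy Subnet data in ID Payload:\s+"
                   r"Address ([\d.]+), Mask ([\d.]+),")
MAP = re.compile(r"Static Crypto Map check, map (\w+), seq = (\d+) is a successful match")

def summarize_qm(log_text):
    """Collect what the initiator offered in Quick Mode and how far the ASA got."""
    s = {"pfs": False, "remote": None, "local": None, "map": None, "rejected": False}
    for line in log_text.splitlines():
        if "processing ISA_KE for PFS in phase 2" in line:
            s["pfs"] = True                      # initiator sent a KE payload (PFS requested)
        m = PROXY.search(line)
        if m:
            s[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        m = MAP.search(line)
        if m:
            s["map"] = (m.group(1), int(m.group(2)))
        if "All IPSec SA proposals found unacceptable" in line:
            s["rejected"] = True
    return s

def failing_stage(s):
    """Label where the exchange stopped (labels are this example's own)."""
    if not s["rejected"]:
        return "no-rejection-seen"
    if s["map"] is None:
        return "crypto-map-selection"   # no entry matched the peer / proxy subnets
    # An entry matched, so the refusal concerns the offered IPsec SA
    # attributes rather than the proxy subnets.
    return "ipsec-proposal"

if __name__ == "__main__":
    summary = summarize_qm(SAMPLE)
    print(summary, failing_stage(summary))
```

For the debug in the post this points at the IPsec SA proposal itself: compare what the Mikrotik offers as initiator (including its PFS setting) with what crypto map `mapa` seq 10 accepts.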