IPsec tunel: Cisco ASA <-> Mikrotik
Da li se neko bavio ovom problematikom. Tunel je konfigurisan na obe strane i sve radi osim jedne sitnice. Jedini je problem sto sam tunel mora ASA (ili host iz njene interne mreze) da inicira ( i tada sve radi kako treba, NAT exclusioni namesteni na ASI i mikrotiku itd., sve sljaka kako treba), jer ako je inicijator Mikrotik, tunel se nece podici, ASA odbija Mikrotikovu ponudu i to u IKE fazi 2 samog procesa. Transform setovi identicni, isakmp policy isti itd, kao sto rekoh sve radi kako treba ako ASA inicira tunel.
Log sa ASE:
Jun 03 14:02:03 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, QM FSM error (P2 struct &0xd84b7828, mess id 0xd7b18460)!
Jun 03 14:02:03 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, Removing peer from correlator table failed, no match!
Jun 03 14:02:03 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, Session is being torn down. Reason: Phase 2 Mismatch
Guglao, citao i na kraju videh da drugi takodje imaju isti problem. Jel neko uspeo ovo da resi?
Hvala i pozdrav,
Milos
EDIT:
evo malo teskog debug-a :-)
...
Jun 03 15:22:39 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, PHASE 1 COMPLETED
...
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing hash payload
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing SA payload
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing nonce payload
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing ke payload
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing ISA_KE for PFS in phase 2
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing ID payload
Jun 03 15:22:40 [IKEv1 DECODE]: Group = 192.168.190.115, IP = 192.168.190.115, ID_IPV4_ADDR_SUBNET ID received--192.168.88.0--255.255.255.0
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.88.0, Mask 255.255.255.0, Protocol 0, Port 0
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing ID payload
Jun 03 15:22:40 [IKEv1 DECODE]: Group = 192.168.190.115, IP = 192.168.190.115, ID_IPV4_ADDR_SUBNET ID received--192.168.87.0--255.255.255.0
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, Received local IP Proxy Subnet data in ID Payload: Address 192.168.87.0, Mask 255.255.255.0, Protocol 0, Port 0
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, QM IsRekeyed old sa not found by addr
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, Static Crypto Map check, checking map = mapa, seq = 10...
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, Static Crypto Map check, map mapa, seq = 10 is a successful match
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, IKE Remote Peer configured for crypto map: mapa
Jun 03 15:22:40 [IKEv1 DEBUG]: Group = 192.168.190.115, IP = 192.168.190.115, processing IPSec SA payload
Jun 03 15:22:40 [IKEv1]: Group = 192.168.190.115, IP = 192.168.190.115, All IPSec SA proposals found unacceptable!
...
[Ovu poruku je menjao sveti sava dana 03.06.2011. u 15:50 GMT+1]
 |  |
 |
