IPsec VPN between Cisco IOS and Checkpoint fails one way

network-engineering cisco ipsec acl checkpoint
2022-02-17 23:59:26

I am trying to bring up a VPN between us and a customer. The customer has a Checkpoint FW (not sure which version) and I have a 2811.

Symptoms: the tunnel (session) comes up and I can ping across, but the other side cannot communicate with me; I don't even see packets coming in. When I turn on crypto debugging, however, I get a lot of errors:

ISAKMP (0:16559): received packet from 2.1.64.189 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node -1881551979 to QM_IDLE
crypto_engine: Decrypt IKE packet
crypto_engine: Generate IKE hash
ISAKMP:(16559): processing HASH payload. message ID = -1881551979
ISAKMP:(16559): processing SA payload. message ID = -1881551979
ISAKMP:(16559):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      group is 2
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:(16559):atts are acceptable.
IPSEC(ipsec_process_proposal): peer address 2.1.64.189 not found
ISAKMP:(16559): IPSec policy invalidated proposal with error 64
ISAKMP:(16559): phase 2 SA policy not acceptable! (local 1.2.226.74 remote 2.1.64.189)
ISAKMP: set new node -1932908402 to QM_IDLE
crypto_engine: Generate IKE hash
ISAKMP:(16559):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 120039592, message ID = -1932908402
crypto_engine: Encrypt IKE packet
ISAKMP:(16559): sending packet to 2.1.64.189 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(16559):Sending an IKE IPv4 Packet.
ISAKMP:(16559):purging node -1932908402
ISAKMP:(16559):deleting node -1881551979 error TRUE reason "QM rejected"
ISAKMP:(16559):Node -1881551979, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(16559):Old State = IKE_QM_READY  New State = IKE_QM_READY

We tried different encryption and hash algorithms in phase 2, as well as PFS/no PFS and other DH groups, but got the same error.

The relevant part of my config:

crypto isakmp policy 4
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ........... address 2.1.64.189
crypto ipsec transform-set C1 esp-3des esp-md5-hmac
crypto map grvpn 4 ipsec-isakmp
 set peer 2.1.64.189
 set transform-set C1
 set pfs group2
 match address C1
ip access-list extended C1
 permit ip 172.30.130.0 0.0.0.255 192.168.33.160 0.0.0.7
 permit ip 192.168.33.160 0.0.0.7 172.30.130.0 0.0.0.255
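As an added editorial example (not part of the original post), the following script reads the `debug crypto isakmp` output quoted above, decodes the peer's Quick Mode proposal, compares it with the configured transform set and PFS group, and then points at the stage where IOS rejected the proposal. The debug excerpt is constructed from the lines in the post; the IOS-to-debug name mappings cover only the algorithms that appear here.

```python
import re

# Constructed excerpt of the `debug crypto isakmp` output quoted in the post.
DEBUG_LOG = """\
ISAKMP:(16559): processing SA payload. message ID = -1881551979
ISAKMP:(16559):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:      group is 2
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:(16559):atts are acceptable.
IPSEC(ipsec_process_proposal): peer address 2.1.64.189 not found
ISAKMP:(16559): IPSec policy invalidated proposal with error 64
ISAKMP:(16559):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# What the crypto map in the post configures (transform-set C1, set pfs group2).
CONFIGURED = {"esp": "esp-3des", "auth": "esp-md5-hmac", "pfs_group": 2}
# Debug-output names -> IOS transform-set keywords (only the ones seen here).
ESP_NAMES = {"ESP_3DES": "esp-3des", "ESP_AES": "esp-aes"}
AUTH_NAMES = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}

def parse_phase2_proposal(log):
    """Pull the peer's Quick Mode proposal and the router's verdicts out of the debug text."""
    p = {}
    if m := re.search(r"transform \d+, (\S+)", log):
        p["esp"] = ESP_NAMES.get(m.group(1), m.group(1))
    if m := re.search(r"authenticator is (\S+)", log):
        p["auth"] = AUTH_NAMES.get(m.group(1), m.group(1))
    if m := re.search(r"group is (\d+)", log):
        p["pfs_group"] = int(m.group(1))
    if m := re.search(r"life duration \(VPI\) of\s+((?:0x[0-9A-Fa-f]+\s*)+)", log):
        # Lifetime is printed as big-endian bytes: 0x0 0x0 0xE 0x10 -> 3600 s.
        raw = bytes(int(b, 16) for b in m.group(1).split())
        p["lifetime_s"] = int.from_bytes(raw, "big")
    p["atts_acceptable"] = "atts are acceptable" in log
    p["peer_not_found"] = bool(re.search(r"peer address \S+ not found", log))
    p["proposal_not_chosen"] = "PROPOSAL_NOT_CHOSEN" in log
    return p

def classify_rejection(p, configured=CONFIGURED):
    """Name the Quick Mode stage that failed, based on the router's own verdicts."""
    mismatched = [k for k in ("esp", "auth", "pfs_group") if p.get(k) != configured[k]]
    if not p["atts_acceptable"] or mismatched:
        return "transform mismatch: " + ", ".join(mismatched or ["atts rejected"])
    if p["peer_not_found"] or p["proposal_not_chosen"]:
        return "proxy-id/crypto-map lookup failed after transforms were accepted"
    return "no rejection found"
```

On the post's debug output the transforms match the configured `esp-3des esp-md5-hmac` and PFS group 2, so the rejection is attributed to the crypto-map/proxy-ID lookup (`peer address ... not found`), not to the phase 2 algorithms the poster was varying.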
0 answers