Re: Eltex routers
Posted: 09 Apr 2020 14:11
Pyro_GI, show the object-group network settings for the VPN network.
telecommunications equipment manufacturer
http://forum.eltex-co.ru/
Garri wrote: And what does show security ipsec vpn status IPSEC_VPN1 output?
Code:
GW1# sh security ike proposal IKE_prop1
Description: --
Encryption algorithm: aes256
Diffie-Hellman group: 2
Authentication algorithm: sha1
Code:
GW1# sh security ipsec vpn status IPSEC_VPN1
Currently active IKE SA:
Name: IPSEC_VPN1
State: Established
Version: v1-only
Unique ID: 215
Local host: X.X.X.227
Remote host: Y.Y.Y.244
Role: Responder
Initiator spi: 0xf17a37b02b6af8bd
Responder spi: 0x35426279d7f61beb
Encryption algorithm: des
Authentication algorithm: sha1
Diffie-Hellman group: 2
Established: 16 minutes and 55 seconds ago
Rekey time: 16 minutes and 55 seconds
Reauthentication time: 2 hours, 26 minutes and 12 seconds
Child IPsec SAs:
Name: IPSEC_VPN1
State: Installed
Protocol: esp
Mode: Tunnel
Encryption algorithm: aes256
Authentication algorithm: sha1
Rekey time: 14 minutes and 40 seconds
Life time: 28 minutes and 54 seconds
Established: 31 minutes and 6 seconds ago
Traffic statistics:
Input bytes: 11200
Output bytes: 46021573
Input packets: 132
Output packets: 100143
-------------------------------------------------------------
Name: IPSEC_VPN1
State: Installed
Protocol: esp
Mode: Tunnel
Encryption algorithm: aes256
Authentication algorithm: sha1
Rekey time: 7 minutes and 39 seconds
Life time: 21 minutes and 33 seconds
Established: 38 minutes and 27 seconds ago
Traffic statistics:
Input bytes: 613007
Output bytes: 59453490
Input packets: 1186
Output packets: 54556
-------------------------------------------------------------
Name: IPSEC_VPN1
State: Installed
Protocol: esp
Mode: Tunnel
Encryption algorithm: aes256
Authentication algorithm: sha1
Rekey time: 4 minutes and 17 seconds
Life time: 19 minutes and 9 seconds
Established: 40 minutes and 51 seconds ago
Traffic statistics:
Input bytes: 67572
Output bytes: 4170902
Input packets: 815
Output packets: 7064
-------------------------------------------------------------
Name: IPSEC_VPN1
State: Invalid
Protocol: esp
Mode: Tunnel
Encryption algorithm: aes256
Authentication algorithm: sha1
Rekey time: 49710 days, 6 hours, 24 minutes and 9 seconds
Life time: 13 minutes and 32 seconds
Established: 46 minutes and 28 seconds ago
Traffic statistics:
Input bytes: 15910055
Output bytes: 18007040
Input packets: 87500
Output packets: 27241
-------------------------------------------------------------
Name: IPSEC_VPN1
State: Installed
Protocol: esp
Mode: Tunnel
Encryption algorithm: aes256
Authentication algorithm: sha1
Rekey time: 28 minutes and 44 seconds
Life time: 45 minutes and 58 seconds
Established: 14 minutes and 2 seconds ago
Traffic statistics:
Input bytes: 8895623
Output bytes: 43007297
Input packets: 18501
Output packets: 58725
-------------------------------------------------------------
Garri wrote: Pyro_GI, show the object-group network settings for the VPN network.
Code:
object-group network USR_subnet
ip prefix 2.2.2.0/24
exit
Code:
ip route 2.2.2.0/24 tunnel vti 1
Code:
X.X.X.227 Y.Y.Y.244 1.1.1.0/24 2.2.2.0/24 Pre-shared key Established
Garri wrote: If Site-to-Site is configured, is there also an ESR on the other side?
Code:
2020-04-13 17:13:46 user.notice X.X.X.1 <2> 2020-04-13T17:13:46+03:00 %SYSTEM-C-KERNEL: [20440.860000] saesoc_add_frags:1105, Error - Fragments overflow max 18 cur 18 more 2
2020-04-13 17:13:46 user.notice X.X.X.1 <2> 2020-04-13T17:13:46+03:00 %SYSTEM-C-KERNEL: [20440.868000] saesoc_add_frags:1105, Error - Fragments overflow max 18 cur 18 more 2
2020-04-13 17:13:46 user.notice X.X.X.1 <2> 2020-04-13T17:13:46+03:00 %SYSTEM-C-KERNEL: [20441.016000] saesoc_add_frags:1105, Error - Fragments overflow max 18 cur 18 more 2
2020-04-13 17:13:47 user.notice X.X.X.1 <2> 2020-04-13T17:13:47+03:00 %SYSTEM-C-KERNEL: [20441.420000] saesoc_add_frags:1105, Error - Fragments overflow max 18 cur 18 more 2
2020-04-13 17:14:06 user.notice X.X.X.1 <2> 2020-04-13T17:14:06+03:00 %SYSTEM-C-KERNEL: [20460.184000] saesoc_add_frags:1105, Error - Fragments overflow max 18 cur 18 more 2
2020-04-13 17:14:06 user.notice X.X.X.1 <2> 2020-04-13T17:14:06+03:00 %SYSTEM-C-KERNEL: [20460.192000] saesoc_add_frags:1105, Error - Fragments overflow max 18 cur 18 more 2
Garri wrote: Ask tech support through the website, I'm curious myself what they'll say.
Encryption algorithm: des - this bug is already known, it does not affect operation, and it will be fixed in upcoming software versions.
Garri wrote: What did they answer?
Code:
GW1# sh security ipsec vpn authentication IPSEC_VPN1
2020-04-20T12:25:21+03:00 <network_ip_stringize_prefix> ip prefix is invalid
2020-04-20T12:25:21+03:00 <network_ip_stringize_prefix> ip prefix is invalid
2020-04-20T12:25:21+03:00 <network_ip_stringize_prefix> ip prefix is invalid
2020-04-20T12:25:21+03:00 <network_ip_stringize_prefix> ip prefix is invalid
2020-04-20T12:25:21+03:00 <network_ip_stringize_prefix> ip prefix is invalid
2020-04-20T12:25:21+03:00 <network_ip_stringize_prefix> ip prefix is invalid
Local host Remote host Local subnet Remote subnet Authentication State
--------------- --------------- ------------------- ------------------- ----------------------------------------- -----------
X.X.X.227 Y.Y.Y.244 10.62.1.0/24 10.19.19.0/24 Pre-shared key Established
This command lets you view the list and parameters of the connected IPsec VPN clients. Despite the large number of networks, it will show only one connection.
alexander346 wrote: Good afternoon! There should be only one phase 2 per IKE phase.
Code:
Child IPsec SAs:
Name: IPSEC_VPN1
State: Installed
Protocol: esp
Mode: Tunnel
Encryption algorithm: aes256
Authentication algorithm: sha1
Rekey time: 14 minutes and 40 seconds
Life time: 28 minutes and 54 seconds
Established: 31 minutes and 6 seconds ago
Traffic statistics:
Input bytes: 11200
Output bytes: 46021573
Input packets: 132
Output packets: 100143
-------------------------------------------------------------
Name: IPSEC_VPN1
State: Installed
Protocol: esp
Mode: Tunnel
Encryption algorithm: aes256
Authentication algorithm: sha1
Rekey time: 7 minutes and 39 seconds
Life time: 21 minutes and 33 seconds
Established: 38 minutes and 27 seconds ago
Traffic statistics:
Input bytes: 613007
Output bytes: 59453490
Input packets: 1186
Output packets: 54556
-------------------------------------------------------------
Name: IPSEC_VPN1
State: Installed
Protocol: esp
Mode: Tunnel
Encryption algorithm: aes256
Authentication algorithm: sha1
Rekey time: 4 minutes and 17 seconds
Life time: 19 minutes and 9 seconds
Established: 40 minutes and 51 seconds ago
Traffic statistics:
Input bytes: 67572
Output bytes: 4170902
Input packets: 815
Output packets: 7064
Code:
GW1# sh security ipsec vpn authentication IPSEC_VPN1
2020-04-20T12:25:21+03:00 <network_ip_stringize_prefix> ip prefix is invalid
2020-04-20T12:25:21+03:00 <network_ip_stringize_prefix> ip prefix is invalid
2020-04-20T12:25:21+03:00 <network_ip_stringize_prefix> ip prefix is invalid
2020-04-20T12:25:21+03:00 <network_ip_stringize_prefix> ip prefix is invalid
2020-04-20T12:25:21+03:00 <network_ip_stringize_prefix> ip prefix is invalid
2020-04-20T12:25:21+03:00 <network_ip_stringize_prefix> ip prefix is invalid
Local host Remote host Local subnet Remote subnet Authentication State
--------------- --------------- ------------------- ------------------- ----------------------------------------- -----------
X.X.X.227 Y.Y.Y.244 10.62.1.0/24 10.19.19.0/24 Pre-shared key Established
alexander346 wrote: And SSH most likely drops because pfSense keeps re-establishing phase 2. There is no problem in the ESR software here.
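A check for the condition alexander346 points out, written as an added example that is not from the thread or from Eltex: it parses the "show security ipsec vpn status" output format pasted above (field layout assumed from that paste, sample input constructed) and flags more than one phase-2 SA under an IKE SA, child SAs not in Installed state, and the 49710-day rekey timer, which is about 2^32 seconds.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of the thread's "show security ipsec vpn status"
# output: three phase-2 SAs under one IKE SA, one of them Invalid.
SAMPLE = """\
Child IPsec SAs:
Name: IPSEC_VPN1
State: Installed
Rekey time: 14 minutes and 40 seconds
-------------------------------------------------------------
Name: IPSEC_VPN1
State: Invalid
Rekey time: 49710 days, 6 hours, 24 minutes and 9 seconds
-------------------------------------------------------------
Name: IPSEC_VPN1
State: Installed
Rekey time: 28 minutes and 44 seconds
"""
UNITS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}
MAX_SANE_REKEY = 30 * 86400  # a rekey more than a month out is not a real timer

def parse_duration(text):
    """'49710 days, 6 hours, 24 minutes and 9 seconds' -> 4294967049 seconds."""
    parts = re.findall(r"(\d+) (day|hour|minute|second)s?", text)
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_child_sas(output):
    """One dict per child SA, keyed by the 'Field: value' names in the output."""
    child_part = output.partition("Child IPsec SAs:")[2]   # skip the IKE SA header
    sas = []
    for block in child_part.split("-----"):                 # separator is all dashes
        fields = dict(re.findall(r"^([A-Za-z ]+): (.+)$", block, re.M))
        if "Name" in fields:
            sas.append(fields)
    return sas

def audit(output):
    """Report what the thread discusses: several phase-2 SAs under one IKE SA,
    SAs not Installed, and impossible rekey timers (49710 days is ~2**32 s)."""
    findings, per_name = [], defaultdict(int)
    for sa in parse_child_sas(output):
        per_name[sa["Name"]] += 1
        if sa.get("State") != "Installed":
            findings.append(f"{sa['Name']}: child SA in state {sa.get('State')}")
        if parse_duration(sa.get("Rekey time", "")) > MAX_SANE_REKEY:
            findings.append(f"{sa['Name']}: bogus rekey time '{sa['Rekey time']}'")
    for name, count in per_name.items():
        if count > 1:
            findings.append(f"{name}: {count} child SAs under one IKE SA (expected 1)")
    return findings
```

Fed the full output pasted earlier in the thread, it reports the five IPSEC_VPN1 child SAs, the Invalid one and its wrapped timer. Independently of that bug, the IKE proposal shown at the top of the thread (DH group 2, SHA-1) is below current guidance and is worth changing on both peers.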