OSzone.net computer forum (http://forum.oszone.net/index.php)
-   Networking (http://forum.oszone.net/forumdisplay.php?f=31)
-   -   [solved] 3 D-Link DI-804HV routers (http://forum.oszone.net/showthread.php?t=234800)

hosco 16-05-2012 21:07 1917256

3 D-Link DI-804HV routers
 
Attachments: 2
Hello.
The subject says it all. At first there were two of them (since there were two offices, A and B); then a new branch office C opened and a third one was needed. I did not configure the first two, but they worked. On one of the working ones (B) I added a second tunnel with settings identical to the working one, except for the addresses and keys. On the new router (C) I created a tunnel with settings matching the second tunnel on the working router.

Now the problems, in order.
1. The tunnel to the new office (between B and C) comes up, but only the router itself can be pinged; the computers on the LAN are not visible.
2. The previously working tunnel between A and B has dropped; it sits permanently in the Establishing state, and its settings were not changed.

Technical details.
The routers are D-Link DI-804HV. Firmware on all of them is V1.53RU.
In offices A and B the Internet connection is via PPPoE with public IP addresses issued. In office C there is a static IP, and Internet is shared to the LAN through NAT.

Telepuzik 17-05-2012 12:26 1917551

hosco,
What gets written to the logs while the tunnel is being brought up?

hosco 17-05-2012 13:42 1917607

Telepuzik, here is an excerpt from the logs in office A (the one that worked originally):

Monday November 14, 2011 08:25:45 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:46 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:46 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:47 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:47 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:48 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:48 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:49 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:49 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:50 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:50 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:51 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:51 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:52 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:53 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:54 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:55 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:56 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:57 IKED re-TX : QINIT to 91.197.78.146
Monday November 14, 2011 08:25:58 IKED re-TX : QINIT to 91.197.78.146

Also:
Thursday May 17, 2012 13:50:11 error = 14
Thursday May 17, 2012 13:50:11 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 13:50:11 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 13:50:11 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 13:50:12 Receive IKE Q1(QINIT) : [91.197.78.146]-->[91.204.178.84]
Thursday May 17, 2012 13:50:12 Requested routing is [192.168.3.0|91.197.78.146]<->[91.204.178.84|192.168.0.0]
Thursday May 17, 2012 13:50:12 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-3DES AUTH:MD5 HASH:Others PFS(Group):Group1
Thursday May 17, 2012 13:50:12 error = 14
Thursday May 17, 2012 13:50:12 Receive IKE Q1(QINIT) : [91.197.78.146]-->[91.204.178.84]
Thursday May 17, 2012 13:50:12 Requested routing is [192.168.3.0|91.197.78.146]<->[91.204.178.84|192.168.0.0]
Thursday May 17, 2012 13:50:12 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-3DES AUTH:MD5 HASH:Others PFS(Group):Group1
Thursday May 17, 2012 13:50:12 error = 14
Thursday May 17, 2012 13:50:12 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 13:50:12 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 13:50:13 Receive IKE Q1(QINIT) : [91.197.78.146]-->[91.204.178.84]
Thursday May 17, 2012 13:50:13 Requested routing is [192.168.3.0|91.197.78.146]<->[91.204.178.84|192.168.0.0]
Thursday May 17, 2012 13:50:13 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-3DES AUTH:MD5 HASH:Others PFS(Group):Group1
Thursday May 17, 2012 13:50:13 error = 14
Thursday May 17, 2012 13:50:13 Receive IKE Q1(QINIT) : [91.197.78.146]-->[91.204.178.84]
Thursday May 17, 2012 13:50:13 Requested routing is [192.168.3.0|91.197.78.146]<->[91.204.178.84|192.168.0.0]

hosco 17-05-2012 14:30 1917645

And here is the log from the router in office B:

Thursday May 17, 2012 14:26:07 IKE phase2 (IPSec SA) remove : 192.168.3.0 <-> 192.168.0.0
Thursday May 17, 2012 14:26:07 inbound SPI = 0xbc0a66ed, outbound SPI = 0x0
Thursday May 17, 2012 14:26:07 Send IKE Q1(QINIT) : 192.168.3.0 --> 192.168.0.0
Thursday May 17, 2012 14:26:07 Receive IKE INFO : 91.204.178.84 --> 91.197.78.146
Thursday May 17, 2012 14:26:07 Disassociated: Blocked access attempt from 94.21.154.10:49093 to UDP port 23518
Thursday May 17, 2012 14:26:08 IKED re-TX : QINIT to 91.204.178.84
Thursday May 17, 2012 14:26:08 IKED re-TX : QINIT to 91.204.178.84
Thursday May 17, 2012 14:26:08 Send IKE (INFO) : delete [192.168.3.0|91.197.78.146]-->[91.204.178.84|192.168.0.0] phase 2
Thursday May 17, 2012 14:26:08 IKE phase2 (IPSec SA) remove : 192.168.3.0 <-> 192.168.0.0
Thursday May 17, 2012 14:26:08 inbound SPI = 0xbe0a9c59, outbound SPI = 0x0
Thursday May 17, 2012 14:26:08 Send IKE (INFO) : delete [192.168.3.0|91.197.78.146]-->[91.204.178.84|192.168.0.0] phase 2
Thursday May 17, 2012 14:26:08 IKE phase2 (IPSec SA) remove : 192.168.3.0 <-> 192.168.0.0
Thursday May 17, 2012 14:26:08 inbound SPI = 0xbd0a7c23, outbound SPI = 0x0
Thursday May 17, 2012 14:26:08 Send IKE Q1(QINIT) : 192.168.3.0 --> 192.168.0.0
Thursday May 17, 2012 14:26:08 Receive IKE Q1(QINIT) : [91.204.178.84]-->[91.197.78.146]
Thursday May 17, 2012 14:26:08 Requested routing is [192.168.0.0|91.204.178.84]<->[91.197.78.146|192.168.3.0]
Thursday May 17, 2012 14:26:08 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-DES AUTH:MD5 HASH:Others PFS(Group):Group2
Thursday May 17, 2012 14:26:08 error = 14
Thursday May 17, 2012 14:26:08 Receive IKE INFO : 91.204.178.84 --> 91.197.78.146
Thursday May 17, 2012 14:26:09 IKED re-TX : QINIT to 91.204.178.84

Telepuzik 17-05-2012 14:33 1917646

Quote:

Quote from hosco
Thursday May 17, 2012 13:50:13 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-3DES AUTH:MD5 HASH:Others PFS(Group):Group1 »

Show screenshots of the HOME->VPN->TunnelName->Select IKE Proposal settings from the devices in offices A and B.
Quote:

Quote from hosco
Firmware on all of them is V1.53RU »

Is the firmware really the same on all of them? I bought this device recently, and in firmware (if I am not mistaken) 1.53RU there is no 3DES support; I had to install V1.51.

hosco 17-05-2012 14:42 1917650

Attachments: 2
Telepuzik

Yes, the firmware is the same; I checked several times.

Screenshots

Telepuzik 17-05-2012 14:53 1917657

hosco,
Please post screenshots of the Select IPSEC Proposal settings.

hosco 17-05-2012 14:58 1917665

Attachments: 2
Telepuzik

Telepuzik 17-05-2012 15:45 1917704

hosco,
The settings are correct; what is unclear is where this comes from:
Quote:

Quote from hosco
Thursday May 17, 2012 13:50:13 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-3DES »

Have you tried rebooting the router in office A?

hosco 17-05-2012 15:51 1917710

Telepuzik, yes, of course I tried; it is the first thing I do. The old-school method: if something does not work, reboot it first :)

Telepuzik 17-05-2012 16:02 1917718

hosco,
On the router in office A, try the following in the Select IPSEC Proposal settings:
1. IPSec Proposal index->IPSec boshe->Remove.
2. Set the Proposal Name, DH Group, Encap protocol, Encrypt algorithm, etc. again.
3. Proposal ID -> choose the required ID->Add to Proposal index
4. Apply.
5. See what appears in the connection logs.

hosco 17-05-2012 16:47 1917756

Telepuzik, I will try that. When setting up several tunnels on one device, is there no need to open an additional port or enable anything else?
This line in the log bothers me:
Thursday May 17, 2012 14:26:07 Disassociated: Blocked access attempt from 94.21.154.10:49093 to UDP port 23518

The working tunnel dropped right after the new one was added; could the new one have taken the place of the previous one? Its port?

hosco 17-05-2012 17:58 1917787

Here is the new log, after deleting and re-creating the proposal:

Thursday May 17, 2012 16:10:55 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:10:56 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:10:57 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:01 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:02 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:02 Send IKE (INFO) : delete [192.168.0.0|91.204.178.84]-->[91.197.78.146|192.168.3.0] phase 2
Thursday May 17, 2012 16:11:02 IKE phase2 (IPSec SA) remove : 192.168.0.0 <-> 192.168.3.0
Thursday May 17, 2012 16:11:02 inbound SPI = 0x4e05a46e, outbound SPI = 0x0
Thursday May 17, 2012 16:11:02 Send IKE Q1(QINIT) : 192.168.0.0 --> 192.168.3.0
Thursday May 17, 2012 16:11:03 Send IKE (INFO) : delete [192.168.0.0|91.204.178.84]-->[91.197.78.146|192.168.3.0] phase 2
Thursday May 17, 2012 16:11:03 IKE phase2 (IPSec SA) remove : 192.168.0.0 <-> 192.168.3.0
Thursday May 17, 2012 16:11:03 inbound SPI = 0x4f0544be, outbound SPI = 0x0
Thursday May 17, 2012 16:11:04 Send IKE Q1(QINIT) : 192.168.0.0 --> 192.168.3.0
Thursday May 17, 2012 16:11:05 Receive IKE INFO : 91.197.78.146 --> 91.204.178.84
Thursday May 17, 2012 16:11:06 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:07 Send IKE (INFO) : delete [192.168.0.0|91.204.178.84]-->[91.197.78.146|192.168.3.0] phase 2
Thursday May 17, 2012 16:11:07 IKE phase2 (IPSec SA) remove : 192.168.0.0 <-> 192.168.3.0
Thursday May 17, 2012 16:11:07 inbound SPI = 0x5005070e, outbound SPI = 0x0
Thursday May 17, 2012 16:11:07 Send IKE Q1(QINIT) : 192.168.0.0 --> 192.168.3.0
Thursday May 17, 2012 16:11:07 Receive IKE INFO : 91.197.78.146 --> 91.204.178.84
Thursday May 17, 2012 16:11:07 Receive IKE INFO : 91.197.78.146 --> 91.204.178.84
Thursday May 17, 2012 16:11:08 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:09 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:09 Receive IKE INFO : 91.197.78.146 --> 91.204.178.84
Thursday May 17, 2012 16:11:10 Receive IKE INFO : 91.197.78.146 --> 91.204.178.84
Thursday May 17, 2012 16:11:11 Receive IKE INFO : 91.197.78.146 --> 91.204.178.84
Thursday May 17, 2012 16:11:12 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:13 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:14 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:16 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:17 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:17 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:17 Send IKE (INFO) : delete [192.168.0.0|91.204.178.84]-->[91.197.78.146|192.168.3.0] phase 2
Thursday May 17, 2012 16:11:17 IKE phase2 (IPSec SA) remove : 192.168.0.0 <-> 192.168.3.0
Thursday May 17, 2012 16:11:17 inbound SPI = 0x51052e5e, outbound SPI = 0x0
Thursday May 17, 2012 16:11:17 Send IKE Q1(QINIT) : 192.168.0.0 --> 192.168.3.0
Thursday May 17, 2012 16:11:18 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 16:11:18 Send IKE (INFO) : delete [192.168.0.0|91.204.178.84]-->[91.197.78.146|192.168.3.0] phase 2
Thursday May 17, 2012 16:11:18 IKE phase2 (IPSec SA) remove : 192.168.0.0 <-> 192.168.3.0
Thursday May 17, 2012 16:11:18 inbound SPI = 0x52055fae, outbound SPI = 0x0

And this as well:

Thursday May 17, 2012 13:47:28 IKED re-TX : INIT to 91.197.78.146
Thursday May 17, 2012 13:47:29 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:30 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:30 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:31 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:32 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:34 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:35 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:36 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:38 IKED re-TX : INIT to 91.197.78.146
Thursday May 17, 2012 13:47:40 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:42 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:44 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:45 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:46 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:50 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:52 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:54 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:55 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:47:56 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0

hosco 17-05-2012 18:55 1917821

And this is what fills the log when I try to ping a computer on the LAN behind the router:

Thursday May 17, 2012 18:45:28 IPSec tunnel keep alive : peer IP 192.168.0.254
Thursday May 17, 2012 18:45:28 [192.168.3.0|91.197.78.146]-->[91.204.178.84|192.168.0.0]
Thursday May 17, 2012 18:45:35 Disassociated: Blocked access attempt from 62.63.87.46:37570 to UDP port 31446
Thursday May 17, 2012 18:45:35 Disassociated: Blocked access attempt from 213.79.119.202:23836 to UDP port 31446
Thursday May 17, 2012 18:45:36 IPSec tunnel keep alive : peer IP 192.168.0.254
Thursday May 17, 2012 18:45:36 [192.168.3.0|91.197.78.146]-->[91.204.178.84|192.168.0.0]
Thursday May 17, 2012 18:45:36 Disassociated: Blocked access attempt from 91.204.176.17:64420 to UDP port 31446
Thursday May 17, 2012 18:45:36 Disassociated: Blocked access attempt from 109.62.140.237:14872 to UDP port 31446
Thursday May 17, 2012 18:45:37 Disassociated: Blocked access attempt from 62.63.87.46:37570 to UDP port 31446
Thursday May 17, 2012 18:45:37 Disassociated: Blocked access attempt from 213.79.119.202:23836 to UDP port 31446
Thursday May 17, 2012 18:45:39 Disassociated: Blocked access attempt from 91.204.176.17:64420 to UDP port 31446
Thursday May 17, 2012 18:45:39 Disassociated: Blocked access attempt from 109.62.140.237:14872 to UDP port 31446
Thursday May 17, 2012 18:45:40 Disassociated: Blocked access attempt from 109.62.189.253:9282 to UDP port 31446
Thursday May 17, 2012 18:45:41 Disassociated: Blocked access attempt from 62.63.87.46:37570 to UDP port 31446
Thursday May 17, 2012 18:45:41 Disassociated: Blocked access attempt from 213.79.119.202:23836 to UDP port 31446
Thursday May 17, 2012 18:45:43 Disassociated: Blocked access attempt from 109.62.140.237:14872 to UDP port 31446
Thursday May 17, 2012 18:45:43 Disassociated: Blocked access attempt from 109.62.189.253:9282 to UDP port 31446
Thursday May 17, 2012 18:45:44 Disassociated: Blocked access attempt from 91.204.176.17:64420 to UDP port 31446
Thursday May 17, 2012 18:45:48 Disassociated: Blocked access attempt from 109.62.189.253:9282 to UDP port 31446
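The logs posted in this thread (the office A excerpts at 13:42, the office B log at 14:30, the "QM must after P1" errors and the blocked-access lines above) are easier to compare once parsed. The following Python script is an added example, not code from the thread or from D-Link: its regular expressions are assumptions inferred only from the line formats quoted here, and its sample logs are constructed excerpts of hosco's office A and office B logs. It counts each message kind per router, records the ESP proposal each side logs when phase 2 fails, lists the fields on which the two sides disagree (PROTOCAL and PFS in these excerpts), and separates the firewall's blocked-UDP lines from the IKE traffic so they are not mistaken for a tunnel problem.

```python
"""Summarize D-Link DI-804HV IKE/IPsec log lines (added example, not the forum's or D-Link's code).
The regular expressions are assumptions inferred only from the line formats quoted in the thread;
the sample logs are constructed excerpts of the office A and office B logs posted there.
"""
import re
from collections import Counter

# Timestamp prefix as the router prints it, e.g. "Thursday May 17, 2012 13:50:12 "
TS = r"^\w+ \w+ \d{1,2}, \d{4} \d\d:\d\d:\d\d "

# One regex per message kind seen in the thread (assumed formats).
PATTERNS = {
    "retx": re.compile(TS + r"IKED re-TX : (?P<exchange>\w+) to (?P<peer>[\d.]+)$"),
    "recv_q1": re.compile(TS + r"Receive IKE Q1\(QINIT\) : \[(?P<src>[\d.]+)\]-->\[(?P<dst>[\d.]+)\]$"),
    "routing": re.compile(TS + r"Requested routing is \[(?P<lnet>[\d.]+)\|(?P<lgw>[\d.]+)\]<->\[(?P<rgw>[\d.]+)\|(?P<rnet>[\d.]+)\]$"),
    "esp": re.compile(TS + r"Try to match ESP with MODE:(?P<mode>\S+) PROTOCAL:(?P<proto>\S+) AUTH:(?P<auth>\S+) HASH:(?P<hash>\S+) PFS\(Group\):(?P<pfs>\S+)$"),
    "errcode": re.compile(TS + r"error = (?P<code>\d+)$"),
    "qm_before_p1": re.compile(TS + r"Error : (?P<src>[\d.]+) -> (?P<dst>[\d.]+) QM must after P1 and MsgID!=0$"),
    "blocked": re.compile(TS + r"Disassociated: Blocked access attempt from (?P<src>[\d.]+):(?P<sport>\d+) to UDP port (?P<dport>\d+)$"),
}

# Constructed samples: excerpts of the logs hosco posted for office A and office B.
OFFICE_A_LOG = """\
Thursday May 17, 2012 13:47:29 Error : 91.197.78.146 -> 91.204.178.84 QM must after P1 and MsgID!=0
Thursday May 17, 2012 13:50:11 error = 14
Thursday May 17, 2012 13:50:11 IKED re-TX : QINIT to 91.197.78.146
Thursday May 17, 2012 13:50:12 Receive IKE Q1(QINIT) : [91.197.78.146]-->[91.204.178.84]
Thursday May 17, 2012 13:50:12 Requested routing is [192.168.3.0|91.197.78.146]<->[91.204.178.84|192.168.0.0]
Thursday May 17, 2012 13:50:12 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-3DES AUTH:MD5 HASH:Others PFS(Group):Group1
Thursday May 17, 2012 13:50:12 error = 14
"""

OFFICE_B_LOG = """\
Thursday May 17, 2012 14:26:07 Disassociated: Blocked access attempt from 94.21.154.10:49093 to UDP port 23518
Thursday May 17, 2012 14:26:08 IKED re-TX : QINIT to 91.204.178.84
Thursday May 17, 2012 14:26:08 Receive IKE Q1(QINIT) : [91.204.178.84]-->[91.197.78.146]
Thursday May 17, 2012 14:26:08 Requested routing is [192.168.0.0|91.204.178.84]<->[91.197.78.146|192.168.3.0]
Thursday May 17, 2012 14:26:08 Try to match ESP with MODE:Tunnel PROTOCAL:ESP-DES AUTH:MD5 HASH:Others PFS(Group):Group2
Thursday May 17, 2012 14:26:08 error = 14
"""

def parse_line(line):
    """Classify one log line; returns (kind, captured fields)."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            return kind, m.groupdict()
    return "other", {"text": line}

def summarize(log_text):
    """Count message kinds and collect the peers, subnets and ESP proposals seen."""
    s = {"counts": Counter(), "error_codes": Counter(), "blocked_ports": Counter(),
         "peers": set(), "routing": set(), "esp_proposals": set()}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, f = parse_line(line)
        s["counts"][kind] += 1
        if kind == "retx":
            s["peers"].add(f["peer"])
        elif kind == "routing":
            s["routing"].add((f["lnet"], f["rnet"]))
        elif kind == "esp":
            s["esp_proposals"].add((f["mode"], f["proto"], f["auth"], f["pfs"]))
        elif kind == "errcode":
            s["error_codes"][int(f["code"])] += 1
        elif kind == "blocked":
            s["blocked_ports"][int(f["dport"])] += 1
    return s

def proposal_differences(a, b):
    """ESP proposal fields on which the proposals logged by two routers disagree."""
    names = ("MODE", "PROTOCAL", "AUTH", "PFS")
    diffs = set()
    for pa in a["esp_proposals"]:
        for pb in b["esp_proposals"]:
            diffs.update(n for n, va, vb in zip(names, pa, pb) if va != vb)
    return sorted(diffs)

def findings(s):
    """Plain-language observations, each tied to a line kind the router logs."""
    out, c = [], s["counts"]
    if c["qm_before_p1"]:
        out.append("peer sent Quick Mode before phase 1 completed (QM must after P1)")
    if c["esp"] and s["error_codes"][14]:
        out.append("phase-2 ESP proposal evaluated and rejected (error = 14): compare Select IPSEC Proposal on both sides")
    if c["retx"] and not c["recv_q1"]:
        out.append("retransmitting to the peer with no Quick Mode reply received")
    # IKE itself uses UDP 500 (and 4500 for NAT-T); drops on other ports are unrelated firewall noise.
    non_ike = {p: n for p, n in s["blocked_ports"].items() if p not in (500, 4500)}
    if non_ike:
        out.append("firewall dropped %d unsolicited UDP packets to non-IKE ports %s" % (sum(non_ike.values()), sorted(non_ike)))
    return out

if __name__ == "__main__":
    a, b = summarize(OFFICE_A_LOG), summarize(OFFICE_B_LOG)
    for name, summ in (("office A", a), ("office B", b)):
        print(name, dict(summ["counts"]), *findings(summ), sep="\n  ")
    print("proposal fields differing between A and B:", proposal_differences(a, b))
```

Run it against a full log export from each router rather than the excerpts; the `routing` set shows which subnet pairs each side is actually negotiating, and `proposal_differences` gives a concrete list of fields to check in the Select IPSEC Proposal screens instead of comparing screenshots by eye.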

hosco 08-06-2012 17:41 1930793

I found the cause. All the routers have firmware 1.53RU, but on two of them it is dated April 28 and on the others April 30. You would not notice such a small detail right away. Odd thing: the build on the FTP is exactly the April 28 one; where do I find the April 30 build now?

sergeika74 16-10-2012 16:03 2006520

Hello! I have also set up two tunnels, and everything works. But once a day it is specifically the second tunnel that drops. I even swapped them around on the central router; whichever one is second by ID still drops. In the IKE settings the time is 86400, which corresponds to 24 hours. As I understand it, that is when the tunnels re-register. But the first one recovers by itself, while the second has to be restarted manually by going into VPN status and clicking DROP first and then reconnect.

By the way, in the original poster's settings the IKE lifetime is shorter than in the IPsec settings, while in the D-Link guide it is the other way round.


Time: 22:23.

© OSzone.net 2001-