gre ipsec strongswan cisco ios (ошибки)

SHar · Сообщение **SHar** » 20.04.2021 12:49

Здравствуйте уважаемые господа!
Делаю туннель сеть-сеть между cisco2911 и Centos7 на strongswan
Конфиги:
XXXX- public ip cisco
YYYY - public ip Linux
Strongswan

Код: Выделить всё

conn cisco
        
        type=tunnel                          #IPSec Type: Tunnel
        authby=secret                        #Authentication via Shared Secret
        left=%defaultroute                   #strongswan outside address
        leftsubnet=10.0.1.6/32               #Local Subnets being Tunneled
        leftid=YYYY                #Connection PublicIP (OtherPartyConnectionId)
        right=XXXX                   #Remote Participant PublicIP
        rightsubnet=10.0.1.5/32              #Remote Subnets being Tunneled
        rightid=XXXX                 #IKEID sent by IOS
        auto=start
        compress = yes
        ike=3des-md5-modp1024!               #IKE Phase 1 Algorithm
#        esp=3des-md5-modp1024!
        esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes256-sha256
        mark=%unique
        ikelifetime=28800
        keyingtries=%forever                 #Attempts to Negotiate a Connection
        #keylife=59m
        #rekeymargin=3m
        leftprotoport=47
        rightprotoport=47
        rekey=yes                            #Enable Rekeying
        keyexchange=ikev1
        dpdtimeout=10                        #Dead Peer Detection Timeout
        dpddelay=3                           #Dead Peer Detection Delay

Соответственно ключ совпадает
cisco

Код: Выделить всё

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key <<key>> address YYYY   
!         
!
crypto ipsec transform-set 1DES ah-md5-hmac esp-3des esp-md5-hmac 
 mode tunnel
!
crypto ipsec profile IPSEC
 set security-association lifetime seconds 28800
 set transform-set 1DES 
 set pfs group2
!

!
!
!
!
!
!

!
interface Tunnel1
 description Virtual
 ip address 10.0.1.5 255.255.255.252
 ip mtu 1400
 tunnel source XXXX
 tunnel destination YYYY
 tunnel protection ipsec profile IPSEC

Логи
charon[6358]: 11[ENC] generating QUICK_MODE request 945195132 [ HASH SA No KE ID ID ]
charon[6358]: 11[NET] sending packet: from YYYY[500] to XXXX[500] (300 bytes)
charon[6358]: 12[NET] received packet: from XXXX[500] to YYYY[500] (84 bytes)
charon[6358]: 12[ENC] parsed INFORMATIONAL_V1 request 2917458150 [ HASH N(NO_PROP) ]
charon[6358]: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
charon[6358]: 13[NET] received packet: from XXXX[500] to YYYY[500] (164 bytes)
charon[6358]: 13[ENC] parsed QUICK_MODE request 3649755865 [ HASH SA No ID ID ]
charon[6358]: 13[IKE] no matching CHILD_SA config found for XXXX/32[gre] === YYYY/32[gre]
charon[6358]: 13[ENC] generating INFORMATIONAL_V1 request 3185025512 [ HASH N(INVAL_ID) ]
charon[6358]: 13[NET] sending packet: from YYYY[500] to XXXX[500] (68 bytes)
received HASH payload does not match
Прошу подсказать соответствие цисковских и линуксовых (стронгсвановских) пропосалов
Прошу помощи, уже и ракун попробовал
Линукс на хецнере