- 締切済み
VPNが繋がらない(YAMAHA RTX1100)
【PC-A】--【拠点1ルータ1LAN内】--【拠点1ルータ2】--(Tunnel1)--【本社】--(Tunnel2)--【拠点2ルータ】 お世話になります。上記の様な配線の時、 【拠点1ルータ1LAN内】をYAMAHA RTX1100と交換したらVPNが繋がりません。 【本社】と【拠点2ルータ】はVPNが出来るのですが 【本社】と【拠点1ルータ1LAN内】はVPNが出来ません。 【PC-A】から本社WAN側までpingは通ります 【本社】に残ったログからIPsecの信号は受けている様ですが、 Tunnelが『UP』の状態になりません。 本社と各拠点からはInternetは問題なく出来ています。 【本社】に残ったログ [IKE] generate spi list payload same message repeated 1 times [IKE] generate sequence number payload [IKE] generate hash payload [IKE] generate ISAKMP header [IKE] send IKE message [IKE] 2d 81 8f [IKE] receive IKE message [IKE] f6 69 06 [IKE] ... omitted [IKE] respond ISAKMP phase to 111.111.111.111 [IKE] add ISAKMP context [214] f6 [IKE] receive message from unknown gateway 111.111.111.111 [IKE] receive IKE message [IKE] 2d 81 8f [IKE] receive heartbeat message from 222.222.222.222 [IKE] decrypted payload [IKE] 08 00 00 [IKE] process sequence number payload [IKE] receive sequence number 36 [IKE] process hash payload [IKE] process notification payload [IKE] receive notification from 222.222.222.222 [IKE] no SPI is specified. [IKE] still connected : no message [IKE] spi list payload 24 [IKE] receive spi list protocol = 3, n = 1 [IKE] spi 3b22054a [IKE] inactivate context [214] f6 [IKE] inactivate ISAKMP socket[1] [IKE] delete ISAKMP context [214] f6
- ryukyutaro
- お礼率47% (11/23)
- ネットワーク
- 回答数1
- ありがとう数6
- みんなの回答 (1)
- 専門家の回答
みんなの回答
- takataka65
- ベストアンサー率47% (48/102)
これかな? IPsec NATトラバーサル http://www.rtpro.yamaha.co.jp/RT/docs/ipsec/nat-traversal.html
お礼
takataka65さん、ありがとうございます。 手元のRTX1100ではNATトラバーサルコマンドはサポートされておりませんでした。 以下コンフィグです。お願い致します。 【本社】のコンフィグ (RTX1100/IPフィルター無し) ip route default gateway pp 1 ip route 192.168.0.0/24 gateway tunnel 2 ip route 192.168.88.0/24 gateway tunnel 1 ip lan1 address 192.168.21.1/24 pp disable all pp select 1 pp always-on on pppoe use lan3 pppoe auto connect on pppoe auto disconnect on pp auth accept pap chap pp auth myname *****@***** ***** ppp lcp mru on 1454 ppp ipcp msext on ppp ccp type none ip pp address AAA.AAA.AAA.AAA/32 ip pp mtu 1454 ip pp intrusion detection in on reject=on ip pp nat descriptor 1 pp enable 1 tunnel disable all tunnel select 1 tunnel name "本社⇔拠点1" ipsec tunnel 1 ipsec sa policy 1 1 esp 3des-cbc md5-hmac ipsec ike always-on 1 off ipsec ike encryption 1 3des-cbc ipsec ike esp-encapsulation 1 off ipsec ike group 1 modp768 ipsec ike hash 1 md5 ipsec ike keepalive log 1 on ipsec ike keepalive use 1 on ipsec ike local address 1 AAA.AAA.AAA.AAA ipsec ike log 1 message-info ipsec ike pfs 1 on ipsec ike pre-shared-key 1 text TEST ipsec ike remote address 1 any ipsec ike remote name 1 KYOTEN1 ipsec auto refresh 1 on tunnel enable 1 tunnel select 2 (省略) nat descriptor type 1 masquerade nat descriptor address outer 1 AAA.AAA.AAA.AAA nat descriptor address inner 1 auto nat descriptor masquerade incoming 1 reject nat descriptor masquerade static 1 1 192.168.21.1 esp nat descriptor masquerade static 1 2 192.168.21.1 udp 500 ipsec auto refresh on ipsec ike retry 10 5
補足
【拠点1ルータ1LAN内】のコンフィグ (RTX1100/IPフィルター無し) ip route default gateway 192.168.98.250 ip route 192.168.0.0/24 gateway tunnel 1 ip route 192.168.21.0/24 gateway tunnel 1 ip lan1 address 192.168.88.250/24 ip lan2 address 192.168.98.251/24 ip lan2 nat descriptor 1 pp disable all tunnel disable all tunnel select 1 tunnel name "拠点1⇔本社" ipsec tunnel 1 ipsec sa policy 1 1 esp 3des-cbc md5-hmac ipsec ike always-on 1 on ipsec ike encryption 1 3des-cbc ipsec ike esp-encapsulation 1 off ipsec ike group 1 modp768 ipsec ike hash 1 md5 ipsec ike keepalive log 1 on ipsec ike keepalive use 1 on ipsec ike local address 1 192.168.88.250 ipsec ike log 1 message-info ipsec ike local name 1 KYOTEN1 key-id ipsec ike pfs 1 on ipsec ike pre-shared-key 1 text TEST ipsec ike remote address 1 AAA.AAA.AAA.AAA ipsec auto refresh 1 on tunnel enable 1 nat descriptor type 1 masquerade nat descriptor address outer 1 primary nat descriptor address inner 1 auto nat descriptor masquerade incoming 1 reject nat descriptor masquerade static 1 1 192.168.88.250 esp nat descriptor masquerade static 1 2 192.168.88.250 udp 500 ipsec ike retry 10 5