The OpenNET Project
Forum: CISCO routers and other equipment (VPN, VLAN, tunnel)
Original message

"Help me sort out ipsec."
Message from mshejh (ok) on 24-Jan-13, 11:35
Good day. I'm asking for your help configuring a cisco 2911.

My Cisco currently sits behind a DLink router that faces the internet.

I want to bring up an l2tp ipsec client on it to a cisco l2tp vpn server.

I have the IP, login, password and key. On Windows, l2tp comes up without any problems.

I configured ipsec. Config:

no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip multicast-routing
!
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
vpdn enable
!
! IKE phase 1 (ISAKMP) policy and pre-shared key for the L2TP server
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key avoccod8 address xxx.yyy.149.253
crypto isakmp keepalive 10
!
! IKE phase 2 (IPsec) proposal: ESP in transport mode
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
!
crypto map VPN 10 ipsec-isakmp
 set peer xxx.yyy.149.253
 set transform-set TS
 match address L2TP_SA_DAILER1
!
interface GigabitEthernet0/2
 ip address xxx.yyy.0.185 255.255.255.0
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 xxx.yyy.0.1
!
! Crypto ACL: all IP traffic between the two endpoints, any protocol/port
ip access-list extended L2TP_SA_DAILER1
 permit ip host xxx.yyy.0.185 host xxx.yyy.149.253
!

I start pinging the server and get the following debug:
Jan 24 07:02:18.449: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= xxx.yyy.0.185:500, remote= xxx.yyy.149.253:500,
    local_proxy= xxx.yyy.0.185/255.255.255.255/0/0 (type=1),
    remote_proxy= xxx.yyy.149.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jan 24 07:02:18.449: ISAKMP:(0): SA request profile is (NULL)
Jan 24 07:02:18.449: ISAKMP: Created a peer struct for xxx.yyy.149.253, peer port 500
Jan 24 07:02:18.449: ISAKMP: New peer created peer = 0x3003FF24 peer_handle = 0x8000001B
Jan 24 07:02:18.449: ISAKMP: Locking peer struct 0x3003FF24, refcount 1 for isakmp_initiator
Jan 24 07:02:18.449: ISAKMP: local port 500, remote port 500
Jan 24 07:02:18.449: ISAKMP: set new node 0 to QM_IDLE
Jan 24 07:02:18.449: ISAKMP:(0):insert sa successfully sa = 31279FBC
Jan 24 07:02:18.449: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jan 24 07:02:18.449: ISAKMP:(0):found peer pre-shared key matching xxx.yyy.149.253
Jan 24 07:02:18.449: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jan 24 07:02:18.449: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jan 24 07:02:18.449: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jan 24 07:02:18.449: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jan 24 07:02:18.449: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jan 24 07:02:18.449: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Jan 24 07:02:18.449: ISAKMP:(0): beginning Main Mode exchange
Jan 24 07:02:18.449: ISAKMP:(0): sending packet to xxx.yyy.149.253 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 24 07:02:18.449: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jan 24 07:02:18.457: ISAKMP (0): received packet from xxx.yyy.149.253 dport 500 sport 500 Global (I) MM_NO_STATE
Jan 24 07:02:18.457: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 24 07:02:18.457: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Jan 24 07:02:18.457: ISAKMP:(0): processing SA payload. message ID = 0
Jan 24 07:02:18.457: ISAKMP:(0): processing vendor id payload
Jan 24 07:02:18.457: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jan 24 07:02:18.457: ISAKMP:(0): vendor ID is NAT-T v2
Jan 24 07:02:18.457: ISAKMP:(0): processing vendor id payload
Jan 24 07:02:18.457: ISAKMP:(0): processing IKE frag vendor id payload
Jan 24 07:02:18.457: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jan 24 07:02:18.457: ISAKMP:(0):found peer pre-shared key matching xxx.yyy.149.253
Jan 24 07:02:18.457: ISAKMP:(0): local preshared key found
Jan 24 07:02:18.457: ISAKMP : Scanning profiles for xauth ...
Jan 24 07:02:18.457: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
Jan 24 07:02:18.457: ISAKMP:      encryption 3DES-CBC
Jan 24 07:02:18.457: ISAKMP:      hash MD5
Jan 24 07:02:18.457: ISAKMP:      default group 2
Jan 24 07:02:18.457: ISAKMP:      auth pre-share
Jan 24 07:02:18.457: ISAKMP:      life type in seconds
Jan 24 07:02:18.457: ISAKMP:      life duration (basic) of 28800
Jan 24 07:02:18.457: ISAKMP:(0):atts are acceptable. Next payload is 0
Jan 24 07:02:18.457: ISAKMP:(0):Acceptable atts:actual life: 0
Jan 24 07:02:18.457: ISAKMP:(0):Acceptable atts:life: 0
Jan 24 07:02:18.457: ISAKMP:(0):Basic life_in_seconds:28800
Jan 24 07:02:18.457: ISAKMP:(0):Returning Actual lifetime: 28800
Jan 24 07:02:18.457: ISAKMP:(0)::Started lifetime timer: 28800.

Jan 24 07:02:18.457: ISAKMP:(0): processing vendor id payload
Jan 24 07:02:18.457: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jan 24 07:02:18.457: ISAKMP:(0): vendor ID is NAT-T v2
Jan 24 07:02:18.457: ISAKMP:(0): processing vendor id payload
Jan 24 07:02:18.457: ISAKMP:(0): processing IKE frag vendor id payload
Jan 24 07:02:18.457: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jan 24 07:02:18.457: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 24 07:02:18.457: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Jan 24 07:02:18.457: ISAKMP:(0): sending packet to xxx.yyy.149.253 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jan 24 07:02:18.457: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jan 24 07:02:18.457: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 24 07:02:18.457: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Jan 24 07:02:18.465: ISAKMP (0): received packet from xxx.yyy.149.253 dport 500 sport 500 Global (I) MM_SA_SETUP
Jan 24 07:02:18.465: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 24 07:02:18.465: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Jan 24 07:02:18.465: ISAKMP:(0): processing KE payload. message ID = 0
Jan 24 07:02:18.489: ISAKMP:(0): processing NONCE payload. message ID = 0
Jan 24 07:02:18.489: ISAKMP:(0):found peer pre-shared key matching xxx.yyy.149.253
Jan 24 07:02:18.489: ISAKMP:(1023): processing vendor id payload
Jan 24 07:02:18.489: ISAKMP:(1023): vendor ID is Unity
Jan 24 07:02:18.489: ISAKMP:(1023): processing vendor id payload
Jan 24 07:02:18.489: ISAKMP:(1023): vendor ID seems Unity/DPD but major 25 mismatch
Jan 24 07:02:18.489: ISAKMP:(1023): vendor ID is XAUTH
Jan 24 07:02:18.489: ISAKMP:(1023): processing vendor id payload
Jan 24 07:02:18.489: ISAKMP:(1023): speaking to another IOS box!
Jan 24 07:02:18.489: ISAKMP:(1023): processing vendor id payload
Jan 24 07:02:18.489: ISAKMP:(1023):vendor ID seems Unity/DPD but hash mismatch
Jan 24 07:02:18.489: ISAKMP:received payload type 20
Jan 24 07:02:18.489: ISAKMP (1023): NAT found, both nodes inside NAT
Jan 24 07:02:18.489: ISAKMP:received payload type 20
Jan 24 07:02:18.489: ISAKMP (1023): My hash no match -  this node inside NAT
Jan 24 07:02:18.489: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 24 07:02:18.489: ISAKMP:(1023):Old State = IKE_I_MM4  New State = IKE_I_MM4

Jan 24 07:02:18.493: ISAKMP:(1023):Send initial contact
Jan 24 07:02:18.493: ISAKMP:(1023):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jan 24 07:02:18.493: ISAKMP (1023): ID payload
        next-payload : 8
        type         : 1
        address      : xxx.yyy.0.185
        protocol     : 17
        port         : 0
        length       : 12
Jan 24 07:02:18.493: ISAKMP:(1023):Total payload length: 12
Jan 24 07:02:18.493: ISAKMP:(1023): sending packet to xxx.yyy.149.253 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jan 24 07:02:18.493: ISAKMP:(1023):Sending an IKE IPv4 Packet.
Jan 24 07:02:18.493: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 24 07:02:18.493: ISAKMP:(1023):Old State = IKE_I_MM4  New State = IKE_I_MM5

Jan 24 07:02:18.497: ISAKMP (1023): received packet from xxx.yyy.149.253 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
Jan 24 07:02:18.497: ISAKMP:(1023): processing ID payload. message ID = 0
Jan 24 07:02:18.497: ISAKMP (1023): ID payload
        next-payload : 8
        type         : 1
        address      : xxx.yyy.149.253
        protocol     : 17
        port         : 0
        length       : 12
Jan 24 07:02:18.497: ISAKMP:(0):: peer matches *none* of the profiles
Jan 24 07:02:18.497: ISAKMP:(1023): processing HASH payload. message ID = 0
Jan 24 07:02:18.497: ISAKMP:received payload type 17
Jan 24 07:02:18.497: ISAKMP:(1023): processing keep alive: proposal=32767/32767 sec., actual=10/2 sec.
Jan 24 07:02:18.497: ISAKMP:(1023): processing vendor id payload
Jan 24 07:02:18.497: ISAKMP:(1023): vendor ID is DPD
Jan 24 07:02:18.497: ISAKMP:(1023):SA authentication status:
        authenticated
Jan 24 07:02:18.497: ISAKMP:(1023):SA has been authenticated with xxx.yyy.149.253
Jan 24 07:02:18.497: ISAKMP:(1023):Setting UDP ENC peer struct 0x2B348D50 sa= 0x31279FBC
Jan 24 07:02:18.497: ISAKMP: Trying to insert a peer xxx.yyy.0.185/xxx.yyy.149.253/4500/,  and inserted successfully 3003FF24.
Jan 24 07:02:18.497: ISAKMP:(1023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 24 07:02:18.497: ISAKMP:(1023):Old State = IKE_I_MM5  New State = IKE_I_MM6

Jan 24 07:02:18.497: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 24 07:02:18.497: ISAKMP:(1023):Old State = IKE_I_MM6  New State = IKE_I_MM6

Jan 24 07:02:18.497: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 24 07:02:18.497: ISAKMP:(1023):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Jan 24 07:02:18.497: ISAKMP:(1023):IKE_DPD is enabled, initializing timers
Jan 24 07:02:18.497: ISAKMP:(1023):beginning Quick Mode exchange, M-ID of 3005876739
Jan 24 07:02:18.497: ISAKMP:(1023):QM Initiator gets spi
Jan 24 07:02:18.501: ISAKMP:(1023): sending packet to xxx.yyy.149.253 my_port 4500 peer_port 4500 (I) QM_IDLE
Jan 24 07:02:18.501: ISAKMP:(1023):Sending an IKE IPv4 Packet.
Jan 24 07:02:18.501: ISAKMP:(1023):Node 3005876739, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jan 24 07:02:18.501: ISAKMP:(1023):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jan 24 07:02:18.501: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jan 24 07:02:18.501: ISAKMP:(1023):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jan 24 07:02:18.505: ISAKMP (1023): received packet from xxx.yyy.149.253 dport 4500 sport 4500 Global (I) QM_IDLE  
Jan 24 07:02:18.505: ISAKMP: set new node -1062750928 to QM_IDLE
Jan 24 07:02:18.505: ISAKMP:(1023): processing HASH payload. message ID = 3232216368
Jan 24 07:02:18.505: ISAKMP:(1023): processing DELETE payload. message ID = 3232216368
Jan 24 07:02:18.505: ISAKMP:(1023):peer does not do paranoid keepalives.

Jan 24 07:02:18.505: ISAKMP:(1023):deleting SA reason "No reason" state (I) QM_IDLE       (peer xxx.yyy.149.253)
Jan 24 07:02:18.505: ISAKMP:(1023):deleting node -1062750928 error FALSE reason "Informational (in) state 1"
Jan 24 07:02:18.505: ISAKMP: set new node -166047462 to QM_IDLE
Jan 24 07:02:18.505: ISAKMP:(1023): sending packet to xxx.yyy.149.253 my_port 4500 peer_port 4500 (I) QM_IDLE
Jan 24 07:02:18.505: ISAKMP:(1023):Sending an IKE IPv4 Packet.
Jan 24 07:02:18.505: ISAKMP:(1023):purging node -166047462
Jan 24 07:02:18.505: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 24 07:02:18.505: ISAKMP:(1023):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Jan 24 07:02:18.505: ISAKMP:(1023):deleting SA reason "No reason" state (I) QM_IDLE       (peer xxx.yyy.149.253)
c2911_route#
Jan 24 07:02:18.505: ISAKMP: Unlocking peer struct 0x3003FF24 for isadb_mark_sa_deleted(), count 0
Jan 24 07:02:18.505: ISAKMP: Deleting peer node by peer_reap for xxx.yyy.149.253: 3003FF24
Jan 24 07:02:18.509: ISAKMP:(1023):deleting node -1289090557 error FALSE reason "IKE deleted"
Jan 24 07:02:18.509: ISAKMP:(1023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 24 07:02:18.509: ISAKMP:(1023):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Jan 24 07:02:18.509: IPSEC(key_engine): got a queue event with 1 KMI message(s)
c2911_route#
Jan 24 07:02:48.449: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= xxx.yyy.0.185:0, remote= xxx.yyy.149.253:0,
    local_proxy= xxx.yyy.0.185/255.255.255.255/0/0 (type=1),
    remote_proxy= xxx.yyy.149.253/255.255.255.255/0/0 (type=1)


As far as I understand, phase 1 gets established:
Jan 24 07:02:18.497: ISAKMP:(1023):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Then IPsec phase 2 starts in Quick Mode:
Jan 24 07:02:18.497: ISAKMP:(1023):beginning Quick Mode exchange, M-ID of 3005876739
Jan 24 07:02:18.501: ISAKMP:(1023): sending packet to xxx.yyy.149.253 my_port 4500 peer_port 4500 (I) QM_IDLE
Jan 24 07:02:18.501: ISAKMP:(1023):Sending an IKE IPv4 Packet.
Jan 24 07:02:18.501: ISAKMP:(1023):Node 3005876739, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jan 24 07:02:18.501: ISAKMP:(1023):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jan 24 07:02:18.501: ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jan 24 07:02:18.501: ISAKMP:(1023):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jan 24 07:02:18.505: ISAKMP (1023): received packet from xxx.yyy.149.253 dport 4500 sport 4500 Global (I) QM_IDLE
Jan 24 07:02:18.505: ISAKMP: set new node -1062750928 to QM_IDLE
Jan 24 07:02:18.505: ISAKMP:(1023): processing HASH payload. message ID = 3232216368
Jan 24 07:02:18.505: ISAKMP:(1023): processing DELETE payload. message ID = 3232216368
Jan 24 07:02:18.505: ISAKMP:(1023):peer does not do paranoid keepalives.

But it does not go through; please tell me what the problem might be.
I have no experience configuring this, and I'm all thumbs too :)

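The debug quoted in the post is easiest to read as a state machine: the ISAKMP `Old State`/`New State` lines show how far phase 1 got, the `local_proxy`/`remote_proxy` lines of `IPSEC(sa_request)` show what phase 2 proposed, and a DELETE arriving right after our QM1 means the responder refused that proposal (the reason itself is only visible in the responder's log). As an added example, written by the editor and not taken from the thread, here is a small Python script that applies those checks to a condensed copy of the debug above. The embedded sample text, the `IKE_QM_PHASE2_COMPLETE` success marker and the expectation that an L2TP/IPsec responder wants UDP/1701 transport-mode selectors (RFC 3193) are the editor's assumptions, so treat its verdict as a pointer to compare against the server's own logs, not as a proof.

```python
import re

# Added example (editor's code, not from the thread): classify where an IOS
# IKEv1 negotiation failed by reading "debug crypto isakmp/ipsec" output.

# IOS wording for a finished initiator Quick Mode (assumption: IOS 15 debug text).
QM_DONE = "IKE_QM_PHASE2_COMPLETE"
# L2TP/IPsec (RFC 3193) protects UDP/1701 in transport mode, so a client that
# speaks it proposes UDP/1701 <-> UDP/1701 selectors, not "permit ip host A host B".
L2TP_PROTO, L2TP_PORT = 17, 1701

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
# local_proxy= addr/mask/protocol/port (type=1)
PROXY_RE = re.compile(r"(local|remote)_proxy= ([^/\s]+)/([^/\s]+)/(\d+)/(\d+)")

# Constructed sample: a condensed copy of the debug lines in the post above,
# with addresses masked the same way the poster masked them.
SAMPLE = """\
Jan 24 07:02:18.449: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= xxx.yyy.0.185:500, remote= xxx.yyy.149.253:500,
    local_proxy= xxx.yyy.0.185/255.255.255.255/0/0 (type=1),
    remote_proxy= xxx.yyy.149.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Transport),
Jan 24 07:02:18.449: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Jan 24 07:02:18.489: ISAKMP (1023): NAT found, both nodes inside NAT
Jan 24 07:02:18.497: ISAKMP:(1023):SA has been authenticated with xxx.yyy.149.253
Jan 24 07:02:18.497: ISAKMP:(1023):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Jan 24 07:02:18.501: ISAKMP:(1023):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jan 24 07:02:18.505: ISAKMP:(1023): processing DELETE payload. message ID = 3232216368
Jan 24 07:02:18.505: ISAKMP:(1023):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""


def parse_events(text):
    """Reduce debug output to an ordered list of (kind, detail) events."""
    events = []
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            events.append(("state", m.group(2)))
        elif m := PROXY_RE.search(line):
            side, addr, mask, proto, port = m.groups()
            events.append(("proxy", (side, addr, mask, int(proto), int(port))))
        elif "inside NAT" in line:
            events.append(("nat", line.strip()))
        elif "processing DELETE payload" in line:
            events.append(("delete", line.strip()))
    return events


def first_index(events, kind, detail=None):
    """Position of the first event of this kind (and detail, if given), else None."""
    for i, (k, d) in enumerate(events):
        if k == kind and (detail is None or d == detail):
            return i
    return None


def analyze(text):
    """Return a dict of findings plus a one-line diagnosis."""
    events = parse_events(text)
    states = [d for k, d in events if k == "state"]
    proxies = {d[0]: d for k, d in events if k == "proxy"}
    qm1 = first_index(events, "state", "IKE_QM_I_QM1")
    done = first_index(events, "state", QM_DONE)
    delete = first_index(events, "delete")

    phase1_complete = "IKE_P1_COMPLETE" in states
    phase2_complete = done is not None
    # The pattern in the post: our QM1 goes out and the peer answers with a
    # DELETE for the ISAKMP SA before any phase 2 completion is logged.
    phase2_rejected = (qm1 is not None and delete is not None and delete > qm1
                       and (done is None or delete < done))
    selectors_are_l2tp = bool(proxies) and all(
        p[3] == L2TP_PROTO and p[4] == L2TP_PORT for p in proxies.values())

    if not phase1_complete:
        diagnosis = "phase 1 did not complete: check ISAKMP policy, PSK and UDP 500/4500 reachability"
    elif phase2_rejected:
        diagnosis = ("phase 1 completed; the peer deleted the SA right after our QM1, "
                     "so it refused the phase 2 proposal")
        if not selectors_are_l2tp:
            diagnosis += ("; our proxy IDs are host/any-protocol, not the UDP/1701 "
                          "selectors an L2TP/IPsec responder expects (RFC 3193)")
    elif phase2_complete:
        diagnosis = "both IKE phases completed; if L2TP still fails, debug L2TP/PPP, not IPsec"
    else:
        diagnosis = "no known failure pattern matched; compare with the responder's debug"

    return {
        "phase1_complete": phase1_complete,
        "nat_detected": any(k == "nat" for k, _ in events),
        "phase2_rejected": phase2_rejected,
        "phase2_complete": phase2_complete,
        "selectors_are_l2tp": selectors_are_l2tp,
        "proxies": proxies,
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it as a script to print the findings for the embedded sample, or call `analyze()` on a fresh capture of `debug crypto isakmp` and `debug crypto ipsec`. The `proxies` entry holds the parsed selectors, so the protocol/port expectation can be changed when the IPsec payload is something other than L2TP.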


Messages in this thread


1. "Help me sort out ipsec."
Message from spiegel (ok) on 24-Jan-13, 18:01
enable debug crypto ipsec

2. "Help me sort out ipsec."
Message from mshejh (ok) on 25-Jan-13, 08:52
> enable debug crypto ipsec

It is enabled.


3. "Help me sort out ipsec."
Message from mshejh (ok) on 25-Jan-13, 08:53
> enable debug crypto ipsec

c2911_route#sh deb


Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on
