
L2TP IPsec PSK Android - Cisco ASR

Has anyone managed to bring up L2TP vpdn on a Cisco box so that an Android phone can connect to it?

Here is a working config that Windows connects to without any problems. With Android, though, it's a mess.

 

aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization console
aaa authorization exec default local
aaa authorization network default none
aaa accounting network default none
!
!
!
!
!
aaa session-id common
aaa policy interface-config allow-subinterface
ppp packet throttle 30 1 30
!
ip domain name local
!
multilink bundle-name authenticated
vpdn enable
vpdn logging
no vpdn logging cause normal
!
vpdn-group VPN
! Default L2TP VPDN group
description l2tp group
accept-dialin
 protocol l2tp
 virtual-template 1
no l2tp tunnel authentication
!
username ppptest password 7 15021B1C102F3830
!
!
crypto keyring L2TP_IPSec
 pre-shared-key address 0.0.0.0 0.0.0.0 key IPsec
!
crypto isakmp policy 60
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 30
!
crypto ipsec transform-set 3DES_SHA_tr esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map L2TP_IPSec 1
set nat demux
set transform-set 3DES_SHA_tr
!
crypto map OUTSIDE 65535 ipsec-isakmp dynamic L2TP_IPSec
!
interface Loopback1
ip address 10.2.1.1 255.255.255.255
!
interface GigabitEthernet1.96
encapsulation dot1Q 96
ip address x.x.x.94 255.255.255.0
crypto map OUTSIDE
!
interface Virtual-Template1
mtu 1400
ip unnumbered Loopback1
no ip redirects
ip tcp adjust-mss 1360
peer default ip address pool ppp_pool
no snmp trap link-status
no keepalive
ppp authentication ms-chap-v2 callin
ppp link reorders
ppp timeout retry 10
!
ip local pool ppp_pool 10.2.0.1 10.2.0.254
!

 

Debug:

*Jul  8 08:13:03.166: ISAKMP (0): received packet from y.y.y.42 dport 500 sport 55156 Global (N) NEW SA
*Jul  8 08:13:03.166: ISAKMP: Created a peer struct for y.y.y.42, peer port 55156
*Jul  8 08:13:03.166: ISAKMP: New peer created peer = 0x7FBD8F18E860 peer_handle = 0x80000012
*Jul  8 08:13:03.166: ISAKMP: Locking peer struct 0x7FBD8F18E860, refcount 1 for crypto_isakmp_process_block
*Jul  8 08:13:03.166: ISAKMP: local port 500, remote port 55156
*Jul  8 08:13:03.166: ISAKMP:(0):insert sa successfully sa = 7FBD945C0B50
*Jul  8 08:13:03.166: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul  8 08:13:03.166: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Jul  8 08:13:03.166: ISAKMP:(0): processing SA payload. message ID = 0
*Jul  8 08:13:03.166: ISAKMP:(0): processing vendor id payload
*Jul  8 08:13:03.166: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul  8 08:13:03.166: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul  8 08:13:03.166: ISAKMP:(0): processing vendor id payload
*Jul  8 08:13:03.166: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jul  8 08:13:03.166: ISAKMP:(0): processing vendor id payload
*Jul  8 08:13:03.166: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul  8 08:13:03.166: ISAKMP:(0): vendor ID is NAT-T v2
*Jul  8 08:13:03.166: ISAKMP:(0): processing vendor id payload
*Jul  8 08:13:03.166: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*Jul  8 08:13:03.166: ISAKMP:(0): processing vendor id payload
*Jul  8 08:13:03.166: ISAKMP:(0): processing IKE frag vendor id payload
*Jul  8 08:13:03.166: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jul  8 08:13:03.166: ISAKMP:(0): processing vendor id payload
*Jul  8 08:13:03.166: ISAKMP:(0): vendor ID is DPD
*Jul  8 08:13:03.166: ISAKMP:(0):found peer pre-shared key matching y.y.y.42
*Jul  8 08:13:03.166: ISAKMP:(0): local preshared key found
*Jul  8 08:13:03.166: ISAKMP : Scanning profiles for xauth ...
*Jul  8 08:13:03.166: ISAKMP:(0):Checking ISAKMP transform 1 against priority 60 policy
*Jul  8 08:13:03.166: ISAKMP:      life type in seconds
*Jul  8 08:13:03.166: ISAKMP:      life duration (basic) of 28800
*Jul  8 08:13:03.166: ISAKMP:      encryption AES-CBC
*Jul  8 08:13:03.166: ISAKMP:      keylength of 256
*Jul  8 08:13:03.166: ISAKMP:      auth pre-share
*Jul  8 08:13:03.166: ISAKMP:      hash SHA
*Jul  8 08:13:03.166: ISAKMP:      default group 2
*Jul  8 08:13:03.166: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul  8 08:13:03.166: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul  8 08:13:03.166: ISAKMP:(0):Checking ISAKMP transform 2 against priority 60 policy
*Jul  8 08:13:03.166: ISAKMP:      life type in seconds
*Jul  8 08:13:03.166: ISAKMP:      life duration (basic) of 28800
*Jul  8 08:13:03.166: ISAKMP:      encryption AES-CBC
*Jul  8 08:13:03.166: ISAKMP:      keylength of 256
*Jul  8 08:13:03.166: ISAKMP:      auth pre-share
*Jul  8 08:13:03.166: ISAKMP:      hash MD5
*Jul  8 08:13:03.166: ISAKMP:      default group 2
*Jul  8 08:13:03.166: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul  8 08:13:03.166: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul  8 08:13:03.166: ISAKMP:(0):Checking ISAKMP transform 3 against priority 60 policy
*Jul  8 08:13:03.166: ISAKMP:      life type in seconds
*Jul  8 08:13:03.166: ISAKMP:      life duration (basic) of 28800
*Jul  8 08:13:03.166: ISAKMP:      encryption AES-CBC
*Jul  8 08:13:03.166: ISAKMP:      keylength of 128
*Jul  8 08:13:03.166: ISAKMP:      auth pre-share
*Jul  8 08:13:03.166: ISAKMP:      hash SHA
*Jul  8 08:13:03.166: ISAKMP:      default group 2
*Jul  8 08:13:03.166: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul  8 08:13:03.166: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul  8 08:13:03.166: ISAKMP:(0):Checking ISAKMP transform 4 against priority 60 policy
*Jul  8 08:13:03.166: ISAKMP:      life type in seconds
*Jul  8 08:13:03.166: ISAKMP:      life duration (basic) of 28800
*Jul  8 08:13:03.166: ISAKMP:      encryption AES-CBC
*Jul  8 08:13:03.166: ISAKMP:      keylength of 128
*Jul  8 08:13:03.166: ISAKMP:      auth pre-share
*Jul  8 08:13:03.166: ISAKMP:      hash MD5
*Jul  8 08:13:03.166: ISAKMP:      default group 2
*Jul  8 08:13:03.166: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul  8 08:13:03.166: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul  8 08:13:03.166: ISAKMP:(0):Checking ISAKMP transform 5 against priority 60 policy
*Jul  8 08:13:03.166: ISAKMP:      life type in seconds
*Jul  8 08:13:03.166: ISAKMP:      life duration (basic) of 28800
*Jul  8 08:13:03.166: ISAKMP:      encryption 3DES-CBC
*Jul  8 08:13:03.166: ISAKMP:      auth pre-share
*Jul  8 08:13:03.166: ISAKMP:      hash SHA
*Jul  8 08:13:03.166: ISAKMP:      default group 2
*Jul  8 08:13:03.166: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jul  8 08:13:03.166: ISAKMP:(0):Acceptable atts:actual life: 86400
*Jul  8 08:13:03.166: ISAKMP:(0):Acceptable atts:life: 0
*Jul  8 08:13:03.166: ISAKMP:(0):Basic life_in_seconds:28800
*Jul  8 08:13:03.166: ISAKMP:(0):Returning Actual lifetime: 28800
*Jul  8 08:13:03.166: ISAKMP:(0)::Started lifetime timer: 28800.

*Jul  8 08:13:03.167: ISAKMP:(0): processing vendor id payload
*Jul  8 08:13:03.167: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul  8 08:13:03.167: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul  8 08:13:03.167: ISAKMP:(0): processing vendor id payload
*Jul  8 08:13:03.167: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jul  8 08:13:03.167: ISAKMP:(0): processing vendor id payload
*Jul  8 08:13:03.167: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul  8 08:13:03.167: ISAKMP:(0): vendor ID is NAT-T v2
*Jul  8 08:13:03.167: ISAKMP:(0): processing vendor id payload
*Jul  8 08:13:03.167: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*Jul  8 08:13:03.167: ISAKMP:(0): processing vendor id payload
*Jul  8 08:13:03.167: ISAKMP:(0): processing IKE frag vendor id payload
*Jul  8 08:13:03.167: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jul  8 08:13:03.167: ISAKMP:(0): processing vendor id payload
*Jul  8 08:13:03.167: ISAKMP:(0): vendor ID is DPD
*Jul  8 08:13:03.167: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul  8 08:13:03.167: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Jul  8 08:13:03.167: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jul  8 08:13:03.167: ISAKMP:(0): sending packet to y.y.y.42 my_port 500 peer_port 55156 (R) MM_SA_SETUP
*Jul  8 08:13:03.167: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul  8 08:13:03.167: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul  8 08:13:03.167: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Jul  8 08:13:03.284: ISAKMP (0): received packet from y.y.y.42 dport 500 sport 55156 Global (R) MM_SA_SETUP
*Jul  8 08:13:03.284: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul  8 08:13:03.284: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Jul  8 08:13:03.284: ISAKMP:(0): processing KE payload. message ID = 0
*Jul  8 08:13:03.285: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul  8 08:13:03.285: ISAKMP:(0):found peer pre-shared key matching y.y.y.42
*Jul  8 08:13:03.285: ISAKMP:received payload type 20
*Jul  8 08:13:03.285: ISAKMP (1022): His hash no match - this node outside NAT
*Jul  8 08:13:03.285: ISAKMP:received payload type 20
*Jul  8 08:13:03.285: ISAKMP (1022): His hash no match - this node outside NAT
*Jul  8 08:13:03.285: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul  8 08:13:03.285: ISAKMP:(1022):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Jul  8 08:13:03.285: ISAKMP:(1022): sending packet to y.y.y.42 my_port 500 peer_port 55156 (R) MM_KEY_EXCH
*Jul  8 08:13:03.285: ISAKMP:(1022):Sending an IKE IPv4 Packet.
*Jul  8 08:13:03.285: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul  8 08:13:03.285: ISAKMP:(1022):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Jul  8 08:13:03.372: ISAKMP (1022): received packet from y.y.y.42 dport 4500 sport 9292 Global (R) MM_KEY_EXCH
*Jul  8 08:13:03.372: ISAKMP:(1022):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul  8 08:13:03.372: ISAKMP:(1022):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Jul  8 08:13:03.372: ISAKMP:(1022): processing ID payload. message ID = 0
*Jul  8 08:13:03.372: ISAKMP (1022): ID payload
       next-payload : 8
       type         : 1
       address      : 10.66.50.27
       protocol     : 17
       port         : 500
       length       : 12
*Jul  8 08:13:03.372: ISAKMP:(0):: peer matches *none* of the profiles
*Jul  8 08:13:03.372: ISAKMP:(1022): processing HASH payload. message ID = 0
*Jul  8 08:13:03.372: ISAKMP:(1022):SA authentication status:
       authenticated
*Jul  8 08:13:03.372: ISAKMP:(1022):SA has been authenticated with y.y.y.42
*Jul  8 08:13:03.372: ISAKMP:(1022):Detected port floating to port = 9292
*Jul  8 08:13:03.372: ISAKMP: Trying to insert a peer x.x.x.94/y.y.y.42/9292/,  and inserted successfully 7FBD8F18E860.
*Jul  8 08:13:03.373: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul  8 08:13:03.373: ISAKMP:(1022):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Jul  8 08:13:03.373: ISAKMP:(1022):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul  8 08:13:03.373: ISAKMP (1022): ID payload
       next-payload : 8
       type         : 1
       address      : x.x.x.94
       protocol     : 17
       port         : 0
       length       : 12
*Jul  8 08:13:03.373: ISAKMP:(1022):Total payload length: 12
*Jul  8 08:13:03.373: ISAKMP:(1022): sending packet to y.y.y.42 my_port 4500 peer_port 9292 (R) MM_KEY_EXCH
*Jul  8 08:13:03.373: ISAKMP:(1022):Sending an IKE IPv4 Packet.
*Jul  8 08:13:03.373: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul  8 08:13:03.373: ISAKMP:(1022):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Jul  8 08:13:03.373: ISAKMP:(1022):IKE_DPD is enabled, initializing timers
*Jul  8 08:13:03.373: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul  8 08:13:03.373: ISAKMP:(1022):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul  8 08:13:03.452: ISAKMP (1022): received packet from y.y.y.42 dport 4500 sport 9292 Global (R) QM_IDLE
*Jul  8 08:13:03.452: ISAKMP: set new node 2839478968 to QM_IDLE
*Jul  8 08:13:03.452: ISAKMP:(1022): processing HASH payload. message ID = 2839478968
*Jul  8 08:13:03.452: ISAKMP:(1022): processing NOTIFY INITIAL_CONTACT protocol 1
       spi 0, message ID = 2839478968, sa = 0x7FBD945C0B50
*Jul  8 08:13:03.452: ISAKMP:(1022):SA authentication status:
       authenticated
*Jul  8 08:13:03.452: ISAKMP:(1022): Process initial contact,
bring down existing phase 1 and 2 SA's with local x.x.x.94 remote y.y.y.42 remote port 9292
*Jul  8 08:13:03.452: ISAKMP:(1022):deleting node 2839478968 error FALSE reason "Informational (in) state 1"
*Jul  8 08:13:03.452: ISAKMP:(1022):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul  8 08:13:03.452: ISAKMP:(1022):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul  8 08:13:03.452: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul  8 08:13:04.546: ISAKMP (1022): received packet from y.y.y.42 dport 4500 sport 9292 Global (R) QM_IDLE
*Jul  8 08:13:04.546: ISAKMP: set new node 3271697679 to QM_IDLE
*Jul  8 08:13:04.546: ISAKMP:(1022): processing HASH payload. message ID = 3271697679
*Jul  8 08:13:04.546: ISAKMP:(1022): processing SA payload. message ID = 3271697679
*Jul  8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul  8 08:13:04.546: ISAKMP: transform 1, ESP_AES
*Jul  8 08:13:04.546: ISAKMP:   attributes in transform:
*Jul  8 08:13:04.546: ISAKMP:      SA life type in seconds
*Jul  8 08:13:04.546: ISAKMP:      SA life duration (basic) of 28800
*Jul  8 08:13:04.546: ISAKMP:      encaps is 4 (Transport-UDP)
*Jul  8 08:13:04.546: ISAKMP:      key length is 256
*Jul  8 08:13:04.546: ISAKMP:      authenticator is HMAC-SHA
*Jul  8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul  8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul  8 08:13:04.546: ISAKMP: transform 2, ESP_AES
*Jul  8 08:13:04.546: ISAKMP:   attributes in transform:
*Jul  8 08:13:04.546: ISAKMP:      SA life type in seconds
*Jul  8 08:13:04.546: ISAKMP:      SA life duration (basic) of 28800
*Jul  8 08:13:04.546: ISAKMP:      encaps is 4 (Transport-UDP)
*Jul  8 08:13:04.546: ISAKMP:      key length is 256
*Jul  8 08:13:04.546: ISAKMP:      authenticator is HMAC-MD5
*Jul  8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul  8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul  8 08:13:04.546: ISAKMP: transform 3, ESP_AES
*Jul  8 08:13:04.546: ISAKMP:   attributes in transform:
*Jul  8 08:13:04.546: ISAKMP:      SA life type in seconds
*Jul  8 08:13:04.546: ISAKMP:      SA life duration (basic) of 28800
*Jul  8 08:13:04.546: ISAKMP:      encaps is 4 (Transport-UDP)
*Jul  8 08:13:04.546: ISAKMP:      key length is 128
*Jul  8 08:13:04.546: ISAKMP:      authenticator is HMAC-SHA
*Jul  8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul  8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul  8 08:13:04.546: ISAKMP: transform 4, ESP_AES
*Jul  8 08:13:04.546: ISAKMP:   attributes in transform:
*Jul  8 08:13:04.546: ISAKMP:      SA life type in seconds
*Jul  8 08:13:04.546: ISAKMP:      SA life duration (basic) of 28800
*Jul  8 08:13:04.546: ISAKMP:      encaps is 4 (Transport-UDP)
*Jul  8 08:13:04.546: ISAKMP:      key length is 128
*Jul  8 08:13:04.546: ISAKMP:      authenticator is HMAC-MD5
*Jul  8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul  8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul  8 08:13:04.546: ISAKMP: transform 5, ESP_3DES
*Jul  8 08:13:04.546: ISAKMP:   attributes in transform:
*Jul  8 08:13:04.546: ISAKMP:      SA life type in seconds
*Jul  8 08:13:04.546: ISAKMP:      SA life duration (basic) of 28800
*Jul  8 08:13:04.546: ISAKMP:      encaps is 4 (Transport-UDP)
*Jul  8 08:13:04.546: ISAKMP:      authenticator is HMAC-SHA
*Jul  8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul  8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul  8 08:13:04.546: ISAKMP: transform 6, ESP_3DES
*Jul  8 08:13:04.546: ISAKMP:   attributes in transform:
*Jul  8 08:13:04.546: ISAKMP:      SA life type in seconds
*Jul  8 08:13:04.546: ISAKMP:      SA life duration (basic) of 28800
*Jul  8 08:13:04.546: ISAKMP:      encaps is 4 (Transport-UDP)
*Jul  8 08:13:04.546: ISAKMP:      authenticator is HMAC-MD5
*Jul  8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul  8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul  8 08:13:04.546: ISAKMP: transform 7, ESP_DES
*Jul  8 08:13:04.546: ISAKMP:   attributes in transform:
*Jul  8 08:13:04.546: ISAKMP:      SA life type in seconds
*Jul  8 08:13:04.546: ISAKMP:      SA life duration (basic) of 28800
*Jul  8 08:13:04.546: ISAKMP:      encaps is 4 (Transport-UDP)
*Jul  8 08:13:04.546: ISAKMP:      authenticator is HMAC-SHA
*Jul  8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul  8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul  8 08:13:04.546: ISAKMP: transform 8, ESP_DES
*Jul  8 08:13:04.546: ISAKMP:   attributes in transform:
*Jul  8 08:13:04.546: ISAKMP:      SA life type in seconds
*Jul  8 08:13:04.546: ISAKMP:      SA life duration (basic) of 28800
*Jul  8 08:13:04.546: ISAKMP:      encaps is 4 (Transport-UDP)
*Jul  8 08:13:04.546: ISAKMP:      authenticator is HMAC-MD5
*Jul  8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul  8 08:13:04.546: IPSEC(validate_proposal_request): proposal part #1
*Jul  8 08:13:04.546: IPSEC(validate_proposal_request): proposal part #1,
 (key eng. msg.) INBOUND local= x.x.x.94:0, remote= y.y.y.42:0,
   local_proxy= x.x.x.94/255.255.255.255/17/1701,
   remote_proxy= y.y.y.42/255.255.255.255/17/0,
   protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Transport-UDP),
   lifedur= 0s and 0kb,
   spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jul  8 08:13:04.546: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
   {esp-aes 256 esp-sha-hmac }
*Jul  8 08:13:04.546: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Jul  8 08:13:04.548: IPSEC(validate_proposal_request): proposal part #1
*Jul  8 08:13:04.548: IPSEC(validate_proposal_request): proposal part #1,
 (key eng. msg.) INBOUND local= x.x.x.94:0, remote= y.y.y.42:0,
   local_proxy= x.x.x.94/255.255.255.255/17/1701,
   remote_proxy= y.y.y.42/255.255.255.255/17/0,
   protocol= ESP, transform= esp-aes 256 esp-md5-hmac  (Transport-UDP),
   lifedur= 0s and 0kb,
   spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jul  8 08:13:04.548: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
   {esp-aes 256 esp-md5-hmac }
*Jul  8 08:13:04.548: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Jul  8 08:13:04.549: IPSEC(validate_proposal_request): proposal part #1
*Jul  8 08:13:04.549: IPSEC(validate_proposal_request): proposal part #1,
 (key eng. msg.) INBOUND local= x.x.x.94:0, remote= y.y.y.42:0,
   local_proxy= x.x.x.94/255.255.255.255/17/1701,
   remote_proxy= y.y.y.42/255.255.255.255/17/0,
   protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport-UDP),
   lifedur= 0s and 0kb,
   spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul  8 08:13:04.549: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
   {esp-aes esp-sha-hmac }
*Jul  8 08:13:04.549: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Jul  8 08:13:04.550: IPSEC(validate_proposal_request): proposal part #1
*Jul  8 08:13:04.550: IPSEC(validate_proposal_request): proposal part #1,
 (key eng. msg.) INBOUND local= x.x.x.94:0, remote= y.y.y.42:0,
   local_proxy= x.x.x.94/255.255.255.255/17/1701,
   remote_proxy= y.y.y.42/255.255.255.255/17/0,
   protocol= ESP, transform= esp-aes esp-md5-hmac  (Transport-UDP),
   lifedur= 0s and 0kb,
   spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul  8 08:13:04.550: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
   {esp-aes esp-md5-hmac }
*Jul  8 08:13:04.550: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Jul  8 08:13:04.551: IPSEC(validate_proposal_request): proposal part #1
*Jul  8 08:13:04.551: IPSEC(validate_proposal_request): proposal part #1,
 (key eng. msg.) INBOUND local= x.x.x.94:0, remote= y.y.y.42:0,
   local_proxy= x.x.x.94/255.255.255.255/17/1701,
   remote_proxy= y.y.y.42/255.255.255.255/17/0,
   protocol= ESP, transform= esp-3des esp-sha-hmac  (Transport-UDP),
   lifedur= 0s and 0kb,
   spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul  8 08:13:04.552: (ipsec_process_proposal)Map Accepted: L2TP_IPSec, 1
*Jul  8 08:13:04.552: ISAKMP:(1022): processing NONCE payload. message ID = 3271697679
*Jul  8 08:13:04.552: ISAKMP:(1022): processing ID payload. message ID = 3271697679
*Jul  8 08:13:04.552: ISAKMP:(1022): processing ID payload. message ID = 3271697679
*Jul  8 08:13:04.552: ISAKMP:(1022):QM Responder gets spi
*Jul  8 08:13:04.552: ISAKMP:(1022):Node 3271697679, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul  8 08:13:04.552: ISAKMP:(1022):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Jul  8 08:13:04.552: ISAKMP:(1022):Node 3271697679, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jul  8 08:13:04.552: ISAKMP:(1022):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Jul  8 08:13:04.552: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul  8 08:13:04.552: IPSEC(crypto_ipsec_create_ipsec_sas): Map found L2TP_IPSec, 1
*Jul  8 08:13:04.552: IPSEC(create_sa): sa created,
 (sa) sa_dest= x.x.x.94, sa_proto= 50,
   sa_spi= 0x61288C6B(1630047339),
   sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2037
   sa_lifetime(k/sec)= (4608000/3600),
 (identity) local= x.x.x.94:0, remote= y.y.y.42:0,
   local_proxy= x.x.x.94/255.255.255.255/17/1701,
   remote_proxy= y.y.y.42/255.255.255.255/17/9292
*Jul  8 08:13:04.552: IPSEC(create_sa): sa created,
 (sa) sa_dest= y.y.y.42, sa_proto= 50,
   sa_spi= 0xB3DC591(188597649),
   sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2038
   sa_lifetime(k/sec)= (4608000/3600),
 (identity) local= x.x.x.94:0, remote= y.y.y.42:0,
   local_proxy= x.x.x.94/255.255.255.255/17/1701,
   remote_proxy= y.y.y.42/255.255.255.255/17/9292
*Jul  8 08:13:04.615:  ISAKMP: Failed to find peer index node to update peer_info_list
*Jul  8 08:13:04.616: ISAKMP:(1022):Received IPSec Install callback... proceeding with the negotiation
*Jul  8 08:13:04.616: ISAKMP:(1022):Successfully installed IPSEC SA (SPI:0x61288C6B) on GigabitEthernet1.96
*Jul  8 08:13:04.616: ISAKMP:(1022): sending packet to y.y.y.42 my_port 4500 peer_port 9292 (R) QM_IDLE
*Jul  8 08:13:04.616: ISAKMP:(1022):Sending an IKE IPv4 Packet.
*Jul  8 08:13:04.616: ISAKMP:(1022):Node 3271697679, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Jul  8 08:13:04.616: ISAKMP:(1022):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
*Jul  8 08:13:04.666: ISAKMP (1022): received packet from y.y.y.42 dport 4500 sport 9292 Global (R) QM_IDLE
*Jul  8 08:13:04.666: ISAKMP:(1022):deleting node 3271697679 error FALSE reason "QM done (await)"
*Jul  8 08:13:04.666: ISAKMP:(1022):Node 3271697679, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul  8 08:13:04.666: ISAKMP:(1022):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Jul  8 08:13:04.666: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul  8 08:13:04.666: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jul  8 08:13:06.688: L2TP       _____:________: L2TP: Parse IETF AVP 2, len 8, flag 0x8000 (M)
*Jul  8 08:13:06.688: L2TP       _____:________: L2TP: Parse IETF AVP 7, len 15, flag 0x8000 (M)
*Jul  8 08:13:06.688: L2TP       _____:________: L2TP: Parse IETF AVP 3, len 10, flag 0x8000 (M)
*Jul  8 08:13:06.688: L2TP       _____:________: L2TP: Parse IETF AVP 9, len 8, flag 0x8000 (M)
*Jul  8 08:13:06.688: L2TP       _____:________: L2TP: Parse IETF AVP 10, len 8, flag 0x8000 (M)
*Jul  8 08:13:06.688: L2TP       _____:________: No missing AVPs in SCCRQ
*Jul  8 08:13:06.688: L2TP       _____:________:
*Jul  8 08:13:06.688: L2TP       _____:________: Rx SCCRQ, flg TLS, ver 2, len 69
*Jul  8 08:13:06.688: L2TP       _____:________:   tnl 0, ns 0, nr 0
*Jul  8 08:13:06.688: L2TP       _____:________:  IETF v2:
*Jul  8 08:13:06.688: L2TP       _____:________:   Protocol Version  1, Revision 0
*Jul  8 08:13:06.688: L2TP       _____:________:   Framing Cap       both(0x3)
*Jul  8 08:13:06.688: L2TP       _____:________:   Hostname           "
*Jul  8 08:13:06.688: L2TP       _____:________:   Hostname           "anonymous"
*Jul  8 08:13:06.688: L2TP       _____:________:   Assigned Tunnel I 0x000030AA (12458)
*Jul  8 08:13:06.688: L2TP       _____:________:   Recv Window Size  1
*Jul  8 08:13:06.688: L2TP       _____:________:
*Jul  8 08:13:06.688: contiguous pak, size 69
        C8 02 00 45 00 00 00 00 00 00 00 00 80 08 00 00
        00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00
        00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00
        03 00 00 00 03 80 08 00 00 00 09 30 AA 80 08 00
        00 00 0A 00 01
*Jul  8 08:13:06.688: VPDN L2X: ADD class AAA author, group "VPN" (group VPN)
*Jul  8 08:13:06.688: L2TP tnl   08083:00008F3B: Auth glob Overall Ignored, 93
*Jul  8 08:13:06.688: L2TP tnl   08083:00008F3B:
*Jul  8 08:13:06.688: L2TP tnl   08083:00008F3B: Tx SCCRP to anonymous tnl 12458
*Jul  8 08:13:06.688: L2TP tnl   08083:00008F3B:  IETF v2:
*Jul  8 08:13:06.688: L2TP tnl   08083:00008F3B:   Protocol Version  1, Revision 0
*Jul  8 08:13:06.688: L2TP tnl   08083:00008F3B:   Framing Cap       none(0x0)
*Jul  8 08:13:06.688: L2TP tnl   08083:00008F3B:   Firmware Ver      0x1130
*Jul  8 08:13:06.688: L2TP tnl   08083:00008F3B:   Hostname           "
*Jul  8 08:13:06.688: L2TP tnl   08083:00008F3B:   Hostname           "router"
*Jul  8 08:13:06.688: L2TP tnl   08083:00008F3B:   Vendor Name
*Jul  8 08:13:06.688: L2TP tnl   08083:00008F3B:      "
*Jul  8 08:13:06.688: L2TP tnl   08083:00008F3B:      "Cisco Systems, Inc."
*Jul  8 08:13:06.689: L2TP tnl   08083:00008F3B:   Assigned Tunnel I 0x00008F3B (36667)
*Jul  8 08:13:06.689: L2TP tnl   08083:00008F3B:   Recv Window Size  1024
*Jul  8 08:13:06.689: L2TP tnl   08083:00008F3B:
*Jul  8 08:13:06.689: L2TP tnl   08083:00008F3B: O SCCRP 12458/0 ns/nr 0/1. cur/max resendQ sz 0/1
*Jul  8 08:13:06.689: L2TP tnl   08083:00008F3B: Tx SCCRP, flg TLS, ver 2, len 99
*Jul  8 08:13:06.689: L2TP tnl   08083:00008F3B:   tnl 12458, ns 0, nr 1
*Jul  8 08:13:06.689: contiguous pak, size 99
        C8 02 00 63 30 AA 00 00 00 00 00 01 80 08 00 00
        00 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 00
        00 03 00 00 00 00 00 08 00 00 00 06 11 30 80 0C
        00 00 00 07 72 6F 75 74 65 72 00 19 00 00 00 08
        43 69 73 63 6F 20 53 79 73 74 65 6D 73 2C 20 49
        6E 63 2E 80 08 00 00 00 09 8F 3B 80 08 00 00 00
        0A 04 00
*Jul  8 08:13:08.594: L2TP       _____:________: L2TP: Parse IETF AVP 2, len 8, flag 0x8000 (M)
*Jul  8 08:13:08.594: L2TP       _____:________: L2TP: Parse IETF AVP 7, len 15, flag 0x8000 (M)
*Jul  8 08:13:08.594: L2TP       _____:________: L2TP: Parse IETF AVP 3, len 10, flag 0x8000 (M)
*Jul  8 08:13:08.594: L2TP       _____:________: L2TP: Parse IETF AVP 9, len 8, flag 0x8000 (M)
*Jul  8 08:13:08.594: L2TP       _____:________: L2TP: Parse IETF AVP 10, len 8, flag 0x8000 (M)
*Jul  8 08:13:08.594: L2TP       _____:________: No missing AVPs in SCCRQ
*Jul  8 08:13:08.594: L2TP       _____:________:
*Jul  8 08:13:08.594: L2TP       _____:________: Rx SCCRQ, flg TLS, ver 2, len 69
*Jul  8 08:13:08.594: L2TP       _____:________:   tnl 0, ns 0, nr 0
*Jul  8 08:13:08.594: L2TP       _____:________:  IETF v2:
*Jul  8 08:13:08.594: L2TP       _____:________:   Protocol Version  1, Revision 0
*Jul  8 08:13:08.594: L2TP       _____:________:   Framing Cap       both(0x3)
*Jul  8 08:13:08.594: L2TP       _____:________:   Hostname           "
*Jul  8 08:13:08.594: L2TP       _____:________:   Hostname           "anonymous"
*Jul  8 08:13:08.594: L2TP       _____:________:   Assigned Tunnel I 0x000030AA (12458)
*Jul  8 08:13:08.594: L2TP       _____:________:   Recv Window Size  1
*Jul  8 08:13:08.594: L2TP       _____:________:
*Jul  8 08:13:08.594: contiguous pak, size 69
        C8 02 00 45 00 00 00 00 00 00 00 00 80 08 00 00
        00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00
        00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00
        03 00 00 00 03 80 08 00 00 00 09 30 AA 80 08 00
        00 00 0A 00 01
*Jul  8 08:13:08.594: L2TP       _____:________: SCCRQ: processing failed: Tunnel exists, must be a duplicate SCCRQ
*Jul  8 08:13:08.594: L2TP       _____:________: SCCRQ: dropping packet
*Jul  8 08:13:08.594: contiguous pak, size 69
        C8 02 00 45 00 00 00 00 00 00 00 00 80 08 00 00
        00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00
        00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00
        03 00 00 00 03 80 08 00 00 00 09 30 AA 80 08 00
        00 00 0A 00 01

Edited by ShyLion
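The two L2TP control messages in the debug above (the Android client's SCCRQ and the router's SCCRP) can be decoded straight from their hex dumps. The parser below is an added example, not code from this thread or from Cisco: it implements the L2TPv2 control header and AVP layout from RFC 2661, embeds the two dumps verbatim from the post, and lets you check the decoding against the router's own "Parse IETF AVP", "Rx SCCRQ" and "Tx SCCRP" lines, including the length and mandatory-bit checks a receiver has to make on untrusted UDP/1701 input.

```python
import struct

# Hex dumps copied from the debug output in the post above
# ("contiguous pak, size 69" and "contiguous pak, size 99").
SCCRQ_HEX = """
C8 02 00 45 00 00 00 00 00 00 00 00 80 08 00 00
00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00
00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00
03 00 00 00 03 80 08 00 00 00 09 30 AA 80 08 00
00 00 0A 00 01
"""
SCCRP_HEX = """
C8 02 00 63 30 AA 00 00 00 00 00 01 80 08 00 00
00 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 00
00 03 00 00 00 00 00 08 00 00 00 06 11 30 80 0C
00 00 00 07 72 6F 75 74 65 72 00 19 00 00 00 08
43 69 73 63 6F 20 53 79 73 74 65 6D 73 2C 20 49
6E 63 2E 80 08 00 00 00 09 8F 3B 80 08 00 00 00
0A 04 00
"""

# IETF (vendor 0) attribute types from RFC 2661 that occur in the dumps.
AVP_NAMES = {0: "Message Type", 2: "Protocol Version", 3: "Framing Capabilities",
             6: "Firmware Revision", 7: "Host Name", 8: "Vendor Name",
             9: "Assigned Tunnel ID", 10: "Receive Window Size"}
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO"}
STRING_AVPS = {7, 8}


def hex_to_bytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def decode_value(attr_type: int, raw: bytes):
    """Decode an IETF AVP value; unknown layouts are returned as raw bytes."""
    if attr_type in STRING_AVPS:
        return raw.decode("ascii", errors="replace")
    if attr_type == 2 and len(raw) == 2:
        return (raw[0], raw[1])                     # (version, revision)
    if attr_type == 0 and len(raw) == 2:
        code = struct.unpack(">H", raw)[0]
        return MESSAGE_TYPES.get(code, code)
    if len(raw) in (2, 4):
        return int.from_bytes(raw, "big")
    return raw


def parse_control_message(data: bytes) -> dict:
    """Parse an L2TPv2 control message header and its AVP list.

    Every declared length is checked against the packet before it is used,
    so a malformed message raises ValueError instead of being read past.
    """
    if len(data) < 12:
        raise ValueError("packet shorter than an L2TP control header")
    flags_ver = struct.unpack_from(">H", data, 0)[0]
    if not flags_ver & 0x8000:
        raise ValueError("T bit clear: data message, not a control message")
    if flags_ver & 0x000F != 2:
        raise ValueError("unsupported L2TP version %d" % (flags_ver & 0xF))
    # Control messages must carry the Length (L) and Sequence (S) fields.
    if not (flags_ver & 0x4000 and flags_ver & 0x0800):
        raise ValueError("control message without L or S bit")
    length, tunnel_id, session_id, ns, nr = struct.unpack_from(">HHHHH", data, 2)
    if length != len(data):
        raise ValueError("length field %d != packet size %d" % (length, len(data)))

    avps, avp_list, offset = {}, [], 12
    while offset < length:
        if offset + 6 > length:
            raise ValueError("truncated AVP header at offset %d" % offset)
        flags_len, vendor_id, attr_type = struct.unpack_from(">HHH", data, offset)
        mandatory = bool(flags_len & 0x8000)
        hidden = bool(flags_len & 0x4000)
        avp_len = flags_len & 0x03FF
        if avp_len < 6 or offset + avp_len > length:
            raise ValueError("bad AVP length %d at offset %d" % (avp_len, offset))
        raw = data[offset + 6:offset + avp_len]
        # Hidden AVPs need the tunnel secret to decode; the config above
        # disables tunnel authentication, so they are reported raw.
        if vendor_id == 0 and not hidden:
            name, value = AVP_NAMES.get(attr_type, "Attr %d" % attr_type), decode_value(attr_type, raw)
        else:
            name, value = "Vendor %d attr %d" % (vendor_id, attr_type), raw
        avps[name] = value
        avp_list.append((attr_type, avp_len, mandatory))
        offset += avp_len

    return {"length": length, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "message_type": avps.get("Message Type"),
            "avps": avps, "avp_list": avp_list}


if __name__ == "__main__":
    for label, dump in (("Rx SCCRQ", SCCRQ_HEX), ("Tx SCCRP", SCCRP_HEX)):
        msg = parse_control_message(hex_to_bytes(dump))
        print(label, "tnl %d ns %d nr %d" % (msg["tunnel_id"], msg["ns"], msg["nr"]))
        for name, value in msg["avps"].items():
            print("   %-22s %r" % (name, value))
```

Running it reproduces the debug: the SCCRQ carries tunnel ID 0x30AA, framing capabilities 0x3 and receive window 1, and the SCCRP answers with tunnel 0x8F3B, Nr 1, framing capabilities 0x0 and window 1024. The SCCRQ dumped again at 08:13:08 is byte-for-byte the same message (Ns 0, same tunnel ID), which is why the router logs it as a duplicate rather than as the next step of the tunnel setup.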


PPTP from Android connects fine both to a Cisco 7206 and to mpd5. That's how I get onto the work network from my phone.


PPTP from Android connects fine both to a Cisco 7206 and to mpd5. That's how I get onto the work network from my phone.

That's great. Same with a 3945. The problem is only with the ASR1000 (more precisely a CSR1000V, but everything there is the same as on the ASR).

Neither the ASR1000 nor the CSR1000V supports PPTP.

Edited by ShyLion


On a hardware router running asr1002x-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin the picture is the same.

What bothers me is:

Jul  8 08:13:04.546: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
   {esp-aes 256 esp-sha-hmac }

I'm trying to solve a similar problem in the thread


On a hardware router running asr1002x-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin the picture is the same.

What bothers me is:

Jul  8 08:13:04.546: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
   {esp-aes 256 esp-sha-hmac }

I'm trying to solve a similar problem in the thread

Further down it says:

 

*Jul  8 08:13:04.551: IPSEC(validate_proposal_request): proposal part #1,
 (key eng. msg.) INBOUND local= x.x.x.94:0, remote= y.y.y.42:0,
   local_proxy= x.x.x.94/255.255.255.255/17/1701,
   remote_proxy= y.y.y.42/255.255.255.255/17/0,
   protocol= ESP, transform= esp-3des esp-sha-hmac  (Transport-UDP),
   lifedur= 0s and 0kb,
   spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul  8 08:13:04.552: (ipsec_process_proposal)Map Accepted: L2TP_IPSec, 1

 

Besides, show crypto ipsec sa shows traffic, and tcpdump on both sides shows that for some reason Android stops answering once it gets to the L2TP stage. But only with the ASR; ISR routers work with it perfectly.


As an option, put into

crypto dynamic-map L2TP_IPSec 1
set nat demux
set transform-set 3DES_SHA_tr

an ACL that specifies what to "push" into the tunnel.


As an option, put into

crypto dynamic-map L2TP_IPSec 1
set nat demux
set transform-set 3DES_SHA_tr

an ACL that specifies what to "push" into the tunnel.

As I said, IPsec comes up and works.


I gave up on it. It's not needed for production, and other tasks came up.

By then either the donkey will die or the shah will :)


Try it like this.

no crypto isakmp default policy

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 20
 lifetime 28800
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14

 


6 hours ago, Telesis said:

Try it like this.

no crypto isakmp default policy

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 20
 lifetime 28800
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14

 

The situation hasn't changed.

 

But the problem is not in the isakmp policy, 146% (or at least not in the compatibility of the encryption settings).

ISAKMP policy (if I'm not mistaken) defines the negotiation parameters of IKE phase 1, which creates the tunnel for phase 2. Phase 2, judging by the logs, completes normally: "000593: Mar 12 17:57:36.654: IPSEC(create_sa): sa created,"

 

As proof: an SA gets created.

 

Working association from Win7:

     inbound esp sas:
      spi: 0xE5D2FFA8(3855810472)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2029, flow_id: HW:29, sibling_flags FFFFFFFF80000008, crypto map: OUTSIDE
        sa timing: remaining key lifetime (k/sec): (249905/3531)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0x5A95216C(1519722860)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2030, flow_id: HW:30, sibling_flags FFFFFFFF80000008, crypto map: OUTSIDE
        sa timing: remaining key lifetime (k/sec): (249952/3531)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)


Association from Android:

     inbound esp sas:
      spi: 0x6FFD2576(1878861174)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2027, flow_id: HW:27, sibling_flags FFFFFFFF80000008, crypto map: OUTSIDE
        sa timing: remaining key lifetime (k/sec): (4607998/3460)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0xF79D634(259642932)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2028, flow_id: HW:28, sibling_flags FFFFFFFF80000008, crypto map: OUTSIDE
        sa timing: remaining key lifetime (k/sec): (0/3460)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

 

Here you can see that during association the working and the non-working variants arrived at the same crypto transform. And in general everything looks fine and proper.

But!

a) the L2TP process doesn't start.

b) for some reason the outbound esp sas show "remaining key lifetime=0". I can't figure out what that would mean... Although it should be 4M, as for the inbound association.
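As an added example that is not part of the thread, a Python script that parses `show crypto ipsec sa` listings like the two above and flags what a troubleshooter compares by hand: whether both peers negotiated the same transform and encapsulation per direction, whether every SA is NAT-T (UDP) encapsulated, and any SA whose remaining kilobyte lifetime is already 0. The two embedded listings are constructed from the values posted above, trimmed to the fields the parser reads; the script only reports the discrepancy, it does not claim it is the cause.

```python
import re

# Constructed samples in the layout of `show crypto ipsec sa`, reduced to the
# fields this script reads; the values mirror the two listings posted above.
WIN7_SA = """\
     inbound esp sas:
      spi: 0xE5D2FFA8(3855810472)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        sa timing: remaining key lifetime (k/sec): (249905/3531)
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0x5A95216C(1519722860)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        sa timing: remaining key lifetime (k/sec): (249952/3531)
        Status: ACTIVE(ACTIVE)
"""

ANDROID_SA = """\
     inbound esp sas:
      spi: 0x6FFD2576(1878861174)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        sa timing: remaining key lifetime (k/sec): (4607998/3460)
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0xF79D634(259642932)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        sa timing: remaining key lifetime (k/sec): (0/3460)
        Status: ACTIVE(ACTIVE)
"""

SA_START = re.compile(r"(inbound|outbound) esp sas:")
SPI = re.compile(r"spi: (0x[0-9A-Fa-f]+)")
LIFETIME = re.compile(r"\(k/sec\): \((\d+)/(\d+)\)")


def parse_esp_sas(text):
    """Return one dict per ESP SA: direction, spi, transform, encapsulation,
    remaining kilobytes/seconds and status."""
    sas, direction, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_START.match(line)
        if m:
            direction = m.group(1)
            continue
        m = SPI.match(line)
        if m:
            cur = {"direction": direction, "spi": m.group(1)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        life = LIFETIME.search(line)
        if line.startswith("transform:"):
            cur["transform"] = line[len("transform:"):].strip(" ,")
        elif line.startswith("in use settings"):
            # "{Transport UDP-Encaps, }" -> "Transport UDP-Encaps"
            cur["encaps"] = line.split("{", 1)[1].strip("} ,")
        elif life:
            cur["remaining_kb"] = int(life.group(1))
            cur["remaining_sec"] = int(life.group(2))
        elif line.startswith("Status:"):
            cur["status"] = line.split(":", 1)[1].strip()
    return sas


def check_sas(sas):
    """Flag the conditions worth a second look on a failing L2TP/IPsec peer."""
    findings = []
    for d in ("inbound", "outbound"):
        if not any(s["direction"] == d for s in sas):
            findings.append(f"no {d} SA present")
    for s in sas:
        tag = f"{s['direction']} SA {s['spi']}"
        if s.get("remaining_kb") == 0:
            findings.append(f"{tag}: 0 kB of key lifetime remaining")
        if s.get("status") != "ACTIVE(ACTIVE)":
            findings.append(f"{tag}: status {s.get('status')}")
        if "UDP-Encaps" not in s.get("encaps", ""):
            findings.append(f"{tag}: not NAT-T (UDP) encapsulated")
    transforms = {s.get("transform") for s in sas}
    if len(transforms) > 1:
        findings.append(f"inbound/outbound transforms differ: {sorted(transforms)}")
    return findings


def same_negotiation(sas_a, sas_b):
    """True when two peers negotiated the same transform and encapsulation in
    each direction, i.e. crypto agreement is not what separates them."""
    def shape(sas):
        return {(s["direction"], s.get("transform"), s.get("encaps")) for s in sas}
    return shape(sas_a) == shape(sas_b)


if __name__ == "__main__":
    for name, text in (("Win7", WIN7_SA), ("Android", ANDROID_SA)):
        print(name, check_sas(parse_esp_sas(text)) or ["nothing flagged"])
    print("same negotiation:", same_negotiation(parse_esp_sas(WIN7_SA), parse_esp_sas(ANDROID_SA)))
```

Run against the real output, the script reports "nothing flagged" for the Win7 peer and one finding for the Android peer (the outbound SA with 0 kB remaining), while `same_negotiation` confirms both peers landed on esp-3des esp-sha-hmac in Transport UDP-Encaps mode, which is exactly the point the post makes.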


Decided to add my two cents to the troubleshooting. Ran into an identical problem; it's been a month now of an unequal battle with an ASR 1001 (it has to be configured at any cost, since the company's money has already been spent).

In the end we set up an l2tp/ipsec server on the ASR1001. The Windows client connects (although it doesn't get a private gateway address, but that's beside the point). Android (4.4), iPhone and Mac OS X refuse to, no matter what. Also, judging by the logs, it looks like the hang-up is either in l2tp, or DPD, or NAT-T. The clients connect from behind NAT, while the router itself is not behind NAT, i.e. it has a public IP. Also, by observation, the client (Android) drops the connection earlier than the Cisco does, roughly after these lines:

 

Mar 16 14:36:46.260: ISAKMP: (1034):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Mar 16 14:36:46.260: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 16 14:36:46.260: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Mar 16 14:36:46.260: crypto engine: updating MTU size of IPSec SA HW:54 to 1500 (overhead=58)
Mar 16 14:36:46.260: crypto_engine: Set IPSec MTU

In other words, the Cisco then runs DPD, but the client (Android) no longer responds, since it has already dropped the connection (its status changes from "Connecting" to "Disconnected"), and after that the Cisco starts deleting the SA on timeout.

 

Meanwhile, with Windows, after those same lines the L2TP log starts pouring in, as it should.

 

Can you at least suggest where to dig? I've racked my brains and tried everything; I know many lines in the config may be completely redundant, but in trying to fix it we tried all sorts of variants, intending to clean up afterwards. There's no support contract for the box, so the only hope is the seasoned forum members.

I've started thinking the problem is in the ASR, maybe a bug, maybe something else; what's more, I couldn't find anyone's l2tp/ipsec config specifically for the ASR 1000 series. Could someone share one?

 

Attaching the config and the logs "from start to finish" (with debug enabled for isakmp, ipsec, l2tp all and aaa):

 


version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service unsupported-transceiver
no platform punt-keepalive disable-kernel-core
!
aaa new-model
!
aaa group server radius DC1/DC2
 server name DC1
 server name DC2
 deadtime 15
!
aaa authentication ppp default group DC1/DC2
aaa authorization exec default local
aaa authorization network default group DC1/DC2
aaa accounting network default
 action-type start-stop
 group DC1/DC2
!
aaa session-id common
aaa policy interface-config allow-subinterface
!
ip name-server 192.168.100.14 192.168.100.1

ip domain name nvk.ru
ip dhcp excluded-address 10.25.1.1 10.25.1.10
!
ip dhcp pool L2TP_pool
 import all
 network 10.25.1.0 255.255.255.0
 default-router 10.25.1.1
 dns-server 192.168.100.14 192.168.100.1
 domain-name domain.ru
 lease 3

subscriber templating
!
multilink bundle-name authenticated
vpdn enable
vpdn logging
vpdn logging local
!
vpdn-group L2TP/IPSEC/PPTP
 ! Default L2TP VPDN group
 description L2TP/IPSEC/PPTP
 accept-dialin
  protocol l2tp
  virtual-template 25
 lcp renegotiation always
 no l2tp tunnel authentication
 l2tp ip udp checksum
 ip pmtu
 ip mtu adjust

crypto keyring L2TP_keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key KEY
crypto logging session
crypto logging ezvpn
crypto logging ikev2
!

crypto isakmp policy 90
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 110
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key KEY address 0.0.0.0         no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 5 periodic
crypto isakmp profile L2TP
   keyring L2TP_keyring
   match identity address 0.0.0.0
   keepalive 120 retry 5
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set L2TP_TS1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set L2TP_TS2 esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP_TS3 esp-aes esp-md5-hmac
 mode transport
crypto ipsec transform-set L2TP_TS4 esp-aes esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP_dynmap 100
 set transform-set L2TP_TS4 L2TP_TS3 L2TP_TS2 L2TP_TS1
 set isakmp-profile L2TP
 reverse-route
!
crypto map L2TP_ipsec 100 ipsec-isakmp dynamic L2TP_dynmap
!
interface Loopback25
 description Loopback for VPN ROAD WARRIOR
 ip address 10.25.1.1 255.255.255.0
 zone-member security LAN
 crypto map L2TP_ipsec
!
interface GigabitEthernet0/0/0
 description I WAN
 ip address 89.xx.xx.xx 255.255.255.224
 ip nat outside
 zone-member security IntInform
 negotiation auto
 nat64 enable
 no mop enabled
 crypto map L2TP_ipsec
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description II WAN
 no ip address
 ip nat outside
 zone-member security MagTelecom
 negotiation auto
 nat64 enable
 no mop enabled
 crypto map L2TP_ipsec
 ip virtual-reassembly
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
 nat64 enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/3
 description LAN
 ip address 192.168.0.2 255.255.0.0
 ip nat inside
 zone-member security LAN
 negotiation auto
 nat64 enable
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.0.10 255.255.0.0
 negotiation auto
!
interface Virtual-Template25
 description L2TP IPSEC ROAD WARRIOR
 ip unnumbered Loopback25
 ip mtu 1400
 zone-member security LAN
 ip tcp adjust-mss 1360
 peer default ip address dhcp-pool L2TP_pool
 no keepalive
 ppp mtu adaptive
 ppp authentication pap chap ms-chap ms-chap-v2
 ppp ipcp dns 192.168.100.14 192.168.100.1
 ppp multilink
 
radius server DC1
 address ipv4 192.168.100.1 auth-port 1812 acct-port 1813
 key 7 KEY
!
radius server DC2
 address ipv4 192.168.100.14 auth-port 1812 acct-port 1813
 key 7 KEY

 

 



Mar 16 14:36:44.931: ISAKMP-PAK: (0):received packet from 31.xx.xx.xx dport 500 sport 9868 Global (N) NEW SA
Mar 16 14:36:44.931: ISAKMP: (0):Created a peer struct for 31.xx.xx.xx, peer port 9868
Mar 16 14:36:44.931: ISAKMP: (0):New peer created peer = 0x7F5FED5753D8 peer_handle = 0x8000003A
Mar 16 14:36:44.931: ISAKMP: (0):Locking peer struct 0x7F5FED5753D8, refcount 1 for crypto_isakmp_process_block
Mar 16 14:36:44.931: ISAKMP: (0):local port 500, remote port 9868
Mar 16 14:36:44.931: crypto_engine_select_crypto_engine: can't handle any more
Mar 16 14:36:44.932: ISAKMP: (0):insert sa successfully sa = 7F5FEDD339B0
Mar 16 14:36:44.932: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 16 14:36:44.932: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1

Mar 16 14:36:44.932: ISAKMP: (0):processing SA payload. message ID = 0
Mar 16 14:36:44.932: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Mar 16 14:36:44.932: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Mar 16 14:36:44.932: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID is NAT-T v2
Mar 16 14:36:44.932: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Mar 16 14:36:44.932: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):processing IKE frag vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):Support for IKE Fragmentation not enabled
Mar 16 14:36:44.932: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID is DPD
Mar 16 14:36:44.932: ISAKMP: (0):found peer pre-shared key matching 31.xx.xx.xx
Mar 16 14:36:44.932: ISAKMP: (0):local preshared key found
Mar 16 14:36:44.932: ISAKMP: (0):Scanning profiles for xauth ... L2TP
Mar 16 14:36:44.932: ISAKMP: (0):Checking ISAKMP transform 1 against priority 90 policy
Mar 16 14:36:44.932: ISAKMP: (0):      life type in seconds
Mar 16 14:36:44.932: ISAKMP: (0):      life duration (basic) of 28800
Mar 16 14:36:44.932: ISAKMP: (0):      encryption AES-CBC
Mar 16 14:36:44.932: ISAKMP: (0):      keylength of 256
Mar 16 14:36:44.932: ISAKMP: (0):      auth pre-share
Mar 16 14:36:44.932: ISAKMP: (0):      hash SHA
Mar 16 14:36:44.932: ISAKMP: (0):      default group 2
Mar 16 14:36:44.932: ISAKMP-ERROR: (0):Proposed key length does not match policy
Mar 16 14:36:44.932: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar 16 14:36:44.932: ISAKMP: (0):Checking ISAKMP transform 2 against priority 90 policy
Mar 16 14:36:44.932: ISAKMP: (0):      life type in seconds
Mar 16 14:36:44.932: ISAKMP: (0):      life duration (basic) of 28800
Mar 16 14:36:44.932: ISAKMP: (0):      encryption AES-CBC
Mar 16 14:36:44.932: ISAKMP: (0):      keylength of 256
Mar 16 14:36:44.932: ISAKMP: (0):      auth pre-share
Mar 16 14:36:44.932: ISAKMP: (0):      hash MD5
Mar 16 14:36:44.932: ISAKMP: (0):      default group 2
Mar 16 14:36:44.932: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
Mar 16 14:36:44.932: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar 16 14:36:44.932: ISAKMP: (0):Checking ISAKMP transform 3 against priority 90 policy
Mar 16 14:36:44.932: ISAKMP: (0):      life type in seconds
Mar 16 14:36:44.932: ISAKMP: (0):      life duration (basic) of 28800
Mar 16 14:36:44.932: ISAKMP: (0):      encryption AES-CBC
Mar 16 14:36:44.932: ISAKMP: (0):      keylength of 128
Mar 16 14:36:44.932: ISAKMP: (0):      auth pre-share
Mar 16 14:36:44.932: ISAKMP: (0):      hash SHA
Mar 16 14:36:44.932: ISAKMP: (0):      default group 2
Mar 16 14:36:44.932: ISAKMP: (0):atts are acceptable. Next payload is 3
Mar 16 14:36:44.932: ISAKMP: (0):Acceptable atts:actual life: 86400
Mar 16 14:36:44.932: ISAKMP: (0):Acceptable atts:life: 0
Mar 16 14:36:44.932: ISAKMP: (0):Basic life_in_seconds:28800
Mar 16 14:36:44.932: ISAKMP: (0):Returning Actual lifetime: 28800
Mar 16 14:36:44.932: ISAKMP: (0):Started lifetime timer: 28800.

Mar 16 14:36:44.932: crypto_engine_select_crypto_engine: can't handle any more
Mar 16 14:36:44.932: crypto_engine: Create DH
Mar 16 14:36:44.934: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Mar 16 14:36:44.934: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Mar 16 14:36:44.934: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID is NAT-T v2
Mar 16 14:36:44.934: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Mar 16 14:36:44.934: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):processing IKE frag vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):Support for IKE Fragmentation not enabled
Mar 16 14:36:44.934: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID is DPD
Mar 16 14:36:44.934: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 16 14:36:44.934: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Mar 16 14:36:44.934: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
Mar 16 14:36:44.934: ISAKMP-PAK: (0):sending packet to 31.xx.xx.xx my_port 500 peer_port 9868 (R) MM_SA_SETUP
Mar 16 14:36:44.934: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 16 14:36:44.934: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 16 14:36:44.935: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM2

Mar 16 14:36:45.080: ISAKMP-PAK: (0):received packet from 31.xx.xx.xx dport 500 sport 9868 Global (R) MM_SA_SETUP
Mar 16 14:36:45.080: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 16 14:36:45.080: ISAKMP: (0):Old State = IKE_R_MM2  New State = IKE_R_MM3

Mar 16 14:36:45.080: ISAKMP: (0):processing KE payload. message ID = 0
Mar 16 14:36:45.080: crypto_engine: Create DH shared secret
Mar 16 14:36:45.082: ISAKMP: (0):processing NONCE payload. message ID = 0
Mar 16 14:36:45.082: ISAKMP: (0):found peer pre-shared key matching 31.xx.xx.xx
Mar 16 14:36:45.082: crypto_engine: Create IKE SA
Mar 16 14:36:45.082: crypto engine: deleting DH phase 2 SW:74
Mar 16 14:36:45.082: crypto_engine: Delete DH shared secret
Mar 16 14:36:45.082: ISAKMP: (1034):received payload type 20
Mar 16 14:36:45.082: ISAKMP: (1034):His hash no match - this node outside NAT
Mar 16 14:36:45.082: ISAKMP: (1034):received payload type 20
Mar 16 14:36:45.082: ISAKMP: (1034):His hash no match - this node outside NAT
Mar 16 14:36:45.082: ISAKMP: (1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 16 14:36:45.082: ISAKMP: (1034):Old State = IKE_R_MM3  New State = IKE_R_MM3

Mar 16 14:36:45.082: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 500 peer_port 9868 (R) MM_KEY_EXCH
Mar 16 14:36:45.082: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:36:45.082: ISAKMP: (1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 16 14:36:45.082: ISAKMP: (1034):Old State = IKE_R_MM3  New State = IKE_R_MM4

Mar 16 14:36:45.141: ISAKMP-PAK: (1034):received packet from 31.xx.xx.xx dport 4500 sport 50159 Global (R) MM_KEY_EXCH
Mar 16 14:36:45.141: crypto_engine: Decrypt IKE packet
Mar 16 14:36:45.141: ISAKMP: (1034):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 16 14:36:45.141: ISAKMP: (1034):Old State = IKE_R_MM4  New State = IKE_R_MM5

Mar 16 14:36:45.141: ISAKMP: (1034):processing ID payload. message ID = 0
Mar 16 14:36:45.141: ISAKMP: (1034):ID payload
        next-payload : 8
        type         : 1
Mar 16 14:36:45.141: ISAKMP: (1034):    address      : 10.249.191.92
Mar 16 14:36:45.141: ISAKMP: (1034):    protocol     : 17
        port         : 500
        length       : 12
Mar 16 14:36:45.141: ISAKMP: (0):peer matches L2TP profile
Mar 16 14:36:45.141: ISAKMP: (1034):Found ADDRESS key in keyring L2TP_keyring
Mar 16 14:36:45.141: ISAKMP: (1034):processing HASH payload. message ID = 0
Mar 16 14:36:45.141: crypto_engine: Generate IKE hash
Mar 16 14:36:45.141: ISAKMP: (1034):SA authentication status:
        authenticated
Mar 16 14:36:45.141: ISAKMP: (1034):SA has been authenticated with 31.xx.xx.xx
Mar 16 14:36:45.141: ISAKMP: (1034):Detected port floating to port = 50159
Mar 16 14:36:45.141: ISAKMP: (0):Trying to insert a peer 89.yy.yy.yy/31.xx.xx.xx/50159/,
Mar 16 14:36:45.141: ISAKMP: (0): and inserted successfully 7F5FED5753D8.
Mar 16 14:36:45.143: ISAKMP: (1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 16 14:36:45.143: ISAKMP: (1034):Old State = IKE_R_MM5  New State = IKE_R_MM5

Mar 16 14:36:45.143: ISAKMP: (1034):SA is doing
Mar 16 14:36:45.143: ISAKMP: (1034):pre-shared key authentication using id type ID_IPV4_ADDR
Mar 16 14:36:45.143: ISAKMP: (1034):ID payload
        next-payload : 8
        type         : 1
Mar 16 14:36:45.143: ISAKMP: (1034):    address      : 89.yy.yy.yy
Mar 16 14:36:45.143: ISAKMP: (1034):    protocol     : 17
        port         : 0
        length       : 12
Mar 16 14:36:45.143: ISAKMP: (1034):Total payload length: 12
Mar 16 14:36:45.143: crypto_engine: Generate IKE hash
Mar 16 14:36:45.143: crypto_engine: Encrypt IKE packet
Mar 16 14:36:45.143: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) MM_KEY_EXCH
Mar 16 14:36:45.143: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:36:45.144: ISAKMP: (1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 16 14:36:45.144: ISAKMP: (1034):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Mar 16 14:36:45.144: ISAKMP: (1034):IKE_DPD is enabled, initializing timers
Mar 16 14:36:45.144: ISAKMP: (1034):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 16 14:36:45.144: ISAKMP: (1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar 16 14:36:45.180: ISAKMP-PAK: (1034):received packet from 31.xx.xx.xx dport 4500 sport 50159 Global (R) QM_IDLE
Mar 16 14:36:45.180: ISAKMP: (1034):set new node 3214878306 to QM_IDLE
Mar 16 14:36:45.180: crypto_engine: Decrypt IKE packet
Mar 16 14:36:45.180: crypto_engine: Generate IKE hash
Mar 16 14:36:45.180: ISAKMP: (1034):processing HASH payload. message ID = 3214878306
Mar 16 14:36:45.180: ISAKMP: (1034):processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 3214878306, sa = 0x7F5FEDD339B0
Mar 16 14:36:45.180: ISAKMP: (1034):SA authentication status:
        authenticated
Mar 16 14:36:45.180: ISAKMP: (1034):Process initial contact,
bring down existing phase 1 and 2 SA's with local 89.yy.yy.yy remote 31.xx.xx.xx remote port 50159
Mar 16 14:36:45.180: ISAKMP: (1034):deleting node 3214878306 error FALSE reason "Informational (in) state 1"
Mar 16 14:36:45.180: ISAKMP: (1034):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar 16 14:36:45.180: ISAKMP: (1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar 16 14:36:45.180: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 16 14:36:46.212: ISAKMP-PAK: (1034):received packet from 31.xx.xx.xx dport 4500 sport 50159 Global (R) QM_IDLE
Mar 16 14:36:46.212: ISAKMP: (1034):set new node 2956598744 to QM_IDLE
Mar 16 14:36:46.212: crypto_engine: Decrypt IKE packet
Mar 16 14:36:46.212: crypto_engine: Generate IKE hash
Mar 16 14:36:46.212: ISAKMP: (1034):processing HASH payload. message ID = 2956598744
Mar 16 14:36:46.212: ISAKMP: (1034):processing SA payload. message ID = 2956598744
Mar 16 14:36:46.212: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.212: ISAKMP: (1034):transform 1, ESP_AES
Mar 16 14:36:46.212: ISAKMP: (1034):   attributes in transform:
Mar 16 14:36:46.212: ISAKMP: (1034):      SA life type in seconds
Mar 16 14:36:46.212: ISAKMP: (1034):      SA life duration (basic) of 28800
Mar 16 14:36:46.212: ISAKMP: (1034):      encaps is 4 (Transport-UDP)
Mar 16 14:36:46.212: ISAKMP: (1034):      key length is 256
Mar 16 14:36:46.212: ISAKMP: (1034):      authenticator is HMAC-SHA
Mar 16 14:36:46.212: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.212: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.212: ISAKMP: (1034):transform 2, ESP_AES
Mar 16 14:36:46.212: ISAKMP: (1034):   attributes in transform:
Mar 16 14:36:46.212: ISAKMP: (1034):      SA life type in seconds
Mar 16 14:36:46.212: ISAKMP: (1034):      SA life duration (basic) of 28800
Mar 16 14:36:46.212: ISAKMP: (1034):      encaps is 4 (Transport-UDP)
Mar 16 14:36:46.212: ISAKMP: (1034):      key length is 256
Mar 16 14:36:46.212: ISAKMP: (1034):      authenticator is HMAC-MD5
Mar 16 14:36:46.212: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.212: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.212: ISAKMP: (1034):transform 3, ESP_AES
Mar 16 14:36:46.212: ISAKMP: (1034):   attributes in transform:
Mar 16 14:36:46.212: ISAKMP: (1034):      SA life type in seconds
Mar 16 14:36:46.212: ISAKMP: (1034):      SA life duration (basic) of 28800
Mar 16 14:36:46.212: ISAKMP: (1034):      encaps is 4 (Transport-UDP)
Mar 16 14:36:46.212: ISAKMP: (1034):      key length is 128
Mar 16 14:36:46.212: ISAKMP: (1034):      authenticator is HMAC-SHA
Mar 16 14:36:46.212: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.212: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.212: ISAKMP: (1034):transform 4, ESP_AES
Mar 16 14:36:46.212: ISAKMP: (1034):   attributes in transform:
Mar 16 14:36:46.212: ISAKMP: (1034):      SA life type in seconds
Mar 16 14:36:46.212: ISAKMP: (1034):      SA life duration (basic) of 28800
Mar 16 14:36:46.212: ISAKMP: (1034):      encaps is 4 (Transport-UDP)
Mar 16 14:36:46.212: ISAKMP: (1034):      key length is 128
Mar 16 14:36:46.212: ISAKMP: (1034):      authenticator is HMAC-MD5
Mar 16 14:36:46.212: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.212: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.212: ISAKMP: (1034):transform 5, ESP_3DES
Mar 16 14:36:46.212: ISAKMP: (1034):   attributes in transform:
Mar 16 14:36:46.212: ISAKMP: (1034):      SA life type in seconds
Mar 16 14:36:46.212: ISAKMP: (1034):      SA life duration (basic) of 28800
Mar 16 14:36:46.212: ISAKMP: (1034):      encaps is 4 (Transport-UDP)
Mar 16 14:36:46.212: ISAKMP: (1034):      authenticator is HMAC-SHA
Mar 16 14:36:46.212: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.212: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.212: ISAKMP: (1034):transform 6, ESP_3DES
Mar 16 14:36:46.212: ISAKMP: (1034):   attributes in transform:
Mar 16 14:36:46.212: ISAKMP: (1034):      SA life type in seconds
Mar 16 14:36:46.212: ISAKMP: (1034):      SA life duration (basic) of 28800
Mar 16 14:36:46.213: ISAKMP: (1034):      encaps is 4 (Transport-UDP)
Mar 16 14:36:46.213: ISAKMP: (1034):      authenticator is HMAC-MD5
Mar 16 14:36:46.213: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.213: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.213: ISAKMP: (1034):transform 7, ESP_DES
Mar 16 14:36:46.213: ISAKMP: (1034):   attributes in transform:
Mar 16 14:36:46.213: ISAKMP: (1034):      SA life type in seconds
Mar 16 14:36:46.213: ISAKMP: (1034):      SA life duration (basic) of 28800
Mar 16 14:36:46.213: ISAKMP: (1034):      encaps is 4 (Transport-UDP)
Mar 16 14:36:46.213: ISAKMP: (1034):      authenticator is HMAC-SHA
Mar 16 14:36:46.213: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.213: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.213: ISAKMP: (1034):transform 8, ESP_DES
Mar 16 14:36:46.213: ISAKMP: (1034):   attributes in transform:
Mar 16 14:36:46.213: ISAKMP: (1034):      SA life type in seconds
Mar 16 14:36:46.213: ISAKMP: (1034):      SA life duration (basic) of 28800
Mar 16 14:36:46.213: ISAKMP: (1034):      encaps is 4 (Transport-UDP)
Mar 16 14:36:46.213: ISAKMP: (1034):      authenticator is HMAC-MD5
Mar 16 14:36:46.213: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.213: IPSEC(validate_proposal_request): proposal part #1
Mar 16 14:36:46.213: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0,
    local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701,
    remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Mar 16 14:36:46.213: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac }
Mar 16 14:36:46.213: ISAKMP-ERROR: (1034):IPSec policy invalidated proposal with error 256
Mar 16 14:36:46.215: IPSEC(validate_proposal_request): proposal part #1
Mar 16 14:36:46.215: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0,
    local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701,
    remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0,
    protocol= ESP, transform= esp-aes 256 esp-md5-hmac  (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Mar 16 14:36:46.215: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac }
Mar 16 14:36:46.216: ISAKMP-ERROR: (1034):IPSec policy invalidated proposal with error 256
Mar 16 14:36:46.218: IPSEC(validate_proposal_request): proposal part #1
Mar 16 14:36:46.218: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0,
    local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701,
    remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Mar 16 14:36:46.218: (ipsec_process_proposal)Map Accepted: L2TP_dynmap, 100
Mar 16 14:36:46.218: ISAKMP: (1034):processing NONCE payload. message ID = 2956598744
Mar 16 14:36:46.218: ISAKMP: (1034):processing ID payload. message ID = 2956598744
Mar 16 14:36:46.218: ISAKMP: (1034):processing ID payload. message ID = 2956598744
Mar 16 14:36:46.218: ISAKMP: (1034):QM Responder gets spi
Mar 16 14:36:46.218: ISAKMP: (1034):Node 2956598744, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 16 14:36:46.218: ISAKMP: (1034):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Mar 16 14:36:46.218: crypto_engine: Generate IKE hash
Mar 16 14:36:46.218: ISAKMP: (1034):Node 2956598744, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Mar 16 14:36:46.218: ISAKMP: (1034):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
Mar 16 14:36:46.218: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 16 14:36:46.218: IPSEC(crypto_ipsec_create_ipsec_sas): Map found L2TP_dynmap, 100
Mar 16 14:36:46.218: crypto_engine: Generate IKE QM keys
Mar 16 14:36:46.218: crypto_engine: Create IPSec SA (by keys)
Mar 16 14:36:46.218: crypto_engine: Generate IKE QM keys
Mar 16 14:36:46.218: crypto_engine: Create IPSec SA (by keys)
Mar 16 14:36:46.218: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F5FE1ED37E8
Mar 16 14:36:46.219: IPSEC(create_sa): sa created,
  (sa) sa_dest= 89.yy.yy.yy, sa_proto= 50,
    sa_spi= 0x1FB4AB52(531934034),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2053
    sa_lifetime(k/sec)= (4608000/28800),
  (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0,
    local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701,
    remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0
Mar 16 14:36:46.219: IPSEC(create_sa): sa created,
  (sa) sa_dest= 31.xx.xx.xx, sa_proto= 50,
    sa_spi= 0x81D6A4C(136145484),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2054
    sa_lifetime(k/sec)= (4608000/28800),
  (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0,
    local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701,
    remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0
Mar 16 14:36:46.222: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
Mar 16 14:36:46.222: IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Static keyword or dynamic SA create for 31.xx.xx.xx
Mar 16 14:36:46.222: ISAKMP: (1034):Received IPSec Install callback... proceeding with the negotiation
Mar 16 14:36:46.222: ISAKMP: (1034):Successfully installed IPSEC SA (SPI:0x1FB4AB52) on GigabitEthernet0/0/0
Mar 16 14:36:46.222: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 31.xx.xx.xx:50159       Id: 10.249.191.92
Mar 16 14:36:46.222: crypto_engine: Encrypt IKE packet
Mar 16 14:36:46.222: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:36:46.222: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:36:46.222: ISAKMP: (1034):Node 2956598744, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Mar 16 14:36:46.222: ISAKMP: (1034):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
Mar 16 14:36:46.260: ISAKMP-PAK: (1034):received packet from 31.xx.xx.xx dport 4500 sport 50159 Global (R) QM_IDLE
Mar 16 14:36:46.260: crypto_engine: Decrypt IKE packet
Mar 16 14:36:46.260: crypto_engine: Generate IKE hash
Mar 16 14:36:46.260: ISAKMP: (1034):deleting node 2956598744 error FALSE reason "QM done (await)"
Mar 16 14:36:46.260: ISAKMP: (1034):Node 2956598744, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 16 14:36:46.260: ISAKMP: (1034):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Mar 16 14:36:46.260: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 16 14:36:46.260: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Mar 16 14:36:46.260: crypto engine: updating MTU size of IPSec SA HW:54 to 1500 (overhead=58)
Mar 16 14:36:46.260: crypto_engine: Set IPSec MTU
Mar 16 14:36:49.483: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:034 TS:00001203763520680702 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 77.72.85.104:45149 => 89.yy.yy.yy:19869(target:class)-(IntInform_self:class-default) due to Policy drop:classify result with ip ident 64608 tcp flag 0x2, seq 138516001, ack 0
Mar 16 14:36:52.666: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:023 TS:00001203766695216412 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from GigabitEthernet0/0/0 187.10.19.36:16636 => 89.yy.yy.yy:23 (target:class)-(IntInform_self:class-default)
Mar 16 14:37:35.180: ISAKMP: (1034):purging node 3214878306
Mar 16 14:37:36.260: ISAKMP: (1034):purging node 2956598744
Mar 16 14:37:52.818: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:030 TS:00001203826695380378 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from GigabitEthernet0/0/0 77.72.85.104:45149 => 89.yy.yy.yy:19869 (target:class)-(IntInform_self:class-default)
Mar 16 14:38:04.466: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:098 TS:00001203838314227146 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 14.142.30.148:10110 => 89.yy.yy.yy:23(target:class)-(IntInform_self:class-default) due to Policy drop:classify result with ip ident 23908 tcp flag 0x2, seq 2099419365, ack 0
Mar 16 14:38:22.894: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:035 TS:00001203856696041123 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from GigabitEthernet0/0/0 77.72.85.104:45149 => 89.yy.yy.yy:14580 (target:class)-(IntInform_self:class-default)
Mar 16 14:38:45.143: ISAKMP: (1034):set new node 2454442962 to QM_IDLE
Mar 16 14:38:45.144: crypto_engine: Generate IKE hash
Mar 16 14:38:45.144: crypto_engine: Encrypt IKE packet
Mar 16 14:38:45.144: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:38:45.144: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:38:45.144: ISAKMP: (1034):purging node 2454442962
Mar 16 14:38:45.144: ISAKMP: (1034):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Mar 16 14:38:45.144: ISAKMP: (1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar 16 14:38:46.044: AAA/AUTHOR: auth_need : user= 'admin' ruser= 'ASR1001'rem_addr= '192.168.5.5' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Mar 16 14:38:50.144: ISAKMP-ERROR: (1034):DPD incrementing error counter (1/5)
Mar 16 14:38:50.144: ISAKMP: (1034):set new node 414223230 to QM_IDLE
Mar 16 14:38:50.144: crypto_engine: Generate IKE hash
Mar 16 14:38:50.144: crypto_engine: Encrypt IKE packet
Mar 16 14:38:50.144: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:38:50.144: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:38:50.144: ISAKMP: (1034):purging node 414223230
Mar 16 14:38:50.144: ISAKMP: (1034):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
Mar 16 14:38:50.144: ISAKMP: (1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar 16 14:38:55.144: ISAKMP-ERROR: (1034):DPD incrementing error counter (2/5)
Mar 16 14:38:55.144: ISAKMP: (1034):set new node 286657848 to QM_IDLE
Mar 16 14:38:55.144: crypto_engine: Generate IKE hash
Mar 16 14:38:55.144: crypto_engine: Encrypt IKE packet
Mar 16 14:38:55.144: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:38:55.144: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:38:55.144: ISAKMP: (1034):purging node 286657848
Mar 16 14:38:55.144: ISAKMP: (1034):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
Mar 16 14:38:55.144: ISAKMP: (1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar 16 14:38:59.798: AAA/AUTHOR: auth_need : user= 'admin' ruser= 'ASR1001'rem_addr= '192.168.5.5' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Mar 16 14:39:00.144: ISAKMP-ERROR: (1034):DPD incrementing error counter (3/5)
Mar 16 14:39:00.144: ISAKMP: (1034):set new node 251706455 to QM_IDLE
Mar 16 14:39:00.144: crypto_engine: Generate IKE hash
Mar 16 14:39:00.144: crypto_engine: Encrypt IKE packet
Mar 16 14:39:00.144: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:39:00.145: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:39:00.145: ISAKMP: (1034):purging node 251706455
Mar 16 14:39:00.145: ISAKMP: (1034):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
Mar 16 14:39:00.145: ISAKMP: (1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar 16 14:39:05.145: ISAKMP-ERROR: (1034):DPD incrementing error counter (4/5)
Mar 16 14:39:05.145: ISAKMP: (1034):set new node 1055979028 to QM_IDLE
Mar 16 14:39:05.145: crypto_engine: Generate IKE hash
Mar 16 14:39:05.145: crypto_engine: Encrypt IKE packet
Mar 16 14:39:05.145: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:39:05.145: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:39:05.145: ISAKMP: (1034):purging node 1055979028
Mar 16 14:39:05.145: ISAKMP: (1034):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
Mar 16 14:39:05.145: ISAKMP: (1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar 16 14:39:10.145: ISAKMP-ERROR: (1034):DPD incrementing error counter (5/5)
Mar 16 14:39:10.145: ISAKMP-ERROR: (1034):Peer 31.xx.xx.xx not responding!
Mar 16 14:39:10.147: ISAKMP: (1034):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
Mar 16 14:39:10.147: ISAKMP: (1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar 16 14:39:10.147: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 16 14:39:10.147: Delete IPsec SA by DPD, local 89.yy.yy.yy remote 31.xx.xx.xx peer port 50159
Mar 16 14:39:10.147: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 89.yy.yy.yy, sa_proto= 50,
    sa_spi= 0x1FB4AB52(531934034),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2053
    sa_lifetime(k/sec)= (4608000/28800),
  (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0,
    local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701,
    remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0
Mar 16 14:39:10.147: IPSEC(delete_sa): SA found saving DEL kmi
Mar 16 14:39:10.147: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 31.xx.xx.xx, sa_proto= 50,
    sa_spi= 0x81D6A4C(136145484),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2054
    sa_lifetime(k/sec)= (4608000/28800),
  (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0,
    local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701,
    remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0
Mar 16 14:39:10.147: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
Mar 16 14:39:10.147: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
Mar 16 14:39:10.147: IPSEC(update_current_outbound_sa): updated peer 31.xx.xx.xx current outbound sa to SPI 0
Mar 16 14:39:10.147: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 89.yy.yy.yy, sa_proto= 50,
    sa_spi= 0x1FB4AB52(531934034),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2053
    sa_lifetime(k/sec)= (4608000/28800),
  (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0,
    local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701,
    remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0
Mar 16 14:39:10.147: IPSEC(delete_sa): SA found saving DEL kmi
Mar 16 14:39:10.147: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 31.xx.xx.xx, sa_proto= 50,
    sa_spi= 0x81D6A4C(136145484),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2054
    sa_lifetime(k/sec)= (4608000/28800),
  (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0,
    local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701,
    remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0
Mar 16 14:39:10.147: IPSEC(sibling_delete_notify_ident_action): Ident down, not sending DECR/DELETE
Mar 16 14:39:10.147: crypto engine: deleting IPSec SA HW:53
Mar 16 14:39:10.147: crypto_engine: Delete IPSec SA
Mar 16 14:39:10.147: crypto engine: deleting IPSec SA HW:54
Mar 16 14:39:10.147: crypto_engine: Delete IPSec SA
Mar 16 14:39:10.148: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x7F5FE1ED37E8 ikmp handle 0x8000003A
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x24000035,peer index 0

Mar 16 14:39:10.148: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 31.xx.xx.xx:50159       Id: 10.249.191.92
Mar 16 14:39:10.148: ISAKMP: (1034):set new node 488885328 to QM_IDLE
Mar 16 14:39:10.148: crypto_engine: Generate IKE hash
Mar 16 14:39:10.148: crypto_engine: Encrypt IKE packet
Mar 16 14:39:10.148: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:39:10.148: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:39:10.148: ISAKMP: (1034):purging node 488885328
Mar 16 14:39:10.148: ISAKMP: (1034):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Mar 16 14:39:10.148: ISAKMP: (1034):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar 16 14:39:10.148: ISAKMP: (1034):No more ipsec tunnels for this SA.
Mar 16 14:39:10.148: ISAKMP: (1034):peer does not do paranoid keepalives.
Mar 16 14:39:10.148: ISAKMP: (1034):deleting SA reason "End of ipsec tunnel" state (R) QM_IDLE       (peer 31.xx.xx.xx)
Mar 16 14:39:10.148: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 16 14:39:10.148: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message
Mar 16 14:39:10.148: ISAKMP (1034): IPSec has no more SA's with this peer.  Won't keepalive phase 1.
Mar 16 14:39:10.148: ISAKMP: (1034):set new node 3190534613 to QM_IDLE
Mar 16 14:39:10.148: crypto_engine: Generate IKE hash
Mar 16 14:39:10.148: crypto_engine: Encrypt IKE packet
Mar 16 14:39:10.148: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:39:10.148: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:39:10.148: ISAKMP: (1034):purging node 3190534613
Mar 16 14:39:10.149: ISAKMP: (1034):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 16 14:39:10.149: ISAKMP: (1034):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Mar 16 14:39:10.149: ISAKMP: (1034):deleting SA reason "End of ipsec tunnel" state (R) QM_IDLE       (peer 31.xx.xx.xx)
Mar 16 14:39:10.149: ISAKMP: (0):Unlocking peer struct 0x7F5FED5753D8 for isadb_mark_sa_deleted(), count 0
Mar 16 14:39:10.149: ISAKMP-ERROR: (0):crypto_ikmp_dpd_refcount_zero: Freeing dpd profile_name L2TP
Mar 16 14:39:10.149: ISAKMP: (0):Deleting peer node by peer_reap for 31.xx.xx.xx: 7F5FED5753D8
Mar 16 14:39:10.152: crypto engine: deleting IKE SA SW:34
Mar 16 14:39:10.152: crypto engine: deleting DH SW:73
Mar 16 14:39:10.152: crypto_engine: Delete DH
Mar 16 14:39:10.152: crypto_engine: Delete IKE SA
Mar 16 14:39:10.152: ISAKMP: (1034):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 16 14:39:10.152: ISAKMP: (1034):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Mar 16 14:39:10.152: IPSEC(key_engine): got a queue event with 1 KMI message(s)
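The debug above ends with the textbook DPD teardown: five missed keepalives, "Peer ... not responding!", "Delete IPsec SA by DPD", then the tunnel DOWN syslog. As an added example (not from this thread), here is a small Python parser that pulls that sequence out of IOS-XE `debug crypto` output per IKE SA id (the `(1034)` tag) and measures how long after the first miss the tunnel was torn down; the sample lines are constructed with documentation placeholder addresses.

```python
import re
from datetime import datetime

# Constructed sample shaped like the IOS-XE "debug crypto" lines above; the addresses are documentation placeholders.
SAMPLE_DEBUG = """\
Mar 16 14:38:50.144: ISAKMP-ERROR: (1034):DPD incrementing error counter (1/5)
Mar 16 14:38:55.144: ISAKMP-ERROR: (1034):DPD incrementing error counter (2/5)
Mar 16 14:39:00.144: ISAKMP-ERROR: (1034):DPD incrementing error counter (3/5)
Mar 16 14:39:05.145: ISAKMP-ERROR: (1034):DPD incrementing error counter (4/5)
Mar 16 14:39:10.145: ISAKMP-ERROR: (1034):DPD incrementing error counter (5/5)
Mar 16 14:39:10.145: ISAKMP-ERROR: (1034):Peer 203.0.113.7 not responding!
Mar 16 14:39:10.147: Delete IPsec SA by DPD, local 198.51.100.1 remote 203.0.113.7 peer port 50159
Mar 16 14:39:10.148: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 203.0.113.7:50159       Id: 10.249.191.92
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (.*)$")
DPD_RE = re.compile(r"ISAKMP-ERROR: \((\d+)\):DPD incrementing error counter \((\d+)/(\d+)\)")
NOTRESP_RE = re.compile(r"ISAKMP-ERROR: \((\d+)\):Peer ([\d.]+) not responding")
DELETE_RE = re.compile(r"Delete IPsec SA by DPD, local [\d.]+ remote ([\d.]+)")
DOWN_RE = re.compile(r"Crypto tunnel is DOWN\.\s+Peer ([\d.]+):\d+")

def _new_record():
    return {"misses": [], "max": 0, "peer": None, "sa_deleted_by_dpd": None, "tunnel_down": None}

def analyze_dpd(text):
    """Group DPD misses, 'not responding' and teardown events per IKE SA id (the (1034) tag)."""
    sas, peer_to_sa = {}, {}
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:                      # untimestamped continuation lines carry none of these events
            continue
        ts, msg = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f"), m.group(2)
        if d := DPD_RE.search(msg):
            rec = sas.setdefault(d.group(1), _new_record())
            rec["misses"].append((int(d.group(2)), ts))
            rec["max"] = int(d.group(3))
        elif n := NOTRESP_RE.search(msg):
            sas.setdefault(n.group(1), _new_record())["peer"] = n.group(2)
            peer_to_sa[n.group(2)] = n.group(1)   # later IPsec/tunnel lines name only the peer
        elif (dl := DELETE_RE.search(msg)) and dl.group(1) in peer_to_sa:
            sas[peer_to_sa[dl.group(1)]]["sa_deleted_by_dpd"] = ts
        elif (dn := DOWN_RE.search(msg)) and dn.group(1) in peer_to_sa:
            sas[peer_to_sa[dn.group(1)]]["tunnel_down"] = ts
    return sas

def seconds_to_teardown(rec):
    """Seconds from the first missed DPD to the tunnel DOWN event, or None if it never went down."""
    if not rec["misses"] or rec["tunnel_down"] is None:
        return None
    return (rec["tunnel_down"] - rec["misses"][0][1]).total_seconds()
```

Feed it the real debug (`analyze_dpd(open("debug.txt").read())`) and a peer whose record shows misses reaching `max` with `tunnel_down` set was dropped because the client stopped answering DPD, not because of an IKE or L2TP negotiation error.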

 

 

On 08.07.2016 at 14:00, ShyLion said:

Has anyone managed to bring up L2TP vpdn on a Cisco so that an Android device could connect?

Checkmate, Cisco fans. Be thankful it works at all. Here is the official Cisco TAC reply to a request for Android configuration settings:

Hi,

The L2TP over IPSec is officially unsupported on IOS-XE. The code is there from the IOS code base, but it was never tested nor designed to work with the ASR platforms. Please refer to the document below for details:
Source - https://www.cisco.com/c/en/us/td/docs/routers/access/4400/release/notes/isr4451rn.html#96977

 


This is some kind of ... disgrace. On the other hand, we will all just move to IKEv2 over time.

By and large, the triple encapsulation IPSec-L2TP-PPP has long been asking to be scrapped.


49 minutes ago, ShyLion said:

This is some kind of ... disgrace. On the other hand, we will all just move to IKEv2 over time.

By and large, the triple encapsulation IPSec-L2TP-PPP has long been asking to be scrapped.

Only there is no stock client for it on Android. And on iOS only in the latest versions.

Windows 7 through 10 does support it, though.

We'll give it a try.

 


The question is not about L2TP-IPSEC itself, but about why the vendor does not ensure that what is declared in the Feature Explorer (I think that's what it's called, if I'm not mistaken) actually works, when considerable money has been paid for it. With IKEv2 it seems nobody will guarantee either that it will work as it should. So the issue is really Cisco's approach: ideally they should not be cutting out supposedly obsolete protocols; the user (operator) should decide for himself what he needs. IMHO.


2 hours ago, Axizzz said:

The question is not about L2TP-IPSEC itself, but about why the vendor does not ensure that what is declared in the Feature Explorer (I think that's what it's called, if I'm not mistaken) actually works, when considerable money has been paid for it. With IKEv2 it seems nobody will guarantee either that it will work as it should. So the issue is really Cisco's approach: ideally they should not be cutting out supposedly obsolete protocols; the user (operator) should decide for himself what he needs. IMHO.

There is no such thing in the Feature Guide. There is L2TP and there is IPsec. But L2TP/IPsec is not there.

Formally they are right. But unexpected.

Though the funniest part is that only the second TAC engineer knew this. The first one promised to help configure it.

Well, they didn't cut it out either. Though they didn't adapt it to the platform either. This Frankenstein even partly works.

Edited by M-a-x-Z


17 hours ago, M-a-x-Z said:

There is no such thing in the Feature Guide. There is L2TP and there is IPsec. But L2TP/IPsec is not there.

Formally they are right. But unexpected.

Though the funniest part is that only the second TAC engineer knew this. The first one promised to help configure it.

Well, they didn't cut it out either. Though they didn't adapt it to the platform either. This Frankenstein even partly works.

Cisco isn't what it used to be.. In that case it's unclear what to do if you need high performance from a border router (1 Gbit/s and up with IPsec encryption) and L2TP/IPsec for a large number of connections. After all, according to their various presentations the series are differentiated by performance, among other things.

[Image: Cisco-Routers-768x364.png]


21 hours ago, Axizzz said:

So the issue is really Cisco's approach

It's the whole industry as a whole. Everyone pulls the blanket their own way and constantly reinvents the wheel. The Swan, the Crab and the Pike, plus a pack of other animals, can't and won't come to an agreement.

Every vendor dreams of you using solely their solutions, bringing revenue only to them.


19 hours ago, zhenya` said:

IMHO it's just that L2TP/IPsec can't be crossed with subscriber management.

Why would you? The QoS policy there attaches to each tunnel. No need to parse by IP.

1 hour ago, Axizzz said:

Cisco isn't what it used to be.. In that case it's unclear what to do if you need high performance from a border router (1 Gbit/s and up with IPsec encryption) and L2TP/IPsec for a large number of connections. After all, according to their various presentations the series are differentiated by performance, among other things.

I don't know about ISR, but L2TP/IPsec has simply been written off, since IOS-XE is now our everything. It's not that it's gone from the ASR. It's that Cisco no longer has it in any of the new models.

If you need specifically that, you'll have to get a used ASR. But there, it seems, there will be pitfalls configuring modern clients.


I can confirm: the new routers like the 4xxx series already ship with IOS-XE, and the walk through the minefield is in full swing :) Everything looks the same, but no, there are nuances everywhere.


1 hour ago, M-a-x-Z said:

Why would you? The QoS policy there attaches to each tunnel. No need to parse by IP.

I don't know about ISR, but L2TP/IPsec has simply been written off, since IOS-XE is now our everything. It's not that it's gone from the ASR. It's that Cisco no longer has it in any of the new models.

If you need specifically that, you'll have to get a used ASR. But there, it seems, there will be pitfalls configuring modern clients.

I'm almost embarrassed to ask: we actually bought a used ASR 1001= (which is why there's no support), and it runs IOS-XE. As I understand your words, you can load the old IOS onto it? Can you point me to proof?
