ShyLion Posted July 8, 2016 (edited)

Has anyone managed to get L2TP VPDN up on a Cisco so that an Android device can connect to it? Here is a working config that Windows attaches to without any problems. With Android, though, it's trouble.

aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization console
aaa authorization exec default local
aaa authorization network default none
aaa accounting network default none
!
!
!
!
!
aaa session-id common
aaa policy interface-config allow-subinterface
ppp packet throttle 30 1 30
!
ip domain name local
!
multilink bundle-name authenticated
vpdn enable
vpdn logging
no vpdn logging cause normal
!
vpdn-group VPN
! Default L2TP VPDN group
 description l2tp group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username ppptest password 7 15021B1C102F3830
!
!
crypto keyring L2TP_IPSec
  pre-shared-key address 0.0.0.0 0.0.0.0 key IPsec
!
crypto isakmp policy 60
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 30
!
crypto ipsec transform-set 3DES_SHA_tr esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP_IPSec 1
 set nat demux
 set transform-set 3DES_SHA_tr
!
crypto map OUTSIDE 65535 ipsec-isakmp dynamic L2TP_IPSec
!
interface Loopback1
 ip address 10.2.1.1 255.255.255.255
!
interface GigabitEthernet1.96
 encapsulation dot1Q 96
 ip address x.x.x.94 255.255.255.0
 crypto map OUTSIDE
!
interface Virtual-Template1
 mtu 1400
 ip unnumbered Loopback1
 no ip redirects
 ip tcp adjust-mss 1360
 peer default ip address pool ppp_pool
 no snmp trap link-status
 no keepalive
 ppp authentication ms-chap-v2 callin
 ppp link reorders
 ppp timeout retry 10
!
ip local pool ppp_pool 10.2.0.1 10.2.0.254
!
debug:

*Jul 8 08:13:03.166: ISAKMP (0): received packet from y.y.y.42 dport 500 sport 55156 Global (N) NEW SA
*Jul 8 08:13:03.166: ISAKMP: Created a peer struct for y.y.y.42, peer port 55156
*Jul 8 08:13:03.166: ISAKMP: New peer created peer = 0x7FBD8F18E860 peer_handle = 0x80000012
*Jul 8 08:13:03.166: ISAKMP: Locking peer struct 0x7FBD8F18E860, refcount 1 for crypto_isakmp_process_block
*Jul 8 08:13:03.166: ISAKMP: local port 500, remote port 55156
*Jul 8 08:13:03.166: ISAKMP:(0):insert sa successfully sa = 7FBD945C0B50
*Jul 8 08:13:03.166: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 8 08:13:03.166: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jul 8 08:13:03.166: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 8 08:13:03.166: ISAKMP:(0): processing vendor id payload
*Jul 8 08:13:03.166: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 8 08:13:03.166: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 8 08:13:03.166: ISAKMP:(0): processing vendor id payload
*Jul 8 08:13:03.166: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jul 8 08:13:03.166: ISAKMP:(0): processing vendor id payload
*Jul 8 08:13:03.166: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul 8 08:13:03.166: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 8 08:13:03.166: ISAKMP:(0): processing vendor id payload
*Jul 8 08:13:03.166: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*Jul 8 08:13:03.166: ISAKMP:(0): processing vendor id payload
*Jul 8 08:13:03.166: ISAKMP:(0): processing IKE frag vendor id payload
*Jul 8 08:13:03.166: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jul 8 08:13:03.166: ISAKMP:(0): processing vendor id payload
*Jul 8 08:13:03.166: ISAKMP:(0): vendor ID is DPD
*Jul 8 08:13:03.166: ISAKMP:(0):found peer pre-shared key matching y.y.y.42
*Jul 8 08:13:03.166: ISAKMP:(0): local preshared key found
*Jul 8 08:13:03.166: ISAKMP : Scanning profiles for xauth ...
*Jul 8 08:13:03.166: ISAKMP:(0):Checking ISAKMP transform 1 against priority 60 policy
*Jul 8 08:13:03.166: ISAKMP: life type in seconds
*Jul 8 08:13:03.166: ISAKMP: life duration (basic) of 28800
*Jul 8 08:13:03.166: ISAKMP: encryption AES-CBC
*Jul 8 08:13:03.166: ISAKMP: keylength of 256
*Jul 8 08:13:03.166: ISAKMP: auth pre-share
*Jul 8 08:13:03.166: ISAKMP: hash SHA
*Jul 8 08:13:03.166: ISAKMP: default group 2
*Jul 8 08:13:03.166: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 8 08:13:03.166: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 8 08:13:03.166: ISAKMP:(0):Checking ISAKMP transform 2 against priority 60 policy
*Jul 8 08:13:03.166: ISAKMP: life type in seconds
*Jul 8 08:13:03.166: ISAKMP: life duration (basic) of 28800
*Jul 8 08:13:03.166: ISAKMP: encryption AES-CBC
*Jul 8 08:13:03.166: ISAKMP: keylength of 256
*Jul 8 08:13:03.166: ISAKMP: auth pre-share
*Jul 8 08:13:03.166: ISAKMP: hash MD5
*Jul 8 08:13:03.166: ISAKMP: default group 2
*Jul 8 08:13:03.166: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 8 08:13:03.166: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 8 08:13:03.166: ISAKMP:(0):Checking ISAKMP transform 3 against priority 60 policy
*Jul 8 08:13:03.166: ISAKMP: life type in seconds
*Jul 8 08:13:03.166: ISAKMP: life duration (basic) of 28800
*Jul 8 08:13:03.166: ISAKMP: encryption AES-CBC
*Jul 8 08:13:03.166: ISAKMP: keylength of 128
*Jul 8 08:13:03.166: ISAKMP: auth pre-share
*Jul 8 08:13:03.166: ISAKMP: hash SHA
*Jul 8 08:13:03.166: ISAKMP: default group 2
*Jul 8 08:13:03.166: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 8 08:13:03.166: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 8 08:13:03.166: ISAKMP:(0):Checking ISAKMP transform 4 against priority 60 policy
*Jul 8 08:13:03.166: ISAKMP: life type in seconds
*Jul 8 08:13:03.166: ISAKMP: life duration (basic) of 28800
*Jul 8 08:13:03.166: ISAKMP: encryption AES-CBC
*Jul 8 08:13:03.166: ISAKMP: keylength of 128
*Jul 8 08:13:03.166: ISAKMP: auth pre-share
*Jul 8 08:13:03.166: ISAKMP: hash MD5
*Jul 8 08:13:03.166: ISAKMP: default group 2
*Jul 8 08:13:03.166: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 8 08:13:03.166: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 8 08:13:03.166: ISAKMP:(0):Checking ISAKMP transform 5 against priority 60 policy
*Jul 8 08:13:03.166: ISAKMP: life type in seconds
*Jul 8 08:13:03.166: ISAKMP: life duration (basic) of 28800
*Jul 8 08:13:03.166: ISAKMP: encryption 3DES-CBC
*Jul 8 08:13:03.166: ISAKMP: auth pre-share
*Jul 8 08:13:03.166: ISAKMP: hash SHA
*Jul 8 08:13:03.166: ISAKMP: default group 2
*Jul 8 08:13:03.166: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jul 8 08:13:03.166: ISAKMP:(0):Acceptable atts:actual life: 86400
*Jul 8 08:13:03.166: ISAKMP:(0):Acceptable atts:life: 0
*Jul 8 08:13:03.166: ISAKMP:(0):Basic life_in_seconds:28800
*Jul 8 08:13:03.166: ISAKMP:(0):Returning Actual lifetime: 28800
*Jul 8 08:13:03.166: ISAKMP:(0)::Started lifetime timer: 28800.
*Jul 8 08:13:03.167: ISAKMP:(0): processing vendor id payload
*Jul 8 08:13:03.167: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 8 08:13:03.167: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 8 08:13:03.167: ISAKMP:(0): processing vendor id payload
*Jul 8 08:13:03.167: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jul 8 08:13:03.167: ISAKMP:(0): processing vendor id payload
*Jul 8 08:13:03.167: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul 8 08:13:03.167: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 8 08:13:03.167: ISAKMP:(0): processing vendor id payload
*Jul 8 08:13:03.167: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*Jul 8 08:13:03.167: ISAKMP:(0): processing vendor id payload
*Jul 8 08:13:03.167: ISAKMP:(0): processing IKE frag vendor id payload
*Jul 8 08:13:03.167: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jul 8 08:13:03.167: ISAKMP:(0): processing vendor id payload
*Jul 8 08:13:03.167: ISAKMP:(0): vendor ID is DPD
*Jul 8 08:13:03.167: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 8 08:13:03.167: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jul 8 08:13:03.167: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jul 8 08:13:03.167: ISAKMP:(0): sending packet to y.y.y.42 my_port 500 peer_port 55156 (R) MM_SA_SETUP
*Jul 8 08:13:03.167: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul 8 08:13:03.167: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 8 08:13:03.167: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jul 8 08:13:03.284: ISAKMP (0): received packet from y.y.y.42 dport 500 sport 55156 Global (R) MM_SA_SETUP
*Jul 8 08:13:03.284: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 8 08:13:03.284: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jul 8 08:13:03.284: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 8 08:13:03.285: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 8 08:13:03.285: ISAKMP:(0):found peer pre-shared key matching y.y.y.42
*Jul 8 08:13:03.285: ISAKMP:received payload type 20
*Jul 8 08:13:03.285: ISAKMP (1022): His hash no match - this node outside NAT
*Jul 8 08:13:03.285: ISAKMP:received payload type 20
*Jul 8 08:13:03.285: ISAKMP (1022): His hash no match - this node outside NAT
*Jul 8 08:13:03.285: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 8 08:13:03.285: ISAKMP:(1022):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jul 8 08:13:03.285: ISAKMP:(1022): sending packet to y.y.y.42 my_port 500 peer_port 55156 (R) MM_KEY_EXCH
*Jul 8 08:13:03.285: ISAKMP:(1022):Sending an IKE IPv4 Packet.
*Jul 8 08:13:03.285: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 8 08:13:03.285: ISAKMP:(1022):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jul 8 08:13:03.372: ISAKMP (1022): received packet from y.y.y.42 dport 4500 sport 9292 Global (R) MM_KEY_EXCH
*Jul 8 08:13:03.372: ISAKMP:(1022):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 8 08:13:03.372: ISAKMP:(1022):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jul 8 08:13:03.372: ISAKMP:(1022): processing ID payload. message ID = 0
*Jul 8 08:13:03.372: ISAKMP (1022): ID payload
        next-payload : 8
        type         : 1
        address      : 10.66.50.27
        protocol     : 17
        port         : 500
        length       : 12
*Jul 8 08:13:03.372: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 8 08:13:03.372: ISAKMP:(1022): processing HASH payload. message ID = 0
*Jul 8 08:13:03.372: ISAKMP:(1022):SA authentication status: authenticated
*Jul 8 08:13:03.372: ISAKMP:(1022):SA has been authenticated with y.y.y.42
*Jul 8 08:13:03.372: ISAKMP:(1022):Detected port floating to port = 9292
*Jul 8 08:13:03.372: ISAKMP: Trying to insert a peer x.x.x.94/y.y.y.42/9292/, and inserted successfully 7FBD8F18E860.
*Jul 8 08:13:03.373: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 8 08:13:03.373: ISAKMP:(1022):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jul 8 08:13:03.373: ISAKMP:(1022):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 8 08:13:03.373: ISAKMP (1022): ID payload
        next-payload : 8
        type         : 1
        address      : x.x.x.94
        protocol     : 17
        port         : 0
        length       : 12
*Jul 8 08:13:03.373: ISAKMP:(1022):Total payload length: 12
*Jul 8 08:13:03.373: ISAKMP:(1022): sending packet to y.y.y.42 my_port 4500 peer_port 9292 (R) MM_KEY_EXCH
*Jul 8 08:13:03.373: ISAKMP:(1022):Sending an IKE IPv4 Packet.
*Jul 8 08:13:03.373: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 8 08:13:03.373: ISAKMP:(1022):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jul 8 08:13:03.373: ISAKMP:(1022):IKE_DPD is enabled, initializing timers
*Jul 8 08:13:03.373: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 8 08:13:03.373: ISAKMP:(1022):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 8 08:13:03.452: ISAKMP (1022): received packet from y.y.y.42 dport 4500 sport 9292 Global (R) QM_IDLE
*Jul 8 08:13:03.452: ISAKMP: set new node 2839478968 to QM_IDLE
*Jul 8 08:13:03.452: ISAKMP:(1022): processing HASH payload. message ID = 2839478968
*Jul 8 08:13:03.452: ISAKMP:(1022): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 2839478968, sa = 0x7FBD945C0B50
*Jul 8 08:13:03.452: ISAKMP:(1022):SA authentication status: authenticated
*Jul 8 08:13:03.452: ISAKMP:(1022): Process initial contact, bring down existing phase 1 and 2 SA's with local x.x.x.94 remote y.y.y.42 remote port 9292
*Jul 8 08:13:03.452: ISAKMP:(1022):deleting node 2839478968 error FALSE reason "Informational (in) state 1"
*Jul 8 08:13:03.452: ISAKMP:(1022):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 8 08:13:03.452: ISAKMP:(1022):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 8 08:13:03.452: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 8 08:13:04.546: ISAKMP (1022): received packet from y.y.y.42 dport 4500 sport 9292 Global (R) QM_IDLE
*Jul 8 08:13:04.546: ISAKMP: set new node 3271697679 to QM_IDLE
*Jul 8 08:13:04.546: ISAKMP:(1022): processing HASH payload. message ID = 3271697679
*Jul 8 08:13:04.546: ISAKMP:(1022): processing SA payload. message ID = 3271697679
*Jul 8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul 8 08:13:04.546: ISAKMP: transform 1, ESP_AES
*Jul 8 08:13:04.546: ISAKMP: attributes in transform:
*Jul 8 08:13:04.546: ISAKMP: SA life type in seconds
*Jul 8 08:13:04.546: ISAKMP: SA life duration (basic) of 28800
*Jul 8 08:13:04.546: ISAKMP: encaps is 4 (Transport-UDP)
*Jul 8 08:13:04.546: ISAKMP: key length is 256
*Jul 8 08:13:04.546: ISAKMP: authenticator is HMAC-SHA
*Jul 8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul 8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul 8 08:13:04.546: ISAKMP: transform 2, ESP_AES
*Jul 8 08:13:04.546: ISAKMP: attributes in transform:
*Jul 8 08:13:04.546: ISAKMP: SA life type in seconds
*Jul 8 08:13:04.546: ISAKMP: SA life duration (basic) of 28800
*Jul 8 08:13:04.546: ISAKMP: encaps is 4 (Transport-UDP)
*Jul 8 08:13:04.546: ISAKMP: key length is 256
*Jul 8 08:13:04.546: ISAKMP: authenticator is HMAC-MD5
*Jul 8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul 8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul 8 08:13:04.546: ISAKMP: transform 3, ESP_AES
*Jul 8 08:13:04.546: ISAKMP: attributes in transform:
*Jul 8 08:13:04.546: ISAKMP: SA life type in seconds
*Jul 8 08:13:04.546: ISAKMP: SA life duration (basic) of 28800
*Jul 8 08:13:04.546: ISAKMP: encaps is 4 (Transport-UDP)
*Jul 8 08:13:04.546: ISAKMP: key length is 128
*Jul 8 08:13:04.546: ISAKMP: authenticator is HMAC-SHA
*Jul 8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul 8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul 8 08:13:04.546: ISAKMP: transform 4, ESP_AES
*Jul 8 08:13:04.546: ISAKMP: attributes in transform:
*Jul 8 08:13:04.546: ISAKMP: SA life type in seconds
*Jul 8 08:13:04.546: ISAKMP: SA life duration (basic) of 28800
*Jul 8 08:13:04.546: ISAKMP: encaps is 4 (Transport-UDP)
*Jul 8 08:13:04.546: ISAKMP: key length is 128
*Jul 8 08:13:04.546: ISAKMP: authenticator is HMAC-MD5
*Jul 8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul 8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul 8 08:13:04.546: ISAKMP: transform 5, ESP_3DES
*Jul 8 08:13:04.546: ISAKMP: attributes in transform:
*Jul 8 08:13:04.546: ISAKMP: SA life type in seconds
*Jul 8 08:13:04.546: ISAKMP: SA life duration (basic) of 28800
*Jul 8 08:13:04.546: ISAKMP: encaps is 4 (Transport-UDP)
*Jul 8 08:13:04.546: ISAKMP: authenticator is HMAC-SHA
*Jul 8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul 8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul 8 08:13:04.546: ISAKMP: transform 6, ESP_3DES
*Jul 8 08:13:04.546: ISAKMP: attributes in transform:
*Jul 8 08:13:04.546: ISAKMP: SA life type in seconds
*Jul 8 08:13:04.546: ISAKMP: SA life duration (basic) of 28800
*Jul 8 08:13:04.546: ISAKMP: encaps is 4 (Transport-UDP)
*Jul 8 08:13:04.546: ISAKMP: authenticator is HMAC-MD5
*Jul 8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul 8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul 8 08:13:04.546: ISAKMP: transform 7, ESP_DES
*Jul 8 08:13:04.546: ISAKMP: attributes in transform:
*Jul 8 08:13:04.546: ISAKMP: SA life type in seconds
*Jul 8 08:13:04.546: ISAKMP: SA life duration (basic) of 28800
*Jul 8 08:13:04.546: ISAKMP: encaps is 4 (Transport-UDP)
*Jul 8 08:13:04.546: ISAKMP: authenticator is HMAC-SHA
*Jul 8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul 8 08:13:04.546: ISAKMP:(1022):Checking IPSec proposal 1
*Jul 8 08:13:04.546: ISAKMP: transform 8, ESP_DES
*Jul 8 08:13:04.546: ISAKMP: attributes in transform:
*Jul 8 08:13:04.546: ISAKMP: SA life type in seconds
*Jul 8 08:13:04.546: ISAKMP: SA life duration (basic) of 28800
*Jul 8 08:13:04.546: ISAKMP: encaps is 4 (Transport-UDP)
*Jul 8 08:13:04.546: ISAKMP: authenticator is HMAC-MD5
*Jul 8 08:13:04.546: ISAKMP:(1022):atts are acceptable.
*Jul 8 08:13:04.546: IPSEC(validate_proposal_request): proposal part #1
*Jul 8 08:13:04.546: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.)
  INBOUND local= x.x.x.94:0, remote= y.y.y.42:0, local_proxy= x.x.x.94/255.255.255.255/17/1701, remote_proxy= y.y.y.42/255.255.255.255/17/0, protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jul 8 08:13:04.546: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-sha-hmac }
*Jul 8 08:13:04.546: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Jul 8 08:13:04.548: IPSEC(validate_proposal_request): proposal part #1
*Jul 8 08:13:04.548: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.)
  INBOUND local= x.x.x.94:0, remote= y.y.y.42:0, local_proxy= x.x.x.94/255.255.255.255/17/1701, remote_proxy= y.y.y.42/255.255.255.255/17/0, protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jul 8 08:13:04.548: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-md5-hmac }
*Jul 8 08:13:04.548: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Jul 8 08:13:04.549: IPSEC(validate_proposal_request): proposal part #1
*Jul 8 08:13:04.549: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.)
  INBOUND local= x.x.x.94:0, remote= y.y.y.42:0, local_proxy= x.x.x.94/255.255.255.255/17/1701, remote_proxy= y.y.y.42/255.255.255.255/17/0, protocol= ESP, transform= esp-aes esp-sha-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 8 08:13:04.549: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes esp-sha-hmac }
*Jul 8 08:13:04.549: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Jul 8 08:13:04.550: IPSEC(validate_proposal_request): proposal part #1
*Jul 8 08:13:04.550: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.)
  INBOUND local= x.x.x.94:0, remote= y.y.y.42:0, local_proxy= x.x.x.94/255.255.255.255/17/1701, remote_proxy= y.y.y.42/255.255.255.255/17/0, protocol= ESP, transform= esp-aes esp-md5-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 8 08:13:04.550: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes esp-md5-hmac }
*Jul 8 08:13:04.550: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Jul 8 08:13:04.551: IPSEC(validate_proposal_request): proposal part #1
*Jul 8 08:13:04.551: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.)
  INBOUND local= x.x.x.94:0, remote= y.y.y.42:0, local_proxy= x.x.x.94/255.255.255.255/17/1701, remote_proxy= y.y.y.42/255.255.255.255/17/0, protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 8 08:13:04.552: (ipsec_process_proposal)Map Accepted: L2TP_IPSec, 1
*Jul 8 08:13:04.552: ISAKMP:(1022): processing NONCE payload. message ID = 3271697679
*Jul 8 08:13:04.552: ISAKMP:(1022): processing ID payload. message ID = 3271697679
*Jul 8 08:13:04.552: ISAKMP:(1022): processing ID payload. message ID = 3271697679
*Jul 8 08:13:04.552: ISAKMP:(1022):QM Responder gets spi
*Jul 8 08:13:04.552: ISAKMP:(1022):Node 3271697679, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 8 08:13:04.552: ISAKMP:(1022):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jul 8 08:13:04.552: ISAKMP:(1022):Node 3271697679, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jul 8 08:13:04.552: ISAKMP:(1022):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Jul 8 08:13:04.552: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 8 08:13:04.552: IPSEC(crypto_ipsec_create_ipsec_sas): Map found L2TP_IPSec, 1
*Jul 8 08:13:04.552: IPSEC(create_sa): sa created,
  (sa) sa_dest= x.x.x.94, sa_proto= 50,
    sa_spi= 0x61288C6B(1630047339),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2037
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= x.x.x.94:0, remote= y.y.y.42:0,
    local_proxy= x.x.x.94/255.255.255.255/17/1701,
    remote_proxy= y.y.y.42/255.255.255.255/17/9292
*Jul 8 08:13:04.552: IPSEC(create_sa): sa created,
  (sa) sa_dest= y.y.y.42, sa_proto= 50,
    sa_spi= 0xB3DC591(188597649),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2038
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= x.x.x.94:0, remote= y.y.y.42:0,
    local_proxy= x.x.x.94/255.255.255.255/17/1701,
    remote_proxy= y.y.y.42/255.255.255.255/17/9292
*Jul 8 08:13:04.615: ISAKMP: Failed to find peer index node to update peer_info_list
*Jul 8 08:13:04.616: ISAKMP:(1022):Received IPSec Install callback... proceeding with the negotiation
*Jul 8 08:13:04.616: ISAKMP:(1022):Successfully installed IPSEC SA (SPI:0x61288C6B) on GigabitEthernet1.96
*Jul 8 08:13:04.616: ISAKMP:(1022): sending packet to y.y.y.42 my_port 4500 peer_port 9292 (R) QM_IDLE
*Jul 8 08:13:04.616: ISAKMP:(1022):Sending an IKE IPv4 Packet.
*Jul 8 08:13:04.616: ISAKMP:(1022):Node 3271697679, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Jul 8 08:13:04.616: ISAKMP:(1022):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
*Jul 8 08:13:04.666: ISAKMP (1022): received packet from y.y.y.42 dport 4500 sport 9292 Global (R) QM_IDLE
*Jul 8 08:13:04.666: ISAKMP:(1022):deleting node 3271697679 error FALSE reason "QM done (await)"
*Jul 8 08:13:04.666: ISAKMP:(1022):Node 3271697679, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 8 08:13:04.666: ISAKMP:(1022):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jul 8 08:13:04.666: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 8 08:13:04.666: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jul 8 08:13:06.688: L2TP _____:________: L2TP: Parse IETF AVP 2, len 8, flag 0x8000 (M)
*Jul 8 08:13:06.688: L2TP _____:________: L2TP: Parse IETF AVP 7, len 15, flag 0x8000 (M)
*Jul 8 08:13:06.688: L2TP _____:________: L2TP: Parse IETF AVP 3, len 10, flag 0x8000 (M)
*Jul 8 08:13:06.688: L2TP _____:________: L2TP: Parse IETF AVP 9, len 8, flag 0x8000 (M)
*Jul 8 08:13:06.688: L2TP _____:________: L2TP: Parse IETF AVP 10, len 8, flag 0x8000 (M)
*Jul 8 08:13:06.688: L2TP _____:________: No missing AVPs in SCCRQ
*Jul 8 08:13:06.688: L2TP _____:________:
*Jul 8 08:13:06.688: L2TP _____:________: Rx SCCRQ, flg TLS, ver 2, len 69
*Jul 8 08:13:06.688: L2TP _____:________: tnl 0, ns 0, nr 0
*Jul 8 08:13:06.688: L2TP _____:________: IETF v2:
*Jul 8 08:13:06.688: L2TP _____:________: Protocol Version 1, Revision 0
*Jul 8 08:13:06.688: L2TP _____:________: Framing Cap both(0x3)
*Jul 8 08:13:06.688: L2TP _____:________: Hostname "
*Jul 8 08:13:06.688: L2TP _____:________: Hostname "anonymous"
*Jul 8 08:13:06.688: L2TP _____:________: Assigned Tunnel I 0x000030AA (12458)
*Jul 8 08:13:06.688: L2TP _____:________: Recv Window Size 1
*Jul 8 08:13:06.688: L2TP _____:________:
*Jul 8 08:13:06.688: contiguous pak, size 69
C8 02 00 45 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 30 AA 80 08 00 00 00 0A 00 01
*Jul 8 08:13:06.688: VPDN L2X: ADD class AAA author, group "VPN" (group VPN)
*Jul 8 08:13:06.688: L2TP tnl 08083:00008F3B: Auth glob Overall Ignored, 93
*Jul 8 08:13:06.688: L2TP tnl 08083:00008F3B:
*Jul 8 08:13:06.688: L2TP tnl 08083:00008F3B: Tx SCCRP to anonymous tnl 12458
*Jul 8 08:13:06.688: L2TP tnl 08083:00008F3B: IETF v2:
*Jul 8 08:13:06.688: L2TP tnl 08083:00008F3B: Protocol Version 1, Revision 0
*Jul 8 08:13:06.688: L2TP tnl 08083:00008F3B: Framing Cap none(0x0)
*Jul 8 08:13:06.688: L2TP tnl 08083:00008F3B: Firmware Ver 0x1130
*Jul 8 08:13:06.688: L2TP tnl 08083:00008F3B: Hostname "
*Jul 8 08:13:06.688: L2TP tnl 08083:00008F3B: Hostname "router"
*Jul 8 08:13:06.688: L2TP tnl 08083:00008F3B: Vendor Name
*Jul 8 08:13:06.688: L2TP tnl 08083:00008F3B: "
*Jul 8 08:13:06.688: L2TP tnl 08083:00008F3B: "Cisco Systems, Inc."
*Jul 8 08:13:06.689: L2TP tnl 08083:00008F3B: Assigned Tunnel I 0x00008F3B (36667)
*Jul 8 08:13:06.689: L2TP tnl 08083:00008F3B: Recv Window Size 1024
*Jul 8 08:13:06.689: L2TP tnl 08083:00008F3B:
*Jul 8 08:13:06.689: L2TP tnl 08083:00008F3B: O SCCRP 12458/0 ns/nr 0/1. cur/max resendQ sz 0/1
*Jul 8 08:13:06.689: L2TP tnl 08083:00008F3B: Tx SCCRP, flg TLS, ver 2, len 99
*Jul 8 08:13:06.689: L2TP tnl 08083:00008F3B: tnl 12458, ns 0, nr 1
*Jul 8 08:13:06.689: contiguous pak, size 99
C8 02 00 63 30 AA 00 00 00 00 00 01 80 08 00 00 00 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 00 00 08 00 00 00 06 11 30 80 0C 00 00 00 07 72 6F 75 74 65 72 00 19 00 00 00 08 43 69 73 63 6F 20 53 79 73 74 65 6D 73 2C 20 49 6E 63 2E 80 08 00 00 00 09 8F 3B 80 08 00 00 00 0A 04 00
*Jul 8 08:13:08.594: L2TP _____:________: L2TP: Parse IETF AVP 2, len 8, flag 0x8000 (M)
*Jul 8 08:13:08.594: L2TP _____:________: L2TP: Parse IETF AVP 7, len 15, flag 0x8000 (M)
*Jul 8 08:13:08.594: L2TP _____:________: L2TP: Parse IETF AVP 3, len 10, flag 0x8000 (M)
*Jul 8 08:13:08.594: L2TP _____:________: L2TP: Parse IETF AVP 9, len 8, flag 0x8000 (M)
*Jul 8 08:13:08.594: L2TP _____:________: L2TP: Parse IETF AVP 10, len 8, flag 0x8000 (M)
*Jul 8 08:13:08.594: L2TP _____:________: No missing AVPs in SCCRQ
*Jul 8 08:13:08.594: L2TP _____:________:
*Jul 8 08:13:08.594: L2TP _____:________: Rx SCCRQ, flg TLS, ver 2, len 69
*Jul 8 08:13:08.594: L2TP _____:________: tnl 0, ns 0, nr 0
*Jul 8 08:13:08.594: L2TP _____:________: IETF v2:
*Jul 8 08:13:08.594: L2TP _____:________: Protocol Version 1, Revision 0
*Jul 8 08:13:08.594: L2TP _____:________: Framing Cap both(0x3)
*Jul 8 08:13:08.594: L2TP _____:________: Hostname "
*Jul 8 08:13:08.594: L2TP _____:________: Hostname "anonymous"
*Jul 8 08:13:08.594: L2TP _____:________: Assigned Tunnel I 0x000030AA (12458)
*Jul 8 08:13:08.594: L2TP _____:________: Recv Window Size 1
*Jul 8 08:13:08.594: L2TP _____:________:
*Jul 8 08:13:08.594: contiguous pak, size 69
C8 02 00 45 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 30 AA 80 08 00 00 00 0A 00 01
*Jul 8 08:13:08.594: L2TP _____:________: SCCRQ: processing failed: Tunnel exists, must be a duplicate SCCRQ
*Jul 8 08:13:08.594: L2TP _____:________: SCCRQ: dropping packet
*Jul 8 08:13:08.594: contiguous pak, size 69
C8 02 00 45 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00 03 00 00 00 03 80 08 00 00 00 09 30 AA 80 08 00 00 00 0A 00 01

Edited July 8, 2016 by ShyLion
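Added example, not part of ShyLion's post or of any Cisco code: a Python decoder for the two "contiguous pak" hex dumps in the debug above, following the L2TPv2 control-header and AVP layout of RFC 2661, so the raw bytes can be checked against what IOS printed (tunnel IDs, AVP lengths, hostname, receive window). The two dumps are embedded as constructed input copied from the debug; the header/length checks show what a receiver must validate before trusting an AVP list.

```python
import struct

# Constructed test input: the two "contiguous pak" hex dumps from the debug
# above, split one AVP per line (SCCRQ from the Android client, SCCRP from
# the router).
SCCRQ_HEX = (
    "C8 02 00 45 00 00 00 00 00 00 00 00 "           # header: len 69, tunnel 0, ns/nr 0/0
    "80 08 00 00 00 00 00 01 "                       # Message Type = SCCRQ
    "80 08 00 00 00 02 01 00 "                       # Protocol Version 1, Revision 0
    "80 0F 00 00 00 07 61 6E 6F 6E 79 6D 6F 75 73 "  # Host Name "anonymous"
    "80 0A 00 00 00 03 00 00 00 03 "                 # Framing Capabilities both
    "80 08 00 00 00 09 30 AA "                       # Assigned Tunnel ID 12458
    "80 08 00 00 00 0A 00 01"                        # Receive Window Size 1
)
SCCRP_HEX = (
    "C8 02 00 63 30 AA 00 00 00 00 00 01 "           # header: len 99, tunnel 12458, ns/nr 0/1
    "80 08 00 00 00 00 00 02 "                       # Message Type = SCCRP
    "80 08 00 00 00 02 01 00 "                       # Protocol Version 1, Revision 0
    "80 0A 00 00 00 03 00 00 00 00 "                 # Framing Capabilities none
    "00 08 00 00 00 06 11 30 "                       # Firmware Revision (not mandatory)
    "80 0C 00 00 00 07 72 6F 75 74 65 72 "           # Host Name "router"
    "00 19 00 00 00 08 43 69 73 63 6F 20 53 79 73 74 65 6D 73 2C 20 49 6E 63 2E "  # Vendor Name
    "80 08 00 00 00 09 8F 3B "                       # Assigned Tunnel ID 36667
    "80 08 00 00 00 0A 04 00"                        # Receive Window Size 1024
)

# IETF (vendor 0) attribute types carried by SCCRQ/SCCRP (RFC 2661, section 4.4.3).
AVP_NAMES = {0: "Message Type", 2: "Protocol Version", 3: "Framing Capabilities",
             6: "Firmware Revision", 7: "Host Name", 8: "Vendor Name",
             9: "Assigned Tunnel ID", 10: "Receive Window Size"}
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}


def parse_header(pkt):
    """Parse the fixed 12-byte L2TPv2 control header and validate its flags."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than an L2TP control header")
    flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x000F != 2:
        raise ValueError("not L2TP version 2")
    if flags & 0xC800 != 0xC800:  # T, L and S bits are mandatory on control messages
        raise ValueError("control message without T/L/S bits")
    if length != len(pkt):
        raise ValueError(f"length field {length} != {len(pkt)} bytes received")
    return {"length": length, "tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr}


def decode_value(attr, raw):
    """Decode a plaintext IETF AVP value into what IOS prints in 'debug vpdn l2x'."""
    if attr == 0:
        code = struct.unpack("!H", raw)[0]
        return MESSAGE_TYPES.get(code, code)
    if attr == 2:
        return {"version": raw[0], "revision": raw[1]}
    if attr == 3:
        caps = struct.unpack("!I", raw)[0] & 0x3  # bit 0 = sync, bit 1 = async
        return {0: "none", 1: "sync", 2: "async", 3: "both"}[caps]
    if attr in (6, 9, 10):
        return struct.unpack("!H", raw)[0]
    if attr in (7, 8):
        return raw.decode("ascii", "replace")
    return raw.hex()


def parse_avps(body):
    """Walk the AVP list: 2-byte flags/length, 2-byte vendor, 2-byte type, value."""
    avps, off = [], 0
    while off < len(body):
        if len(body) - off < 6:
            raise ValueError(f"truncated AVP header at offset {off}")
        flags_len, vendor, attr = struct.unpack("!HHH", body[off:off + 6])
        length = flags_len & 0x03FF
        if length < 6 or off + length > len(body):
            raise ValueError(f"AVP length {length} at offset {off} overruns the packet")
        raw = body[off + 6:off + length]
        avp = {"attr": attr, "vendor": vendor, "len": length,
               "mandatory": bool(flags_len & 0x8000), "hidden": bool(flags_len & 0x4000)}
        avp["name"] = AVP_NAMES.get(attr, f"IETF {attr}") if vendor == 0 else f"vendor {vendor} attr {attr}"
        # Hidden AVPs need the tunnel secret to unhide; the config above runs 'no l2tp
        # tunnel authentication', so only the raw bytes are kept for them (and for vendor AVPs).
        avp["value"] = decode_value(attr, raw) if vendor == 0 and not avp["hidden"] else raw.hex()
        avps.append(avp)
        off += length
    return avps


def decode(hex_dump):
    """Decode one control message; the first AVP must be a mandatory Message Type."""
    pkt = bytes.fromhex(hex_dump)
    header = parse_header(pkt)
    avps = parse_avps(pkt[12:])
    if not avps or avps[0]["attr"] != 0 or not avps[0]["mandatory"]:
        raise ValueError("first AVP is not a mandatory Message Type")
    return header, avps


if __name__ == "__main__":
    for label, dump in (("Rx SCCRQ", SCCRQ_HEX), ("Tx SCCRP", SCCRP_HEX)):
        header, avps = decode(dump)
        print(label, header)
        for a in avps:
            print(f"  {'M' if a['mandatory'] else ' '} {a['name']} (len {a['len']}): {a['value']!r}")
```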
ShyLion Posted July 8, 2016

Interestingly, the same config on a 3945 works with Android as well.
YuryD Posted July 8, 2016

PPTP from Android connects fine both to a Cisco 7206 and to mpd5. That's how I get to work from my smartphone.
ShyLion Posted July 8, 2016 (edited)

> PPTP from Android connects fine both to a Cisco 7206 and to mpd5. That's how I get to work from my smartphone.

That's great. Same with the 3945. The problem is only with the ASR1000 (more precisely a CSR1000V, but everything there is the same as on the ASR). And neither the ASR1000 nor the CSR1000V can do PPTP.

Edited July 8, 2016 by ShyLion
ShyLion Posted July 8, 2016

On a hardware router running asr1002x-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin the picture is the same.
unfraget Posted July 12, 2016

> On a hardware router running asr1002x-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin the picture is the same.

What bothers me is this:

Jul 8 08:13:04.546: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-sha-hmac }

I'm trying to solve a similar problem in another thread.
ShyLion Posted July 12, 2016

> > On a hardware router running asr1002x-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin the picture is the same.
>
> What bothers me is this:
>
> Jul 8 08:13:04.546: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-sha-hmac }
>
> I'm trying to solve a similar problem in another thread.

Further down it says:

*Jul 8 08:13:04.551: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.)
  INBOUND local= x.x.x.94:0, remote= y.y.y.42:0, local_proxy= x.x.x.94/255.255.255.255/17/1701, remote_proxy= y.y.y.42/255.255.255.255/17/0, protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 8 08:13:04.552: (ipsec_process_proposal)Map Accepted: L2TP_IPSec, 1

And show crypto ipsec sa shows traffic, and tcpdump on both sides shows that for some reason Android stops responding already at the L2TP stage. But only with the ASR; ISR routers work fine with it.
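Added example, not from the thread or from Cisco: a small Python triage that reads a 'debug crypto isakmp' / 'debug crypto ipsec' / 'debug vpdn l2x' capture the way the two replies above do, i.e. it records which phase 1 transforms were rejected or accepted, which IPsec proposals were refused before one was accepted, and the last L2TP control message seen, then states which layer to look at. The sample input is excerpted (with the long INBOUND line trimmed) from the capture in the first post; the "Rx SCCCN" marker is an assumed IOS wording, since that capture never gets that far.

```python
import re

# Constructed sample: lines excerpted (and the long INBOUND line trimmed) from
# the debug capture in the first post: ISAKMP phase 1, IPsec phase 2, then L2TP.
SAMPLE_LOG = """\
*Jul 8 08:13:03.166: ISAKMP:(0):Checking ISAKMP transform 1 against priority 60 policy
*Jul 8 08:13:03.166: ISAKMP: encryption AES-CBC
*Jul 8 08:13:03.166: ISAKMP: keylength of 256
*Jul 8 08:13:03.166: ISAKMP: auth pre-share
*Jul 8 08:13:03.166: ISAKMP: hash SHA
*Jul 8 08:13:03.166: ISAKMP: default group 2
*Jul 8 08:13:03.166: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 8 08:13:03.166: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 8 08:13:03.166: ISAKMP:(0):Checking ISAKMP transform 5 against priority 60 policy
*Jul 8 08:13:03.166: ISAKMP: encryption 3DES-CBC
*Jul 8 08:13:03.166: ISAKMP: auth pre-share
*Jul 8 08:13:03.166: ISAKMP: hash SHA
*Jul 8 08:13:03.166: ISAKMP: default group 2
*Jul 8 08:13:03.166: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jul 8 08:13:03.373: ISAKMP:(1022):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jul 8 08:13:04.546: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-sha-hmac }
*Jul 8 08:13:04.548: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-md5-hmac }
*Jul 8 08:13:04.551: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.)
  INBOUND local= x.x.x.94:0, remote= y.y.y.42:0, protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP), keysize= 0, flags= 0x0
*Jul 8 08:13:04.552: (ipsec_process_proposal)Map Accepted: L2TP_IPSec, 1
*Jul 8 08:13:04.666: ISAKMP:(1022):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jul 8 08:13:06.688: L2TP _____:________: Rx SCCRQ, flg TLS, ver 2, len 69
*Jul 8 08:13:06.689: L2TP tnl 08083:00008F3B: Tx SCCRP, flg TLS, ver 2, len 99
*Jul 8 08:13:08.594: L2TP _____:________: Rx SCCRQ, flg TLS, ver 2, len 69
*Jul 8 08:13:08.594: L2TP _____:________: SCCRQ: processing failed: Tunnel exists, must be a duplicate SCCRQ
"""

# Stages in the order a client passes through them. "Rx SCCCN" is the assumed
# IOS wording for the third control message; the capture above never reaches it.
STAGES = ["none", "ike-phase1", "ike-phase2", "l2tp-sccrq-rx", "l2tp-sccrp-tx", "l2tp-scccn-rx"]
STAGE_MARKERS = [("New State = IKE_P1_COMPLETE", "ike-phase1"),
                 ("New State = IKE_QM_PHASE2_COMPLETE", "ike-phase2"),
                 ("Rx SCCRQ", "l2tp-sccrq-rx"), ("Tx SCCRP", "l2tp-sccrp-tx"),
                 ("Rx SCCCN", "l2tp-scccn-rx")]

RE_P1_START = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
P1_ATTRS = {"encryption": re.compile(r"ISAKMP: encryption (\S+)"),
            "keylength": re.compile(r"ISAKMP: keylength of (\d+)"),
            "hash": re.compile(r"ISAKMP: hash (\S+)"),
            "auth": re.compile(r"ISAKMP: auth (\S+)"),
            "group": re.compile(r"ISAKMP: default group (\d+)")}
RE_P2_TRANSFORM = re.compile(r"transform= (esp-[^(]+?) \(")
RE_P2_REJECT = re.compile(r"transform proposal not supported for identity: \{([^}]+)\}")


def triage(log_text):
    """Summarise rejected/accepted proposals per phase and the last stage reached."""
    t = {"p1_rejected": [], "p1_accepted": None, "p2_rejected": [], "p2_accepted": None,
         "stage": "none", "duplicate_sccrq": 0}
    current = last_transform = None
    for line in log_text.splitlines():
        m = RE_P1_START.search(line)
        if m:  # one phase 1 transform from the peer is being compared with our policy
            current = {"transform": int(m.group(1)), "policy": int(m.group(2))}
        if current is not None:
            for key, rx in P1_ATTRS.items():
                m = rx.search(line)
                if m:
                    current[key] = m.group(1)
            if "atts are not acceptable" in line:
                t["p1_rejected"].append(current)
                current = None
            elif "atts are acceptable" in line:
                t["p1_accepted"] = t["p1_accepted"] or current
                current = None
        m = RE_P2_REJECT.search(line)
        if m:
            t["p2_rejected"].append(m.group(1).strip())
        m = RE_P2_TRANSFORM.search(line)
        if m:  # remembered so 'Map Accepted' can be tied to the transform it accepted
            last_transform = m.group(1).strip()
        if "Map Accepted" in line:
            t["p2_accepted"] = last_transform
        if "must be a duplicate SCCRQ" in line:
            t["duplicate_sccrq"] += 1
        for marker, stage in STAGE_MARKERS:
            if marker in line and STAGES.index(stage) > STAGES.index(t["stage"]):
                t["stage"] = stage
    return t


def verdict(t):
    """Name the layer to look at, checked in the order the tunnel is built."""
    if t["p1_accepted"] is None:
        return "no ISAKMP transform matched: look at 'crypto isakmp policy' (phase 1)"
    if t["p2_accepted"] is None:
        return "phase 1 up but no IPsec transform matched: look at the transform-set (phase 2)"
    if t["stage"] == "ike-phase2":
        return "IPsec SAs up but no L2TP SCCRQ received: UDP/1701 is not arriving inside ESP"
    if t["stage"] == "l2tp-sccrp-tx":
        why = "client re-sent SCCRQ instead of SCCCN" if t["duplicate_sccrq"] else "no SCCCN from client"
        return (f"IKE/IPsec fine (phase 1 transform {t['p1_accepted']['transform']}, "
                f"phase 2 {t['p2_accepted']}); L2TP stalls after our SCCRP: {why}")
    return f"reached stage {t['stage']}"
```

Run on the thread's capture it reports that phase 1 settled on transform 5 and phase 2 on esp-3des esp-sha-hmac, and that the client answered the router's SCCRP with a repeated SCCRQ, which is the same reading the replies give.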
unfraget Posted July 12, 2016

As an option, add to

crypto dynamic-map L2TP_IPSec 1
 set nat demux
 set transform-set 3DES_SHA_tr

an ACL that specifies what to "push" into the tunnel.
ShyLion Posted July 12, 2016

> As an option, add to
>
> crypto dynamic-map L2TP_IPSec 1
>  set nat demux
>  set transform-set 3DES_SHA_tr
>
> an ACL that specifies what to "push" into the tunnel.

As I said, IPsec comes up and works.
M-a-x-Z Posted March 10, 2018

So how did it go? :) Did you manage to get Android and the Cisco to be friends?
ShyLion Posted March 12, 2018

Gave up on it. It's not needed for production, and other tasks came up. Later on either the donkey will die or the shah will :)
Telesis Posted March 12, 2018

Try it like this.

no crypto isakmp default policy
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 20
 lifetime 28800
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
M-a-x-Z Posted March 12, 2018

> 6 hours ago, Telesis said:
>
> Try it like this.
>
> no crypto isakmp default policy
> !
> crypto isakmp policy 10
>  encr aes 256
>  authentication pre-share
>  group 20
>  lifetime 28800
> !
> crypto isakmp policy 20
>  encr aes 256
>  hash sha256
>  authentication pre-share
>  group 14

The situation hasn't changed. But the problem is 146% not in the isakmp policy (or at least not in compatible encryption settings). The ISAKMP policy (if I'm not mistaken) defines the negotiation parameters for IKE phase 1, which creates the tunnel for phase 2. Phase 2, judging by the logs, completes normally: "000593: Mar 12 17:57:36.654: IPSEC(create_sa): sa created," As proof, an SA gets created.

Working association from Win7:

inbound esp sas:
 spi: 0xE5D2FFA8(3855810472)
  transform: esp-3des esp-sha-hmac ,
  in use settings ={Transport UDP-Encaps, }
  conn id: 2029, flow_id: HW:29, sibling_flags FFFFFFFF80000008, crypto map: OUTSIDE
  sa timing: remaining key lifetime (k/sec): (249905/3531)
  IV size: 8 bytes
  replay detection support: Y
  Status: ACTIVE(ACTIVE)
outbound esp sas:
 spi: 0x5A95216C(1519722860)
  transform: esp-3des esp-sha-hmac ,
  in use settings ={Transport UDP-Encaps, }
  conn id: 2030, flow_id: HW:30, sibling_flags FFFFFFFF80000008, crypto map: OUTSIDE
  sa timing: remaining key lifetime (k/sec): (249952/3531)
  IV size: 8 bytes
  replay detection support: Y
  Status: ACTIVE(ACTIVE)

Association from Android:

inbound esp sas:
 spi: 0x6FFD2576(1878861174)
  transform: esp-3des esp-sha-hmac ,
  in use settings ={Transport UDP-Encaps, }
  conn id: 2027, flow_id: HW:27, sibling_flags FFFFFFFF80000008, crypto map: OUTSIDE
  sa timing: remaining key lifetime (k/sec): (4607998/3460)
  IV size: 8 bytes
  replay detection support: Y
  Status: ACTIVE(ACTIVE)
outbound esp sas:
 spi: 0xF79D634(259642932)
  transform: esp-3des esp-sha-hmac ,
  in use settings ={Transport UDP-Encaps, }
  conn id: 2028, flow_id: HW:28, sibling_flags FFFFFFFF80000008, crypto map: OUTSIDE
  sa timing: remaining key lifetime (k/sec): (0/3460)
  IV size: 8 bytes
  replay detection support: Y
  Status: ACTIVE(ACTIVE)

Here you can see that during the association the working and the non-working cases arrived at the same crypto transform. And in general everything looks neat and proper. But! a) the L2TP process does not start. b) for some reason the outbound esp sas show "remaining key lifetime=0". What that would mean, I can't figure out... It should be 4M, as with the inbound association.
Axizzz Posted March 16, 2018

Decided to add my two cents to the troubleshooting. I ran into an identical problem: for a month now I have been in an unequal battle with an ASR 1001 (it has to be set up at any cost, since the company's money has been spent). In the end we set up an l2tp/ipsec server on the ASR1001. A Windows client connects (although it does not get a private gateway address, but that's beside the point). Android (4.4), iPhone and Mac OS X refuse to connect at all. Also, judging by the logs, the impression is that the snag is either in l2tp, or in DPD, or in NAT-T. The clients connect from behind NAT, but the router itself is not behind NAT, i.e. it has a public IP. Also, by observation, the client (Android) drops the connection earlier than the Cisco does, roughly after these lines:

Mar 16 14:36:46.260: ISAKMP: (1034):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Mar 16 14:36:46.260: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 16 14:36:46.260: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Mar 16 14:36:46.260: crypto engine: updating MTU size of IPSec SA HW:54 to 1500 (overhead=58)
Mar 16 14:36:46.260: crypto_engine: Set IPSec MTU

In other words, the Cisco then runs DPD, but the client (Android) no longer answers, since it has already dropped the connection (its status changes from "Connecting" to "Disconnected"), and after that the Cisco starts deleting the SA on timeout. With Windows, on the other hand, after the same lines the L2TP log starts pouring in, as it should. Can anyone suggest at least where to dig? I have racked my brains, tried everything; I know many lines in the config may be a hundred times redundant, but while trying to fix it we tried all sorts of variants, intending to clean up afterwards. The box has no support contract, so my only hope is the seasoned forum members. I have started to think the problem is in the ASR, maybe a bug, maybe something else, and I could not find anyone's l2tp/ipsec config specifically for the ASR 1000 series. Could someone share one?
Attaching the config and the logs "from start to finish" (with debug enabled for isakmp, ipsec, l2tp all and aaa).

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service unsupported-transceiver
no platform punt-keepalive disable-kernel-core
!
aaa new-model
!
aaa group server radius DC1/DC2
 server name DC1
 server name DC2
 deadtime 15
!
aaa authentication ppp default group DC1/DC2
aaa authorization exec default local
aaa authorization network default group DC1/DC2
aaa accounting network default
 action-type start-stop
 group DC1/DC2
!
aaa session-id common
aaa policy interface-config allow-subinterface
!
ip name-server 192.168.100.14 192.168.100.1
ip domain name nvk.ru
ip dhcp excluded-address 10.25.1.1 10.25.1.10
!
ip dhcp pool L2TP_pool
 import all
 network 10.25.1.0 255.255.255.0
 default-router 10.25.1.1
 dns-server 192.168.100.14 192.168.100.1
 domain-name domain.ru
 lease 3
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
vpdn logging
vpdn logging local
!
vpdn-group L2TP/IPSEC/PPTP
 ! Default L2TP VPDN group
 description L2TP/IPSEC/PPTP
 accept-dialin
  protocol l2tp
  virtual-template 25
 lcp renegotiation always
 no l2tp tunnel authentication
 l2tp ip udp checksum
 ip pmtu
 ip mtu adjust
crypto keyring L2TP_keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key KEY
crypto logging session
crypto logging ezvpn
crypto logging ikev2
!
crypto isakmp policy 90
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 110
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key KEY address 0.0.0.0 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 5 periodic
crypto isakmp profile L2TP
   keyring L2TP_keyring
   match identity address 0.0.0.0
   keepalive 120 retry 5
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set L2TP_TS1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set L2TP_TS2 esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP_TS3 esp-aes esp-md5-hmac
 mode transport
crypto ipsec transform-set L2TP_TS4 esp-aes esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP_dynmap 100
 set transform-set L2TP_TS4 L2TP_TS3 L2TP_TS2 L2TP_TS1
 set isakmp-profile L2TP
 reverse-route
!
crypto map L2TP_ipsec 100 ipsec-isakmp dynamic L2TP_dynmap
!
interface Loopback25
 description Loopback for VPN ROAD WARRIOR
 ip address 10.25.1.1 255.255.255.0
 zone-member security LAN
 crypto map L2TP_ipsec
!
interface GigabitEthernet0/0/0
 description I WAN
 ip address 89.xx.xx.xx 255.255.255.224
 ip nat outside
 zone-member security IntInform
 negotiation auto
 nat64 enable
 no mop enabled
 crypto map L2TP_ipsec
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description II WAN
 no ip address
 ip nat outside
 zone-member security MagTelecom
 negotiation auto
 nat64 enable
 no mop enabled
 crypto map L2TP_ipsec
 ip virtual-reassembly
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
 nat64 enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/3
 description LAN
 ip address 192.168.0.2 255.255.0.0
 ip nat inside
 zone-member security LAN
 negotiation auto
 nat64 enable
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.0.10 255.255.0.0
 negotiation auto
!
interface Virtual-Template25
 description L2TP IPSEC ROAD WARRIOR
 ip unnumbered Loopback25
 ip mtu 1400
 zone-member security LAN
 ip tcp adjust-mss 1360
 peer default ip address dhcp-pool L2TP_pool
 no keepalive
 ppp mtu adaptive
 ppp authentication pap chap ms-chap ms-chap-v2
 ppp ipcp dns 192.168.100.14 192.168.100.1
 ppp multilink
!
radius server DC1
 address ipv4 192.168.100.1 auth-port 1812 acct-port 1813
 key 7 KEY
!
radius server DC2
 address ipv4 192.168.100.14 auth-port 1812 acct-port 1813
 key 7 KEY

Debug log:

Mar 16 14:36:44.931: ISAKMP-PAK: (0):received packet from 31.xx.xx.xx dport 500 sport 9868 Global (N) NEW SA
Mar 16 14:36:44.931: ISAKMP: (0):Created a peer struct for 31.xx.xx.xx, peer port 9868
Mar 16 14:36:44.931: ISAKMP: (0):New peer created peer = 0x7F5FED5753D8 peer_handle = 0x8000003A
Mar 16 14:36:44.931: ISAKMP: (0):Locking peer struct 0x7F5FED5753D8, refcount 1 for crypto_isakmp_process_block
Mar 16 14:36:44.931: ISAKMP: (0):local port 500, remote port 9868
Mar 16 14:36:44.931: crypto_engine_select_crypto_engine: can't handle any more
Mar 16 14:36:44.932: ISAKMP: (0):insert sa successfully sa = 7F5FEDD339B0
Mar 16 14:36:44.932: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 16 14:36:44.932: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
Mar 16 14:36:44.932: ISAKMP: (0):processing SA payload. message ID = 0
Mar 16 14:36:44.932: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Mar 16 14:36:44.932: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Mar 16 14:36:44.932: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID is NAT-T v2
Mar 16 14:36:44.932: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Mar 16 14:36:44.932: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):processing IKE frag vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):Support for IKE Fragmentation not enabled
Mar 16 14:36:44.932: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.932: ISAKMP: (0):vendor ID is DPD
Mar 16 14:36:44.932: ISAKMP: (0):found peer pre-shared key matching 31.xx.xx.xx
Mar 16 14:36:44.932: ISAKMP: (0):local preshared key found
Mar 16 14:36:44.932: ISAKMP: (0):Scanning profiles for xauth ... L2TP
Mar 16 14:36:44.932: ISAKMP: (0):Checking ISAKMP transform 1 against priority 90 policy
Mar 16 14:36:44.932: ISAKMP: (0): life type in seconds
Mar 16 14:36:44.932: ISAKMP: (0): life duration (basic) of 28800
Mar 16 14:36:44.932: ISAKMP: (0): encryption AES-CBC
Mar 16 14:36:44.932: ISAKMP: (0): keylength of 256
Mar 16 14:36:44.932: ISAKMP: (0): auth pre-share
Mar 16 14:36:44.932: ISAKMP: (0): hash SHA
Mar 16 14:36:44.932: ISAKMP: (0): default group 2
Mar 16 14:36:44.932: ISAKMP-ERROR: (0):Proposed key length does not match policy
Mar 16 14:36:44.932: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar 16 14:36:44.932: ISAKMP: (0):Checking ISAKMP transform 2 against priority 90 policy
Mar 16 14:36:44.932: ISAKMP: (0): life type in seconds
Mar 16 14:36:44.932: ISAKMP: (0): life duration (basic) of 28800
Mar 16 14:36:44.932: ISAKMP: (0): encryption AES-CBC
Mar 16 14:36:44.932: ISAKMP: (0): keylength of 256
Mar 16 14:36:44.932: ISAKMP: (0): auth pre-share
Mar 16 14:36:44.932: ISAKMP: (0): hash MD5
Mar 16 14:36:44.932: ISAKMP: (0): default group 2
Mar 16 14:36:44.932: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
Mar 16 14:36:44.932: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar 16 14:36:44.932: ISAKMP: (0):Checking ISAKMP transform 3 against priority 90 policy
Mar 16 14:36:44.932: ISAKMP: (0): life type in seconds
Mar 16 14:36:44.932: ISAKMP: (0): life duration (basic) of 28800
Mar 16 14:36:44.932: ISAKMP: (0): encryption AES-CBC
Mar 16 14:36:44.932: ISAKMP: (0): keylength of 128
Mar 16 14:36:44.932: ISAKMP: (0): auth pre-share
Mar 16 14:36:44.932: ISAKMP: (0): hash SHA
Mar 16 14:36:44.932: ISAKMP: (0): default group 2
Mar 16 14:36:44.932: ISAKMP: (0):atts are acceptable. Next payload is 3
Mar 16 14:36:44.932: ISAKMP: (0):Acceptable atts:actual life: 86400
Mar 16 14:36:44.932: ISAKMP: (0):Acceptable atts:life: 0
Mar 16 14:36:44.932: ISAKMP: (0):Basic life_in_seconds:28800
Mar 16 14:36:44.932: ISAKMP: (0):Returning Actual lifetime: 28800
Mar 16 14:36:44.932: ISAKMP: (0):Started lifetime timer: 28800.
Mar 16 14:36:44.932: crypto_engine_select_crypto_engine: can't handle any more
Mar 16 14:36:44.932: crypto_engine: Create DH
Mar 16 14:36:44.934: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Mar 16 14:36:44.934: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID seems Unity/DPD but major 164 mismatch
Mar 16 14:36:44.934: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID is NAT-T v2
Mar 16 14:36:44.934: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID seems Unity/DPD but major 221 mismatch
Mar 16 14:36:44.934: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):processing IKE frag vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):Support for IKE Fragmentation not enabled
Mar 16 14:36:44.934: ISAKMP: (0):processing vendor id payload
Mar 16 14:36:44.934: ISAKMP: (0):vendor ID is DPD
Mar 16 14:36:44.934: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 16 14:36:44.934: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Mar 16 14:36:44.934: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
Mar 16 14:36:44.934: ISAKMP-PAK: (0):sending packet to 31.xx.xx.xx my_port 500 peer_port 9868 (R) MM_SA_SETUP
Mar 16 14:36:44.934: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 16 14:36:44.934: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 16 14:36:44.935: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Mar 16 14:36:45.080: ISAKMP-PAK: (0):received packet from 31.xx.xx.xx dport 500 sport 9868 Global (R) MM_SA_SETUP
Mar 16 14:36:45.080: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 16 14:36:45.080: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Mar 16 14:36:45.080: ISAKMP: (0):processing KE payload. message ID = 0
Mar 16 14:36:45.080: crypto_engine: Create DH shared secret
Mar 16 14:36:45.082: ISAKMP: (0):processing NONCE payload. message ID = 0
Mar 16 14:36:45.082: ISAKMP: (0):found peer pre-shared key matching 31.xx.xx.xx
Mar 16 14:36:45.082: crypto_engine: Create IKE SA
Mar 16 14:36:45.082: crypto engine: deleting DH phase 2 SW:74
Mar 16 14:36:45.082: crypto_engine: Delete DH shared secret
Mar 16 14:36:45.082: ISAKMP: (1034):received payload type 20
Mar 16 14:36:45.082: ISAKMP: (1034):His hash no match - this node outside NAT
Mar 16 14:36:45.082: ISAKMP: (1034):received payload type 20
Mar 16 14:36:45.082: ISAKMP: (1034):His hash no match - this node outside NAT
Mar 16 14:36:45.082: ISAKMP: (1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 16 14:36:45.082: ISAKMP: (1034):Old State = IKE_R_MM3 New State = IKE_R_MM3
Mar 16 14:36:45.082: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 500 peer_port 9868 (R) MM_KEY_EXCH
Mar 16 14:36:45.082: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:36:45.082: ISAKMP: (1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 16 14:36:45.082: ISAKMP: (1034):Old State = IKE_R_MM3 New State = IKE_R_MM4
Mar 16 14:36:45.141: ISAKMP-PAK: (1034):received packet from 31.xx.xx.xx dport 4500 sport 50159 Global (R) MM_KEY_EXCH
Mar 16 14:36:45.141: crypto_engine: Decrypt IKE packet
Mar 16 14:36:45.141: ISAKMP: (1034):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 16 14:36:45.141: ISAKMP: (1034):Old State = IKE_R_MM4 New State = IKE_R_MM5
Mar 16 14:36:45.141: ISAKMP: (1034):processing ID payload. message ID = 0
Mar 16 14:36:45.141: ISAKMP: (1034):ID payload next-payload : 8 type : 1
Mar 16 14:36:45.141: ISAKMP: (1034): address : 10.249.191.92
Mar 16 14:36:45.141: ISAKMP: (1034): protocol : 17 port : 500 length : 12
Mar 16 14:36:45.141: ISAKMP: (0):peer matches L2TP profile
Mar 16 14:36:45.141: ISAKMP: (1034):Found ADDRESS key in keyring L2TP_keyring
Mar 16 14:36:45.141: ISAKMP: (1034):processing HASH payload. message ID = 0
Mar 16 14:36:45.141: crypto_engine: Generate IKE hash
Mar 16 14:36:45.141: ISAKMP: (1034):SA authentication status: authenticated
Mar 16 14:36:45.141: ISAKMP: (1034):SA has been authenticated with 31.xx.xx.xx
Mar 16 14:36:45.141: ISAKMP: (1034):Detected port floating to port = 50159
Mar 16 14:36:45.141: ISAKMP: (0):Trying to insert a peer 89.yy.yy.yy/31.xx.xx.xx/50159/,
Mar 16 14:36:45.141: ISAKMP: (0): and inserted successfully 7F5FED5753D8.
Mar 16 14:36:45.143: ISAKMP: (1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 16 14:36:45.143: ISAKMP: (1034):Old State = IKE_R_MM5 New State = IKE_R_MM5
Mar 16 14:36:45.143: ISAKMP: (1034):SA is doing
Mar 16 14:36:45.143: ISAKMP: (1034):pre-shared key authentication using id type ID_IPV4_ADDR
Mar 16 14:36:45.143: ISAKMP: (1034):ID payload next-payload : 8 type : 1
Mar 16 14:36:45.143: ISAKMP: (1034): address : 89.yy.yy.yy
Mar 16 14:36:45.143: ISAKMP: (1034): protocol : 17 port : 0 length : 12
Mar 16 14:36:45.143: ISAKMP: (1034):Total payload length: 12
Mar 16 14:36:45.143: crypto_engine: Generate IKE hash
Mar 16 14:36:45.143: crypto_engine: Encrypt IKE packet
Mar 16 14:36:45.143: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) MM_KEY_EXCH
Mar 16 14:36:45.143: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:36:45.144: ISAKMP: (1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 16 14:36:45.144: ISAKMP: (1034):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Mar 16 14:36:45.144: ISAKMP: (1034):IKE_DPD is enabled, initializing timers
Mar 16 14:36:45.144: ISAKMP: (1034):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 16 14:36:45.144: ISAKMP: (1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 16 14:36:45.180: ISAKMP-PAK: (1034):received packet from 31.xx.xx.xx dport 4500 sport 50159 Global (R) QM_IDLE
Mar 16 14:36:45.180: ISAKMP: (1034):set new node 3214878306 to QM_IDLE
Mar 16 14:36:45.180: crypto_engine: Decrypt IKE packet
Mar 16 14:36:45.180: crypto_engine: Generate IKE hash
Mar 16 14:36:45.180: ISAKMP: (1034):processing HASH payload. message ID = 3214878306
Mar 16 14:36:45.180: ISAKMP: (1034):processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 3214878306, sa = 0x7F5FEDD339B0
Mar 16 14:36:45.180: ISAKMP: (1034):SA authentication status: authenticated
Mar 16 14:36:45.180: ISAKMP: (1034):Process initial contact, bring down existing phase 1 and 2 SA's with local 89.yy.yy.yy remote 31.xx.xx.xx remote port 50159
Mar 16 14:36:45.180: ISAKMP: (1034):deleting node 3214878306 error FALSE reason "Informational (in) state 1"
Mar 16 14:36:45.180: ISAKMP: (1034):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar 16 14:36:45.180: ISAKMP: (1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 16 14:36:45.180: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 16 14:36:46.212: ISAKMP-PAK: (1034):received packet from 31.xx.xx.xx dport 4500 sport 50159 Global (R) QM_IDLE
Mar 16 14:36:46.212: ISAKMP: (1034):set new node 2956598744 to QM_IDLE
Mar 16 14:36:46.212: crypto_engine: Decrypt IKE packet
Mar 16 14:36:46.212: crypto_engine: Generate IKE hash
Mar 16 14:36:46.212: ISAKMP: (1034):processing HASH payload. message ID = 2956598744
Mar 16 14:36:46.212: ISAKMP: (1034):processing SA payload. message ID = 2956598744
Mar 16 14:36:46.212: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.212: ISAKMP: (1034):transform 1, ESP_AES
Mar 16 14:36:46.212: ISAKMP: (1034): attributes in transform:
Mar 16 14:36:46.212: ISAKMP: (1034): SA life type in seconds
Mar 16 14:36:46.212: ISAKMP: (1034): SA life duration (basic) of 28800
Mar 16 14:36:46.212: ISAKMP: (1034): encaps is 4 (Transport-UDP)
Mar 16 14:36:46.212: ISAKMP: (1034): key length is 256
Mar 16 14:36:46.212: ISAKMP: (1034): authenticator is HMAC-SHA
Mar 16 14:36:46.212: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.212: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.212: ISAKMP: (1034):transform 2, ESP_AES
Mar 16 14:36:46.212: ISAKMP: (1034): attributes in transform:
Mar 16 14:36:46.212: ISAKMP: (1034): SA life type in seconds
Mar 16 14:36:46.212: ISAKMP: (1034): SA life duration (basic) of 28800
Mar 16 14:36:46.212: ISAKMP: (1034): encaps is 4 (Transport-UDP)
Mar 16 14:36:46.212: ISAKMP: (1034): key length is 256
Mar 16 14:36:46.212: ISAKMP: (1034): authenticator is HMAC-MD5
Mar 16 14:36:46.212: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.212: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.212: ISAKMP: (1034):transform 3, ESP_AES
Mar 16 14:36:46.212: ISAKMP: (1034): attributes in transform:
Mar 16 14:36:46.212: ISAKMP: (1034): SA life type in seconds
Mar 16 14:36:46.212: ISAKMP: (1034): SA life duration (basic) of 28800
Mar 16 14:36:46.212: ISAKMP: (1034): encaps is 4 (Transport-UDP)
Mar 16 14:36:46.212: ISAKMP: (1034): key length is 128
Mar 16 14:36:46.212: ISAKMP: (1034): authenticator is HMAC-SHA
Mar 16 14:36:46.212: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.212: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.212: ISAKMP: (1034):transform 4, ESP_AES
Mar 16 14:36:46.212: ISAKMP: (1034): attributes in transform:
Mar 16 14:36:46.212: ISAKMP: (1034): SA life type in seconds
Mar 16 14:36:46.212: ISAKMP: (1034): SA life duration (basic) of 28800
Mar 16 14:36:46.212: ISAKMP: (1034): encaps is 4 (Transport-UDP)
Mar 16 14:36:46.212: ISAKMP: (1034): key length is 128
Mar 16 14:36:46.212: ISAKMP: (1034): authenticator is HMAC-MD5
Mar 16 14:36:46.212: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.212: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.212: ISAKMP: (1034):transform 5, ESP_3DES
Mar 16 14:36:46.212: ISAKMP: (1034): attributes in transform:
Mar 16 14:36:46.212: ISAKMP: (1034): SA life type in seconds
Mar 16 14:36:46.212: ISAKMP: (1034): SA life duration (basic) of 28800
Mar 16 14:36:46.212: ISAKMP: (1034): encaps is 4 (Transport-UDP)
Mar 16 14:36:46.212: ISAKMP: (1034): authenticator is HMAC-SHA
Mar 16 14:36:46.212: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.212: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.212: ISAKMP: (1034):transform 6, ESP_3DES
Mar 16 14:36:46.212: ISAKMP: (1034): attributes in transform:
Mar 16 14:36:46.212: ISAKMP: (1034): SA life type in seconds
Mar 16 14:36:46.212: ISAKMP: (1034): SA life duration (basic) of 28800
Mar 16 14:36:46.213: ISAKMP: (1034): encaps is 4 (Transport-UDP)
Mar 16 14:36:46.213: ISAKMP: (1034): authenticator is HMAC-MD5
Mar 16 14:36:46.213: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.213: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.213: ISAKMP: (1034):transform 7, ESP_DES
Mar 16 14:36:46.213: ISAKMP: (1034): attributes in transform:
Mar 16 14:36:46.213: ISAKMP: (1034): SA life type in seconds
Mar 16 14:36:46.213: ISAKMP: (1034): SA life duration (basic) of 28800
Mar 16 14:36:46.213: ISAKMP: (1034): encaps is 4 (Transport-UDP)
Mar 16 14:36:46.213: ISAKMP: (1034): authenticator is HMAC-SHA
Mar 16 14:36:46.213: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.213: ISAKMP: (1034):Checking IPSec proposal 1
Mar 16 14:36:46.213: ISAKMP: (1034):transform 8, ESP_DES
Mar 16 14:36:46.213: ISAKMP: (1034): attributes in transform:
Mar 16 14:36:46.213: ISAKMP: (1034): SA life type in seconds
Mar 16 14:36:46.213: ISAKMP: (1034): SA life duration (basic) of 28800
Mar 16 14:36:46.213: ISAKMP: (1034): encaps is 4 (Transport-UDP)
Mar 16 14:36:46.213: ISAKMP: (1034): authenticator is HMAC-MD5
Mar 16 14:36:46.213: ISAKMP: (1034):atts are acceptable.
Mar 16 14:36:46.213: IPSEC(validate_proposal_request): proposal part #1
Mar 16 14:36:46.213: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0, local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701, remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0, protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Mar 16 14:36:46.213: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-sha-hmac }
Mar 16 14:36:46.213: ISAKMP-ERROR: (1034):IPSec policy invalidated proposal with error 256
Mar 16 14:36:46.215: IPSEC(validate_proposal_request): proposal part #1
Mar 16 14:36:46.215: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0, local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701, remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0, protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Mar 16 14:36:46.215: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-md5-hmac }
Mar 16 14:36:46.216: ISAKMP-ERROR: (1034):IPSec policy invalidated proposal with error 256
Mar 16 14:36:46.218: IPSEC(validate_proposal_request): proposal part #1
Mar 16 14:36:46.218: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0, local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701, remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0, protocol= ESP, transform= esp-aes esp-sha-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Mar 16 14:36:46.218: (ipsec_process_proposal)Map Accepted: L2TP_dynmap, 100
Mar 16 14:36:46.218: ISAKMP: (1034):processing NONCE payload. message ID = 2956598744
Mar 16 14:36:46.218: ISAKMP: (1034):processing ID payload. message ID = 2956598744
Mar 16 14:36:46.218: ISAKMP: (1034):processing ID payload. message ID = 2956598744
Mar 16 14:36:46.218: ISAKMP: (1034):QM Responder gets spi
Mar 16 14:36:46.218: ISAKMP: (1034):Node 2956598744, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 16 14:36:46.218: ISAKMP: (1034):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Mar 16 14:36:46.218: crypto_engine: Generate IKE hash
Mar 16 14:36:46.218: ISAKMP: (1034):Node 2956598744, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Mar 16 14:36:46.218: ISAKMP: (1034):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
Mar 16 14:36:46.218: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 16 14:36:46.218: IPSEC(crypto_ipsec_create_ipsec_sas): Map found L2TP_dynmap, 100
Mar 16 14:36:46.218: crypto_engine: Generate IKE QM keys
Mar 16 14:36:46.218: crypto_engine: Create IPSec SA (by keys)
Mar 16 14:36:46.218: crypto_engine: Generate IKE QM keys
Mar 16 14:36:46.218: crypto_engine: Create IPSec SA (by keys)
Mar 16 14:36:46.218: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F5FE1ED37E8
Mar 16 14:36:46.219: IPSEC(create_sa): sa created, (sa) sa_dest= 89.yy.yy.yy, sa_proto= 50, sa_spi= 0x1FB4AB52(531934034), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2053 sa_lifetime(k/sec)= (4608000/28800), (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0, local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701, remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0
Mar 16 14:36:46.219: IPSEC(create_sa): sa created, (sa) sa_dest= 31.xx.xx.xx, sa_proto= 50, sa_spi= 0x81D6A4C(136145484), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2054 sa_lifetime(k/sec)= (4608000/28800), (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0, local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701, remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0
Mar 16 14:36:46.222: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
Mar 16 14:36:46.222: IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Static keyword or dynamic SA create for 31.xx.xx.xx
Mar 16 14:36:46.222: ISAKMP: (1034):Received IPSec Install callback... proceeding with the negotiation
Mar 16 14:36:46.222: ISAKMP: (1034):Successfully installed IPSEC SA (SPI:0x1FB4AB52) on GigabitEthernet0/0/0
Mar 16 14:36:46.222: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 31.xx.xx.xx:50159 Id: 10.249.191.92
Mar 16 14:36:46.222: crypto_engine: Encrypt IKE packet
Mar 16 14:36:46.222: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:36:46.222: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:36:46.222: ISAKMP: (1034):Node 2956598744, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Mar 16 14:36:46.222: ISAKMP: (1034):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
Mar 16 14:36:46.260: ISAKMP-PAK: (1034):received packet from 31.xx.xx.xx dport 4500 sport 50159 Global (R) QM_IDLE
Mar 16 14:36:46.260: crypto_engine: Decrypt IKE packet
Mar 16 14:36:46.260: crypto_engine: Generate IKE hash
Mar 16 14:36:46.260: ISAKMP: (1034):deleting node 2956598744 error FALSE reason "QM done (await)"
Mar 16 14:36:46.260: ISAKMP: (1034):Node 2956598744, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 16 14:36:46.260: ISAKMP: (1034):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Mar 16 14:36:46.260: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 16 14:36:46.260: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Mar 16 14:36:46.260: crypto engine: updating MTU size of IPSec SA HW:54 to 1500 (overhead=58)
Mar 16 14:36:46.260: crypto_engine: Set IPSec MTU
Mar 16 14:36:49.483: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:034 TS:00001203763520680702 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 77.72.85.104:45149 => 89.yy.yy.yy:19869(target:class)-(IntInform_self:class-default) due to Policy drop:classify result with ip ident 64608 tcp flag 0x2, seq 138516001, ack 0
Mar 16 14:36:52.666: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:023 TS:00001203766695216412 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from GigabitEthernet0/0/0 187.10.19.36:16636 => 89.yy.yy.yy:23 (target:class)-(IntInform_self:class-default)
Mar 16 14:37:35.180: ISAKMP: (1034):purging node 3214878306
Mar 16 14:37:36.260: ISAKMP: (1034):purging node 2956598744
Mar 16 14:37:52.818: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:030 TS:00001203826695380378 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from GigabitEthernet0/0/0 77.72.85.104:45149 => 89.yy.yy.yy:19869 (target:class)-(IntInform_self:class-default)
Mar 16 14:38:04.466: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:098 TS:00001203838314227146 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 14.142.30.148:10110 => 89.yy.yy.yy:23(target:class)-(IntInform_self:class-default) due to Policy drop:classify result with ip ident 23908 tcp flag 0x2, seq 2099419365, ack 0
Mar 16 14:38:22.894: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:035 TS:00001203856696041123 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from GigabitEthernet0/0/0 77.72.85.104:45149 => 89.yy.yy.yy:14580 (target:class)-(IntInform_self:class-default)
Mar 16 14:38:45.143: ISAKMP: (1034):set new node 2454442962 to QM_IDLE
Mar 16 14:38:45.144: crypto_engine: Generate IKE hash
Mar 16 14:38:45.144: crypto_engine: Encrypt IKE packet
Mar 16 14:38:45.144: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:38:45.144: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:38:45.144: ISAKMP: (1034):purging node 2454442962
Mar 16 14:38:45.144: ISAKMP: (1034):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Mar 16 14:38:45.144: ISAKMP: (1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 16 14:38:46.044: AAA/AUTHOR: auth_need : user= 'admin' ruser= 'ASR1001'rem_addr= '192.168.5.5' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Mar 16 14:38:50.144: ISAKMP-ERROR: (1034):DPD incrementing error counter (1/5)
Mar 16 14:38:50.144: ISAKMP: (1034):set new node 414223230 to QM_IDLE
Mar 16 14:38:50.144: crypto_engine: Generate IKE hash
Mar 16 14:38:50.144: crypto_engine: Encrypt IKE packet
Mar 16 14:38:50.144: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:38:50.144: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:38:50.144: ISAKMP: (1034):purging node 414223230
Mar 16 14:38:50.144: ISAKMP: (1034):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
Mar 16 14:38:50.144: ISAKMP: (1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 16 14:38:55.144: ISAKMP-ERROR: (1034):DPD incrementing error counter (2/5)
Mar 16 14:38:55.144: ISAKMP: (1034):set new node 286657848 to QM_IDLE
Mar 16 14:38:55.144: crypto_engine: Generate IKE hash
Mar 16 14:38:55.144: crypto_engine: Encrypt IKE packet
Mar 16 14:38:55.144: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:38:55.144: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:38:55.144: ISAKMP: (1034):purging node 286657848
Mar 16 14:38:55.144: ISAKMP: (1034):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
Mar 16 14:38:55.144: ISAKMP: (1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 16 14:38:59.798: AAA/AUTHOR: auth_need : user= 'admin' ruser= 'ASR1001'rem_addr= '192.168.5.5' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Mar 16 14:39:00.144: ISAKMP-ERROR: (1034):DPD incrementing error counter (3/5)
Mar 16 14:39:00.144: ISAKMP: (1034):set new node 251706455 to QM_IDLE
Mar 16 14:39:00.144: crypto_engine: Generate IKE hash
Mar 16 14:39:00.144: crypto_engine: Encrypt IKE packet
Mar 16 14:39:00.144: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:39:00.145: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:39:00.145: ISAKMP: (1034):purging node 251706455
Mar 16 14:39:00.145: ISAKMP: (1034):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
Mar 16 14:39:00.145: ISAKMP: (1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 16 14:39:05.145: ISAKMP-ERROR: (1034):DPD incrementing error counter (4/5)
Mar 16 14:39:05.145: ISAKMP: (1034):set new node 1055979028 to QM_IDLE
Mar 16 14:39:05.145: crypto_engine: Generate IKE hash
Mar 16 14:39:05.145: crypto_engine: Encrypt IKE packet
Mar 16 14:39:05.145: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:39:05.145: ISAKMP: (1034):Sending an IKE IPv4 Packet.
Mar 16 14:39:05.145: ISAKMP: (1034):purging node 1055979028
Mar 16 14:39:05.145: ISAKMP: (1034):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
Mar 16 14:39:05.145: ISAKMP: (1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 16 14:39:10.145: ISAKMP-ERROR: (1034):DPD incrementing error counter (5/5)
Mar 16 14:39:10.145: ISAKMP-ERROR: (1034):Peer 31.xx.xx.xx not responding!
Mar 16 14:39:10.147: ISAKMP: (1034):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE Mar 16 14:39:10.147: ISAKMP: (1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Mar 16 14:39:10.147: IPSEC(key_engine): got a queue event with 1 KMI message(s) Mar 16 14:39:10.147: Delete IPsec SA by DPD, local 89.yy.yy.yy remote 31.xx.xx.xx peer port 50159 Mar 16 14:39:10.147: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 89.yy.yy.yy, sa_proto= 50, sa_spi= 0x1FB4AB52(531934034), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2053 sa_lifetime(k/sec)= (4608000/28800), (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0, local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701, remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0 Mar 16 14:39:10.147: IPSEC(delete_sa): SA found saving DEL kmi Mar 16 14:39:10.147: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 31.xx.xx.xx, sa_proto= 50, sa_spi= 0x81D6A4C(136145484), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2054 sa_lifetime(k/sec)= (4608000/28800), (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0, local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701, remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0 Mar 16 14:39:10.147: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list Mar 16 14:39:10.147: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list Mar 16 14:39:10.147: IPSEC(update_current_outbound_sa): updated peer 31.xx.xx.xx current outbound sa to SPI 0 Mar 16 14:39:10.147: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 89.yy.yy.yy, sa_proto= 50, sa_spi= 0x1FB4AB52(531934034), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2053 sa_lifetime(k/sec)= (4608000/28800), (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0, local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701, remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0 Mar 16 14:39:10.147: IPSEC(delete_sa): SA found saving DEL kmi Mar 16 14:39:10.147: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 31.xx.xx.xx, sa_proto= 50, sa_spi= 0x81D6A4C(136145484), 
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2054 sa_lifetime(k/sec)= (4608000/28800), (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0, local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701, remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0 Mar 16 14:39:10.147: IPSEC(sibling_delete_notify_ident_action): Ident down, not sending DECR/DELETE Mar 16 14:39:10.147: crypto engine: deleting IPSec SA HW:53 Mar 16 14:39:10.147: crypto_engine: Delete IPSec SA Mar 16 14:39:10.147: crypto engine: deleting IPSec SA HW:54 Mar 16 14:39:10.147: crypto_engine: Delete IPSec SA Mar 16 14:39:10.148: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB IPSEC get IKMP peer index from peer 0x7F5FE1ED37E8 ikmp handle 0x8000003A IPSEC IKMP peer index 0 [ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x24000035,peer index 0 Mar 16 14:39:10.148: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 31.xx.xx.xx:50159 Id: 10.249.191.92 Mar 16 14:39:10.148: ISAKMP: (1034):set new node 488885328 to QM_IDLE Mar 16 14:39:10.148: crypto_engine: Generate IKE hash Mar 16 14:39:10.148: crypto_engine: Encrypt IKE packet Mar 16 14:39:10.148: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE Mar 16 14:39:10.148: ISAKMP: (1034):Sending an IKE IPv4 Packet. Mar 16 14:39:10.148: ISAKMP: (1034):purging node 488885328 Mar 16 14:39:10.148: ISAKMP: (1034):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL Mar 16 14:39:10.148: ISAKMP: (1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Mar 16 14:39:10.148: ISAKMP: (1034):No more ipsec tunnels for this SA. Mar 16 14:39:10.148: ISAKMP: (1034):peer does not do paranoid keepalives. 
Mar 16 14:39:10.148: ISAKMP: (1034):deleting SA reason "End of ipsec tunnel" state (R) QM_IDLE (peer 31.xx.xx.xx) Mar 16 14:39:10.148: IPSEC(key_engine): got a queue event with 1 KMI message(s) Mar 16 14:39:10.148: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message Mar 16 14:39:10.148: ISAKMP (1034): IPSec has no more SA's with this peer. Won't keepalive phase 1. Mar 16 14:39:10.148: ISAKMP: (1034):set new node 3190534613 to QM_IDLE Mar 16 14:39:10.148: crypto_engine: Generate IKE hash Mar 16 14:39:10.148: crypto_engine: Encrypt IKE packet Mar 16 14:39:10.148: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE Mar 16 14:39:10.148: ISAKMP: (1034):Sending an IKE IPv4 Packet. Mar 16 14:39:10.148: ISAKMP: (1034):purging node 3190534613 Mar 16 14:39:10.149: ISAKMP: (1034):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL Mar 16 14:39:10.149: ISAKMP: (1034):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA Mar 16 14:39:10.149: ISAKMP: (1034):deleting SA reason "End of ipsec tunnel" state (R) QM_IDLE (peer 31.xx.xx.xx) Mar 16 14:39:10.149: ISAKMP: (0):Unlocking peer struct 0x7F5FED5753D8 for isadb_mark_sa_deleted(), count 0 Mar 16 14:39:10.149: ISAKMP-ERROR: (0):crypto_ikmp_dpd_refcount_zero: Freeing dpd profile_name L2TP Mar 16 14:39:10.149: ISAKMP: (0):Deleting peer node by peer_reap for 31.xx.xx.xx: 7F5FED5753D8 Mar 16 14:39:10.152: crypto engine: deleting IKE SA SW:34 Mar 16 14:39:10.152: crypto engine: deleting DH SW:73 Mar 16 14:39:10.152: crypto_engine: Delete DH Mar 16 14:39:10.152: crypto_engine: Delete IKE SA Mar 16 14:39:10.152: ISAKMP: (1034):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Mar 16 14:39:10.152: ISAKMP: (1034):Old State = IKE_DEST_SA New State = IKE_DEST_SA Mar 16 14:39:10.152: IPSEC(key_engine): got a queue event with 1 KMI message(s) Вставить ник Quote Ответить с цитированием Share this post Link to post Share on other sites More sharing options...
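What the debug above shows is a Dead Peer Detection failure, not an authentication or proposal problem: the router sends five DPD R-U-THERE probes five seconds apart, the client never answers, and after the fifth miss the router declares the peer dead and tears down the IPsec SAs (proxy identity UDP/1701, i.e. the L2TP control channel) and then the IKE SA. The probes go to port 50159 via local port 4500, so NAT-T was negotiated and the client sits behind a NAT. The following script is an added example, not code from the thread or from Cisco: it replays ISAKMP/IPsec debug lines of the format visible above and reconstructs that timeline, which is useful when you are deciding whether a drop was caused by the client going silent (as here) or by something on the router. The sample log is an abridged, constructed copy of the output posted above, and the regular expressions are assumptions about the message format of this IOS-XE release; other releases may word the lines differently.

```python
"""Reconstruct a DPD failure timeline from Cisco ISAKMP/IPsec debug output.

Added example, not code from the thread. It only knows the message
formats seen in the post above; the regexes are assumptions about that
IOS-XE release and may need adjusting for other versions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: an abridged copy of the debug output posted above,
# with the poster's masked addresses kept as-is.
SAMPLE_LOG = """\
Mar 16 14:38:45.144: ISAKMP: (1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 16 14:38:50.144: ISAKMP-ERROR: (1034):DPD incrementing error counter (1/5)
Mar 16 14:38:50.144: ISAKMP-PAK: (1034):sending packet to 31.xx.xx.xx my_port 4500 peer_port 50159 (R) QM_IDLE
Mar 16 14:38:55.144: ISAKMP-ERROR: (1034):DPD incrementing error counter (2/5)
Mar 16 14:39:00.144: ISAKMP-ERROR: (1034):DPD incrementing error counter (3/5)
Mar 16 14:39:05.145: ISAKMP-ERROR: (1034):DPD incrementing error counter (4/5)
Mar 16 14:39:10.145: ISAKMP-ERROR: (1034):DPD incrementing error counter (5/5)
Mar 16 14:39:10.145: ISAKMP-ERROR: (1034):Peer 31.xx.xx.xx not responding!
Mar 16 14:39:10.147: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 89.yy.yy.yy, sa_proto= 50, sa_spi= 0x1FB4AB52(531934034), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2053 sa_lifetime(k/sec)= (4608000/28800), (identity) local= 89.yy.yy.yy:0, remote= 31.xx.xx.xx:0, local_proxy= 89.yy.yy.yy/255.255.255.255/17/1701, remote_proxy= 31.xx.xx.xx/255.255.255.255/17/0
Mar 16 14:39:10.148: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 31.xx.xx.xx:50159 Id: 10.249.191.92
"""

# Timestamp prefix; the optional '*' covers the "*Jul 8 ..." style seen in older output.
TS = r"\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): "
DPD_RE = re.compile(TS + r"ISAKMP-ERROR: \((?P<sa>\d+)\):DPD incrementing error counter \((?P<n>\d+)/(?P<max>\d+)\)")
DEAD_RE = re.compile(TS + r"ISAKMP-ERROR: \((?P<sa>\d+)\):Peer (?P<peer>\S+) not responding!")
SEND_RE = re.compile(TS + r"ISAKMP-PAK: \((?P<sa>\d+)\):sending packet to (?P<peer>\S+) my_port (?P<lport>\d+) peer_port (?P<rport>\d+)")
DEL_RE = re.compile(TS + r"IPSEC\(delete_sa\): deleting SA, .*?sa_spi= (?P<spi>0x[0-9A-Fa-f]+).*?local_proxy= (?P<lproxy>\S+), remote_proxy= (?P<rproxy>\S+)")
DOWN_RE = re.compile(TS + r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN\. Peer (?P<peer>\S+):(?P<port>\d+) Id: (?P<id>\S+)")


def parse_ts(text):
    # Debug timestamps carry no year; only differences are used, so the default year is fine.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def parse_proxy(text):
    # IOS prints proxy identities as addr/mask/protocol/port; 17/1701 is UDP L2TP.
    addr, mask, proto, port = text.split("/")
    return {"addr": addr, "mask": mask, "proto": int(proto), "port": int(port)}


def analyze(log_text):
    sas = defaultdict(lambda: {"dpd": [], "dead_at": None, "peer": None, "ports": None})
    deleted, down = [], None
    for line in log_text.splitlines():
        if m := DPD_RE.match(line):
            sas[m["sa"]]["dpd"].append((parse_ts(m["ts"]), int(m["n"]), int(m["max"])))
        elif m := SEND_RE.match(line):
            sas[m["sa"]]["peer"] = m["peer"]
            sas[m["sa"]]["ports"] = (int(m["lport"]), int(m["rport"]))
        elif m := DEAD_RE.match(line):
            sas[m["sa"]]["dead_at"] = parse_ts(m["ts"])
            sas[m["sa"]]["peer"] = m["peer"]
        elif m := DEL_RE.match(line):
            deleted.append({"spi": m["spi"],
                            "local_proxy": parse_proxy(m["lproxy"]),
                            "remote_proxy": parse_proxy(m["rproxy"])})
        elif m := DOWN_RE.match(line):
            down = {"peer": m["peer"], "port": int(m["port"]), "id": m["id"], "at": parse_ts(m["ts"])}

    report = {}
    for sa, d in sas.items():
        times = [t for t, _, _ in d["dpd"]]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        on_4500 = d["ports"] is not None and d["ports"][0] == 4500
        report[sa] = {
            "peer": d["peer"],
            # After NAT-T is negotiated IKE moves to UDP 4500; a peer port other than
            # 4500 means a NAT in front of the client rewrote the source port.
            "nat_t": on_4500,
            "peer_behind_nat": on_4500 and d["ports"][1] != 4500,
            "retries": len(d["dpd"]),
            "max_retries": d["dpd"][-1][2] if d["dpd"] else None,
            "retry_interval_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
            "declared_dead": d["dead_at"] is not None,
            "time_to_dead_s": round((d["dead_at"] - times[0]).total_seconds(), 1) if d["dead_at"] and times else None,
        }
    return {"sas": report, "deleted_sas": deleted, "tunnel_down": down}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for sa, r in result["sas"].items():
        print(f"IKE SA {sa} peer {r['peer']}: NAT-T={r['nat_t']} behind_nat={r['peer_behind_nat']} "
              f"DPD {r['retries']}/{r['max_retries']} every {r['retry_interval_s']}s, "
              f"dead after {r['time_to_dead_s']}s")
    for s in result["deleted_sas"]:
        lp = s["local_proxy"]
        print(f"deleted IPsec SA {s['spi']} local proxy proto {lp['proto']} port {lp['port']}")
    if result["tunnel_down"]:
        print(f"tunnel down: peer {result['tunnel_down']['peer']} id {result['tunnel_down']['id']}")
```

Run it against a full `debug crypto isakmp` / `debug crypto ipsec` capture saved to a file (replace `SAMPLE_LOG` with the file contents); a retry counter that reaches its maximum while the same peer port stays in use points at the client or the NAT in front of it going silent, whereas a drop without any DPD errors preceding it points at something else (rekey, lifetime expiry, or the peer's own DELETE).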
M-a-x-Z Posted March 20, 2018
On 08.07.2016 at 14:00, ShyLion said:
Has anyone managed to get L2TP vpdn up on a Cisco so that an Android can connect to it?
Checkmate, Cisco lovers. Be thankful it works at all. Here is the official reply from Cisco TAC to a request for Android settings:
Hi, The L2TP over IPSec is officially un-supported on IOS-XE. The code is there from the IOS code base, but it was never tested nor designed to work with the ASR platforms. Please refer to below document for details: Source - https://www.cisco.com/c/en/us/td/docs/routers/access/4400/release/notes/isr4451rn.html#96977
ShyLion Posted March 21, 2018
This is some kind of ... disgrace. On the other hand, we'll all just move to IKEv2 over time. By and large, the triple IPsec-L2TP-PPP encapsulation has long been begging for the scrap heap.
M-a-x-Z Posted March 21, 2018
49 minutes ago, ShyLion said:
This is some kind of ... disgrace. On the other hand, we'll all just move to IKEv2 over time. By and large, the triple IPsec-L2TP-PPP encapsulation has long been begging for the scrap heap.
The only problem is there's no IKEv2 for stock Android. And on iOS only in the latest versions. Windows 7 through 10 does support it, though. We'll give it a try.
Axizzz Posted March 21, 2018
The question isn't about L2TP-IPSEC itself, but about why the vendor doesn't make what is declared in Feature Explorer (I think that's what it's called, if I'm not mistaken) actually work, given that considerable money has been paid for it. With IKEv2 it looks like nobody will guarantee that it works as it should either. So the issue is precisely Cisco's approach: properly speaking, they shouldn't rip out supposedly obsolete protocols; the user (operator) should decide for themselves what they need most. IMHO.
M-a-x-Z Posted March 21, 2018 (edited)
2 hours ago, Axizzz said:
The question isn't about L2TP-IPSEC itself, but about why the vendor doesn't make what is declared in Feature Explorer (I think that's what it's called, if I'm not mistaken) actually work, given that considerable money has been paid for it. With IKEv2 it looks like nobody will guarantee that it works as it should either. So the issue is precisely Cisco's approach: properly speaking, they shouldn't rip out supposedly obsolete protocols; the user (operator) should decide for themselves what they need most. IMHO.
There's nothing like that in the Feature Guide. There's L2TP and there's IPsec. But no L2TP/IPsec. Formally they're right. But it's unexpected. The funniest part is that only the second TAC engineer in a row knew this. The first one promised to help configure it. And they didn't cut it out either. But they didn't adapt it to the platform either. This Frankenstein even partly works.
Edited March 21, 2018 by M-a-x-Z
zhenya` Posted March 21, 2018
IMHO, L2TP/IPsec simply can't be crossed with subscriber management.
Axizzz Posted March 22, 2018
17 hours ago, M-a-x-Z said:
There's nothing like that in the Feature Guide. There's L2TP and there's IPsec. But no L2TP/IPsec. Formally they're right. But it's unexpected. The funniest part is that only the second TAC engineer in a row knew this. The first one promised to help configure it. And they didn't cut it out either. But they didn't adapt it to the platform either. This Frankenstein even partly works.
Cisco isn't what it used to be.. In that case it's unclear what to do when you need high performance from a border router (1 Gbit/s and up with IPsec encryption) and L2TP/IPsec for a large number of connections. After all, according to their various presentations, the series are differentiated by performance, among other things.
ShyLion Posted March 22, 2018
21 hours ago, Axizzz said:
So the issue is precisely Cisco's approach
It's the whole industry. Everyone pulls the blanket their own way and constantly reinvents the wheel. The swan, the crayfish, the pike and a pack of other animals can't and won't come to an agreement. Every vendor dreams of you using only their solutions and bringing revenue only to them.
M-a-x-Z Posted March 22, 2018
19 hours ago, zhenya` said:
IMHO, L2TP/IPsec simply can't be crossed with subscriber management.
Why would you? The QoS policy there is attached to each tunnel. No need to parse by IP.
1 hour ago, Axizzz said:
Cisco isn't what it used to be.. In that case it's unclear what to do when you need high performance from a border router (1 Gbit/s and up with IPsec encryption) and L2TP/IPsec for a large number of connections. After all, according to their various presentations, the series are differentiated by performance, among other things.
I don't know about the ISR, but L2TP/IPsec has simply been written off, since IOS-XE is now our everything. It's not that it's gone from the ASR. It's gone from Cisco in all new models. If you need exactly that, you'll have to get a used ASR. But there, it seems, there'll be pitfalls when configuring modern clients.
ShyLion Posted March 22, 2018
Confirmed: new routers like the 4xxx series already ship with IOS-XE, and the walk across the pitfalls is already in full swing :) Seemingly everything is the same, but no, there are nuances everywhere.
Axizzz Posted March 22, 2018
1 hour ago, M-a-x-Z said:
Why would you? The QoS policy there is attached to each tunnel. No need to parse by IP.
I don't know about the ISR, but L2TP/IPsec has simply been written off, since IOS-XE is now our everything. It's not that it's gone from the ASR. It's gone from Cisco in all new models. If you need exactly that, you'll have to get a used ASR. But there, it seems, there'll be pitfalls when configuring modern clients.
I'm embarrassed to ask: we happen to have bought a used ASR 1001 (which is why there's no support), and it runs IOS-XE. As I understood from your words, the old IOS can be loaded onto it? Can you point me to a proof?