anikishov Posted December 22, 2016

Colleagues, good day! I am setting up a server for the subject of this thread (L2TP/IPsec). Software version:

boot system bootflash:/c7200p-adventerprisek9-mz.124-24.T8.bin
boot bootldr bootflash:/c7200p-boot-mz.124-24.T8.bin

Both IPsec phases complete successfully and the SAs come up:

fvrf/address: (none)/A.A.A.10
  protocol: ESP
  spi: 0x91B582CB(2444591819)
  transform: esp-3des esp-sha-hmac ,
  in use settings ={Transport, }
  conn id: 809, flow_id: SW:809, sibling_flags 80000006, crypto map: L2TP
  sa timing: remaining key lifetime (k/sec): (243973/3598)
  IV size: 8 bytes
  replay detection support: Y
  Status: ACTIVE

fvrf/address: (none)/C.C.C.20
  protocol: ESP
  spi: 0x26539D7E(643014014)
  transform: esp-3des esp-sha-hmac ,
  in use settings ={Transport, }
  conn id: 810, flow_id: SW:810, sibling_flags 80000006, crypto map: L2TP
  sa timing: remaining key lifetime (k/sec): (243974/3598)
  IV size: 8 bytes
  replay detection support: Y
  Status: ACTIVE

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
A.A.A.10        C.C.C.20        QM_IDLE        1024 ACTIVE

The problem is that the tunnel does not come up. Here is the debug listing:

Dec 22 13:22:30.441 MSK: ISAKMP:(1015):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Dec 22 13:22:30.441 MSK: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 22 13:22:30.441 MSK: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Dec 22 13:22:30.441 MSK: IPSEC(key_engine_enable_outbound): enable SA with spi 3310260358/50
Dec 22 13:22:30.441 MSK: IPSEC(update_current_outbound_sa): updated peer C.C.C.20 current outbound sa to SPI C54E9086
Dec 22 13:22:30.441 MSK: L2TP _____:________:
Dec 22 13:22:30.441 MSK: L2TP _____:________: I SCCRQ, flg TLS, ver 2, len 118
Dec 22 13:22:30.441 MSK: L2TP _____:________: IETF v2:
Dec 22 13:22:30.441 MSK: L2TP _____:________: Protocol Version 1, Revision 0
Dec 22 13:22:30.445 MSK: L2TP _____:________: Framing Cap sync(0x1)
Dec 22 13:22:30.445 MSK: L2TP _____:________: Bearer Cap none(0x0)
Dec 22 13:22:30.445 MSK: L2TP _____:________: Firmware Ver 0xA00
Dec 22 13:22:30.445 MSK: L2TP _____:________: Hostname "C.C.C.20"
Dec 22 13:22:30.445 MSK: L2TP _____:________: Vendor Name
Dec 22 13:22:30.445 MSK: L2TP _____:________: "Microsoft"
Dec 22 13:22:30.445 MSK: L2TP _____:________: Assigned Tunnel I 8
Dec 22 13:22:30.445 MSK: L2TP _____:________: Rx Window Size 8
Dec 22 13:22:30.445 MSK: L2TP _____:________:
Dec 22 13:22:30.445 MSK: L2X _____:________: PROTO DB: no peer found for C.C.C.20
Dec 22 13:22:30.445 MSK: L2X tnl 0125A:________: Create logical tunnel
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:________: Create tunnel
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:________: version set to V2
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:________: remote ip set to C.C.C.20
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:________: local ip set to A.A.A.10
Dec 22 13:22:30.445 MSK: L2X _____:________: PROTO DB: added cc with id 42078 (total 2)
Dec 22 13:22:30.445 MSK: L2X _____:________: PROTO DB: added cc under rIP C.C.C.20, local host cc id 42078 (total 1)
Dec 22 13:22:30.445 MSK: L2X _____:________: PROTO DB: added cc :rIP C.C.C.20, rport 1701, r cc id 8 (total 1)
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: FSM-CC ev Rx-SCCRQ
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: FSM-CC Idle->Proc-SCCRQ
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: FSM-CC do Rx-SCCRQ
Dec 22 13:22:30.445 MSK: L2X _____:________: CC AUTHOR DB: searching for author entry for
Dec 22 13:22:30.445 MSK: l ip A.A.A.10, r ip C.C.C.20, l name <>, r name <C.C.C.20>
Dec 22 13:22:30.445 MSK: L2X _____:________: CC AUTHOR DB: no remote ip tree db entry for C.C.C.20
Dec 22 13:22:30.445 MSK: L2X _____:________: CC AUTHOR DB: no remote name tree db entry for C.C.C.20
Dec 22 13:22:30.445 MSK: L2X _____:________: CC AUTHOR DB: no ip entry found, return name entry
Dec 22 13:22:30.445 MSK: L2X _____:________: CC AUTHOR DB: no default context for index 1
Dec 22 13:22:30.445 MSK: L2TP _____:________: L2TP CC AUTHOR DB: no default l2tp class name found
Dec 22 13:22:30.445 MSK: L2TP _____:________: L2TP CC AUTHOR DB: default entry type not aaa mlist name
Dec 22 13:22:30.445 MSK: L2TP _____:________: L2TP CC AUTHOR DB: L2TP CC Author attempts to use default mlist name <>
Dec 22 13:22:30.445 MSK: L2TP _____:________: L2TP CC AUTHOR DB: L2TP CC Author attemps to query AAA with <null>
Dec 22 13:22:30.445 MSK: L2X _____:________: Tunnel author started for C.C.C.20
Dec 22 13:22:30.445 MSK: L2TP _____:________: L2TP CC AUTHOR DB: Queried AAA
Dec 22 13:22:30.445 MSK: L2X _____:________: Tunnel author found
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: Author reply, data source: "VPN-L2TP"
Dec 22 13:22:30.445 MSK: L2X _____:________: class [AAA author, group "VPN-L2TP"]
Dec 22 13:22:30.445 MSK: L2X _____:________: created
Dec 22 13:22:30.445 MSK: L2X _____:________: class [AAA author, group "VPN-L2TP"]
Dec 22 13:22:30.445 MSK: L2X _____:________: App locked 0->1
Dec 22 13:22:30.445 MSK: L2X _____:________: class [AAA author, group "VPN-L2TP"]
Dec 22 13:22:30.445 MSK: L2X _____:________: Protocol locked 0->1
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: class name AAA author, group "VPN-L2TP"
Dec 22 13:22:30.445 MSK: L2X _____:________: class [AAA author, group "VPN-L2TP"]
Dec 22 13:22:30.445 MSK: L2X _____:________: App unlocked 1->0
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: peer cap sync set
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: FSM-CC ev SCCRQ-OK
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: FSM-CC Proc-SCCRQ->Wt-SCCCN
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: FSM-CC do Tx-SCCRP
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: Open sock A.A.A.10:1701->C.C.C.20:1701
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: FSM-CC ev Sock-Ready
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: FSM-CC in Wt-SCCCN
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: FSM-CC do Ignore-Sock-Up
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: Control connection authentication skipped/passed.
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E:
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: O SCCRP to C.C.C.20 tnl 8
Dec 22 13:22:30.449 MSK: L2TP tnl 0125A:0000A45E: IETF v2:
Dec 22 13:22:30.449 MSK: L2TP tnl 0125A:0000A45E: Protocol Version 1, Revision 0
Dec 22 13:22:30.449 MSK: L2TP tnl 0125A:0000A45E: Framing Cap none(0x0)
Dec 22 13:22:30.449 MSK: L2TP tnl 0125A:0000A45E: Firmware Ver 0x1130
Dec 22 13:22:30.449 MSK: L2TP tnl 0125A:0000A45E: Hostname "A.A.A.10"
Dec 22 13:22:30.449 MSK: L2TP tnl 0125A:0000A45E: Vendor Name
Dec 22 13:22:30.449 MSK: L2TP tnl 0125A:0000A45E: "Cisco Systems, Inc."
Dec 22 13:22:30.449 MSK: L2TP tnl 0125A:0000A45E: Assigned Tunnel I 42078
Dec 22 13:22:30.449 MSK: L2TP tnl 0125A:0000A45E: Rx Window Size 1024
Dec 22 13:22:30.449 MSK: L2TP tnl 0125A:0000A45E:
Dec 22 13:22:31.445 MSK: L2TP _____:________: I SCCRQ, flg TLS, ver 2, len 118
Dec 22 13:22:31.445 MSK: L2TP _____:________: IETF v2:
Dec 22 13:22:31.445 MSK: L2TP _____:________: Protocol Version 1, Revision 0
Dec 22 13:22:31.445 MSK: L2TP _____:________: Framing Cap sync(0x1)
Dec 22 13:22:31.445 MSK: L2TP _____:________: Bearer Cap none(0x0)
Dec 22 13:22:31.445 MSK: L2TP _____:________: Firmware Ver 0xA00
Dec 22 13:22:31.445 MSK: L2TP _____:________: Hostname "C.C.C.20"
Dec 22 13:22:31.445 MSK: L2TP _____:________: Vendor Name
Dec 22 13:22:31.445 MSK: L2TP _____:________: "Microsoft"
Dec 22 13:22:31.445 MSK: L2TP _____:________: Assigned Tunnel I 8
Dec 22 13:22:31.445 MSK: L2TP _____:________: Rx Window Size 8
Dec 22 13:22:31.445 MSK: L2TP _____:________:
Dec 22 13:22:31.445 MSK: L2TP tnl 0125A:0000A45E: Tunnel exists, must be a duplicate SCCRQ
Dec 22 13:22:31.445 MSK: L2TP _____:________: SCCRQ: processing failed
Dec 22 13:22:31.445 MSK: L2TP _____:________: SCCRQ: dropping packet
Dec 22 13:22:31.449 MSK: L2TP tnl 0125A:0000A45E: O Resend SCCRP, flg TLS, ver 2, len 100
Dec 22 13:22:31.449 MSK: L2TP tnl 0125A:0000A45E: Drain unsentQ, cur/max resendQ sz 1/8, unsentQ 0
Dec 22 13:22:33.446 MSK: L2TP _____:________:
Dec 22 13:22:33.446 MSK: L2TP _____:________: I SCCRQ, flg TLS, ver 2, len 118
Dec 22 13:22:33.446 MSK: L2TP _____:________: IETF v2:
Dec 22 13:22:33.446 MSK: L2TP _____:________: Protocol Version 1, Revision 0
Dec 22 13:22:33.446 MSK: L2TP _____:________: Framing Cap sync(0x1)
Dec 22 13:22:33.446 MSK: L2TP _____:________: Bearer Cap none(0x0)
Dec 22 13:22:33.446 MSK: L2TP _____:________: Firmware Ver 0xA00
Dec 22 13:22:33.446 MSK: L2TP _____:________: Hostname "C.C.C.20"
Dec 22 13:22:33.446 MSK: L2TP _____:________: Vendor Name
Dec 22 13:22:33.446 MSK: L2TP _____:________: "Microsoft"
Dec 22 13:22:33.446 MSK: L2TP _____:________: Assigned Tunnel I 8
Dec 22 13:22:33.446 MSK: L2TP _____:________: Rx Window Size 8
Dec 22 13:22:33.446 MSK: L2TP _____:________:
Dec 22 13:22:33.446 MSK: L2TP tnl 0125A:0000A45E: Tunnel exists, must be a duplicate SCCRQ
Dec 22 13:22:33.446 MSK: L2TP _____:________: SCCRQ: processing failed
Dec 22 13:22:33.446 MSK: L2TP _____:________: SCCRQ: dropping packet

Applied config:

! AAA: everything local, PPP users authenticated against the local database
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization console
aaa authorization exec default local
aaa authorization commands 15 default local
aaa authorization network default local
vpdn enable
!
! L2TP LNS side: accept incoming L2TP tunnels, no tunnel-level authentication
vpdn-group VPN-L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
username l2tp privilege 0 password 0 l2tp
crypto keyring L2TP_key
  pre-shared-key address 0.0.0.0 0.0.0.0 key *****
!
! IKEv1 phase 1: 3DES, PSK, DH group 2
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key **** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 3600
!
! Phase 2: ESP 3DES/SHA1 in transport mode, as L2TP/IPsec clients expect
crypto ipsec transform-set L2TP esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP-MAP 10
 set nat demux
 set transform-set L2TP
 match address l2tp-access
!
crypto map L2TP 10 ipsec-isakmp dynamic L2TP-MAP
!
interface Loopback2
 description L2TP POOL
 ip address B.B.B.236 255.255.255.255
!
! The crypto map is attached to the loopback that carries the server address
interface Loopback3
 description L2TP SERVER
 ip address A.A.A.10 255.255.255.255
 crypto map L2TP
!
interface GigabitEthernet0/1.99
 description ACCESS NET
 encapsulation dot1Q 99
 ip dhcp relay information trusted
 ip address C.C.C.1 255.255.255.192
 ip verify unicast reverse-path
 ip helper-address Y.Y.Y.131
!
interface Virtual-Template2
 ip unnumbered Loopback2
 peer default ip address pool l2tp-pool
 ppp mtu adaptive
 ppp authentication ms-chap-v2 callin
!
ip local pool l2tp-pool B.B.B.237 B.B.B.239
!
! Crypto ACL: which traffic the dynamic map protects (L2TP, UDP/1701)
ip access-list extended l2tp-access
 permit udp any eq 1701 any

Can you suggest what I might have missed, or where to look? The software and hardware support the required features. On the client (Windows 10) an error is returned as if there were a firewall or NAT somewhere in the path.
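The pattern in the debug above (SCCRQ received, SCCRP sent, then the same SCCRQ arriving again as a "duplicate" and no SCCCN ever coming back) is the signature of a reply that the client never sees, which is exactly the "looks like a firewall or NAT" symptom the poster describes. The script below is an added example and is not code from this thread: it pulls the L2TP control messages out of Cisco IOS `debug vpdn l2x-events` style lines and reports that verdict. The two embedded captures are constructed (the stalled one is trimmed from the lines posted above with the AVP dumps removed; the healthy one is assumed, with its message layout modelled on those lines), and the verdict names are this example's own.

```python
"""Triage Cisco IOS L2TP debug output for a stalled control connection."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Matches only the control-message lines of the IOS L2TP debug, e.g.
#   "Dec 22 13:22:30.441 MSK: L2TP _____:________: I SCCRQ, flg TLS, ver 2, len 118"
#   "Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: O SCCRP to C.C.C.20 tnl 8"
#   "Dec 22 13:22:31.449 MSK: L2TP tnl 0125A:0000A45E: O Resend SCCRP, flg TLS, ver 2, len 100"
CTRL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) \S+: "
    r"L2TP (?P<tnl>(?:tnl )?\S+): (?P<dir>[IO]) (?:(?P<resend>Resend) )?(?P<msg>[A-Za-z]+)\b"
)
DUP_RE = re.compile(r"Tunnel exists, must be a duplicate SCCRQ")


class CtrlMsg(NamedTuple):
    ts: str
    tunnel: str
    direction: str  # "I" = received from the peer, "O" = sent to the peer
    msg: str        # SCCRQ, SCCRP, SCCCN, StopCCN, ICRQ, ...
    resend: bool    # True for "O Resend <msg>" lines (our retransmissions)


def parse_ctrl_msgs(debug_text: str) -> List[CtrlMsg]:
    """Extract the L2TP control messages (direction and type) from raw debug output."""
    msgs = []
    for line in debug_text.splitlines():
        m = CTRL_RE.match(line)
        if m:
            msgs.append(CtrlMsg(m["ts"], m["tnl"], m["dir"], m["msg"], m["resend"] is not None))
    return msgs


def triage(debug_text: str) -> Dict[str, object]:
    """Classify the control-connection handshake seen in a debug capture.

    Verdicts (names are this example's own):
      no-sccrq                 nothing reached the L2TP stack (IPsec or UDP/1701 not arriving)
      established              SCCCN was received, the control connection came up
      reply-not-reaching-peer  SCCRP was sent but the peer keeps resending SCCRQ, so our
                               reply is being dropped on the return path (the thread's case)
      inconclusive             handshake incomplete but no retransmissions seen yet
    """
    msgs = parse_ctrl_msgs(debug_text)
    counts = Counter((m.direction, m.msg) for m in msgs)
    dup_sccrq = sum(1 for line in debug_text.splitlines() if DUP_RE.search(line))
    sccrp_resends = sum(1 for m in msgs if m.direction == "O" and m.msg == "SCCRP" and m.resend)

    in_sccrq, out_sccrp, in_scccn = counts["I", "SCCRQ"], counts["O", "SCCRP"], counts["I", "SCCCN"]
    if in_sccrq == 0:
        verdict = "no-sccrq"
    elif in_scccn > 0:
        verdict = "established"
    elif out_sccrp > 0 and (dup_sccrq > 0 or sccrp_resends > 0):
        verdict = "reply-not-reaching-peer"
    else:
        verdict = "inconclusive"
    return {
        "inbound_sccrq": in_sccrq,
        "outbound_sccrp": out_sccrp,
        "sccrp_resends": sccrp_resends,
        "duplicate_sccrq": dup_sccrq,
        "inbound_scccn": in_scccn,
        "verdict": verdict,
    }


# Constructed sample: trimmed from the debug posted above, AVP dump lines omitted.
STALLED_DEBUG = """\
Dec 22 13:22:30.441 MSK: L2TP _____:________: I SCCRQ, flg TLS, ver 2, len 118
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: FSM-CC Proc-SCCRQ->Wt-SCCCN
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: Open sock A.A.A.10:1701->C.C.C.20:1701
Dec 22 13:22:30.445 MSK: L2TP tnl 0125A:0000A45E: O SCCRP to C.C.C.20 tnl 8
Dec 22 13:22:31.445 MSK: L2TP _____:________: I SCCRQ, flg TLS, ver 2, len 118
Dec 22 13:22:31.445 MSK: L2TP tnl 0125A:0000A45E: Tunnel exists, must be a duplicate SCCRQ
Dec 22 13:22:31.445 MSK: L2TP _____:________: SCCRQ: dropping packet
Dec 22 13:22:31.449 MSK: L2TP tnl 0125A:0000A45E: O Resend SCCRP, flg TLS, ver 2, len 100
Dec 22 13:22:33.446 MSK: L2TP _____:________: I SCCRQ, flg TLS, ver 2, len 118
Dec 22 13:22:33.446 MSK: L2TP tnl 0125A:0000A45E: Tunnel exists, must be a duplicate SCCRQ
Dec 22 13:22:33.446 MSK: L2TP _____:________: SCCRQ: dropping packet
"""

# Constructed sample of a healthy handshake for contrast (assumed layout, not a real capture).
HEALTHY_DEBUG = """\
Dec 22 14:00:00.001 MSK: L2TP _____:________: I SCCRQ, flg TLS, ver 2, len 118
Dec 22 14:00:00.005 MSK: L2TP tnl 0125B:0000A45F: O SCCRP to C.C.C.20 tnl 9
Dec 22 14:00:00.020 MSK: L2TP tnl 0125B:0000A45F: I SCCCN, flg TLS, ver 2, len 20
Dec 22 14:00:00.021 MSK: L2TP tnl 0125B:0000A45F: I ICRQ, flg TLS, ver 2, len 63
"""

if __name__ == "__main__":
    for name, text in (("stalled", STALLED_DEBUG), ("healthy", HEALTHY_DEBUG)):
        print(name, triage(text))
```

Feed it `debug vpdn l2x-events` plus `debug vpdn l2x-packets` output saved from the terminal; a `reply-not-reaching-peer` verdict means the LNS side of the handshake is fine and the problem is on the return path (egress interface without the crypto map, a filter, or NAT), which is where the fix in the replies below applies.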
ShyLion Posted December 23, 2016 (edited)

> Colleagues, good day!

Move the crypto map onto the real interface. To have it bind to the loopback:

crypto map L2TP local-address Loopback2

Edited December 23, 2016 by ShyLion
SergeiK Posted December 23, 2016

> Colleagues, good day! I am setting up a server for the subject of this thread. The software and hardware support the required features. On the client (Windows 10) an error is returned as if there were a firewall or NAT somewhere in the path.

It seems to me that you have lost UDP port 500 in the ACL.
anikishov Posted December 23, 2016

Didn't even notice the elephant in the room =( Comrade ShyLion, thank you very much! It works. SergeiK, but this ACL only specifies which traffic to encrypt, doesn't it? Or am I wrong?
SergeiK Posted December 23, 2016

> Didn't even notice the elephant in the room =( Comrade ShyLion, thank you very much! It works. SergeiK, but this ACL only specifies which traffic to encrypt, doesn't it? Or am I wrong?

If it works, then you are right :).