
Cisco 7201 L2TP with IPsec

Colleagues, good day!

I'm setting up the server from the subject line.

Software version:

boot system bootflash:/c7200p-adventerprisek9-mz.124-24.T8.bin
boot bootldr bootflash:/c7200p-boot-mz.124-24.T8.bin

 

The IPsec phases complete successfully, the SAs come up:

 

fvrf/address: (none)/A.A.A.10
  protocol: ESP
     spi: 0x91B582CB(2444591819)
       transform: esp-3des esp-sha-hmac ,
       in use settings ={Transport, }
       conn id: 809, flow_id: SW:809, sibling_flags 80000006, crypto map: L2TP
       sa timing: remaining key lifetime (k/sec): (243973/3598)
       IV size: 8 bytes
       replay detection support: Y
       Status: ACTIVE

fvrf/address: (none)/C.C.C.20
  protocol: ESP
     spi: 0x26539D7E(643014014)
       transform: esp-3des esp-sha-hmac ,
       in use settings ={Transport, }
       conn id: 810, flow_id: SW:810, sibling_flags 80000006, crypto map: L2TP
       sa timing: remaining key lifetime (k/sec): (243974/3598)
       IV size: 8 bytes
       replay detection support: Y
       Status: ACTIVE

sh crypto isakmp sa        
IPv4 Crypto ISAKMP SA
A.A.A.10   C.C.C.20    QM_IDLE           1024 ACTIVE

 

The problem is that the tunnel does not come up.

Here is the debug listing:

Dec 22 13:22:30.441 MSK: ISAKMP:(1015):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Dec 22 13:22:30.441 MSK: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 22 13:22:30.441 MSK: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Dec 22 13:22:30.441 MSK: IPSEC(key_engine_enable_outbound): enable SA with spi 3310260358/50 
Dec 22 13:22:30.441 MSK: IPSEC(update_current_outbound_sa): updated peer C.C.C.20 current outbound sa to SPI C54E9086
Dec 22 13:22:30.441 MSK: L2TP       _____:________:  
Dec 22 13:22:30.441 MSK: L2TP       _____:________: I SCCRQ, flg TLS, ver 2, len 118
Dec 22 13:22:30.441 MSK: L2TP       _____:________:  IETF v2:
Dec 22 13:22:30.441 MSK: L2TP       _____:________:   Protocol Version  1, Revision 0
Dec 22 13:22:30.445 MSK: L2TP       _____:________:   Framing Cap       sync(0x1)
Dec 22 13:22:30.445 MSK: L2TP       _____:________:   Bearer Cap        none(0x0)
Dec 22 13:22:30.445 MSK: L2TP       _____:________:   Firmware Ver      0xA00
Dec 22 13:22:30.445 MSK: L2TP       _____:________:   Hostname          "C.C.C.20"
Dec 22 13:22:30.445 MSK: L2TP       _____:________:   Vendor Name       
Dec 22 13:22:30.445 MSK: L2TP       _____:________:     "Microsoft"
Dec 22 13:22:30.445 MSK: L2TP       _____:________:   Assigned Tunnel I 8
Dec 22 13:22:30.445 MSK: L2TP       _____:________:   Rx Window Size    8
Dec 22 13:22:30.445 MSK: L2TP       _____:________:  
Dec 22 13:22:30.445 MSK: L2X        _____:________: PROTO DB: no peer found for C.C.C.20
Dec 22 13:22:30.445 MSK: L2X  tnl   0125A:________: Create logical tunnel
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:________: Create tunnel
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:________:     version set to V2
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:________:     remote ip set to C.C.C.20
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:________:     local ip set to A.A.A.10
Dec 22 13:22:30.445 MSK: L2X        _____:________: PROTO DB: added cc with id 42078 (total 2)
Dec 22 13:22:30.445 MSK: L2X        _____:________: PROTO DB: added cc under rIP C.C.C.20, local host  cc id 42078 (total 1)
Dec 22 13:22:30.445 MSK: L2X        _____:________: PROTO DB: added cc :rIP C.C.C.20, rport 1701, r cc id 8 (total 1)
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: FSM-CC ev Rx-SCCRQ
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: FSM-CC    Idle->Proc-SCCRQ
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: FSM-CC do Rx-SCCRQ
Dec 22 13:22:30.445 MSK: L2X        _____:________: CC AUTHOR DB: searching for author entry for
Dec 22 13:22:30.445 MSK: l ip A.A.A.10, r ip C.C.C.20, l name <>, r name <C.C.C.20>
Dec 22 13:22:30.445 MSK: L2X        _____:________: CC AUTHOR DB: no remote ip tree db entry for C.C.C.20
Dec 22 13:22:30.445 MSK: L2X        _____:________: CC AUTHOR DB: no remote name tree db entry for C.C.C.20
Dec 22 13:22:30.445 MSK: L2X        _____:________: CC AUTHOR DB: no ip entry found, return name entry
Dec 22 13:22:30.445 MSK: L2X        _____:________: CC AUTHOR DB: no default context for index 1
Dec 22 13:22:30.445 MSK: L2TP       _____:________: L2TP CC AUTHOR DB: no default l2tp class name found
Dec 22 13:22:30.445 MSK: L2TP       _____:________: L2TP CC AUTHOR DB: default entry type not aaa mlist name
Dec 22 13:22:30.445 MSK: L2TP       _____:________: L2TP CC AUTHOR DB: L2TP CC Author attempts to use default mlist name <>
Dec 22 13:22:30.445 MSK: L2TP       _____:________: L2TP CC AUTHOR DB: L2TP CC Author attemps to query AAA with <null>
Dec 22 13:22:30.445 MSK: L2X        _____:________: Tunnel author started for C.C.C.20
Dec 22 13:22:30.445 MSK: L2TP       _____:________: L2TP CC AUTHOR DB: Queried AAA
Dec 22 13:22:30.445 MSK: L2X        _____:________: Tunnel author found
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: Author reply, data source: "VPN-L2TP"
Dec 22 13:22:30.445 MSK: L2X        _____:________: class [AAA author, group "VPN-L2TP"]
Dec 22 13:22:30.445 MSK: L2X        _____:________:   created
Dec 22 13:22:30.445 MSK: L2X        _____:________: class [AAA author, group "VPN-L2TP"]
Dec 22 13:22:30.445 MSK: L2X        _____:________:   App locked 0->1
Dec 22 13:22:30.445 MSK: L2X        _____:________: class [AAA author, group "VPN-L2TP"]
Dec 22 13:22:30.445 MSK: L2X        _____:________:   Protocol locked 0->1
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E:     class name AAA author, group "VPN-L2TP"
Dec 22 13:22:30.445 MSK: L2X        _____:________: class [AAA author, group "VPN-L2TP"]
Dec 22 13:22:30.445 MSK: L2X        _____:________:   App unlocked 1->0
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E:     peer cap sync set
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: FSM-CC ev SCCRQ-OK
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: FSM-CC    Proc-SCCRQ->Wt-SCCCN
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: FSM-CC do Tx-SCCRP
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: Open sock A.A.A.10:1701->C.C.C.20:1701
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: FSM-CC ev Sock-Ready
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: FSM-CC    in Wt-SCCCN
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: FSM-CC do Ignore-Sock-Up
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: Control connection authentication skipped/passed.
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E:  
Dec 22 13:22:30.445 MSK: L2TP tnl   0125A:0000A45E: O SCCRP to C.C.C.20 tnl 8
Dec 22 13:22:30.449 MSK: L2TP tnl   0125A:0000A45E:  IETF v2:
Dec 22 13:22:30.449 MSK: L2TP tnl   0125A:0000A45E:   Protocol Version  1, Revision 0
Dec 22 13:22:30.449 MSK: L2TP tnl   0125A:0000A45E:   Framing Cap       none(0x0)
Dec 22 13:22:30.449 MSK: L2TP tnl   0125A:0000A45E:   Firmware Ver      0x1130
Dec 22 13:22:30.449 MSK: L2TP tnl   0125A:0000A45E:   Hostname          "A.A.A.10"
Dec 22 13:22:30.449 MSK: L2TP tnl   0125A:0000A45E:   Vendor Name       
Dec 22 13:22:30.449 MSK: L2TP tnl   0125A:0000A45E:     "Cisco Systems, Inc."
Dec 22 13:22:30.449 MSK: L2TP tnl   0125A:0000A45E:   Assigned Tunnel I 42078
Dec 22 13:22:30.449 MSK: L2TP tnl   0125A:0000A45E:   Rx Window Size    1024
Dec 22 13:22:30.449 MSK: L2TP tnl   0125A:0000A45E:  
Dec 22 13:22:31.445 MSK: L2TP       _____:________: I SCCRQ, flg TLS, ver 2, len 118
Dec 22 13:22:31.445 MSK: L2TP       _____:________:  IETF v2:
Dec 22 13:22:31.445 MSK: L2TP       _____:________:   Protocol Version  1, Revision 0
Dec 22 13:22:31.445 MSK: L2TP       _____:________:   Framing Cap       sync(0x1)
Dec 22 13:22:31.445 MSK: L2TP       _____:________:   Bearer Cap        none(0x0)
Dec 22 13:22:31.445 MSK: L2TP       _____:________:   Firmware Ver      0xA00
Dec 22 13:22:31.445 MSK: L2TP       _____:________:   Hostname          "C.C.C.20"
Dec 22 13:22:31.445 MSK: L2TP       _____:________:   Vendor Name       
Dec 22 13:22:31.445 MSK: L2TP       _____:________:     "Microsoft"
Dec 22 13:22:31.445 MSK: L2TP       _____:________:   Assigned Tunnel I 8
Dec 22 13:22:31.445 MSK: L2TP       _____:________:   Rx Window Size    8
Dec 22 13:22:31.445 MSK: L2TP       _____:________:  
Dec 22 13:22:31.445 MSK: L2TP tnl   0125A:0000A45E: Tunnel exists, must be a duplicate SCCRQ
Dec 22 13:22:31.445 MSK: L2TP       _____:________: SCCRQ: processing failed
Dec 22 13:22:31.445 MSK: L2TP       _____:________: SCCRQ: dropping packet
Dec 22 13:22:31.449 MSK: L2TP tnl   0125A:0000A45E: O Resend SCCRP, flg TLS, ver 2, len 100
Dec 22 13:22:31.449 MSK: L2TP tnl   0125A:0000A45E: Drain unsentQ, cur/max resendQ sz 1/8, unsentQ 0
Dec 22 13:22:33.446 MSK: L2TP       _____:________:  
Dec 22 13:22:33.446 MSK: L2TP       _____:________: I SCCRQ, flg TLS, ver 2, len 118
Dec 22 13:22:33.446 MSK: L2TP       _____:________:  IETF v2:
Dec 22 13:22:33.446 MSK: L2TP       _____:________:   Protocol Version  1, Revision 0
Dec 22 13:22:33.446 MSK: L2TP       _____:________:   Framing Cap       sync(0x1)
Dec 22 13:22:33.446 MSK: L2TP       _____:________:   Bearer Cap        none(0x0)
Dec 22 13:22:33.446 MSK: L2TP       _____:________:   Firmware Ver      0xA00
Dec 22 13:22:33.446 MSK: L2TP       _____:________:   Hostname          "C.C.C.20"
Dec 22 13:22:33.446 MSK: L2TP       _____:________:   Vendor Name       
Dec 22 13:22:33.446 MSK: L2TP       _____:________:     "Microsoft"
Dec 22 13:22:33.446 MSK: L2TP       _____:________:   Assigned Tunnel I 8
Dec 22 13:22:33.446 MSK: L2TP       _____:________:   Rx Window Size    8
Dec 22 13:22:33.446 MSK: L2TP       _____:________:  
Dec 22 13:22:33.446 MSK: L2TP tnl   0125A:0000A45E: Tunnel exists, must be a duplicate SCCRQ
Dec 22 13:22:33.446 MSK: L2TP       _____:________: SCCRQ: processing failed
Dec 22 13:22:33.446 MSK: L2TP       _____:________: SCCRQ: dropping packet

 

 

Applied config:

aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization console
aaa authorization exec default local
aaa authorization commands 15 default local
aaa authorization network default local
!
vpdn enable
!
vpdn-group VPN-L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
!
username l2tp privilege 0 password 0 l2tp
!
crypto keyring L2TP_key
  pre-shared-key address 0.0.0.0 0.0.0.0 key *****
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key **** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 3600
!
crypto ipsec transform-set L2TP esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP-MAP 10
 set nat demux
 set transform-set L2TP
 match address l2tp-access
!
crypto map L2TP 10 ipsec-isakmp dynamic L2TP-MAP
!
interface Loopback2
 description L2TP POOL
 ip address B.B.B.236 255.255.255.255
!
! IKE/IPsec endpoint A.A.A.10; the crypto map is bound here, on a loopback
interface Loopback3
 description L2TP SERVER
 ip address A.A.A.10 255.255.255.255
 crypto map L2TP
!
interface GigabitEthernet0/1.99
 description ACCESS NET
 encapsulation dot1Q 99
 ip dhcp relay information trusted
 ip address C.C.C.1 255.255.255.192
 ip verify unicast reverse-path
 ip helper-address Y.Y.Y.131
!
interface Virtual-Template2
 ip unnumbered Loopback2
 peer default ip address pool l2tp-pool
 ppp mtu adaptive
 ppp authentication ms-chap-v2 callin
!
ip local pool l2tp-pool B.B.B.237 B.B.B.239
!
! crypto ACL: selects the traffic the dynamic map protects (L2TP, UDP 1701)
ip access-list extended l2tp-access
 permit udp any eq 1701 any
!

 

Can you suggest what I might have missed, where to look?

The software and hardware support the required features.

On the client (Windows 10) an error is returned, as if there were a firewall or NAT somewhere.

Colleagues, good day!

Move the crypto map onto a real interface.

To bind it to the loopback: crypto map L2TP local-address Loopback2

Edited by ShyLion

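The fix from the post above, written out as a config fragment. This is an added example, not config from any post in this thread; interface names and addresses are taken from the posted config, nothing else is assumed. The posted outputs show the IKE/IPsec endpoint as A.A.A.10, which that config puts on Loopback3, so the example pins local-address to Loopback3 and applies the map on GigabitEthernet0/1.99, the sub-interface facing C.C.C.20 (the C.C.C.0/26 access net). Why it matters: a loopback never transmits or receives a packet, so a crypto map bound there protects nothing on the wire. The debug above shows the router sending SCCRP once and then the client retransmitting SCCRQ every second, which is consistent with the reply being discarded on the client because it did not arrive inside ESP. And since the VPDN group has no l2tp tunnel authentication, IPsec is the only thing keeping L2TP, and the MS-CHAPv2 exchange behind it, off the wire in cleartext, so the map has to sit on every interface clients arrive through.

```cisco
! Added example, not from the original posts. Names and addresses follow the
! config posted in this thread; the check commands at the end are standard IOS.

! 1. Take the crypto map off the loopback. Nothing is forwarded through a
!    loopback, so nothing was being encrypted or decrypted there.
interface Loopback3
 description L2TP SERVER
 ip address A.A.A.10 255.255.255.255
 no crypto map L2TP
!
! 2. Keep A.A.A.10 as the IKE/IPsec endpoint now that the map moves to a
!    physical interface (this is the local-address form from the reply above,
!    pointed at the loopback that actually carries A.A.A.10).
crypto map L2TP local-address Loopback3
!
! 3. Apply the map where the client's packets enter and leave. Repeat on every
!    interface that clients can reach A.A.A.10 through.
interface GigabitEthernet0/1.99
 crypto map L2TP
!
! The crypto ACL is unchanged: it only selects what ESP protects (L2TP on
! UDP 1701). IKE itself (UDP 500, and UDP 4500 with NAT-T) is never listed in
! a crypto ACL; it terminates on the router and is not encrypted by the map.
ip access-list extended l2tp-access
 permit udp any eq 1701 any
!
! Checks after the change (exec mode), each with what to look for:
!   show crypto map
!       "Interfaces using crypto map L2TP:" must list GigabitEthernet0/1.99
!   show crypto ipsec sa peer C.C.C.20
!       both "#pkts encaps" and "#pkts decaps" must increase; encaps stuck at 0
!       means replies are still leaving in cleartext
!   show vpdn tunnel l2tp all
!       the control connection should leave Wt-SCCCN and become established
!   debug vpdn l2x-events
!       no more "Tunnel exists, must be a duplicate SCCRQ" / "Resend SCCRP"
```

Two caveats a reviewer would add to the posted config, independent of the fix. The pre-shared key is defined twice (in the keyring and with crypto isakmp key) and both use the 0.0.0.0 0.0.0.0 wildcard, so any source that knows the key can negotiate; keep one definition and narrow the address where the client population allows it. And 3DES with SHA-1 and DH group 2 are legacy; prefer AES and a larger group if the client offers them, since the IOS policy only constrains what the router will accept.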

I have a feeling you lost UDP port 500 in the ACL.


Missed the elephant in the room =(

Comrade ShyLion, thank you very much! It works.

SergeiK, but that ACL only specifies which traffic to encrypt. Or am I wrong?


If it works, then you're right :).
