
Cisco FlexVPN

Good afternoon!
I have a Cisco ASR-1000.
Has anyone configured IKEv2 on a Cisco?

I'm trying to connect from a phone; it feels like it isn't managing to hand out an address, but I'm not sure.

aaa authorization network IKEv2 local
crypto ikev2 authorization policy VPN
 pool L2TP
 route set interface
!
crypto ikev2 proposal VPN
 encryption aes-cbc-256
 integrity sha256 sha1 md5 sha384 sha512
 group 14
!
crypto ikev2 policy VPN
 match address local xxxxxxxxxxxx
 proposal VPN
!
crypto ikev2 keyring VPN
 peer all
  identity email test@test.ru
  pre-shared-key yyyyyyyyy
 !
!
!
crypto ikev2 profile VPN
 match identity remote email test@test.ru
 identity local dn
 authentication local pre-share
 authentication remote pre-share
 keyring local VPN
 aaa authorization group psk list IKEv2 VPN
 virtual-template 1 mode auto

ip local pool L2TP 172.16.252.11 172.16.252.50

interface Virtual-Template1
 description FOR L2TP VPN
 ip address 172.16.252.1 255.255.255.0
 ip nat inside
 no logging event link-status
 peer default ip address pool L2TP
 no snmp trap link-status
 keepalive 5
 ppp authentication ms-chap-v2
 ppp ipcp dns 10.0.0.60

At the end of the logs there is this:

033036: Jan 31 18:21:40: AAA/AUTHOR (0x575): Pick method list 'IKEv2'
033037: Jan 31 18:21:40: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
033038: Jan 31 18:21:40: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
033039: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Received valid config mode data
033040: Jan 31 18:21:40: IKEv2:Config data recieved:
033041: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Config-type: Config-request
033042: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-addr, length: 0
033043: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-netmask, length: 0
033044: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0
033045: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-dns, length: 0
033046: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv6-addr, length: 0
033047: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0
033048: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv6-dns, length: 0
033049: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0
033050: Jan 31 18:21:40: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
033051: Jan 31 18:21:40: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
033052: Jan 31 18:21:40: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
033053: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Set received config mode data
033054: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Processing IKE_AUTH message
033055: Jan 31 18:21:40: IKEv2:% DVTI create request sent for profile VPN with PSH index 1.

033056: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):
033057: Jan 31 18:21:40: IPSEC(key_engine): got a queue event with 1 KMI message(s)
033058: Jan 31 18:21:40: Cannot find crypto swsb : in crypto_ipsec_notify_isakmp_delete (), 604
033059: Jan 31 18:21:40: Cannot find crypto swsb : in crypto_ipsec_notify_isakmp_delete (), 604
033060: Jan 31 18:21:40: ISAKMP-ERROR: (0):ignoring request to send delete notify (no ISAKMP sa) src xxxxxxxxx dst yyyyyyyyyyy for SPI 0x0
033061: Jan 31 18:21:41: IKEv2-ERROR:: Negotiation context locked currently in use
033062: Jan 31 18:21:43: IKEv2-ERROR:: Negotiation context locked currently in use

What it wants is unclear, and the errors can't be found on Google.


The phone is an iPhone )

debug ikev2 is enabled, but it says PASSED everywhere

ASR-1001-OFFICE#sh debug
General OS:
  AAA Authorization debugging is on
IOSXE Conditional Debug Configs:

Conditional Debug Global State: Stop


Radius protocol debugging is on
Radius packet protocol debugging is on

Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on


IKEV2:
  IKEv2 error debugging is on
  IKEv2 default debugging is on
PKI:
  verbose debug output debugging is on

Here are the full logs:

032985: Jan 31 18:21:40: IKEv2:Received Packet [From xxxxxxxx:512/To yyyyyyyy:500/VRF i0:f0]
Initiator SPI : 23A9F58A5DEE618E - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N NOTIFY(REDIRECT_SUPPORTED) NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)

032986: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Verify SA init message
032987: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Insert SA
032988: Jan 31 18:21:40: IKEv2:Searching Policy with fvrf 0, local address yyyyyyyy
032989: Jan 31 18:21:40: IKEv2:Found Policy 'VPN'
032990: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Processing IKE_SA_INIT message
032991: Jan 31 18:21:40: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
032992: Jan 31 18:21:40: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
032993: Jan 31 18:21:40: IKEv2:Failed to retrieve Certificate Issuer list
032994: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
032995: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Request queued for computation of DH key
032996: Jan 31 18:21:40: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
032997: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
032998: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Request queued for computation of DH secret
032999: Jan 31 18:21:40: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
033000: Jan 31 18:21:40: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
033001: Jan 31 18:21:40: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
033002: Jan 31 18:21:40: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
033003: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Generating IKE_SA_INIT message
033004: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_2048_MODP/Group 14
033005: Jan 31 18:21:40: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
033006: Jan 31 18:21:40: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
033007: Jan 31 18:21:40: IKEv2:Failed to retrieve Certificate Issuer list

033008: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Sending Packet [To xxxxxxxx:512/From yyyyyyyy:500/VRF i0:f0]
Initiator SPI : 23A9F58A5DEE618E - Responder SPI : 2F530865CE1CF8B6 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

033009: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Completed SA init exchange
033010: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Starting timer (30 sec) to wait for auth message

033011: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Received Packet [From xxxxxxxx:5079/To yyyyyyyy:500/VRF i0:f0]
Initiator SPI : 23A9F58A5DEE618E - Responder SPI : 2F530865CE1CF8B6 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 IDi NOTIFY(INITIAL_CONTACT) IDr AUTH CFG NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) SA TSi TSr NOTIFY(Unknown - 16396)

033012: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Stopping timer to wait for auth message
033013: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Checking NAT discovery
033014: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):NAT OUTSIDE found
033015: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):NAT detected float to init port 5079, resp port 4500
033016: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Searching policy based on peer's identity 'aaaaa@bbbb.ru' of type 'RFC822 address'
033017: Jan 31 18:21:40: IKEv2:found matching IKEv2 profile 'VPN'
033018: Jan 31 18:21:40: ISAKMP: (0):peer matches VPN profile
033019: Jan 31 18:21:40: IKEv2:% Getting preshared key from profile keyring VPN
033020: Jan 31 18:21:40: IKEv2:% Matched peer block 'all'
033021: Jan 31 18:21:40: IKEv2:Searching Policy with fvrf 0, local address yyyyyyyy
033022: Jan 31 18:21:40: IKEv2:Found Policy 'VPN'
033023: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Verify peer's policy
033024: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Peer's policy verified
033025: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Get peer's authentication method
033026: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Peer's authentication method is 'PSK'
033027: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Get peer's preshared key for aaaaa@bbbb.ru
033028: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Verify peer's authentication data
033029: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Use preshared key for id aaaaa@bbbb.ru, key len 10
033030: Jan 31 18:21:40: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
033031: Jan 31 18:21:40: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
033032: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Verification of peer's authenctication data PASSED
033033: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Processing INITIAL_CONTACT
033034: Jan 31 18:21:40: IKEv2:Using mlist IKEv2 and username VPN for group author request
033035: Jan 31 18:21:40: AAA/BIND(00000575): Bind i/f
033036: Jan 31 18:21:40: AAA/AUTHOR (0x575): Pick method list 'IKEv2'
033037: Jan 31 18:21:40: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
033038: Jan 31 18:21:40: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
033039: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Received valid config mode data
033040: Jan 31 18:21:40: IKEv2:Config data recieved:
033041: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Config-type: Config-request
033042: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-addr, length: 0
033043: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-netmask, length: 0
033044: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0
033045: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-dns, length: 0
033046: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv6-addr, length: 0
033047: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0
033048: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv6-dns, length: 0
033049: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0
033050: Jan 31 18:21:40: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
033051: Jan 31 18:21:40: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
033052: Jan 31 18:21:40: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
033053: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Set received config mode data
033054: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Processing IKE_AUTH message
033055: Jan 31 18:21:40: IKEv2:% DVTI create request sent for profile VPN with PSH index 1.
033056: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):
033057: Jan 31 18:21:40: IPSEC(key_engine): got a queue event with 1 KMI message(s)
033058: Jan 31 18:21:40: Cannot find crypto swsb : in crypto_ipsec_notify_isakmp_delete (), 604
033059: Jan 31 18:21:40: Cannot find crypto swsb : in crypto_ipsec_notify_isakmp_delete (), 604
033060: Jan 31 18:21:40: ISAKMP-ERROR: (0):ignoring request to send delete notify (no ISAKMP sa) src yyyyyyyy dst xxxxxxxx for SPI 0x0
033061: Jan 31 18:21:41: IKEv2-ERROR:: Negotiation context locked currently in use
033062: Jan 31 18:21:43: IKEv2-ERROR:: Negotiation context locked currently in use
033064: Jan 31 18:21:47: IKEv2-ERROR:: Negotiation context locked currently in use
033065: Jan 31 18:21:55: IKEv2-ERROR:: Negotiation context locked currently in use
033079: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Verification of peer's authentication data FAILED
033080: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Sending authentication failure notify
033081: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Building packet for encryption.
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED)

033082: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Sending Packet [To xxxxxxxx:5079/From yyyyyyyy:4500/VRF i0:f0]
Initiator SPI : 23A9F58A5DEE618E - Responder SPI : 2F530865CE1CF8B6 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

033083: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Auth exchange failed
033084: Jan 31 18:22:05: IKEv2-ERROR:(SESSION ID = 326,SA ID = 1):: Auth exchange failed
033085: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Abort exchange
033086: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Deleting SA


I'll try from a PC tomorrow.


1 hour ago, catalist said:
033057: Jan 31 18:21:40: IPSEC(key_engine): got a queue event with 1 KMI message(s)
033058: Jan 31 18:21:40: Cannot find crypto swsb : in crypto_ipsec_notify_isakmp_delete (), 604
033059: Jan 31 18:21:40: Cannot find crypto swsb : in crypto_ipsec_notify_isakmp_delete (), 604
033060: Jan 31 18:21:40: ISAKMP-ERROR: (0):ignoring request to send delete notify (no ISAKMP sa) src yyyyyyyy dst xxxxxxxx for SPI 0x0


That is coming from the other end. The client didn't like something and sent the router a disconnect signal.


Damn, there are no logs at all on the iPhone...

Maybe it didn't like that there is no IP address?

033040: Jan 31 18:21:40: IKEv2:Config data recieved:
033041: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Config-type: Config-request
033042: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-addr, length: 0
033043: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-netmask, length: 0
033044: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0
033045: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-dns, length: 0
033046: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv6-addr, length: 0
033047: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0
033048: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv6-dns, length: 0
033049: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0

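As an added example (not posted in this thread and not Cisco code), here is a small Python script that parses this style of `debug crypto ikev2` output, groups lines by SESSION ID, pulls out the CFG_REQUEST attributes, the authentication verdicts and the IKEv2-ERROR lines, and turns them into plain findings, which answers the question above about whether the client asked for an address. The sample log is constructed from the thread's lines, with documentation-range addresses as placeholders.

```python
import re

# Constructed sample modelled on the thread's debug output; addresses are documentation-range placeholders.
SAMPLE_LOG = """\
033011: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Received Packet [From 203.0.113.5:5079/To 198.51.100.1:500/VRF i0:f0]
IKEv2 IKE_AUTH Exchange REQUEST
033026: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Peer's authentication method is 'PSK'
033032: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Verification of peer's authenctication data PASSED
033042: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: ipv4-addr, length: 0
033044: Jan 31 18:21:40: IKEv2:(SESSION ID = 326,SA ID = 1):Attrib type: unknown, length: 0
033050: Jan 31 18:21:40: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
033061: Jan 31 18:21:41: IKEv2-ERROR:: Negotiation context locked currently in use
033079: Jan 31 18:22:05: IKEv2:(SESSION ID = 326,SA ID = 1):Verification of peer's authentication data FAILED
033084: Jan 31 18:22:05: IKEv2-ERROR:(SESSION ID = 326,SA ID = 1):: Auth exchange failed
"""

SESSION_RE = re.compile(r"SESSION ID = (\d+)")
EXCHANGE_RE = re.compile(r"IKEv2 (IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) Exchange (REQUEST|RESPONSE)")
ATTRIB_RE = re.compile(r"Attrib type: ([\w-]+), length: (\d+)")
METHOD_RE = re.compile(r"authentication method is '(\w+)'")
AUTH_RE = re.compile(r"authen\w*tication data (PASSED|FAILED)")  # tolerates the 'authenctication' typo IOS prints
ERROR_RE = re.compile(r"IKEv2-ERROR:(?:\(SESSION ID = \d+,SA ID = \d+\))?:*\s*(.+)$")


def parse_sessions(text):
    """Group debug lines by SESSION ID; prefix-less continuation lines belong to the last session seen."""
    sessions, current = {}, None
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            current = m.group(1)
        s = sessions.setdefault(current, {"exchanges": [], "attribs": [], "errors": [], "auth": [], "method": None})
        if m := EXCHANGE_RE.search(line):
            s["exchanges"].append(f"{m.group(1)} {m.group(2)}")
        elif m := ATTRIB_RE.search(line):
            s["attribs"].append((m.group(1), int(m.group(2))))
        elif m := METHOD_RE.search(line):
            s["method"] = m.group(1)
        elif m := AUTH_RE.search(line):
            s["auth"].append(m.group(1))
        elif m := ERROR_RE.search(line):
            s["errors"].append(m.group(1))
    return {sid: s for sid, s in sessions.items() if sid}  # lines before the first SESSION ID are dropped


def diagnose(session):
    """Turn one parsed session into findings an operator on the responder side can act on."""
    names = [name for name, _ in session["attribs"]]
    wanted = ", ".join(sorted(set(names) - {"unknown"})) or "nothing"
    findings = [f"client CFG_REQUEST asked for: {wanted}"]
    if "unknown" in names:
        findings.append(f"{names.count('unknown')} attribute type(s) this IOS-XE build does not name: logged as IKEv2-ERROR, processing continues")
    if "FAILED" in session["auth"]:
        findings.append(f"{session['method']} auth verified {session['auth'].count('PASSED')}x then FAILED: compare identity and PSK on both ends and read the client's own log")
    if any("Negotiation context locked" in e for e in session["errors"]):
        findings.append("IKE_AUTH retransmits arrived while the first attempt was still being processed")
    return findings
```

Feed it the real capture with `parse_sessions(open("debug.txt").read())` and print `diagnose(s)` per session; the attribute list shows directly whether an ipv4-addr was requested.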

After some poking around I managed to make progress on the question, though only as far as the next problem. The progress was that I created a new VT interface (on the old one the IP was set by hand, on the new one it is unnumbered); here are the changes:
But the connection still doesn't come up.

interface Virtual-Template3 type tunnel
 ip unnumbered Loopback2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN


interface Loopback2
 description IKEv2 source interface
 ip address 172.16.253.1 255.255.255.0


ip local pool VPN 172.16.253.11 172.16.253.50



crypto ikev2 authorization policy VPN
 pool VPN
 route set interface


It never gets as far as the IP; your phase 2 isn't starting. Either the client couldn't verify the server's authenticity, or the encryption algorithms of the server and client don't match.


The errors after (IKE_AUTH_Request) and (IKE_AUTH_Response) are exactly the problems with establishing the second phase. Damn, in the config the proposal, the policy and the keyring all have the same name, extremely inconvenient)


I'll try changing the names.

I installed the Cisco AnyConnect client; it doesn't come up with it either, but there the issue is that certificates are required, and all the guides on the internet are about connecting with pre-shared keys, while AnyConnect doesn't support pre-shared keys, the bastard.


1 hour ago, catalist said:

I'll try changing the names.

I installed the Cisco AnyConnect client; it doesn't come up with it either, but there the issue is that certificates are required, and all the guides on the internet are about connecting with pre-shared keys, while AnyConnect doesn't support pre-shared keys, the bastard.

So do EAP, no? https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html


1 minute ago, catalist said:

Do you think they block by IP?

Absolutely) The docs can be read without any trouble from Russian IPs; some firmware (for switches) can be downloaded with an account registered through Google and coming from a non-Russian IP.


On 01.02.2023 at 10:26, catalist said:

After some poking around I managed to make progress on the question

Same thing on an ISR 1100. On Apple devices (iOS, macOS) the IKEv2 VPN doesn't come up (certificate authentication).

Under Windows it works.

Did you manage to fix it?


For your love affair (banned in the Russian Federation) with Apple hardware, first read: https://support.apple.com/ru-ru/guide/deployment/depdf31db478/web

Especially the part about algorithms.
