svetogor82 Posted April 23, 2014

I can't get an encrypted tunnel up between mikrotik and cisco.

# apr/23/2014 09:21:44 by RouterOS 6.12
# software id = J46A-68XZ
#
/interface gre
add local-address=1.1.1.5 name=gre-tunnel10 remote-address=2.2.2.2
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
/port
set 0 name=serial0
set 1 name=serial1
/routing ospf area
set [ find default=yes ] disabled=yes name="area 10"
add area-id=0.0.0.10 name=area1
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-2 router-id=10.0.90.25
/ip address
add address=1.1.1.5/24 comment="default configuration" interface=ether1 network=1.1.1.0
add address=172.16.0.17/16 interface=ether2 network=172.16.0.0
add address=10.0.90.25/30 interface=gre-tunnel10 network=10.0.90.24
/ip dns
set servers=172.16.0.5
/ip firewall filter
add action=drop chain=input comment=drop_all disabled=yes in-interface=ether1 protocol=tcp
add action=drop chain=input disabled=yes in-interface=ether1 protocol=udp
add chain=output comment=out protocol=udp
add chain=output protocol=tcp
add chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add chain=input comment="Allow IKE" dst-port=500 protocol=udp
add chain=input comment="Allow IPSec-ah" protocol=ipsec-ah
add chain=input comment=icp_input protocol=icmp
add chain=input comment=ssh dst-port=22 protocol=tcp
add chain=input dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=3h chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add chain=input comment=www dst-port=80 protocol=tcp
add chain=input dst-port=443 protocol=tcp
add chain=input comment="access to winbox" dst-port=8291 in-interface=ether1 protocol=tcp
add chain=input dst-port=8291 in-interface=ether2 protocol=tcp
add chain=input connection-state=new dst-port=8291,65522 protocol=tcp
add chain=input comment=dns dst-port=53 in-interface=all-ethernet protocol=udp
add chain=input dst-port=53 in-interface=all-ethernet protocol=tcp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=1723 protocol=tcp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=1h chain=output content="530 Login incorrect" protocol=tcp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec peer
add address=2.2.2.2/32 enc-algorithm=3des hash-algorithm=md5 secret="pass"
/ip route
add distance=1 gateway=1.1.1.1
add disabled=yes distance=1 dst-address=10.0.90.26/32 gateway=gre-tunnel10
/ip upnp
set allow-disable-external-interface=no
/lcd interface
set sfp-sfpplus1 interface=sfp-sfpplus1
set sfp-sfpplus2 interface=sfp-sfpplus2
set ether1 interface=ether1
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6 interface=ether6
set ether7 interface=ether7
set ether8 interface=ether8
/routing ospf interface
add cost=700 interface=gre-tunnel10 network-type=broadcast
/routing ospf network
add area=area1 network=10.0.90.0/24
/system clock
set time-zone-name=Europe/Moscow
/system leds
set 0 type=interface-speed
set 2 type=interface-speed
/system ntp client
set enabled=yes mode=unicast primary-ntp=194.149.67.129 secondary-ntp=172.16.0.5
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR

On the cisco:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key pass address 0.0.0.0 0.0.0.0
crypto ipsec transform-set tr-3des esp-3des
crypto ipsec profile prof_tun
 set transform-set tr-3des
interface Tunnel10
 bandwidth 30
 ip address 10.0.90.26 255.255.255.252
 ip mtu 1476
 ip virtual-reassembly in
 ip route-cache policy
 ip ospf cost 700
 ip ospf 100 area 10
 tunnel source 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.5
 tunnel protection ipsec profile prof_tun

From the cisco:

show interfaces tunnel 10
Tunnel10 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 10.0.90.26/30
  MTU 17940 bytes, BW 30 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 83.167.101.203, destination 91.216.48.5
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "prof_tun")
  Last input 01:30:07, output 01:30:08, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     24660 packets input, 2397924 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     24417 packets output, 3108372 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

From the mikrotik:

ping 10.0.90.26
  HOST         SIZE TTL TIME  STATUS
  10.0.90.26                  timeout
  10.0.90.26                  timeout
  10.0.90.26                  timeout
  10.0.90.26                  timeout
  10.0.90.26                  timeout
  10.0.90.26                  timeout
myst Posted April 23, 2014

On the mikrotik:

ip ipsec proposal add name="AES-128" auth-algorithms=md5 enc-algorithms=aes-128 lifetime=8m20s
ip ipsec policy add src-address=2.2.2.2/32 src-port=any dst-address=1.1.1.1/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=AES-128 priority=10
ip ipsec add address=1.1.1.1/32 port=500 auth-method=pre-shared-key secret="PASS" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1536 lifetime=8m20s lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

On the cisco:

crypto isakmp policy 66
 encr 3des
 authentication pre-share
 group 5
 lifetime 500
crypto isakmp key PASS address 2.2.2.2 no-xauth
crypto ipsec transform-set ipsec-transform esp-3des esp-md5-hmac
 mode transport require
crypto ipsec transform-set ipsec-transform-aes esp-aes esp-md5-hmac
 mode transport require
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-ipsec-aes
 set transform-set ipsec-transform-aes

interface Tunnel123
 description # Tunnel123 #
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1450
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf mtu-ignore
 ip ospf 1 area 0.0.0.0
 tunnel source 1.1.1.1
 tunnel mode ipip
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile ipsec-ipsec-aes
svetogor82 Posted April 23, 2014

ip ipsec proposal add name="AES-128" auth-algorithms=md5 enc-algorithms=aes-128 lifetime=8m20s
invalid value for argument enc-algorithms

ip ipsec proposal add name="AES-128" auth-algorithms=md5 enc-algorithms=aes-128-
aes-128-cbc  aes-128-ctr  aes-128-gcm
myst Posted April 23, 2014

ROS 6, the syntax changed there: aes-128-cbc
svetogor82 Posted April 23, 2014

ip ipsec add address=1.1.1.1/32 port=500 auth-method=pre-shared-key secret="PASS" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1536 lifetime=8m20s lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

There is no add:

/ip ipsec>
IP security supports secure (encrypted) communications over IP networks
..            -- go up to ip
export        -- Print or save an export script that can be used to restore configuration
installed-sa  -- Currently installed security associations
key           --
mode-config   --
peer          -- IKE peer configuration
policy        -- Security policies
proposal      -- phase2 IKE proposal settings
remote-peers  --
statistics    --
user          --
myst Posted April 23, 2014

ip ipsec peer add

I typed it by hand and forgot.
svetogor82 Posted April 23, 2014 (edited)

/ip ipsec peer> add address=1.1.1.5 port=500 auth-method=pre-shared-key secret=PASS generate-policy=
GeneratePolicy ::= no | port-override | port-strict
  port-override -- force policy to use any port
  port-strict   -- use ports from peer's proposal

Edited April 23, 2014 by svetogor82
svetogor82 Posted April 23, 2014

It still won't connect.

/ip ipsec policy> print detail
Flags: T - template, X - disabled, D - dynamic, I - inactive
 0   src-address=1.1.1.5/32 src-port=any dst-address=2.2.2.2/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=1.1.1.5 sa-dst-address=2.2.2.2 proposal=AES-128 priority=10

/ip ipsec peer> print detail
Flags: X - disabled
 0   address=2.2.2.2/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="pass" generate-policy=port-override exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1536 lifetime=8m20s lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

/ip ipsec remote-peers> print detail
 local-address=1.1.1.5 remote-address=2.2.2.2 state=message-3-sent side=initiator

/ip ipsec proposal> print detail
Flags: X - disabled, * - default
 0 X* name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024
 1    name="AES-128" auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=8m20s pfs-group=modp1024

From the cisco:

crypto isakmp key pass address 2.2.2.2 255.255.255.0 no-xauth
crypto ipsec transform-set tr-3des esp-3des
crypto ipsec transform-set ipsec-transform esp-3des esp-md5-hmac
 mode transport require
crypto ipsec transform-set ipsec-transform-aes esp-aes esp-md5-hmac
 mode transport require
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-ipsec-aes
 set transform-set ipsec-transform-aes
!
crypto ipsec profile prof_tun
 set transform-set tr-3des

interface Tunnel20
 ip address 10.0.90.26 255.255.255.252
 ip mtu 1450
 ip ospf cost 700
 ip ospf mtu-ignore
 ip ospf 100 area 10
 tunnel source 2.2.2.2
 tunnel mode ipip
 tunnel destination 1.1.1.5
 tunnel protection ipsec profile ipsec-ipsec-aes

show interfaces tunnel 20
Tunnel20 is up, line protocol is up
  Hardware is Tunnel
  Description: odincovo
  Internet address is 10.0.90.26/30
  MTU 17920 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2.2.2.2, destination 1.1.1.5
  Tunnel protocol/transport IP/IP
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1480 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ipsec-ipsec-aes")
  Last input never, output 02:03:53, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 809
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     810 packets output, 78480 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

ping 10.0.90.25 source 10.0.90.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.90.25, timeout is 2 seconds:
Packet sent with a source address of 10.0.90.26
.....
Success rate is 0 percent (0/5)
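Added example (mine, not code from either poster): a Python check of the rule this exchange keeps running into, that every value IKE negotiates has to be the same on both ends. It parses the MikroTik `print detail` output and the Cisco crypto config the way they are pasted in the post above and reports, side by side, the phase 1 policy, the pre-shared key binding, the phase 2 cipher, integrity, mode and PFS, and whether the MikroTik policy's `protocol=` matches the proxy identity the Cisco tunnel mode will ask for. Assumptions: the sample inputs are reconstructed from this thread, with the `crypto isakmp policy 66` from the suggested config taken as the policy on the router (the post does not show its policy block); the `ipip`/`gre` expectation for `protocol=` is the proxy identity IOS installs for `tunnel protection` (protocol 4 for `tunnel mode ipip`, which is also what the later debug output prints as `.../4/0`); RouterOS's proposal `pfs-group` defaults to modp1024, while a Cisco profile with no `set pfs` offers none. Lifetimes are deliberately not compared.

```python
"""IKEv1 parity check between a MikroTik RouterOS IPsec export and the Cisco IOS crypto config it
has to match.  Added example, not code from the thread: it parses both sides as pasted and reports
every negotiated value that must agree before phase 1 / phase 2 can complete."""
import ipaddress
import re
import shlex

DH = {"modp768": "1", "modp1024": "2", "modp1536": "5", "modp2048": "14", "none": "none"}
P1_ENC = {"des": "des", "3des": "3des", "aes-128": "aes"}      # IOS `encr aes` is AES-128
P2_ENC = {"3des": "esp-3des", "aes-128-cbc": "esp-aes"}
P2_AUTH = {"md5": "esp-md5-hmac", "sha1": "esp-sha-hmac"}
# Proxy identity IOS installs for `tunnel protection`: ipip = protocol 4, gre = 47, VTI = any.
POLICY_PROTO = {"ipip": "ipip", "gre": "gre", "ipsec": "all"}

def parse_ros(text):
    """First entry of each `/ip ipsec <section>` as {section: {key: value}}."""
    cfg, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/ip ipsec "):
            section = line.split()[2].rstrip(">")            # also matches `/ip ipsec peer>` prompts
        elif section and "=" in line:
            cfg.setdefault(section, dict(t.split("=", 1) for t in shlex.split(line) if "=" in t))
    return cfg

def parse_ios(text):
    """isakmp policies (IOS defaults filled in), transform-sets, PSK bindings, profile, tunnel mode."""
    cfg = {"policy": {}, "ts": {}, "keys": [], "transform_set": None, "pfs": "none", "mode": None}
    ctx = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            ctx = cfg["policy"][m[1]] = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            ctx = cfg["ts"][m[1]] = {"set": m[2].split(), "mode": "tunnel"}
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)(?: (\d+\.\d+\.\d+\.\d+))?", line):
            cfg["keys"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3] or 32}", strict=False)))
        elif line.startswith(("crypto ipsec profile ", "interface ")):
            ctx = cfg
        elif ctx is cfg and line.startswith(("set transform-set ", "set pfs ", "tunnel mode ")):
            cfg[line.split()[1].replace("-", "_")] = line.split()[2]
        elif ctx is not None and "encr" in ctx and line.split()[0] in ctx:
            ctx[line.split()[0]] = line.split(maxsplit=1)[1]  # encr / hash / group / authentication
        elif ctx is not None and "set" in ctx and line.startswith("mode "):
            ctx["mode"] = line.split()[1]                     # `mode transport [require]`
    return cfg

def phase1_policy(peer, policies):
    """First IOS isakmp policy (priority order) agreeing with the MikroTik peer on all four values."""
    want = (P1_ENC.get(peer["enc-algorithm"]), peer["hash-algorithm"].rstrip("1"), DH.get(peer["dh-group"]),
            "pre-share" if peer["auth-method"] == "pre-shared-key" else "rsa-sig")
    for pid, p in sorted(policies.items(), key=lambda kv: int(kv[0])):
        if want == (p["encr"], p["hash"].rstrip("1"), p["group"], p["authentication"]):   # sha1 == sha
            return pid
    return None

def check(ros, ios):
    """[(what, mikrotik, cisco, agree)] for everything the two ends have to negotiate."""
    peer, prop, pol = ros["peer"], ros["proposal"], ros["policy"]
    ts, me = ios["ts"][ios["transform_set"]], pol["sa-src-address"]
    keys = [s for s, net in ios["keys"] if ipaddress.ip_address(me) in net]
    mode = "transport" if pol.get("tunnel") == "no" else "tunnel"
    pfs = prop.get("pfs-group", "modp1024")                   # RouterOS default: PFS on
    return [
        ("phase1 policy", f'{peer["enc-algorithm"]}/{peer["hash-algorithm"]}/{peer["dh-group"]}',
         ", ".join(f'{i}: {p["encr"]}/{p["hash"]}/group {p["group"]}' for i, p in ios["policy"].items()),
         phase1_policy(peer, ios["policy"]) is not None),
        (f"PSK bound to {me}", "(set)" if peer.get("secret") else "(none)",
         f"{len(keys)} `crypto isakmp key ... address` covering {me}", bool(keys) and keys[0] == peer.get("secret")),
        ("phase2 cipher", prop["enc-algorithms"], " ".join(ts["set"]), P2_ENC.get(prop["enc-algorithms"]) in ts["set"]),
        ("phase2 integrity", prop["auth-algorithms"], " ".join(ts["set"]), P2_AUTH.get(prop["auth-algorithms"]) in ts["set"]),
        ("phase2 mode", mode, ts["mode"], mode == ts["mode"]),
        ("phase2 PFS", pfs, ios["pfs"], DH.get(pfs) == ios["pfs"].replace("group", "")),
        ("policy protocol vs tunnel mode", pol["protocol"], ios["mode"], POLICY_PROTO.get(ios["mode"]) == pol["protocol"]),
    ]

# Constructed from the values posted in this thread (isakmp policy 66 from the suggested config is assumed).
ROS = """
/ip ipsec peer
add address=2.2.2.2/32 auth-method=pre-shared-key secret="pass" hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1536
/ip ipsec proposal
add name="AES-128" auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=8m20s pfs-group=modp1024
/ip ipsec policy
add src-address=1.1.1.5/32 dst-address=2.2.2.2/32 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=1.1.1.5 sa-dst-address=2.2.2.2 proposal=AES-128
"""
IOS = """
crypto isakmp policy 66
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key pass address 2.2.2.2 255.255.255.0 no-xauth
crypto ipsec transform-set ipsec-transform-aes esp-aes esp-md5-hmac
 mode transport require
crypto ipsec profile ipsec-ipsec-aes
 set transform-set ipsec-transform-aes
interface Tunnel20
 tunnel mode ipip
"""

if __name__ == "__main__":
    for what, m, c, ok in check(parse_ros(ROS), parse_ios(IOS)):
        print(f"{'ok  ' if ok else 'FAIL'} {what:32} mikrotik={m:<28} cisco={c}")
```

On this input it flags three things: the Cisco key is bound to 2.2.2.0/24, which does not cover the MikroTik's 1.1.1.5 (the binding that gets changed a few replies later), PFS on versus off, and `protocol=all` against an IP-in-IP proxy identity. The phase 1 policy, phase 2 cipher, integrity and transport mode all agree.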
myst Posted April 23, 2014

And if you turn IPsec off on both ends, does it work?
svetogor82 Posted April 23, 2014

Yes, it works if ipsec is turned off.
myst Posted April 23, 2014 (edited)

> Yes, it works if ipsec is turned off.

Turn on IPsec debug on the cisco and watch what happens. The config I gave you is fully working; I have dozens of devices running that way.

Edited April 23, 2014 by myst
svetogor82 Posted April 23, 2014

In the cisco logs there is only

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 1.1.1.5 failed its sanity check or is malformed
YuryD Posted April 23, 2014

> In the cisco logs there is only
> %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 1.1.1.5 failed its sanity check or is malformed

Have you tried synchronizing the time?
svetogor82 Posted April 23, 2014

On the cisco I changed

crypto isakmp key pass address 2.2.2.2 255.255.255.0 no-xauth

to

crypto isakmp key pass address 1.1.1.5 255.255.255.0 no-xauth

and the error went away. The time on the devices is the same. Maybe I forgot to enable some logs on the cisco; currently enabled:

General-purpose tunnel:
  Tunnel Interface debugging is on
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC Error debugging is on
  Crypto IPSEC High Availability debugging is on
EzVPN:
  EzVPN debugging is on
svetogor82 Posted April 23, 2014

Also in the logs:

Tunnel20: IP/IP encapsulated 2.2.2.2->1.1.1.5 (linktype=7, len=96)
YuryD Posted April 23, 2014

> Also in the logs:
> Tunnel20: IP/IP encapsulated 2.2.2.2->1.1.1.5 (linktype=7, len=96)

Looks like this has to be checked from the basics. IPsec will come up if all the parameters match on both ends; I've brought it up between different boxes. You also need to check the routing between the client networks, what should go into the tunnel and what should go around it... You can't, for example, wrap the whole internet into ipsec, only the networks and masks you describe, and I've never once managed to wrap identical networks into ipsec, only routed ones.
myst Posted April 24, 2014

> Looks like this has to be checked from the basics. IPsec will come up if all the parameters match on both ends; I've brought it up between different boxes. You also need to check the routing between the client networks, what should go into the tunnel and what should go around it... You can't, for example, wrap the whole internet into ipsec, only the networks and masks you describe, and I've never once managed to wrap identical networks into ipsec, only routed ones.

You can wrap anything into IPsec. If you want to.
svetogor82 Posted April 24, 2014

After rebooting the cisco, this appeared in the logs:

*Apr 24 05:59:55.251: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 2.2.2.2:0, remote= 1.1.1.5:0,
    local_proxy= 2.2.2.2/255.255.255.255/4/0 (type=1),
    remote_proxy= 1.1.1.5/255.255.255.255/4/0 (type=1)
*Apr 24 05:59:55.275: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr 24 06:00:02.871: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.5:500,
    local_proxy= 2.2.2.2/255.255.255.255/4/0 (type=1),
    remote_proxy= 1.1.1.5/255.255.255.255/4/0 (type=1),
    protocol= ESP, transform= esp-aes esp-md5-hmac (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr 24 06:00:05.203: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 2.2.2.2:500,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
myst Posted April 24, 2014

Why the reboot??!! =)))

clear crypto sa
svetogor82 Posted April 24, 2014

Also in the logs:

*Apr 24 08:57:36.551: ISAKMP: set new node 0 to QM_IDLE
*Apr 24 08:57:36.551: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.5)
*Apr 24 08:57:36.551: ISAKMP: Error while processing SA request: Failed to initialize SA
*Apr 24 08:57:36.551: ISAKMP: Error while processing KMI message 0, error 2.
*Apr 24 08:57:40.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Apr 24 08:57:40.247: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 24 08:57:40.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Apr 24 08:57:40.247: ISAKMP:(0): sending packet to 1.1.1.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 24 08:57:40.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 24 08:57:43.523: ISAKMP:(0):purging node -808193248
*Apr 24 08:57:43.523: ISAKMP:(0):purging node 412670883
*Apr 24 08:57:44.539: ISAKMP (0): received packet from 1.1.1.5 dport 500 sport 500 Global (R) MM_NO_STATE
*Apr 24 08:57:45.207: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Apr 24 08:57:45.207: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 24 08:57:45.207: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
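Added example, not from any poster here: a small Python triage of `debug crypto isakmp` lines like the ones in the post above (plus the `%CRYPTO-4-IKMP_BAD_MESSAGE` from earlier in the thread). It keeps the furthest main-mode state each side reached, counts the phase 1 retransmits and the bad-message events, and prints what that pattern usually means, using Cisco's documented state sequence (MM_NO_STATE, MM_SA_SETUP, MM_KEY_EXCH, MM_KEY_AUTH, QM_IDLE). The sample lines are constructed from the quoted output with timestamps shortened; the readings in `MEANING` are the usual troubleshooting interpretation of those states, not something this thread proves.

```python
"""Triage of Cisco IOS `debug crypto isakmp` output for one IKEv1 peer.  Added example, not from
the thread: it records the furthest main-mode state reached in each role, the retransmit count
and IKMP_BAD_MESSAGE events, and says what that pattern means.  Sample lines are constructed
from the messages quoted in this thread."""
import re

# Main-mode states in the order IOS passes through them; the furthest one reached tells you
# which exchange (MM1/2, MM3/4, MM5/6) is the one failing.
MM_STATES = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH", "QM_IDLE"]
MEANING = {
    "MM_NO_STATE": "MM1 sent, no acceptable MM2 came back: peer unreachable on UDP/500, not answering, "
                   "or it rejected the proposal (no matching isakmp policy)",
    "MM_SA_SETUP": "policy agreed, key exchange (MM3/MM4) not completing",
    "MM_KEY_EXCH": "DH done, authenticated exchange (MM5/MM6) failing: usually a pre-shared key mismatch",
    "MM_KEY_AUTH": "peer authenticated, phase 1 about to complete",
    "QM_IDLE": "phase 1 is up; a failure now is phase 2 (proposal, proxy identities, PFS)",
}
PAT_STATE = re.compile(r"(?:to|from) (\d+\.\d+\.\d+\.\d+) .*\((I|R)\) (%s)" % "|".join(MM_STATES))
PAT_RETRANS = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
PAT_BAD = re.compile(r"IKMP_BAD_MESSAGE: IKE message from (\d+\.\d+\.\d+\.\d+)")


def triage(lines, peer):
    """Summarise the debug lines that concern `peer` into a dict of facts."""
    s = {"peer": peer, "initiator": None, "responder": None, "retransmits": 0, "limit": 0, "bad": 0}
    for line in lines:
        if (m := PAT_STATE.search(line)) and m[1] == peer:
            role = "initiator" if m[2] == "I" else "responder"   # (I)/(R) is this router's role on that SA
            if s[role] is None or MM_STATES.index(m[3]) > MM_STATES.index(s[role]):
                s[role] = m[3]                                    # keep the furthest state seen
        elif m := PAT_RETRANS.search(line):
            s["retransmits"], s["limit"] = max(s["retransmits"], int(m[1])), int(m[2])
        elif (m := PAT_BAD.search(line)) and m[1] == peer:
            s["bad"] += 1
    return s


def verdict(s):
    """Turn the facts into the reading a practitioner would make."""
    out = []
    if s["initiator"]:
        out.append(f"as initiator the SA never got past {s['initiator']}: {MEANING[s['initiator']]}")
    if s["retransmits"]:
        out.append(f"phase 1 retransmitted {s['retransmits']} of {s['limit']} times, i.e. nothing usable came back")
    if s["responder"]:
        out.append(f"{s['peer']} is also initiating towards us (responder-side SA in {s['responder']})")
    if s["bad"]:
        out.append(f"{s['bad']} IKMP_BAD_MESSAGE from {s['peer']}: a message could not be parsed or "
                   "authenticated, most often a PSK that differs or is bound to the wrong address")
    return out


# Constructed from the lines quoted in this thread (timestamps shortened).
SAMPLE = """\
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 1.1.1.5 failed its sanity check or is malformed
08:57:36.551: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.5)
08:57:40.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
08:57:40.247: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
08:57:40.247: ISAKMP:(0): sending packet to 1.1.1.5 my_port 500 peer_port 500 (I) MM_NO_STATE
08:57:44.539: ISAKMP (0): received packet from 1.1.1.5 dport 500 sport 500 Global (R) MM_NO_STATE
08:57:45.207: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
""".splitlines()

if __name__ == "__main__":
    for line in verdict(triage(SAMPLE, "1.1.1.5")):
        print("-", line)
```

Run as is, it reports that the Cisco never got past MM_NO_STATE as initiator after 4 of 5 retransmits, that 1.1.1.5 is also sending its own MM1 (the `(R) MM_NO_STATE` line), and one sanity-check failure. The state is the useful part: stuck in MM_NO_STATE means the very first exchange is failing, so the pre-shared key and the phase 2 proposal are not even being consulted yet; a PSK mismatch normally shows up as both sides stuck in MM_KEY_EXCH instead.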
myst Posted April 24, 2014

local-address=0.0.0.0

It's unclear where that came from in the ipsec peer.
svetogor82 Posted April 24, 2014

I set the address there, but it didn't change the situation:

local-address=1.1.1.5