Anticisco http://anticisco.ru/forum/

L2TP/IPSec - No outbound SA found ? http://anticisco.ru/forum/viewtopic.php?f=2&t=10672

Author: avahtang [ 11 Sep 2018, 16:32 ]
Subject: L2TP/IPSec - No outbound SA found ?
Good day. I have been given the task of moving from plain PPTP to L2TP/IPSec with local authorization (a remote client gets access into our network). We have an ISR11xx. WAN - xDSL (87.x.x.x). LAN 192.168.100.1. Lo10 (which in theory acts as the source for the Virtual-Template) 172.23.0.1. We go about it as follows:

Code:

aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!
!
aaa attribute list user1
 attribute type addr 10.70.1.21 service vpdn protocol ip
!
username user1 privilege 0 password 0 TestPasswr0d
username user1 aaa attribute list user1
!
ip local pool pptppool_for_clients 10.70.1.1 10.70.1.20
!
vpdn enable
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 15
!
interface Loopback10
 ip address 172.23.0.1 255.255.255.0
!
interface Virtual-Template1
 description PPTP_FOR_CLIENTS
 ip unnumbered Loopback10
 peer default ip address pool pptppool_for_clients
 keepalive 5
 ppp encrypt mppe 128
 ppp authentication ms-chap-v2
 ppp ipcp dns 192.168.100.1
!
crypto keyring keyring_ltp
 pre-shared-key address 0.0.0.0 0.0.0.0 key MyPaassww00rd
!
crypto isakmp policy 1
 encr 3des
 hash md5
 group 5
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp profile L2TP
 keyring keyring_ltp
 match identity address 0.0.0.0
crypto ipsec transform-set myset_windows3 esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map mydyn 1000
 set transform-set myset_windows3
 set isakmp-profile L2TP
 reverse-route
!
crypto map myipsec 100 ipsec-isakmp dynamic mydyn
!
interface Dialer0
 ip nat outside
 crypto map myipsec

With this configuration, when I try from a remote location (a Windows PC with the standard VPN client), I get the following in the debug:

Code:

*Sep 11 13:13:19.071: IPSEC(validate_proposal_request): proposal part #1
*Sep 11 13:13:19.071: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 87.138.66.75:0, remote= 91.46.33.166:0, local_proxy= 87.138.66.75/255.255.255.255/17/1701, remote_proxy= 91.46.33.166/255.255.255.255/17/1701, protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 11 13:13:19.072: IPSEC(ipsec_process_proposal): invalid transform proposal received: {esp-aes 256 esp-sha-hmac }
*Sep 11 13:13:19.072: IPSEC(validate_proposal_request): proposal part #1
*Sep 11 13:13:19.072: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 87.138.66.75:0, remote= 91.46.33.166:0, local_proxy= 87.138.66.75/255.255.255.255/17/1701, remote_proxy= 91.46.33.166/255.255.255.255/17/1701, protocol= ESP, transform= esp-aes esp-sha-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Sep 11 13:13:19.072: IPSEC(ipsec_process_proposal): invalid transform proposal received: {esp-aes esp-sha-hmac }
*Sep 11 13:13:19.073: IPSEC(validate_proposal_request): proposal part #1
*Sep 11 13:13:19.073: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 87.138.66.75:0, remote= 91.46.33.166:0, local_proxy= 87.138.66.75/255.255.255.255/17/1701, remote_proxy= 91.46.33.166/255.255.255.255/17/1701, protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Sep 11 13:13:19.073: (ipsec_process_proposal)Map Accepted: mydyn, 1000
*Sep 11 13:13:19.074: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 11 13:13:19.074: IPSEC(crypto_ipsec_create_ipsec_sas): Map found mydyn, 1000TBAR_DBG ident_prep_create_sa: after initilize settings for time-based antireplay: do_ipd3p=0, ipd3p_type=0, win-size=0, do_tbar=0
*Sep 11 13:13:19.075: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F659C3050
*Sep 11 13:13:19.075: IPSEC(create_sa): sa created, (sa) sa_dest= 87.138.66.75, sa_proto= 50, sa_spi= 0x94824203(2491564547), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2003 sa_lifetime(k/sec)= (250000/3600), (identity) local= 87.138.66.75:0, remote= 91.46.33.166:0, local_proxy= 87.138.66.75/255.255.255.255/17/1701, remote_proxy= 91.46.33.166/255.255.255.255/17/1701
*Sep 11 13:13:19.075: IPSEC(create_sa): sa created, (sa) sa_dest= 91.46.33.166, sa_proto= 50, sa_spi= 0xC1BF58A4(3250542756), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2004 sa_lifetime(k/sec)= (250000/3600), (identity) local= 87.138.66.75:0, remote= 91.46.33.166:0, local_proxy= 87.138.66.75/255.255.255.255/17/1701, remote_proxy= 91.46.33.166/255.255.255.255/17/1701
*Sep 11 13:13:19.080: IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Static keyword or dynamic SA create for 91.46.33.166
*Sep 11 13:13:19.111: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 11 13:13:19.112: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

Honestly, I don't quite understand what IPsec doesn't like, such that the connection never gets established in the end. No outbound SA..?
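Added example, not part of the post: a small Python parser that walks an IOS "debug crypto ipsec" trace like the one above and reports which transforms the Windows client proposed and were rejected, which one the dynamic map accepted, and which SAs were then installed. The sample trace is a shortened, constructed copy of the post's own lines (same addresses, transforms and SPIs); on it the parser shows both SAs created right after the "No outbound SA found" lookup, so the IPsec side of this trace completes and the remaining problem must be looked for above it.

```python
import re

# Constructed excerpt of the "debug crypto ipsec" trace quoted above
# (addresses, SPIs and transforms copied from the post; lines shortened).
SAMPLE_DEBUG = """\
*Sep 11 13:13:19.071: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 87.138.66.75:0, remote= 91.46.33.166:0, protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP), keysize= 256, flags= 0x0
*Sep 11 13:13:19.072: IPSEC(ipsec_process_proposal): invalid transform proposal received: {esp-aes 256 esp-sha-hmac }
*Sep 11 13:13:19.072: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 87.138.66.75:0, remote= 91.46.33.166:0, protocol= ESP, transform= esp-aes esp-sha-hmac (Transport-UDP), keysize= 128, flags= 0x0
*Sep 11 13:13:19.072: IPSEC(ipsec_process_proposal): invalid transform proposal received: {esp-aes esp-sha-hmac }
*Sep 11 13:13:19.073: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 87.138.66.75:0, remote= 91.46.33.166:0, protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP), keysize= 0, flags= 0x0
*Sep 11 13:13:19.073: (ipsec_process_proposal)Map Accepted: mydyn, 1000
*Sep 11 13:13:19.075: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F659C3050
*Sep 11 13:13:19.075: IPSEC(create_sa): sa created, (sa) sa_dest= 87.138.66.75, sa_proto= 50, sa_spi= 0x94824203(2491564547), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2003
*Sep 11 13:13:19.075: IPSEC(create_sa): sa created, (sa) sa_dest= 91.46.33.166, sa_proto= 50, sa_spi= 0xC1BF58A4(3250542756), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2004
*Sep 11 13:13:19.112: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
"""

PROPOSAL = re.compile(r"local= (?P<local>[\d.]+):\d+.*transform= (?P<tf>.+?) \(")
REJECTED = re.compile(r"invalid transform proposal received: \{(?P<tf>.+?)\s*\}")
ACCEPTED = re.compile(r"Map Accepted: (?P<map>\S+), (?P<seq>\d+)")
SA_MADE = re.compile(r"sa created, \(sa\) sa_dest= (?P<dest>[\d.]+),.*sa_spi= (?P<spi>0x[0-9A-Fa-f]+)")

def summarize_ipsec_debug(text):
    """Return each proposal with its verdict, the SAs installed, and whether ISAKMP enabled outbound."""
    local, proposals, sas, outbound_enabled = None, [], [], False
    for line in text.splitlines():
        if m := PROPOSAL.search(line):          # the peer offered a transform
            local = local or m["local"]         # our own address, used to tell SA direction
            proposals.append([m["tf"], "pending"])
        elif (m := REJECTED.search(line)) and proposals:
            proposals[-1][1] = "rejected"
        elif (m := ACCEPTED.search(line)) and proposals:
            proposals[-1][1] = "accepted by %s %s" % (m["map"], m["seq"])
        elif m := SA_MADE.search(line):         # sa_dest == our address means inbound SA
            direction = "inbound" if m["dest"] == local else "outbound"
            sas.append((direction, m["dest"], m["spi"]))
        elif "key_engine_enable_outbound" in line and "enable notify" in line:
            outbound_enabled = True
    return {"proposals": [tuple(p) for p in proposals], "sas": sas,
            "outbound_enabled": outbound_enabled}

def phase2_established(summary):
    """True when a proposal was accepted, an SA exists in each direction and
    ISAKMP enabled the outbound SA: the IPsec side is done, so a tunnel that
    still fails must be investigated above it (L2TP/PPP)."""
    accepted = any(v.startswith("accepted") for _, v in summary["proposals"])
    dirs = {d for d, _, _ in summary["sas"]}
    return accepted and dirs == {"inbound", "outbound"} and summary["outbound_enabled"]
```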