Good day,
I have been given the task of moving from plain PPTP to L2TP/IPsec with local authorization (a remote client gets access into our network).
We have an ISR11xx.
WAN - xDSL (87.x.x.x).
LAN 192.168.100.1
Lo10 (in theory acts as the source for the Virtual-Template) 172.23.0.1
We proceed as follows:
Code:
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!
!
aaa attribute list user1
attribute type addr 10.70.1.21 service vpdn protocol ip
!
username user1 privilege 0 password 0 TestPasswr0d
username user1 aaa attribute list user1
!
ip local pool pptppool_for_clients 10.70.1.1 10.70.1.20
!
vpdn enable
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
l2tp tunnel timeout no-session 15
!
interface Loopback10
ip address 172.23.0.1 255.255.255.0
!
interface Virtual-Template1
description PPTP_FOR_CLIENTS
ip unnumbered Loopback10
peer default ip address pool pptppool_for_clients
keepalive 5
ppp encrypt mppe 128
ppp authentication ms-chap-v2
ppp ipcp dns 192.168.100.1
!
crypto keyring keyring_ltp
pre-shared-key address 0.0.0.0 0.0.0.0 key MyPaassww00rd
!
crypto isakmp policy 1
encr 3des
hash md5
group 5
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp profile L2TP
keyring keyring_ltp
match identity address 0.0.0.0
crypto ipsec transform-set myset_windows3 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map mydyn 1000
set transform-set myset_windows3
set isakmp-profile L2TP
reverse-route
!
crypto map myipsec 100 ipsec-isakmp dynamic mydyn
!
interface Dialer0
ip nat outside
crypto map myipsec
With this configuration, when I try from the remote site (a Windows PC, the built-in VPN client), I get the following in debug:
Code:
*Sep 11 13:13:19.071: IPSEC(validate_proposal_request): proposal part #1
*Sep 11 13:13:19.071: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 87.138.66.75:0, remote= 91.46.33.166:0,
local_proxy= 87.138.66.75/255.255.255.255/17/1701,
remote_proxy= 91.46.33.166/255.255.255.255/17/1701,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 11 13:13:19.072: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-aes 256 esp-sha-hmac }
*Sep 11 13:13:19.072: IPSEC(validate_proposal_request): proposal part #1
*Sep 11 13:13:19.072: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 87.138.66.75:0, remote= 91.46.33.166:0,
local_proxy= 87.138.66.75/255.255.255.255/17/1701,
remote_proxy= 91.46.33.166/255.255.255.255/17/1701,
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Sep 11 13:13:19.072: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-aes esp-sha-hmac }
*Sep 11 13:13:19.073: IPSEC(validate_proposal_request): proposal part #1
*Sep 11 13:13:19.073: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 87.138.66.75:0, remote= 91.46.33.166:0,
local_proxy= 87.138.66.75/255.255.255.255/17/1701,
remote_proxy= 91.46.33.166/255.255.255.255/17/1701,
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Sep 11 13:13:19.073: (ipsec_process_proposal)Map Accepted: mydyn, 1000
*Sep 11 13:13:19.074: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 11 13:13:19.074: IPSEC(crypto_ipsec_create_ipsec_sas): Map found mydyn, 1000TBAR_DBG ident_prep_create_sa: after initilize settings for time-based antireplay: do_ipd3p=0, ipd3p_type=0, win-size=0, do_tbar=0
*Sep 11 13:13:19.075: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F659C3050
*Sep 11 13:13:19.075: IPSEC(create_sa): sa created,
(sa) sa_dest= 87.138.66.75, sa_proto= 50,
sa_spi= 0x94824203(2491564547),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2003
sa_lifetime(k/sec)= (250000/3600),
(identity) local= 87.138.66.75:0, remote= 91.46.33.166:0,
local_proxy= 87.138.66.75/255.255.255.255/17/1701,
remote_proxy= 91.46.33.166/255.255.255.255/17/1701
*Sep 11 13:13:19.075: IPSEC(create_sa): sa created,
(sa) sa_dest= 91.46.33.166, sa_proto= 50,
sa_spi= 0xC1BF58A4(3250542756),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2004
sa_lifetime(k/sec)= (250000/3600),
(identity) local= 87.138.66.75:0, remote= 91.46.33.166:0,
local_proxy= 87.138.66.75/255.255.255.255/17/1701,
remote_proxy= 91.46.33.166/255.255.255.255/17/1701
*Sep 11 13:13:19.080: IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Static keyword or dynamic SA create for 91.46.33.166
*Sep 11 13:13:19.111: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 11 13:13:19.112: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Honestly, I don't quite understand what IPsec doesn't like, so that it would actually establish the connection in the end. No outbound SA..?
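An added example (my own script, not the poster's and not a Cisco tool): a small Python triage helper for this kind of "debug crypto ipsec" output, run over a trimmed copy of the lines quoted above (the addresses, SPIs and conn ids are the ones in the post; the excerpt itself is constructed by dropping the repeated lines). It separates the proposals the router rejected from the map it accepted and the SAs it built, and checks that the proxy identities are UDP/1701, i.e. L2TP in IPsec transport mode. The regular expressions and the summary format are assumptions of this example, not anything IOS provides.

```python
"""Triage helper for Cisco IOS 'debug crypto ipsec' output (added example)."""
import re

# Constructed excerpt of the debug output quoted in the post above; the
# addresses and SPIs are the ones shown there, the repeated lines are trimmed.
SAMPLE_LOG = """\
*Sep 11 13:13:19.071: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 87.138.66.75:0, remote= 91.46.33.166:0,
    local_proxy= 87.138.66.75/255.255.255.255/17/1701,
    remote_proxy= 91.46.33.166/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),
*Sep 11 13:13:19.072: IPSEC(ipsec_process_proposal): invalid transform proposal received:
   {esp-aes 256 esp-sha-hmac }
*Sep 11 13:13:19.072: IPSEC(ipsec_process_proposal): invalid transform proposal received:
   {esp-aes esp-sha-hmac }
*Sep 11 13:13:19.073: (ipsec_process_proposal)Map Accepted: mydyn, 1000
*Sep 11 13:13:19.075: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F659C3050
*Sep 11 13:13:19.075: IPSEC(create_sa): sa created,
  (sa) sa_dest= 87.138.66.75, sa_proto= 50,
    sa_spi= 0x94824203(2491564547),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2003
*Sep 11 13:13:19.075: IPSEC(create_sa): sa created,
  (sa) sa_dest= 91.46.33.166, sa_proto= 50,
    sa_spi= 0xC1BF58A4(3250542756),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2004
"""

# Patterns written for the message formats visible in the excerpt (assumed,
# not an official IOS grammar).
RE_REJECTED = re.compile(r"invalid transform proposal received:\s*\{([^}]+?)\s*\}")
RE_ACCEPTED = re.compile(r"Map Accepted: (\S+), (\d+)")
RE_PROXY = re.compile(r"local_proxy= [\d.]+/[\d.]+/(\d+)/(\d+),")
RE_SA = re.compile(
    r"sa created,\s*\(sa\) sa_dest= (\S+), sa_proto= (\d+),"
    r"\s*sa_spi= (0x[0-9A-Fa-f]+)\(\d+\),"
    r"\s*sa_trans= (.+?)\s*, sa_conn_id= (\d+)"
)
RE_NO_OUTBOUND = re.compile(r"No outbound SA found for peer")


def parse_ipsec_debug(text):
    """Extract the negotiation facts a reviewer cares about from the debug text."""
    rejected = [m.group(1).strip() for m in RE_REJECTED.finditer(text)]
    m = RE_ACCEPTED.search(text)
    accepted = (m.group(1), int(m.group(2))) if m else None
    # L2TP/IPsec in transport mode shows proxy identities of protocol 17 (UDP)
    # port 1701; anything else would mean a different kind of client.
    proxies = [(int(p), int(port)) for p, port in RE_PROXY.findall(text)]
    l2tp_proxy = bool(proxies) and all(pp == (17, 1701) for pp in proxies)
    sas = [
        {"dest": d, "proto": int(pr), "spi": spi, "transform": tr, "conn_id": int(cid)}
        for d, pr, spi, tr, cid in RE_SA.findall(text)
    ]
    return {
        "rejected": rejected,
        "accepted_map": accepted,
        "l2tp_proxy": l2tp_proxy,
        "sas": sas,
        "no_outbound_msgs": len(RE_NO_OUTBOUND.findall(text)),
    }


def assess(summary, local_ip):
    """Decide whether Phase 2 finished: one inbound and one outbound ESP SA."""
    inbound = [s for s in summary["sas"] if s["dest"] == local_ip]
    outbound = [s for s in summary["sas"] if s["dest"] != local_ip]
    complete = summary["accepted_map"] is not None and bool(inbound) and bool(outbound)
    notes = []
    if summary["rejected"]:
        notes.append("client offered %d transform(s) the router has no transform-set for: %s"
                     % (len(summary["rejected"]), "; ".join(summary["rejected"])))
    if summary["no_outbound_msgs"] and outbound:
        notes.append("'No outbound SA found' was printed before the outbound SA was "
                     "created: informational, not a failure")
    if complete:
        notes.append("ESP SAs are up in both directions with %s" % outbound[0]["transform"])
    return {"phase2_complete": complete, "inbound": len(inbound),
            "outbound": len(outbound), "notes": notes}


if __name__ == "__main__":
    summary = parse_ipsec_debug(SAMPLE_LOG)
    for line in assess(summary, "87.138.66.75")["notes"]:
        print(line)
```

On this excerpt the script reports that the two AES offers were rejected (the only transform-set configured is esp-3des esp-sha-hmac, so the client's third offer is the one that matched), that "No outbound SA found for peer" appeared before the outbound SA was created, and that ESP SAs exist in both directions with esp-3des esp-sha-hmac. In other words, the IPsec part of this debug output ends with a completed Phase 2; whatever stops the session is not visible in these lines.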