Hello.
I can't get the tunnel to establish :(
The task is to set up an IPsec tunnel between a Huawei and a Cisco. I used this article:
https://forum.huawei.com/enterprise/en/ ... erface-to-the-Cisco-Router-Using-the-Host-Name/thread/389243-863, but the tunnel does not come up.
The Huawei AR129 is behind NAT. The Cisco 2911 has a public IP.
Cisco 2911:
Code:
hub-cnt-01#sh run
Building configuration...
Current configuration : 4730 bytes
!
! Last configuration change at 16:26:11 GMT Thu May 16 2019 by admin
!
version 15.7
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname hub-cnt-01
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_access local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 10 0
clock calendar-valid
!
!
!
!
ip domain name corp.viang.ru
ip host hub-cnt-01 172.16.100.3
ip cef
login block-for 60 attempts 3 within 30
login delay 5
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
multilink bundle-name authenticated
!
!
!
password encryption aes
!
!
license udi pid CISCO2911/K9 sn FHK1452F1Q6
!
!
!
object-group network local_cws_net
!
object-group network local_lan_subnets
any
!
object-group network vpn_remote_subnets
any
!
username admin secret 5
!
redundancy
!
!
!
!
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
!
!
crypto isakmp policy 1
encr aes
hash sha256
authentication pre-share
group 14
crypto isakmp key 6 1111111111111111111111111 hostname Huawei
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set p1 esp-aes esp-sha256-hmac
mode tunnel
!
!
!
crypto dynamic-map p1 1
set transform-set p1
match address 102
!
!
crypto map p1 1 ipsec-isakmp dynamic p1
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 31.xx.xx.xx 255.255.255.248
duplex auto
speed auto
crypto map p1
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0/0/0
no ip address
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
!
interface Vlan1
ip address 172.16.100.3 255.255.255.0
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 31.xx.xxx.xx
ip ssh logging events
ip ssh version 2
!
ip access-list standard SNMP_ACCESS_RO
permit 172.16.100.19
!
ip access-list extended ACCESS_SSH
permit ip host 172.16.100.127 any log
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
!
ipv6 ioam timestamp
!
!
snmp-server community public RO SNMP_ACCESS_RO
access-list 102 permit ip 172.16.100.0 0.0.0.255 192.168.50.0 0.0.0.255
!
!
!
control-plane
!
!
vstack
!
line con 0
logging synchronous
login authentication local_access
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class ACCESS_SSH in
privilege level 15
logging synchronous
login authentication local_access
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 91.206.16.3
ntp server 89.109.251.23
ntp server 88.212.196.95
!
end
hub-cnt-01#
HUAWEI AR129:
Code:
[Huawei]display cur
[V200R009C00SPC500]
#
drop illegal-mac alarm
#
l2tp enable
#
ipv6
#
ipsec authentication sha2 compatible enable
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
#
ike local-name huawei
ipsec invalid-spi-recovery enable
#
dns resolve
dns proxy enable
#
dhcp enable
#
radius-server template default
#
pki realm default
#
ssl policy default_policy type server
pki-realm default
version tls1.0 tls1.1
ciphersuite rsa_aes_128_cbc_sha
#
acl name GigabitEthernet0/0/4 2999
rule 5 permit
#
acl number 3000
rule 5 permit ip source 192.168.50.0 0.0.0.255 destination 172.16.100.0 0.0.0.255
acl number 3001
rule 5 deny ip source 192.168.50.0 0.0.0.255 destination 172.16.100.0 0.0.0.255
rule 10 permit ip
#
ipsec proposal prop1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal default
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 1
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer peer1
exchange-mode aggressive
pre-shared-key cipher 111111111111111111111
ike-proposal 1
local-id-type fqdn
remote-id hub-cnt-01
remote-address 31.xx.xx.xx
#
ipsec policy policy1 10 isakmp
security acl 3000
ike-peer peer1
proposal prop1
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme default
domain default_admin
authentication-scheme default
local-user admin password irreversible-cipher
local-user admin privilege level 15
local-user admin service-type ssh http
#
web
set fast-configuration state disable
user-set Default
user-set VIP
#
firewall zone Local
#
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
interface Vlanif1
ip address 192.168.50.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.100.11 192.168.50.1
#
interface Ethernet0/0/0
#
interface Virtual-Template1
ppp chap user vpn
ppp chap password cipher
ppp pap local-user vpn password cipher
ppp ipcp dns admit-any
ppp ipcp dns request
tcp adjust-mss 1200
ip address ppp-negotiate
l2tp-auto-client enable
nat outbound 2999
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
nat outbound 2999
ipsec policy policy1
ip address dhcp-alloc
#
interface GigabitEthernet0/0/5
description VirtualPort
ip address dhcp-alloc
#
interface Cellular0/0/0
#
interface NULL0
#
l2tp-group 2
undo tunnel authentication
start l2tp ip 82.xx.xx.xx fullusername vpn
#
snmp-agent local-engineid 800007DB038866394D3A5C
#
sftp server enable
stelnet server enable
#
set web login-style simple
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
#
ip route-static 172.16.100.0 255.255.255.255 Virtual-Template1
ip route-static 172.16.100.0 255.255.255.255 172.16.100.2
ip route-static 172.16.100.10 255.255.255.255 172.16.100.2
ip route-static 172.16.100.11 255.255.255.255 172.16.100.2
ip route-static 172.16.100.12 255.255.255.255 172.16.100.2
ip route-static 172.16.100.13 255.255.255.255 172.16.100.2
ip route-static 172.16.100.14 255.255.255.255 172.16.100.2
ip route-static 172.16.100.15 255.255.255.255 172.16.100.2
ip route-static 172.16.100.24 255.255.255.255 172.16.100.2
ip route-static 172.16.100.40 255.255.255.255 172.16.100.2
ip route-static 172.16.100.41 255.255.255.255 172.16.100.2
ip route-static 172.16.100.44 255.255.255.255 172.16.100.2
#
fib regularly-refresh disable
#
user-interface con 0
authentication-mode aaa
user-interface vty 0
authentication-mode aaa
user privilege level 15
user-interface vty 1 4
authentication-mode aaa
#
wlan
wmm-profile name wmmf id 0
traffic-profile name traf id 0
security-profile name secf id 0
radio-profile name radiof id 0
wmm-profile id 0
#
interface Wlan-Radio0/0/0
#
interface Wlan-Radio0/0/1
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
voice
voip-address signalling interface Virtual-Template 1 dynamic
voip-address media interface Virtual-Template 1 dynamic
#
sipag 1
signalling-addr addr-name Virtual-Template1 5060
media-addr addr-name Virtual-Template1
primary-proxy-addr static 172.16.100.15 5060
#
sipaguser 1 port 0/0/0
base-telno 120
agid 1
#
diagnose
#
ops
#
autostart
#
secelog
#
return
[Huawei]
On the Cisco it's empty:
hub-cnt-01#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
hub-cnt-01#
On the Huawei too.
I enabled debugging on the Cisco, and here is the result:
.May 17 11:09:19: IKEv2:Received Packet [From 188.162.229.154:32774/To 31.200.236.206:500/VRF i0:f0]
Initiator SPI : 93505B913F7ED158 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Verify SA init message
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Insert SA
.May 17 11:09:19: IKEv2:Searching Policy with fvrf 0, local address 31.200.236.206
.May 17 11:09:19: IKEv2:Using the Default Policy for Proposal
.May 17 11:09:19: IKEv2:Found Policy 'default'
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Processing IKE_SA_INIT message
.May 17 11:09:19: IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Received Policies: : Failed to find a matching policyProposal 1: AES-CBC-128 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
.May 17 11:09:19:
.May 17 11:09:19:
.May 17 11:09:19: IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Expected Policies: : Failed to find a matching policyProposal 1: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA512 SHA384 SHA256 SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
.May 17 11:09:19:
.May 17 11:09:19:
.May 17 11:09:19: IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):: Failed to find a matching policy
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Sending no proposal chosen notify
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Sending Packet [To 188.162.229.154:32774/From 31.200.236.206:500/VRF i0:f0]
Initiator SPI : 93505B913F7ED158 - Responder SPI : 2BDA4287F67C5DB9 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(NO_PROPOSAL_CHOSEN)
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Failed SA init exchange
.May 17 11:09:19: IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Initial exchange failed: Initial exchange failed
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Abort exchange
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Deleting SA
As I understand it, the IKE policy doesn't match. But I can't figure out why. On both the Huawei and the Cisco the proposal is the same.
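The debug above records an IKEv2 IKE_SA_INIT in which the only transform type with no overlap is the Diffie-Hellman group (the peer offers group 14, the responder's "Expected Policies" list only groups 5 and 2), and the Cisco config posted contains only `crypto isakmp policy` (IKEv1) lines, so the request was answered by the IKEv2 default policy. The Python below is an added example, not part of the post or of either vendor's tooling: it parses the "Received/Expected Policies" lines into transform sets and reports what does not intersect. The sample strings are re-typed from the debug output; the `explain` helper and its config check are hypothetical.

```python
import re

# Constructed sample: the IKEv2 debug fragments from the Cisco output above, re-typed
# verbatim (session ids and proposal contents are from the post; nothing else is real).
HEADER = "IKEv2 IKE_SA_INIT Exchange REQUEST"
RECEIVED = ("IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Received Policies: : Failed to find "
            "a matching policyProposal 1: AES-CBC-128 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14")
EXPECTED = ("IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Expected Policies: : Failed to find "
            "a matching policyProposal 1: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA512 SHA384 "
            "SHA256 SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5 "
            "DH_GROUP_1024_MODP/Group 2")

DH_RE = re.compile(r"DH_GROUP_\d+_MODP/Group (\d+)")
ENC_RE = re.compile(r"\b(?:AES-CBC-\d+|AES-GCM-\d+|3DES|DES)\b")

def parse_proposal(line):
    """Split a 'Proposal N: ...' debug line into the transform sets Cisco printed; PRF and
    integrity hashes share one set since the debug names them identically."""
    body = re.split(r"Proposal \d+:", line, maxsplit=1)[1]
    dh = {int(g) for g in DH_RE.findall(body)}      # 'Group 14' contains a space, so take it first
    body = DH_RE.sub("", body)
    enc = set(ENC_RE.findall(body))
    hashes = set(ENC_RE.sub("", body).split())
    return {"encryption": enc, "hash": hashes, "dh_group": dh}

def diff_proposals(received_line, expected_line):
    """Per transform type, the values the peer offered that the responder does not
    accept; an empty set means that transform type is not the problem."""
    got, want = parse_proposal(received_line), parse_proposal(expected_line)
    return {k: got[k] - want[k] for k in got}

def negotiable(received_line, expected_line):
    """True only if every transform type has at least one value in common."""
    got, want = parse_proposal(received_line), parse_proposal(expected_line)
    return all(got[k] & want[k] for k in got)

def explain(header, received_line, expected_line, cisco_config):
    """Hypothetical helper: list blocking transform types, and flag an IKEv2 request
    reaching a config with only IKEv1 ('crypto isakmp') policies (IKEv2 default policy answers)."""
    reasons = [f"{k}: peer offered {sorted(v)}, responder accepts none of them"
               for k, v in diff_proposals(received_line, expected_line).items() if v]
    if "IKEv2" in header and "crypto ikev2 " not in cisco_config:
        reasons.append("IKEv2 request but no 'crypto ikev2' lines in the config: "
                       "the IKEv2 default policy answered")
    return reasons

if __name__ == "__main__":
    CISCO_CFG = "crypto isakmp policy 1\n encr aes\n hash sha256\n group 14\n"  # excerpt from the post
    for reason in explain(HEADER, RECEIVED, EXPECTED, CISCO_CFG):
        print(reason)
```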