Anticisco http://anticisco.ru/forum/

IPSEC between Cisco 2911 and Huawei AR129. IKEv2-ERROR http://anticisco.ru/forum/viewtopic.php?f=2&t=10970
Author: MaxRAF [ 17 May 2019, 04:47 ]
Subject: IPSEC between Cisco 2911 and Huawei AR129. IKEv2-ERROR
Hello. I cannot get the tunnel to come up :( The task is to set up an IPSEC tunnel between a Huawei and a Cisco. I used this article https://forum.huawei.com/enterprise/en/ ... erface-to-the-Cisco-Router-Using-the-Host-Name/thread/389243-863, but the tunnel does not come up. The Huawei AR129 is behind NAT. The Cisco 2911 has a public IP.

Cisco 2911:
Code:
hub-cnt-01#sh run
Building configuration...

Current configuration : 4730 bytes
!
! Last configuration change at 16:26:11 GMT Thu May 16 2019 by admin
!
version 15.7
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname hub-cnt-01
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
aaa new-model
!
aaa authentication login default local
aaa authentication login local_access local
aaa authorization exec default local
!
aaa session-id common
clock timezone GMT 10 0
clock calendar-valid
!
ip domain name corp.viang.ru
ip host hub-cnt-01 172.16.100.3
ip cef
login block-for 60 attempts 3 within 30
login delay 5
no ipv6 cef
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
multilink bundle-name authenticated
!
password encryption aes
!
license udi pid CISCO2911/K9 sn FHK1452F1Q6
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 any
!
object-group network vpn_remote_subnets
 any
!
username admin secret 5
!
redundancy
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
!
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 6 1111111111111111111111111 hostname Huawei
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set p1 esp-aes esp-sha256-hmac
 mode tunnel
!
crypto dynamic-map p1 1
 set transform-set p1
 match address 102
!
crypto map p1 1 ipsec-isakmp dynamic p1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 31.xx.xx.xx 255.255.255.248
 duplex auto
 speed auto
 crypto map p1
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0/1/0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0/0/0
 no ip address
!
interface FastEthernet0/0/1
 no ip address
!
interface FastEthernet0/0/2
 no ip address
!
interface FastEthernet0/0/3
 no ip address
!
interface Vlan1
 ip address 172.16.100.3 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 31.xx.xxx.xx
ip ssh logging events
ip ssh version 2
!
ip access-list standard SNMP_ACCESS_RO
 permit 172.16.100.19
!
ip access-list extended ACCESS_SSH
 permit ip host 172.16.100.127 any log
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
!
ipv6 ioam timestamp
!
snmp-server community public RO SNMP_ACCESS_RO
access-list 102 permit ip 172.16.100.0 0.0.0.255 192.168.50.0 0.0.0.255
!
control-plane
!
vstack
!
line con 0
 logging synchronous
 login authentication local_access
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class ACCESS_SSH in
 privilege level 15
 logging synchronous
 login authentication local_access
 transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 91.206.16.3
ntp server 89.109.251.23
ntp server 88.212.196.95
!
end

hub-cnt-01#

HUAWEI AR129:
Code:
[Huawei]display cur
[V200R009C00SPC500]
#
 drop illegal-mac alarm
#
 l2tp enable
#
 ipv6
#
 ipsec authentication sha2 compatible enable
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
#
 ike local-name huawei
 ipsec invalid-spi-recovery enable
#
 dns resolve
 dns proxy enable
#
 dhcp enable
#
radius-server template default
#
pki realm default
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
acl name GigabitEthernet0/0/4 2999
 rule 5 permit
#
acl number 3000
 rule 5 permit ip source 192.168.50.0 0.0.0.255 destination 172.16.100.0 0.0.0.255
acl number 3001
 rule 5 deny ip source 192.168.50.0 0.0.0.255 destination 172.16.100.0 0.0.0.255
 rule 10 permit ip
#
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal default
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 1
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer peer1
 exchange-mode aggressive
 pre-shared-key cipher 111111111111111111111
 ike-proposal 1
 local-id-type fqdn
 remote-id hub-cnt-01
 remote-address 31.xx.xx.xx
#
ipsec policy policy1 10 isakmp
 security acl 3000
 ike-peer peer1
 proposal prop1
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher
 local-user admin privilege level 15
 local-user admin service-type ssh http
#
web set fast-configuration state disable
user-set Default
user-set VIP
#
firewall zone Local
#
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
interface Vlanif1
 ip address 192.168.50.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 172.16.100.11 192.168.50.1
#
interface Ethernet0/0/0
#
interface Virtual-Template1
 ppp chap user vpn
 ppp chap password cipher
 ppp pap local-user vpn password cipher
 ppp ipcp dns admit-any
 ppp ipcp dns request
 tcp adjust-mss 1200
 ip address ppp-negotiate
 l2tp-auto-client enable
 nat outbound 2999
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
 nat outbound 2999
 ipsec policy policy1
 ip address dhcp-alloc
#
interface GigabitEthernet0/0/5
 description VirtualPort
 ip address dhcp-alloc
#
interface Cellular0/0/0
#
interface NULL0
#
l2tp-group 2
 undo tunnel authentication
 start l2tp ip 82.xx.xx.xx fullusername vpn
#
snmp-agent local-engineid 800007DB038866394D3A5C
#
sftp server enable
stelnet server enable
#
set web login-style simple
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
#
ip route-static 172.16.100.0 255.255.255.255 Virtual-Template1
ip route-static 172.16.100.0 255.255.255.255 172.16.100.2
ip route-static 172.16.100.10 255.255.255.255 172.16.100.2
ip route-static 172.16.100.11 255.255.255.255 172.16.100.2
ip route-static 172.16.100.12 255.255.255.255 172.16.100.2
ip route-static 172.16.100.13 255.255.255.255 172.16.100.2
ip route-static 172.16.100.14 255.255.255.255 172.16.100.2
ip route-static 172.16.100.15 255.255.255.255 172.16.100.2
ip route-static 172.16.100.24 255.255.255.255 172.16.100.2
ip route-static 172.16.100.40 255.255.255.255 172.16.100.2
ip route-static 172.16.100.41 255.255.255.255 172.16.100.2
ip route-static 172.16.100.44 255.255.255.255 172.16.100.2
#
fib regularly-refresh disable
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0
 authentication-mode aaa
 user privilege level 15
user-interface vty 1 4
 authentication-mode aaa
#
wlan
 wmm-profile name wmmf id 0
 traffic-profile name traf id 0
 security-profile name secf id 0
 radio-profile name radiof id 0
  wmm-profile id 0
#
interface Wlan-Radio0/0/0
#
interface Wlan-Radio0/0/1
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
voice
 voip-address signalling interface Virtual-Template 1 dynamic
 voip-address media interface Virtual-Template 1 dynamic
#
sipag 1
 signalling-addr addr-name Virtual-Template1 5060
 media-addr addr-name Virtual-Template1
 primary-proxy-addr static 172.16.100.15 5060
#
sipaguser 1
 port 0/0/0
 base-telno 120
 agid 1
#
diagnose
#
ops
#
autostart
#
secelog
#
return
[Huawei]

On the Cisco it is empty:
hub-cnt-01#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

hub-cnt-01#

On the Huawei too.

I enabled debugging on the Cisco and here is the result:
.May 17 11:09:19: IKEv2:Received Packet [From 188.162.229.154:32774/To 31.200.236.206:500/VRF i0:f0]
Initiator SPI : 93505B913F7ED158 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Verify SA init message
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Insert SA
.May 17 11:09:19: IKEv2:Searching Policy with fvrf 0, local address 31.200.236.206
.May 17 11:09:19: IKEv2:Using the Default Policy for Proposal
.May 17 11:09:19: IKEv2:Found Policy 'default'
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Processing IKE_SA_INIT message
.May 17 11:09:19: IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Received Policies: : Failed to find a matching policy
Proposal 1: AES-CBC-128 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
.May 17 11:09:19:
.May 17 11:09:19:
.May 17 11:09:19: IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Expected Policies: : Failed to find a matching policy
Proposal 1: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA512 SHA384 SHA256 SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
.May 17 11:09:19:
.May 17 11:09:19:
.May 17 11:09:19: IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):: Failed to find a matching policy
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Sending no proposal chosen notify
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Sending Packet [To 188.162.229.154:32774/From 31.200.236.206:500/VRF i0:f0]
Initiator SPI : 93505B913F7ED158 - Responder SPI : 2BDA4287F67C5DB9 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 NOTIFY(NO_PROPOSAL_CHOSEN)
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Failed SA init exchange
.May 17 11:09:19: IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Initial exchange failed: Initial exchange failed
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Abort exchange
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Deleting SA

As I understand it, the IKE policy does not match. But I cannot understand why. Both the Huawei and the Cisco have the same proposal.
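The debug above shows what actually mismatched: the Huawei initiated IKEv2, and since the Cisco only has an IKEv1 `crypto isakmp policy`, it answered from its built-in IKEv2 `default` policy, whose DH groups (5 and 2) do not include the group 14 the Huawei offered. The script below is an added example, not from the post or either vendor: it parses the two IKEv2-ERROR lines (constructed here from the debug, timestamps dropped) and reports per transform category which values both sides share, so the failing category is visible without reading the lists by eye.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the "Received"/"Expected Policies" IKEv2-ERROR lines from the
# Cisco debug in the post above, timestamp removed, kept as one line each.
DEBUG_LINES = [
    "IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Received Policies: : Failed to find a "
    "matching policyProposal 1: AES-CBC-128 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14",
    "IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Expected Policies: : Failed to find a "
    "matching policyProposal 1: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA512 SHA384 SHA256 "
    "SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5 "
    "DH_GROUP_1024_MODP/Group 2",
]

# "DH_GROUP_2048_MODP/Group 14" contains a space, so match it before the generic \S+.
TOKEN_RE = re.compile(r"DH_GROUP_\w+/Group \d+|\S+")


def parse_proposal(line: str) -> Dict[str, Set[str]]:
    """Split one 'Proposal 1:' transform list into encryption, hash and DH-group sets.

    Cisco prints the PRF and integrity names as one flat run (SHA256 SHA256 ...), so
    both land in a single 'hash' bucket; an SA needs a shared value in every bucket.
    """
    body = line.split("Proposal 1:", 1)[1]
    cats: Dict[str, Set[str]] = {"encryption": set(), "hash": set(), "dh": set()}
    for tok in TOKEN_RE.findall(body):
        if tok.startswith("DH_GROUP_"):
            cats["dh"].add(tok.split("/", 1)[1])      # e.g. "Group 14"
        elif tok.startswith(("AES-", "3DES", "DES")):
            cats["encryption"].add(tok)
        else:
            cats["hash"].add(tok)
    return cats


def find_mismatch(lines: List[str]) -> Dict[str, Set[str]]:
    """Per category, the transforms the initiator offered that the responder's policy
    also lists; an empty set marks the category that broke IKE_SA_INIT."""
    received = next(parse_proposal(l) for l in lines if "Received Policies" in l)
    expected = next(parse_proposal(l) for l in lines if "Expected Policies" in l)
    return {cat: received[cat] & expected[cat] for cat in received}


def failing_categories(lines: List[str]) -> List[str]:
    """Names of the categories with no overlap; for this debug that is ['dh']."""
    return sorted(cat for cat, common in find_mismatch(lines).items() if not common)
```

Running `failing_categories(DEBUG_LINES)` on this debug returns only `dh`, matching the responder's reply of NO_PROPOSAL_CHOSEN despite AES-CBC-128 and SHA256 being common to both sides.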
Author: Lomax [ 19 May 2019, 12:59 ]
Subject: Re: IPSEC between Cisco 2911 and Huawei AR129. IKEv2-ERROR
Somewhere on the Huawei you forgot to tell it that IKEv1 must be used.
Time zone: UTC + 3 hours