Hi.
I have a task (more precisely, one I set myself): connecting Android or iPhone clients to an 891, i.e. setting up a VPN server with encryption. I have tried various "working" configurations found on the internet; it does not connect. I asked two friends who are "Cisco guys" for help; they could not solve the problem either. The current config is attached below, the debug too. I don't know what the error is; as I understand it, phase 1 does not complete. I am connecting from my Android phone. Maybe:
1) someone can tell me what the error is?
2) post their own working config?
3) for a symbolic amount of "beer money", help solve the problem remotely?
Code:
Current configuration : 8534 bytes
!
! Last configuration change at 11:02:55 EKT Tue Dec 24 2019 by halt
! NVRAM config last updated at 11:01:26 EKT Tue Dec 24 2019 by halt
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname halt
!
boot-start-marker
boot system flash:c890-universalk9-mz.154-3.M8.bin
boot-end-marker
!
!
logging buffered 51200
no logging rate-limit
enable secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_list local
!
!
!
!
!
aaa session-id common
clock timezone EKT 5 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool MYDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 213.234.192.8 85.21.192.3
!
!
!
ip domain name beeline.ru
ip name-server 213.234.192.8
ip name-server 85.21.192.3
ip multicast-routing
ip inspect WAAS flush-timeout 10
ip inspect name INSPECT ftp
ip inspect name INSPECT h323
ip inspect name INSPECT icmp
ip inspect name INSPECT netshow
ip inspect name INSPECT rcmd
ip inspect name INSPECT realaudio
ip inspect name INSPECT rtsp
ip inspect name INSPECT streamworks
ip inspect name INSPECT tftp
ip inspect name INSPECT udp
ip inspect name INSPECT pptp
ip inspect name INSPECT dns
ip inspect name INSPECT tcp
ip ddns update method DynDNS
HTTP
add http://XXXXXXXXX@mail.ru:XXXXXXXXX@dynupdate.no-ip.com/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 0 0 5 0
!
ip cef
no ipv6 cef
l2tp-class beeline-l2tp-class
!
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
request-dialin
protocol pptp
rotary-group 0
initiate-to ip 46.146.247.7
!
!
!
!
!
!
cts logging verbose
license udi pid CISCO891-K9 sn FCZ171090L2
license accept end user agreement
!
!
username halt privilege 15 secret 4 XXXXXXXXXXXXXXXXXXXXXXXX
username cisco password 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
username vpn privilege 0 password 0 XXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
notification-timer 60000
!
!
!
!
!
pseudowire-class beeline-pseudowire-class
encapsulation l2tpv2
protocol l2tpv2 beeline-l2tp-class
ip local interface Vlan10
!
!
!
crypto isakmp policy 3
encr aes 256
hash sha256
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 14
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 14
!
crypto isakmp policy 30
encr 3des
authentication pre-share
group 14
!
crypto isakmp policy 40
authentication pre-share
group 14
crypto isakmp key XXXXXXXXXXXXXXXX address 0.0.0.0
!
crypto isakmp client configuration group local_list
key XXXXXXXXXXXXXXXX
pool Remote-Pool
acl 110
save-password
netmask 255.255.255.0
!
!
crypto ipsec transform-set VTI-TS ah-sha-hmac esp-3des
mode tunnel
crypto ipsec transform-set VTI-TS1 ah-sha-hmac esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set VTI-TS2 ah-sha256-hmac esp-aes
mode tunnel
!
!
crypto ipsec profile test-vti1
set transform-set VTI-TS VTI-TS1 VTI-TS2
!
!
crypto dynamic-map dynmap 10
set transform-set VTI-TS VTI-TS1 VTI-TS2
reverse-route
!
!
crypto map clientmap local-address Virtual-PPP1
crypto map clientmap client authentication list local_list
crypto map clientmap isakmp authorization list local_list
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
ip address 172.16.23.1 255.255.255.0
!
interface FastEthernet0
description TV
switchport access vlan 10
no ip address
!
interface FastEthernet1
description Link2-PC
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
description WiFi-ASUS
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
description Synology
no ip address
!
interface FastEthernet7
description WAN
switchport access vlan 10
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-PPP1
ip ddns update hostname XXXXXXXXXXXXXXXXXXXXXXXXX
ip ddns update DynDNS
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1400
no peer neighbor-route
ppp chap hostname XXXXXXXXXXXXXXX
ppp chap password 0 XXXXXXXXXXXXX
no cdp enable
pseudowire 89.179.75.139 10 encapsulation l2tpv2 pw-class beeline-pseudowire-class
crypto map clientmap
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
ip igmp helper-address 10.189.84.121
ip igmp join-group 224.0.1.40
ip igmp mroute-proxy Vlan10
!
interface Vlan10
ip address dhcp
ip pim dense-mode
!
interface Vlan100
ip address 192.168.0.10 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer0
ip address 10.0.1.211 255.255.255.0
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 1
no peer neighbor-route
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp chap hostname XXXXXXXXXXXXXX
ppp chap password 0 XXXXXXXXXXXXXX
no cdp enable
!
ip local pool Remote-Pool 192.168.2.30 192.168.2.40
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static tcp 192.168.1.100 22 interface Virtual-PPP1 45002
ip nat inside source static tcp 192.168.1.100 5060 interface Virtual-PPP1 5060
ip nat inside source static udp 192.168.1.100 5060 interface Virtual-PPP1 5060
ip nat inside source static tcp 192.168.1.2 21 interface Virtual-PPP1 45003
ip nat inside source static tcp 192.168.1.20 3389 interface Virtual-PPP1 45001
ip nat inside source static tcp 192.168.1.50 3389 interface Virtual-PPP1 45004
ip nat inside source route-map NAT_TO_Dialler interface Dialer0 overload
ip nat inside source route-map NAT_TO_ISP interface Virtual-PPP1 overload
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 192.168.88.0 255.255.255.0 172.16.1.1
ip route 89.179.75.139 255.255.255.255 dhcp
ip route 89.179.75.138 255.255.255.255 dhcp
ip route 85.21.31.39 255.255.255.255 dhcp
ip route 78.107.196.21 255.255.255.255 dhcp
ip route 78.107.196.10 255.255.255.255 dhcp
ip route 78.107.196.14 255.255.255.255 dhcp
ip route 85.21.0.1 255.255.255.255 dhcp
!
ip access-list standard Internet-In
deny 192.168.1.0 0.0.0.255
permit any
!
ip access-list extended OUTSIDE-IN
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
permit icmp any any
permit tcp any any eq 22 telnet
permit gre any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
ip access-list extended TO_Dialler
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
permit icmp 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended TO_ISP
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny icmp 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vlan1-in
deny ip host 192.168.1.20 host 10.0.1.210
permit ip any any
!
dialer-list 1 protocol ip permit
!
route-map NAT_TO_ISP permit 10
match ip address TO_ISP
match interface Virtual-PPP1
!
route-map NAT_TO_Dialler permit 10
match ip address TO_Dialler
!
!
access-list 100 permit ip any host 10.0.1.210
access-list 100 permit ip host 10.0.1.210 any
access-list 101 permit ip host 192.168.1.1 host 10.0.1.210
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
vstack
alias exec sa sh ip access-list
alias exec sir sh ip ro
alias exec tn term no mon
!
line con 0
line 1
modem InOut
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
logging synchronous
transport input ssh
!
ntp server ntp1.stratum2.ru
!
end
Connection type in the Android client: IPSec Xauth PSK
DEBUG
Code:
Dec 25 03:48:41.523: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (N) NEW SA
Dec 25 03:48:41.523: ISAKMP: Created a peer struct for 89.30.112.34, peer port 500
Dec 25 03:48:41.523: ISAKMP: New peer created peer = 0x8F7F5E18 peer_handle = 0x8000001E
Dec 25 03:48:41.523: ISAKMP: Locking peer struct 0x8F7F5E18, refcount 1 for crypto_isakmp_process_block
Dec 25 03:48:41.523: ISAKMP:(0):Setting client config settings 8F72E75C
Dec 25 03:48:41.523: ISAKMP:(0):(Re)Setting client xauth list and state
Dec 25 03:48:41.523: ISAKMP/xauth: initializing AAA request
Dec 25 03:48:41.523: ISAKMP: local port 500, remote port 500
Dec 25 03:48:41.523: ISAKMP:(0):insert sa successfully sa = 90205E80
Dec 25 03:48:41.523: ISAKMP:(0): processing SA payload. message ID = 0
Dec 25 03:48:41.523: ISAKMP:(0): processing ID payload. message ID = 0
Dec 25 03:48:41.523: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : local_list1
protocol : 0
port : 0
length : 19
Dec 25 03:48:41.523: ISAKMP:(0):: peer matches *none* of the profiles
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): processing IKE frag vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Dec 25 03:48:41.523: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID is NAT-T v2
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID is XAUTH
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID is Unity
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID is DPD
Dec 25 03:48:41.523: ISAKMP:(0): Authentication by xauth preshared
Dec 25 03:48:41.523: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
Dec 25 03:48:41.523: ISAKMP: life type in seconds
Dec 25 03:48:41.523: ISAKMP: life duration (basic) of 28800
Dec 25 03:48:41.523: ISAKMP: encryption AES-CBC
Dec 25 03:48:41.523: ISAKMP: keylength of 256
Dec 25 03:48:41.523: ISAKMP: auth XAUTHInitPreShared
Dec 25 03:48:41.523: ISAKMP: hash SHA384
Dec 25 03:48:41.523: ISAKMP: default group 2
Dec 25 03:48:41.523: ISAKMP:(0):Hash algorithm offered does not match policy!
Dec 25 03:48:41.523: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 25 03:48:41.523: ISAKMP:(0):Checking ISAKMP transform 2 against priority 3 policy
Dec 25 03:48:41.523: ISAKMP: life type in seconds
Dec 25 03:48:41.523: ISAKMP: life duration (basic) of 28800
Dec 25 03:48:41.523: ISAKMP: encryption AES-CBC
Dec 25 03:48:41.523: ISAKMP: keylength of 256
Dec 25 03:48:41.523: ISAKMP: auth XAUTHInitPreShared
Dec 25 03:48:41.523: ISAKMP: hash SHA256
Dec 25 03:48:41.523: ISAKMP: default group 2
Dec 25 03:48:41.523: ISAKMP:(0):atts are acceptable. Next payload is 3
Dec 25 03:48:41.523: ISAKMP:(0):Acceptable atts:actual life: 86400
Dec 25 03:48:41.523: ISAKMP:(0):Acceptable atts:life: 0
Dec 25 03:48:41.523: ISAKMP:(0):Basic life_in_seconds:28800
Dec 25 03:48:41.523: ISAKMP:(0):Returning Actual lifetime: 28800
Dec 25 03:48:41.523: ISAKMP:(0)::Started lifetime timer: 28800.
Dec 25 03:48:41.523: ISAKMP:(0): processing KE payload. message ID = 0
Dec 25 03:48:41.543: ISAKMP:(0): processing NONCE payload. message ID = 0
Dec 25 03:48:41.543: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 25 03:48:41.547: ISAKMP:(0): vendor ID is NAT-T v2
Dec 25 03:48:41.547: ISAKMP:(0):peer does not do paranoid keepalives.
Dec 25 03:48:41.547: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 89.30.112.34)
Dec 25 03:48:41.547: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
Dec 25 03:48:41.547: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Dec 25 03:48:41.547: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
Dec 25 03:48:41.547: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 89.30.112.34
halt#
Dec 25 03:48:41.547: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 89.30.112.34)
Dec 25 03:48:41.547: ISAKMP: Unlocking peer struct 0x8F7F5E18 for isadb_mark_sa_deleted(), count 0
Dec 25 03:48:41.547: ISAKMP: Deleting peer node by peer_reap for 89.30.112.34: 8F7F5E18
Dec 25 03:48:41.547: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Dec 25 03:48:41.547: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
Dec 25 03:48:41.547: IPSEC(key_engine): got a queue event with 1 KMI message(s)
halt#
Dec 25 03:48:44.539: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (R) MM_NO_STATE
halt#
Dec 25 03:48:47.531: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (R) MM_NO_STATE
halt#
Dec 25 03:48:50.539: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (R) MM_NO_STATE
halt#
Dec 25 03:48:53.551: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (R) MM_NO_STATE
halt#
Dec 25 03:49:41.550: ISAKMP:(0):purging SA., sa=90205E80, delme=90205E80
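Two things in the debug above are worth checking mechanically rather than by eye. The ID payload the phone sends in aggressive mode is type 11 (ID_KEY_ID) with value `local_list1`, while the only `crypto isakmp client configuration group` in the config is `local_list`; for an IKEv1 Xauth/PSK client that name is how IOS selects the group (and its `key`), so a name that matches nothing is the first discrepancy to resolve. Separately, the client's first transform (SHA384) is rejected and only its second one (AES-256/SHA256/group 2) satisfies a policy, which is policy 3; policies 10 through 40 with MD5, DES/3DES defaults and the wildcard `address 0.0.0.0` key never come into play for this client and are worth removing once it works, along with `no service password-encryption` and the `password 0` users. The script below is an added example in Python, not code from the post or from Cisco: it parses constructed excerpts of the posted config and debug (the `CONFIG` and `DEBUG` strings, trimmed to policies 3 and 10 and the relevant debug lines), normalises the debug's attribute names to the config's spelling, and reports the mismatches. Function names and the `WEAK` list are this example's own choices.

```python
"""Cross-check `debug crypto isakmp` output against an IOS config. Added example, not
code from the post; CONFIG and DEBUG are constructed excerpts of what was posted."""
import re
CONFIG = """\
crypto isakmp policy 3
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 14
crypto isakmp key XXXXXXXXXXXXXXXX address 0.0.0.0
crypto isakmp client configuration group local_list
 key XXXXXXXXXXXXXXXX
 pool Remote-Pool
"""
DEBUG = """\
Dec 25 03:48:41.523: ISAKMP (0): ID payload
        group id     : local_list1
Dec 25 03:48:41.523: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
Dec 25 03:48:41.523: ISAKMP:      encryption AES-CBC
Dec 25 03:48:41.523: ISAKMP:      keylength of 256
Dec 25 03:48:41.523: ISAKMP:      auth XAUTHInitPreShared
Dec 25 03:48:41.523: ISAKMP:      hash SHA384
Dec 25 03:48:41.523: ISAKMP:      default group 2
Dec 25 03:48:41.523: ISAKMP:(0):Checking ISAKMP transform 2 against priority 3 policy
Dec 25 03:48:41.523: ISAKMP:      encryption AES-CBC
Dec 25 03:48:41.523: ISAKMP:      keylength of 256
Dec 25 03:48:41.523: ISAKMP:      auth XAUTHInitPreShared
Dec 25 03:48:41.523: ISAKMP:      hash SHA256
Dec 25 03:48:41.523: ISAKMP:      default group 2
"""
# Values IOS assumes when a `crypto isakmp policy` block leaves an attribute unset.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}
# MD5, single/triple DES and MODP groups of 1536 bits or less should not be on offer.
WEAK = {"hash": {"md5"}, "encr": {"des", "3des"}, "group": {"1", "2", "5"}}
ATTR = re.compile(r"ISAKMP:\s+(encryption|keylength of|hash|default group|auth)\s+(\S+)")

def parse_config(config):
    """Return isakmp policies (defaults filled in), client group names and wildcard-PSK flag."""
    policies, groups, wildcard, cur = {}, set(), False, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            cur = policies[int(m.group(1))] = dict(POLICY_DEFAULTS)
        elif m := re.match(r"crypto isakmp client configuration group (\S+)$", line):
            groups.add(m.group(1)); cur = None
        elif re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0", line):
            wildcard, cur = True, None
        elif not line or line.startswith(("!", "crypto ")):
            cur = None
        elif cur is not None:
            key, _, value = line.partition(" ")
            if key in POLICY_DEFAULTS:
                cur[key] = "aes 128" if value == "aes" else value  # bare `encr aes` = AES-128
    return {"policies": policies, "groups": groups, "wildcard_psk": wildcard}

def parse_debug(debug):
    """Return the group name from the peer's ID payload (type 11) and each offered transform."""
    peer_id, transforms, idx = None, {}, None
    for line in debug.splitlines():
        if m := re.search(r"group id\s*:\s*(\S+)", line):
            peer_id = m.group(1)
        elif m := re.search(r"Checking ISAKMP transform (\d+) against", line):
            idx = int(m.group(1)); transforms.setdefault(idx, {})
        elif (m := ATTR.search(line)) and idx is not None:
            transforms[idx][m.group(1)] = m.group(2)
    return {"peer_id": peer_id, "transforms": transforms}

def normalize(t):
    """Spell a debug transform the way `crypto isakmp policy` spells its attributes."""
    enc = t.get("encryption", "")
    encr = (f"aes {t.get('keylength of', '128')}" if enc.startswith("AES")
            else "3des" if enc.startswith("3DES") else enc.split("-")[0].lower())
    auth = "pre-share" if "PreShared" in t.get("auth", "") else t.get("auth", "").lower()
    return {"encr": encr, "hash": t.get("hash", "").lower(),
            "group": t.get("default group", ""), "authentication": auth}

def match_transforms(policies, transforms):
    """Map each offered transform to the lowest-numbered policy it satisfies, or None."""
    return {i: next((p for p in sorted(policies)
                     if all(policies[p][k] == v for k, v in normalize(t).items())), None)
            for i, t in sorted(transforms.items())}

def diagnose(config, debug):
    """Findings in the order a practitioner would act on them."""
    cfg, dbg = parse_config(config), parse_debug(debug)
    found = []
    if dbg["peer_id"] not in cfg["groups"]:  # IOS picks the group (and its key) by this name
        found.append(f"client sent group name '{dbg['peer_id']}', router only has {sorted(cfg['groups'])}")
    if not any(match_transforms(cfg["policies"], dbg["transforms"]).values()):
        found.append("no offered phase-1 transform matches any isakmp policy")
    for p, a in sorted(cfg["policies"].items()):
        if weak := [f"{k} {a[k]}" for k in ("encr", "hash", "group") if a[k] in WEAK[k]]:
            found.append(f"policy {p} uses weak attributes: {', '.join(weak)}")
    if cfg["wildcard_psk"]:
        found.append("wildcard PSK 'address 0.0.0.0' lets any source attempt phase 1")
    return found
```

To use it on a live box, replace `CONFIG` with the output of `show running-config | section crypto isakmp` and `DEBUG` with a capture of `debug crypto isakmp`, then call `diagnose(CONFIG, DEBUG)`. Group 2 is flagged as weak even though it is the only group this client offers; that is the trade-off of the legacy IKEv1 Xauth/PSK client rather than something the router can fix on its own.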