Сообщения без ответов | Активные темы Текущее время: 28 мар 2024, 17:41



Ответить на тему  [ Сообщений: 4 ] 
VPN с android или iphone 
Автор Сообщение

Зарегистрирован: 09 мар 2018, 16:19
Сообщения: 47
Привет.

Стоит задача (точнее я ее сам себе поставил) подключения с android или iphone клиентов к 891, в общем организация VPN сервера c шифрованием. Перепробовал различные "рабочие" конфигурации найденные на просторах интернета - не подключается. Просил помощи у двух знакомых "цискарей", тоже не смогли решить проблему. Текущий конфиг прикладываю ниже, дебаг тоже. В чем ошибка - не знаю, я так понимаю не идет первая фаза, подключаюсь со своего телефона на android. Может быть:
1) кто-нибудь скажет в чем ошибка?
2) выложит свой рабочий конфиг?
3) за символические деньги на "пиво" удаленно поможет решить проблему?


Код:
Current configuration : 8534 bytes
!
! Last configuration change at 11:02:55 EKT Tue Dec 24 2019 by halt
! NVRAM config last updated at 11:01:26 EKT Tue Dec 24 2019 by halt
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname halt
!
boot-start-marker
boot system flash:c890-universalk9-mz.154-3.M8.bin
boot-end-marker
!
!
logging buffered 51200
no logging rate-limit
enable secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_list local
!
!
!
!
!
aaa session-id common
clock timezone EKT 5 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool MYDHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 213.234.192.8 85.21.192.3
!
!
!
ip domain name beeline.ru
ip name-server 213.234.192.8
ip name-server 85.21.192.3
ip multicast-routing
ip inspect WAAS flush-timeout 10
ip inspect name INSPECT ftp
ip inspect name INSPECT h323
ip inspect name INSPECT icmp
ip inspect name INSPECT netshow
ip inspect name INSPECT rcmd
ip inspect name INSPECT realaudio
ip inspect name INSPECT rtsp
ip inspect name INSPECT streamworks
ip inspect name INSPECT tftp
ip inspect name INSPECT udp
ip inspect name INSPECT pptp
ip inspect name INSPECT dns
ip inspect name INSPECT tcp
ip ddns update method DynDNS
 HTTP
  add http://XXXXXXXXX@mail.ru:XXXXXXXXX@dynupdate.no-ip.com/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
!
ip cef
no ipv6 cef
l2tp-class beeline-l2tp-class
!
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pptp
  rotary-group 0
 initiate-to ip 46.146.247.7
!
!
!
!
!
!
cts logging verbose
license udi pid CISCO891-K9 sn FCZ171090L2
license accept end user agreement
!
!
username halt privilege 15 secret 4 XXXXXXXXXXXXXXXXXXXXXXXX
username cisco password 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
username vpn privilege 0 password 0 XXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
 notification-timer 60000
!
!
!
!
!
pseudowire-class beeline-pseudowire-class
 encapsulation l2tpv2
 protocol l2tpv2 beeline-l2tp-class
 ip local interface Vlan10
!
!
!
crypto isakmp policy 3
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 14
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 14
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 14
!
crypto isakmp policy 40
 authentication pre-share
 group 14
crypto isakmp key XXXXXXXXXXXXXXXX address 0.0.0.0
!
crypto isakmp client configuration group local_list
 key XXXXXXXXXXXXXXXX
 pool Remote-Pool
 acl 110
 save-password
 netmask 255.255.255.0
!
!
crypto ipsec transform-set VTI-TS ah-sha-hmac esp-3des
 mode tunnel
crypto ipsec transform-set VTI-TS1 ah-sha-hmac esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set VTI-TS2 ah-sha256-hmac esp-aes
 mode tunnel
!
!
crypto ipsec profile test-vti1
 set transform-set VTI-TS VTI-TS1 VTI-TS2
!
!
crypto dynamic-map dynmap 10
 set transform-set VTI-TS VTI-TS1 VTI-TS2
 reverse-route
!
!
crypto map clientmap local-address Virtual-PPP1
crypto map clientmap client authentication list local_list
crypto map clientmap isakmp authorization list local_list
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
 ip address 172.16.23.1 255.255.255.0
!
interface FastEthernet0
 description TV
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 description Link2-PC
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 description WiFi-ASUS
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 description Synology
 no ip address
!
interface FastEthernet7
 description WAN
 switchport access vlan 10
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-PPP1
 ip ddns update hostname XXXXXXXXXXXXXXXXXXXXXXXXX
 ip ddns update DynDNS
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 no peer neighbor-route
 ppp chap hostname XXXXXXXXXXXXXXX
 ppp chap password 0 XXXXXXXXXXXXX
 no cdp enable
 pseudowire 89.179.75.139 10 encapsulation l2tpv2 pw-class beeline-pseudowire-class
 crypto map clientmap
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip igmp helper-address 10.189.84.121
 ip igmp join-group 224.0.1.40
 ip igmp mroute-proxy Vlan10
!
interface Vlan10
 ip address dhcp
 ip pim dense-mode
!
interface Vlan100
 ip address 192.168.0.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
!
interface Dialer0
 ip address 10.0.1.211 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string 123
 dialer vpdn
 dialer-group 1
 no peer neighbor-route
 ppp pfc local request
 ppp pfc remote apply
 ppp encrypt mppe auto
 ppp chap hostname XXXXXXXXXXXXXX
 ppp chap password 0 XXXXXXXXXXXXXX
 no cdp enable
!
ip local pool Remote-Pool 192.168.2.30 192.168.2.40
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static tcp 192.168.1.100 22 interface Virtual-PPP1 45002
ip nat inside source static tcp 192.168.1.100 5060 interface Virtual-PPP1 5060
ip nat inside source static udp 192.168.1.100 5060 interface Virtual-PPP1 5060
ip nat inside source static tcp 192.168.1.2 21 interface Virtual-PPP1 45003
ip nat inside source static tcp 192.168.1.20 3389 interface Virtual-PPP1 45001
ip nat inside source static tcp 192.168.1.50 3389 interface Virtual-PPP1 45004
ip nat inside source route-map NAT_TO_Dialler interface Dialer0 overload
ip nat inside source route-map NAT_TO_ISP interface Virtual-PPP1 overload
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 192.168.88.0 255.255.255.0 172.16.1.1
ip route 89.179.75.139 255.255.255.255 dhcp
ip route 89.179.75.138 255.255.255.255 dhcp
ip route 85.21.31.39 255.255.255.255 dhcp
ip route 78.107.196.21 255.255.255.255 dhcp
ip route 78.107.196.10 255.255.255.255 dhcp
ip route 78.107.196.14 255.255.255.255 dhcp
ip route 85.21.0.1 255.255.255.255 dhcp
!
ip access-list standard Internet-In
 deny   192.168.1.0 0.0.0.255
 permit any
!
ip access-list extended OUTSIDE-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit icmp any any
 permit tcp any any eq 22 telnet
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended TO_Dialler
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit icmp 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended TO_ISP
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   icmp 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vlan1-in
 deny   ip host 192.168.1.20 host 10.0.1.210
 permit ip any any
!
dialer-list 1 protocol ip permit
!
route-map NAT_TO_ISP permit 10
 match ip address TO_ISP
 match interface Virtual-PPP1
!
route-map NAT_TO_Dialler permit 10
 match ip address TO_Dialler
!
!
access-list 100 permit ip any host 10.0.1.210
access-list 100 permit ip host 10.0.1.210 any
access-list 101 permit ip host 192.168.1.1 host 10.0.1.210
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
 vstack
alias exec sa sh ip access-list
alias exec sir sh ip ro
alias exec tn term no mon
!
line con 0
line 1
 modem InOut
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 logging synchronous
 transport input ssh
!
ntp server ntp1.stratum2.ru
!
end


Тип подключения в android клиенте - IPSEC Xauth PSK
DEBUG

Код:
Dec 25 03:48:41.523: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (N) NEW SA
Dec 25 03:48:41.523: ISAKMP: Created a peer struct for 89.30.112.34, peer port 500
Dec 25 03:48:41.523: ISAKMP: New peer created peer = 0x8F7F5E18 peer_handle = 0x8000001E
Dec 25 03:48:41.523: ISAKMP: Locking peer struct 0x8F7F5E18, refcount 1 for crypto_isakmp_process_block
Dec 25 03:48:41.523: ISAKMP:(0):Setting client config settings 8F72E75C
Dec 25 03:48:41.523: ISAKMP:(0):(Re)Setting client xauth list  and state
Dec 25 03:48:41.523: ISAKMP/xauth: initializing AAA request
Dec 25 03:48:41.523: ISAKMP: local port 500, remote port 500
Dec 25 03:48:41.523: ISAKMP:(0):insert sa successfully sa = 90205E80
Dec 25 03:48:41.523: ISAKMP:(0): processing SA payload. message ID = 0
Dec 25 03:48:41.523: ISAKMP:(0): processing ID payload. message ID = 0
Dec 25 03:48:41.523: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : local_list1
        protocol     : 0
        port         : 0
        length       : 19
Dec 25 03:48:41.523: ISAKMP:(0):: peer matches *none* of the profiles
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): processing IKE frag vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Dec 25 03:48:41.523: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID is NAT-T v2
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID is XAUTH
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID is Unity
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID is DPD
Dec 25 03:48:41.523: ISAKMP:(0): Authentication by xauth preshared
Dec 25 03:48:41.523: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
Dec 25 03:48:41.523: ISAKMP:      life type in seconds
Dec 25 03:48:41.523: ISAKMP:      life duration (basic) of 28800
Dec 25 03:48:41.523: ISAKMP:      encryption AES-CBC
Dec 25 03:48:41.523: ISAKMP:      keylength of 256
Dec 25 03:48:41.523: ISAKMP:      auth XAUTHInitPreShared
Dec 25 03:48:41.523: ISAKMP:      hash SHA384
Dec 25 03:48:41.523: ISAKMP:      default group 2
Dec 25 03:48:41.523: ISAKMP:(0):Hash algorithm offered does not match policy!
Dec 25 03:48:41.523: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 25 03:48:41.523: ISAKMP:(0):Checking ISAKMP transform 2 against priority 3 policy
Dec 25 03:48:41.523: ISAKMP:      life type in seconds
Dec 25 03:48:41.523: ISAKMP:      life duration (basic) of 28800
Dec 25 03:48:41.523: ISAKMP:      encryption AES-CBC
Dec 25 03:48:41.523: ISAKMP:      keylength of 256
Dec 25 03:48:41.523: ISAKMP:      auth XAUTHInitPreShared
Dec 25 03:48:41.523: ISAKMP:      hash SHA256
Dec 25 03:48:41.523: ISAKMP:      default group 2
Dec 25 03:48:41.523: ISAKMP:(0):atts are acceptable. Next payload is 3
Dec 25 03:48:41.523: ISAKMP:(0):Acceptable atts:actual life: 86400
Dec 25 03:48:41.523: ISAKMP:(0):Acceptable atts:life: 0
Dec 25 03:48:41.523: ISAKMP:(0):Basic life_in_seconds:28800
Dec 25 03:48:41.523: ISAKMP:(0):Returning Actual lifetime: 28800
Dec 25 03:48:41.523: ISAKMP:(0)::Started lifetime timer: 28800.

Dec 25 03:48:41.523: ISAKMP:(0): processing KE payload. message ID = 0
Dec 25 03:48:41.543: ISAKMP:(0): processing NONCE payload. message ID = 0
Dec 25 03:48:41.543: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 25 03:48:41.547: ISAKMP:(0): vendor ID is NAT-T v2
Dec 25 03:48:41.547: ISAKMP:(0):peer does not do paranoid keepalives.

Dec 25 03:48:41.547: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 89.30.112.34)
Dec 25 03:48:41.547: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
Dec 25 03:48:41.547: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Dec 25 03:48:41.547: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY

Dec 25 03:48:41.547: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 89.30.112.34
halt#
Dec 25 03:48:41.547: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 89.30.112.34)
Dec 25 03:48:41.547: ISAKMP: Unlocking peer struct 0x8F7F5E18 for isadb_mark_sa_deleted(), count 0
Dec 25 03:48:41.547: ISAKMP: Deleting peer node by peer_reap for 89.30.112.34: 8F7F5E18
Dec 25 03:48:41.547: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Dec 25 03:48:41.547: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA

Dec 25 03:48:41.547: IPSEC(key_engine): got a queue event with 1 KMI message(s)
halt#
Dec 25 03:48:44.539: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (R) MM_NO_STATE
halt#
Dec 25 03:48:47.531: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (R) MM_NO_STATE
halt#
Dec 25 03:48:50.539: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (R) MM_NO_STATE
halt#
Dec 25 03:48:53.551: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (R) MM_NO_STATE
halt#
Dec 25 03:49:41.550: ISAKMP:(0):purging SA., sa=90205E80, delme=90205E80




25 дек 2019, 06:51
Профиль

Зарегистрирован: 18 июн 2015, 08:26
Сообщения: 155
Я не то чтобы гуру по цискам, сам здесь (и не только) частенько вопросы задаю, но - Вам, скорее всего, следует развернуть на маршрутизаторе Anyconnect. Т.е., настроить сервер, сертификаты, залить образы под нужные ОС на флеш. Мануалов по настройке этого добра на роутерах хватает, ну вот, например https://jakondo.ru/nastrojka-webvpn-any ... o-2911-k9/


25 дек 2019, 12:45
Профиль

Зарегистрирован: 07 сен 2014, 02:54
Сообщения: 548
Откуда: Msk
halt писал(а):
Стоит задача (точнее я ее сам себе поставил) подключения с android или iphone клиентов к 891

Вы хотите халявы или разобраться "как оно работает"?
Если второе, то для начала разберитесь, чем отличается aaa authentication от aaa authorization.

halt писал(а):
Перепробовал различные "рабочие" конфигурации найденные на просторах интернета - не подключается.

Она не хочет! :-)
Метод "мартышка и очки" очень редко с Cisco прокатывает.

А так, действительно, попробуйте лучше настроить AnyConnect или IKEv2, (сначала из Винды, это нагляднее).
По ним наверное проще найти "рабочие конфиги", и меньше букаф. :-)
А IPSec XAuth - это уже legacy, причем довольно сложное в настройке.

_________________
Knowledge is Power


26 дек 2019, 03:20
Профиль

Зарегистрирован: 09 мар 2018, 16:19
Сообщения: 47
Спасибо!
Запустил anyconnect, усё поднялось.


29 дек 2019, 15:34
Профиль
Показать сообщения за:  Поле сортировки  
Ответить на тему   [ Сообщений: 4 ] 

Кто сейчас на конференции

Сейчас этот форум просматривают: Google [Bot] и гости: 49


Вы не можете начинать темы
Вы не можете отвечать на сообщения
Вы не можете редактировать свои сообщения
Вы не можете удалять свои сообщения
Вы не можете добавлять вложения

Найти:
Перейти:  
Создано на основе phpBB® Forum Software © phpBB Group
Designed by ST Software for PTF.
Русская поддержка phpBB