IPSEC between Cisco 2911 and Huawei AR129. IKEv2-ERROR
Hello.

I can't get the tunnel to establish :(



The task is to set up an IPSEC tunnel between Huawei and Cisco. I followed this article here https://forum.huawei.com/enterprise/en/ ... erface-to- the-Cisco-Router-Using-the-Host-Name / thread / 389243-863, but the tunnel doesn't come up.



The Huawei AR129 is behind NAT. The Cisco 2911 has a public IP.





Cisco 2911:

Code:
hub-cnt-01#sh run
Building configuration...

Current configuration : 4730 bytes
!
! Last configuration change at 16:26:11 GMT Thu May 16 2019 by admin
!
version 15.7
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname hub-cnt-01
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_access local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 10 0
clock calendar-valid
!
!
!
!
ip domain name corp.viang.ru
ip host hub-cnt-01 172.16.100.3
ip cef
login block-for 60 attempts 3 within 30
login delay 5
no ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
multilink bundle-name authenticated
!
!
!
password encryption aes
!
!
license udi pid CISCO2911/K9 sn FHK1452F1Q6
!
!
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 any
!
object-group network vpn_remote_subnets
 any
!
username admin secret 5
!
redundancy
!
!
!
!
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
!
!
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 6 1111111111111111111111111 hostname Huawei
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set p1 esp-aes esp-sha256-hmac
 mode tunnel
!
!
!
crypto dynamic-map p1 1
 set transform-set p1
 match address 102
!
!
crypto map p1 1 ipsec-isakmp dynamic p1
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 31.xx.xx.xx 255.255.255.248
 duplex auto
 speed auto
 crypto map p1
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0/1/0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0/0/0
 no ip address
!
interface FastEthernet0/0/1
 no ip address
!
interface FastEthernet0/0/2
 no ip address
!
interface FastEthernet0/0/3
 no ip address
!
interface Vlan1
 ip address 172.16.100.3 255.255.255.0
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 31.xx.xxx.xx
ip ssh logging events
ip ssh version 2
!
ip access-list standard SNMP_ACCESS_RO
 permit 172.16.100.19
!
ip access-list extended ACCESS_SSH
 permit ip host 172.16.100.127 any log
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
!
ipv6 ioam timestamp
!
!
snmp-server community public RO SNMP_ACCESS_RO
access-list 102 permit ip 172.16.100.0 0.0.0.255 192.168.50.0 0.0.0.255
!
!
!
control-plane
!
!
 vstack
!
line con 0
 logging synchronous
 login authentication local_access
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class ACCESS_SSH in
 privilege level 15
 logging synchronous
 login authentication local_access
 transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 91.206.16.3
ntp server 89.109.251.23
ntp server 88.212.196.95
!
end

hub-cnt-01#






HUAWEI AR129:

Code:
[Huawei]display cur
[V200R009C00SPC500]
#
 drop illegal-mac alarm
#
 l2tp enable
#
ipv6
#
 ipsec authentication sha2 compatible enable
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
#
ike local-name huawei
ipsec invalid-spi-recovery enable
#
dns resolve
dns proxy enable
#
dhcp enable
#
radius-server template default
#
pki realm default
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
acl name GigabitEthernet0/0/4 2999
 rule 5 permit
#
acl number 3000
 rule 5 permit ip source 192.168.50.0 0.0.0.255 destination 172.16.100.0 0.0.0.255
acl number 3001
 rule 5 deny ip source 192.168.50.0 0.0.0.255 destination 172.16.100.0 0.0.0.255
 rule 10 permit ip
#
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal default
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 1
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer peer1
 exchange-mode aggressive
 pre-shared-key cipher 111111111111111111111
 ike-proposal 1
 local-id-type fqdn
 remote-id hub-cnt-01
 remote-address 31.xx.xx.xx
#
ipsec policy policy1 10 isakmp
 security acl 3000
 ike-peer peer1
 proposal prop1
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher
 local-user admin privilege level 15
 local-user admin service-type ssh http
#
web
 set fast-configuration state disable
 user-set Default
 user-set VIP
#
firewall zone Local
#
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
interface Vlanif1
 ip address 192.168.50.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 172.16.100.11 192.168.50.1
#
interface Ethernet0/0/0
#
interface Virtual-Template1
 ppp chap user vpn
 ppp chap password cipher
 ppp pap local-user vpn password cipher
 ppp ipcp dns admit-any
 ppp ipcp dns request
 tcp adjust-mss 1200
 ip address ppp-negotiate
 l2tp-auto-client enable
 nat outbound 2999
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
 nat outbound 2999
 ipsec policy policy1
 ip address dhcp-alloc
#
interface GigabitEthernet0/0/5
 description VirtualPort
 ip address dhcp-alloc
#
interface Cellular0/0/0
#
interface NULL0
#
l2tp-group 2
 undo tunnel authentication
 start l2tp ip 82.xx.xx.xx fullusername vpn
#
 snmp-agent local-engineid 800007DB038866394D3A5C
#
 sftp server enable
 stelnet server enable
#
 set web login-style simple
 http secure-server ssl-policy default_policy
 http server enable
 http secure-server enable
#
ip route-static 172.16.100.0 255.255.255.255 Virtual-Template1
ip route-static 172.16.100.0 255.255.255.255 172.16.100.2
ip route-static 172.16.100.10 255.255.255.255 172.16.100.2
ip route-static 172.16.100.11 255.255.255.255 172.16.100.2
ip route-static 172.16.100.12 255.255.255.255 172.16.100.2
ip route-static 172.16.100.13 255.255.255.255 172.16.100.2
ip route-static 172.16.100.14 255.255.255.255 172.16.100.2
ip route-static 172.16.100.15 255.255.255.255 172.16.100.2
ip route-static 172.16.100.24 255.255.255.255 172.16.100.2
ip route-static 172.16.100.40 255.255.255.255 172.16.100.2
ip route-static 172.16.100.41 255.255.255.255 172.16.100.2
ip route-static 172.16.100.44 255.255.255.255 172.16.100.2
#
fib regularly-refresh disable
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0
 authentication-mode aaa
 user privilege level 15
user-interface vty 1 4
 authentication-mode aaa
#
wlan
 wmm-profile name wmmf id 0
 traffic-profile name traf id 0
 security-profile name secf id 0
 radio-profile name radiof id 0
  wmm-profile id 0
#
interface Wlan-Radio0/0/0
#
interface Wlan-Radio0/0/1
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
voice
 voip-address signalling interface Virtual-Template 1 dynamic
 voip-address media interface Virtual-Template 1 dynamic
 #
 sipag 1
  signalling-addr addr-name Virtual-Template1 5060
  media-addr addr-name Virtual-Template1
  primary-proxy-addr static 172.16.100.15 5060
 #
 sipaguser 1 port 0/0/0
  base-telno 120
  agid 1
 #
 diagnose
#
ops
#
autostart
#
secelog
#
return
[Huawei]





On the Cisco it's empty:

hub-cnt-01#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

hub-cnt-01#



On the Huawei too.





I enabled debugging on the Cisco and here is the result:

.May 17 11:09:19: IKEv2:Received Packet [From 188.162.229.154:32774/To 31.200.236.206:500/VRF i0:f0]
Initiator SPI : 93505B913F7ED158 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID

.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Verify SA init message
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Insert SA
.May 17 11:09:19: IKEv2:Searching Policy with fvrf 0, local address 31.200.236.206
.May 17 11:09:19: IKEv2:Using the Default Policy for Proposal
.May 17 11:09:19: IKEv2:Found Policy 'default'
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Processing IKE_SA_INIT message
.May 17 11:09:19: IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Received Policies: : Failed to find a matching policyProposal 1: AES-CBC-128 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
.May 17 11:09:19:
.May 17 11:09:19:
.May 17 11:09:19: IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Expected Policies: : Failed to find a matching policyProposal 1: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA512 SHA384 SHA256 SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
.May 17 11:09:19:
.May 17 11:09:19:
.May 17 11:09:19: IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):: Failed to find a matching policy
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Sending no proposal chosen notify

.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Sending Packet [To 188.162.229.154:32774/From 31.200.236.206:500/VRF i0:f0]
Initiator SPI : 93505B913F7ED158 - Responder SPI : 2BDA4287F67C5DB9 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(NO_PROPOSAL_CHOSEN)

.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Failed SA init exchange
.May 17 11:09:19: IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Initial exchange failed: Initial exchange failed
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Abort exchange
.May 17 11:09:19: IKEv2:(SESSION ID = 2784,SA ID = 1):Deleting SA



As I understand it, the IKE policy doesn't match. But I can't understand why. The proposal is the same on both the Huawei and the Cisco.


17 May 2019, 04:47
Somewhere on the Huawei you forgot to say that IKEv1 must be used.


19 May 2019, 12:59
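Added example (not code from either post, nor from Cisco or Huawei): a small Python script that parses the Received/Expected policy lines from the Cisco debug above and reports which transform the peer offered that the local IKEv2 policy lacks. For this thread's log it isolates DH group 14, which is missing from the Cisco IKEv2 'default' policy that got matched; that is the mechanism behind the reply's point, since 'crypto isakmp policy 1' (the one with group 14) is an IKEv1 policy and is never consulted for the IKEv2 IKE_SA_INIT the Huawei sends. The token classification (AES/3DES/DES/NULL as encryption, any other non-DH token as hash) is my assumption about Cisco's debug format, derived from these two lines only.

```python
import re

# The two IKEv2-ERROR lines copied from the Cisco debug in the post above
# (timestamp prefix dropped; it plays no part in the parse).
RECEIVED = ("IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Received Policies: : Failed to find a "
            "matching policyProposal 1: AES-CBC-128 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14")
EXPECTED = ("IKEv2-ERROR:(SESSION ID = 2784,SA ID = 1):Expected Policies: : Failed to find a "
            "matching policyProposal 1: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA512 SHA384 SHA256 "
            "SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5 "
            "DH_GROUP_1024_MODP/Group 2")


def parse_proposal(line):
    """Split a Cisco IKEv2 'Proposal N: ...' debug line into sets of transforms.

    Cisco prints encryption, PRF, integrity and DH as one flat list; PRF and integrity
    names cannot be told apart in this output, so both are collected under 'hash'.
    """
    m = re.search(r"Proposal \d+:\s*(.*)$", line)
    if not m:
        raise ValueError("no 'Proposal N:' in line: %r" % line)
    body = m.group(1)
    # DH groups are printed as 'DH_GROUP_2048_MODP/Group 14' (two whitespace-separated tokens)
    algs = {"dh": {int(g) for g in re.findall(r"DH_GROUP_\w+/Group (\d+)", body)},
            "encr": set(), "hash": set()}
    for tok in re.sub(r"DH_GROUP_\w+/Group \d+", "", body).split():
        algs["encr" if tok.startswith(("AES", "3DES", "DES", "NULL")) else "hash"].add(tok)
    return algs


def find_mismatch(received, expected):
    """Transforms the peer offered that the local IKEv2 policy does not contain."""
    return {k: received[k] - expected[k] for k in received if received[k] - expected[k]}


def explain(received_line, expected_line):
    """Verdict for one Received/Expected pair from 'debug crypto ikev2'."""
    missing = find_mismatch(parse_proposal(received_line), parse_proposal(expected_line))
    if not missing:
        return "proposals overlap: the failure is not an algorithm mismatch"
    return "; ".join("%s: peer offered %s, local policy has none of them" % (k, sorted(v))
                     for k, v in sorted(missing.items()))


if __name__ == "__main__":
    # For the thread's log this prints: dh: peer offered [14], local policy has none of them.
    # The Cisco matched its IKEv2 policy 'default' because no 'crypto ikev2' proposal/policy
    # exists; 'crypto isakmp policy 1' (with group 14) is IKEv1 and is never consulted here.
    print(explain(RECEIVED, EXPECTED))
```

Any other Received/Expected pair copied from 'debug crypto ikev2' can be passed to explain() the same way; an empty mismatch means the algorithms agree and the failure lies elsewhere (identity/PSK, NAT, or IKE version).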