Коллеги, приветствую. Может кто подскажет, настраиваю на ISR2921 L2TP/Ipsec сервер, пытаюсь подключиться с клиента, первая фаза ставится, вторая тоже, но далее происходит такое, что пока не удалось победить.От клиента идут шифрованные запросы sccrq, а ответы от cisco sccrp идут уже мимо шифрования. Снимая дамп трафика на клиенте вижу эти ответы не шифрованные т.е, счетчики в show crypto ipsec sa увеличиваются только inbound.
Понимаю примерно, что нужно добавить acl, чтобы ответный трафик подпадал, но создание примерно вот такого не спасло ситуацию:
permit udp any eq 1701 any
Сейчас конфиг такой.
Код:
Current configuration : 8691 bytes
!
! Last configuration change at 21:49:44 UTC Mon Apr 3 2023 by admin
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service unsupported-transceiver
!
hostname Cisco2921
!
boot-start-marker
boot system flash:/c2900-universalk9-mz.SPA.157-3.M8.bin
boot-end-marker
!
!
enable secret 5
!
aaa new-model
!
!
aaa authentication ppp L2TP-AUTH local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.200.46
ip dhcp excluded-address 192.168.200.1
ip dhcp excluded-address 192.168.200.55
ip dhcp excluded-address 192.168.200.223
!
ip dhcp pool Local_PPPoE_Network
network 192.168.200.0 255.255.255.0
dns-server 192.168.200.1 8.8.8.8
default-router 192.168.200.1
lease 24
!
ip dhcp pool Wi-Fi_MWS_IPv4
network 172.16.77.0 255.255.255.0
dns-server 87.245.145.6 87.245.190.122
default-router 172.16.77.1
lease 24
!
ip dhcp pool VM_ESXi
network 10.120.17.0 255.255.255.0
dns-server 10.120.17.1
!
!
!
no ip domain lookup
ip domain name cisco2921.test
ip name-server 8.8.8.8
!
ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
vpdn session-limit 100
!
vpdn-group L2TP_REMOTE_USERS
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
lcp renegotiation always
no l2tp tunnel authentication
ip pmtu
!
!
!
key chain EIGRP
key 1
key-string 12345678
!
!
license udi pid CISCO2921/K9 sn ..
!
!
redundancy
!
!
!
!
!
!
crypto keyring KEY-L2TP
pre-shared-key address 0.0.0.0 0.0.0.0 key 12345678
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp profile IKE-L2TP
keyring KEY-L2TP
match identity address 0.0.0.0
!
!
crypto ipsec transform-set TRANS-L2TP esp-aes esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map CRYPTO_MAP_L2TP_USERS 10
set nat demux
set transform-set TRANS-L2TP
set isakmp-profile IKE-L2TP
match address test
!
!
crypto map CRYPTO_MAP_L2TP 10 ipsec-isakmp dynamic CRYPTO_MAP_L2TP_USERS
!
!
!
!
!
interface Loopback0
description --- l2tp vpn endpoint ---
ip address 10.120.17.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.6
description AKADO_IPv6
encapsulation dot1Q 6
ip address 10.1.1.2 255.255.255.252
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP
ip nat outside
ip virtual-reassembly in
ipv6 address ::1/127
ipv6 enable
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.67
description Public_IP_Address
encapsulation dot1Q 67
ip address .73 255.255.255.248
ipv6 nd managed-config-flag
crypto map CRYPTO_MAP_L2TP
!
interface GigabitEthernet0/1.77
encapsulation dot1Q 77
ip address 192.168.77.1 255.255.255.0
!
interface GigabitEthernet0/1.450
description NDMS_IPv6
encapsulation dot1Q 450
ipv6 address ::2/127
ipv6 enable
ipv6 nd prefix default no-advertise
!
interface GigabitEthernet0/1.777
encapsulation dot1Q 777
ip address 192.168.200.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.1613
encapsulation dot1Q 1613
ip address 172.16.77.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server Wi-Fi_MWS
!
interface GigabitEthernet0/1.1616
encapsulation dot1Q 1616
ip address 10.16.16.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.3000
encapsulation dot1Q 3000
ip address 10.16.17.1 255.255.255.252
ip policy route-map ds-lite
ipv6 address 5::2/127
ipv6 enable
!
interface GigabitEthernet0/1.3003
encapsulation dot1Q 3003
ip address 10.16.17.5 255.255.255.252
ip policy route-map mapt
ipv6 address 5::6/127
ipv6 enable
!
interface GigabitEthernet0/1.3006
encapsulation dot1Q 3006
ip address 10.16.17.9 255.255.255.252
ip policy route-map mapt
ipv6 address 5::8/127
ipv6 enable
ipv6 nd ra suppress
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.7
encapsulation dot1Q 7
ipv6 address 12::1/64
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server DMZ-IPv6
!
interface FastEthernet0/1/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1/1
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
mtu 1404
ip unnumbered Loopback0
ip information-reply
ip tcp adjust-mss 1364
peer default ip address dhcp-pool VM_ESXi
ppp mtu adaptive
ppp authentication ms-chap-v2 L2TP-AUTH
!
interface Async0/0/0
no ip address
encapsulation slip
!
!
router eigrp 1
network 10.1.1.0 0.0.0.3
network 172.16.77.0 0.0.0.255
network 192.168.77.0
network .72 0.0.0.7
passive-interface default
no passive-interface GigabitEthernet0/0.6
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.6 10.1.1.1
ip route 100.65.1.0 255.255.255.240 GigabitEthernet0/1.3003 10.16.17.6
ip route 100.67.1.0 255.255.255.240 GigabitEthernet0/1.3006 10.16.17.10
ip route 192.168.5.0 255.255.255.0 192.168.77.5
ip ssh version 2
!
ip access-list extended MWS_IPv4_Backup
permit ip 172.16.77.0 0.0.0.255 any
ip access-list extended ds-lite
permit ip 10.16.17.0 0.0.0.3 any
ip access-list extended mapt
permit ip 10.16.17.4 0.0.0.3 any
permit ip 100.65.1.0 0.0.0.15 any
permit ip 10.16.17.8 0.0.0.3 any
permit ip 100.67.1.0 0.0.0.15 any
ip access-list extended test
permit udp any eq 1701 any
ip access-list extended vlan777_backup
permit ip 192.168.200.0 0.0.0.255 any
!
GigabitEthernet0/1.3006 5254.00fb.1f23
route-map mapt permit 10
match ip address mapt
set ip next-hop 10.16.16.1
!
route-map ds-lite permit 10
match ip address ds-lite
set ip next-hop 10.16.16.1
!
route-map MWS_NAT_Backup permit 10
match ip address MWS_NAT_Backup
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 3600 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
scheduler allocate 20000 1000
!
end
Спасибо