Windows
IPsec tunnel between Cisco and XP, Quick Mode fails when the router initiates
I have been trying to set up an IPsec tunnel between a router and my Windows XP machine. The router is 192.168.254.30 and the XP machine is 192.168.254.128. However, I cannot seem to get the tunnel to work. I have set the tunnel up to apply to ICMP, and ping does not work from either side. On the Windows side I can see that it is being applied, because I get "Negotiating IP Security".
IOS config:
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_TEST
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$3p0B$h21M/3z9dR0n3gnJPWjBm/
enable password test1
!
aaa new-model
!
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa session-id common
ip subnet-zero
!
ip cef
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp security crypto-profile l2tpprof
 no l2tp tunnel authentication
!
async-bootp dns-server 192.168.254.253
!
username atestuser password 0 atestuser
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key testvpn address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set l2tptrans esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set radius-trans-set esp-des esp-md5-hmac
!
crypto map l2tpmap 2 ipsec-isakmp
 set peer 192.168.254.128
 set transform-set radius-trans-set
 match address for_radius
crypto map l2tpmap 10 ipsec-isakmp profile l2tpprof
 set transform-set l2tptrans
!
interface Loopback0
 ip address 172.16.7.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.6.1 255.255.255.0
 speed auto
 half-duplex
!
interface FastEthernet1/0
 ip address 192.168.254.30 255.255.255.0
 duplex auto
 speed auto
 crypto map l2tpmap
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip access-group vpn-in in
 peer default ip address pool RA_VPN_pool
 ppp authentication ms-chap-v2
!
ip local pool RA_VPN_pool 10.20.10.1 10.20.10.100
ip http server
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
ip access-list extended for_radius
 permit udp any host 192.168.254.128
 permit icmp any host 192.168.254.128
ip access-list extended vpn-in
 permit ip any 192.168.254.0 0.0.0.255
 permit ip any 172.16.6.0 0.0.0.255
!
radius-server host 192.168.254.253 auth-port 1645 acct-port 1646 key ciscosecret
!
line con 0
line aux 0
line vty 0 4
 password test
!
end
On the Windows side:
I created an IPsec policy. The IPsec policy has two IP filters, one per direction, as described in this document. Errors on the router:
When I try to ping from the router, I get the following with IPsec and ISAKMP debugging on at level 7:
VPN_TEST#ping 192.168.254.128 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.254.128, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
VPN_TEST#show log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 3513 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 85 message lines logged

Log Buffer (4096 bytes):

I_MM4
*Mar  2 01:26:59.829: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar  2 01:26:59.845: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar  2 01:26:59.845: ISAKMP: Looking for a matching key for 192.168.254.128 in default : success
*Mar  2 01:26:59.845: ISAKMP (0:1): found peer pre-shared key matching 192.168.254.128
*Mar  2 01:26:59.849: ISAKMP (0:1): SKEYID state generated
*Mar  2 01:26:59.849: ISAKMP:received payload type 20
*Mar  2 01:26:59.849: ISAKMP:received payload type 20
*Mar  2 01:26:59.849: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 01:26:59.849: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4
*Mar  2 01:26:59.849: ISAKMP (0:1): Send initial contact
*Mar  2 01:26:59.849: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  2 01:26:59.849: ISAKMP (0:1): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.254.30
        protocol     : 17
        port         : 500
        length       : 12
*Mar  2 01:26:59.849: ISAKMP (1): Total payload length: 12
*Mar  2 01:26:59.849: ISAKMP (0:1): sending packet to 192.168.254.128 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  2 01:26:59.849: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 01:26:59.849: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  2 01:26:59.853: ISAKMP (0:1): received packet from 192.168.254.128 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  2 01:26:59.853: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar  2 01:26:59.853: ISAKMP (0:1): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.254.128
        protocol     : 0
        port         : 0
        length       : 12
*Mar  2 01:26:59.853: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar  2 01:26:59.853: ISAKMP (0:1): SA authentication status: authenticated
*Mar  2 01:26:59.853: ISAKMP (0:1): SA has been authenticated with 192.168.254.128
*Mar  2 01:26:59.853: ISAKMP (0:1): peer matches *none* of the profiles
*Mar  2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6
*Mar  2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6
*Mar  2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  2 01:26:59.857: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -952376679
*Mar  2 01:26:59.857: ISAKMP (0:1): sending packet to 192.168.254.128 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  2 01:26:59.857: ISAKMP (0:1): Node -952376679, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  2 01:26:59.857: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  2 01:26:59.857: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  2 01:26:59.857: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Mar  2 01:26:59.865: ISAKMP (0:1): received packet from 192.168.254.128 dport 500 sport 500 Global (I) QM_IDLE
*Mar  2 01:26:59.865: ISAKMP: set new node -1887423582 to QM_IDLE
*Mar  2 01:26:59.865: ISAKMP (0:1): processing HASH payload. message ID = -1887423582
*Mar  2 01:26:59.865: ISAKMP (0:1): processing NOTIFY INVALID_ID_INFO protocol 3 spi 0, message ID = -1887423582, sa = 62F606C8
*Mar  2 01:26:59.865: ISAKMP (0:1): peer does not do paranoid keepalives.
*Mar  2 01:26:59.865: ISAKMP (0:1): deleting node -1887423582 error FALSE reason "informational (in) state 1"
*Mar  2 01:26:59.865: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  2 01:26:59.865: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Mar  2 01:26:59.865: IPSEC(key_engine): got a queue event...
*Mar  2 01:26:59.865: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Mar  2 01:26:59.865: IPSEC(key_engine_delete_sas): delete all SAs shared with 192.168.254.128:500
Edit:
I got it working, but only if the Windows side initiates the tunnel. So if I try to ping from the router to the Windows server, it does not work unless I have recently pinged it from Windows. In Windows I get the following audit log:
Event Type:     Failure Audit
Event Source:   Security
Event Category: Logon/Logoff
Event ID:       547
Date:           11/13/2009
Time:           8:59:21 AM
User:           NT AUTHORITY\NETWORK SERVICE
Computer:       BRANDT-VM
Description:
IKE security association negotiation failed.
 Mode:
Data Protection Mode (Quick Mode)
 Filter:
 Source IP Address 192.168.254.128
 Source IP Address Mask 0.0.0.0
 Destination IP Address 0.0.0.0
 Destination IP Address Mask 255.255.255.255
 Protocol 1
 Source Port 0
 Destination Port 0
 IKE Local Addr 192.168.254.128
 IKE Peer Addr 192.168.254.30
 Peer Identity:
Preshared key ID.
Peer IP Address: 192.168.254.30
 Failure Point:
Me
 Failure Reason:
No policy configured
 Extra Status:
0x0 0x0
I had a mismatch between the transform set on the router side and the "Negotiate security" method setting of the filter action for ESP integrity (SHA instead of MD5).
Edit: But actually, now it only works when Windows initiates the connection. So if I try to ping the Windows server from the router after a
clear crypto sa
it does not work. However, if I ping from Windows first and then from the router, it works. So for some reason it seems the Cisco router is not allowed to establish the tunnel.
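The router debug above ends with Main Mode completing (IKE_P1_COMPLETE) and the router's Quick Mode proposal being answered by a NOTIFY INVALID_ID_INFO, after which IOS tears down every SA to the peer. As an added example that is not part of the original post and not Cisco or Microsoft code, the Python script below triages `debug crypto isakmp` output of that shape: it tracks the Old State/New State transitions, NOTIFY payloads and SA deletions and reports which exchange failed and with what reason. The two sample logs are constructed: the first abbreviates the router-initiated log in the question, the second is a made-up Quick Mode that completes with the router as responder, included only to show the other verdict. The notify meanings follow RFC 2408 section 3.14.1; the state names keyed on (IKE_P1_COMPLETE, IKE_QM_*, IKE_QM_PHASE2_COMPLETE) are the ones IOS prints.

```python
"""Triage Cisco IOS 'debug crypto isakmp' output: which IKE phase failed, and why."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample mirroring the shape of the router log in the question
# (abbreviated, not verbatim): Main Mode completes, Quick Mode is rejected.
ROUTER_INITIATED_LOG = """\
*Mar  2 01:26:59.853: ISAKMP (0:1): SA has been authenticated with 192.168.254.128
*Mar  2 01:26:59.853: ISAKMP (0:1): peer matches *none* of the profiles
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  2 01:26:59.857: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -952376679
*Mar  2 01:26:59.857: ISAKMP (0:1): sending packet to 192.168.254.128 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  2 01:26:59.857: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  2 01:26:59.865: ISAKMP (0:1): received packet from 192.168.254.128 dport 500 sport 500 Global (I) QM_IDLE
*Mar  2 01:26:59.865: ISAKMP (0:1): processing NOTIFY INVALID_ID_INFO protocol 3 spi 0, message ID = -1887423582, sa = 62F606C8
*Mar  2 01:26:59.865: IPSEC(key_engine_delete_sas): delete all SAs shared with 192.168.254.128:500
"""

# Constructed sample of the other outcome (made up, not from the question): a Quick
# Mode that completes with the router as responder, so the two verdicts can be compared.
PEER_INITIATED_LOG = """\
*Mar  2 01:30:00.001: ISAKMP (0:2): SA has been authenticated with 192.168.254.128
*Mar  2 01:30:00.001: ISAKMP (0:2): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Mar  2 01:30:00.010: ISAKMP (0:2): received packet from 192.168.254.128 dport 500 sport 500 Global (R) QM_IDLE
*Mar  2 01:30:00.010: ISAKMP (0:2): Old State = IKE_QM_READY  New State = IKE_QM_R_QM2
*Mar  2 01:30:00.020: ISAKMP (0:2): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
PEER_RE = re.compile(r"(?:authenticated with|sending packet to|received packet from) (\d+(?:\.\d+){3})")
ROLE_RE = re.compile(r"\((I|R)\) (?:MM|QM|AG)_")       # (I)/(R) before a Main/Quick/Aggressive Mode state
DELETE_RE = re.compile(r"delete all SAs shared with (\d+(?:\.\d+){3})")

# ISAKMP notify types (RFC 2408 s.3.14.1) behind most failed negotiations.
NOTIFY_MEANING = {
    "INVALID_ID_INFO": "peer rejected the identities (proxy IDs / traffic selectors) in the proposal",
    "NO_PROPOSAL_CHOSEN": "peer found no acceptable transform or policy in the proposal",
    "PAYLOAD_MALFORMED": "peer could not parse a payload (in Phase 1 frequently a pre-shared key mismatch)",
    "ATTRIBUTES_NOT_SUPPORTED": "peer does not support an SA attribute that was proposed",
}


@dataclass
class IkeTriage:
    peer: Optional[str] = None
    role: Optional[str] = None                  # "initiator" or "responder" on this SA
    phase1_complete: bool = False
    quick_mode_started: bool = False
    quick_mode_complete: bool = False
    notifies: List[Tuple[str, int]] = field(default_factory=list)   # (name, DOI protocol)
    sas_deleted: bool = False
    transitions: List[Tuple[str, str]] = field(default_factory=list)

    def verdict(self) -> str:
        peer = self.peer or "peer"
        causes = "; ".join(f"{n} ({NOTIFY_MEANING.get(n, 'see RFC 2408')})" for n, _ in self.notifies)
        if not self.phase1_complete:
            return f"Phase 1 (Main Mode) with {peer} did not complete" + (f": {causes}" if causes else "")
        if self.quick_mode_complete:
            return f"Phase 1 and Phase 2 (Quick Mode) with {peer} completed"
        if self.quick_mode_started and self.notifies:
            tail = ", then all SAs to the peer were deleted" if self.sas_deleted else ""
            return f"Phase 1 authenticated; Quick Mode proposal to {peer} rejected with {causes}{tail}"
        return f"Phase 1 authenticated with {peer}; Quick Mode did not complete and no NOTIFY was seen"


def triage_isakmp_debug(log: str) -> IkeTriage:
    """Walk the debug lines once and summarise the negotiation with the (first) peer seen."""
    t = IkeTriage()
    for line in log.splitlines():
        if (m := PEER_RE.search(line)) and t.peer is None:
            t.peer = m.group(1)
        if (m := ROLE_RE.search(line)) and t.role is None:
            t.role = "initiator" if m.group(1) == "I" else "responder"
        if m := STATE_RE.search(line):
            old, new = m.groups()
            t.transitions.append((old, new))
            if new == "IKE_P1_COMPLETE":
                t.phase1_complete = True
            if new.startswith("IKE_QM_") and new != "IKE_QM_READY":
                t.quick_mode_started = True
            if new == "IKE_QM_PHASE2_COMPLETE":
                t.quick_mode_complete = True
        if m := NOTIFY_RE.search(line):
            t.notifies.append((m.group(1), int(m.group(2))))
        if DELETE_RE.search(line):
            t.sas_deleted = True
    return t


if __name__ == "__main__":
    for name, log in (("router-initiated", ROUTER_INITIATED_LOG), ("peer-initiated", PEER_INITIATED_LOG)):
        print(f"{name}: {triage_isakmp_debug(log).verdict()}")
```

For the router-initiated sample the verdict is that Phase 1 authenticated and the Quick Mode proposal was rejected with INVALID_ID_INFO before all SAs were deleted. In Quick Mode that notify is the responder saying it has no policy matching the identities (proxy IDs) it was offered, so the thing to compare is the router's crypto ACL (`for_radius`, `any` to `host 192.168.254.128`) against the selectors in the Windows filter list, not the ISAKMP policy, which had already authenticated the peer.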