
IPsec tunnel between Cisco and XP, Quick Mode fails when the router initiates

  • July 3, 2014

I have been trying to set up an IPsec tunnel between a router and my Windows XP machine. The router is 192.168.254.30 and the XP machine is 192.168.254.128. However, I can't seem to get the tunnel working. I have set the tunnel up to apply to ICMP, and pings don't work from either side. On the Windows side I can see that it is being applied, because I get "Negotiating IP Security".

IOS configuration

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_TEST
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$3p0B$h21M/3z9dR0n3gnJPWjBm/
enable password test1
!
aaa new-model
!
!
aaa authentication ppp default group radius local
aaa authorization network default group radius 
aaa session-id common
ip subnet-zero
!
!
ip cef
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
 protocol l2tp
 virtual-template 1
l2tp security crypto-profile l2tpprof
no l2tp tunnel authentication
!
async-bootp dns-server 192.168.254.253
!
!
!
!
!
!
!
!
!
!
!
!
username atestuser password 0 atestuser
!
!
! 
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 2
authentication pre-share
crypto isakmp key testvpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set l2tptrans esp-3des esp-md5-hmac 
mode transport
crypto ipsec transform-set radius-trans-set esp-des esp-md5-hmac 
!
crypto map l2tpmap 2 ipsec-isakmp 
set peer 192.168.254.128
set transform-set radius-trans-set 
match address for_radius
crypto map l2tpmap 10 ipsec-isakmp profile l2tpprof 
set transform-set l2tptrans 
!
!
!
!
interface Loopback0
ip address 172.16.7.1 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.6.1 255.255.255.0
speed auto
half-duplex
!
interface FastEthernet1/0
ip address 192.168.254.30 255.255.255.0
duplex auto
speed auto
crypto map l2tpmap
!
interface Virtual-Template1
ip unnumbered Loopback0
ip access-group vpn-in in
peer default ip address pool RA_VPN_pool
ppp authentication ms-chap-v2
!
ip local pool RA_VPN_pool 10.20.10.1 10.20.10.100
ip http server
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
!
!
ip access-list extended for_radius
permit udp any host 192.168.254.128
permit icmp any host 192.168.254.128
ip access-list extended vpn-in
permit ip any 192.168.254.0 0.0.0.255
permit ip any 172.16.6.0 0.0.0.255
!
radius-server host 192.168.254.253 auth-port 1645 acct-port 1646 key ciscosecret
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password test
!
!
end

On the Windows side
I created an IPsec policy. That IPsec policy has two IP filters, one for each direction, as described in this document.

Errors on the router:

When I try to ping from the router with IPsec and ISAKMP debugging enabled, I get the following:

VPN_TEST#ping 192.168.254.128 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.254.128, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
VPN_TEST#show log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
   Console logging: disabled
   Monitor logging: level debugging, 0 messages logged, xml disabled
   Buffer logging: level debugging, 3513 messages logged, xml disabled
   Logging Exception size (4096 bytes)
   Count and timestamp logging messages: disabled
   Trap logging: level informational, 85 message lines logged

Log Buffer (4096 bytes):
I_MM4 

*Mar  2 01:26:59.829: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar  2 01:26:59.845: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar  2 01:26:59.845: ISAKMP: Looking for a matching key for 192.168.254.128 in default : success
*Mar  2 01:26:59.845: ISAKMP (0:1): found peer pre-shared key matching 192.168.254.128
*Mar  2 01:26:59.849: ISAKMP (0:1): SKEYID state generated
*Mar  2 01:26:59.849: ISAKMP:received payload type 20
*Mar  2 01:26:59.849: ISAKMP:received payload type 20
*Mar  2 01:26:59.849: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 01:26:59.849: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4 

*Mar  2 01:26:59.849: ISAKMP (0:1): Send initial contact
*Mar  2 01:26:59.849: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  2 01:26:59.849: ISAKMP (0:1): ID payload 
   next-payload : 8
       type         : 1 
   address      : 192.168.254.30 
   protocol     : 17 
   port         : 500 
   length       : 12
*Mar  2 01:26:59.849: ISAKMP (1): Total payload length: 12
*Mar  2 01:26:59.849: ISAKMP (0:1): sending packet to 192.168.254.128 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  2 01:26:59.849: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 01:26:59.849: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5 

*Mar  2 01:26:59.853: ISAKMP (0:1): received packet from 192.168.254.128 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  2 01:26:59.853: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar  2 01:26:59.853: ISAKMP (0:1): ID payload 
   next-payload : 8
   type         : 1 
   address      : 192.168.254.128 
   protocol     : 0 
   port         : 0 
   length       : 12
*Mar  2 01:26:59.853: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar  2 01:26:59.853: ISAKMP (0:1): SA authentication status: 
   authenticated
*Mar  2 01:26:59.853: ISAKMP (0:1): SA has been authenticated with 192.168.254.128
*Mar  2 01:26:59.853: ISAKMP (0:1): peer matches *none* of the profiles
*Mar  2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6 

*Mar  2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6 

*Mar  2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 

*Mar  2 01:26:59.857: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -952376679
*Mar  2 01:26:59.857: ISAKMP (0:1): sending packet to 192.168.254.128 my_port 500 peer_port 500 (I) QM_IDLE      
*Mar  2 01:26:59.857: ISAKMP (0:1): Node -952376679, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  2 01:26:59.857: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  2 01:26:59.857: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  2 01:26:59.857: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

*Mar  2 01:26:59.865: ISAKMP (0:1): received packet from 192.168.254.128 dport 500 sport 500 Global (I) QM_IDLE      
*Mar  2 01:26:59.865: ISAKMP: set new node -1887423582 to QM_IDLE      
*Mar  2 01:26:59.865: ISAKMP (0:1): processing HASH payload. message ID = -1887423582
*Mar  2 01:26:59.865: ISAKMP (0:1): processing NOTIFY INVALID_ID_INFO protocol 3
   spi 0, message ID = -1887423582, sa = 62F606C8
*Mar  2 01:26:59.865: ISAKMP (0:1): peer does not do paranoid keepalives.

*Mar  2 01:26:59.865: ISAKMP (0:1): deleting node -1887423582 error FALSE reason "informational (in) state 1"
*Mar  2 01:26:59.865: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  2 01:26:59.865: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

*Mar  2 01:26:59.865: IPSEC(key_engine): got a queue event...
*Mar  2 01:26:59.865: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Mar  2 01:26:59.865: IPSEC(key_engine_delete_sas): delete all SAs shared with 192.168.254.128:500

Edit:

I got it working, but only if the Windows side initiates the tunnel. So if I try to ping the Windows server from the router, it doesn't work unless I have recently pinged it from Windows. In Windows I get the following audit log:

Event Type: Failure Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:   547
Date:       11/13/2009
Time:       8:59:21 AM
User:       NT AUTHORITY\NETWORK SERVICE
Computer:   BRANDT-VM
Description:
IKE security association negotiation failed.
Mode: 
Data Protection Mode (Quick Mode)

Filter: 
Source IP Address 192.168.254.128
Source IP Address Mask 0.0.0.0
Destination IP Address 0.0.0.0
Destination IP Address Mask 255.255.255.255
Protocol 1
Source Port 0
Destination Port 0
IKE Local Addr 192.168.254.128
IKE Peer Addr 192.168.254.30
Peer Identity: 
Preshared key ID.
Peer IP Address: 192.168.254.30
 Failure Point: 
Me
Failure Reason: 
No policy configured
Extra Status: 
0x0 0x0

I had a mismatch between the transform set on the router side and the ESP integrity setting of the "Negotiate security" filter action (SHA instead of MD5).

Edit: But actually, it now only works when Windows initiates the connection. So if I then try to ping the Windows server from the router, even with clear crypto sa, it doesn't work. But if I ping from Windows first and then from the router, it works. So for some reason it seems the Cisco router is not allowed to establish the tunnel.
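The following is an added example, not code from the original post or from Cisco or Microsoft. It reads the two diagnostics pasted above in a structured way and lints the crypto part of the IOS config: the IOS ISAKMP debug buffer is reduced to its state transitions and NOTIFY payloads (protocol id 3 in the INVALID_ID_INFO notify is PROTO_IPSEC_ESP per RFC 2407, so the Windows responder rejected the Phase 2 proxy identities after Phase 1 had authenticated), the crypto-map ACL is turned into the proxy IDs the router will propose, and the filter from the Windows event 547 is parsed so the two selector sets can be compared. All sample inputs are constructed excerpts of what the page shows. Two assumptions are labelled in the code: the ACL-to-proxy-ID encoding (`any` as 0.0.0.0/0.0.0.0, `host X` as X/32) and the fact that the masks in the 547 event follow a Windows convention the post does not explain, so only addresses and protocol are compared. The config lint flags the wildcard pre-shared key (`address 0.0.0.0 0.0.0.0`), which lets any source that knows the key authenticate, and the single-DES transform set.

```python
# Added example (not from the original post): pull the facts out of the two
# diagnostics pasted above and lint the crypto part of the IOS config.  Every
# sample input here is a constructed excerpt of what the page shows.
import re
from collections import namedtuple

# 1. IOS `debug crypto isakmp` buffer: IKEv1 state machine and NOTIFY payloads
IOS_DEBUG = """\
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  2 01:26:59.857: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  2 01:26:59.865: ISAKMP (0:1): processing NOTIFY INVALID_ID_INFO protocol 3
*Mar  2 01:26:59.865: IPSEC(key_engine_delete_sas): delete all SAs shared with 192.168.254.128:500
"""
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")

def diagnose(log):
    """Classify the exchange: where did it stop, and did the peer say why?"""
    lines = log.splitlines()
    new_states = [m.group(2) for m in map(STATE_RE.search, lines) if m]
    notifies = [(m.group(1), int(m.group(2))) for m in map(NOTIFY_RE.search, lines) if m]
    if "IKE_P1_COMPLETE" not in new_states:
        return "phase1-failed"
    if "IKE_QM_PHASE2_COMPLETE" in new_states:
        return "ok"
    # DOI protocol id 3 is PROTO_IPSEC_ESP (RFC 2407): the responder rejected the
    # ESP proxy identities; Phase 1 authentication had already succeeded.
    if ("INVALID_ID_INFO", 3) in notifies:
        return "phase2-rejected-proxy-ids"
    return "phase2-incomplete"

# 2. Phase 2 proxy IDs the router proposes, derived from its crypto-map ACL
CRYPTO_ACL = """\
ip access-list extended for_radius
 permit udp any host 192.168.254.128
 permit icmp any host 192.168.254.128
"""
PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}
Selector = namedtuple("Selector", "src src_mask dst dst_mask proto")

def _addr(tok):
    """One ACL address spec -> (address, netmask, rest). Assumed IOS encoding:
    `any` is 0.0.0.0/0.0.0.0, `host X` is X/32, `A W` is A with wildcard W."""
    if tok[0] == "any":
        return "0.0.0.0", "0.0.0.0", tok[1:]
    if tok[0] == "host":
        return tok[1], "255.255.255.255", tok[2:]
    return tok[0], ".".join(str(255 - int(o)) for o in tok[1].split(".")), tok[2:]

def proxy_ids_from_acl(acl):
    out = []
    for t in (line.split() for line in acl.splitlines()):
        if len(t) >= 4 and t[0] == "permit":
            src, sm, rest = _addr(t[2:])
            dst, dm, _ = _addr(rest)
            out.append(Selector(src, sm, dst, dm, PROTO[t[1]]))
    return out

# 3. Windows XP Security event 547: the filter the responder could not match
WIN_547 = """\
Source IP Address 192.168.254.128
Source IP Address Mask 0.0.0.0
Destination IP Address 0.0.0.0
Destination IP Address Mask 255.255.255.255
Protocol 1
Failure Reason:
No policy configured
"""
FIELD_RE = re.compile(r"^(Source IP Address Mask|Source IP Address|Destination IP Address Mask|"
                      r"Destination IP Address|Protocol) (\S+)$", re.M)

def parse_547(text):
    """Return (selector as logged, failure reason)."""
    f = dict(FIELD_RE.findall(text))
    reason = re.search(r"Failure Reason:\n(.+)", text).group(1).strip()
    return Selector(f["Source IP Address"], f["Source IP Address Mask"], f["Destination IP Address"],
                    f["Destination IP Address Mask"], int(f["Protocol"])), reason

def same_traffic(router_sel, windows_sel):
    """Is the filter Windows logged the mirror (src/dst swapped) of the router's
    proposal?  Only addresses and protocol are compared: the 547 event prints
    masks in Windows' own convention, which the post does not explain (assumption)."""
    return ((router_sel.dst, router_sel.src, router_sel.proto)
            == (windows_sel.src, windows_sel.dst, windows_sel.proto))

# 4. Lint the crypto-relevant lines of the running config
IOS_CONFIG = """\
crypto isakmp key testvpn address 0.0.0.0 0.0.0.0
crypto ipsec transform-set radius-trans-set esp-des esp-md5-hmac
"""

def config_findings(cfg):
    out = []
    for line in cfg.splitlines():
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0$", line):
            out.append("wildcard PSK: any address that knows the key authenticates; bind it to the peer")
        elif re.match(r"crypto ipsec transform-set \S+ esp-des\b", line):
            out.append("single DES in transform set " + line.split()[3])
    return out
```

Running `diagnose(IOS_DEBUG)` on the excerpt returns `phase2-rejected-proxy-ids`; the ICMP entry of the ACL, mirrored, is the selector Windows logged together with "No policy configured", while the UDP entry is not, so the comparison isolates which ACL line the Windows filter set has to cover when the router is the initiator.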

Quoted from: https://serverfault.com/questions/84119