Good day, everyone.
I have a problem understanding what I'm doing wrong; please explain where the truth is buried.
I have a test Cisco 892 box with IOS c890-universalk9-mz.152-4.M5.bin, which on Cisco's site seems to be listed as stable. Like many others, I ran into a pile of encryption types.
So far only Windows 7 works; XP and Linux do not.
Judging by the debugs, the IPsec part of the config fails in phase 2.
For XP and Win7 I added AssumeUDPEncapsulationContextOnSendRule = 2 to the registry, since the clients are behind NAT.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key test_key address 0.0.0.0 no-xauth
crypto isakmp nat keepalive 1800
crypto isakmp client configuration address-pool local L2TP
!
!
crypto ipsec transform-set W7 esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set XP esp-null esp-md5-hmac (ideally esp-3des esp-sha-hmac would be used here, but that does not work either, since the same policy already exists below)
mode transport
crypto ipsec transform-set LIN esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map DYN-W7 1
set nat demux
set transform-set W7
!
crypto dynamic-map DYN-XP 2
set nat demux
set transform-set XP
!
crypto dynamic-map DYN-LIN 3
set nat demux
set transform-set LIN
!
!
crypto map CRYPTOMAP client configuration address respond
crypto map CRYPTOMAP 1 ipsec-isakmp dynamic DYN-W7
crypto map CRYPTOMAP 2 ipsec-isakmp dynamic DYN-XP
crypto map CRYPTOMAP 3 ipsec-isakmp dynamic DYN-LIN
According to this document XP should work: http://support.microsoft.com/kb/325158, since everything seems to be correct...
Here is what arrives from XP
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-null esp-md5-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-null esp-sha-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-des esp-sha-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
So which encryption exactly does it need, if I've already tried everything... Help me out; smoking the Cisco and Windows manuals has led me to the conclusion that everything is configured correctly, and yet it doesn't work...
Now about Linux...
In short, I can't influence the IPsec settings in the Gnome3 NetworkManager, even with sacrifices and a shaman's drum. I'm too lazy to cobble together XL2TP+STRONGSWAN, since I want the convenient button in the connections list to work.
Here is what the crooked plugin produces
[root@nb intelligent]# cat /run/nm-ipsec-l2tp.9281/ipsec.conf
version 2.0
config setup
nat_traversal=yes
force_keepalive=yes
protostack=netkey
keep_alive=60
conn nm-ipsec-l2tpd-9281
auto=add
type=transport
auth=esp
pfs=no
authby=secret
keyingtries=0
left=%defaultroute
right=1.1.1.1 (changed for security reasons)
esp=3des-sha1
keyexchange=ike
ike=3des-sha1-modp1024
aggrmode=no
forceencaps=yes
Here is what ike-scan returns
[root@nb intelligent]# ike-scan 1.1.1.1
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
1.1.1.1 Main Mode Handshake returned HDR=(CKY-R=e47a3f4eb9f69b3e) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
Again there is a problem with negotiation in phase 2 :-(
Jan 28 06:49:15.557: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/256/0,
remote_proxy= 2.2.2.2/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jan 28 06:49:15.557: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }
Here is an excerpt of the log from Linux
Jan 28 10:49:15 nb NetworkManager[526]: <info> Starting VPN service 'l2tp'...
Jan 28 10:49:15 nb NetworkManager[526]: <info> VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 9991
Jan 28 10:49:15 nb NetworkManager[526]: <info> VPN service 'l2tp' appeared; activating connections
Jan 28 10:49:15 nb NetworkManager[526]: <info> VPN plugin state changed: starting (3)
Jan 28 10:49:15 nb NetworkManager[526]: Redirecting to: systemctl stop+start ipsec.service
Jan 28 10:49:15 nb systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jan 28 10:49:15 nb whack[10005]: 002 shutting down
Jan 28 10:49:15 nb systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jan 28 10:49:15 nb systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jan 28 10:49:15 nb systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jan 28 10:49:15 nb NetworkManager[526]: 002 forgetting secrets
Jan 28 10:49:15 nb NetworkManager[526]: 002 loading secrets from "/etc/ipsec.secrets"
Jan 28 10:49:15 nb ipsec_starter[10146]: Warning: ignored obsolete keyword 'force_keepalive'
Jan 28 10:49:15 nb NetworkManager[526]: opening file: /var/run/nm-ipsec-l2tp.9991/ipsec.conf
Jan 28 10:49:15 nb NetworkManager[526]: loading named conns: nm-ipsec-l2tpd-9991
Jan 28 10:49:15 nb NetworkManager[526]: parse_src = 1, parse_gateway = 0, has_dst = 1
Jan 28 10:49:15 nb NetworkManager[526]: dst 1.1.1.1 via 192.168.0.244 dev enp0s25 src 192.168.0.111
Jan 28 10:49:15 nb NetworkManager[526]: set addr: 192.168.0.111
Jan 28 10:49:40 nb NetworkManager[526]: <info> VPN connection 'ALEXHOME L2TP' (Connect) reply received.
Jan 28 10:49:40 nb NetworkManager[526]: <warn> VPN connection 'ALEXHOME L2TP' failed to connect: 'Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.'.
Jan 28 10:49:40 nb NetworkManager[526]: <info> Policy set 'DHCP' (enp0s25) as default for IPv4 routing and DNS.
Jan 28 10:50:05 nb NetworkManager[526]: <warn> error disconnecting VPN: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Jan 28 10:50:07 nb NetworkManager[526]: <info> VPN service 'l2tp' disappeared
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: initiating Main Mode
Jan 28 10:50:25 nb NetworkManager[526]: 104 "nm-ipsec-l2tpd-9991" #1: STATE_MAIN_I1: initiate
Jan 28 10:50:25 nb NetworkManager[526]: 003 "nm-ipsec-l2tpd-9991" #1: received Vendor ID payload [RFC 3947]
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 28 10:50:25 nb NetworkManager[526]: 106 "nm-ipsec-l2tpd-9991" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 28 10:50:25 nb NetworkManager[526]: 003 "nm-ipsec-l2tpd-9991" #1: received Vendor ID payload [Cisco-Unity]
Jan 28 10:50:25 nb NetworkManager[526]: 003 "nm-ipsec-l2tpd-9991" #1: received Vendor ID payload [Dead Peer Detection]
Jan 28 10:50:25 nb NetworkManager[526]: 003 "nm-ipsec-l2tpd-9991" #1: ignoring unknown Vendor ID payload [11bd9853cfcd52f8eaf31e68c34ac086]
Jan 28 10:50:25 nb NetworkManager[526]: 003 "nm-ipsec-l2tpd-9991" #1: received Vendor ID payload [XAUTH]
Jan 28 10:50:25 nb NetworkManager[526]: 003 "nm-ipsec-l2tpd-9991" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: Not sending INITIAL_CONTACT
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 28 10:50:25 nb NetworkManager[526]: 108 "nm-ipsec-l2tpd-9991" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: Main mode peer ID is ID_IPV4_ADDR: '1.1.1.1'
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 28 10:50:25 nb NetworkManager[526]: 004 "nm-ipsec-l2tpd-9991" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEv2ALLOW+SAREFTRACK+IKE_FRAG {using isakmp#1 msgid:80e3f288 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jan 28 10:50:25 nb NetworkManager[526]: 117 "nm-ipsec-l2tpd-9991" #2: STATE_QUICK_I1: initiate
Jan 28 10:50:25 nb NetworkManager[526]: 010 "nm-ipsec-l2tpd-9991" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
Jan 28 10:50:25 nb NetworkManager[526]: 010 "nm-ipsec-l2tpd-9991" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
Jan 28 10:50:25 nb NetworkManager[526]: 031 "nm-ipsec-l2tpd-9991" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 28 10:50:25 nb NetworkManager[526]: 000 "nm-ipsec-l2tpd-9991" #2: starting keying attempt 2 of an unlimited number, but releasing whack
Jan 28 10:51:10 nb gnome-session[997]: [3386:3472:0128/105110:ERROR:download.cc(330)] PostClientToServerMessage() failed during GetUpdates
In short, help me out; good links to manuals are welcome, but it would be better to point to the place where the config should be corrected or what exactly is misconfigured.
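As an added example (not part of the original post or of any Cisco tooling), a small Python triage script that parses the transform sets from the IOS config fragment above and the "transform proposal not supported for identity" lines from the debug output, then reports which rejected client proposals already have an exactly matching transform set and in which mode. The sample config and debug lines are constructed from what the post quotes; the function names are my own.

```python
import re

# Constructed samples: the transform sets and IOS debug lines quoted in the post.
IOS_CONFIG = """\
crypto ipsec transform-set W7 esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set XP esp-null esp-md5-hmac
 mode transport
crypto ipsec transform-set LIN esp-3des esp-sha-hmac
 mode transport
"""
IOS_DEBUG = """\
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-null esp-md5-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
# The rejected transform list is printed in braces on the line after the 'identity:' message.
REJECT_RE = re.compile(r"transform proposal not supported for identity:\s*\{(.+?)\s*\}")

def parse_transform_sets(config):
    """Return name -> (frozenset of transforms, mode). IOS defaults a set to tunnel mode;
    L2TP/IPsec clients negotiate transport mode, so a set without 'mode transport' never fits."""
    sets, current = {}, None
    for line in config.splitlines():
        m = TS_RE.match(line.strip())
        if m:
            current = m.group(1)
            sets[current] = [frozenset(m.group(2).split()), "tunnel"]
        elif current and line.strip().startswith("mode "):
            sets[current][1] = line.split()[1]
    return {name: tuple(v) for name, v in sets.items()}

def parse_rejected_proposals(debug):
    """Collect every transform combination IOS reported as not supported for the identity."""
    return [frozenset(t.split()) for t in REJECT_RE.findall(debug)]

def triage(config, debug):
    """Map each rejected client proposal to the (name, mode) of transform sets offering exactly
    those algorithms. A match means the ciphers are configured and the mismatch lies elsewhere:
    the crypto-map entry the peer's identity selected, the proxy IDs, or the mode."""
    sets = parse_transform_sets(config)
    return {" ".join(sorted(p)): [(n, mode) for n, (t, mode) in sets.items() if t == p]
            for p in parse_rejected_proposals(debug)}
```

Run it on `show running-config` output and `debug crypto ipsec` output pasted into the two strings; an empty list for a proposal means no transform set offers that combination at all.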