The OpenNET Project / Index page

Forum: Routers: CISCO and other equipment (VPN, VLAN, tunnel)
Original message

"l2tp vpn ipsec client pptp client"
Message from mshejh (ok) on 09-Jan-13, 13:50
Greetings!
I'm asking for help.

I'm not on familiar terms with Cisco, that is, I have no experience configuring it.

The router is connected to the provider via pptp.

The layout is as follows:

(10.17.0.186)[gi0/0/0]cisco2911[gi0/1](10.30.xxx.yyy)[dialer1](81.25.xxx.yyy)----internet

Next, I want to connect to an l2tp vpn server. It is the head office's server. If the main link to the head office fails, traffic should go through the l2tp vpn.

I have the IP 193.104.xxx.xxx, a login, a password, and a key. But the vpn doesn't come up. On Windows everything works.

Thanks in advance!!

Here is the current config:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname c2911_route
!
boot-start-marker
boot system flash:/c2900-universalk9-mz.SPA.151-4.M.bin
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
!
!
ip multicast-routing
!
!
ip domain name local.local
ip name-server 81.25.xxx.yyy
ip name-server 10.7.xxx.yyy
ip inspect WAAS flush-timeout 10
l2tp-class DEFAULT-L2TP-CLASS
!
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
request-dialin
  protocol pptp
  rotary-group 1
initiate-to ip 10.30.xxx.yyy
!
pseudowire-class PW-L2TP
encapsulation l2tpv2
protocol l2tpv2 DEFAULT-L2TP-CLASS
ip local interface Dialer1
!
!
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28000
crypto isakmp key avoccod8 address 193.104.xxx.yyy
!
crypto ipsec transform-set L2TP esp-3des esp-md5-hmac
mode transport
!
crypto map L2TP 10 ipsec-isakmp
set peer 193.104.xxx.yyy
set transform-set L2TP
match address L2TP_SA_DIALER1
!
interface Loopback1
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/1
ip address 10.30.xxx.yyy 255.255.255.0
no ip proxy-arp
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
shutdown
!
interface GigabitEthernet0/0/2
no ip address
shutdown
!
interface GigabitEthernet0/0/3
no ip address
shutdown
!
interface Virtual-PPP1
ip address negotiated
ppp authentication ms-chap-v2
ppp chap hostname name
ppp chap password 0 pass
pseudowire 193.104.xxx.yyy 10 pw-class PW-L2TP
!
interface Vlan1
description $ES_LAN$
ip address 10.17.0.186 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1410
!
interface Dialer1
mtu 1450
ip address negotiated
ip pim dense-mode
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 1
ppp chap hostname name
ppp chap password 0 pass
no cdp enable
crypto map L2TP
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.30.xxx.yyy 255.255.255.255 GigabitEthernet0/1
!
ip access-list extended INPUT_ACL
permit ip host 193.104.xxx.yyy host 81.25.xxx.yyy
ip access-list extended L2TP_SA_DIALER1
permit udp host 81.25.xxx.yyy eq 1701 host 193.104.xxx.yyy eq 1701
!
logging esm config
access-list 1 permit 10.17.0.0 0.0.0.255
dialer-list 1 protocol ip permit




1. "l2tp vpn ipsec client pptp client"
Message from spiegel (ok) on 09-Jan-13, 17:21
Add

> interface Virtual-PPP1
>   ip mtu 1400

and check what debug ppp author shows


2. "l2tp vpn ipsec client pptp client"
Message from mshejh (ok) on 09-Jan-13, 17:52
I added the mtu; debug ppp author shows nothing.

deb cry isakmp, deb cry ipsec:


*Jan  9 13:43:25.399: ISAKMP:(0): SA request profile is (NULL)
*Jan  9 13:43:25.399: ISAKMP: Created a peer struct for 193.104.149.253, peer port 500
*Jan  9 13:43:25.399: ISAKMP: New peer created peer = 0x313EEFF8 peer_handle = 0x80000089
*Jan  9 13:43:25.399: ISAKMP: Locking peer struct 0x313EEFF8, refcount 1 for isakmp_initiator
*Jan  9 13:43:25.399: ISAKMP: local port 500, remote port 500
*Jan  9 13:43:25.399: ISAKMP: set new node 0 to QM_IDLE
*Jan  9 13:43:25.399: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 314E1C4C
*Jan  9 13:43:25.399: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan  9 13:43:25.399: ISAKMP:(0):found peer pre-shared key matching 193.104.149.253
*Jan  9 13:43:25.399: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan  9 13:43:25.399: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan  9 13:43:25.399: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan  9 13:43:25.399: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan  9 13:43:25.399: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan  9 13:43:25.399: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Jan  9 13:43:25.399: ISAKMP:(0): beginning Main Mode exchange
*Jan  9 13:43:25.399: ISAKMP:(0): sending packet to 193.104.149.253 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan  9 13:43:25.399: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan  9 13:43:25.403: ISAKMP (0): received packet from 193.104.149.253 dport 500 sport 500 Global (I) MM_NO_STATE
*Jan  9 13:43:25.403: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan  9 13:43:25.403: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Jan  9 13:43:25.403: ISAKMP:(0): processing SA payload. message ID = 0
*Jan  9 13:43:25.403: ISAKMP:(0): processing vendor id payload
*Jan  9 13:43:25.403: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan  9 13:43:25.403: ISAKMP:(0): vendor ID is NAT-T v2
*Jan  9 13:43:25.403: ISAKMP:(0): processing vendor id payload
*Jan  9 13:43:25.403: ISAKMP:(0): processing IKE frag vendor id payload
*Jan  9 13:43:25.403: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jan  9 13:43:25.403: ISAKMP:(0):found peer pre-shared key matching 193.104.149.253
*Jan  9 13:43:25.403: ISAKMP:(0): local preshared key found
*Jan  9 13:43:25.403: ISAKMP : Scanning profiles for xauth ...
*Jan  9 13:43:25.403: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*Jan  9 13:43:25.403: ISAKMP:      encryption 3DES-CBC
*Jan  9 13:43:25.403: ISAKMP:      hash MD5
*Jan  9 13:43:25.403: ISAKMP:      default group 2
*Jan  9 13:43:25.403: ISAKMP:      auth pre-share
*Jan  9 13:43:25.403: ISAKMP:      life type in seconds
*Jan  9 13:43:25.403: ISAKMP:      life duration (basic) of 28000
*Jan  9 13:43:25.403: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan  9 13:43:25.403: ISAKMP:(0):Acceptable atts:actual life: 0
*Jan  9 13:43:25.403: ISAKMP:(0):Acceptable atts:life: 0
*Jan  9 13:43:25.403: ISAKMP:(0):Basic life_in_seconds:28000
*Jan  9 13:43:25.407: ISAKMP:(0):Returning Actual lifetime: 28000
*Jan  9 13:43:25.407: ISAKMP:(0)::Started lifetime timer: 28000.

*Jan  9 13:43:25.407: ISAKMP:(0): processing vendor id payload
*Jan  9 13:43:25.407: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan  9 13:43:25.407: ISAKMP:(0): vendor ID is NAT-T v2
*Jan  9 13:43:25.407: ISAKMP:(0): processing vendor id payload
*Jan  9 13:43:25.407: ISAKMP:(0): processing IKE frag vendor id payload
*Jan  9 13:43:25.407: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jan  9 13:43:25.407: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan  9 13:43:25.407: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Jan  9 13:43:25.407: ISAKMP:(0): sending packet to 193.104.149.253 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jan  9 13:43:25.407: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan  9 13:43:25.407: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan  9 13:43:25.407: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Jan  9 13:43:25.411: ISAKMP (0): received packet from 193.104.149.253 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jan  9 13:43:25.411: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan  9 13:43:25.411: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Jan  9 13:43:25.411: ISAKMP:(0): processing KE payload. message ID = 0
*Jan  9 13:43:25.435: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan  9 13:43:25.435: ISAKMP:(0):found peer pre-shared key matching 193.104.149.253
*Jan  9 13:43:25.435: ISAKMP:(1120): processing vendor id payload
*Jan  9 13:43:25.435: ISAKMP:(1120): vendor ID is Unity
*Jan  9 13:43:25.435: ISAKMP:(1120): processing vendor id payload
*Jan  9 13:43:25.439: ISAKMP:(1120): vendor ID seems Unity/DPD but major 20 mismatch
*Jan  9 13:43:25.439: ISAKMP:(1120): vendor ID is XAUTH
*Jan  9 13:43:25.439: ISAKMP:(1120): processing vendor id payload
*Jan  9 13:43:25.439: ISAKMP:(1120): speaking to another IOS box!
*Jan  9 13:43:25.439: ISAKMP:(1120): processing vendor id payload
*Jan  9 13:43:25.439: ISAKMP:(1120):vendor ID seems Unity/DPD but hash mismatch
*Jan  9 13:43:25.439: ISAKMP:received payload type 20
*Jan  9 13:43:25.439: ISAKMP (1120): His hash no match - this node outside NAT
*Jan  9 13:43:25.439: ISAKMP:received payload type 20
*Jan  9 13:43:25.439: ISAKMP (1120): No NAT Found for self or peer
*Jan  9 13:43:25.439: ISAKMP:(1120):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan  9 13:43:25.439: ISAKMP:(1120):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Jan  9 13:43:25.439: ISAKMP:(1120):Send initial contact
*Jan  9 13:43:25.439: ISAKMP:(1120):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jan  9 13:43:25.439: ISAKMP (1120): ID payload
        next-payload : 8
        type         : 1
        address      : 81.25.57.189
        protocol     : 17
        port         : 500
        length       : 12
*Jan  9 13:43:25.439: ISAKMP:(1120):Total payload length: 12
*Jan  9 13:43:25.439: ISAKMP:(1120): sending packet to 193.104.149.253 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan  9 13:43:25.439: ISAKMP:(1120):Sending an IKE IPv4 Packet.
*Jan  9 13:43:25.439: ISAKMP:(1120):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan  9 13:43:25.439: ISAKMP:(1120):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Jan  9 13:43:25.443: ISAKMP (1120): received packet from 193.104.149.253 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan  9 13:43:25.443: ISAKMP:(1120): processing ID payload. message ID = 0
*Jan  9 13:43:25.443: ISAKMP (1120): ID payload
        next-payload : 8
        type         : 1
        address      : 193.104.149.253
        protocol     : 17
        port         : 0
        length       : 12
*Jan  9 13:43:25.443: ISAKMP:(0):: peer matches *none* of the profiles
*Jan  9 13:43:25.443: ISAKMP:(1120): processing HASH payload. message ID = 0
*Jan  9 13:43:25.443: ISAKMP:received payload type 17
*Jan  9 13:43:25.443: ISAKMP:(1120): processing vendor id payload
*Jan  9 13:43:25.443: ISAKMP:(1120): vendor ID is DPD
*Jan  9 13:43:25.443: ISAKMP:(1120):SA authentication status:
        authenticated
*Jan  9 13:43:25.443: ISAKMP:(1120):SA has been authenticated with 193.104.149.253
*Jan  9 13:43:25.443: ISAKMP: Trying to insert a peer 81.25.57.189/193.104.149.253/500/,  and inserted successfully 313EEFF8.
*Jan  9 13:43:25.443: ISAKMP:(1120):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan  9 13:43:25.443: ISAKMP:(1120):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Jan  9 13:43:25.443: ISAKMP:(1120):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan  9 13:43:25.443: ISAKMP:(1120):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Jan  9 13:43:25.443: ISAKMP:(1120):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan  9 13:43:25.443: ISAKMP:(1120):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Jan  9 13:43:25.443: ISAKMP:(1120):beginning Quick Mode exchange, M-ID of 2712072553
*Jan  9 13:43:25.443: ISAKMP:(1120):QM Initiator gets spi
*Jan  9 13:43:25.443: ISAKMP:(1120): sending packet to 193.104.149.253 my_port 500 peer_port 500 (I) QM_IDLE
*Jan  9 13:43:25.443: ISAKMP:(1120):Sending an IKE IPv4 Packet.
*Jan  9 13:43:25.443: ISAKMP:(1120):Node 2712072553, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jan  9 13:43:25.443: ISAKMP:(1120):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jan  9 13:43:25.443: ISAKMP:(1120):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jan  9 13:43:25.443: ISAKMP:(1120):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jan  9 13:43:25.451: ISAKMP (1120): received packet from 193.104.149.253 dport 500 sport 500 Global (I) QM_IDLE    
*Jan  9 13:43:25.451: ISAKMP: set new node -361918668 to QM_IDLE
*Jan  9 13:43:25.451: ISAKMP:(1120): processing HASH payload. message ID = 3933048628
*Jan  9 13:43:25.451: ISAKMP:(1120): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 3933048628, sa = 0x314E1C4C
*Jan  9 13:43:25.451: ISAKMP:(1120):deleting node -361918668 error FALSE reason "Informational (in) state 1"
*Jan  9 13:43:25.451: ISAKMP:(1120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jan  9 13:43:25.451: ISAKMP:(1120):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jan  9 13:43:25.451: ISAKMP (1120): received packet from 193.104.149.253 dport 500 sport 500 Global (I) QM_IDLE    
*Jan  9 13:43:25.451: ISAKMP: set new node 1260810866 to QM_IDLE
*Jan  9 13:43:25.451: ISAKMP:(1120): processing HASH payload. message ID = 1260810866
*Jan  9 13:43:25.451: ISAKMP:(1120): processing DELETE payload. message ID = 1260810866
*Jan  9 13:43:25.451: ISAKMP:(1120):peer does not do paranoid keepalives.

*Jan  9 13:43:25.451: ISAKMP:(1120):deleting SA reason "No reason" state (I) QM_IDLE       (peer 193.104.149.253)
*Jan  9 13:43:25.451: ISAKMP:(1120):deleting node 1260810866 error FALSE reason "Informational (in) state 1"
*Jan  9 13:43:25.451: ISAKMP: set new node -735100589 to QM_IDLE
*Jan  9 13:43:25.451: ISAKMP:(1120): sending packet to 193.104.149.253 my_port 500 peer_port 500 (I) QM_IDLE
*Jan  9 13:43:25.451: ISAKMP:(1120):Sending an IKE IPv4 Packet.
*Jan  9 13:43:25.451: ISAKMP:(1120):purging node -735100589
*Jan  9 13:43:25.451: ISAKMP:(1120):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan  9 13:43:25.451: ISAKMP:(1120):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Jan  9 13:43:25.451: ISAKMP:(1120):deleting SA reason "No reason" state (I) QM_IDLE       (peer 193.104.149.253)
*Jan  9 13:43:25.451: ISAKMP: Unlocking peer struct 0x313EEFF8 for isadb_mark_sa_deleted(), count 0
*Jan  9 13:43:25.451: ISAKMP: Deleting peer node by peer_reap for 193.104.149.253: 313EEFF8
*Jan  9 13:43:25.451: ISAKMP:(1120):deleting node -1582894743 error FALSE reason "IKE deleted"
*Jan  9 13:43:25.451: ISAKMP:(1120):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan  9 13:43:25.451: ISAKMP:(1120):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Jan  9 13:43:25.451: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan  9 13:43:43.371: ISAKMP:(1119):purging node 422040271
*Jan  9 13:43:43.371: ISAKMP:(1119):purging node 736202911
*Jan  9 13:43:43.371: ISAKMP:(1119):purging node 849488443
*Jan  9 13:43:53.371: ISAKMP:(1119):purging SA., sa=3138E0BC, delme=3138E0BC
*Jan  9 13:43:55.399: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 81.25.57.189:0, remote= 193.104.149.253:0,
    local_proxy= 81.25.57.189/255.255.255.255/17/1701 (type=1),
    remote_proxy= 193.104.149.253/255.255.255.255/17/1701 (type=1)
*Jan  9 13:43:55.399: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 81.25.57.189:500, remote= 193.104.149.253:500,
    local_proxy= 81.25.57.189/255.255.255.255/17/1701 (type=1),
    remote_proxy= 193.104.149.253/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0


3. "l2tp vpn ipsec client pptp client"
Message from mshejh (ok) on 09-Jan-13, 17:54
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
193.104.149.253 81.25.57.189    MM_NO_STATE       1134 ACTIVE (deleted)


sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: L2TP, local addr 81.25.57.189

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (81.25.57.189/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (193.104.149.253/255.255.255.255/17/1701)
   current_peer 193.104.149.253 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 143, #recv errors 0

     local crypto endpt.: 81.25.57.189, remote crypto endpt.: 193.104.149.253
     path mtu 1450, ip mtu 1450, ip mtu idb Dialer1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access1
    Crypto map tag: L2TP, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (81.25.57.189/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (193.104.149.253/255.255.255.255/17/1701)
   current_peer 193.104.149.253 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: 193.104.149.253
     path mtu 1450, ip mtu 1450, ip mtu idb Virtual-Access1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


4. "l2tp vpn ipsec client pptp client"
Message from spiegel (ok) on 09-Jan-13, 18:43
>*Jan  9 13:43:25.451: ISAKMP:(1120): processing NOTIFY PROPOSAL_NOT_CHOSEN

Phase 2 isn't coming up. Show debug crypto ipsec, and also try

ip access-list extended L2TP_SA_DIALER1
permit ip host 81.25.xxx.yyy  host 193.104.xxx.yyy


5. "l2tp vpn ipsec client pptp client"
Message from mshejh (ok) on 10-Jan-13, 09:35
>>*Jan  9 13:43:25.451: ISAKMP:(1120): processing NOTIFY PROPOSAL_NOT_CHOSEN
> Phase 2 isn't coming up. Show debug crypto ipsec, and also try
> ip access-list extended L2TP_SA_DIALER1
> permit ip host 81.25.xxx.yyy  host 193.104.xxx.yyy

c2911_route#deb cry ips
Crypto IPSEC debugging is on
c2911_route#
*Jan 10 04:48:39.003: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 81.25.57.189:0, remote= 193.104.149.253:0,
    local_proxy= 81.25.57.189/255.255.255.255/0/0 (type=1),
    remote_proxy= 193.104.149.253/255.255.255.255/0/0 (type=1)
*Jan 10 04:48:40.763: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 81.25.57.189:500, remote= 193.104.149.253:500,
    local_proxy= 81.25.57.189/255.255.255.255/0/0 (type=1),
    remote_proxy= 193.104.149.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 10 04:48:50.811: IPSEC(key_engine): got a queue event with 1 KMI message(s)

I tried permit ip host 81.25.xxx.yyy host 193.104.xxx.yyy. Nothing changes :(


6. "l2tp vpn ipsec client pptp client"
Message from spiegel (ok) on 10-Jan-13, 12:58
Looks like the access-list is wrong:

>crypto map L2TP 10 ipsec-isakmp
>match address L2TP_SA_DIALER1
>ip access-list extended L2TP_SA_DIALER1
>permit udp host 81.25.xxx.yyy eq 1701 host 193.104.xxx.yyy eq 1701

In theory the access-list should specify which traffic we want to encrypt. But here it's an attempt to encrypt interfaces.

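As an added triage helper (not from this thread and not Cisco's own tooling), the following Python walks the `debug crypto isakmp` / `debug crypto ipsec` output from message #2 and reports what spiegel reads off it by eye in messages #4 and #6: phase 1 reaches IKE_P1_COMPLETE, then the peer answers the Quick Mode proposal with PROPOSAL_NOT_CHOSEN, so the transform set, mode and proxy IDs (which come from the crypto ACL) are what to compare against the server's policy. The regexes, the `Diagnosis` structure and the second, constructed sample are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Line shapes seen in IOS 'debug crypto isakmp' and 'debug crypto ipsec' output
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+)")
TRANSFORM_RE = re.compile(r"transform= (.+?)\s+\((\w+)\)")
DOI_PROTOCOL = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}  # RFC 2407 protocol IDs
IP_PROTO = {0: "any", 1: "icmp", 6: "tcp", 17: "udp"}

@dataclass
class Diagnosis:
    saw_isakmp: bool = False        # any ISAKMP state transition seen at all?
    phase1_complete: bool = False   # reached IKE_P1_COMPLETE
    last_state: str = ""
    notifies: list = field(default_factory=list)  # (notify type, DOI protocol) pairs
    local_proxy: str = ""
    remote_proxy: str = ""
    transform: str = ""
    mode: str = ""

    def verdict(self) -> str:
        if not self.saw_isakmp:
            return "no ISAKMP state lines: enable 'debug crypto isakmp' as well"
        if not self.phase1_complete:
            return f"phase 1 never completed (last state {self.last_state})"
        rejected = [p for n, p in self.notifies if n == "PROPOSAL_NOT_CHOSEN"]
        if rejected:
            return (f"phase 2 rejected by peer (PROPOSAL_NOT_CHOSEN for {', '.join(rejected)}): "
                    f"compare '{self.transform} ({self.mode})' and proxy IDs "
                    f"{self.local_proxy} <-> {self.remote_proxy} with the peer's policy")
        return "phase 1 complete, no rejection seen"

def diagnose(debug_output: str) -> Diagnosis:
    d = Diagnosis()
    for line in debug_output.splitlines():
        if m := STATE_RE.search(line):
            d.saw_isakmp = True
            d.last_state = m.group(2)
            if m.group(2) == "IKE_P1_COMPLETE":
                d.phase1_complete = True
        elif m := NOTIFY_RE.search(line):
            d.notifies.append((m.group(1), DOI_PROTOCOL.get(int(m.group(2)), m.group(2))))
        elif m := TRANSFORM_RE.search(line):
            d.transform, d.mode = m.group(1), m.group(2)
        for m in PROXY_RE.finditer(line):   # proxy IDs sit on their own continuation lines
            side, addr, mask, proto, port = m.groups()
            setattr(d, f"{side}_proxy", f"{addr}/{mask} {IP_PROTO.get(int(proto), proto)}/{port}")
    return d

# Excerpt of the debug output posted in message #2 of this thread
SAMPLE_DEBUG = """\
*Jan  9 13:43:25.443: ISAKMP:(1120):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Jan  9 13:43:25.451: ISAKMP:(1120): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Jan  9 13:43:25.451: ISAKMP:(1120):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
    local_proxy= 81.25.57.189/255.255.255.255/17/1701 (type=1),
    remote_proxy= 193.104.149.253/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Transport),
"""
# Constructed: only 'debug crypto ipsec' was on (as in message #5), so ISAKMP is silent
SAMPLE_IPSEC_ONLY = """\
    local_proxy= 81.25.57.189/255.255.255.255/0/0 (type=1),
    remote_proxy= 193.104.149.253/255.255.255.255/0/0 (type=1),
"""
```

Calling `diagnose(SAMPLE_DEBUG).verdict()` names the ESP proposal rejection and prints the offered transform and proxy IDs side by side; on the ipsec-only capture it tells you which debug is missing instead of guessing.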
