IPsec tunnel between Cisco and XP, Quick Mode fails when the router initiates


I have been trying to set up an IPsec tunnel between a router and my Windows XP machine. The router's address is 192.168.254.30 and the XP machine's address is 192.168.254.128. However, I can't seem to get the tunnel working. I have set the tunnel up to apply to ICMP, but pings from either side don't work. On the Windows side I can see that it is being applied, because I get "Negotiating IP Security".

IOS configuration

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_TEST
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$3p0B$h21M/3z9dR0n3gnJPWjBm/
enable password test1
!
aaa new-model
!
!
aaa authentication ppp default group radius local
aaa authorization network default group radius 
aaa session-id common
ip subnet-zero
!
!
ip cef
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp security crypto-profile l2tpprof
 no l2tp tunnel authentication
!
async-bootp dns-server 192.168.254.253
!
!
!
!
!
!
!
!
!
!
!
!
username atestuser password 0 atestuser
!
!
! 
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key testvpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set l2tptrans esp-3des esp-md5-hmac 
 mode transport
crypto ipsec transform-set radius-trans-set esp-des esp-md5-hmac 
!
crypto map l2tpmap 2 ipsec-isakmp 
 set peer 192.168.254.128
 set transform-set radius-trans-set 
 match address for_radius
crypto map l2tpmap 10 ipsec-isakmp profile l2tpprof 
 set transform-set l2tptrans 
!
!
!
!
interface Loopback0
 ip address 172.16.7.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.6.1 255.255.255.0
 speed auto
 half-duplex
!
interface FastEthernet1/0
 ip address 192.168.254.30 255.255.255.0
 duplex auto
 speed auto
 crypto map l2tpmap
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip access-group vpn-in in
 peer default ip address pool RA_VPN_pool
 ppp authentication ms-chap-v2
!
ip local pool RA_VPN_pool 10.20.10.1 10.20.10.100
ip http server
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
!
!
ip access-list extended for_radius
 permit udp any host 192.168.254.128
 permit icmp any host 192.168.254.128
ip access-list extended vpn-in
 permit ip any 192.168.254.0 0.0.0.255
 permit ip any 172.16.6.0 0.0.0.255
!
radius-server host 192.168.254.253 auth-port 1645 acct-port 1646 key ciscosecret
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password test
!
!
end

On the Windows side
I have created an IPsec policy. The IPsec policy has two IP filters, one for each direction, as described in this document.

Errors on the router:
When I try to ping from the router, with IPsec and ISAKMP debugging at level 7, I get the following:

VPN_TEST#ping 192.168.254.128 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.254.128, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
VPN_TEST#show log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 3513 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 85 message lines logged

Log Buffer (4096 bytes):
I_MM4 

*Mar  2 01:26:59.829: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar  2 01:26:59.845: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar  2 01:26:59.845: ISAKMP: Looking for a matching key for 192.168.254.128 in default : success
*Mar  2 01:26:59.845: ISAKMP (0:1): found peer pre-shared key matching 192.168.254.128
*Mar  2 01:26:59.849: ISAKMP (0:1): SKEYID state generated
*Mar  2 01:26:59.849: ISAKMP:received payload type 20
*Mar  2 01:26:59.849: ISAKMP:received payload type 20
*Mar  2 01:26:59.849: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 01:26:59.849: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4 

*Mar  2 01:26:59.849: ISAKMP (0:1): Send initial contact
*Mar  2 01:26:59.849: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  2 01:26:59.849: ISAKMP (0:1): ID payload 
    next-payload : 8
        type         : 1 
    address      : 192.168.254.30 
    protocol     : 17 
    port         : 500 
    length       : 12
*Mar  2 01:26:59.849: ISAKMP (1): Total payload length: 12
*Mar  2 01:26:59.849: ISAKMP (0:1): sending packet to 192.168.254.128 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  2 01:26:59.849: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 01:26:59.849: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5 

*Mar  2 01:26:59.853: ISAKMP (0:1): received packet from 192.168.254.128 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  2 01:26:59.853: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar  2 01:26:59.853: ISAKMP (0:1): ID payload 
    next-payload : 8
    type         : 1 
    address      : 192.168.254.128 
    protocol     : 0 
    port         : 0 
    length       : 12
*Mar  2 01:26:59.853: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar  2 01:26:59.853: ISAKMP (0:1): SA authentication status: 
    authenticated
*Mar  2 01:26:59.853: ISAKMP (0:1): SA has been authenticated with 192.168.254.128
*Mar  2 01:26:59.853: ISAKMP (0:1): peer matches *none* of the profiles
*Mar  2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6 

*Mar  2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6 

*Mar  2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 

*Mar  2 01:26:59.857: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -952376679
*Mar  2 01:26:59.857: ISAKMP (0:1): sending packet to 192.168.254.128 my_port 500 peer_port 500 (I) QM_IDLE      
*Mar  2 01:26:59.857: ISAKMP (0:1): Node -952376679, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  2 01:26:59.857: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  2 01:26:59.857: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  2 01:26:59.857: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

*Mar  2 01:26:59.865: ISAKMP (0:1): received packet from 192.168.254.128 dport 500 sport 500 Global (I) QM_IDLE      
*Mar  2 01:26:59.865: ISAKMP: set new node -1887423582 to QM_IDLE      
*Mar  2 01:26:59.865: ISAKMP (0:1): processing HASH payload. message ID = -1887423582
*Mar  2 01:26:59.865: ISAKMP (0:1): processing NOTIFY INVALID_ID_INFO protocol 3
    spi 0, message ID = -1887423582, sa = 62F606C8
*Mar  2 01:26:59.865: ISAKMP (0:1): peer does not do paranoid keepalives.

*Mar  2 01:26:59.865: ISAKMP (0:1): deleting node -1887423582 error FALSE reason "informational (in) state 1"
*Mar  2 01:26:59.865: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  2 01:26:59.865: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

*Mar  2 01:26:59.865: IPSEC(key_engine): got a queue event...
*Mar  2 01:26:59.865: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Mar  2 01:26:59.865: IPSEC(key_engine_delete_sas): delete all SAs shared with 192.168.254.128:500

Edit:

I got it working, but only if the Windows side initiates the tunnel. So if I try to ping the Windows server from the router, it doesn't work unless I have recently pinged it from Windows. In Windows I get the following audit log:

Event Type: Failure Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:   547
Date:       11/13/2009
Time:       8:59:21 AM
User:       NT AUTHORITY\NETWORK SERVICE
Computer:   BRANDT-VM
Description:
IKE security association negotiation failed.
 Mode: 
Data Protection Mode (Quick Mode)

 Filter: 
Source IP Address 192.168.254.128
Source IP Address Mask 0.0.0.0
Destination IP Address 0.0.0.0
Destination IP Address Mask 255.255.255.255
Protocol 1
Source Port 0
Destination Port 0
IKE Local Addr 192.168.254.128
IKE Peer Addr 192.168.254.30
 Peer Identity: 
Preshared key ID.
Peer IP Address: 192.168.254.30
  Failure Point: 
Me
 Failure Reason: 
No policy configured
 Extra Status: 
0x0 0x0
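The router debug output above shows Phase 1 completing (IKE_P1_COMPLETE), the router opening Quick Mode, and the peer answering with NOTIFY INVALID_ID_INFO before all SAs are torn down. As an added example (not code from the question, the router, or Windows), here is a small Python triage script that walks lines in that format and reports how far IKE got and what stopped it; the sample lines are constructed in the shape of the log above, and the verdict labels are my own.

```python
import re

# Constructed sample in the shape of the "debug crypto isakmp" lines quoted in the question.
SAMPLE_LOG = """\
*Mar  2 01:26:59.853: ISAKMP (0:1): SA has been authenticated with 192.168.254.128
*Mar  2 01:26:59.853: ISAKMP (0:1): peer matches *none* of the profiles
*Mar  2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  2 01:26:59.857: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -952376679
*Mar  2 01:26:59.857: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  2 01:26:59.865: ISAKMP (0:1): processing NOTIFY INVALID_ID_INFO protocol 3
*Mar  2 01:26:59.865: IPSEC(key_engine_delete_sas): delete all SAs shared with 192.168.254.128:500
"""

STATE_RE = re.compile(r"New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
PEER_RE = re.compile(r"SA has been authenticated with (\d+\.\d+\.\d+\.\d+)")
DOI_PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}  # IPsec DOI protocol IDs


def triage_isakmp(log: str) -> dict:
    """Walk ISAKMP debug lines and report how far IKE got and what stopped it."""
    r = {"peer": None, "states": [], "notifies": [], "profile_matched": True,
         "sas_deleted": False, "verdict": ""}
    for line in log.splitlines():
        if m := PEER_RE.search(line):
            r["peer"] = m.group(1)
        if "matches *none* of the profiles" in line:
            r["profile_matched"] = False          # no ISAKMP profile applied to this peer
        if m := STATE_RE.search(line):
            r["states"].append(m.group(1))
        if m := NOTIFY_RE.search(line):
            proto = int(m.group(2))
            r["notifies"].append((m.group(1), DOI_PROTO.get(proto, str(proto))))
        if "delete all SAs" in line:
            r["sas_deleted"] = True
    p1_done = "IKE_P1_COMPLETE" in r["states"]
    qm_done = "IKE_QM_PHASE2_COMPLETE" in r["states"]
    if not p1_done:
        r["verdict"] = "phase1_failed"            # check ISAKMP policy and pre-shared key
    elif qm_done:
        r["verdict"] = "tunnel_up"
    elif any(n == "INVALID_ID_INFO" for n, _ in r["notifies"]):
        # Peer authenticated us but rejected the Quick Mode proposal: the proxy
        # identities (crypto ACL) or transform set do not match a policy it holds.
        r["verdict"] = "phase2_rejected_invalid_id"
    else:
        r["verdict"] = "phase2_failed"
    return r

print(triage_isakmp(SAMPLE_LOG)["verdict"])
```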

Answer 1

The transform set on the router side did not match the filter action's "Negotiate security" setting for ESP integrity (SHA instead of MD5).

Edit:
But actually, now it only works if Windows initiates the connection. So if I try to ping the Windows server from the router after a clear crypto sa, it will not work. But if I ping from Windows first and then from the router, it works. So for some reason it looks like the Cisco router is not allowed to establish the tunnel.
