我一直在尝试在路由器和我的 Windows XP 机器之间建立 IPsec 隧道。路由器的地址是 192.168.254.30,XP 机器的地址是 192.168.254.128。但是,我似乎无法让隧道正常工作。我已将隧道设置为应用 ICMP,但两边的 ping 都不起作用。在 Windows 端,我可以看到它正在应用,因为我得到了“协商 IP 安全性”。
IOS配置:
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_TEST
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$3p0B$h21M/3z9dR0n3gnJPWjBm/
enable password test1
!
aaa new-model
!
!
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa session-id common
ip subnet-zero
!
!
ip cef
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
l2tp security crypto-profile l2tpprof
no l2tp tunnel authentication
!
async-bootp dns-server 192.168.254.253
!
!
!
!
!
!
!
!
!
!
!
!
username atestuser password 0 atestuser
!
!
!
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 2
authentication pre-share
crypto isakmp key testvpn address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set l2tptrans esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set radius-trans-set esp-des esp-md5-hmac
!
crypto map l2tpmap 2 ipsec-isakmp
set peer 192.168.254.128
set transform-set radius-trans-set
match address for_radius
crypto map l2tpmap 10 ipsec-isakmp profile l2tpprof
set transform-set l2tptrans
!
!
!
!
interface Loopback0
ip address 172.16.7.1 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.6.1 255.255.255.0
speed auto
half-duplex
!
interface FastEthernet1/0
ip address 192.168.254.30 255.255.255.0
duplex auto
speed auto
crypto map l2tpmap
!
interface Virtual-Template1
ip unnumbered Loopback0
ip access-group vpn-in in
peer default ip address pool RA_VPN_pool
ppp authentication ms-chap-v2
!
ip local pool RA_VPN_pool 10.20.10.1 10.20.10.100
ip http server
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
!
!
ip access-list extended for_radius
permit udp any host 192.168.254.128
permit icmp any host 192.168.254.128
ip access-list extended vpn-in
permit ip any 192.168.254.0 0.0.0.255
permit ip any 172.16.6.0 0.0.0.255
!
radius-server host 192.168.254.253 auth-port 1645 acct-port 1646 key ciscosecret
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password test
!
!
end
在 Windows 方面:
我已创建了一个 IPsec 策略。该 IPsec 策略有两个 IP 筛选器。每个方向各一个,如中所述这个文件。
路由器上的错误:
当我尝试从路由器 ping 时,我在 7 上使用 IPsec 和 isakmp 调试获得以下信息:
VPN_TEST#ping 192.168.254.128 rep 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.254.128, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
VPN_TEST#show log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled
Buffer logging: level debugging, 3513 messages logged, xml disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 85 message lines logged
Log Buffer (4096 bytes):
I_MM4
*Mar 2 01:26:59.829: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar 2 01:26:59.845: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar 2 01:26:59.845: ISAKMP: Looking for a matching key for 192.168.254.128 in default : success
*Mar 2 01:26:59.845: ISAKMP (0:1): found peer pre-shared key matching 192.168.254.128
*Mar 2 01:26:59.849: ISAKMP (0:1): SKEYID state generated
*Mar 2 01:26:59.849: ISAKMP:received payload type 20
*Mar 2 01:26:59.849: ISAKMP:received payload type 20
*Mar 2 01:26:59.849: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 2 01:26:59.849: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 2 01:26:59.849: ISAKMP (0:1): Send initial contact
*Mar 2 01:26:59.849: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 2 01:26:59.849: ISAKMP (0:1): ID payload
next-payload : 8
type : 1
address : 192.168.254.30
protocol : 17
port : 500
length : 12
*Mar 2 01:26:59.849: ISAKMP (1): Total payload length: 12
*Mar 2 01:26:59.849: ISAKMP (0:1): sending packet to 192.168.254.128 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 2 01:26:59.849: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 2 01:26:59.849: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 2 01:26:59.853: ISAKMP (0:1): received packet from 192.168.254.128 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 2 01:26:59.853: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar 2 01:26:59.853: ISAKMP (0:1): ID payload
next-payload : 8
type : 1
address : 192.168.254.128
protocol : 0
port : 0
length : 12
*Mar 2 01:26:59.853: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar 2 01:26:59.853: ISAKMP (0:1): SA authentication status:
authenticated
*Mar 2 01:26:59.853: ISAKMP (0:1): SA has been authenticated with 192.168.254.128
*Mar 2 01:26:59.853: ISAKMP (0:1): peer matches *none* of the profiles
*Mar 2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 2 01:26:59.853: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 2 01:26:59.853: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 2 01:26:59.857: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -952376679
*Mar 2 01:26:59.857: ISAKMP (0:1): sending packet to 192.168.254.128 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 2 01:26:59.857: ISAKMP (0:1): Node -952376679, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 2 01:26:59.857: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 2 01:26:59.857: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 2 01:26:59.857: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 2 01:26:59.865: ISAKMP (0:1): received packet from 192.168.254.128 dport 500 sport 500 Global (I) QM_IDLE
*Mar 2 01:26:59.865: ISAKMP: set new node -1887423582 to QM_IDLE
*Mar 2 01:26:59.865: ISAKMP (0:1): processing HASH payload. message ID = -1887423582
*Mar 2 01:26:59.865: ISAKMP (0:1): processing NOTIFY INVALID_ID_INFO protocol 3
spi 0, message ID = -1887423582, sa = 62F606C8
*Mar 2 01:26:59.865: ISAKMP (0:1): peer does not do paranoid keepalives.
*Mar 2 01:26:59.865: ISAKMP (0:1): deleting node -1887423582 error FALSE reason "informational (in) state 1"
*Mar 2 01:26:59.865: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 2 01:26:59.865: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 2 01:26:59.865: IPSEC(key_engine): got a queue event...
*Mar 2 01:26:59.865: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Mar 2 01:26:59.865: IPSEC(key_engine_delete_sas): delete all SAs shared with 192.168.254.128:500
编辑:
我让它工作了,但前提是 Windows 端启动隧道。因此,如果我尝试从路由器 ping 到 Windows 服务器,除非我最近已经从 Windows ping 过它,否则它不起作用。在 Windows 中,我收到以下审计日志:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 11/13/2009
Time: 8:59:21 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: BRANDT-VM
Description:
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)
Filter:
Source IP Address 192.168.254.128
Source IP Address Mask 0.0.0.0
Destination IP Address 0.0.0.0
Destination IP Address Mask 255.255.255.255
Protocol 1
Source Port 0
Destination Port 0
IKE Local Addr 192.168.254.128
IKE Peer Addr 192.168.254.30
Peer Identity:
Preshared key ID.
Peer IP Address: 192.168.254.30
Failure Point:
Me
Failure Reason:
No policy configured
Extra Status:
0x0 0x0
答案1
路由器端的转换集与 ESP 完整性的过滤器操作“协商安全方法”设置不匹配(SHA 而不是 MD5)。
编辑:
但实际上,现在它只在 Windows 发起连接时才起作用。因此,如果我在路由器上尝试 ping Windows 服务器,clear crypto sa它会不是可以工作。但是,如果我先从 Windows ping,然后从路由器 ping,它就可以工作。因此,出于某种原因,看起来 Cisco 路由器不允许建立隧道。