
I have successfully configured my Cisco router to build a VPN tunnel to Azure. That works fine. Now I am trying to add a remote-access VPN for clients. I want to use IPsec rather than PPTP.

I am not a network guy, but from what I have read, to add a remote-access VPN you need to add a dynamic crypto map to the crypto map on the external interface (in this case AzureCryptoMap). I read that the dynamic crypto map must be applied after the non-dynamic maps.

The problem is that the VPN clients cannot successfully negotiate phase 1. It is almost as if the router is not trying the dynamic map. I tried ordering it so that it comes before the static crypto map policy, but that changes nothing. Here is some debug output from ipsec and isakmp:

murasaki#
*Oct  6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct  6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct  6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct  6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct  6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct  6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct  6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct  6 08:06:43: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Oct  6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct  6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Oct  6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct  6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct  6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
*Oct  6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID is Unity
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
*Oct  6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID is DPD
*Oct  6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
*Oct  6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct  6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  6 08:06:43: ISAKMP:(0):no offers accepted!
*Oct  6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
*Oct  6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct  6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
*Oct  6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
*Oct  6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct  6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.

*Oct  6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct  6 08:06:43: ISAKMP (0): FSM action returned error: 2
*Oct  6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct  6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Oct  6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct  6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
*Oct  6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
*Oct  6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct  6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

*Oct  6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATEmurasaki#
*Oct  6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct  6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct  6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct  6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct  6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct  6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct  6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct  6 08:06:43: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

If I specify my key as a site-to-site VPN key, like this:

crypto isakmp key xxx address 0.0.0.0

then it completes phase 1 fully (and then fails to find the client configuration). This tells me that the dynamic map is not being tried.

Configuration:

!
! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
!
hostname murasaki
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login client_vpn_authentication local
aaa authorization network default local 
aaa authorization network client_vpn_authorization local 
!
!
!
!
!
aaa session-id common
wan mode dsl
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
!
!
!
!
!
ip inspect name normal_traffic tcp
ip inspect name normal_traffic udp
ip domain name router.xxx
ip name-server xxx
ip name-server xxx
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
!
!
crypto pki trustpoint TP-self-signed-591984024
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-591984024
 revocation-check none
 rsakeypair TP-self-signed-591984024
!
crypto pki trustpoint TP-self-signed-4045734018
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4045734018
 revocation-check none
 rsakeypair TP-self-signed-4045734018
!
!
crypto pki certificate chain TP-self-signed-591984024
crypto pki certificate chain TP-self-signed-4045734018
!
!
object-group network CLOUD_SUBNETS 
 description Azure subnet
 172.16.0.0 255.252.0.0
!
object-group network INTERNAL_LAN 
 description All Internal subnets which should be allowed out to the Internet
 192.168.1.0 255.255.255.0
 192.168.20.0 255.255.255.0
!
username timothy privilege 15 secret 5 xxx
!
!
controller VDSL 0
!
ip ssh version 2
! 
!
!
!
no crypto isakmp default policy
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxx address xxxx   no-xauth
!
crypto isakmp client configuration group VPN_CLIENTS
 key xxx
 dns 192.168.1.24 192.168.1.20
 domain xxx
 pool Client-VPN-Pool
 acl CLIENT_VPN
crypto isakmp profile Client-VPN
   description Remote Client IPSec VPN
   match identity group VPN_CLIENTS
   client authentication list client_vpn_authentication
   isakmp authorization list client_vpn_authorization
   client configuration address respond
!
!
crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac 
 mode tunnel
!
!
!
crypto dynamic-map ClientVPNCryptoMap 1
 set transform-set TRANS_3DES_SHA 
 set isakmp-profile Client-VPN
 reverse-route
 qos pre-classify
!
!
!
crypto map AzureCryptoMap 12 ipsec-isakmp 
 set peer xxxx
 set security-association lifetime kilobytes 102400000
 set transform-set AzureIPSec 
 match address AzureEastUS
crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap 
!
bridge irb
!
!
!
!
interface ATM0
 mtu 1492
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport mode trunk
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 description Main LAN
 ip address 192.168.1.97 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group PORTS_ALLOWED_IN in
 ip flow ingress
 ip inspect normal_traffic out
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1350
 dialer pool 1
 dialer-group 1
 ipv6 address autoconfig
 ipv6 enable
 ppp chap hostname xxx
 ppp chap password 7 xxx
 ppp ipcp route default
 no cdp enable
 crypto map AzureCryptoMap
!
ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat translation timeout 360
ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
!
ip access-list extended AzureEastUS
 permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
ip access-list extended CLIENT_VPN
 permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended PORTS_ALLOWED_IN
 remark List of ports which are allowed IN
 permit gre any any
 permit esp any any
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit tcp any any eq 55663
 permit udp any any eq 55663
 permit tcp any any eq 22
 permit tcp any any eq 5723
 permit tcp any any eq 1723
 permit tcp any any eq 443
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit icmp any any port-unreachable
 permit icmp any any time-exceeded
 deny   ip any any
ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
 deny   tcp object-group INTERNAL_LAN any eq smtp
 deny   ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
 permit tcp object-group INTERNAL_LAN any
 permit udp object-group INTERNAL_LAN any
 permit icmp object-group INTERNAL_LAN any
 deny   ip any any
!
mac-address-table aging-time 16
no cdp run
ipv6 route ::/0 Dialer1
!
route-map NoNAT permit 10
 match ip address AzureEastUS CLIENT_VPN
!
route-map NoNAT permit 15
!
!
!
banner motd Welcome to Murasaki
!
line con 0
 privilege level 15
 no modem enable
line aux 0
line vty 0
 privilege level 15
 no activation-character
 transport preferred none
 transport input ssh
line vty 1 4
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 60000 1000
ntp update-calendar
ntp server au.pool.ntp.org
!
end

1 Answer

OK, this is slightly embarrassing, but I was specifying the wrong group name in my client!

It is a bit annoying that the log does not actually tell you that :(
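The debug capture in the question is long and the accepted answer notes that IOS never names the real cause. As an added example (not from the question, the answer or Cisco), here is a small Python parser for that `debug crypto isakmp` output: it splits the log into per-transform/per-policy checks, records the attributes the peer offered and the reason each was rejected, and flags the pattern seen on this page, where the only reported mismatch on an otherwise matching policy is the authentication method and the router found no pre-shared key for the peer. The hint text is my own heuristic reading of that pattern; the sample log is a constructed excerpt modelled on the question's output.

```python
import re
from collections import Counter

# Constructed excerpt, modelled on the question's "debug crypto isakmp" output
# (two of the transform checks, not the full capture).
SAMPLE_LOG = """\
*Oct  6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
*Oct  6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):no offers accepted!
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|keylength of|auth|hash|default group)\s+(\S+)")
REJECT_RE = re.compile(r"ISAKMP:\(\d+\):(.*does not match policy!?)\s*$")


def parse_isakmp_debug(text):
    """Split the debug into per-(transform, policy) checks plus notable one-off events.

    Each check records the attributes the peer offered and the reason IOS printed
    for rejecting it (reason stays None and accepted becomes True on 'atts are acceptable').
    """
    checks, events, current = [], [], None
    for line in text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                       "offered": {}, "reason": None, "accepted": False}
            checks.append(current)
            continue
        if current is not None:
            a = ATTR_RE.search(line)
            if a:  # normalise "keylength of" -> "keylength", "default group" -> "group"
                key = a.group(1).replace(" of", "").replace("default ", "")
                current["offered"][key] = a.group(2)
                continue
            r = REJECT_RE.search(line)
            if r:
                current["reason"] = r.group(1)
                current = None
                continue
            if "atts are acceptable" in line:
                current["accepted"] = True
                current = None
                continue
        if "No pre-shared key with" in line:
            events.append("no_psk")
        elif "Scanning profiles for xauth" in line:
            events.append("profile_scan")
        elif "no offers accepted" in line:
            events.append("no_offers")
    return checks, events


def diagnose(checks, events):
    """Count rejection reasons and flag the pattern from this question (my heuristic, not IOS
    output): the auth method was the only mismatch and the router found no PSK for the peer."""
    hints = [f"{n}x {reason}" for reason, n
             in Counter(c["reason"] for c in checks if c["reason"]).most_common()]
    auth_only = [c for c in checks if c["reason"] and c["reason"].startswith("Xauth authentication")]
    if "no_psk" in events and auth_only:
        policies = ",".join(str(p) for p in sorted({c["policy"] for c in auth_only}))
        hints.append("Peer offered XAUTH+PSK and matched policy " + policies + " on every other "
                     "attribute, but no pre-shared key was found for it: check that the client's "
                     "group name matches 'crypto isakmp client configuration group' and the "
                     "profile's 'match identity group'.")
    return hints
```

Feed it the output of `terminal monitor` plus `debug crypto isakmp` saved to a file, or the log buffer, and read the last hint first.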
