Anticisco http://www.anticisco.ru/forum/ |
VPN from android or iphone http://www.anticisco.ru/forum/viewtopic.php?f=2&t=11217 |
Author: | halt [ 25 Dec 2019, 06:51 ] |
Subject: | VPN from android or iphone |
Hi. I have a task (or rather, I set it for myself): connecting android or iphone clients to an 891, in other words setting up a VPN server with encryption. I've tried various "working" configurations found around the internet - it doesn't connect. I asked two acquaintances who are "Cisco guys" for help, they couldn't solve the problem either. The current config is attached below, the debug too. I don't know where the mistake is; as I understand it, phase 1 isn't completing; I'm connecting from my own android phone. Maybe: 1) someone can tell me what the mistake is? 2) post their own working config? 3) help solve the problem remotely for symbolic "beer money"?

Code:
Current configuration : 8534 bytes
!
! Last configuration change at 11:02:55 EKT Tue Dec 24 2019 by halt
! NVRAM config last updated at 11:01:26 EKT Tue Dec 24 2019 by halt
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname halt
!
boot-start-marker
boot system flash:c890-universalk9-mz.154-3.M8.bin
boot-end-marker
!
logging buffered 51200
no logging rate-limit
enable secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
aaa authentication login default local
aaa authentication login local_list local
!
aaa session-id common
clock timezone EKT 5 0
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool MYDHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 213.234.192.8 85.21.192.3
!
ip domain name beeline.ru
ip name-server 213.234.192.8
ip name-server 85.21.192.3
ip multicast-routing
ip inspect WAAS flush-timeout 10
ip inspect name INSPECT ftp
ip inspect name INSPECT h323
ip inspect name INSPECT icmp
ip inspect name INSPECT netshow
ip inspect name INSPECT rcmd
ip inspect name INSPECT realaudio
ip inspect name INSPECT rtsp
ip inspect name INSPECT streamworks
ip inspect name INSPECT tftp
ip inspect name INSPECT udp
ip inspect name INSPECT pptp
ip inspect name INSPECT dns
ip inspect name INSPECT tcp
ip ddns update method DynDNS
 HTTP
  add http://XXXXXXXXX@mail.ru:XXXXXXXXX@dynupdate.no-ip.com/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
!
ip cef
no ipv6 cef
l2tp-class beeline-l2tp-class
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pptp
  rotary-group 0
 initiate-to ip 46.146.247.7
!
cts logging verbose
license udi pid CISCO891-K9 sn FCZ171090L2
license accept end user agreement
!
username halt privilege 15 secret 4 XXXXXXXXXXXXXXXXXXXXXXXX
username cisco password 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
username vpn privilege 0 password 0 XXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
 notification-timer 60000
!
pseudowire-class beeline-pseudowire-class
 encapsulation l2tpv2
 protocol l2tpv2 beeline-l2tp-class
 ip local interface Vlan10
!
crypto isakmp policy 3
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 14
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 14
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 14
!
crypto isakmp policy 40
 authentication pre-share
 group 14
crypto isakmp key XXXXXXXXXXXXXXXX address 0.0.0.0
!
crypto isakmp client configuration group local_list
 key XXXXXXXXXXXXXXXX
 pool Remote-Pool
 acl 110
 save-password
 netmask 255.255.255.0
!
crypto ipsec transform-set VTI-TS ah-sha-hmac esp-3des
 mode tunnel
crypto ipsec transform-set VTI-TS1 ah-sha-hmac esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set VTI-TS2 ah-sha256-hmac esp-aes
 mode tunnel
!
crypto ipsec profile test-vti1
 set transform-set VTI-TS VTI-TS1 VTI-TS2
!
crypto dynamic-map dynmap 10
 set transform-set VTI-TS VTI-TS1 VTI-TS2
 reverse-route
!
crypto map clientmap local-address Virtual-PPP1
crypto map clientmap client authentication list local_list
crypto map clientmap isakmp authorization list local_list
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 172.16.23.1 255.255.255.0
!
interface FastEthernet0
 description TV
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 description Link2-PC
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 description WiFi-ASUS
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 description Synology
 no ip address
!
interface FastEthernet7
 description WAN
 switchport access vlan 10
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-PPP1
 ip ddns update hostname XXXXXXXXXXXXXXXXXXXXXXXXX
 ip ddns update DynDNS
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 no peer neighbor-route
 ppp chap hostname XXXXXXXXXXXXXXX
 ppp chap password 0 XXXXXXXXXXXXX
 no cdp enable
 pseudowire 89.179.75.139 10 encapsulation l2tpv2 pw-class beeline-pseudowire-class
 crypto map clientmap
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip igmp helper-address 10.189.84.121
 ip igmp join-group 224.0.1.40
 ip igmp mroute-proxy Vlan10
!
interface Vlan10
 ip address dhcp
 ip pim dense-mode
!
interface Vlan100
 ip address 192.168.0.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
!
interface Dialer0
 ip address 10.0.1.211 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string 123
 dialer vpdn
 dialer-group 1
 no peer neighbor-route
 ppp pfc local request
 ppp pfc remote apply
 ppp encrypt mppe auto
 ppp chap hostname XXXXXXXXXXXXXX
 ppp chap password 0 XXXXXXXXXXXXXX
 no cdp enable
!
ip local pool Remote-Pool 192.168.2.30 192.168.2.40
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 192.168.1.100 22 interface Virtual-PPP1 45002
ip nat inside source static tcp 192.168.1.100 5060 interface Virtual-PPP1 5060
ip nat inside source static udp 192.168.1.100 5060 interface Virtual-PPP1 5060
ip nat inside source static tcp 192.168.1.2 21 interface Virtual-PPP1 45003
ip nat inside source static tcp 192.168.1.20 3389 interface Virtual-PPP1 45001
ip nat inside source static tcp 192.168.1.50 3389 interface Virtual-PPP1 45004
ip nat inside source route-map NAT_TO_Dialler interface Dialer0 overload
ip nat inside source route-map NAT_TO_ISP interface Virtual-PPP1 overload
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 192.168.88.0 255.255.255.0 172.16.1.1
ip route 89.179.75.139 255.255.255.255 dhcp
ip route 89.179.75.138 255.255.255.255 dhcp
ip route 85.21.31.39 255.255.255.255 dhcp
ip route 78.107.196.21 255.255.255.255 dhcp
ip route 78.107.196.10 255.255.255.255 dhcp
ip route 78.107.196.14 255.255.255.255 dhcp
ip route 85.21.0.1 255.255.255.255 dhcp
!
ip access-list standard Internet-In
 deny 192.168.1.0 0.0.0.255
 permit any
!
ip access-list extended OUTSIDE-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 permit icmp any any
 permit tcp any any eq 22 telnet
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended TO_Dialler
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit icmp 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended TO_ISP
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny icmp 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vlan1-in
 deny ip host 192.168.1.20 host 10.0.1.210
 permit ip any any
!
dialer-list 1 protocol ip permit
!
route-map NAT_TO_ISP permit 10
 match ip address TO_ISP
 match interface Virtual-PPP1
!
route-map NAT_TO_Dialler permit 10
 match ip address TO_Dialler
!
access-list 100 permit ip any host 10.0.1.210
access-list 100 permit ip host 10.0.1.210 any
access-list 101 permit ip host 192.168.1.1 host 10.0.1.210
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
vstack
alias exec sa sh ip access-list
alias exec sir sh ip ro
alias exec tn term no mon
!
line con 0
line 1
 modem InOut
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 logging synchronous
 transport input ssh
!
ntp server ntp1.stratum2.ru
!
end

Connection type in the android client - IPSEC Xauth PSK

DEBUG
Code:
Dec 25 03:48:41.523: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (N) NEW SA
Dec 25 03:48:41.523: ISAKMP: Created a peer struct for 89.30.112.34, peer port 500
Dec 25 03:48:41.523: ISAKMP: New peer created peer = 0x8F7F5E18 peer_handle = 0x8000001E
Dec 25 03:48:41.523: ISAKMP: Locking peer struct 0x8F7F5E18, refcount 1 for crypto_isakmp_process_block
Dec 25 03:48:41.523: ISAKMP:(0):Setting client config settings 8F72E75C
Dec 25 03:48:41.523: ISAKMP:(0):(Re)Setting client xauth list and state
Dec 25 03:48:41.523: ISAKMP/xauth: initializing AAA request
Dec 25 03:48:41.523: ISAKMP: local port 500, remote port 500
Dec 25 03:48:41.523: ISAKMP:(0):insert sa successfully sa = 90205E80
Dec 25 03:48:41.523: ISAKMP:(0): processing SA payload. message ID = 0
Dec 25 03:48:41.523: ISAKMP:(0): processing ID payload. message ID = 0
Dec 25 03:48:41.523: ISAKMP (0): ID payload next-payload : 13 type : 11 group id : local_list1 protocol : 0 port : 0 length : 19
Dec 25 03:48:41.523: ISAKMP:(0):: peer matches *none* of the profiles
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): processing IKE frag vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Dec 25 03:48:41.523: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID is NAT-T v2
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID is XAUTH
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID is Unity
Dec 25 03:48:41.523: ISAKMP:(0): processing vendor id payload
Dec 25 03:48:41.523: ISAKMP:(0): vendor ID is DPD
Dec 25 03:48:41.523: ISAKMP:(0): Authentication by xauth preshared
Dec 25 03:48:41.523: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
Dec 25 03:48:41.523: ISAKMP: life type in seconds
Dec 25 03:48:41.523: ISAKMP: life duration (basic) of 28800
Dec 25 03:48:41.523: ISAKMP: encryption AES-CBC
Dec 25 03:48:41.523: ISAKMP: keylength of 256
Dec 25 03:48:41.523: ISAKMP: auth XAUTHInitPreShared
Dec 25 03:48:41.523: ISAKMP: hash SHA384
Dec 25 03:48:41.523: ISAKMP: default group 2
Dec 25 03:48:41.523: ISAKMP:(0):Hash algorithm offered does not match policy!
Dec 25 03:48:41.523: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 25 03:48:41.523: ISAKMP:(0):Checking ISAKMP transform 2 against priority 3 policy
Dec 25 03:48:41.523: ISAKMP: life type in seconds
Dec 25 03:48:41.523: ISAKMP: life duration (basic) of 28800
Dec 25 03:48:41.523: ISAKMP: encryption AES-CBC
Dec 25 03:48:41.523: ISAKMP: keylength of 256
Dec 25 03:48:41.523: ISAKMP: auth XAUTHInitPreShared
Dec 25 03:48:41.523: ISAKMP: hash SHA256
Dec 25 03:48:41.523: ISAKMP: default group 2
Dec 25 03:48:41.523: ISAKMP:(0):atts are acceptable. Next payload is 3
Dec 25 03:48:41.523: ISAKMP:(0):Acceptable atts:actual life: 86400
Dec 25 03:48:41.523: ISAKMP:(0):Acceptable atts:life: 0
Dec 25 03:48:41.523: ISAKMP:(0):Basic life_in_seconds:28800
Dec 25 03:48:41.523: ISAKMP:(0):Returning Actual lifetime: 28800
Dec 25 03:48:41.523: ISAKMP:(0)::Started lifetime timer: 28800.
Dec 25 03:48:41.523: ISAKMP:(0): processing KE payload. message ID = 0
Dec 25 03:48:41.543: ISAKMP:(0): processing NONCE payload. message ID = 0
Dec 25 03:48:41.543: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 25 03:48:41.547: ISAKMP:(0): vendor ID is NAT-T v2
Dec 25 03:48:41.547: ISAKMP:(0):peer does not do paranoid keepalives.
Dec 25 03:48:41.547: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 89.30.112.34)
Dec 25 03:48:41.547: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
Dec 25 03:48:41.547: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Dec 25 03:48:41.547: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
Dec 25 03:48:41.547: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 89.30.112.34
halt#
Dec 25 03:48:41.547: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 89.30.112.34)
Dec 25 03:48:41.547: ISAKMP: Unlocking peer struct 0x8F7F5E18 for isadb_mark_sa_deleted(), count 0
Dec 25 03:48:41.547: ISAKMP: Deleting peer node by peer_reap for 89.30.112.34: 8F7F5E18
Dec 25 03:48:41.547: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Dec 25 03:48:41.547: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
Dec 25 03:48:41.547: IPSEC(key_engine): got a queue event with 1 KMI message(s)
halt#
Dec 25 03:48:44.539: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (R) MM_NO_STATE
halt#
Dec 25 03:48:47.531: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (R) MM_NO_STATE
halt#
Dec 25 03:48:50.539: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (R) MM_NO_STATE
halt#
Dec 25 03:48:53.551: ISAKMP (0): received packet from 89.30.112.34 dport 500 sport 500 Global (R) MM_NO_STATE
halt#
Dec 25 03:49:41.550: ISAKMP:(0):purging SA., sa=90205E80, delme=90205E80 |
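An added example (not from the post above or from the router) that turns the two things the debug above shows into checks a defender can run offline: which `crypto isakmp policy` each transform the client offered actually matches, and whether the group id the client sends in its ID payload names a configured `crypto isakmp client configuration group`. The CONFIG and DEBUG strings are constructed excerpts of the config and debug quoted above; the regexes and the IOS default filling (des / sha / group 1 for omitted lines) are assumptions about IOS output, not anything the page states.

```python
import re
# Constructed excerpts of the config and debug quoted above: policy 3 and the client group;
# the client's IKE ID and its first two offered transforms (lifetime/auth lines omitted).
CONFIG = """crypto isakmp policy 3
 encr aes 256
 hash sha256
 group 2
crypto isakmp client configuration group local_list
"""
DEBUG = """ISAKMP (0): ID payload next-payload : 13 type : 11 group id : local_list1
ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: hash SHA384
ISAKMP: default group 2
ISAKMP:(0):Checking ISAKMP transform 2 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: hash SHA256
ISAKMP: default group 2
"""
ATTR = re.compile(r"encryption (?P<encr>\w+)|keylength of (?P<keylen>\d+)|hash (?P<hash>\S+)|group (?P<group>\d+)")

def parse_policies(config):
    """{priority: {encr, hash, group}} with assumed IOS defaults (des / sha / group 1) filled in."""
    policies, cur = {}, None
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy"):
            cur = policies[int(line.split()[-1])] = {"encr": "des", "hash": "sha", "group": "1"}
        elif line.startswith("crypto"):
            cur = None                              # another top-level command ends the block
        elif cur is not None and (kw := line.split()) and kw[0] in cur:
            cur[kw[0]] = "".join(kw[1:])            # "encr aes 256" -> "aes256"
    return policies

def parse_offered(debug):
    """Transforms the peer offered, normalised to the same keys as the policies."""
    offered, cur = [], None
    for line in debug.splitlines():
        if "Checking ISAKMP transform" in line:
            offered.append(cur := {"encr": "", "hash": "", "group": ""})
        elif cur is not None and (m := ATTR.search(line)):
            k, v = m.lastgroup, m.group(m.lastgroup).lower()
            if k == "keylen": cur["encr"] += v      # "AES-CBC" + "256" -> "aes256"
            else: cur[k] = v
    return offered

def matching_policies(transform, policies):
    """Priorities whose encr/hash/group all equal the transform (IOS picks the lowest)."""
    return [p for p, pol in sorted(policies.items()) if all(pol[k] == transform[k] for k in pol)]

def group_id_known(debug, config):
    """The IKE ID (group name) the client sends must name a configured client group."""
    names = re.findall(r"client configuration group (\S+)", config)
    return all(i in names for i in re.findall(r"group id : (\S+)", debug))
```

On the excerpts above, transform 1 (SHA384) matches no policy, transform 2 matches policy 3, and the group id `local_list1` is not a configured group name.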
Author: | Maxische [ 25 Dec 2019, 12:45 ] |
Subject: | Re: VPN from android or iphone |
I'm not exactly a Cisco guru, I often ask questions here (and elsewhere) myself, but - you should most likely deploy AnyConnect on the router. That is, set up the server and certificates and upload the images for the needed OSes to flash. There are plenty of manuals on setting this stuff up on routers, here's one, for example https://jakondo.ru/nastrojka-webvpn-any ... o-2911-k9/ |
Author: | Silent_D [ 26 Dec 2019, 03:20 ] |
Subject: | Re: VPN from android or iphone |
halt wrote: I have a task (or rather, I set it for myself): connecting android or iphone clients to an 891
Do you want a freebie, or do you want to understand "how it works"? If the latter, start by figuring out the difference between aaa authentication and aaa authorization.
halt wrote: I've tried various "working" configurations found around the internet - it doesn't connect.
It just doesn't want to! The "monkey and spectacles" method very rarely works with Cisco. Otherwise, indeed, you'd better try setting up AnyConnect or IKEv2 (from Windows first, it's clearer that way). For those it's probably easier to find "working configs", and there are fewer letters to type. IPSec XAuth is legacy by now, and fairly complicated to configure. |
Author: | halt [ 29 Dec 2019, 15:34 ] |
Subject: | Re: VPN from android or iphone |
Thanks! Got anyconnect running, everything came up. |