L2tp over IPSec 

Registered: 19 Oct 2016, 17:12
Posts: 17
Thanks to everyone who took part in solving my problem, I found the solution!
For posterity: I have a Cisco ISR c892FSP, IOS version "Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.4(3)M6a".
All the configs specified set nat demux when configuring the dynamic map:
Code:
crypto dynamic-map dyn-map 10
 set nat demux
 set transform-set L2TP-Set2


With this setting and my network topology, the tunnel would not come up.
As soon as I removed the NAT parameter, everything worked instantly.
Code:
crypto dynamic-map dyn-map 10
 set transform-set L2TP-Set2


I found the solution here: https://supportforums.cisco.com/discussion/12034801/l2tpipsec-cisco-ios-15


05 Nov 2016, 14:54

Registered: 06 Apr 2020, 10:00
Posts: 2
Greetings, colleagues. I ran into the same problem on a Cisco 2921; the configuration had been working for several months, and one fine quarantine day everything went down.
I reflashed the router with fresh firmware and tried various L2tp over Ipsec configurations; nothing helps, and the error persists:
ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
I have also read this entire thread and tried the various options mentioned in it; I would be glad of any help.
My l2tp configuration:
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group g-l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
crypto isakmp policy 4
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set L2TP esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map SFC-IPSEC 4
 set nat demux
 set transform-set L2TP
 reverse-route
!
crypto map SFC-IPSEC 4 ipsec-isakmp dynamic SFC-IPSEC
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 peer default ip address dhcp-pool vpn_access
 ppp authentication ms-chap-v2
!

Logs:
*Apr 7 08:45:12.639: KMI: IPSEC key engine sending message KEY_ENG_NOTIFY_INCR_COUNT to Crypto IKMP.
*Apr 7 08:45:12.639: IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Static keyword or dynamic SA create for 128.68.46.111
*Apr 7 08:45:12.639: ISAKMP: (1093):Received IPSec Install callback... proceeding with the negotiation
*Apr 7 08:45:12.639: ISAKMP: (1093):Successfully installed IPSEC SA (SPI:0xC0F8076A) on GigabitEthernet0/0
*Apr 7 08:45:12.639: KMI: Crypto IKMP received message KEY_ENG_NOTIFY_QOS_GROUP from IPSEC key engine.
*Apr 7 08:45:12.639: KMI: Crypto IKMP received message KEY_ENG_NOTIFY_INCR_COUNT from IPSEC key engine.
*Apr 7 08:45:12.639: ISAKMP-PAK: (1093):sending packet to 128.68.46.111 my_port 4500 peer_port 4500 (R) QM_IDLE
*Apr 7 08:45:12.639: ISAKMP: (1093):Sending an IKE IPv4 Packet.
*Apr 7 08:45:12.639: ISAKMP: (1093):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Apr 7 08:45:12.639: ISAKMP: (1093):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
*Apr 7 08:45:12.643: ISAKMP-PAK: (1093):received packet from 128.68.46.111 dport 4500 sport 4500 Global (R) QM_IDLE
*Apr 7 08:45:12.647: KMI: Crypto IKMP sending message KEY_MGR_SA_ENABLE_OUTBOUND to IPSEC key engine.
*Apr 7 08:45:12.647: ISAKMP: (1093):deleting node 1 error FALSE reason "QM done (await)"
*Apr 7 08:45:12.647: ISAKMP: (1093):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Apr 7 08:45:12.647: ISAKMP: (1093):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Apr 7 08:45:12.647: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr 7 08:45:12.647: KMI: IPSEC key engine received message KEY_MGR_SA_ENABLE_OUTBOUND from Crypto IKMP.
*Apr 7 08:45:12.647: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Apr 7 08:45:12.647: IPSEC: Expand action denied, notify RP
*Apr 7 08:45:12.743: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Apr 7 08:45:12.743: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Apr 7 08:45:12.787: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Apr 7 08:45:12.791: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Apr 7 08:45:12.791: ISAKMP-PAK: (1093):received packet from 128.68.46.111 dport 4500 sport 4500 Global (R) QM_IDLE
*Apr 7 08:45:12.791: ISAKMP: (1093):set new node 1564495810 to QM_IDLE
*Apr 7 08:45:12.791: ISAKMP: (1093):processing HASH payload. message ID = 1564495810
*Apr 7 08:45:12.791: ISAKMP: (1093):processing DELETE payload. message ID = 1564495810
*Apr 7 08:45:12.791: ISAKMP: (1093):peer does not do paranoid keepalives.
*Apr 7 08:45:12.791: KMI: Crypto IKMP sending message KEY_MGR_DELETE_SAS to IPSEC key engine.
*Apr 7 08:45:12.791: ISAKMP: (1093):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x688FE5B8)
*Apr 7 08:45:12.791: ISAKMP: (1093):deleting node 1564495810 error FALSE reason "Informational (in) state 1"
*Apr 7 08:45:12.791: ISAKMP-PAK: (1093):received packet from 128.68.46.111 dport 4500 sport 4500 Global (R) QM_IDLE
*Apr 7 08:45:12.791: ISAKMP: (1093):set new node -1054206116 to QM_IDLE
*Apr 7 08:45:12.791: ISAKMP: (1093):processing HASH payload. message ID = 3240761180
*Apr 7 08:45:12.791: ISAKMP: (1093):processing DELETE payload. message ID = 3240761180
*Apr 7 08:45:12.791: ISAKMP: (1093):peer does not do paranoid keepalives.
*Apr 7 08:45:12.791: ISAKMP: (1093):deleting SA reason "No reason" state (R) QM_IDLE (peer 128.68.46.111)
*Apr 7 08:45:12.791: ISAKMP: (1093):deleting node -1054206116 error FALSE reason "Informational (in) state 1"
*Apr 7 08:45:12.795: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr 7 08:45:12.795: KMI: IPSEC key engine received message KEY_MGR_DELETE_SAS from Crypto IKMP.
*Apr 7 08:45:12.795: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5502
*Apr 7 08:45:12.795: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Apr 7 08:45:12.795: IPSEC: still in use sa: 0x245BB174
*Apr 7 08:45:12.795: IPSEC(key_engine_delete_sas): delete SA with spi 0x688FE5B8 proto 50 for 128.68.46.111
*Apr 7 08:45:12.795: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 212.8.239.182, sa_proto= 50,
sa_spi= 0xC0F8076A(3237480298),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2263
sa_lifetime(k/sec)= (250000/3600),
(identity) local= 1.1.1.1:0, remote= 128.68.46.111:0,
local_proxy= 1.1.1.1/255.255.255.255/17/1701,
remote_proxy= 128.68.46.111/255.255.255.255/17/4500
*Apr 7 08:45:12.795: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 128.68.46.111, sa_proto= 50,
sa_spi= 0x688FE5B8(1754260920),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2264
sa_lifetime(k/sec)= (250000/3600),
(identity) local= 1.1.1.1:0, remote= 128.68.46.111:0,
local_proxy= 1.1.1.1/255.255.255.255/17/1701,
remote_proxy= 128.68.46.111/255.255.255.255/17/4500
*Apr 7 08:45:12.795: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Apr 7 08:45:12.795: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Apr 7 08:45:12.795: ISAKMP: (1093):set new node -622858762 to QM_IDLE
*Apr 7 08:45:12.799: ISAKMP-PAK: (1093):sending packet to 128.68.46.111 my_port 4500 peer_port 4500 (R) QM_IDLE
*Apr 7 08:45:12.799: ISAKMP: (1093):Sending an IKE IPv4 Packet.
*Apr 7 08:45:12.799: ISAKMP: (1093):purging node -622858762
*Apr 7 08:45:12.799: ISAKMP: (1093):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 7 08:45:12.799: ISAKMP: (1093):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Apr 7 08:45:12.799: ISAKMP: (1093):deleting SA reason "No reason" state (R) QM_IDLE (peer 128.68.46.111)
*Apr 7 08:45:12.799: ISAKMP: (0):Unlocking peer struct 0x3E100348 for isadb_mark_sa_deleted(), count 0
*Apr 7 08:45:12.799: ISAKMP: (1093):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 7 08:45:12.799: ISAKMP: (1093):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Apr 7 08:45:12.807: KMI: IPSEC key engine sending message KEY_ENG_NOTIFY_DECR_COUNT to Crypto IKMP.
*Apr 7 08:45:12.807: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS
*Apr 7 08:45:12.807: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x22A61EDC ikmp handle 0x80000056
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x34000107,peer index 0

*Apr 7 08:45:12.807: KMI: Crypto IKMP received message KEY_ENG_NOTIFY_DECR_COUNT from IPSEC key engine.
*Apr 7 08:45:12.807: KMI: Crypto IKMP sending message KEY_MGR_SESSION_CLOSED to IPSEC key engine.
*Apr 7 08:45:12.807: ISAKMP: (0):Deleting peer node by peer_reap for 128.68.46.111: 3E100348
*Apr 7 08:45:12.807: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr 7 08:45:12.807: KMI: IPSEC key engine received message KEY_MGR_SESSION_CLOSED from Crypto IKMP.


07 Apr 2020, 11:54
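
An added example, not part of either post: a small Python parser that reduces IOS debug output like the log above to an ordered timeline, so the sequence of SA install, Virtual-Access up/down, the peer's DELETE payload and the ISAKMP-ERROR line can be read off directly. The event labels and function names are this example's own, and the sample lines are excerpted from the posted log.

```python
import re

# Lines excerpted verbatim from the debug output posted above (not the full log).
SAMPLE = """\
*Apr 7 08:45:12.639: ISAKMP: (1093):Successfully installed IPSEC SA (SPI:0xC0F8076A) on GigabitEthernet0/0
*Apr 7 08:45:12.743: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Apr 7 08:45:12.787: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Apr 7 08:45:12.791: ISAKMP: (1093):processing DELETE payload. message ID = 1564495810
*Apr 7 08:45:12.795: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
""".splitlines()

# Timestamp prefix of an IOS debug line; continuation lines of SA dumps lack it.
STAMP = re.compile(r"^\*?\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\.(\d{3}): (.*)$")
# Event labels are this example's own names, not IOS terminology.
EVENTS = {
    "sa_installed": re.compile(r"Successfully installed IPSEC SA"),
    "ppp_up": re.compile(r"%LINEPROTO-5-UPDOWN: .*Virtual-Access\d+, changed state to up$"),
    "ppp_down": re.compile(r"%LINEPROTO-5-UPDOWN: .*Virtual-Access\d+, changed state to down$"),
    "peer_delete": re.compile(r"processing DELETE payload"),
    "isakmp_error": re.compile(r"ISAKMP-ERROR"),
}

def timeline(lines):
    """Return [(ms_since_midnight, event)] for recognised lines, in log order."""
    out = []
    for line in lines:
        m = STAMP.match(line.strip())
        if not m:
            continue  # untimestamped continuation line
        h, mi, s, ms = (int(g) for g in m.groups()[:4])
        stamp = ((h * 60 + mi) * 60 + s) * 1000 + ms  # assumes one calendar day
        out += [(stamp, name) for name, pat in EVENTS.items() if pat.search(m.group(5))]
    return out

def summarize(lines):
    """Report how long PPP stayed up and whether the error follows a peer DELETE."""
    first = {}
    for stamp, name in timeline(lines):
        first.setdefault(name, stamp)  # keep the first occurrence of each event
    up, down = first.get("ppp_up"), first.get("ppp_down")
    delete, err = first.get("peer_delete"), first.get("isakmp_error")
    return {
        "ppp_up_ms": down - up if None not in (up, down) else None,
        "peer_sent_delete": delete is not None,
        "error_after_peer_delete": None not in (delete, err) and err >= delete,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On these lines the summary shows the Virtual-Access interface up for 44 ms and the ISAKMP-ERROR line logged after the peer's DELETE payload was processed.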