New Member

NAT problem with L2TP over IPSec

Good afternoon.

Please help me figure out a problem that occurs when the router initiates an L2TP over IPSec connection to Windows Server 2003.

The topology is as follows: a Cisco 2911 is connected to the Internet via Cellular 0/1/0. On the other side, an Asus WL520gc Wi-Fi router with a public IP address is connected to the Internet. Behind it is a Win7 machine running Windows Server 2003 in VBox, on which the built-in VPN server is deployed. On the router, UDP ports 50, 1701, 500 and 4500 are forwarded to the VBox.

I set up an L2TP over IPSec client on an iPhone and everything works.

I configure the Cisco as follows:

Building configuration...


Current configuration : 9289 bytes
!
! Last configuration change at 01:24:15 kld Tue Aug 26 1902 by admin
! NVRAM config last updated at 17:12:05 kld Fri Jan 22 2016 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname 2911
!
boot-start-marker
boot system flash0 c2900-universalk9-mz.SPA.155-3.M.bin
boot-end-marker
!
!
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip inspect WAAS flush-timeout 10
ip cef
l2tp-class LC01
!
l2tp-class LC02
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group lltp
request-dialin
protocol l2tp
pool-member 1
initiate-to ip 200.0.0.8
!
!
!
!chat-script hspa-R7 "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
!
!controller Cellular 0/1
!
pseudowire-class PC01
encapsulation l2tpv2
protocol l2tpv2 LC01
ip local interface GigabitEthernet0/1
!
pseudowire-class PC02
encapsulation l2tpv2
protocol l2tpv2 LC02
ip local interface Dialer30
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key password address 200.0.0.8
crypto isakmp key vpn address 211.46.17.120
crypto isakmp key xxx address WIN_2003_VPN_SERVER
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TS01 esp-3des esp-sha-hmac
mode transport
!
!
!
!
!
!
crypto map CM01 10 ipsec-isakmp
set peer 200.0.0.8
set transform-set TS01
match address AL01
!
crypto map CM02 local-address Dialer30
crypto map CM02 10 ipsec-isakmp
set peer WIN_2003_VPN_SERVER
set transform-set TS01
match address AL02
!
crypto map CM03 10 ipsec-isakmp
set peer 211.46.17.120
set transform-set TS01
match address AL03
!
interface GigabitEthernet0/1
ip address 200.0.0.200 255.255.255.0
duplex auto
speed auto
!
interface Cellular0/1/0
ip address negotiated
encapsulation slip
dialer in-band
dialer pool-member 30
crypto map CM02
!
interface Cellular0/1/1
no ip address
encapsulation slip
shutdown
!
interface Virtual-PPP1
ip address negotiated
ppp chap hostname kaa
ppp chap password 0 kaa123
pseudowire 200.0.0.8 10 encapsulation l2tpv2 pw-class PC01
!
interface Virtual-PPP2
ip address negotiated
ppp chap hostname user02
ppp chap password 0 erher
pseudowire WIN_2003_VPN_SERVER 10 encapsulation l2tpv2 pw-class PC02
!
interface Dialer30
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer pool 30
dialer idle-timeout 0
dialer string hspa-R7
dialer caller 687423589723 callback
dialer-group 20
crypto map CM02
!
!
ip forward-protocol nd
!

ip route 8.8.8.8 255.255.255.255 Dialer30
ip route WIN_2003_VPN_SERVER 255.255.255.255 Dialer30
ip route 211.46.17.120 255.255.255.255 Dialer30
!
ip access-list extended AL01
permit udp host 200.0.0.200 eq 1701 host 200.0.0.8 eq 1701
ip access-list extended AL02
permit udp host 172.29.204.12 eq 1701 host WIN_2003_VPN_SERVER eq 1701
ip access-list extended AL03
permit udp host 172.29.244.74 eq 1701 host 211.46.17.120 eq 1701
ip access-list extended AL04
!
logging trap debugging
dialer-list 1 protocol ip permit
dialer-list 20 protocol ip permit
!
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 200.0.0.0 0.0.0.255
!
control-plane
!
bridge 1 protocol ieee
bridge 2 protocol ieee
!

Output of debug crypto isakmp, debug crypto ipsec:

Jan 22 19:14:13.439: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.29.204.12:500, remote= WIN_2003_VPN_SERVER:500,
local_proxy= 172.29.204.12/255.255.255.255/17/1701,
remote_proxy= WIN_2003_VPN_SERVER/255.255.255.255/17/1701,
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jan 22 19:14:13.439: ISAKMP: (0):SA request profile is (NULL)
Jan 22 19:14:13.439: ISAKMP: (0):Created a peer struct for WIN_2003_VPN_SERVER, peer port 500
Jan 22 19:14:13.439: ISAKMP: (0):New peer created peer = 0x233B9E50 peer_handle = 0x80000314
Jan 22 19:14:13.439: ISAKMP: (0):Locking peer struct 0x233B9E50, refcount 1 for isakmp_initiator
Jan 22 19:14:13.439: ISAKMP: (0):local port 500, remote port 500
Jan 22 19:14:13.439: ISAKMP: (0):set new node 0 to QM_IDLE
Jan 22 19:14:13.439: ISAKMP: (0):insert sa successfully sa = 26132910
Jan 22 19:14:13.439: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
Jan 22 19:14:13.439: ISAKMP: (0):found peer pre-shared key matching WIN_2003_VPN_SERVER
Jan 22 19:14:13.439: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
Jan 22 19:14:13.439: ISAKMP: (0):constructed NAT-T vendor-07 ID
Jan 22 19:14:13.439: ISAKMP: (0):constructed NAT-T vendor-03 ID
Jan 22 19:14:13.439: ISAKMP: (0):constructed NAT-T vendor-02 ID
Jan 22 19:14:13.439: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jan 22 19:14:13.439: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1

Jan 22 19:14:13.439: ISAKMP: (0):beginning Main Mode exchange
Jan 22 19:14:13.439: ISAKMP-PAK: (0):sending packet to WIN_2003_VPN_SERVER my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 22 19:14:13.439: ISAKMP: (0):Sending an IKE IPv4 Packet.
Jan 22 19:14:13.959: ISAKMP-PAK: (0):received packet from WIN_2003_VPN_SERVER dport 500 sport 500 Global (I) MM_NO_STATE
Jan 22 19:14:13.959: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 22 19:14:13.959: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM2

Jan 22 19:14:13.963: ISAKMP: (0):processing SA payload. message ID = 0
Jan 22 19:14:13.963: ISAKMP: (0):processing vendor id payload
Jan 22 19:14:13.963: ISAKMP: (0):processing IKE frag vendor id payload
Jan 22 19:14:13.963: ISAKMP: (0):Support for IKE Fragmentation not enabled
Jan 22 19:14:13.963: ISAKMP: (0):processing vendor id payload
Jan 22 19:14:13.963: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
Jan 22 19:14:13.963: ISAKMP: (0):processing vendor id payload
Jan 22 19:14:13.963: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 22 19:14:13.963: ISAKMP: (0):vendor ID is NAT-T v2
Jan 22 19:14:13.963: ISAKMP: (0):found peer pre-shared key matching WIN_2003_VPN_SERVER
Jan 22 19:14:13.963: ISAKMP: (0):local preshared key found
Jan 22 19:14:13.963: ISAKMP: (0):Scanning profiles for xauth ...
Jan 22 19:14:13.963: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
Jan 22 19:14:13.963: ISAKMP: (0): encryption 3DES-CBC
Jan 22 19:14:13.963: ISAKMP: (0): hash SHA
Jan 22 19:14:13.963: ISAKMP: (0): default group 2
Jan 22 19:14:13.963: ISAKMP: (0): auth pre-share
Jan 22 19:14:13.963: ISAKMP: (0): life type in seconds
Jan 22 19:14:13.963: ISAKMP: life duration (VPI) of 0x0 0x0 0xE 0x10
Jan 22 19:14:13.963: ISAKMP: (0):atts are acceptable. Next payload is 0
Jan 22 19:14:13.963: ISAKMP: (0):Acceptable atts:actual life: 0
Jan 22 19:14:13.963: ISAKMP: (0):Acceptable atts:life: 0
Jan 22 19:14:13.963: ISAKMP: (0):Fill atts in sa vpi_length:4
Jan 22 19:14:13.963: ISAKMP: (0):Fill atts in sa life_in_seconds:3600
Jan 22 19:14:13.963: ISAKMP: (0):Returning Actual lifetime: 3600
Jan 22 19:14:13.963: ISAKMP: (0):Started lifetime timer: 3600.

Jan 22 19:14:13.963: ISAKMP: (0):processing vendor id payload
Jan 22 19:14:13.963: ISAKMP: (0):processing IKE frag vendor id payload
Jan 22 19:14:13.963: ISAKMP: (0):Support for IKE Fragmentation not enabled
Jan 22 19:14:13.963: ISAKMP: (0):processing vendor id payload
Jan 22 19:14:13.963: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
Jan 22 19:14:13.963: ISAKMP: (0):processing vendor id payload
Jan 22 19:14:13.963: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Jan 22 19:14:13.963: ISAKMP: (0):vendor ID is NAT-T v2
Jan 22 19:14:13.963: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 22 19:14:13.963: ISAKMP: (0):Old State = IKE_I_MM2 New State = IKE_I_MM2

Jan 22 19:14:13.963: ISAKMP-PAK: (0):sending packet to WIN_2003_VPN_SERVER my_port 500 peer_port 500 (I) MM_SA_SETUP
Jan 22 19:14:13.963: ISAKMP: (0):Sending an IKE IPv4 Packet.
Jan 22 19:14:13.963: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 22 19:14:13.963: ISAKMP: (0):Old State = IKE_I_MM2 New State = IKE_I_MM3

Jan 22 19:14:14.571: ISAKMP-PAK: (0):received packet from WIN_2003_VPN_SERVER dport 500 sport 500 Global (I) MM_SA_SETUP
Jan 22 19:14:14.571: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Jan 22 19:14:14.571: ISAKMP: (0):retransmission skipped for phase 1 (time since last transmission 608)
Jan 22 19:14:14.683: ISAKMP-PAK: (0):received packet from WIN_2003_VPN_SERVER dport 500 sport 500 Global (I) MM_SA_SETUP
Jan 22 19:14:14.683: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 22 19:14:14.683: ISAKMP: (0):Old State = IKE_I_MM3 New State = IKE_I_MM4

Jan 22 19:14:14.683: ISAKMP: (0):processing KE payload. message ID = 0
Jan 22 19:14:14.707: ISAKMP: (0):processing NONCE payload. message ID = 0
Jan 22 19:14:14.707: ISAKMP: (0):found peer pre-shared key matching WIN_2003_VPN_SERVER
Jan 22 19:14:14.707: ISAKMP: (1210):received payload type 20
Jan 22 19:14:14.707: ISAKMP: (1210):NAT found, both nodes inside NAT
Jan 22 19:14:14.707: ISAKMP: (1210):received payload type 20
Jan 22 19:14:14.707: ISAKMP: (1210):NAT found, both nodes inside NAT
Jan 22 19:14:14.707: ISAKMP: (1210):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 22 19:14:14.707: ISAKMP: (1210):Old State = IKE_I_MM4 New State = IKE_I_MM4

Jan 22 19:14:14.707: ISAKMP: (1210):Send initial contact
Jan 22 19:14:14.707: ISAKMP: (1210):SA is doing
Jan 22 19:14:14.707: ISAKMP: (1210):pre-shared key authentication using id type ID_IPV4_ADDR
Jan 22 19:14:14.707: ISAKMP: (1210):ID payload
next-payload : 8
type : 1
Jan 22 19:14:14.707: ISAKMP: (1210): address : 172.29.204.12
Jan 22 19:14:14.707: ISAKMP: (1210): protocol : 17
port : 0
length : 12
Jan 22 19:14:14.707: ISAKMP: (1210):Total payload length: 12
Jan 22 19:14:14.711: ISAKMP-PAK: (1210):sending packet to WIN_2003_VPN_SERVER my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jan 22 19:14:14.711: ISAKMP: (1210):Sending an IKE IPv4 Packet.
Jan 22 19:14:14.711: ISAKMP: (1210):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 22 19:14:14.711: ISAKMP: (1210):Old State = IKE_I_MM4 New State = IKE_I_MM5

Jan 22 19:14:14.831: ISAKMP-PAK: (1210):received packet from WIN_2003_VPN_SERVER dport 4500 sport 4500 Global (I) MM_KEY_EXCH
Jan 22 19:14:14.831: ISAKMP: (1210):processing ID payload. message ID = 0
Jan 22 19:14:14.831: ISAKMP: (1210):ID payload
next-payload : 8
type : 2
Jan 22 19:14:14.831: ISAKMP: (1210): FQDN name : vpn2003
Jan 22 19:14:14.831: ISAKMP: (1210): protocol : 0
port : 0
length : 15
Jan 22 19:14:14.831: ISAKMP: (0):peer matches *none* of the profiles
Jan 22 19:14:14.831: ISAKMP: (1210):processing HASH payload. message ID = 0
Jan 22 19:14:14.831: ISAKMP: (1210):SA authentication status:
authenticated
Jan 22 19:14:14.831: ISAKMP: (1210):SA has been authenticated with WIN_2003_VPN_SERVER
Jan 22 19:14:14.831: ISAKMP: (1210):Setting UDP ENC peer struct 0x255D6B30 sa= 0x26132910
Jan 22 19:14:14.831: ISAKMP: (0):Trying to insert a peer 172.29.204.12/WIN_2003_VPN_SERVER/4500/,
Jan 22 19:14:14.831: ISAKMP: (0): and inserted successfully 233B9E50.
Jan 22 19:14:14.831: ISAKMP: (1210):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 22 19:14:14.831: ISAKMP: (1210):Old State = IKE_I_MM5 New State = IKE_I_MM6

Jan 22 19:14:14.831: ISAKMP: (1210):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 22 19:14:14.831: ISAKMP: (1210):Old State = IKE_I_MM6 New State = IKE_I_MM6

Jan 22 19:14:14.831: ISAKMP: (1210):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 22 19:14:14.831: ISAKMP: (1210):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

Jan 22 19:14:14.831: ISAKMP: (1210):beginning Quick Mode exchange, M-ID of 1993905705
Jan 22 19:14:14.831: ISAKMP: (1210):QM Initiator gets spi
Jan 22 19:14:14.835: ISAKMP-PAK: (1210):sending packet to WIN_2003_VPN_SERVER my_port 4500 peer_port 4500 (I) QM_IDLE
Jan 22 19:14:14.835: ISAKMP: (1210):Sending an IKE IPv4 Packet.
Jan 22 19:14:14.835: ISAKMP: (1210):Node 1993905705, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jan 22 19:14:14.835: ISAKMP: (1210):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jan 22 19:14:14.835: ISAKMP: (1210):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jan 22 19:14:14.835: ISAKMP: (1210):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jan 22 19:14:14.971: ISAKMP-PAK: (1210):received packet from WIN_2003_VPN_SERVER dport 4500 sport 4500 Global (I) QM_IDLE
Jan 22 19:14:14.971: ISAKMP: (1210):processing HASH payload. message ID = 1993905705
Jan 22 19:14:14.971: ISAKMP: (1210):processing SA payload. message ID = 1993905705
Jan 22 19:14:14.971: ISAKMP: (1210):Checking IPSec proposal 1
Jan 22 19:14:14.971: ISAKMP: (1210):transform 1, ESP_3DES
Jan 22 19:14:14.971: ISAKMP: (1210): attributes in transform:
Jan 22 19:14:14.971: ISAKMP: (1210): SA life type in seconds
Jan 22 19:14:14.971: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
Jan 22 19:14:14.975: ISAKMP: (1210): SA life type in kilobytes
Jan 22 19:14:14.975: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Jan 22 19:14:14.975: ISAKMP: (1210): encaps is 61444 (Transport-UDP)
Jan 22 19:14:14.975: ISAKMP: (1210): authenticator is HMAC-SHA
Jan 22 19:14:14.975: ISAKMP: (1210):atts are acceptable.
Jan 22 19:14:14.975: IPSEC(validate_proposal_request): proposal part #1
Jan 22 19:14:14.975: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.29.204.12:0, remote= WIN_2003_VPN_SERVER:0,
local_proxy= 217.66.159.73/255.255.255.255/17/1701,
remote_proxy= WIN_2003_VPN_SERVER/255.255.255.255/17/1701,
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jan 22 19:14:14.975: Crypto mapdb : proxy_match
src addr : 217.66.159.73
dst addr : WIN_2003_VPN_SERVER
protocol : 17
src port : 1701
dst port : 1701
Jan 22 19:14:14.975: Crypto mapdb : proxy_match
src addr : 217.66.159.73
dst addr : WIN_2003_VPN_SERVER
protocol : 17
src port : 1701
dst port : 1701
Jan 22 19:14:14.975: map_db_find_best did not find matching map
Jan 22 19:14:14.975: IPSEC(ipsec_process_proposal): proxy identities not supported
Jan 22 19:14:14.975: ISAKMP-ERROR: (1210):IPSec policy invalidated proposal with error 32
Jan 22 19:14:14.975: ISAKMP-ERROR: (1210):phase 2 SA policy not acceptable! (local 172.29.204.12 remote WIN_2003_VPN_SERVER)
Jan 22 19:14:14.975: ISAKMP: (1210):set new node 233440287 to QM_IDLE
Jan 22 19:14:14.975: ISAKMP: (1210):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 592090520, message ID = 233440287
Jan 22 19:14:14.975: ISAKMP-PAK: (1210):sending packet to WIN_2003_VPN_SERVER my_port 4500 peer_port 4500 (I) QM_IDLE
Jan 22 19:14:14.975: ISAKMP: (1210):Sending an IKE IPv4 Packet.
Jan 22 19:14:14.975: ISAKMP: (1210):purging node 233440287
Jan 22 19:14:14.975: ISAKMP-ERROR: (1210):deleting node 1993905705 error TRUE reason "QM rejected"
Jan 22 19:14:14.979: ISAKMP: (1210):Node 1993905705, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jan 22 19:14:14.979: ISAKMP: (1210):Old State = IKE_QM_I_QM1 New State = IKE_QM_I_QM1
Jan 22 19:14:15.531: ISAKMP-PAK: (1210):received packet from WIN_2003_VPN_SERVER dport 4500 sport 4500 Global (I) QM_IDLE
Jan 22 19:14:15.535: ISAKMP: (1210):phase 2 packet is a duplicate of a previous packet.
Jan 22 19:14:15.535: ISAKMP: (1210):retransmitting due to retransmit phase 2
Jan 22 19:14:15.535: ISAKMP: (1210):retransmitting phase 2 QM_IDLE 1993905705 ...
Jan 22 19:14:16.035: ISAKMP: (1210):retransmitting phase 2 QM_IDLE 1993905705 ...
Jan 22 19:14:16.035: ISAKMP: (1210):: incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Jan 22 19:14:16.035: ISAKMP: (1210):retransmitting phase 2 1993905705 QM_IDLE
Jan 22 19:14:16.035: ISAKMP-PAK: (1210):sending packet to WIN_2003_VPN_SERVER my_port 4500 peer_port 4500 (I) QM_IDLE
Jan 22 19:14:16.035: ISAKMP: (1210):Sending an IKE IPv4 Packet.
Jan 22 19:14:16.035: ISAKMP-ERROR: (1210):Node lost after packet send.
Jan 22 19:14:17.531: ISAKMP-PAK: (1210):received packet from WIN_2003_VPN_SERVER dport 4500 sport 4500 Global (I) QM_IDLE
Jan 22 19:14:17.535: ISAKMP: (1210):phase 2 packet is a duplicate of a previous packet.
Jan 22 19:14:17.535: ISAKMP: (1210):retransmitting due to retransmit phase 2
Jan 22 19:14:17.535: ISAKMP: (1210):retransmitting phase 2 QM_IDLE 1993905705 ...
Jan 22 19:14:18.035: ISAKMP: (1210):retransmitting phase 2 QM_IDLE 1993905705 ...
Jan 22 19:14:18.035: ISAKMP: (1210):: incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Jan 22 19:14:18.035: ISAKMP: (1210):retransmitting phase 2 1993905705 QM_IDLE
Jan 22 19:14:18.035: ISAKMP-PAK: (1210):sending packet to WIN_2003_VPN_SERVER my_port 4500 peer_port 4500 (I) QM_IDLE
Jan 22 19:14:18.035: ISAKMP: (1210):Sending an IKE IPv4 Packet.
Jan 22 19:14:18.035: ISAKMP-ERROR: (1210):Node lost after packet send.
Jan 22 19:14:21.543: ISAKMP-PAK: (1210):received packet from WIN_2003_VPN_SERVER dport 4500 sport 4500 Global (I) QM_IDLE
Jan 22 19:14:21.543: ISAKMP: (1210):phase 2 packet is a duplicate of a previous packet.
Jan 22 19:14:21.543: ISAKMP: (1210):retransmitting due to retransmit phase 2
Jan 22 19:14:21.543: ISAKMP: (1210):retransmitting phase 2 QM_IDLE 1993905705 ...
Jan 22 19:14:22.043: ISAKMP: (1210):retransmitting phase 2 QM_IDLE 1993905705 ...
Jan 22 19:14:22.043: ISAKMP: (1210):: incrementing error counter on node, attempt 3 of 5: retransmit phase 2
Jan 22 19:14:22.043: ISAKMP: (1210):retransmitting phase 2 1993905705 QM_IDLE
Jan 22 19:14:22.043: ISAKMP-PAK: (1210):sending packet to WIN_2003_VPN_SERVER my_port 4500 peer_port 4500 (I) QM_IDLE
Jan 22 19:14:22.043: ISAKMP: (1210):Sending an IKE IPv4 Packet.
Jan 22 19:14:22.043: ISAKMP-ERROR: (1210):Node lost after packet send.

The debug from the VPN server is attached. A successful connection log to a third-party VPN server is also attached.

Thoughts: comparing with the iPhone debug, it shows that the router, as the initiator, for some reason does not send NAT-OA payloads to the server in QM (although it detects that both peers are behind NAT).

processing payload NATOA
1-21: 21:31:02:998:790 NatOA struct 83000c0001000000
1-21: 21:31:02:998:790 NatOA data 0abe5638
1-21: 21:31:02:998:790 processing payload NATOA
1-21: 21:31:02:998:790 NatOA struct 00000c0001000000
1-21: 21:31:02:998:790 NatOA data 53db95f1
1-21: 21:31:02:998:790 processing payload SA
1-21: 21:31:02:998:790 Negotiated Proxy ID: Src 10.190.86.56.55921 Dst WIN_2003_VPN_SERVER.1701

As a result, the server proposes a policy containing the wrong source peer address.

There is also Wireshark data.
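The debug above fails at `map_db_find_best did not find matching map` / `proxy identities not supported`: the router's own request (OUTBOUND) carries the local proxy 172.29.204.12, which is exactly what the crypto ACL AL02 permits, while the server's answer (INBOUND) carries 217.66.159.73 as the local proxy, which matches no line of AL02. The following Python triage script is an added example, not code from the original post or from Cisco; it parses the two `key eng. msg.` blocks and the AL02 entry exactly as they appear above (embedded inline as constructed sample input, with the post's placeholder `WIN_2003_VPN_SERVER` kept as a literal token), compares each proposal field by field against the ACL, and tags addresses as private or public. The reading of 217.66.159.73 as the router's address after the cellular provider's NAT is an assumption made here, not something the post states.

```python
import ipaddress
import re

# Constructed sample: the two IPSEC "key eng. msg." blocks copied from the
# router's "debug crypto ipsec" output in the post above, and the crypto ACL
# entry (AL02) from the posted configuration. WIN_2003_VPN_SERVER is the
# placeholder the post uses for the server's public address.
SAMPLE_DEBUG = """\
Jan 22 19:14:13.439: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.29.204.12:500, remote= WIN_2003_VPN_SERVER:500,
local_proxy= 172.29.204.12/255.255.255.255/17/1701,
remote_proxy= WIN_2003_VPN_SERVER/255.255.255.255/17/1701,
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport),
Jan 22 19:14:14.975: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.29.204.12:0, remote= WIN_2003_VPN_SERVER:0,
local_proxy= 217.66.159.73/255.255.255.255/17/1701,
remote_proxy= WIN_2003_VPN_SERVER/255.255.255.255/17/1701,
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP),
"""

SAMPLE_ACL = """\
ip access-list extended AL02
permit udp host 172.29.204.12 eq 1701 host WIN_2003_VPN_SERVER eq 1701
"""

DIR_RE = re.compile(r"\(key eng\. msg\.\) (OUTBOUND|INBOUND)")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([^/\s]+)/([^/\s]+)/(\d+)/(\d+)")
ACL_RE = re.compile(r"permit udp host (\S+) eq (\d+) host (\S+) eq (\d+)")


def parse_proxy_records(debug_text):
    """Group each 'key eng. msg.' block into a record holding its direction
    and the local/remote proxy identities (address, mask, protocol, port)."""
    records, current = [], None
    for line in debug_text.splitlines():
        m = DIR_RE.search(line)
        if m:
            current = {"direction": m.group(1)}
            records.append(current)
            continue
        m = PROXY_RE.search(line)
        if m and current is not None:
            side, addr, mask, proto, port = m.groups()
            current[side + "_proxy"] = {
                "addr": addr, "mask": mask, "proto": int(proto), "port": int(port)}
    return records


def parse_crypto_acl(acl_text):
    """Extract (src, sport, dst, dport) tuples from 'permit udp host ... eq ...' lines."""
    return [(s, int(sp), d, int(dp)) for s, sp, d, dp in ACL_RE.findall(acl_text)]


def address_scope(addr):
    """Classify an address as private (RFC 1918 and similar), public, or
    unknown (the post's placeholder name is not parseable as an IP)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    return "private" if ip.is_private else "public"


def check_against_acl(record, acl_entries):
    """For the initiator, the crypto ACL source must equal the local proxy and
    the destination the remote proxy, address and port alike.
    Returns (matched, list of mismatch descriptions)."""
    lp, rp = record["local_proxy"], record["remote_proxy"]
    mismatches = []
    for src, sport, dst, dport in acl_entries:
        diffs = []
        if lp["addr"] != src:
            diffs.append(f"local proxy {lp['addr']} ({address_scope(lp['addr'])}) "
                         f"!= ACL source {src} ({address_scope(src)})")
        if lp["port"] != sport:
            diffs.append(f"local port {lp['port']} != ACL source port {sport}")
        if rp["addr"] != dst:
            diffs.append(f"remote proxy {rp['addr']} != ACL destination {dst}")
        if rp["port"] != dport:
            diffs.append(f"remote port {rp['port']} != ACL destination port {dport}")
        if not diffs:
            return True, []
        mismatches.extend(diffs)
    return False, mismatches


def triage(debug_text, acl_text):
    """Return one (direction, matched, mismatches) tuple per proposal."""
    acl = parse_crypto_acl(acl_text)
    return [(r["direction"],) + check_against_acl(r, acl)
            for r in parse_proxy_records(debug_text)]


if __name__ == "__main__":
    for direction, ok, why in triage(SAMPLE_DEBUG, SAMPLE_ACL):
        print(direction, "matches crypto ACL" if ok else "REJECTED:", "; ".join(why))
```

Run on the sample, the OUTBOUND record matches AL02 and the INBOUND one is rejected with a single reason: the local proxy is a public address (217.66.159.73) while the ACL source is the private Cellular/Dialer address (172.29.204.12); ports on both sides are 1701, so the port is not the problem in this particular trace. The same check can be pointed at any `debug crypto ipsec` capture and the matching `ip access-list extended` block to see which field of a `proxy identities not supported` rejection actually differs.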

1 REPLY
Cisco Employee

I can't say for sure. NAT-OAi and NAT-OAr should be in the debug.

It may also be an interoperability problem. At one time a fix, CSCso21063, was made on the ASA so that an IOS L2TP/IPsec client could connect to the ASA when the client is behind NAT. Before that fix, the ASA sent proxy identities that would satisfy a Windows L2TP/IPsec client, including port zero in them. After the fix, the ASA started distinguishing Windows clients from Cisco IOS clients by the Vendor-ID payload.

As a complete shot in the dark, you could also try adding "set nat demux" to the "crypto map".
