IPsec VPN configuration not working ...


    Hello everyone,

    I am reading the IPsec section of the CCNP ISCW Official Exam Certification Guide from Cisco Press. It walks through the steps for configuring an IPsec-based VPN. I am using dynamips with the simple lab of two 7200s to practise. However, after completing the configuration as instructed and issuing a ping to bring up the VPN tunnel, it does not come up.

    On one router I see this message:
    Code:
    *Oct 21 23:55:39.027: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode faied with peer at 10.0.0.1
    And here is the output of the debug command while the negotiation takes place:
    Code:
    *Oct 21 23:55:38.059: ISAKMP: received ke message (1/1)
    *Oct 21 23:55:38.063: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
    *Oct 21 23:55:38.067: ISAKMP: Created a peer struct for 10.0.0.2, peer port 500
    *Oct 21 23:55:38.067: ISAKMP: New peer created peer = 0x658FDD34 peer_handle = 0x80000005
    *Oct 21 23:55:38.071: ISAKMP: Locking peer struct 0x658FDD34, IKE refcount 1 for isakmp_initiator
    *Oct 21 23:55:38.071: ISAKMP: local port 500, remote port 500
    *Oct 21 23:55:38.075: ISAKMP: set new node 0 to QM_IDLE
    *Oct 21 23:55:38.075: insert sa successfully sa = 6474C438
    *Oct 21 23:55:38.079: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
    *Oct 21 23:55:38.079: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.0.0.2
    *Oct 21 23:55:38.087: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
    *Oct 21 23:55:38.087: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
    *Oct 21 23:55:38.091: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
    *Oct 21 23:55:38.091: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Oct 21 23:55:38.095: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
    
    *Oct 21 23:55:38.095: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
    *Oct 21 23:55:38.099: ISAKMP:(0:0:N/A:0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Oct 21 23:55:38.271: ISAKMP (0:0): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
    *Oct 21 23:55:38.279: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Oct 21 23:55:38.279: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    
    *Oct 21 23:55:38.287: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
    *Oct 21 23:55:38.291: ISAKMP:(0:0:N/A:0): processing vendor id payload
    *Oct 21 23:55:38.295: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
    *Oct 21 23:55:38.295: ISAKMP (0:0): vendor ID is NAT-T v7
    *Oct 21 23:55:38.299: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.0.0.2
    *Oct 21 23:55:38.299: ISAKMP:(0:0:N/A:0): local preshared key found
    *Oct 21 23:55:38.303: ISAKMP : Scanning profiles for xauth ...
    *Oct 21 23:55:38.303: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
    *Oct 21 23:55:38.307: ISAKMP:      encryption DES-CBC
    *Oct 21 23:55:38.307: ISAKMP:      hash MD5
    *Oct 21 23:55:38.307: ISAKMP:      default group 1
    *Oct 21 23:55:38.311: ISAKMP:      auth pre-share
    *Oct 21 23:55:38.311: ISAKMP:      life type in seconds
    *Oct 21 23:55:38.311: ISAKMP:      life duration (basic) of 3600
    *Oct 21 23:55:38.315: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
    *Oct 21 23:55:38.407: ISAKMP:(0:1:SW:1): processing vendor id payload
    *Oct 21 23:55:38.407: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
    *Oct 21 23:55:38.407: ISAKMP (0:134217729): vendor ID is NAT-T v7
    *Oct 21 23:55:38.411: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Oct 21 23:55:38.411: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2
    
    *Oct 21 23:55:38.435: ISAKMP:(0:1:SW:1): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Oct 21 23:55:38.435: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Oct 21 23:55:38.439: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
    
    *Oct 21 23:55:38.555: ISAKMP (0:134217729): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_SA_SETUP
    *Oct 21 23:55:38.563: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Oct 21 23:55:38.563: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
    
    *Oct 21 23:55:38.575: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
    *Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
    *Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 10.0.0.2
    *Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1):SKEYID state generated
    *Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): processing vendor id payload
    *Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): vendor ID is Unity
    *Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): processing vendor id payload
    *Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): vendor ID is DPD
    *Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): processing vendor id payload
    *Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1): speaking to another IOS box!
    *Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Oct 21 23:55:38.667: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4
    
    *Oct 21 23:55:38.679: ISAKMP:(0:1:SW:1):Send initial contact
    *Oct 21 23:55:38.679: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Oct 21 23:55:38.679: ISAKMP (0:134217729): ID payload
            next-payload : 8
            type         : 1
            address      : 10.0.0.1
            protocol     : 17
            port         : 500
            length       : 12
    *Oct 21 23:55:38.679: ISAKMP:(0:1:SW:1):Total payload length: 12
    *Oct 21 23:55:38.683: ISAKMP:(0:1:SW:1): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Oct 21 23:55:38.683: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Oct 21 23:55:38.687: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
    
    *Oct 21 23:55:38.779: ISAKMP (0:134217729): received packet from 10.0.0.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Oct 21 23:55:38.787: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
    *Oct 21 23:55:38.787: ISAKMP (0:134217729): ID payload
            next-payload : 8
            type         : 1
            address      : 10.0.0.2
            protocol     : 17
            port         : 500
            length       : 12
    *Oct 21 23:55:38.791: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
    *Oct 21 23:55:38.795: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
    *Oct 21 23:55:38.799: ISAKMP:(0:1:SW:1):SA authentication status:
            authenticated
    *Oct 21 23:55:38.803: ISAKMP:(0:1:SW:1):SA has been authenticated with 10.0.0.2
    *Oct 21 23:55:38.803: ISAKMP: Trying to insert a peer 10.0.0.1/10.0.0.2/500/,  and inserted successfully 658FDD34.
    *Oct 21 23:55:38.807: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Oct 21 23:55:38.811: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
    
    *Oct 21 23:55:38.823: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Oct 21 23:55:38.827: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6
    
    *Oct 21 23:55:38.835: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Oct 21 23:55:38.839: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    
    *Oct 21 23:55:38.847: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 2129377162
    *Oct 21 23:55:38.863: ISAKMP:(0:1:SW:1): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) QM_IDLE
    *Oct 21 23:55:38.867: ISAKMP:(0:1:SW:1):Node 2129377162, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Oct 21 23:55:38.867: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *Oct 21 23:55:38.871: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *Oct 21 23:55:38.875: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    
    *Oct 21 23:55:38.991: ISAKMP (0:134217729): received packet from 10.0.0.2 dport 500 sport 500 Global (I) QM_IDLE
    *Oct 21 23:55:38.995: ISAKMP: set new node -1729125882 to QM_IDLE
    *Oct 21 23:55:39.003: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1729125882
    *Oct 21 23:55:39.007: ISAKMP:(0:1:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 3080322591, message ID = -1729125882, sa = 6474C438
    *Oct 21 23:55:39.011: ISAKMP:(0:1:SW:1): deleting spi 3080322591 message ID = 2129377162
    *Oct 21 23:55:39.011: ISAKMP:(0:1:SW:1):deleting node 2129377162 error TRUE reason "Delete Larval"
    *Oct 21 23:55:39.015: ISAKMP:(0:1:SW:1):deleting node -1729125882 error FALSE reason "Informational (in) state 1"
    *Oct 21 23:55:39.019: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Oct 21 23:55:39.019: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Has anyone run into a similar situation? If you have, or if you know the cause of the problem, please point me in the right direction. Thank you.

    Thành.

  • #2
    And here are the configurations of the two routers:

    Code:
    *Oct 22 00:09:02.255: %SYS-5-CONFIG_I: Configured from console by consorun
    Building configuration...
    
    Current configuration : 1545 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RemoteOffice
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    !
    ip cef
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
     lifetime 3600
    crypto isakmp key TOPsecret address 10.0.0.2
    !
    crypto ipsec security-association lifetime seconds 1800
    !
    crypto ipsec transform-set set-1 esp-3des esp-sha-hmac
    !
    crypto map to-central 1 ipsec-isakmp
     set peer 10.0.0.2
     set transform-set set-1
     match address 170
    !
    !
    !
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    !
    interface Serial1/0
     ip address 10.0.0.1 255.0.0.0
     serial restart-delay 0
     clock rate 128000
     crypto map to-central
    !
    interface Serial1/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/4
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/5
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/6
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/7
     no ip address
     shutdown
     serial restart-delay 0
    !
    ip route 192.168.1.0 255.255.255.0 10.0.0.2
    !
    no ip http server
    no ip http secure-server
    !
    !
    access-list 170 permit ip any 192.168.1.0 0.0.0.255
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    gatekeeper
     shutdown
    !
    !
    line con 0
     stopbits 1
    line aux 0
    line vty 0 4
    !
    !
    end

    Code:
    Building configuration...
    
    Current configuration : 1544 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname CentralOffice
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    !
    ip cef
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 25
     hash md5
     authentication pre-share
     lifetime 3600
    crypto isakmp key TOPsecret address 10.0.0.1
    !
    crypto ipsec security-association lifetime seconds 1800
    !
    crypto ipsec transform-set set-1 esp-3des esp-sha-hmac
    !
    crypto map to-remote 1 ipsec-isakmp
     set peer 10.0.0.1
     set transform-set set-1
     match address 170
    !
    !
    !
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    !
    interface Serial1/0
     ip address 10.0.0.2 255.0.0.0
     serial restart-delay 0
     clock rate 128000
     crypto map to-remote
    !
    interface Serial1/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/4
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/5
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/6
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/7
     no ip address
     shutdown
     serial restart-delay 0
    !
    ip route 192.168.0.0 255.255.255.0 10.0.0.1
    !
    no ip http server
    no ip http secure-server
    !
    !
    access-list 170 permit ip any 192.168.0.0 0.0.0.255
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    gatekeeper
     shutdown
    !
    !
    line con 0
     stopbits 1
    line aux 0
    line vty 0 4
    !
    !
    end
    I hope you can help.
    Thanks.
    Thành.

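    An added example (my own code, not from any of the posters): a Python script that reads the crypto sections of the two configurations above and checks the three things two IOS peers must agree on before Quick Mode can succeed: an ISAKMP policy with matching encryption, hash, authentication and DH group (IOS silently defaults to DES, SHA, rsa-sig and group 1 for any line left out), an identical transform set, and crypto ACLs that are exact mirror images of each other. The debug above completes Phase 1 authentication and then receives PROPOSAL_NOT_CHOSEN in Quick Mode, which is the exchange in which the transform set and the proxy identities taken from the crypto ACL are compared; the two access-list 170 lines posted (any to 192.168.1.0/24 on RemoteOffice, any to 192.168.0.0/24 on CentralOffice) are not mirror images, and the script flags exactly that. The config excerpts embedded in the script are constructed from the posted configurations; the "corrected" pair assumes RemoteOffice fronts 192.168.0.0/24 and CentralOffice fronts 192.168.1.0/24 (as the static routes suggest), and those networks still have to exist on the routers, for example as loopbacks, before a ping sourced from them can trigger the tunnel.

```python
import re
from ipaddress import IPv4Network

# IOS defaults for attributes left out of a "crypto isakmp policy" block
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

# Constructed excerpts: just the crypto and ACL lines of the two configs posted above
REMOTE_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 3600
crypto ipsec transform-set set-1 esp-3des esp-sha-hmac
crypto map to-central 1 ipsec-isakmp
 set transform-set set-1
 match address 170
access-list 170 permit ip any 192.168.1.0 0.0.0.255
"""
CENTRAL_CFG = """\
crypto isakmp policy 25
 hash md5
 authentication pre-share
 lifetime 3600
crypto ipsec transform-set set-1 esp-3des esp-sha-hmac
crypto map to-remote 1 ipsec-isakmp
 set transform-set set-1
 match address 170
access-list 170 permit ip any 192.168.0.0 0.0.0.255
"""
# Constructed corrected pair (assumption): same crypto settings, LAN-to-LAN crypto ACLs that mirror each other
REMOTE_CFG_FIXED = REMOTE_CFG.replace(
    "ip any 192.168.1.0 0.0.0.255", "ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255")
CENTRAL_CFG_FIXED = CENTRAL_CFG.replace(
    "ip any 192.168.0.0 0.0.0.255", "ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255")

def _addr(words):
    """Consume one ACL address spec ('any', 'host X' or 'X wildcard'); return (network, rest)."""
    if words[0] == "any":
        return IPv4Network("0.0.0.0/0"), words[1:]
    if words[0] == "host":
        return IPv4Network(words[1] + "/32"), words[2:]
    return IPv4Network(f"{words[0]}/{words[1]}"), words[2:]  # ipaddress accepts hostmasks

def parse_ios_crypto(config):
    """Pull ISAKMP policies, transform sets, crypto maps and crypto ACLs out of an IOS config."""
    policies, tsets, maps, acls, block = [], {}, {}, {}, None
    for line in config.splitlines():
        line = line.rstrip()
        if line.startswith(" ") and block is not None:  # indented continuation line
            kind, entry = block
            words = line.split()
            if kind == "policy" and len(words) == 2 and words[0] in ISAKMP_DEFAULTS:
                entry[words[0]] = words[1]
            elif kind == "map" and len(words) == 3 and words[1] in ("transform-set", "address"):
                entry[words[1]] = words[2]          # "set transform-set X" / "match address N"
            continue
        block = None
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            policies.append(dict(ISAKMP_DEFAULTS, priority=m[1]))
            block = ("policy", policies[-1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            tsets[m[1]] = frozenset(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            maps[(m[1], m[2])] = {}
            block = ("map", maps[(m[1], m[2])])
        elif m := re.match(r"access-list (\d+) permit ip (.+)$", line):
            src, rest = _addr(m[2].split())
            acls.setdefault(m[1], []).append((src, _addr(rest)[0]))   # (src, dst) proxy IDs
    return {"policies": policies, "tsets": tsets, "maps": maps, "acls": acls}

def check_pair(cfg_a, cfg_b):
    """Return findings that would make IKEv1/IPsec negotiation between the two
    configs fail; an empty list means the crypto parameters are consistent."""
    a, b = parse_ios_crypto(cfg_a), parse_ios_crypto(cfg_b)
    findings = []
    # Phase 1: some policy pair must agree on these four attributes (the lifetime
    # only has to be <= the responder's, so it is not compared here)
    attrs = ("encryption", "hash", "authentication", "group")
    if not any(all(pa[k] == pb[k] for k in attrs)
               for pa in a["policies"] for pb in b["policies"]):
        findings.append("no ISAKMP policy agrees on encryption/hash/authentication/group")
    # Phase 2: each crypto-map entry needs an identical transform set on the peer
    # and a peer crypto ACL that is the exact mirror image of its own
    fmt = lambda pairs: ", ".join(f"{s}->{d}" for s, d in sorted(pairs, key=str))
    for ma in a["maps"].values():
        for mb in b["maps"].values():
            ta, tb = a["tsets"].get(ma.get("transform-set")), b["tsets"].get(mb.get("transform-set"))
            if ta != tb:
                findings.append(f"transform sets differ: {sorted(ta or ())} vs {sorted(tb or ())}")
            own = set(a["acls"].get(ma.get("address"), []))
            mirrored = {(dst, src) for src, dst in b["acls"].get(mb.get("address"), [])}
            if own != mirrored:
                findings.append(f"crypto ACLs are not mirror images: {fmt(own)} vs peer {fmt(mirrored)}")
    return findings

if __name__ == "__main__":
    print("as posted:", check_pair(REMOTE_CFG, CENTRAL_CFG) or "no mismatches found")
    print("corrected:", check_pair(REMOTE_CFG_FIXED, CENTRAL_CFG_FIXED) or "no mismatches found")
```

    Run it with python3 and the posted pair reports only the ACL mirror problem, while the corrected pair reports nothing. The same check also shows why adding encryption 3des on just one router, as suggested later in the thread, would move the failure to Phase 1: the policy comparison would then fail before Quick Mode is ever reached, so any such change has to be made on both peers.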


    • #3
      Weird, if the two routers are connected back to back: why are both serial interfaces DCE (with clock rate) and the routers do not report an error?
      As for the IPsec part, if there is no PC or any other device attached to the routers, you have to configure loopback interfaces to represent the two networks 192.168.0.0/24 and 192.168.1.0/24, and you have to use an extended ping sourced from the loopback address. Could this be the cause?
      Last edited by them huyen; 30-12-2007, 06:31 AM.
      Work all day, sleep all night.



      • #4
        In the crypto isakmp policy section,
        you should add encryption 3des, either 3des or des, and see what happens.



        • #5
          Your configuration is only missing the two networks 192.168.1.0 and 192.168.0.0. Configure those two networks and it is guaranteed to work.
          Nguyễn Quốc Lễ, CCNP CCSP