Hello everyone!
There is an AS5400XM access router to which users connect with the Cisco VPN Client. When the client connects over the internet there are no problems at all, but over dial-up nothing works. After the dial-in the connection is established, and then the Cisco VPN Client fails at IPsec ISAKMP SA phase 1. Config:
Current configuration : 6739 bytes
!
!
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname sar-5400XM-1i
!
boot-start-marker
boot system flash c5400-jk9s-mz.124-24.T2.bin
no boot startup-test
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$se4X$U.0fsDxwCU.uLFD120OdV0
!
!
!
resource-pool disable
aaa new-model
!
!
aaa authentication login userauthen group radius local
aaa authentication login adminauthen local
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa authorization network groupauthor local
aaa accounting network default
action-type start-stop
group radius
!
aaa accounting network useracct
action-type start-stop
group radius
!
aaa accounting connection useracct
action-type start-stop
group radius
!
!
!
aaa session-id common
clock timezone Moscow 3
clock summer-time Moscow recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
spe call-record modem
!
spe default-firmware spe-firmware-1
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ipv6 cef
multilink bundle-name authenticated
isdn switch-type primary-net5
!
!
username xxxxx privilege 15 secret 5 xxxxxxxx
username xxxxx privilege 15 secret 5 xxxxxxxx
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group BC_CLIENTS
key cisco
domain test.ru
pool vpnpool209
acl 102
!
crypto ipsec transform-set VEB esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set security-association lifetime seconds 1800
set transform-set VEB
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap client accounting list useracct
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
controller E1 7/0
pri-group timeslots 1-31
!
controller E1 7/1
!
ip tcp synwait-time 10
!
!
!
interface Loopback0
ip address 192.168.209.1 255.255.255.0
!
interface GigabitEthernet0/0
description TO INTERNET
ip address x.x.x.x 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
negotiation auto
crypto map clientmap
!
interface GigabitEthernet0/1
description TO ACS
ip address 192.168.208.249 255.255.255.0
duplex auto
speed auto
negotiation auto
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
no fair-queue
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial7/0:15
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
no peer default ip address
no fair-queue
no cdp enable
!
interface Async1/33
no ip address
encapsulation slip
!...
!
!
!...
interface Async1/59
no ip address
encapsulation slip
!
interface Dialer1
ip unnumbered Loopback0
encapsulation ppp
no ip mroute-cache
dialer in-band
dialer idle-timeout 300
dialer-group 1
peer default ip address pool vpnpool209
no fair-queue
no cdp enable
ppp authentication chap pap callin
ppp multilink
!
interface Group-Async0
no ip address
encapsulation slip
no group-range
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
no ip mroute-cache
async mode dedicated
peer default ip address pool vpnpool209
ppp authentication chap pap callin
group-range 1/00 1/32
!
router eigrp 208
redistribute static
network 192.168.208.0
auto-summary
!
ip local pool vpnpool209 192.168.209.2 192.168.209.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 194.186.206.254
ip route 192.168.1.0 255.255.255.0 192.168.208.1
ip route 192.168.4.0 255.255.252.0 192.168.208.1
!
no ip http server
no ip http secure-server
!
!
access-list 101 permit ahp any host x.x.x.x
access-list 101 permit esp any host x.x.x.x
access-list 101 permit udp any host x.x.x.x eq isakmp
access-list 101 permit udp any host x.x.x.x eq non500-isakmp
access-list 101 permit icmp x.x.x.0 0.0.0.255 host x.x.x.x echo
access-list 101 permit icmp x.x.x.0 0.0.0.255 host x.x.x.x echo-reply
access-list 101 permit icmp x.x.x.0 0.0.0.255 host x.x.x.x unreachable
access-list 101 deny ip any any log
access-list 102 permit ip host 192.168.208.250 192.168.209.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
radius-server host 192.168.4.246 auth-port 1645 acct-port 1646
radius-server key 7 044D1B085A751C1E3134
!
!
voice-port 7/0:D
!
!
!
!
!
ss7 mtp2-variant Bellcore 0
ss7 mtp2-variant Bellcore 1
ss7 mtp2-variant Bellcore 2
ss7 mtp2-variant Bellcore 3
!
line con 0
login authentication adminauthen
line aux 0
line vty 0 4
login authentication adminauthen
transport input none
line 1/00 1/32
no flush-at-activation
modem InOut
transport input all
line 1/33 1/59
modem InOut
!
ntp server 192.168.208.250
end

Client log:
1 17:28:09.890 12/10/09 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
2 17:28:09.890 12/10/09 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

Router log (debug crypto isakmp):
000694: Dec 10 17:35:02: ISAKMP (0): received packet from 192.168.209.3 dport 500 sport 3899 Global (N) NEW SA
000695: Dec 10 17:35:02: ISAKMP: Created a peer struct for 192.168.209.3, peer port 3899
000696: Dec 10 17:35:02: ISAKMP: New peer created peer = 0x6506BFF8 peer_handle = 0x80000017
000697: Dec 10 17:35:02: ISAKMP: Locking peer struct 0x6506BFF8, refcount 1 for crypto_isakmp_process_block
000698: Dec 10 17:35:02: ISAKMP: local port 500, remote port 3899
000699: Dec 10 17:35:02: ISAKMP:(0):insert sa successfully sa = 687614D8
000700: Dec 10 17:35:02: ISAKMP:(0): processing SA payload. message ID = 0
000701: Dec 10 17:35:02: ISAKMP:(0): processing ID payload. message ID = 0
000702: Dec 10 17:35:02: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : BC_CLIENTS
protocol : 17
port : 500
length : 18
000703: Dec 10 17:35:02: ISAKMP:(0):: peer matches *none* of the profiles
000704: Dec 10 17:35:02: ISAKMP:(0): processing vendor id payload
000705: Dec 10 17:35:02: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
000706: Dec 10 17:35:02: ISAKMP:(0): vendor ID is XAUTH
000707: Dec 10 17:35:02: ISAKMP:(0): processing vendor id payload
000708: Dec 10 17:35:02: ISAKMP:(0): vendor ID is DPD
000709: Dec 10 17:35:02: ISAKMP:(0): processing vendor id payload
000710: Dec 10 17:35:02: ISAKMP:(0): processing IKE frag vendor id payload
000711: Dec 10 17:35:02: ISAKMP:(0): vendor ID is IKE Fragmentation
000712: Dec 10 17:35:02: ISAKMP:(0): MM Fragmentation supported
000713: Dec 10 17:35:02: ISAKMP:(0): processing vendor id payload
000714: Dec 10 17:35:02: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000715: Dec 10 17:35:02: ISAKMP:(0): vendor ID is NAT-T v2
000716: Dec 10 17:35:02: ISAKMP:(0): processing vendor id payload
000717: Dec 10 17:35:02: ISAKMP:(0): vendor ID is Unity
000718: Dec 10 17:35:02: ISAKMP : Scanning profiles for xauth ...
000719: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
000720: Dec 10 17:35:02: ISAKMP: encryption AES-CBC
000721: Dec 10 17:35:02: ISAKMP: hash SHA
000722: Dec 10 17:35:02: ISAKMP: default group 2
000723: Dec 10 17:35:02: ISAKMP: auth XAUTHInitPreShared
000724: Dec 10 17:35:02: ISAKMP: life type in seconds
000725: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000726: Dec 10 17:35:02: ISAKMP: keylength of 256
000727: Dec 10 17:35:02: ISAKMP:(0):Encryption algorithm offered does not match policy!
000728: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000729: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
000730: Dec 10 17:35:02: ISAKMP: encryption AES-CBC
000731: Dec 10 17:35:02: ISAKMP: hash MD5
000732: Dec 10 17:35:02: ISAKMP: default group 2
000733: Dec 10 17:35:02: ISAKMP: auth XAUTHInitPreShared
000734: Dec 10 17:35:02: ISAKMP: life type in seconds
000735: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000736: Dec 10 17:35:02: ISAKMP: keylength of 256
000737: Dec 10 17:35:02: ISAKMP:(0):Encryption algorithm offered does not match policy!
000738: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000739: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
000740: Dec 10 17:35:02: ISAKMP: encryption AES-CBC
000741: Dec 10 17:35:02: ISAKMP: hash SHA
000742: Dec 10 17:35:02: ISAKMP: default group 2
000743: Dec 10 17:35:02: ISAKMP: auth pre-share
000744: Dec 10 17:35:02: ISAKMP: life type in seconds
000745: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000746: Dec 10 17:35:02: ISAKMP: keylength of 256
000747: Dec 10 17:35:02: ISAKMP:(0):Encryption algorithm offered does not match policy!
000748: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000749: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
000750: Dec 10 17:35:02: ISAKMP: encryption AES-CBC
000751: Dec 10 17:35:02: ISAKMP: hash MD5
000752: Dec 10 17:35:02: ISAKMP: default group 2
000753: Dec 10 17:35:02: ISAKMP: auth pre-share
000754: Dec 10 17:35:02: ISAKMP: life type in seconds
000755: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000756: Dec 10 17:35:02: ISAKMP: keylength of 256
000757: Dec 10 17:35:02: ISAKMP:(0):Encryption algorithm offered does not match policy!
000758: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000759: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
000760: Dec 10 17:35:02: ISAKMP: encryption AES-CBC
000761: Dec 10 17:35:02: ISAKMP: hash SHA
000762: Dec 10 17:35:02: ISAKMP: default group 2
000763: Dec 10 17:35:02: ISAKMP: auth XAUTHInitPreShared
000764: Dec 10 17:35:02: ISAKMP: life type in seconds
000765: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000766: Dec 10 17:35:02: ISAKMP: keylength of 128
000767: Dec 10 17:35:02: ISAKMP:(0):Encryption algorithm offered does not match policy!
000768: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000769: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
000770: Dec 10 17:35:02: ISAKMP: encryption AES-CBC
000771: Dec 10 17:35:02: ISAKMP: hash MD5
000772: Dec 10 17:35:02: ISAKMP: default group 2
000773: Dec 10 17:35:02: ISAKMP: auth XAUTHInitPreShared
000774: Dec 10 17:35:02: ISAKMP: life type in seconds
000775: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000776: Dec 10 17:35:02: ISAKMP: keylength of 128
000777: Dec 10 17:35:02: ISAKMP:(0):Encryption algorithm offered does not match policy!
000778: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000779: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
000780: Dec 10 17:35:02: ISAKMP: encryption AES-CBC
000781: Dec 10 17:35:02: ISAKMP: hash SHA
000782: Dec 10 17:35:02: ISAKMP: default group 2
000783: Dec 10 17:35:02: ISAKMP: auth pre-share
000784: Dec 10 17:35:02: ISAKMP: life type in seconds
000785: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000786: Dec 10 17:35:02: ISAKMP: keylength of 128
000787: Dec 10 17:35:02: ISAKMP:(0):Encryption algorithm offered does not match policy!
000788: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000789: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
000790: Dec 10 17:35:02: ISAKMP: encryption AES-CBC
000791: Dec 10 17:35:02: ISAKMP: hash MD5
000792: Dec 10 17:35:02: ISAKMP: default group 2
000793: Dec 10 17:35:02: ISAKMP: auth pre-share
000794: Dec 10 17:35:02: ISAKMP: life type in seconds
000795: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000796: Dec 10 17:35:02: ISAKMP: keylength of 128
000797: Dec 10 17:35:02: ISAKMP:(0):Encryption algorithm offered does not match policy!
000798: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000799: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
000800: Dec 10 17:35:02: ISAKMP: encryption 3DES-CBC
000801: Dec 10 17:35:02: ISAKMP: hash SHA
000802: Dec 10 17:35:02: ISAKMP: default group 2
000803: Dec 10 17:35:02: ISAKMP: auth XAUTHInitPreShared
000804: Dec 10 17:35:02: ISAKMP: life type in seconds
000805: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000806: Dec 10 17:35:02: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
000807: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000808: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
000809: Dec 10 17:35:02: ISAKMP: encryption 3DES-CBC
000810: Dec 10 17:35:02: ISAKMP: hash MD5
000811: Dec 10 17:35:02: ISAKMP: default group 2
000812: Dec 10 17:35:02: ISAKMP: auth XAUTHInitPreShared
000813: Dec 10 17:35:02: ISAKMP: life type in seconds
000814: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000815: Dec 10 17:35:02: ISAKMP:(0):Hash algorithm offered does not match policy!
000816: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000817: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
000818: Dec 10 17:35:02: ISAKMP: encryption 3DES-CBC
000819: Dec 10 17:35:02: ISAKMP: hash SHA
000820: Dec 10 17:35:02: ISAKMP: default group 2
000821: Dec 10 17:35:02: ISAKMP: auth pre-share
000822: Dec 10 17:35:02: ISAKMP: life type in seconds
000823: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000824: Dec 10 17:35:02: ISAKMP:(0):Preshared authentication offered but does not match policy!
000825: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000826: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
000827: Dec 10 17:35:02: ISAKMP: encryption 3DES-CBC
000828: Dec 10 17:35:02: ISAKMP: hash MD5
000829: Dec 10 17:35:02: ISAKMP: default group 2
000830: Dec 10 17:35:02: ISAKMP: auth pre-share
000831: Dec 10 17:35:02: ISAKMP: life type in seconds
000832: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000833: Dec 10 17:35:02: ISAKMP:(0):Hash algorithm offered does not match policy!
000834: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000835: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
000836: Dec 10 17:35:02: ISAKMP: encryption DES-CBC
000837: Dec 10 17:35:02: ISAKMP: hash MD5
000838: Dec 10 17:35:02: ISAKMP: default group 2
000839: Dec 10 17:35:02: ISAKMP: auth XAUTHInitPreShared
000840: Dec 10 17:35:02: ISAKMP: life type in seconds
000841: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000842: Dec 10 17:35:02: ISAKMP:(0):Encryption algorithm offered does not match policy!
000843: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000844: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
000845: Dec 10 17:35:02: ISAKMP: encryption DES-CBC
000846: Dec 10 17:35:02: ISAKMP: hash MD5
000847: Dec 10 17:35:02: ISAKMP: default group 2
000848: Dec 10 17:35:02: ISAKMP: auth pre-share
000849: Dec 10 17:35:02: ISAKMP: life type in seconds
000850: Dec 10 17:35:02: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000851: Dec 10 17:35:02: ISAKMP:(0):Encryption algorithm offered does not match policy!
000852: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 0
000853: Dec 10 17:35:02: ISAKMP:(0):no offers accepted!
000854: Dec 10 17:35:02: ISAKMP:(0): phase 1 SA policy not acceptable! (local 194.186.206.238 remote 192.168.209.3)
000855: Dec 10 17:35:02: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
000856: Dec 10 17:35:02: ISAKMP:(0): Failed to construct AG informational message.
000857: Dec 10 17:35:02: ISAKMP:(0): sending packet to 192.168.209.3 my_port 500 peer_port 3899 (R) AG_NO_STATE
000858: Dec 10 17:35:02: ISAKMP:(0):Sending an IKE IPv4 Packet.
000859: Dec 10 17:35:02: ISAKMP:(0):peer does not do paranoid keepalives.
000860: Dec 10 17:35:02: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.209.3)
000861: Dec 10 17:35:02: ISAKMP:(0): processing KE payload. message ID = 0
000862: Dec 10 17:35:02: ISAKMP:(0): group size changed! Should be 0, is 128
000863: Dec 10 17:35:02: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
000864: Dec 10 17:35:02: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
000865: Dec 10 17:35:02: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
000866: Dec 10 17:35:02: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
000867: Dec 10 17:35:02: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.209.3
000868: Dec 10 17:35:02: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.209.3)
000869: Dec 10 17:35:02: ISAKMP: Unlocking peer struct 0x6506BFF8 for isadb_mark_sa_deleted(), count 0
000870: Dec 10 17:35:02: ISAKMP: Deleting peer node by peer_reap for 192.168.209.3: 6506BFF8
000871: Dec 10 17:35:02: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000872: Dec 10 17:35:02: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
000873: Dec 10 17:35:07: ISAKMP (0): received packet from 192.168.209.3 dport 500 sport 3899 Global (R) MM_NO_STATE
000874: Dec 10 17:35:12: ISAKMP (0): received packet from 192.168.209.3 dport 500 sport 3899 Global (R) MM_NO_STATE

Maybe someone can suggest something.
Thanks in advance.
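As an added example that is not part of the thread (neither the poster's nor Cisco's code), here is a small Python parser for the `debug crypto isakmp` output above. It reads the per-transform blocks the router prints while checking the aggressive-mode offer against `crypto isakmp policy 10`, decodes the lifetime attribute, and flags transforms whose cipher, hash and DH group already equal the configured policy but were still refused. On the log above that is transform 9 (3DES, SHA, group 2, XAUTHInitPreShared), refused only on the authentication method, which points away from the ISAKMP policy itself and toward where the crypto map is bound, consistent with the fix in the reply (adding `crypto map clientmap` to the Group-Async1 interface). The sample log is a constructed subset in the thread's format, and all function and field names are this example's own.

```python
"""Summarise phase 1 transform rejections from Cisco IOS `debug crypto isakmp`.

Added example for this thread, not code from the forum or from Cisco: it parses
the per-transform blocks IOS prints while checking an aggressive-mode offer
against its `crypto isakmp policy` entries and reports what each transform
offered and why it was refused.  Sample log and all names are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample in the thread's format: transforms 1 and 9 plus the closing lines.
SAMPLE_LOG = """\
000719: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
000720: Dec 10 17:35:02: ISAKMP:      encryption AES-CBC
000721: Dec 10 17:35:02: ISAKMP:      hash SHA
000722: Dec 10 17:35:02: ISAKMP:      default group 2
000723: Dec 10 17:35:02: ISAKMP:      auth XAUTHInitPreShared
000724: Dec 10 17:35:02: ISAKMP:      life type in seconds
000725: Dec 10 17:35:02: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
000726: Dec 10 17:35:02: ISAKMP:      keylength of 256
000727: Dec 10 17:35:02: ISAKMP:(0):Encryption algorithm offered does not match policy!
000728: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 3
000799: Dec 10 17:35:02: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
000800: Dec 10 17:35:02: ISAKMP:      encryption 3DES-CBC
000801: Dec 10 17:35:02: ISAKMP:      hash SHA
000802: Dec 10 17:35:02: ISAKMP:      default group 2
000803: Dec 10 17:35:02: ISAKMP:      auth XAUTHInitPreShared
000804: Dec 10 17:35:02: ISAKMP:      life type in seconds
000805: Dec 10 17:35:02: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
000806: Dec 10 17:35:02: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
000807: Dec 10 17:35:02: ISAKMP:(0):atts are not acceptable. Next payload is 0
000808: Dec 10 17:35:02: ISAKMP:(0):no offers accepted!
"""

# `crypto isakmp policy 10` from the thread: encr 3des, group 2, hash left at the IOS default (SHA).
POLICY_10 = {"encryption": "3DES-CBC", "hash": "SHA", "group": 2}

PREFIX = re.compile(r"^\d+: \w{3} +\d+ [\d:]+: ")  # "000719: Dec 10 17:35:02: "
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of) (\S+)")
LIFE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9A-Fa-f]+\s*)+)")
REJECT = re.compile(r"ISAKMP:\(\d+\):(.+ does not match policy!)")
FIELD = {"encryption": "encryption", "hash": "hash", "default group": "group",
         "auth": "auth", "keylength of": "keylength"}


@dataclass
class Transform:
    number: int
    policy: int
    encryption: str = ""
    hash: str = ""
    group: int = 0
    auth: str = ""
    keylength: int = 0       # stays 0 for fixed-key ciphers (3DES, DES)
    lifetime_s: int = 0
    reason: str = "accepted"


def parse_isakmp_debug(text):
    """Return (transforms, no_offers): each transform the router checked with the
    rejection reason IOS printed for it, and whether the whole offer was refused."""
    transforms, current, no_offers = [], None, False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip())
        if m := CHECK.search(line):
            current = Transform(number=int(m.group(1)), policy=int(m.group(2)))
            transforms.append(current)
        elif "no offers accepted!" in line:
            no_offers = True
        elif current is None:
            continue
        elif m := REJECT.search(line):
            current.reason = m.group(1)
        elif m := LIFE.search(line):
            # IOS prints the variable-length lifetime attribute as big-endian bytes.
            octets = bytes(int(x, 16) for x in m.group(1).split())
            current.lifetime_s = int.from_bytes(octets, "big")
        elif m := ATTR.search(line):
            key, value = m.groups()
            setattr(current, FIELD[key], int(value) if value.isdigit() else value)
    return transforms, no_offers


def auth_only_rejections(transforms, policy):
    """Transforms whose cipher, hash and DH group equal the configured policy yet were
    refused: the refusal then concerns the authentication method, not the suite."""
    return [t for t in transforms if t.reason != "accepted"
            and (t.encryption, t.hash, t.group)
            == (policy["encryption"], policy["hash"], policy["group"])]


if __name__ == "__main__":
    found, failed = parse_isakmp_debug(SAMPLE_LOG)
    for t in found:
        print(f"transform {t.number}: {t.encryption}/{t.hash}/group{t.group}/{t.auth} "
              f"key={t.keylength} life={t.lifetime_s}s -> {t.reason}")
    print("no offers accepted:", failed)
    print("suite matches policy 10, refused on auth:",
          [t.number for t in auth_only_rejections(found, POLICY_10)])
```

Feed it the full debug output from the router (the regexes strip the sequence-number and timestamp prefix, so `show logging` output pastes in unchanged) and compare `auth_only_rejections` against every `crypto isakmp policy` in the configuration: an empty list means the client's proposals genuinely do not overlap the policies, a non-empty one means the suite is fine and the problem lies in authentication or in which interface the crypto map is applied to.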
>interface Group-Async1
> ip unnumbered Loopback0
> encapsulation ppp
> no ip mroute-cache
> async mode dedicated
> peer default ip address pool vpnpool209
> ppp authentication chap pap callin
> group-range 1/00 1/32

crypto map clientmap
>[overquoting removed]
>>interface Group-Async1
>> ip unnumbered Loopback0
>> encapsulation ppp
>> no ip mroute-cache
>> async mode dedicated
>> peer default ip address pool vpnpool209
>> ppp authentication chap pap callin
>> group-range 1/00 1/32
>
>crypto map clientmap

Thanks, ВОЛК. Everything works now.