ASR1002 VPN IPSEC/L2TP - problem

averon91
fresh
Posts: 6
Registered: 10 Sep 2019, 13:53

ASR1002 VPN IPSEC/L2TP - problem

#1 Post by averon91 »

Hello everyone,
I have a problem getting an ASR1002 configured correctly. The idea is for two VPNs to run at the same time, IPsec and L2TP.
The IPsec session comes up without any problem, but there are problems with L2TP. The session gets established for a moment, but at the end of connection setup it fails on the Windows side (if I remember correctly, error 619). While the connection attempt is in progress, "show l2tp session" shows the session as established. It disappears right afterwards, though. Once it disconnects I get the following logs:

Sep 9 20:47:07.115: L2TP tnl 0805A:000055A5:
Sep 9 20:47:07.115: L2TP 0000B:0805A:0000DB1F: Rx CDN, flg TLS, ver 2, len 38
Sep 9 20:47:07.115: L2TP 0000B:0805A:0000DB1F: IETF v2:
Sep 9 20:47:07.115: L2TP 0000B:0805A:0000DB1F: Result Code
Sep 9 20:47:07.115: L2TP 0000B:0805A:0000DB1F: Call disconnected for administrative reasons(3)
Sep 9 20:47:07.115: L2TP 0000B:0805A:0000DB1F: Error code
Sep 9 20:47:07.115: L2TP 0000B:0805A:0000DB1F: No error(0)
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: Assigned Call ID 0x00000001 (1)
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F:
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: Tx ZLB ACK to user.local 144/1
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F:
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: FSM-Sn ev Rx-CDN
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: FSM-Sn established->Idle
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: FSM-Sn do Rx-CDN
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: VPDN: process AVPs
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F:
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: Shutting down session
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: Result Code
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: Call disconnected for administrative reasons (3)
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: Error Code
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: No error (0)
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: Vendor Error
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: None (0)
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: Optional Message
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: "No disconnect reason given"
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F:
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: FSM-Sn ev Shut
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: FSM-Sn Idle->Dead
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: FSM-Sn do Destroy
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F:
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: APP<-L2TP: Disconnect
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: sock CD00000B
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: serv 0000805C
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F:
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: Session down
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: x.x.x.x<->y.y.y.y
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: Destroying session
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: Dataplane deallocated, segment 0
Sep 9 20:47:07.117: L2TP tnl 0805A:000055A5: FSM-CC ev Session-Disc
Sep 9 20:47:07.117: L2TP tnl 0805A:000055A5: FSM-CC in established
Sep 9 20:47:07.117: L2TP tnl 0805A:000055A5: FSM-CC do Session-Disc-Est
Sep 9 20:47:07.117: L2TP tnl 0805A:000055A5: Session count now 0
Sep 9 20:47:07.117: L2TP tnl 0805A:000055A5: VPDN Session count now 0
Sep 9 20:47:07.117: L2TP tnl 0805A:000055A5: FSM-CC ev No-Users
Sep 9 20:47:07.117: L2TP tnl 0805A:000055A5: FSM-CC established->Est-No-User
Sep 9 20:47:07.117: L2TP tnl 0805A:000055A5: FSM-CC do No-Users
Sep 9 20:47:07.117: L2TP tnl 0805A:000055A5: No more cc users, shutdown (likely) in 10 secs
Sep 9 20:47:07.117: L2TP 0000B:_____:________: Session detached
Sep 9 20:47:07.117: L2TP 0000B:_____:________: sending APP disconnect
Sep 9 20:47:07.118: L2TP 0000B:_____:________:
Sep 9 20:47:07.118: L2TP 0000B:_____:________: APP<-L2TP: Disconnect
Sep 9 20:47:07.118: L2TP 0000B:_____:________: sock CD00000B
Sep 9 20:47:07.118: L2TP 0000B:_____:________: serv 0000805C
Sep 9 20:47:07.118: L2TP 0000B:_____:________:
Sep 9 20:47:07.120: VPDN Failed to get session from socket handle CD00000B
Sep 9 20:47:07.121: L2X 0000B:_____:________: APP->L2TP: Destroy [11],
Sep 9 20:47:07.121: L2X 0000B:_____:________: sock CD00000B
Sep 9 20:47:07.121: L2X 0000B:_____:________: serv 0000805C
Sep 9 20:47:07.121: L2X 0000B:_____:________: data 440D9E74[277]
Sep 9 20:47:07.121: L2X 0000B:_____:________: replied on same socket
Sep 9 20:47:07.121: L2X 0000B:_____:________:
Sep 9 20:47:07.121: L2X 0000B:_____:________: L2TUN: remove sock CD00000B
Sep 9 20:47:07.121: L2X 0000B:_____:________: Destroying logical session
Sep 9 20:47:07.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
Sep 9 20:47:07.124: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
Sep 9 20:47:07.157: L2TP tnl 0805A:000055A5: StopCCN: skip authen, no nonce yet
Sep 9 20:47:07.157: L2TP tnl 0805A:000055A5:
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: Rx StopCCN, flg TLS, ver 2, len 38
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: IETF v2:
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: Result Code
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: Requestor is being shut down(6)
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: Error code
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: No error(0)
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: Assigned Tunnel I 0x00000090 (144)
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5:
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: Tx ZLB ACK to user.local tnl 144
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5:
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: FSM-CC ev Rx-StopCCN
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: FSM-CC in Est-No-User
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: FSM-CC do Rx-StopCCN
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5:
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: Shutting down tunnel
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: Result Code
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: Requestor is being shut down
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: Error Code
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: No error
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: Vendor Error
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: None
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5:
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: FSM-CC ev Shut-Now
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: FSM-CC Est-No-User->Wt-STOPACK
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: FSM-CC do Shutnow
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: FSM-CC ev Shut-Comp
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: FSM-CC Wt-STOPACK->Dead
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: FSM-CC do Shutdown-Completed
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: Tunnel accounting send not possible - no mlist
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: Control channel down
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: x.x.x.x<->y.y.y.y
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: ADJ UP
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: Destroying tunnel
Sep 9 20:47:07.159: L2X tnl 0805A:________: Destroying logical tunnel
Sep 9 20:47:07.159: L2X _____:________: class [AAA author, group "L2TP"]
Sep 9 20:47:07.159: L2X _____:________: Protocol unlocked 1->0
HQ-Lodz#
Sep 9 20:47:07.159: L2X _____:________: class[AAA author, group "L2TP"]
Sep 9 20:47:07.159: L2X _____:________: no more locks
Sep 9 20:47:07.159: L2X _____:________: class [AAA author, group "L2TP"]
Sep 9 20:47:07.160: L2X _____:________: deleted

When I did this in my lab, not at the customer's site, everything ran fine. At the customer's site everything also works on a C2901. Crypto maps, policies etc. - I tried everything the same way I have it at home and the same way it is on his 2901. One of the configurations:

vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key testtest456 address x.x.x.x y.y.y.y
crypto isakmp key testtest123 address 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set SET2 esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map DYN-MAPKA 12
set nat demux
set transform-set SET2
!
!
crypto map MAPKA 10 ipsec-isakmp
set peer x.x.x.x
set transform-set SET
match address VPN
crypto map MAPKA 12 ipsec-isakmp dynamic DYN-MAPKA
interface GigabitEthernet0/0/0
ip address x.x.x.x y.y.y.y
ip nat outside
negotiation auto
crypto map MAPKA
ip virtual-reassembly
!
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0/0
ip nat inside
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH

This configuration works in my lab but does not work at the customer's site. I changed policies, maps etc., but either the session doesn't come up at all or it falls over at the end of the connection. The firewall isn't blocking anything; on a different device both VPNs work.
Any hints as to what might be wrong? At the moment I won't be able to test your suggestions at the customer's site; I'll check as soon as I can.
I'm new to this topic, please bear with me :)
Averon91

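As an added example (not code from the post or from Cisco), a small Python parser for IOS L2TP debug output like the log quoted above: it groups lines by session or tunnel ID and records the FSM transitions, which control messages arrived from the peer, and the first result code, so you can see whether the remote peer or the router itself requested the teardown. The sample lines are copied from the post's log; the regexes assume the line layout shown there.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the debug output quoted in the post.
SAMPLE_LOG = """\
Sep 9 20:47:07.115: L2TP 0000B:0805A:0000DB1F: Rx CDN, flg TLS, ver 2, len 38
Sep 9 20:47:07.115: L2TP 0000B:0805A:0000DB1F: Result Code
Sep 9 20:47:07.115: L2TP 0000B:0805A:0000DB1F: Call disconnected for administrative reasons(3)
Sep 9 20:47:07.116: L2TP 0000B:0805A:0000DB1F: FSM-Sn established->Idle
Sep 9 20:47:07.117: L2TP 0000B:0805A:0000DB1F: FSM-Sn Idle->Dead
Sep 9 20:47:07.120: VPDN Failed to get session from socket handle CD00000B
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: Rx StopCCN, flg TLS, ver 2, len 38
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: Result Code
Sep 9 20:47:07.158: L2TP tnl 0805A:000055A5: Requestor is being shut down(6)
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: FSM-CC Est-No-User->Wt-STOPACK
Sep 9 20:47:07.159: L2TP tnl 0805A:000055A5: FSM-CC Wt-STOPACK->Dead
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:.]+: (?:L2TP|L2X) (?P<id>tnl \S+|\S+): ?(?P<msg>.*)$")
RX_RE = re.compile(r"^Rx (?P<ctl>\w+),")                       # control message received from the peer
FSM_RE = re.compile(r"^FSM-(?:Sn|CC) (?P<src>[\w-]+)->(?P<dst>[\w-]+)$")
RESULT_RE = re.compile(r"^(?P<text>.+?)\s*\((?P<code>\d+)\)$")  # matches "text(3)" and "text (3)"

def summarise(lines):
    """Map each session/tunnel id to its Rx messages, FSM transitions and first result code."""
    out = defaultdict(lambda: {"rx": [], "fsm": [], "result": None})
    awaiting = None  # id whose next line carries the Result Code AVP text
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # %LINK, VPDN and prompt lines are not L2TP FSM records
        ident, msg = m.group("id"), m.group("msg").strip()
        entry = out[ident]
        if awaiting == ident:
            r = RESULT_RE.match(msg)
            if r and entry["result"] is None:  # keep the first code: the one from the received CDN/StopCCN
                entry["result"] = (int(r.group("code")), r.group("text").strip())
            awaiting = None
        if (rx := RX_RE.match(msg)):
            entry["rx"].append(rx.group("ctl"))
        if (f := FSM_RE.match(msg)):
            entry["fsm"].append((f.group("src"), f.group("dst")))
        if msg.lower() == "result code":
            awaiting = ident
    return dict(out)

def initiator(entry):
    """'peer' if the teardown request (CDN/StopCCN) was received, otherwise 'local'."""
    return "peer" if any(c in ("CDN", "StopCCN") for c in entry["rx"]) else "local"
```

Run over the thread's log it reports the session's Rx CDN with result 3 and the tunnel's Rx StopCCN with result 6, i.e. both teardown requests were received from the peer rather than sent by the ASR, which points the investigation at the client side of the negotiation.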