Problem with L2TP

#1 Post by Gizmo » 21 Nov 2018, 10:03

Hi,

Maybe someone can point me in the right direction. I have configured an L2TP/IPsec connection on an ISR4331. Everything seems to work, i.e. the connection comes up, I can see traffic arriving and the router building a reply packet. To pre-empt the question of why on an ISR and why L2TP rather than some firewall: unfortunately this is all I have to work with, this is the hardware I have and this is what it can do. It is not up to me. This is what debug ip packet looks like for one ICMP packet from Windows.

Code:

*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, Virtual Fragment Reassembly(38), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, iEdge(97), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, MCI Check(108), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, TCP Adjust MSS(110), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, rcvd 2
*Nov 21 08:45:13.602: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, stop process pak for forus packet
*Nov 21 08:45:13.602: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, enqueue feature, TCP Adjust MSS(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129, len 60, local feature, feature skipped, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: tableid=0, s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), routed via FIB
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, sending
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, output feature, feature skipped, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, output feature, feature skipped, iEdge(16), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, output feature, feature skipped, TCP Adjust MSS(58), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Here you can see the established connection and IPsec.

Code:

ROUTER#sho users
<...>
  Interface    User               Mode         Idle     Peer Address
  Vi2.1        test         PPPoVPDN     -        10.127.255.129

ROUTER#sho l2tp tunnel
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID   RemTunID   Remote Name   State  Remote Address  Sessn L2TP Class/
                                                           Count VPDN Group
2693       1          8MAN.LAB.local est    192.168.1.62   1     1

ROUTER#sho crypto ipsec sa

interface: GigabitEthernet0/0/0
    Crypto map tag: L2TP, local addr 193.17.203.241

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (192.168.1.62/255.255.255.255/17/57543)
   current_peer 192.168.1.62 port 57543
     PERMIT, flags={}
    #pkts encaps: 141, #pkts encrypt: 141, #pkts digest: 141
    #pkts decaps: 514, #pkts decrypt: 514, #pkts verify: 514
Unfortunately, there are no replies visible, e.g. to pings, and SSH or any other protocol does not work. In L2TP I cannot see any packets going out. There are a few packets in the output here, but to me it looks more like keepalives than production traffic. Between the first and the second entry a standard Windows ping went out (5 packets); input grew by 6 (OK) but output only by 2.

Code:

ROUTER#sho l2tp session packets

L2TP Session Information Total tunnels 1 sessions 1

LocID      RemID      TunID      Pkts-In    Pkts-Out   Bytes-In   Bytes-Out
23770      1          2693       545        167        33722      2681

ROUTER#sho l2tp session packets

L2TP Session Information Total tunnels 1 sessions 1

LocID      RemID      TunID      Pkts-In    Pkts-Out   Bytes-In   Bytes-Out
23770      1          2693       551        169        34010      2713

Configuration

Code:

crypto keyring UserVPN
  pre-shared-key address 0.0.0.0 0.0.0.0 key <---jakiś tam key --->
crypto logging session
crypto logging ezvpn
crypto logging ikev2
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 20
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto dynamic-map USERVPN 10
 set nat demux
 set transform-set AES-SHA 3DES-SHA
 reverse-route
crypto map L2TP 10 ipsec-isakmp dynamic USERVPN
 crypto map L2TP
 
interface Loopback12
 description - tmp 4 test -
 ip address 10.127.80.10 255.255.255.0
 ip nat inside

interface Loopback100
 description -- Lo for L2TP --
 ip address 10.127.255.255 255.255.255.255
 ip nat inside

interface GigabitEthernet0/0/0
 ip address 1.1.1.1 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip nbar protocol-discovery
 load-interval 30
 negotiation auto
 no cdp enable
 no lldp transmit
 no lldp receive
 crypto map L2TP
 ip virtual-reassembly

interface Virtual-Template1
 ip unnumbered Loopback100
 ip mtu 1392
 ip nat inside
 ip tcp adjust-mss 1352
 peer default ip address pool L2TP-POOL
 ppp authentication ms-chap pap L2TP-PPP
 ppp ipcp dns 8.8.4.4 8.8.8.8

ip local pool L2TP-POOL 10.127.255.129 10.127.255.190
ip nat pool NAT_1 1.1.1.1 1.1.1.1 prefix-length 28
ip nat inside source list ACL_NAT_1 pool NAT_1 overload extended

ip access-list extended ACL_NAT_1
 deny   ip 10.127.80.0 0.0.0.255 10.127.255.0 0.0.0.255
 permit ip 10.127.255.128 0.0.0.63 any
 permit ip host 10.127.255.255 any
 deny   ip any any
 
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 1.1.1.2
ip route 10.127.255.128 255.255.255.192 1.1.1.2

Regards,
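An added diagnostic helper, not part of the original post and not Cisco tooling. It takes the two `show l2tp session packets` snapshots and the `debug ip packet` excerpt quoted above (copied in verbatim as the sample input), computes the per-session counter growth around the ping, and reconstructs which stage each direction of the flow reached in the debug output, so that the "input grew by 6, output by 2" observation and the fate of the reply packet can be checked mechanically instead of by eye. The probe count of 5 follows the post; the function and record names are my own.

```python
"""Offline diagnostics for the L2TP return-path question in the post above.

Check 1: compare two `show l2tp session packets` snapshots taken around a
         probe (the 5-packet Windows ping from the post) and flag sessions
         whose Pkts-Out grew by fewer packets than probes were sent.
Check 2: walk the `debug ip packet` excerpt and reconstruct, per (src, dst)
         direction, the stages IOS logged: input/local/enqueue/output features
         (with the "feature skipped" flag) and events such as "rcvd",
         "routed via FIB" and "sending".
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: router output quoted in the post, copied verbatim.
SNAPSHOT_BEFORE = """
LocID      RemID      TunID      Pkts-In    Pkts-Out   Bytes-In   Bytes-Out
23770      1          2693       545        167        33722      2681
"""
SNAPSHOT_AFTER = """
LocID      RemID      TunID      Pkts-In    Pkts-Out   Bytes-In   Bytes-Out
23770      1          2693       551        169        34010      2713
"""
DEBUG_SAMPLE = """
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, Virtual Fragment Reassembly(38), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, iEdge(97), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, MCI Check(108), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, TCP Adjust MSS(110), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, rcvd 2
*Nov 21 08:45:13.602: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, stop process pak for forus packet
*Nov 21 08:45:13.602: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, enqueue feature, TCP Adjust MSS(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129, len 60, local feature, feature skipped, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: tableid=0, s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), routed via FIB
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, sending
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, output feature, feature skipped, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, output feature, feature skipped, iEdge(16), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, output feature, feature skipped, TCP Adjust MSS(58), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
"""

SESSION_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
DEBUG_RE = re.compile(
    r"IP: (?:tableid=\d+, )?s=(?P<src>[\d.]+) \((?P<sif>[^)]*)\), d=(?P<dst>[\d.]+)"
    r"(?: \((?P<dif>[^)]*)\))?(?:, len \d+)?, (?P<rest>.*)$"
)


def parse_l2tp_session_packets(text):
    """Map LocID -> counters from a `show l2tp session packets` snapshot."""
    out = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            loc, _rem, _tun, pin, pout, bin_, bout = map(int, m.groups())
            out[loc] = {"pkts_in": pin, "pkts_out": pout, "bytes_in": bin_, "bytes_out": bout}
    return out


def session_deltas(before, after):
    """Counter growth per session present in both snapshots."""
    return {loc: {k: after[loc][k] - v[k] for k in v} for loc, v in before.items() if loc in after}


def flag_asymmetric(deltas, probes_sent):
    """Sessions whose Pkts-Out grew by fewer packets than probes were sent.
    Keepalives can only inflate Pkts-Out, so growth below probes_sent means
    at least some replies never left through the L2TP session."""
    return {loc: d for loc, d in deltas.items() if d["pkts_out"] < probes_sent}


@dataclass
class Record:
    src: str
    src_if: str
    dst: str
    dst_if: Optional[str]  # only present once IOS has chosen an egress interface
    kind: str      # "input", "local", "enqueue", "output" (feature stages) or "event"
    detail: str    # feature name such as "NAT Inside(8)", or the event text
    skipped: bool  # True when IOS logged "feature skipped" for this feature


def parse_debug_ip_packet(text):
    """One Record per `debug ip packet` line; non-matching lines are ignored."""
    records = []
    for line in text.splitlines():
        m = DEBUG_RE.search(line)
        if not m:
            continue
        parts = [p.strip() for p in m["rest"].split(",")]
        if parts[0].endswith(" feature"):
            kind = parts[0].split()[0]
            skipped = "feature skipped" in parts
            detail = next(p for p in parts[1:] if p != "feature skipped")
        else:
            kind, detail, skipped = "event", parts[0], False
        records.append(Record(m["src"], m["sif"], m["dst"], m["dif"], kind, detail, skipped))
    return records


def flow_stages(records, src, dst):
    """Ordered (kind, detail) stages logged for the src -> dst direction."""
    return [(r.kind, r.detail) for r in records if r.src == src and r.dst == dst]


def output_features(records, src, dst):
    """(feature, skipped) for every output feature on the src -> dst direction."""
    return [(r.detail, r.skipped) for r in records
            if r.src == src and r.dst == dst and r.kind == "output"]


def reached_sending(records, src, dst):
    """True if IOS logged 'sending' for the src -> dst direction."""
    return ("event", "sending") in flow_stages(records, src, dst)


if __name__ == "__main__":
    deltas = session_deltas(parse_l2tp_session_packets(SNAPSHOT_BEFORE),
                            parse_l2tp_session_packets(SNAPSHOT_AFTER))
    print("counter growth:", deltas)
    print("sessions under-delivering for 5 probes:", flag_asymmetric(deltas, 5))
    recs = parse_debug_ip_packet(DEBUG_SAMPLE)
    print("reply stages:", flow_stages(recs, "10.127.80.10", "10.127.255.129"))
    print("reply output features:", output_features(recs, "10.127.80.10", "10.127.255.129"))
```

Run against the quoted output, the session check reports growth of 6 in and 2 out for session 23770 (so it is flagged for 5 probes), and the debug walk shows the request reaching "rcvd" as a forus packet and the reply reaching "sending" on Virtual-Access2.1 with every output feature, including NAT Inside, marked skipped. Taking the same two snapshots around a probe on your own router, and feeding a longer `debug ip packet` capture (ideally with an access-list to limit it to the test hosts) through the second check, tells you whether the reply is dropped before or after the "sending" stage.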