Maybe someone can point me in the right direction. I have configured an L2TP/IPsec connection on an ISR4331. Everything seems to work, i.e. the connection comes up, I can see traffic arriving and I can see the router building a reply packet. To pre-empt the question of why on an ISR and why L2TP rather than some firewall: unfortunately this is all I can work with, this is the hardware I have and this is what it can do; it is not up to me. This is what debug ip packet looks like for one ICMP packet from Windows.
Code:
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, Virtual Fragment Reassembly(38), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, iEdge(97), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, MCI Check(108), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, TCP Adjust MSS(110), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, rcvd 2
*Nov 21 08:45:13.602: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, stop process pak for forus packet
*Nov 21 08:45:13.602: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, enqueue feature, TCP Adjust MSS(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129, len 60, local feature, feature skipped, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: tableid=0, s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), routed via FIB
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, sending
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, output feature, feature skipped, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, output feature, feature skipped, iEdge(16), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, output feature, feature skipped, TCP Adjust MSS(58), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
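As an added example (not from the post), a small Python parser for the debug ip packet lines above: it extracts, per packet, the interface it arrived on, whether it was punted to the router itself ("forus"), whether a local reply was sent and on which interface, and which features were skipped on the reply. The sample input is copied (abridged) from the post's output; the field names in the result are my own.

```python
import re

# Sample input: lines copied (abridged) from the "debug ip packet" output in the post.
DEBUG_SAMPLE = """\
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, input feature, Virtual Fragment Reassembly(38), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.601: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, rcvd 2
*Nov 21 08:45:13.602: IP: s=10.127.255.129 (Virtual-Access2.1), d=10.127.80.10, len 60, stop process pak for forus packet
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129, len 60, local feature, feature skipped, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 21 08:45:13.602: IP: tableid=0, s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), routed via FIB
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, sending
*Nov 21 08:45:13.602: IP: s=10.127.80.10 (local), d=10.127.255.129 (Virtual-Access2.1), len 60, output feature, feature skipped, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
"""

LINE_RE = re.compile(r"IP: (?:tableid=\d+, )?s=(?P<src>[\d.]+)(?: \((?P<sif>[^)]+)\))?, "
                     r"d=(?P<dst>[\d.]+)(?: \((?P<dif>[^)]+)\))?, (?P<rest>.*)")
FEAT_RE = re.compile(r"(?P<stage>input|output|local|enqueue) feature, "
                     r"(?P<skipped>feature skipped, )?(?P<name>[^(]+)\(\d+\)")
STAGES = (("stop process pak", "punt"), ("routed via", "routed"),
          ("sending", "sending"), ("rcvd", "rcvd"))   # non-feature lines we recognise

def parse(text):
    """One dict per recognised line; the parenthesised name is the input (s=) or output (d=) interface."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = dict(src=m["src"], sif=m["sif"], dst=m["dst"], dif=m["dif"],
                   stage=None, feature=None, skipped=False)
        rest, f = m["rest"], FEAT_RE.search(m["rest"])
        if f:   # feature-chain line: input/output/local/enqueue feature, possibly skipped
            rec.update(stage=f["stage"], feature=f["name"].strip(), skipped=bool(f["skipped"]))
        else:
            rec["stage"] = next((s for k, s in STAGES if k in rest), None)
        recs.append(rec)
    return recs

def trace_flow(recs, client_ip):
    """Summarise the request/reply path for one VPN client address."""
    inbound = [r for r in recs if r["src"] == client_ip]
    outbound = [r for r in recs if r["dst"] == client_ip]
    return {
        "request_in_if": next((r["sif"] for r in inbound if r["sif"]), None),
        "punted_to_router": any(r["stage"] == "punt" for r in inbound),
        "reply_sent": any(r["stage"] == "sending" for r in outbound),
        "reply_out_if": next((r["dif"] for r in outbound if r["stage"] == "sending"), None),
        "skipped_on_reply": [r["feature"] for r in outbound if r["skipped"]],
    }
```

Run against the full debug capture, the summary shows whether the reply leaves on the same Virtual-Access interface the request came in on, which is the first thing to confirm before looking at the client side.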
Code:
ROUTER#sho users
<...>
Interface User Mode Idle Peer Address
Vi2.1 test PPPoVPDN - 10.127.255.129
ROUTER#sho l2tp tunnel
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/
Count VPDN Group
2693 1 8MAN.LAB.local est 192.168.1.62 1 1
ROUTER#sho crypto ipsec sa
interface: GigabitEthernet0/0/0
Crypto map tag: L2TP, local addr 193.17.203.241
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (192.168.1.62/255.255.255.255/17/57543)
current_peer 192.168.1.62 port 57543
PERMIT, flags={}
#pkts encaps: 141, #pkts encrypt: 141, #pkts digest: 141
#pkts decaps: 514, #pkts decrypt: 514, #pkts verify: 514
Code:
ROUTER#sho l2tp session packets
L2TP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Pkts-In Pkts-Out Bytes-In Bytes-Out
23770 1 2693 545 167 33722 2681
ROUTER#sho l2tp session packets
L2TP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Pkts-In Pkts-Out Bytes-In Bytes-Out
23770 1 2693 551 169 34010 2713
Code:
crypto keyring UserVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key <---jakiś tam key --->
crypto logging session
crypto logging ezvpn
crypto logging ikev2
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 20
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto dynamic-map USERVPN 10
set nat demux
set transform-set AES-SHA 3DES-SHA
reverse-route
crypto map L2TP 10 ipsec-isakmp dynamic USERVPN
crypto map L2TP
interface Loopback12
description - tmp 4 test -
ip address 10.127.80.10 255.255.255.0
ip nat inside
interface Loopback100
description -- Lo for L2TP --
ip address 10.127.255.255 255.255.255.255
ip nat inside
interface GigabitEthernet0/0/0
ip address 1.1.1.1 255.255.255.240
no ip redirects
no ip proxy-arp
ip nat outside
ip nbar protocol-discovery
load-interval 30
negotiation auto
no cdp enable
no lldp transmit
no lldp receive
crypto map L2TP
ip virtual-reassembly
interface Virtual-Template1
ip unnumbered Loopback100
ip mtu 1392
ip nat inside
ip tcp adjust-mss 1352
peer default ip address pool L2TP-POOL
ppp authentication ms-chap pap L2TP-PPP
ppp ipcp dns 8.8.4.4 8.8.8.8
ip local pool L2TP-POOL 10.127.255.129 10.127.255.190
ip nat pool NAT_1 1.1.1.1 1.1.1.1 prefix-length 28
ip nat inside source list ACL_NAT_1 pool NAT_1 overload extended
ip access-list extended ACL_NAT_1
deny ip 10.127.80.0 0.0.0.255 10.127.255.0 0.0.0.255
permit ip 10.127.255.128 0.0.0.63 any
permit ip host 10.127.255.255 any
deny ip any any
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 1.1.1.2
ip route 10.127.255.128 255.255.255.192 1.1.1.2
Regards,