L2TP – LAC Client Test Analysis


Topology

PC—-ISP—-[f0/0]LNS[ server]
This post only covers the test itself; for more on the LAC client, see the previous overview 《L2TP两种部署方法简述》 (a brief overview of the two L2TP deployment methods).

When you dial with the PC's L2TP client, pay attention to IPsec encryption: by default the registry has to be modified to turn IPsec encryption off. See the official article 《Disabling IPSEC Policy Used with L2TP》. With IPsec disabled, the PC sends the L2TP SCCRQ directly, but if the LNS is configured with “l2tp security crypto-profile CCIE”, it logs the following error and drops the connection:

“Ignoring SCCRQ, tunnel from “frank” requires security, however the SCCRQ was received unprotected”

After removing the IPsec configuration, the PC dials in normally and obtains an address; the configuration is almost the same as the LNS in the standalone LAC client setup. Also, once IPsec has been disabled through the registry on the PC, the IPsec-related authentication settings in the properties of the PC's L2TP dial-up connection have no effect and can be ignored. If the registry is not modified, the PC negotiates IPsec first when it dials with L2TP, and only negotiates L2TP after the IPsec tunnel is up. This post mainly tests the L2TP dial-up process when the PC's registry is not modified, that is, with L2TP/IPsec enabled. My test system is Windows 8; whether other systems enable L2TP/IPsec by default, please check for yourself. Also note that when a Cisco device brings up L2TP/IPsec with Windows, only transport mode is supported. The initial configuration follows, then the troubleshooting (TS) process and the final configuration; I hope it helps others solve the same problem.
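To make the LNS check concrete, here is an added example (my own illustration, not code from this post or from Cisco): it builds a constructed L2TPv2 SCCRQ carrying the hostname “frank” used above, parses it back, and applies the admission rule the quoted log line describes. The function names, the packet bytes and the `esp_protected` / `requires_security` flags are assumptions for the demonstration; on a real LNS "protected" is derived from whether the UDP/1701 datagram arrived through the IPsec SA.

```python
"""Decode an L2TPv2 control message (RFC 2661) and apply the LNS rule quoted
above: a vpdn-group bound to an 'l2tp security crypto-profile' must not accept
an SCCRQ that arrived outside ESP.  Added example, not code from the post; the
SCCRQ bytes are constructed here (hostname "frank" is the one the post uses)."""
import struct

# AVP attribute types used below (RFC 2661, section 4.4.3); vendor ID 0 = IETF
AVP_MESSAGE_TYPE = 0
AVP_PROTOCOL_VERSION = 2
AVP_FRAMING_CAPABILITIES = 3
AVP_HOST_NAME = 7
AVP_ASSIGNED_TUNNEL_ID = 9
# Values of the Message Type AVP for the control messages seen during tunnel setup
MESSAGE_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO"}


def build_sccrq(hostname: bytes, assigned_tunnel_id: int) -> bytes:
    """Construct a minimal SCCRQ: L2TP control header followed by the mandatory AVPs."""
    def avp(attr_type: int, value: bytes) -> bytes:
        # 6-byte AVP header: M bit (0x8000) set, H bit clear, 10-bit length, vendor 0, type
        return struct.pack("!HHH", 0x8000 | (6 + len(value)), 0, attr_type) + value

    avps = (avp(AVP_MESSAGE_TYPE, struct.pack("!H", 1))            # 1 = SCCRQ
            + avp(AVP_PROTOCOL_VERSION, b"\x01\x00")                # L2TP version 1.0
            + avp(AVP_FRAMING_CAPABILITIES, struct.pack("!I", 3))  # sync + async framing
            + avp(AVP_HOST_NAME, hostname)
            + avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", assigned_tunnel_id)))
    # Header flags 0xC802: T=1 (control), L=1 (length present), S=1 (Ns/Nr present), Ver=2.
    # The first SCCRQ is addressed to tunnel 0 / session 0 with Ns=0, Nr=0.
    header = struct.pack("!HHHHHH", 0xC802, 12 + len(avps), 0, 0, 0, 0)
    return header + avps


def parse_l2tp_control(packet: bytes) -> dict:
    """Parse the header and the IETF AVPs of an L2TPv2 control message."""
    flags = struct.unpack("!H", packet[:2])[0]
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 packet")
    if not flags & 0x8000:
        raise ValueError("data message, not a control message")
    pos, length = 2, len(packet)
    if flags & 0x4000:                                  # L bit: length field present
        length = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & 0x0800:                                  # S bit: Ns/Nr present
        ns, nr = struct.unpack("!HH", packet[pos:pos + 4])
        pos += 4
    avps = {}
    while pos < length:
        hdr, vendor, attr = struct.unpack("!HHH", packet[pos:pos + 6])
        avp_len = hdr & 0x03FF
        if avp_len < 6:
            raise ValueError("malformed AVP length")
        if vendor == 0:
            avps[attr] = packet[pos + 6:pos + avp_len]
        pos += avp_len
    msg_type = struct.unpack("!H", avps[AVP_MESSAGE_TYPE])[0]
    assigned = avps.get(AVP_ASSIGNED_TUNNEL_ID)
    return {
        "tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr,
        "message": MESSAGE_NAMES.get(msg_type, f"type {msg_type}"),
        "hostname": avps.get(AVP_HOST_NAME, b"").decode("ascii", "replace"),
        "assigned_tunnel_id": struct.unpack("!H", assigned)[0] if assigned else None,
    }


def lns_admission(msg: dict, esp_protected: bool, requires_security: bool) -> str:
    """Reproduce the LNS decision for an inbound SCCRQ. 'requires_security' stands for a
    vpdn-group with 'l2tp security crypto-profile'; 'esp_protected' for the datagram having
    arrived inside the IPsec SA rather than as cleartext UDP/1701 (both assumed inputs)."""
    if msg["message"] != "SCCRQ":
        return "not an SCCRQ: no tunnel-setup decision"
    if requires_security and not esp_protected:
        return (f'Ignoring SCCRQ, tunnel from "{msg["hostname"]}" requires security, '
                "however the SCCRQ was received unprotected")
    return f'accept SCCRQ from "{msg["hostname"]}", reply with SCCRP'


if __name__ == "__main__":
    sccrq = parse_l2tp_control(build_sccrq(b"frank", 0x1234))
    print(sccrq)
    print(lns_admission(sccrq, esp_protected=False, requires_security=True))
```

Seen from the capture side, an SCCRQ that decodes in cleartext on UDP/1701 is exactly the condition the LNS log line reports; with L2TP/IPsec working, the same control messages only appear inside ESP, which is what the Wireshark capture in step 6 below confirms.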

LNS initial configuration

hostname R2LNS
!
aaa new-model
aaa authentication ppp default local
!
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname frank
!--- The tunnel is selected by the PC's hostname; no domain is configured under accept-dialin
 local name R2LNS
 lcp renegotiation on-mismatch
 l2tp security crypto-profile CCIE
 no l2tp tunnel authentication
!--- The PC only has a username and password, so tunnel authentication is not used in this case
!
username a@cisco.com password 0 111111
username test password 0 test
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 123 address 12.1.1.1
!
crypto ipsec transform-set CCNP esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp profile CCIE
 set transform-set CCNP
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 duplex half
 crypto map vpn
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool l2tp
 ppp authentication ms-chap-v2
!
ip local pool l2tp 33.33.33.1 33.33.33.254
ip route 0.0.0.0 0.0.0.0 12.1.1.1

1. Set up the L2TP dial-up on the PC with destination address 2.2.2.2; the following error appears:

*Oct 11 11:35:10.831: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 11 11:35:10.831: ISAKMP: encryption 3DES-CBC
*Oct 11 11:35:10.831: ISAKMP: hash SHA
*Oct 11 11:35:10.831: ISAKMP: default group 2
*Oct 11 11:35:10.831: ISAKMP: auth pre-share
*Oct 11 11:35:10.831: ISAKMP: life type in seconds
*Oct 11 11:35:10.831: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 11 11:35:10.831: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 11 11:35:10.831: ISAKMP:(0):atts are not acceptable. Next payload is 0
......
*Oct 11 11:35:10.839: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 12.1.1.1)

2. According to the debug output, the Phase 1 attributes offered by the PC do not include “hash md5”; only the SHA hash is accepted. After changing the hash to SHA, the following error appears:

*Oct 11 11:53:09.855: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 11 11:53:09.855: ISAKMP: encryption 3DES-CBC
*Oct 11 11:53:09.855: ISAKMP: hash SHA
*Oct 11 11:53:09.855: ISAKMP: default group 2
*Oct 11 11:53:09.855: ISAKMP: auth pre-share
*Oct 11 11:53:09.855: ISAKMP: life type in seconds
*Oct 11 11:53:09.855: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 11 11:53:09.855: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Oct 11 11:53:09.855: ISAKMP:(0):atts are not acceptable. Next payload is 0
......
*Oct 11 11:53:09.859: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 12.1.1.1)

3. After searching, this error is caused by the IPsec (ISAKMP) group not matching the PC's. From the capture on the PC, the PC's “exchange type” is “identity protection (main mode)”, while the isakmp “exchange type” sent by the router is “information”. Cisco's default should be group 5; after changing it to group 2, it matched:

*Oct 11 12:00:06.443: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 11 12:00:06.443: ISAKMP: encryption 3DES-CBC
*Oct 11 12:00:06.443: ISAKMP: hash SHA
*Oct 11 12:00:06.443: ISAKMP: default group 2
*Oct 11 12:00:06.443: ISAKMP: auth pre-share
*Oct 11 12:00:06.443: ISAKMP: life type in seconds
*Oct 11 12:00:06.443: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 11 12:00:06.443: ISAKMP:(0):atts are acceptable. Next payload is 0

4. With the isakmp group issue resolved, “invalid local address” appeared next:

*Oct 12 08:35:42.099: ISAKMP:(1001):atts are acceptable.
*Oct 12 08:35:42.099: IPSEC(validate_proposal_request): proposal part #1
*Oct 12 08:35:42.099: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 2.2.2.2, remote= 12.1.1.1,
    local_proxy= 2.2.2.2/255.255.255.255/17/1701 (type=1),
    remote_proxy= 12.1.1.1/255.255.255.255/17/1701 (type=1),
    protocol= AH, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 12 08:35:42.099: IPSEC(ipsec_process_proposal): invalid local address 2.2.2.2
*Oct 12 08:35:42.099: ISAKMP:(1001): IPSec policy invalidated proposal with error 8
*Oct 12 08:35:42.099: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 2.2.2.2 remote 12.1.1.1)

5. A colleague pointed out that the problem might be the loopback address: the crypto map is applied on f0/0, but the PC dials the loopback interface, so this may be needed: crypto map vpn local-address Loopback0
After configuring it and dialing again, “invalid local address” was gone, but the following error appeared:

*Oct 12 09:45:01.079: ISAKMP:(1005):Checking IPSec proposal 5
*Oct 12 09:45:01.079: ISAKMP: transform 1, AH_SHA
*Oct 12 09:45:01.079: ISAKMP: attributes in transform:
*Oct 12 09:45:01.079: ISAKMP: encaps is 2 (Transport)
*Oct 12 09:45:01.079: ISAKMP: authenticator is HMAC-SHA
*Oct 12 09:45:01.079: ISAKMP: SA life type in seconds
*Oct 12 09:45:01.079: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Oct 12 09:45:01.079: ISAKMP: SA life type in kilobytes
*Oct 12 09:45:01.079: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Oct 12 09:45:01.079: ISAKMP:(1005):atts are acceptable.
*Oct 12 09:45:01.079: IPSEC(validate_proposal_request): proposal part #1
*Oct 12 09:45:01.079: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 2.2.2.2, remote= 12.1.1.1,
    local_proxy= 2.2.2.2/255.255.255.255/17/1701 (type=1),
    remote_proxy= 12.1.1.1/255.255.255.255/17/1701 (type=1),
    protocol= AH, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 12 09:45:01.079: map_db_find_best did not find matching map
*Oct 12 09:45:01.079: IPSEC(ipsec_process_proposal): proxy identities not supported
*Oct 12 09:45:01.079: ISAKMP:(1005): IPSec policy invalidated proposal with error 32
*Oct 12 09:45:01.079: ISAKMP:(1005): phase 2 SA policy not acceptable! (local 2.2.2.2 remote 12.1.1.1)

6. In a forum topic, someone had set the transform-set wrong and got this error. Looking at the error above, the transform attributes show HMAC-SHA, while I had configured esp-md5-hmac; could that be related? Changed it first to see: “crypto ipsec transform-set CCNP esp-3des esp-sha-hmac”. Dialed again and, haha, it finally came up; I saw the long-awaited L2TP SCCRQ~~ Looking at the Wireshark capture again, all L2TP packets are encrypted in ESP. L2TP/IPsec done!
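The six steps above are one procedure: read what the peer offered, find the attribute IOS rejected, fix that one attribute, dial again. Here is an added example (my own, not code from this post or from Cisco) that automates the reading part over debug lines from steps 1 and 5: it decodes the VPI lifetime bytes, lists every Phase 1 attribute that differs from the isakmp policy at once instead of only the first one IOS reports, and maps the Phase 2 failure strings to the configuration element to check. The sample lines are constructed from the excerpts above; the policy dicts, the group 1 stand-in for the unconfigured default, and the hint texts are my assumptions.

```python
"""Triage for the 'debug crypto isakmp' / 'debug crypto ipsec' output of steps 1-6:
decode the peer's Phase 1 offer, compare it with the LNS isakmp policy, decode the
proposed lifetimes and map the Phase 2 failure strings to what to check.
Added example, not from the post; sample lines are constructed from the excerpts
above and the policy dicts are assumptions mirroring the config at each step."""
import re

# Attribute lines printed under "Checking ISAKMP transform N against priority M policy"
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|life type|"
                     r"life duration \(VPI\) of)\s+(.+)$")
# How a 'crypto isakmp policy' keyword shows up in the debug rendering of the offer
IOS_TO_DEBUG = {"encr": {"3des": "3DES-CBC", "des": "DES-CBC", "aes": "AES-CBC"},
                "hash": {"md5": "MD5", "sha": "SHA"}}
# Phase 2 failure strings seen in steps 4 and 5, and the configuration to check (assumed hints)
PHASE2_HINTS = {
    "invalid local address": "crypto map not bound to the address the client dials; "
                             "see 'crypto map <name> local-address <interface>' (step 5)",
    "proxy identities not supported": "no crypto map entry/transform-set matches the offered "
                                      "proxy and transform (AH_SHA, HMAC-SHA above) (step 6)",
}
# Constructed sample input, copied from the step 1 and step 5 excerpts
SAMPLE_STEP1 = """\
*Oct 11 11:35:10.831: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 11 11:35:10.831: ISAKMP: encryption 3DES-CBC
*Oct 11 11:35:10.831: ISAKMP: hash SHA
*Oct 11 11:35:10.831: ISAKMP: default group 2
*Oct 11 11:35:10.831: ISAKMP: auth pre-share
*Oct 11 11:35:10.831: ISAKMP: life type in seconds
*Oct 11 11:35:10.831: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 11 11:35:10.831: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 11 11:35:10.831: ISAKMP:(0):atts are not acceptable. Next payload is 0""".splitlines()
SAMPLE_STEP5 = """\
*Oct 12 09:45:01.079: ISAKMP: transform 1, AH_SHA
*Oct 12 09:45:01.079: ISAKMP: SA life type in seconds
*Oct 12 09:45:01.079: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Oct 12 09:45:01.079: ISAKMP: SA life type in kilobytes
*Oct 12 09:45:01.079: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Oct 12 09:45:01.079: IPSEC(ipsec_process_proposal): proxy identities not supported""".splitlines()


def decode_vpi(text: str) -> int:
    """'0x0 0x0 0x70 0x80' -> 0x00007080 = 28800: the VPI bytes form a big-endian integer."""
    value = 0
    for token in text.split():
        value = (value << 8) | int(token, 16)
    return value


def parse_phase1_offers(lines) -> list:
    """One dict per 'Checking ISAKMP transform' block: the peer's offer, the first
    attribute IOS rejected, and whether the transform was accepted."""
    offers, current = [], None
    for line in lines:
        if "Checking ISAKMP transform" in line:
            current = {}
            offers.append(current)
        elif current is None:
            continue
        elif (m := ATTR_RE.search(line)):
            key, val = m.group(1), m.group(2).strip()
            if key == "life duration (VPI) of":
                current["lifetime"] = decode_vpi(val)
            elif key == "life type":
                current["lifetime_unit"] = val.removeprefix("in ")
            elif key == "default group":
                current["group"] = int(val)
            else:
                current[key] = val
        elif "does not match policy" in line:
            # IOS stops at the first mismatching attribute, in the order it checks them
            current["first_rejected"] = line.rsplit(":", 1)[1].split(" offered")[0]
        elif "atts are" in line:
            current["accepted"] = "not acceptable" not in line
            current = None
    return offers


def compare_with_policy(offer: dict, policy: dict) -> list:
    """Every attribute where the offer differs from the isakmp policy (IOS reports only the first)."""
    expected = [("encryption", IOS_TO_DEBUG["encr"][policy["encr"]], f"encr {policy['encr']}"),
                ("hash", IOS_TO_DEBUG["hash"][policy["hash"]], f"hash {policy['hash']}"),
                ("group", policy["group"], f"group {policy['group']}"),
                ("auth", policy["authentication"], f"authentication {policy['authentication']}")]
    return [f"{key}: peer offered {offer.get(key)}, policy has '{cmd}'"
            for key, want, cmd in expected if offer.get(key) != want]


def phase2_lifetimes(lines) -> dict:
    """Decode the Phase 2 SA lifetimes the peer proposed ('SA life type' then 'SA life duration')."""
    result, unit = {}, None
    for line in lines:
        if (m := re.search(r"SA life type in (\w+)", line)):
            unit = m.group(1)
        elif (m := re.search(r"SA life duration \(VPI\) of (.+)$", line)) and unit:
            result[unit] = decode_vpi(m.group(1))
    return result


def phase2_hints(lines) -> list:
    """(failure string, what to check) for every known Phase 2 failure line."""
    return [(marker, hint) for line in lines
            for marker, hint in PHASE2_HINTS.items() if marker in line]
```

Run against the step 1 output with the initial policy (hash md5; DH group not configured, so group 1 stands in as an assumed default), `compare_with_policy` reports both the hash and the group mismatch, which is why fixing only the hash in step 2 led straight to the group error. The lifetimes decode to 28800 s for Phase 1 and 3600 s / 250000 KB for Phase 2. One caveat when reproducing the result: step 6 reports esp-sha-hmac as the transform-set that worked, while the final listing below still shows esp-md5-hmac; go by the transform the debug shows the peer offering.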

LNS final configuration

Since the L2TP configuration was not changed, only the final IPsec part of the configuration is shown:

crypto isakmp policy 10
!--- Phase 1 authentication parameters
 encr 3des
!--- hash sha does not appear in the configuration once set (it is the default)
 authentication pre-share
 group 2
!--- this setting matches the Windows client
crypto isakmp key cisco address 12.1.1.1
!--- this key must match the pre-shared key in the PC's L2TP dial-up settings, otherwise Phase 1 fails, as in the figure below
[Figure: l2tp ipsec key for pc]
!
crypto ipsec transform-set CCNP esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn local-address Loopback0
crypto map vpn 10 ipsec-isakmp profile CCIE
 set transform-set CCNP

PC information

C:\Windows\system32>ipconfig /all
PPP 适配器 VPN 连接:
   连接特定的 DNS 后缀 . . . . . . . :
   描述. . . . . . . . . . . . . . . : VPN 连接
   物理地址. . . . . . . . . . . . . :
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是
   IPv4 地址 . . . . . . . . . . . . : 33.33.33.1(首选)
   子网掩码  . . . . . . . . . . . . : 255.255.255.255
   默认网关. . . . . . . . . . . . . : 0.0.0.0
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

以太网适配器 以太网 3:
   连接特定的 DNS 后缀 . . . . . . . :
   描述. . . . . . . . . . . . . . . : Microsoft KM-TEST 环回适配器
   物理地址. . . . . . . . . . . . . : 02-00-4C-4F-4F-50
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是
   IPv4 地址 . . . . . . . . . . . . : 12.1.1.1(首选)
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 12.1.1.2
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

以太网适配器 以太网:
   连接特定的 DNS 后缀 . . . . . . . :
   描述. . . . . . . . . . . . . . . : Intel(R) 82574L 千兆网络连接

C:\Windows\system32>route print
===========================================================================
接口列表
 47...........................VPN 连接
 31...02 00 4c 4f 4f 50 ......Microsoft KM-TEST 环回适配器
 12...00 25 90 27 5b 07 ......Intel(R) 82574L 千兆网络连接
===========================================================================
IPv4 路由表
===========================================================================
活动路由:
网络目标        网络掩码          网关       接口   跃点数
          0.0.0.0          0.0.0.0         12.1.1.2         12.1.1.1   4491
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2   4245
          0.0.0.0          0.0.0.0          在链路上      33.33.33.1     11

Related information

Implementing L2TP Voluntary/Client-Initiated Tunnel Mode Remote Access VPNs – PC dialing to the LNS, with a detailed explanation of the configuration
Access VPDN Dial-in Using IPSec Over L2TP – the ISP does the IPsec encryption rather than the client; contains some good diagrams
Configuring Layer 2 Tunneling Protocol (L2TP) over IPSec – IPsec encryption between LAC and LNS, configuration example
Cisco Hardware and VPN Clients Supporting IPSec/PPTP/L2TP – hardware support information
ISAKMP/IKE Phase 2 Connections – several ways Phase 2 can fail

This article is from Frank's Blog.

Copyright notice: this is an original article and represents only the author's personal views. Copyright belongs to Frank Zhao; when reposting, please cite the source and the article link.

Comments

  1. flyship163 says:

    Hi, could you post your topology? Thanks!

  2. frank says:

    Isn't the TOPOLOGY right at the top? It's just the PC connected directly to the router. What's unclear?