Remote-access VPN with certificates

Good afternoon!
We need to give employees access to the corporate network from anywhere.
For example, the user loads a certificate onto a device (laptop, iPhone), a tunnel is established with the router, the router checks the identity via RADIUS and grants access. Right?
But in practice something is not working...
Here is a piece of the config:
aaa new-model
!
!
aaa authentication login authlist group radius local
aaa authorization network authlist group radius local 

username xxx privilege 15 secret 5 xxx

crypto isakmp policy 20
 encr 3des
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp client configuration address-pool local VPN_POOL
!
crypto isakmp client configuration group VPN_group
 key cisco
 pool VPN_POOL
 netmask 255.255.255.0
!

crypto ipsec transform-set TS esp-aes esp-sha-hmac 
!

!
!
crypto dynamic-map DM 10
 set transform-set TS 
 reverse-route
!
!
!
!
crypto map stat-map client authentication list authlist
crypto map stat-map isakmp authorization list authlist
crypto map stat-map client configuration address respond
crypto map stat-map 10 ipsec-isakmp dynamic DM 
!
!
!
ip ssh version 2
!
!
!
!
interface Loopback0
 ip address 10.0.1.42 255.255.255.255
 ip flow ingress
!
interface Loopback10
 description for VPN_users
 ip address 10.11.180.254 255.255.255.0
!
interface GigabitEthernet0/0
 ip address xxx.26 255.255.255.224
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map stat-map
!

!
ip local pool VPN_POOL 10.11.180.1 10.11.180.5

!
ip nat inside source route-map nat interface GigabitEthernet0/0 overload




And here is the debug :)
*May  6 13:35:01: ISAKMP:(0):Authentication method offered does not match policy!
*May  6 13:35:01: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May  6 13:35:01: ISAKMP:(0):no offers accepted!
*May  6 13:35:01: ISAKMP:(0): phase 1 SA policy not acceptable! (local 91.221.16.26 remote 95.215.103.14)
*May  6 13:35:01: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*May  6 13:35:01: ISAKMP:(0): Failed to construct AG informational message.
*May  6 13:35:01: ISAKMP:(0): sending packet to 95.215.103.14 my_port 500 peer_port 500 (R) MM_NO_STATE
*May  6 13:35:01: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May  6 13:35:01: ISAKMP:(0):peer does not do paranoid keepalives.

*May  6 13:35:01: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 95.215.103.14)
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID is DPD
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May  6 13:35:01: ISAKMP:(0): vendor ID is NAT-T v2
*May  6 13:35:01: ISAKMP:(0): processing vendor id payload
*May  6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*May  6 13:35:01: ISAKMP:(0): vendor ID is NAT-T v3
*May  6 13:35:01: ISAKMP (0): FSM action returned error: 2
*May  6 13:35:01: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May  6 13:35:01: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*May  6 13:35:01: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 95.215.103.14)
*May  6 13:35:01: ISAKMP: Unlocking peer struct 0x4A5A6F50 for isadb_mark_sa_deleted(), count 0
*May  6 13:35:01: ISAKMP: Deleting peer node by peer_reap for 95.215.103.14: 4A5A6F50
*May  6 13:35:01: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May  6 13:35:01: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

*May  6 13:35:01: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May  6 13:35:01: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 95.215.103.14)
*May  6 13:35:01: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*May  6 13:35:01: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*May  6 13:35:03: ISAKMP:(0):purging SA., sa=4A50FC40, delme=4A50FC40
*May  6 13:35:05: ISAKMP (0): received packet from 195.128.57.86 dport 500 sport 500 Global (R) MM_NO_STATE
*May  6 13:35:05: ISAKMP (0): received packet from 94.159.0.74 dport 500 sport 500 Global (N) NEW SA
*May  6 13:35:05: ISAKMP: Created a peer struct for 94.159.0.74, peer port 500
*May  6 13:35:05: ISAKMP: New peer created peer = 0x4A5A6F50 peer_handle = 0x8000156D
*May  6 13:35:05: ISAKMP: Locking peer struct 0x4A5A6F50, refcount 1 for crypto_isakmp_process_block
*May  6 13:35:05: ISAKMP:(0):Setting client config settings 4A913714
*May  6 13:35:05: ISAKMP:(0):(Re)Setting client xauth list  and state
*May  6 13:35:05: ISAKMP/xauth: initializing AAA request
*May  6 13:35:05: ISAKMP: local port 500, remote port 500
*May  6 13:35:05: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4A5247A4
*May  6 13:35:05: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May  6 13:35:05: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*May  6 13:35:05: ISAKMP:(0): processing SA payload. message ID = 0
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID is DPD
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May  6 13:35:05: ISAKMP:(0): vendor ID is NAT-T v2
*May  6 13:35:05: ISAKMP:(0): processing vendor id payload
*May  6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*May  6 13:35:05: ISAKMP:(0): vendor ID is NAT-T v3
*May  6 13:35:05: ISAKMP:(0): Authentication by xauth preshared
*May  6 13:35:05: ISAKMP:(0):Checking ISAKMP transform 0 against priority 20 policy
*May  6 13:35:05: ISAKMP:      encryption 3DES-CBC
*May  6 13:35:05: ISAKMP:      hash SHA
*May  6 13:35:05: ISAKMP:      auth pre-share
*May  6 13:35:05: ISAKMP:      default group 2
*May  6 13:35:05: ISAKMP:      life type in seconds
*May  6 13:35:05: ISAKMP:      life duration (basic) of 28800
*May  6 13:35:05: ISAKMP:(0):Authentication method offered does not match policy!
*May  6 13:35:05: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May  6 13:35:05: ISAKMP:(0):no offers accepted!
*May  6 13:35:05: ISAKMP:(0): phase 1 SA policy not acceptable! (local 91.221.16.26 remote 94.159.0.74)
*May  6 13:35:05: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*May  6 13:35:05: ISAKMP:(0): Failed to construct AG informational message.
*May  6 13:35:05: ISAKMP:(0): sending packet to 94.159.0.74 my_port 500 peer_port 500 (R) MM_NO_STATE
*May  6 13:35:05: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May  6 13:35:05: ISAKMP:(0):peer does not do paranoid keepalives.
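As an added example (not code from the question or from any of the answers), a small Python triage script that parses the ISAKMP debug above and reports, for each rejected peer, which attributes the client offered and which of them differ from the local policy. The LOCAL_POLICIES table is an assumption: policy 20 as posted (encr 3des, group 2) with the IOS defaults filled in for the attributes the config does not set (hash SHA, authentication rsa-sig).

```python
import re

# Constructed sample: lines copied from the ISAKMP debug posted in the question.
SAMPLE_DEBUG = """\
*May  6 13:35:05: ISAKMP:(0):Checking ISAKMP transform 0 against priority 20 policy
*May  6 13:35:05: ISAKMP:      encryption 3DES-CBC
*May  6 13:35:05: ISAKMP:      hash SHA
*May  6 13:35:05: ISAKMP:      auth pre-share
*May  6 13:35:05: ISAKMP:      default group 2
*May  6 13:35:05: ISAKMP:(0):Authentication method offered does not match policy!
*May  6 13:35:05: ISAKMP:(0):no offers accepted!
*May  6 13:35:05: ISAKMP:(0): phase 1 SA policy not acceptable! (local 91.221.16.26 remote 94.159.0.74)
"""

# Assumption: policy 20 as posted (encr 3des, group 2) with the IOS defaults
# filled in for the attributes it does not set (hash SHA, authentication rsa-sig).
LOCAL_POLICIES = {"20": {"encryption": "3DES-CBC", "hash": "SHA",
                         "auth": "rsa-sig", "group": "2"}}

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|auth|default group) (\S+)")
REASON_RE = re.compile(r"ISAKMP:\(\d+\):\s*(.*does not match policy!|no offers accepted!)")
FAIL_RE = re.compile(r"phase 1 SA policy not acceptable! \(local \S+ remote (\S+)\)")

def parse_phase1_failures(debug):
    """Group every rejected phase 1 proposal with what the peer offered and why."""
    failures, current = [], None
    for line in debug.splitlines():
        if m := CHECK_RE.search(line):
            # A new proposal is being checked: start collecting its attributes.
            current = {"transform": m.group(1), "policy": m.group(2),
                       "offered": {}, "reasons": []}
        elif current is None:
            continue
        elif m := ATTR_RE.search(line):
            key = "group" if m.group(1) == "default group" else m.group(1)
            current["offered"][key] = m.group(2)
        elif m := REASON_RE.search(line):
            current["reasons"].append(m.group(1))
        elif m := FAIL_RE.search(line):
            current["peer"] = m.group(1)
            failures.append(current)
            current = None
    return failures

def policy_mismatches(failure, policies=LOCAL_POLICIES):
    """Return {attribute: (offered, configured)} for each attribute that differs."""
    configured = policies.get(failure["policy"], {})
    return {k: (v, configured[k]) for k, v in failure["offered"].items()
            if k in configured and configured[k] != v}
```

Run over the posted debug, the only mismatch reported for peer 94.159.0.74 is the authentication method (pre-share offered, rsa-sig configured), which is exactly what the "Authentication method offered does not match policy!" line says.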

Answers (5)
@Maximus43
You need to configure username/password authentication on the Cisco, i.e. xauth preshared. These credentials are passed to the client in the profile in addition to the certificates.
@rdntw (question author)
Those are used as well.
@JDima
crypto isakmp policy 20
authentication rsa-sig

It won't work; new debug.
@kbool
And what are you using as the VPN client?