Remote-access VPN with certificates
Good afternoon!
There was a need to give employees access to the corporate network from anywhere.
For example, a user loads a certificate onto a device (laptop, iPhone), a tunnel to the router is established, the router authenticates via RADIUS and gives the go-ahead. Right?
But in practice something doesn't work...
Here's a piece of the config:
aaa new-model
!
!
aaa authentication login authlist group radius local
aaa authorization network authlist group radius local
username xxx privilege 15 secret 5 xxx
crypto isakmp policy 20
encr 3des
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp client configuration address-pool local VPN_POOL
!
crypto isakmp client configuration group VPN_group
key cisco
pool VPN_POOL
netmask 255.255.255.0
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
!
!
crypto dynamic-map DM 10
set transform-set TS
reverse-route
!
!
!
!
crypto map stat-map client authentication list authlist
crypto map stat-map isakmp authorization list authlist
crypto map stat-map client configuration address respond
crypto map stat-map 10 ipsec-isakmp dynamic DM
!
!
!
ip ssh version 2
!
!
!
!
interface Loopback0
ip address 10.0.1.42 255.255.255.255
ip flow ingress
!
interface Loopback10
descr for VPN_users
ip address 10.11.180.254 255.255.255.0
!
interface GigabitEthernet0/0
ip address xxx.26 255.255.255.224
ip access-group 100 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map stat-map
!
!
ip local pool VPN_POOL 10.11.180.1 10.11.180.5
!
ip nat inside source route-map nat interface GigabitEthernet0/0 overload
*May 6 13:35:01: ISAKMP:(0):Authentication method offered does not match policy!
*May 6 13:35:01: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 6 13:35:01: ISAKMP:(0):no offers accepted!
*May 6 13:35:01: ISAKMP:(0): phase 1 SA policy not acceptable! (local 91.221.16.26 remote 95.215.103.14)
*May 6 13:35:01: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*May 6 13:35:01: ISAKMP:(0): Failed to construct AG informational message.
*May 6 13:35:01: ISAKMP:(0): sending packet to 95.215.103.14 my_port 500 peer_port 500 (R) MM_NO_STATE
*May 6 13:35:01: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 6 13:35:01: ISAKMP:(0):peer does not do paranoid keepalives.
*May 6 13:35:01: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 95.215.103.14)
*May 6 13:35:01: ISAKMP:(0): processing vendor id payload
*May 6 13:35:01: ISAKMP:(0): vendor ID is DPD
*May 6 13:35:01: ISAKMP:(0): processing vendor id payload
*May 6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch
*May 6 13:35:01: ISAKMP:(0): processing vendor id payload
*May 6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
*May 6 13:35:01: ISAKMP:(0): processing vendor id payload
*May 6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
*May 6 13:35:01: ISAKMP:(0): processing vendor id payload
*May 6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*May 6 13:35:01: ISAKMP:(0): processing vendor id payload
*May 6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*May 6 13:35:01: ISAKMP:(0): processing vendor id payload
*May 6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May 6 13:35:01: ISAKMP:(0): vendor ID is NAT-T v2
*May 6 13:35:01: ISAKMP:(0): processing vendor id payload
*May 6 13:35:01: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*May 6 13:35:01: ISAKMP:(0): vendor ID is NAT-T v3
*May 6 13:35:01: ISAKMP (0): FSM action returned error: 2
*May 6 13:35:01: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 6 13:35:01: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*May 6 13:35:01: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 95.215.103.14)
*May 6 13:35:01: ISAKMP: Unlocking peer struct 0x4A5A6F50 for isadb_mark_sa_deleted(), count 0
*May 6 13:35:01: ISAKMP: Deleting peer node by peer_reap for 95.215.103.14: 4A5A6F50
*May 6 13:35:01: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 6 13:35:01: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
*May 6 13:35:01: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 6 13:35:01: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 95.215.103.14)
*May 6 13:35:01: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*May 6 13:35:01: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*May 6 13:35:03: ISAKMP:(0):purging SA., sa=4A50FC40, delme=4A50FC40
*May 6 13:35:05: ISAKMP (0): received packet from 195.128.57.86 dport 500 sport 500 Global (R) MM_NO_STATE
*May 6 13:35:05: ISAKMP (0): received packet from 94.159.0.74 dport 500 sport 500 Global (N) NEW SA
*May 6 13:35:05: ISAKMP: Created a peer struct for 94.159.0.74, peer port 500
*May 6 13:35:05: ISAKMP: New peer created peer = 0x4A5A6F50 peer_handle = 0x8000156D
*May 6 13:35:05: ISAKMP: Locking peer struct 0x4A5A6F50, refcount 1 for crypto_isakmp_process_block
*May 6 13:35:05: ISAKMP:(0):Setting client config settings 4A913714
*May 6 13:35:05: ISAKMP:(0):(Re)Setting client xauth list and state
*May 6 13:35:05: ISAKMP/xauth: initializing AAA request
*May 6 13:35:05: ISAKMP: local port 500, remote port 500
*May 6 13:35:05: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4A5247A4
*May 6 13:35:05: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 6 13:35:05: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*May 6 13:35:05: ISAKMP:(0): processing SA payload. message ID = 0
*May 6 13:35:05: ISAKMP:(0): processing vendor id payload
*May 6 13:35:05: ISAKMP:(0): vendor ID is DPD
*May 6 13:35:05: ISAKMP:(0): processing vendor id payload
*May 6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch
*May 6 13:35:05: ISAKMP:(0): processing vendor id payload
*May 6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
*May 6 13:35:05: ISAKMP:(0): processing vendor id payload
*May 6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
*May 6 13:35:05: ISAKMP:(0): processing vendor id payload
*May 6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*May 6 13:35:05: ISAKMP:(0): processing vendor id payload
*May 6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*May 6 13:35:05: ISAKMP:(0): processing vendor id payload
*May 6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May 6 13:35:05: ISAKMP:(0): vendor ID is NAT-T v2
*May 6 13:35:05: ISAKMP:(0): processing vendor id payload
*May 6 13:35:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*May 6 13:35:05: ISAKMP:(0): vendor ID is NAT-T v3
*May 6 13:35:05: ISAKMP:(0): Authentication by xauth preshared
*May 6 13:35:05: ISAKMP:(0):Checking ISAKMP transform 0 against priority 20 policy
*May 6 13:35:05: ISAKMP: encryption 3DES-CBC
*May 6 13:35:05: ISAKMP: hash SHA
*May 6 13:35:05: ISAKMP: auth pre-share
*May 6 13:35:05: ISAKMP: default group 2
*May 6 13:35:05: ISAKMP: life type in seconds
*May 6 13:35:05: ISAKMP: life duration (basic) of 28800
*May 6 13:35:05: ISAKMP:(0):Authentication method offered does not match policy!
*May 6 13:35:05: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 6 13:35:05: ISAKMP:(0):no offers accepted!
*May 6 13:35:05: ISAKMP:(0): phase 1 SA policy not acceptable! (local 91.221.16.26 remote 94.159.0.74)
*May 6 13:35:05: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*May 6 13:35:05: ISAKMP:(0): Failed to construct AG informational message.
*May 6 13:35:05: ISAKMP:(0): sending packet to 94.159.0.74 my_port 500 peer_port 500 (R) MM_NO_STATE
*May 6 13:35:05: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 6 13:35:05: ISAKMP:(0):peer does not do paranoid keepalives.
You need to set up authentication on the Cisco using a name-password pair, xauth preshared. This data is passed to the client in the profile in addition to the certificates.
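The debug output shows why this answer points in the right direction: the client proposes a pre-shared key with XAUTH ("Authentication by xauth preshared", "auth pre-share"), while policy 20 in the posted config sets neither `hash` nor `authentication`, so IOS fills those in with its documented defaults, SHA and RSA signatures. Phase 1 then dies with "Authentication method offered does not match policy!" because no configured policy accepts `pre-share`. The script below is an added example, not code from the post or from Cisco; it reproduces the responder's matching step by parsing a policy block with the IOS defaults applied and the transform attributes from the posted `debug crypto isakmp` lines, then reporting which attribute gets rejected. The posted policy and the debug lines are copied from the question; the corrected policy block (with `hash sha` and `authentication pre-share` added), the function names and the lifetime test case are assumptions of mine.

```python
import re

# Defaults IOS applies to every attribute a 'crypto isakmp policy' leaves unset
# (DES, SHA, RSA signatures, DH group 1, 86400 s). A policy that only says
# 'encr 3des' and 'group 2' therefore still demands certificate authentication.
IOS_POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "auth": "rsa-sig",
                       "group": "1", "lifetime": 86400}
CONFIG_KEYS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
               "authentication": "auth", "group": "group", "lifetime": "lifetime"}
# Spellings used by 'debug crypto isakmp' -> spellings used in the config
# (the AES key-length attribute is not modelled here).
DEBUG_ENC = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}
DEBUG_AUTH = {"pre-share": "pre-share", "RSA sig": "rsa-sig"}


def parse_policy(config_text):
    """Read the first 'crypto isakmp policy N' block; unset attributes get IOS defaults."""
    policy = dict(IOS_POLICY_DEFAULTS)
    in_block = False
    for raw in config_text.splitlines():
        parts = raw.split()
        if parts[:3] == ["crypto", "isakmp", "policy"]:
            in_block = True
        elif in_block and parts and parts[0] in CONFIG_KEYS:
            key, arg = CONFIG_KEYS[parts[0]], " ".join(parts[1:])
            policy[key] = int(arg) if key == "lifetime" else arg
        elif in_block and parts:
            break  # the next top-level command ends the policy block
    return policy


OFFER_PATTERNS = {
    "encryption": r"ISAKMP:\s+encryption (\S+)",
    "hash": r"ISAKMP:\s+hash (\S+)",
    "auth": r"ISAKMP:\s+auth (.+?)\s*$",
    "group": r"ISAKMP:\s+default group (\d+)",
    "lifetime": r"life duration \(basic\) of (\d+)",
}


def parse_offer(debug_text):
    """Extract the initiator's phase-1 transform from the 'Checking ISAKMP transform' lines."""
    offer = {}
    for line in debug_text.splitlines():
        for attr, pat in OFFER_PATTERNS.items():
            m = re.search(pat, line)
            if m:
                offer[attr] = m.group(1)
    offer["encryption"] = DEBUG_ENC.get(offer.get("encryption"), offer.get("encryption", "").lower())
    offer["hash"] = offer.get("hash", "").lower()
    offer["auth"] = DEBUG_AUTH.get(offer.get("auth"), offer.get("auth"))
    if "lifetime" in offer:
        offer["lifetime"] = int(offer["lifetime"])
    return offer


def match_transform(offer, policy):
    """Attributes on which the responder rejects the offer; an empty list means accepted.
    Encryption, hash, authentication and DH group must be equal; the offered
    lifetime may be shorter than the policy's but not longer."""
    problems = [f"{a}: offered {offer.get(a)}, policy {policy[a]}"
                for a in ("encryption", "hash", "auth", "group") if offer.get(a) != policy[a]]
    if offer.get("lifetime", 0) > policy["lifetime"]:
        problems.append(f"lifetime: offered {offer['lifetime']} > policy {policy['lifetime']}")
    return problems


def diagnose(config_text, debug_text):
    return match_transform(parse_offer(debug_text), parse_policy(config_text))


# Policy block as posted (indentation dropped, as on the page) and the same block
# with the hash and authentication method the client actually proposes spelled out.
POSTED_POLICY = """\
crypto isakmp policy 20
encr 3des
group 2
crypto isakmp invalid-spi-recovery
"""
CORRECTED_POLICY = """\
crypto isakmp policy 20
encr 3des
hash sha
authentication pre-share
group 2
"""
# Transform lines copied from the posted 'debug crypto isakmp' output.
DEBUG_LINES = """\
*May 6 13:35:05: ISAKMP:(0):Checking ISAKMP transform 0 against priority 20 policy
*May 6 13:35:05: ISAKMP: encryption 3DES-CBC
*May 6 13:35:05: ISAKMP: hash SHA
*May 6 13:35:05: ISAKMP: auth pre-share
*May 6 13:35:05: ISAKMP: default group 2
*May 6 13:35:05: ISAKMP: life duration (basic) of 28800
"""

if __name__ == "__main__":
    print("posted policy   :", diagnose(POSTED_POLICY, DEBUG_LINES) or "accepted")
    print("corrected policy:", diagnose(CORRECTED_POLICY, DEBUG_LINES) or "accepted")
```

On the router, `show crypto isakmp policy` prints each policy with the defaults filled in and is the quickest way to see the same thing. Adding `authentication pre-share` to policy 20 is what lets this client through; the `key cisco` under `crypto isakmp client configuration group VPN_group` then becomes the group pre-shared key handed to every client, so it should not stay at that value, and each user's name and password is afterwards checked by XAUTH through the RADIUS list `authlist`. If the goal really is certificate authentication, as the title says, the policy needs `authentication rsa-sig` with a trustpoint instead, and the client has to propose RSA signatures, which the posted debug does not show it doing.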