Who can help me "debug" an iPhone <---> 877 connection??

Virtual private networks and related

Moderator: Federico.Lagni

digitel
Cisco fan
Posts: 62
Joined: Mon 09 Feb 2009, 8:21 am

Hi
I'm going crazy trying to connect the native Cisco client of the iPhone 4S (IPsec) to a Cisco 877 (a 2811 doesn't succeed either).

The Cisco VPN client for Windows connects like a charm, the iPhone doesn't!

This is the relevant excerpt of the 877's config:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group CCLIENT-VPN
key XXXXXXXXX
dns 172.16.XXX.XXX
pool VPN-Pool
acl 120
max-users 5
!
!
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENT-VPN
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan2
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
ip local pool VPN-Pool 172.16.xxx.yyy 172.16.xxx.zzz
!
access-list 120 remark ==[Cisco VPN Users]==
access-list 120 permit ip any any


Phase 1 gets through, since the iPhone asks me for username and password, but once I enter them it says:
Negotiation with the VPN server failed.

This is a debug crypto isakmp after the username and password were entered on the VPN client:

*May 20 03:47:53.579: ISAKMP (0:2005): received packet from 109.119.205.199 dport 4500 sport 4500 Global (R) CONF_XAUTH
*May 20 03:47:53.579: ISAKMP:(2005):processing transaction payload from 109.119.205.199. message ID = 790501643
*May 20 03:47:53.579: ISAKMP: Config payload REPLY
*May 20 03:47:53.579: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*May 20 03:47:53.579: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*May 20 03:47:53.579: ISAKMP:(2005):deleting node 790501643 error FALSE reason "Done with xauth request/reply exchange"
*May 20 03:47:53.579: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*May 20 03:47:53.579: ISAKMP:(2005):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

*May 20 03:47:53.591: ISAKMP: set new node 2067157823 to CONF_XAUTH
*May 20 03:47:53.591: ISAKMP:(2005): initiating peer config to 109.119.205.199. ID = 2067157823
*May 20 03:47:53.591: ISAKMP:(2005): sending packet to 109.119.205.199 my_port 4500 peer_port 4500 (R) CONF_XAUTH
*May 20 03:47:53.591: ISAKMP:(2005):Sending an IKE IPv4 Packet.
*May 20 03:47:53.591: ISAKMP:(2005):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
*May 20 03:47:53.591: ISAKMP:(2005):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT

*May 20 03:47:53.751: ISAKMP (0:2005): received packet from 109.119.205.199 dport 4500 sport 4500 Global (R) CONF_XAUTH
*May 20 03:47:53.751: ISAKMP:(2005):processing transaction payload from 109.119.205.199. message ID = 2067157823
*May 20 03:47:53.755: ISAKMP: Config payload ACK
*May 20 03:47:53.755: ISAKMP:(2005): XAUTH ACK Processed
*May 20 03:47:53.755: ISAKMP:(2005):deleting node 2067157823 error FALSE reason "Transaction mode done"
*May 20 03:47:53.755: ISAKMP:(2005):Talking to a Unity Client
*May 20 03:47:53.755: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
*May 20 03:47:53.755: ISAKMP:(2005):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE

*May 20 03:47:53.755: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 20 03:47:53.755: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*May 20 03:47:53.767: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 20 03:47:53.767: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*May 20 03:47:53.783: ISAKMP (0:2005): received packet from 109.119.205.199 dport 4500 sport 4500 Global (R) QM_IDLE
*May 20 03:47:53.787: ISAKMP: set new node 513958391 to QM_IDLE
*May 20 03:47:53.787: ISAKMP:(2005):processing transaction payload from 109.119.205.199. message ID = 513958391
*May 20 03:47:53.787: ISAKMP: Config payload REQUEST
*May 20 03:47:53.787: ISAKMP:(2005):checking request:
*May 20 03:47:53.787: ISAKMP: IP4_ADDRESS
*May 20 03:47:53.787: ISAKMP: IP4_NETMASK
*May 20 03:47:53.787: ISAKMP: IP4_DNS
*May 20 03:47:53.787: ISAKMP: IP4_NBNS
*May 20 03:47:53.787: ISAKMP: ADDRESS_EXPIRY
*May 20 03:47:53.787: ISAKMP: APPLICATION_VERSION
*May 20 03:47:53.787: ISAKMP: MODECFG_BANNER
*May 20 03:47:53.787: ISAKMP: DEFAULT_DOMAIN
*May 20 03:47:53.787: ISAKMP: SPLIT_DNS
*May 20 03:47:53.787: ISAKMP: SPLIT_INCLUDE
*May 20 03:47:53.787: ISAKMP: INCLUDE_LOCAL_LAN
*May 20 03:47:53.787: ISAKMP: PFS
*May 20 03:47:53.787: ISAKMP: MODECFG_SAVEPWD
*May 20 03:47:53.787: ISAKMP: FW_RECORD
*May 20 03:47:53.787: ISAKMP: BACKUP_SERVER
*May 20 03:47:53.787: ISAKMP: MODECFG_BROWSER_PROXY
*May 20 03:47:53.787: ISAKMP/author: Author request for group CCLIENT-VPNsuccessfully sent to AAA
*May 20 03:47:53.791: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*May 20 03:47:53.791: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

*May 20 03:47:53.791: ISAKMP:(2005):attributes sent in message:
*May 20 03:47:53.791: Address: 0.2.0.0
*May 20 03:47:53.791: ISAKMP:(2005):allocating address 172.16.217.224
*May 20 03:47:53.791: ISAKMP: Sending private address: 172.16.217.224
*May 20 03:47:53.791: ISAKMP: Sending subnet mask: 255.255.255.0
*May 20 03:47:53.791: ISAKMP: Sending IP4_DNS server address: 172.16.217.1
*May 20 03:47:53.791: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 3556
*May 20 03:47:53.795: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 29-Apr-09 05:52 by prod_rel_team
*May 20 03:47:53.795: ISAKMP: Sending split include name 120 network 0.0.0.0 mask 0.0.0.0 protocol 0, src port 0, dst port 0

*May 20 03:47:53.795: ISAKMP: Sending save password reply value 0
*May 20 03:47:53.795: ISAKMP:(2005): responding to peer config from 109.119.205.199. ID = 513958391
*May 20 03:47:53.795: ISAKMP: Marking node 513958391 for late deletion
*May 20 03:47:53.795: ISAKMP:(2005): sending packet to 109.119.205.199 my_port 4500 peer_port 4500 (R) CONF_ADDR
*May 20 03:47:53.795: ISAKMP:(2005):Sending an IKE IPv4 Packet.
*May 20 03:47:53.795: ISAKMP:(2005):Talking to a Unity Client
*May 20 03:47:53.795: ISAKMP:(2005):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
*May 20 03:47:53.795: ISAKMP:(2005):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE

*May 20 03:47:53.799: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 20 03:47:53.799: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*May 20 03:48:08.795: ISAKMP:(2005): retransmitting phase 2 QM_IDLE 513958391 ...
*May 20 03:48:08.795: ISAKMP (0:2005): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*May 20 03:48:08.795: ISAKMP (0:2005): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*May 20 03:48:08.795: ISAKMP:(2005): retransmitting phase 2 513958391 QM_IDLE

*May 20 03:48:08.795: ISAKMP:(2005): sending packet to 109.119.205.199 my_port 4500 peer_port 4500 (R) QM_IDLE
*May 20 03:48:08.795: ISAKMP:(2005):Sending an IKE IPv4 Packet.
*May 20 03:48:10.671: ISAKMP (0:2005): received packet from 109.119.205.199 dport 4500 sport 4500 Global (R) QM_IDLE
*May 20 03:48:10.671: ISAKMP: set new node -119083693 to QM_IDLE
*May 20 03:48:10.671: ISAKMP:(2005): processing HASH payload. message ID = -119083693
*May 20 03:48:10.671: ISAKMP:(2005): processing DELETE payload. message ID = -119083693
*May 20 03:48:10.671: ISAKMP:(2005):peer does not do paranoid keepalives.

*May 20 03:48:10.671: ISAKMP:(2005):peer does not do paranoid keepalives.

*May 20 03:48:10.671: ISAKMP:(2005):deleting SA reason "No reason" state (R) QM_IDLE (peer 109.119.205.199)
*May 20 03:48:10.671: ISAKMP:(2005):deleting node -119083693 error FALSE reason "Informational (in) state 1"
*May 20 03:48:10.671: ISAKMP: set new node -1311707618 to QM_IDLE
*May 20 03:48:10.675: ISAKMP:(2005): sending packet to 109.119.205.199 my_port 4500 peer_port 4500 (R) QM_IDLE
*May 20 03:48:10.675: ISAKMP:(2005):Sending an IKE IPv4 Packet.
*May 20 03:48:10.675: ISAKMP:(2005):purging node -1311707618
*May 20 03:48:10.675: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 20 03:48:10.675: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*May 20 03:48:10.675: ISAKMP:(2005):deleting SA reason "No reason" state (R) QM_IDLE (peer 109.119.205.199)
*May 20 03:48:10.675: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*May 20 03:48:10.675: ISAKMP (0:2005): returning address 172.16.217.224 to pool
*May 20 03:48:10.675: ISAKMP: Unlocking peer struct 0x84428478 for isadb_mark_sa_deleted(), count 0
*May 20 03:48:10.679: ISAKMP: returning address 172.16.217.224 to pool
*May 20 03:48:10.679: ISAKMP: Deleting peer node by peer_reap for 109.119.205.199: 84428478
*May 20 03:48:10.679: ISAKMP: returning address 172.16.217.224 to pool
*May 20 03:48:10.679: ISAKMP:(2005):deleting node 790501643 error FALSE reason "IKE deleted"
*May 20 03:48:10.679: ISAKMP:(2005):deleting node 2067157823 error FALSE reason "IKE deleted"
*May 20 03:48:10.679: ISAKMP:(2005):deleting node -119083693 error FALSE reason "IKE deleted"
*May 20 03:48:10.679: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 20 03:48:10.679: ISAKMP:(2005):Old State = IKE_DEST_SA New State = IKE_DEST_SA



Could some patient soul suggest something???
THANKS!!!
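To make a debug like the one above quicker to read back, here is an added example (not code from the post, and not a Cisco tool) that parses `debug crypto isakmp` output into the events that matter for triage: the state transitions, the mode-config attributes the router pushed, the retransmit counter and any DELETE from the peer, and then names the stage where the session died. `SAMPLE_DEBUG` is a condensed excerpt of this post's own debug with each message kept on a single line; the verdict strings and the rules in `diagnose` are this example's own heuristics, not IOS messages.

```python
"""Triage helper for Cisco IOS `debug crypto isakmp` output from an Easy VPN
(Unity-client) session. Added example; the verdicts are heuristics, not IOS text."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PKT_RE = re.compile(r"(received packet from|sending packet to) (\S+) .*\(R\) (\S+)")
SPLIT_RE = re.compile(r"Sending split include name (\S+) network (\S+) mask (\S+)")
ADDR_RE = re.compile(r"Sending private address: (\S+)")
XAUTH_OK_RE = re.compile(r"XAUTH ACK Processed")
RETRANS_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")
DELETE_RE = re.compile(r"processing DELETE payload")

# Condensed excerpt of the post's debug output (one message per line).
SAMPLE_DEBUG = """\
*May 20 03:47:53.579: ISAKMP (0:2005): received packet from 109.119.205.199 dport 4500 sport 4500 Global (R) CONF_XAUTH
*May 20 03:47:53.579: ISAKMP:(2005):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
*May 20 03:47:53.591: ISAKMP:(2005): sending packet to 109.119.205.199 my_port 4500 peer_port 4500 (R) CONF_XAUTH
*May 20 03:47:53.755: ISAKMP:(2005): XAUTH ACK Processed
*May 20 03:47:53.755: ISAKMP:(2005):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
*May 20 03:47:53.791: ISAKMP: Sending private address: 172.16.217.224
*May 20 03:47:53.795: ISAKMP: Sending split include name 120 network 0.0.0.0 mask 0.0.0.0 protocol 0, src port 0, dst port 0
*May 20 03:47:53.795: ISAKMP:(2005): sending packet to 109.119.205.199 my_port 4500 peer_port 4500 (R) CONF_ADDR
*May 20 03:48:08.795: ISAKMP (0:2005): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*May 20 03:48:10.671: ISAKMP:(2005): processing DELETE payload. message ID = -119083693
*May 20 03:48:10.675: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
"""


@dataclass
class IsakmpTrace:
    states: List[Tuple[str, str]] = field(default_factory=list)       # (old, new) in log order
    exchanges: List[Tuple[str, str, str]] = field(default_factory=list)  # (direction, peer, exchange)
    xauth_ok: bool = False
    assigned_address: Optional[str] = None
    split_include: List[Tuple[str, str, str]] = field(default_factory=list)  # (acl, network, mask)
    retransmit_attempts: int = 0
    peer_deleted_sa: bool = False


def parse_isakmp_debug(text: str) -> IsakmpTrace:
    """Collect only the events needed for triage, in the order they were logged."""
    trace = IsakmpTrace()
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            trace.states.append((m.group(1), m.group(2)))
        elif m := PKT_RE.search(line):
            direction = "in" if m.group(1).startswith("received") else "out"
            trace.exchanges.append((direction, m.group(2), m.group(3)))
        elif m := SPLIT_RE.search(line):
            trace.split_include.append((m.group(1), m.group(2), m.group(3)))
        elif m := ADDR_RE.search(line):
            trace.assigned_address = m.group(1)
        elif m := RETRANS_RE.search(line):
            trace.retransmit_attempts = max(trace.retransmit_attempts, int(m.group(1)))
        elif XAUTH_OK_RE.search(line):
            trace.xauth_ok = True
        elif DELETE_RE.search(line):
            trace.peer_deleted_sa = True
    return trace


def diagnose(trace: IsakmpTrace) -> dict:
    """Summarise how far the negotiation got and where it stopped (heuristic verdicts)."""
    reached = {new for _, new in trace.states}
    modecfg_sent = any(d == "out" and ex == "CONF_ADDR" for d, _, ex in trace.exchanges)
    full_tunnel = any(net == "0.0.0.0" and mask == "0.0.0.0" for _, net, mask in trace.split_include)
    if not trace.xauth_ok:
        verdict = "stopped in XAUTH: check the client authentication list and the local users"
    elif not modecfg_sent:
        verdict = "XAUTH passed but no CONF_ADDR reply: check the isakmp authorization list and the pool"
    elif trace.peer_deleted_sa and trace.retransmit_attempts > 0:
        verdict = ("mode-config reply unacknowledged (router retransmitted it) and the peer then deleted the SA: "
                   "the client rejected the pushed attributes; compare split-include, pool and DNS with what it accepts")
    elif trace.peer_deleted_sa:
        verdict = "peer deleted the SA after mode-config: inspect the Quick Mode proposal and transform-set"
    else:
        verdict = "no known failure signature; read the full debug"
    return {
        "phase1_complete": "IKE_P1_COMPLETE" in reached,
        "xauth_ok": trace.xauth_ok,
        "modecfg_sent": modecfg_sent,
        "assigned_address": trace.assigned_address,
        "split_include": trace.split_include,
        "full_tunnel": full_tunnel,
        "retransmit_attempts": trace.retransmit_attempts,
        "peer_deleted_sa": trace.peer_deleted_sa,
        "last_state": trace.states[-1][1] if trace.states else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_isakmp_debug(SAMPLE_DEBUG)).items():
        print(f"{key:20} {value}")
```

Run on this post's output it reports Phase 1 and XAUTH complete, a CONF_ADDR reply carrying split-include 0.0.0.0/0.0.0.0 that had to be retransmitted, then a DELETE from the peer and IKE_DEST_SA as the final state: the client got as far as receiving its attributes and then tore the SA down itself, which is why the failure is in "phase 2" from the router's point of view even though no Quick Mode proposal was ever processed.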
digitel
Cisco fan
Posts: 62
Joined: Mon 09 Feb 2009, 8:21 am

I'll answer myself: after weeks of trying and trying again I discovered the mystery (better late than never):

The group configuration reads as follows:

crypto isakmp client configuration group CCLIENT-VPN
key XXXXXXXXX
dns 172.16.217.80
pool VPN-Pool
acl 120
max-users 5

and the access-list:

access-list 120 remark ==[Cisco VPN Users]==
access-list 120 permit ip any any



well, setting the acl to:

access-list 120 permit ip 172.16.217.0 0.0.0.255 any
(instead of any any)

phase 2 also completes and the VPN tunnel is established correctly.

Strange that with the VPN client for Windows the problem doesn't arise....

If someone could explain to me what's wrong with the acl with any any, it would be much appreciated.....

I hope this can help anyone who happens to have struggled with the same problem.
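The two ACLs in this post differ in more than whether the iPhone connects. The `acl` under the client configuration group is the split-tunnel ACL, and it becomes the SPLIT_INCLUDE attribute pushed to the client: `permit ip any any` shows up in the first post's debug as `network 0.0.0.0 mask 0.0.0.0`, i.e. a full tunnel, while the working entry advertises only 172.16.217.0/24, so everything else the phone sends now bypasses the VPN. The added example below (not code from the thread) computes, from an ACL, the network/mask pairs the router would advertise, so the effect of a change can be checked before it reaches the clients. It parses only the numbered extended-ACL forms used here (`any`, `host A.B.C.D`, `A.B.C.D wildcard`, protocol `ip`), rejects anything else rather than guessing, and skipping deny entries is its own simplification.

```python
"""Compute the SPLIT_INCLUDE networks an IOS Easy VPN server derives from the
group's split-tunnel ACL. Added example, not code from the thread."""
import ipaddress
import re
from typing import List, Tuple

ENTRY_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny|remark)\b\s*(.*)$", re.IGNORECASE)

# The two ACLs from the thread: the one that failed and the one that worked.
BROKEN_ACL = """\
access-list 120 remark ==[Cisco VPN Users]==
access-list 120 permit ip any any
"""
FIXED_ACL = """\
access-list 120 remark ==[Cisco VPN Users]==
access-list 120 permit ip 172.16.217.0 0.0.0.255 any
"""


def wildcard_to_netmask(wildcard: str) -> str:
    """A Cisco wildcard (0 bit = must match) is the bitwise inverse of a subnet mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF))


def _source_of(tokens: List[str]) -> Tuple[str, str]:
    """(network, wildcard) for the source part of an extended ACL entry."""
    if tokens[0].lower() == "any":
        return "0.0.0.0", "255.255.255.255"
    if tokens[0].lower() == "host":
        return tokens[1], "0.0.0.0"
    return tokens[0], tokens[1]


def split_include_from_acl(acl_text: str, acl_number: str) -> List[Tuple[str, str]]:
    """(network, subnet mask) pairs the router would push for `acl_number`.

    Only the source of each permit entry is advertised; that is what the
    `Sending split include name 120 network ... mask ...` debug line shows.
    """
    networks = []
    for line in acl_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m.group(1) != acl_number:
            continue
        action, body = m.group(2).lower(), m.group(3).split()
        if action != "permit":  # remarks carry nothing; deny entries are skipped (simplification)
            continue
        if not body or body[0].lower() != "ip":
            raise ValueError(f"unsupported entry (only `permit ip` handled): {line.strip()}")
        network, wildcard = _source_of(body[1:])
        networks.append((str(ipaddress.IPv4Address(network)), wildcard_to_netmask(wildcard)))
    return networks


def is_full_tunnel(networks: List[Tuple[str, str]]) -> bool:
    """0.0.0.0/0.0.0.0 in the list tells the client to send all traffic into the tunnel."""
    return ("0.0.0.0", "0.0.0.0") in networks


if __name__ == "__main__":
    for label, acl in (("any any", BROKEN_ACL), ("172.16.217.0/24", FIXED_ACL)):
        nets = split_include_from_acl(acl, "120")
        print(f"{label:18} -> {nets}  full tunnel: {is_full_tunnel(nets)}")
```

For the thread's two ACLs this yields `[('0.0.0.0', '0.0.0.0')]` for `any any` and `[('172.16.217.0', '255.255.255.0')]` for the working entry, which is exactly the difference between the attribute the iPhone refused and the one it accepted; whether a full-tunnel or split-tunnel policy is the one actually wanted for the phones is a separate decision to make on purpose rather than as a side effect of the fix.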
Rizio
Messianic Network master
Posts: 1158
Joined: Fri 12 Oct 2007, 2:48 pm

Unfortunately I can't answer you, but I would search around among the various bugs of your IOS version in case there's a similar one. It's the only thing that comes to mind.
Or, the problem may come from the fact that it's a selection ACL and MUST have an address, so ANY is no good...... but it's only a hypothesis.

Meanwhile, thanks for sharing.

Rizio
Si vis pacem para bellum