Upload File

configuración de l2tp sobre ipsec entre pix firewall y ... · clientes de xp a un sitio...

  • Home
  • Documents
  • Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows
29
Configuración de L2TP sobre IPSec entre PIX Firewall y Windows 2000 PC con certificados Contenido Introducción prerrequisitos Requisitos Componentes Utilizados Convenciones Antecedentes Configurar Diagrama de la red Configure al cliente de Microsoft L2TP Consiga los Certificados para el firewall PIX Configuración de Firewall de PIX Verificación Troubleshooting Comandos para resolución de problemas Ejemplo de resultado del comando debug Depuración correcta para registro con CA Depuración incorrecta para registro con CA Información Relacionada Introducción El Layer 2 Tunneling Protocol (L2TP) a través de IPSec se soporta en la versión 6.x o posterior de Cisco Secure PIX Firewall Software. Los usuarios con Windows 2000 pueden utilizar el cliente de IPSec nativo y el cliente de L2TP para establecer un túnel L2TP hasta el firewall PIX. El tráfico pasa por el túnel L2TP cifrado mediante Asociaciones de Seguridad IPSec (SA). Nota: Usted no puede utilizar al cliente IPSec para Telnet del Windows 2000 L2TP al PIX. Nota: La tunelización dividida no está disponible con el L2TP en el PIX. Para configurar el L2TP sobre el IPSec de Microsoft Windows remoto 2000/2003 y los clientes de XP a una oficina corporativa del dispositivo de seguridad del PIX/ASA usando las claves previamente compartidas con un servidor de RADIUS del Internet Authentication Service de Microsoft Windows 2003 (IAS) para la autenticación de usuario, refiera al L2TP sobre el IPSec entre Windows 2000/XP PC y PIX/ASA 7.2 usando el ejemplo de configuración de la clave previamente compartida. Para configurar el L2TP sobre la seguridad IP (IPSec) del Microsoft Windows 2000 remoto y a los

Upload: others

Post on 15-May-2020

5 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

Configuración de L2TP sobre IPSec entre PIXFirewall y Windows 2000 PC con certificados

Contenido

IntroducciónprerrequisitosRequisitosComponentes UtilizadosConvencionesAntecedentesConfigurarDiagrama de la redConfigure al cliente de Microsoft L2TPConsiga los Certificados para el firewall PIXConfiguración de Firewall de PIXVerificaciónTroubleshootingComandos para resolución de problemasEjemplo de resultado del comando debugDepuración correcta para registro con CADepuración incorrecta para registro con CAInformación Relacionada

Introducción

El Layer 2 Tunneling Protocol (L2TP) a través de IPSec se soporta en la versión 6.x o posterior deCisco Secure PIX Firewall Software. Los usuarios con Windows 2000 pueden utilizar el cliente deIPSec nativo y el cliente de L2TP para establecer un túnel L2TP hasta el firewall PIX. El tráficopasa por el túnel L2TP cifrado mediante Asociaciones de Seguridad IPSec (SA).

Nota: Usted no puede utilizar al cliente IPSec para Telnet del Windows 2000 L2TP al PIX.

Nota: La tunelización dividida no está disponible con el L2TP en el PIX.

Para configurar el L2TP sobre el IPSec de Microsoft Windows remoto 2000/2003 y los clientes deXP a una oficina corporativa del dispositivo de seguridad del PIX/ASA usando las clavespreviamente compartidas con un servidor de RADIUS del Internet Authentication Service deMicrosoft Windows 2003 (IAS) para la autenticación de usuario, refiera al L2TP sobre el IPSecentre Windows 2000/XP PC y PIX/ASA 7.2 usando el ejemplo de configuración de la clavepreviamente compartida.

Para configurar el L2TP sobre la seguridad IP (IPSec) del Microsoft Windows 2000 remoto y a los

//www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml
//www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml
//www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml
Page 2: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobreel IPSec de un Windows 2000 o de un cliente de XP a un concentrador del Cisco VPN de la serie3000 usando las claves previamente compartidas.

prerrequisitos

Requisitos

No hay requisitos específicos para este documento.

Componentes Utilizados

La información en este documento se aplica a estas versiones de software y hardware:

Software PIX versión 6.3(3)●

Windows 2000 con o sin el SP2 (véase la recomendación de Microsoft Q276360 para lainformación sobre el SP1.)

La información que contiene este documento se creó a partir de los dispositivos en un ambientede laboratorio específico. Todos los dispositivos que se utilizan en este documento se pusieron enfuncionamiento con una configuración verificada (predeterminada). Si la red está funcionando,asegúrese de haber comprendido el impacto que puede tener cualquier comando.

Convenciones

Consulte Convenciones de Consejos TécnicosCisco para obtener más información sobre lasconvenciones del documento.

Antecedentes

El Soporte de certificado en las versiones incluye 6.x del Secure PIX de Cisco o más adelanteBaltimore, Microsoft, Verisign, y confía los servidores. Actualmente, el PIX no valida las peticionesL2TP fuera protección IPSec.

Este ejemplo muestra cómo configurar el firewall PIX para el escenario mencionado anterior eneste documento. La autenticación del Internet Key Exchange (IKE) utiliza el comando rsa-sig(Certificados). En este ejemplo, la autenticación es hecha por un servidor de RADIUS.

Las opciones menos vinculadas para las conexiones cliente cifradas al PIX son mencionadas enel Cisco Hardware y los clientes VPN que soportan IPSec/PPTP/L2TP.

Configurar

En esta sección encontrará la información para configurar las funciones descritas en estedocumento.

Nota: Use la herramienta Command Lookup Tool (clientes registrados solamente) para encontrarmás información sobre los comandos usados en este documento.

//www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094aca.shtml
//www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094aca.shtml
//www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094aca.shtml
http://support.microsoft.com/default.aspx?scid=kb;en-us;276360
//www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080121ac5.shtml
//www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094e6d.shtml
//tools.cisco.com/Support/CLILookup/cltSearchAction.do
//tools.cisco.com/RPF/register/register.do
Page 3: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

Diagrama de la red

En este documento, se utiliza esta configuración de red:

Configure al cliente de Microsoft L2TP

La información sobre cómo configurar al cliente de Microsoft L2TP se encuentra en el guía paso apaso de Microsoft a la seguridad de protocolos en Internet .

Como se apunta en el guía paso a paso referido de Microsoft, los soportes de cliente variosservidores probados del Certificate Authority (CA). La información sobre cómo configurarMicrosoft CA se encuentra en el guía paso a paso de Microsoft a configurar un CertificateAuthority .

Consiga los Certificados para el firewall PIX

Refiera a los ejemplos de configuración de CA para los detalles en cómo configurar el PIX para laInteroperabilidad con los Certificados de Verisign, confíelos, Baltimore, y Microsoft.

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
//www.cisco.com/en/US/docs/security/pix/pix53/ipsec/configuration/guide/ExCAs.html
Page 4: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

Configuración de Firewall de PIX

Este documento utiliza esta configuración.

Firewall PIX

PIX Version 6.3(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX-506-2

domain-name sjvpn.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

!--- Access Control List (ACL) configured to bypass !---

Network Address Translation (NAT) for the L2TP IP pool.

access-list nonat permit ip 20.1.1.0 255.255.255.0

50.1.1.0 255.255.255.0

!--- ACL configured to permit L2TP traffic (UDP port

1701). access-list l2tp permit udp host 171.68.9.57 any

eq 1701

no pager

logging on

logging console debugging

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 171.68.9.57 255.255.255.0

ip address inside 20.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

!--- Pool for L2TP address assignment. ip local pool

l2tp 50.1.1.1-50.1.1.5

pdm history enable

arp timeout 14400

!--- NAT configuration that matches previously defined

!--- ACL for the L2TP IP pool. nat (inside) 0 access-

list nonat

route outside 0.0.0.0 0.0.0.0 171.68.9.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc

0:10:00 h323

0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

!--- AAA (RADIUS) server configuration. aaa-server

RADIUS (inside) host 20.1.1.2 cisco timeout 5

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

Page 5: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

floodguard enable

!--- sysopt command entry to permit L2TP !--- traffic,

while bypassing all ACLs.

sysopt connection permit-l2tp

no sysopt route dnat

!--- The IPsec configuration. crypto ipsec transform-set

l2tp esp-des esp-md5-hmac

!--- Only transport mode is supported. crypto ipsec

transform-set l2tp mode transport

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map dyna 20 match address l2tp

crypto dynamic-map dyna 20 set transform-set l2tp

crypto map mymap 10 ipsec-isakmp dynamic dyna

crypto map mymap client authentication RADIUS

crypto map mymap interface outside

!--- The IKE configuration. isakmp enable outside

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

ca identity sjvpn 171.68.9.149:/certsrv/mscep/mscep.dll

ca configure sjvpn ra 1 20 crloptional

telnet 171.68.9.0 255.255.255.0 inside

telnet 20.1.1.2 255.255.255.255 inside

telnet timeout 60

ssh timeout 5

!--- The L2TP configuration parameters. vpdn group

l2tpipsec accept dialin l2tp

vpdn group l2tpipsec ppp authentication chap

vpdn group l2tpipsec ppp authentication mschap

vpdn group l2tpipsec client configuration address local

l2tp

vpdn group l2tpipsec client configuration dns 20.1.1.250

20.1.1.251

vpdn group l2tpipsec client configuration wins

20.1.1.250

vpdn group l2tpipsec client authentication aaa RADIUS

vpdn group l2tpipsec client accounting RADIUS

vpdn group l2tpipsec l2tp tunnel hello 60

vpdn enable outside

terminal width 80

Cryptochecksum:06a53009d1e9f04740256d9f0fb82837

: end

[OK]

Verificación

Use esta sección para confirmar que su configuración funciona correctamente.

La herramienta Output Interpreter Tool (clientes registrados solamente) (OIT) soporta ciertoscomandos show. Utilice la OIT para ver un análisis del resultado del comando show.

show crypto ca cert — Visualiza la información sobre su certificado, el certificado de CA, ycualquier Certificados del registration authority (RA).PIX Version 6.3(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl
//tools.cisco.com/RPF/register/register.do
Page 6: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX-506-2

domain-name sjvpn.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

!--- Access Control List (ACL) configured to bypass !--- Network Address Translation (NAT)

for the L2TP IP pool. access-list nonat permit ip 20.1.1.0 255.255.255.0 50.1.1.0

255.255.255.0

!--- ACL configured to permit L2TP traffic (UDP port 1701). access-list l2tp permit udp host

171.68.9.57 any eq 1701

no pager

logging on

logging console debugging

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 171.68.9.57 255.255.255.0

ip address inside 20.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

!--- Pool for L2TP address assignment. ip local pool l2tp 50.1.1.1-50.1.1.5

pdm history enable

arp timeout 14400

!--- NAT configuration that matches previously defined !--- ACL for the L2TP IP pool. nat

(inside) 0 access-list nonat

route outside 0.0.0.0 0.0.0.0 171.68.9.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323

0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

!--- AAA (RADIUS) server configuration. aaa-server RADIUS (inside) host 20.1.1.2 cisco

timeout 5

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

!--- sysopt command entry to permit L2TP !--- traffic, while bypassing all ACLs.

sysopt connection permit-l2tp

no sysopt route dnat

!--- The IPsec configuration. crypto ipsec transform-set l2tp esp-des esp-md5-hmac

!--- Only transport mode is supported. crypto ipsec transform-set l2tp mode transport

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map dyna 20 match address l2tp

crypto dynamic-map dyna 20 set transform-set l2tp

crypto map mymap 10 ipsec-isakmp dynamic dyna

crypto map mymap client authentication RADIUS

crypto map mymap interface outside

!--- The IKE configuration. isakmp enable outside

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash md5

Page 7: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

ca identity sjvpn 171.68.9.149:/certsrv/mscep/mscep.dll

ca configure sjvpn ra 1 20 crloptional

telnet 171.68.9.0 255.255.255.0 inside

telnet 20.1.1.2 255.255.255.255 inside

telnet timeout 60

ssh timeout 5

!--- The L2TP configuration parameters. vpdn group l2tpipsec accept dialin l2tp

vpdn group l2tpipsec ppp authentication chap

vpdn group l2tpipsec ppp authentication mschap

vpdn group l2tpipsec client configuration address local l2tp

vpdn group l2tpipsec client configuration dns 20.1.1.250 20.1.1.251

vpdn group l2tpipsec client configuration wins 20.1.1.250

vpdn group l2tpipsec client authentication aaa RADIUS

vpdn group l2tpipsec client accounting RADIUS

vpdn group l2tpipsec l2tp tunnel hello 60

vpdn enable outside

terminal width 80

Cryptochecksum:06a53009d1e9f04740256d9f0fb82837

: end

[OK]

show crypto isakmp sa — Muestra todas las asociaciones actuales de seguridad (SA) IKE deun par.PIX Version 6.3(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX-506-2

domain-name sjvpn.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

!--- Access Control List (ACL) configured to bypass !--- Network Address Translation (NAT)

for the L2TP IP pool. access-list nonat permit ip 20.1.1.0 255.255.255.0 50.1.1.0

255.255.255.0

!--- ACL configured to permit L2TP traffic (UDP port 1701). access-list l2tp permit udp host

171.68.9.57 any eq 1701

no pager

logging on

logging console debugging

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 171.68.9.57 255.255.255.0

ip address inside 20.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

!--- Pool for L2TP address assignment. ip local pool l2tp 50.1.1.1-50.1.1.5

pdm history enable

arp timeout 14400

!--- NAT configuration that matches previously defined !--- ACL for the L2TP IP pool. nat

(inside) 0 access-list nonat

route outside 0.0.0.0 0.0.0.0 171.68.9.1 1

Page 8: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323

0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

!--- AAA (RADIUS) server configuration. aaa-server RADIUS (inside) host 20.1.1.2 cisco

timeout 5

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

!--- sysopt command entry to permit L2TP !--- traffic, while bypassing all ACLs.

sysopt connection permit-l2tp

no sysopt route dnat

!--- The IPsec configuration. crypto ipsec transform-set l2tp esp-des esp-md5-hmac

!--- Only transport mode is supported. crypto ipsec transform-set l2tp mode transport

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map dyna 20 match address l2tp

crypto dynamic-map dyna 20 set transform-set l2tp

crypto map mymap 10 ipsec-isakmp dynamic dyna

crypto map mymap client authentication RADIUS

crypto map mymap interface outside

!--- The IKE configuration. isakmp enable outside

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

ca identity sjvpn 171.68.9.149:/certsrv/mscep/mscep.dll

ca configure sjvpn ra 1 20 crloptional

telnet 171.68.9.0 255.255.255.0 inside

telnet 20.1.1.2 255.255.255.255 inside

telnet timeout 60

ssh timeout 5

!--- The L2TP configuration parameters. vpdn group l2tpipsec accept dialin l2tp

vpdn group l2tpipsec ppp authentication chap

vpdn group l2tpipsec ppp authentication mschap

vpdn group l2tpipsec client configuration address local l2tp

vpdn group l2tpipsec client configuration dns 20.1.1.250 20.1.1.251

vpdn group l2tpipsec client configuration wins 20.1.1.250

vpdn group l2tpipsec client authentication aaa RADIUS

vpdn group l2tpipsec client accounting RADIUS

vpdn group l2tpipsec l2tp tunnel hello 60

vpdn enable outside

terminal width 80

Cryptochecksum:06a53009d1e9f04740256d9f0fb82837

: end

[OK]

show crypto ipsec sa — Muestra la configuración actual utilizada por las SA actualesPIX Version 6.3(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX-506-2

domain-name sjvpn.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

Page 9: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

!--- Access Control List (ACL) configured to bypass !--- Network Address Translation (NAT)

for the L2TP IP pool. access-list nonat permit ip 20.1.1.0 255.255.255.0 50.1.1.0

255.255.255.0

!--- ACL configured to permit L2TP traffic (UDP port 1701). access-list l2tp permit udp host

171.68.9.57 any eq 1701

no pager

logging on

logging console debugging

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 171.68.9.57 255.255.255.0

ip address inside 20.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

!--- Pool for L2TP address assignment. ip local pool l2tp 50.1.1.1-50.1.1.5

pdm history enable

arp timeout 14400

!--- NAT configuration that matches previously defined !--- ACL for the L2TP IP pool. nat

(inside) 0 access-list nonat

route outside 0.0.0.0 0.0.0.0 171.68.9.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323

0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

!--- AAA (RADIUS) server configuration. aaa-server RADIUS (inside) host 20.1.1.2 cisco

timeout 5

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

!--- sysopt command entry to permit L2TP !--- traffic, while bypassing all ACLs.

sysopt connection permit-l2tp

no sysopt route dnat

!--- The IPsec configuration. crypto ipsec transform-set l2tp esp-des esp-md5-hmac

!--- Only transport mode is supported. crypto ipsec transform-set l2tp mode transport

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map dyna 20 match address l2tp

crypto dynamic-map dyna 20 set transform-set l2tp

crypto map mymap 10 ipsec-isakmp dynamic dyna

crypto map mymap client authentication RADIUS

crypto map mymap interface outside

!--- The IKE configuration. isakmp enable outside

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

ca identity sjvpn 171.68.9.149:/certsrv/mscep/mscep.dll

ca configure sjvpn ra 1 20 crloptional

telnet 171.68.9.0 255.255.255.0 inside

telnet 20.1.1.2 255.255.255.255 inside

telnet timeout 60

Page 10: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

ssh timeout 5

!--- The L2TP configuration parameters. vpdn group l2tpipsec accept dialin l2tp

vpdn group l2tpipsec ppp authentication chap

vpdn group l2tpipsec ppp authentication mschap

vpdn group l2tpipsec client configuration address local l2tp

vpdn group l2tpipsec client configuration dns 20.1.1.250 20.1.1.251

vpdn group l2tpipsec client configuration wins 20.1.1.250

vpdn group l2tpipsec client authentication aaa RADIUS

vpdn group l2tpipsec client accounting RADIUS

vpdn group l2tpipsec l2tp tunnel hello 60

vpdn enable outside

terminal width 80

Cryptochecksum:06a53009d1e9f04740256d9f0fb82837

: end

[OK]

muestre el túnel del vpdn — La información de las visualizaciones sobre L2TP activo o elLevel 2 Forwarding (L2F) hace un túnel en un Virtual Private Dialup Network (VPDN).PIX Version 6.3(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX-506-2

domain-name sjvpn.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

!--- Access Control List (ACL) configured to bypass !--- Network Address Translation (NAT)

for the L2TP IP pool. access-list nonat permit ip 20.1.1.0 255.255.255.0 50.1.1.0

255.255.255.0

!--- ACL configured to permit L2TP traffic (UDP port 1701). access-list l2tp permit udp host

171.68.9.57 any eq 1701

no pager

logging on

logging console debugging

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 171.68.9.57 255.255.255.0

ip address inside 20.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

!--- Pool for L2TP address assignment. ip local pool l2tp 50.1.1.1-50.1.1.5

pdm history enable

arp timeout 14400

!--- NAT configuration that matches previously defined !--- ACL for the L2TP IP pool. nat

(inside) 0 access-list nonat

route outside 0.0.0.0 0.0.0.0 171.68.9.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323

0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

!--- AAA (RADIUS) server configuration. aaa-server RADIUS (inside) host 20.1.1.2 cisco

Page 11: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

timeout 5

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

!--- sysopt command entry to permit L2TP !--- traffic, while bypassing all ACLs.

sysopt connection permit-l2tp

no sysopt route dnat

!--- The IPsec configuration. crypto ipsec transform-set l2tp esp-des esp-md5-hmac

!--- Only transport mode is supported. crypto ipsec transform-set l2tp mode transport

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map dyna 20 match address l2tp

crypto dynamic-map dyna 20 set transform-set l2tp

crypto map mymap 10 ipsec-isakmp dynamic dyna

crypto map mymap client authentication RADIUS

crypto map mymap interface outside

!--- The IKE configuration. isakmp enable outside

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

ca identity sjvpn 171.68.9.149:/certsrv/mscep/mscep.dll

ca configure sjvpn ra 1 20 crloptional

telnet 171.68.9.0 255.255.255.0 inside

telnet 20.1.1.2 255.255.255.255 inside

telnet timeout 60

ssh timeout 5

!--- The L2TP configuration parameters. vpdn group l2tpipsec accept dialin l2tp

vpdn group l2tpipsec ppp authentication chap

vpdn group l2tpipsec ppp authentication mschap

vpdn group l2tpipsec client configuration address local l2tp

vpdn group l2tpipsec client configuration dns 20.1.1.250 20.1.1.251

vpdn group l2tpipsec client configuration wins 20.1.1.250

vpdn group l2tpipsec client authentication aaa RADIUS

vpdn group l2tpipsec client accounting RADIUS

vpdn group l2tpipsec l2tp tunnel hello 60

vpdn enable outside

terminal width 80

Cryptochecksum:06a53009d1e9f04740256d9f0fb82837

: end

[OK]

muestre la sesión del vpdn — Información de las visualizaciones sobre las sesiones activasL2TP o L2F en un VPDN.PIX Version 6.3(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX-506-2

domain-name sjvpn.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

!--- Access Control List (ACL) configured to bypass !--- Network Address Translation (NAT)

Page 12: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

for the L2TP IP pool. access-list nonat permit ip 20.1.1.0 255.255.255.0 50.1.1.0

255.255.255.0

!--- ACL configured to permit L2TP traffic (UDP port 1701). access-list l2tp permit udp host

171.68.9.57 any eq 1701

no pager

logging on

logging console debugging

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 171.68.9.57 255.255.255.0

ip address inside 20.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

!--- Pool for L2TP address assignment. ip local pool l2tp 50.1.1.1-50.1.1.5

pdm history enable

arp timeout 14400

!--- NAT configuration that matches previously defined !--- ACL for the L2TP IP pool. nat

(inside) 0 access-list nonat

route outside 0.0.0.0 0.0.0.0 171.68.9.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323

0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

!--- AAA (RADIUS) server configuration. aaa-server RADIUS (inside) host 20.1.1.2 cisco

timeout 5

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

!--- sysopt command entry to permit L2TP !--- traffic, while bypassing all ACLs.

sysopt connection permit-l2tp

no sysopt route dnat

!--- The IPsec configuration. crypto ipsec transform-set l2tp esp-des esp-md5-hmac

!--- Only transport mode is supported. crypto ipsec transform-set l2tp mode transport

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map dyna 20 match address l2tp

crypto dynamic-map dyna 20 set transform-set l2tp

crypto map mymap 10 ipsec-isakmp dynamic dyna

crypto map mymap client authentication RADIUS

crypto map mymap interface outside

!--- The IKE configuration. isakmp enable outside

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

ca identity sjvpn 171.68.9.149:/certsrv/mscep/mscep.dll

ca configure sjvpn ra 1 20 crloptional

telnet 171.68.9.0 255.255.255.0 inside

telnet 20.1.1.2 255.255.255.255 inside

telnet timeout 60

ssh timeout 5

!--- The L2TP configuration parameters. vpdn group l2tpipsec accept dialin l2tp

vpdn group l2tpipsec ppp authentication chap

vpdn group l2tpipsec ppp authentication mschap

vpdn group l2tpipsec client configuration address local l2tp

vpdn group l2tpipsec client configuration dns 20.1.1.250 20.1.1.251

Page 13: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

vpdn group l2tpipsec client configuration wins 20.1.1.250

vpdn group l2tpipsec client authentication aaa RADIUS

vpdn group l2tpipsec client accounting RADIUS

vpdn group l2tpipsec l2tp tunnel hello 60

vpdn enable outside

terminal width 80

Cryptochecksum:06a53009d1e9f04740256d9f0fb82837

: end

[OK]

muestre el pppinterface del vpdn — Visualiza el estatus y las estadísticas de la interfaz virtualPPP que fue creada para el túnel PPTP por el valor de identificación de la interfaz delcomando show vpdn session.PIX Version 6.3(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX-506-2

domain-name sjvpn.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

!--- Access Control List (ACL) configured to bypass !--- Network Address Translation (NAT)

for the L2TP IP pool. access-list nonat permit ip 20.1.1.0 255.255.255.0 50.1.1.0

255.255.255.0

!--- ACL configured to permit L2TP traffic (UDP port 1701). access-list l2tp permit udp host

171.68.9.57 any eq 1701

no pager

logging on

logging console debugging

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 171.68.9.57 255.255.255.0

ip address inside 20.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

!--- Pool for L2TP address assignment. ip local pool l2tp 50.1.1.1-50.1.1.5

pdm history enable

arp timeout 14400

!--- NAT configuration that matches previously defined !--- ACL for the L2TP IP pool. nat

(inside) 0 access-list nonat

route outside 0.0.0.0 0.0.0.0 171.68.9.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323

0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

!--- AAA (RADIUS) server configuration. aaa-server RADIUS (inside) host 20.1.1.2 cisco

timeout 5

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

Page 14: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

floodguard enable

!--- sysopt command entry to permit L2TP !--- traffic, while bypassing all ACLs.

sysopt connection permit-l2tp

no sysopt route dnat

!--- The IPsec configuration. crypto ipsec transform-set l2tp esp-des esp-md5-hmac

!--- Only transport mode is supported. crypto ipsec transform-set l2tp mode transport

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map dyna 20 match address l2tp

crypto dynamic-map dyna 20 set transform-set l2tp

crypto map mymap 10 ipsec-isakmp dynamic dyna

crypto map mymap client authentication RADIUS

crypto map mymap interface outside

!--- The IKE configuration. isakmp enable outside

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

ca identity sjvpn 171.68.9.149:/certsrv/mscep/mscep.dll

ca configure sjvpn ra 1 20 crloptional

telnet 171.68.9.0 255.255.255.0 inside

telnet 20.1.1.2 255.255.255.255 inside

telnet timeout 60

ssh timeout 5

!--- The L2TP configuration parameters. vpdn group l2tpipsec accept dialin l2tp

vpdn group l2tpipsec ppp authentication chap

vpdn group l2tpipsec ppp authentication mschap

vpdn group l2tpipsec client configuration address local l2tp

vpdn group l2tpipsec client configuration dns 20.1.1.250 20.1.1.251

vpdn group l2tpipsec client configuration wins 20.1.1.250

vpdn group l2tpipsec client authentication aaa RADIUS

vpdn group l2tpipsec client accounting RADIUS

vpdn group l2tpipsec l2tp tunnel hello 60

vpdn enable outside

terminal width 80

Cryptochecksum:06a53009d1e9f04740256d9f0fb82837

: end

[OK]

uauth de la demostración — Visualiza la información de autenticación y autorización delUsuario usuario actual.PIX Version 6.3(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX-506-2

domain-name sjvpn.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

!--- Access Control List (ACL) configured to bypass !--- Network Address Translation (NAT)

for the L2TP IP pool. access-list nonat permit ip 20.1.1.0 255.255.255.0 50.1.1.0

255.255.255.0

!--- ACL configured to permit L2TP traffic (UDP port 1701). access-list l2tp permit udp host

171.68.9.57 any eq 1701

no pager

Page 15: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

logging on

logging console debugging

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 171.68.9.57 255.255.255.0

ip address inside 20.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

!--- Pool for L2TP address assignment. ip local pool l2tp 50.1.1.1-50.1.1.5

pdm history enable

arp timeout 14400

!--- NAT configuration that matches previously defined !--- ACL for the L2TP IP pool. nat

(inside) 0 access-list nonat

route outside 0.0.0.0 0.0.0.0 171.68.9.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323

0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

!--- AAA (RADIUS) server configuration. aaa-server RADIUS (inside) host 20.1.1.2 cisco

timeout 5

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

!--- sysopt command entry to permit L2TP !--- traffic, while bypassing all ACLs.

sysopt connection permit-l2tp

no sysopt route dnat

!--- The IPsec configuration. crypto ipsec transform-set l2tp esp-des esp-md5-hmac

!--- Only transport mode is supported. crypto ipsec transform-set l2tp mode transport

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map dyna 20 match address l2tp

crypto dynamic-map dyna 20 set transform-set l2tp

crypto map mymap 10 ipsec-isakmp dynamic dyna

crypto map mymap client authentication RADIUS

crypto map mymap interface outside

!--- The IKE configuration. isakmp enable outside

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

ca identity sjvpn 171.68.9.149:/certsrv/mscep/mscep.dll

ca configure sjvpn ra 1 20 crloptional

telnet 171.68.9.0 255.255.255.0 inside

telnet 20.1.1.2 255.255.255.255 inside

telnet timeout 60

ssh timeout 5

!--- The L2TP configuration parameters. vpdn group l2tpipsec accept dialin l2tp

vpdn group l2tpipsec ppp authentication chap

vpdn group l2tpipsec ppp authentication mschap

vpdn group l2tpipsec client configuration address local l2tp

vpdn group l2tpipsec client configuration dns 20.1.1.250 20.1.1.251

vpdn group l2tpipsec client configuration wins 20.1.1.250

vpdn group l2tpipsec client authentication aaa RADIUS

vpdn group l2tpipsec client accounting RADIUS

vpdn group l2tpipsec l2tp tunnel hello 60

vpdn enable outside

Page 16: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

terminal width 80

Cryptochecksum:06a53009d1e9f04740256d9f0fb82837

: end

[OK]

Troubleshooting

En esta sección encontrará información que puede utilizar para solucionar problemas deconfiguración.

Comandos para resolución de problemas

La herramienta Output Interpreter Tool (clientes registrados solamente) (OIT) soporta ciertoscomandos show. Utilice la OIT para ver un análisis del resultado del comando show.

Nota: Consulte Información Importante sobre Comandos de Debug antes de usar un comandodebug.

IPSec del debug crypto — Eventos del IPSec de las visualizaciones.●

debug crypto isakmp — Muestra mensajes acerca de eventos IKE.●

motor del debug crypto — Mensajes del debug de las visualizaciones sobre los motores decriptografía, que realizan el cifrado y el desciframiento.

debug ppp io — Muestra la información de paquete para la interfaz virtual PPTP PPP.●

debug crypto ca — Mensajes del debug de las visualizaciones intercambiados por CA.●

debug ppp error — Muestra los errores de protocolo y las estadísticas de error relacionadascon la negociación y operación de conexiones PPP.

debug vpdn error — Muestra errores que evitan que se establezca un túnel PPP o erroresque provocan que un túnel establecido se cierre.

debug vpdn packet - Muestra errores L2TP y eventos que son una parte del establecimientonormal de túneles o apagado para las VPDN.

debug vpdn event — Visualiza los mensajes sobre los eventos que son establecimiento deltúnel normal de la parte de PPP o apagan.

debug ppp uauth - Muestra los mensajes de depuración de autenticación de usuario de AAAde la interfaz virtual de PPTP PPP.

Ejemplo de resultado del comando debug

Esto es una muestra de un debug correcta en el firewall PIX.

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

ISAKMP: Created a peer node for 171.68.9.149

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP (0): atts are acceptable. Next payload is 0

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl
//tools.cisco.com/RPF/register/register.do
//www.cisco.com/en/US/tech/tk801/tk379/technologies_tech_note09186a008017874c.shtml
Page 17: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): SA is doing RSA signature authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

CRYPTO_PKI: status = 0: crl check ignored

PKI: key process suspended and continued

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found

while selecting CRL

CRYPTO_PKI: cert revocation status unknown.

ISAKMP (0): cert approved with warning

ISAKMP (0): processing SIG payload. message ID = 0

ISAKMP (0): processing CERT_REQ payload. message ID = 0

ISAKMP (0): peer wants a CT_X509_SIGNATURE cert

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 6

type : 2

protocol : 17

port : 500

length : 23

ISAKMP (0): Total payload length: 27

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 3800855889

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0x3 0x84

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x1 0x86 0xa0

ISAKMP: encaps is 2

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 171.68.9.57, src= 171.68.9.149,

dest_proxy= 171.68.9.57/255.255.255.255/17/1701 (type=1),

src_proxy= 171.68.9.149/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

ISAKMP (0): processing NONCE payload. message ID = 3800855889

Page 18: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

ISAKMP (0): processing ID payload. message ID = 3800855889

ISAKMP (0): ID_IPV4_ADDR src 171.68.9.149 prot 17 port 1701

ISAKMP (0): processing ID payload. message ID = 3800855889

ISAKMP (0): ID_IPV4_ADDR dst 171.68.9.57 prot 17 port 1701IPSEC(key_engine):

got a queue event...

IPSEC(spi_response): getting spi 0xfbc9db43(4224310083) for SA

from 171.68.9.149 to 171.68.9.57 for prot 3

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_AUTH_AWAIT

ISAKMP (0): Creating IPSec SAs

inbound SA from 171.68.9.149 to 171.68.9.57 (proxy 171.68.9.149 to 171.68.9.57)

has spi 4224310083 and conn_id 1 and flags 0

lifetime of 900 seconds

lifetime of 100000 kilobytes

outbound SA from 171.68.9.57 to 171.68.9.149 (proxy 171.68.9.57 to 171.68.9.149)

has spi 2831503048 and conn_id 2 and flags 0

lifetime of 900 seconds

lifetime of 100000 kilobytesIPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= 171.68.9.57, src= 171.68.9.149,

dest_proxy= 171.68.9.57/0.0.0.0/17/1701 (type=1),

src_proxy= 171.68.9.149/0.0.0.0/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 900s and 100000kb,

spi= 0xfbc9db43(4224310083), conn_id= 1, keysize= 0, flags= 0x0

IPSEC(initialize_sas): ,

(key eng. msg.) src= 171.68.9.57, dest= 171.68.9.149,

src_proxy= 171.68.9.57/0.0.0.0/17/1701 (type=1),

dest_proxy= 171.68.9.149/0.0.0.0/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 900s and 100000kb,

spi= 0xa8c54ec8(2831503048), conn_id= 2, keysize= 0, flags= 0x0

return status is IKMP_NO_ERROR

show log

603102: PPP virtual interface 1 - user: vpnclient aaa authentication started

603103: PPP virtual interface 1 - user: vpnclient aaa authentication succeed

109011: Authen Session Start: user 'vpnclient', sid 0

603106: L2TP Tunnel created, tunnel_id is 1, remote_peer_ip is 171.68.9.149

ppp_virtual_interface_id is 1, client_dynamic_ip is 50.1.1.1

username is vpnclient

Depuración correcta para registro con CA

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

ISAKMP: Created a peer node for 171.68.9.149

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

Page 19: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): SA is doing RSA signature authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

CRYPTO_PKI: status = 0: crl check ignored

PKI: key process suspended and continued

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found

while selecting CRL

CRYPTO_PKI: cert revocation status unknown.

ISAKMP (0): cert approved with warning

ISAKMP (0): processing SIG payload. message ID = 0

ISAKMP (0): processing CERT_REQ payload. message ID = 0

ISAKMP (0): peer wants a CT_X509_SIGNATURE cert

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 6

type : 2

protocol : 17

port : 500

length : 23

ISAKMP (0): Total payload length: 27

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 3800855889

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0x3 0x84

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x1 0x86 0xa0

ISAKMP: encaps is 2

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 171.68.9.57, src= 171.68.9.149,

dest_proxy= 171.68.9.57/255.255.255.255/17/1701 (type=1),

src_proxy= 171.68.9.149/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Page 20: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

ISAKMP (0): processing NONCE payload. message ID = 3800855889

ISAKMP (0): processing ID payload. message ID = 3800855889

ISAKMP (0): ID_IPV4_ADDR src 171.68.9.149 prot 17 port 1701

ISAKMP (0): processing ID payload. message ID = 3800855889

ISAKMP (0): ID_IPV4_ADDR dst 171.68.9.57 prot 17 port 1701IPSEC(key_engine):

got a queue event...

IPSEC(spi_response): getting spi 0xfbc9db43(4224310083) for SA

from 171.68.9.149 to 171.68.9.57 for prot 3

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_AUTH_AWAIT

ISAKMP (0): Creating IPSec SAs

inbound SA from 171.68.9.149 to 171.68.9.57 (proxy 171.68.9.149 to 171.68.9.57)

has spi 4224310083 and conn_id 1 and flags 0

lifetime of 900 seconds

lifetime of 100000 kilobytes

outbound SA from 171.68.9.57 to 171.68.9.149 (proxy 171.68.9.57 to 171.68.9.149)

has spi 2831503048 and conn_id 2 and flags 0

lifetime of 900 seconds

lifetime of 100000 kilobytesIPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= 171.68.9.57, src= 171.68.9.149,

dest_proxy= 171.68.9.57/0.0.0.0/17/1701 (type=1),

src_proxy= 171.68.9.149/0.0.0.0/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 900s and 100000kb,

spi= 0xfbc9db43(4224310083), conn_id= 1, keysize= 0, flags= 0x0

IPSEC(initialize_sas): ,

(key eng. msg.) src= 171.68.9.57, dest= 171.68.9.149,

src_proxy= 171.68.9.57/0.0.0.0/17/1701 (type=1),

dest_proxy= 171.68.9.149/0.0.0.0/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 900s and 100000kb,

spi= 0xa8c54ec8(2831503048), conn_id= 2, keysize= 0, flags= 0x0

return status is IKMP_NO_ERROR

show log

603102: PPP virtual interface 1 - user: vpnclient aaa authentication started

603103: PPP virtual interface 1 - user: vpnclient aaa authentication succeed

109011: Authen Session Start: user 'vpnclient', sid 0

603106: L2TP Tunnel created, tunnel_id is 1, remote_peer_ip is 171.68.9.149

ppp_virtual_interface_id is 1, client_dynamic_ip is 50.1.1.1

username is vpnclient

Depuración incorrecta para registro con CA

En este ejemplo, la sintaxis de URL incorrecta fue utilizada en el comando ca identity:

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

ISAKMP: Created a peer node for 171.68.9.149

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP: encryption DES-CBC

Page 21: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): SA is doing RSA signature authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

CRYPTO_PKI: status = 0: crl check ignored

PKI: key process suspended and continued

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found

while selecting CRL

CRYPTO_PKI: cert revocation status unknown.

ISAKMP (0): cert approved with warning

ISAKMP (0): processing SIG payload. message ID = 0

ISAKMP (0): processing CERT_REQ payload. message ID = 0

ISAKMP (0): peer wants a CT_X509_SIGNATURE cert

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 6

type : 2

protocol : 17

port : 500

length : 23

ISAKMP (0): Total payload length: 27

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 3800855889

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0x3 0x84

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x1 0x86 0xa0

ISAKMP: encaps is 2

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 171.68.9.57, src= 171.68.9.149,

dest_proxy= 171.68.9.57/255.255.255.255/17/1701 (type=1),

Page 22: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

src_proxy= 171.68.9.149/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

ISAKMP (0): processing NONCE payload. message ID = 3800855889

ISAKMP (0): processing ID payload. message ID = 3800855889

ISAKMP (0): ID_IPV4_ADDR src 171.68.9.149 prot 17 port 1701

ISAKMP (0): processing ID payload. message ID = 3800855889

ISAKMP (0): ID_IPV4_ADDR dst 171.68.9.57 prot 17 port 1701IPSEC(key_engine):

got a queue event...

IPSEC(spi_response): getting spi 0xfbc9db43(4224310083) for SA

from 171.68.9.149 to 171.68.9.57 for prot 3

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_AUTH_AWAIT

ISAKMP (0): Creating IPSec SAs

inbound SA from 171.68.9.149 to 171.68.9.57 (proxy 171.68.9.149 to 171.68.9.57)

has spi 4224310083 and conn_id 1 and flags 0

lifetime of 900 seconds

lifetime of 100000 kilobytes

outbound SA from 171.68.9.57 to 171.68.9.149 (proxy 171.68.9.57 to 171.68.9.149)

has spi 2831503048 and conn_id 2 and flags 0

lifetime of 900 seconds

lifetime of 100000 kilobytesIPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= 171.68.9.57, src= 171.68.9.149,

dest_proxy= 171.68.9.57/0.0.0.0/17/1701 (type=1),

src_proxy= 171.68.9.149/0.0.0.0/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 900s and 100000kb,

spi= 0xfbc9db43(4224310083), conn_id= 1, keysize= 0, flags= 0x0

IPSEC(initialize_sas): ,

(key eng. msg.) src= 171.68.9.57, dest= 171.68.9.149,

src_proxy= 171.68.9.57/0.0.0.0/17/1701 (type=1),

dest_proxy= 171.68.9.149/0.0.0.0/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 900s and 100000kb,

spi= 0xa8c54ec8(2831503048), conn_id= 2, keysize= 0, flags= 0x0

return status is IKMP_NO_ERROR

show log

603102: PPP virtual interface 1 - user: vpnclient aaa authentication started

603103: PPP virtual interface 1 - user: vpnclient aaa authentication succeed

109011: Authen Session Start: user 'vpnclient', sid 0

603106: L2TP Tunnel created, tunnel_id is 1, remote_peer_ip is 171.68.9.149

ppp_virtual_interface_id is 1, client_dynamic_ip is 50.1.1.1

username is vpnclient

Si el modo de la inscripción fue especificado como CA en vez como de RA, después ustedconsigue este debug:

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

ISAKMP: Created a peer node for 171.68.9.149

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

Page 23: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): SA is doing RSA signature authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

CRYPTO_PKI: status = 0: crl check ignored

PKI: key process suspended and continued

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found

while selecting CRL

CRYPTO_PKI: cert revocation status unknown.

ISAKMP (0): cert approved with warning

ISAKMP (0): processing SIG payload. message ID = 0

ISAKMP (0): processing CERT_REQ payload. message ID = 0

ISAKMP (0): peer wants a CT_X509_SIGNATURE cert

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 6

type : 2

protocol : 17

port : 500

length : 23

ISAKMP (0): Total payload length: 27

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 3800855889

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0x3 0x84

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x1 0x86 0xa0

ISAKMP: encaps is 2

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,

Page 24: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

(key eng. msg.) dest= 171.68.9.57, src= 171.68.9.149,

dest_proxy= 171.68.9.57/255.255.255.255/17/1701 (type=1),

src_proxy= 171.68.9.149/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

ISAKMP (0): processing NONCE payload. message ID = 3800855889

ISAKMP (0): processing ID payload. message ID = 3800855889

ISAKMP (0): ID_IPV4_ADDR src 171.68.9.149 prot 17 port 1701

ISAKMP (0): processing ID payload. message ID = 3800855889

ISAKMP (0): ID_IPV4_ADDR dst 171.68.9.57 prot 17 port 1701IPSEC(key_engine):

got a queue event...

IPSEC(spi_response): getting spi 0xfbc9db43(4224310083) for SA

from 171.68.9.149 to 171.68.9.57 for prot 3

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_AUTH_AWAIT

ISAKMP (0): Creating IPSec SAs

inbound SA from 171.68.9.149 to 171.68.9.57 (proxy 171.68.9.149 to 171.68.9.57)

has spi 4224310083 and conn_id 1 and flags 0

lifetime of 900 seconds

lifetime of 100000 kilobytes

outbound SA from 171.68.9.57 to 171.68.9.149 (proxy 171.68.9.57 to 171.68.9.149)

has spi 2831503048 and conn_id 2 and flags 0

lifetime of 900 seconds

lifetime of 100000 kilobytesIPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= 171.68.9.57, src= 171.68.9.149,

dest_proxy= 171.68.9.57/0.0.0.0/17/1701 (type=1),

src_proxy= 171.68.9.149/0.0.0.0/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 900s and 100000kb,

spi= 0xfbc9db43(4224310083), conn_id= 1, keysize= 0, flags= 0x0

IPSEC(initialize_sas): ,

(key eng. msg.) src= 171.68.9.57, dest= 171.68.9.149,

src_proxy= 171.68.9.57/0.0.0.0/17/1701 (type=1),

dest_proxy= 171.68.9.149/0.0.0.0/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 900s and 100000kb,

spi= 0xa8c54ec8(2831503048), conn_id= 2, keysize= 0, flags= 0x0

return status is IKMP_NO_ERROR

show log

603102: PPP virtual interface 1 - user: vpnclient aaa authentication started

603103: PPP virtual interface 1 - user: vpnclient aaa authentication succeed

109011: Authen Session Start: user 'vpnclient', sid 0

603106: L2TP Tunnel created, tunnel_id is 1, remote_peer_ip is 171.68.9.149

ppp_virtual_interface_id is 1, client_dynamic_ip is 50.1.1.1

username is vpnclient

En este ejemplo, el comando mode transport falta:

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

ISAKMP: Created a peer node for 171.68.9.149

OAK_MM exchange

Page 25: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): SA is doing RSA signature authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

CRYPTO_PKI: status = 0: crl check ignored

PKI: key process suspended and continued

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found

while selecting CRL

CRYPTO_PKI: cert revocation status unknown.

ISAKMP (0): cert approved with warning

ISAKMP (0): processing SIG payload. message ID = 0

ISAKMP (0): processing CERT_REQ payload. message ID = 0

ISAKMP (0): peer wants a CT_X509_SIGNATURE cert

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 6

type : 2

protocol : 17

port : 500

length : 23

ISAKMP (0): Total payload length: 27

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 3800855889

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0x3 0x84

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x1 0x86 0xa0

ISAKMP: encaps is 2

ISAKMP: authenticator is HMAC-MD5

Page 26: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 171.68.9.57, src= 171.68.9.149,

dest_proxy= 171.68.9.57/255.255.255.255/17/1701 (type=1),

src_proxy= 171.68.9.149/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

ISAKMP (0): processing NONCE payload. message ID = 3800855889

ISAKMP (0): processing ID payload. message ID = 3800855889

ISAKMP (0): ID_IPV4_ADDR src 171.68.9.149 prot 17 port 1701

ISAKMP (0): processing ID payload. message ID = 3800855889

ISAKMP (0): ID_IPV4_ADDR dst 171.68.9.57 prot 17 port 1701IPSEC(key_engine):

got a queue event...

IPSEC(spi_response): getting spi 0xfbc9db43(4224310083) for SA

from 171.68.9.149 to 171.68.9.57 for prot 3

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_AUTH_AWAIT

ISAKMP (0): Creating IPSec SAs

inbound SA from 171.68.9.149 to 171.68.9.57 (proxy 171.68.9.149 to 171.68.9.57)

has spi 4224310083 and conn_id 1 and flags 0

lifetime of 900 seconds

lifetime of 100000 kilobytes

outbound SA from 171.68.9.57 to 171.68.9.149 (proxy 171.68.9.57 to 171.68.9.149)

has spi 2831503048 and conn_id 2 and flags 0

lifetime of 900 seconds

lifetime of 100000 kilobytesIPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= 171.68.9.57, src= 171.68.9.149,

dest_proxy= 171.68.9.57/0.0.0.0/17/1701 (type=1),

src_proxy= 171.68.9.149/0.0.0.0/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 900s and 100000kb,

spi= 0xfbc9db43(4224310083), conn_id= 1, keysize= 0, flags= 0x0

IPSEC(initialize_sas): ,

(key eng. msg.) src= 171.68.9.57, dest= 171.68.9.149,

src_proxy= 171.68.9.57/0.0.0.0/17/1701 (type=1),

dest_proxy= 171.68.9.149/0.0.0.0/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 900s and 100000kb,

spi= 0xa8c54ec8(2831503048), conn_id= 2, keysize= 0, flags= 0x0

return status is IKMP_NO_ERROR

show log

603102: PPP virtual interface 1 - user: vpnclient aaa authentication started

603103: PPP virtual interface 1 - user: vpnclient aaa authentication succeed

109011: Authen Session Start: user 'vpnclient', sid 0

603106: L2TP Tunnel created, tunnel_id is 1, remote_peer_ip is 171.68.9.149

ppp_virtual_interface_id is 1, client_dynamic_ip is 50.1.1.1

username is vpnclient

En esta salida, el comando crypto map mymap 10 ipsec-isakmp dynamic dyna falta, y estemensaje puede aparecer en el debug:

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

Page 27: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

ISAKMP: Created a peer node for 171.68.9.149

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): SA is doing RSA signature authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

CRYPTO_PKI: status = 0: crl check ignored

PKI: key process suspended and continued

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found

while selecting CRL

CRYPTO_PKI: cert revocation status unknown.

ISAKMP (0): cert approved with warning

ISAKMP (0): processing SIG payload. message ID = 0

ISAKMP (0): processing CERT_REQ payload. message ID = 0

ISAKMP (0): peer wants a CT_X509_SIGNATURE cert

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 6

type : 2

protocol : 17

port : 500

length : 23

ISAKMP (0): Total payload length: 27

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 3800855889

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x0 0x3 0x84

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x1 0x86 0xa0

Page 28: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

ISAKMP: encaps is 2

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 171.68.9.57, src= 171.68.9.149,

dest_proxy= 171.68.9.57/255.255.255.255/17/1701 (type=1),

src_proxy= 171.68.9.149/255.255.255.255/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

ISAKMP (0): processing NONCE payload. message ID = 3800855889

ISAKMP (0): processing ID payload. message ID = 3800855889

ISAKMP (0): ID_IPV4_ADDR src 171.68.9.149 prot 17 port 1701

ISAKMP (0): processing ID payload. message ID = 3800855889

ISAKMP (0): ID_IPV4_ADDR dst 171.68.9.57 prot 17 port 1701IPSEC(key_engine):

got a queue event...

IPSEC(spi_response): getting spi 0xfbc9db43(4224310083) for SA

from 171.68.9.149 to 171.68.9.57 for prot 3

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 171.68.9.149, dest 171.68.9.57

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_AUTH_AWAIT

ISAKMP (0): Creating IPSec SAs

inbound SA from 171.68.9.149 to 171.68.9.57 (proxy 171.68.9.149 to 171.68.9.57)

has spi 4224310083 and conn_id 1 and flags 0

lifetime of 900 seconds

lifetime of 100000 kilobytes

outbound SA from 171.68.9.57 to 171.68.9.149 (proxy 171.68.9.57 to 171.68.9.149)

has spi 2831503048 and conn_id 2 and flags 0

lifetime of 900 seconds

lifetime of 100000 kilobytesIPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= 171.68.9.57, src= 171.68.9.149,

dest_proxy= 171.68.9.57/0.0.0.0/17/1701 (type=1),

src_proxy= 171.68.9.149/0.0.0.0/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 900s and 100000kb,

spi= 0xfbc9db43(4224310083), conn_id= 1, keysize= 0, flags= 0x0

IPSEC(initialize_sas): ,

(key eng. msg.) src= 171.68.9.57, dest= 171.68.9.149,

src_proxy= 171.68.9.57/0.0.0.0/17/1701 (type=1),

dest_proxy= 171.68.9.149/0.0.0.0/17/1701 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 900s and 100000kb,

spi= 0xa8c54ec8(2831503048), conn_id= 2, keysize= 0, flags= 0x0

return status is IKMP_NO_ERROR

show log

603102: PPP virtual interface 1 - user: vpnclient aaa authentication started

603103: PPP virtual interface 1 - user: vpnclient aaa authentication succeed

109011: Authen Session Start: user 'vpnclient', sid 0

603106: L2TP Tunnel created, tunnel_id is 1, remote_peer_ip is 171.68.9.149

ppp_virtual_interface_id is 1, client_dynamic_ip is 50.1.1.1

username is vpnclient

Información Relacionada

Page 29: Configuración de L2TP sobre IPSec entre PIX Firewall y ... · clientes de XP a un sitio corporativo usando un método cifrado, refiera a configurar el L2TP sobre el IPSec de un Windows

Páginas de soporte de tecnología RADIUS●

Referencia de Comandos PIX●

Página de Soporte de PIX●

Página de Soporte de IPSec Negotiation/IKE Protocols●

Solicitudes de Comentarios (RFC)●

//www.cisco.com/en/US/tech/tk583/tk547/tsd_technology_support_sub-protocol_home.html?referring_site=bodynav
//www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094885.shtml?referring_site=bodynav
//www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html?referring_site=bodynav
//www.cisco.com/en/US/products/ps8775/tsd_products_support_series_home.html?referring_site=bodynav
http://www.ietf.org/rfc.html?referring_site=bodynav

Configuring a FortiGate unit as an L2TP/IPsec server · Remote Windows 7 L2TP Client ... Configuring a FortiGate unit as an ... For the tunnel to work you must configure a remote

Configure a Client-to-Site VPN Using L2TP over IPsec ... · PDF fileConfigure a Client-to-Site VPN Using L2TP over IPsec (Routing Mode) Lab 4 Objectives ... Remote ID IP address—0.0.0.0

Configuração de túnel VPN L2TP-IPSec Based - … · Marque as opções Allow DHCP over IPsec from single-host clients e Dynamically add route to the remote network when a tunnel

[MS-L2TPIE]: Layer 2 Tunneling Protocol (L2TP) IPsec ... · Layer 2 Tunneling Protocol (L2TP) IPsec Extensions ... available standard specifications and ... as well as non-standard

L2TP/IPSec VPN Client ˚˜ !# $% &'()*(+,%-. /!!-0! Windows 7net.psu.ac.th/images/phocadownload/VPN/Manual/L2TP Win7.pdf · 4 4.6. N Z˝?˙ ^Type the Internet address to connect to`

VPN, MPLS, L2TP, IPsec - rti.etf.bg.ac.rsrti.etf.bg.ac.rs/rti/ir4roi/Prezentacije/02 - VPN, MPLS, IPsec.pdf · VPN, MPLS, L2TP, IPsec ... NetA, L3 NetA, L1 NetA, L4 NetA, L2 28 Na

Konfigurasi L2TP-ipsec

The Difference Impact on QoS Parameters between the IPSEC and L2TP

VPN connection between Shrew IPSEC Client … connection between Shrew IPSEC Client ... L2TP VPN Dynamic VPNGVV show 50 ... different contents here You can also use IP, With IP addresses

VPN, IPsec and TLS - rg.net · PDF fileVPN, IPsec and TLS ... – IP over PPP over GRE ... – IP over PPP over L2TP over UDP over ESP • IPsec – IP over ESP

Astaro Security Gateway V8 · Astaro Security Gateway V8 Remote Access via L2TP over IPSec ... the Astaro Security Gateway by using L2TP over IPSec. L2TP over IPSec is a combination

Configure a Client-to-Site VPN Using L2TP over IPsec ... · Configure a Client-to-Site VPN Using L2TP over IPsec (Routing Mode) Rev. 9.11 L4 – 17 Note The DNS value is used simply

L2TP Over IPsec Between Windows 2000/XP PC and … · L2TP Over IPsec Between Windows 2000/XP PC and PIX/ASA 7.2 Using Pre-shared Key Configuration Example Contents Introduction

Configure a Client-to-Site VPN Using L2TP over IPsec ... · PDF fileRev. 9.11 L4 – 1 Configure a Client-to-Site VPN Using L2TP over IPsec (Routing Mode) Lab 4 Objectives After completing

L2TP over IPsec - Cisco · L2TPwithIPsecontheASAallowstheLNStointeroperatewithnativeVPNclientsintegratedinsuch operatingsystemsasWindows,MACOSX,Android,andCiscoIOS.OnlyL2TPwithIPsecissupported

Internet Protocol Security (IPSec) · Internet Protocol Security (IPSec) IPSec provides secure protection of IPv4, IPv6, GRE, L2TP/PPP traffic (by using IPSec in transport mode) that

ZYWALL USG: VPN L2TP OVER IPSEC Zywall USG …Inseriamo l’ ip pubblico del nostro USG che farà da server L2TP e selezioniamo “Non stabilire la connessione ora.” Inseriamo le

L2TP/IPsec VPN On Windows Server 2016 · VPN clients will contact the DHCP server to obtain our internal TCP/IP configuration so they can ... L2TP/IPsec VPN On Windows Server 2016

Innhold i /DrayTek/ Sheets/Vigor2110... · 2009. 8. 3. · support of 2 simultaneous VPN connection. You can establish remote access or LAN-to-LAN session by utilizing IPSec/PPTP/L2TP/L2TP

 · support of 2 simultaneous VPN connection. You can establish remote access or LAN-to-LAN session by utilizing IPSec/PPTP/L2TP/L2TP over IPSec with AES/DES/3DES for encryption and

[email protected] · 2020. 1. 23. · L2TP es en realidad una variación de un protocolo de encapsulamiento IP. Un túnel L2TP se crea encapsulando una trama L2TP en un paquete UDP,

L2TP Configuration wo IPSec - Juniper Networks · Application Note L2TP Configuration without IPSec Version 1.0 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089

IPSEC over L2tp between Debian as server and Mikrotik as client · 2019-10-01 · IPSEC over L2tp between Debian as server and Mikrotik as client By Ehsan Aminian (Certified Trainer

Plugin-L2TP Configuration Wo IPSec

Configuring Windows Server 2003-Based Isa Server Firewall VPN Server to Accept Inbound Nat-T l2Tp Ipsec Calls

Wireless Data Privacy Guide - whp-aus1.cold.extweb.hp.comwhp-aus1.cold.extweb.hp.com/pub/networking/software/59908810.pdf · IPSec vs. L2TP+IPSec The primary advantage of an IPSEC

モバイル接続サービス開通ガイド - ntt-east.co.jp...ipsec ike nat-traversal 5 on ipsec ike pre-shared-key 5 text test123 ipsec ike remote address 5 any l2tp tunnel disconnect

Remote Access via L2TP over IPSec - Sophos · L2TP over IPSec is a combination of the Layer 2 Tunneling ... from the administration PC. ... For the Remote Access via L2TP over IPSec

VPN - auch ohne IPsec! - DFN-CERT: Forschung, … Lösungen Standardisierte Lösungen IPsec Level-2 Tunneling Protocol (L2TP) Point-to-Point Tunneling Protocol (PPTP) Proprietäre

Cisco - L2TP Over IPsec Between Windows 2000/XP PC and …ipmanager.ir/r/Ebook/l2tp-w2kxp-pix72-pre_ebook.ipmanager.ir.pdf · Client to a Cisco VPN 3000 Series Concentrator Using

Autenticacao Wifi l2tp Ipsec

ZyWALL USG L2TP VPN over IPSec - misc.nybergh.netmisc.nybergh.net/.../zyxel-usg-docs/USG-L2TP-VPN_D.pdf · aktivieren und einen Benutzer und einen IP-Pool mit einem neuen (über Create

Cisco Small Business 100- 300 Series Routers€¦ · IPSec/PPTP/L2TP/GRE /Cisco SSL VPN/Cisco IPSec/IKEv2 VPN enable secure remote access Cisco PnP Support for zero touch- provisioning

How to Configure l2tp Over Ipsec

[MS-L2TPIE]: Layer 2 Tunneling Protocol (L2TP) IPsec Extensions · 2018. 9. 11. · In this document LAC (L2TP Access Concentrator) and client are used interchangeably, similarly