Shrew Soft VPN. Mikrotik does not apply the IPsec settings.

Discussion of hardware and its configuration

doomind
Posts: 2
Joined: 20 Jul 2014, 12:53

Good day.
I am trying to set up an IPsec VPN between the Shrew Soft VPN Client and a Mikrotik. I did the configuration following this article. It seemed to work, but the happiness did not last long: a day later the VPN client stopped connecting. The logs told me that the Mikrotik tries to establish the connection with settings other than the ones we can see in the configuration.
The configuration uses the following networks:
192.168.88.0/24 – the local network that the «RoadWarrior» should have access to;
192.168.100.32/27 – the range allocated for the «RoadWarriors».

In the configs and logs I highlighted in red the settings that the Mikrotik changes at its own discretion, and in green the corresponding Shrew Soft VPN Client settings.
The Mikrotik configuration itself:

[vishnevsky@RT_DC] /ip ipsec> peer print
Flags: X - disabled
0 ;;; For Shrew Soft VPN clients
address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500 auth-method=pre-shared-key-xauth secret="длинныйключ" generate-policy=port-strict policy-group=SREW_VPN_USERS_POLICY_GROUP exchange-mode=main mode-config=SREW_VPN_USERS_CONFIG send-initial-contact=no nat-traversal=yes proposal-check=exact hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

[vishnevsky@RT_DC] /ip ipsec> policy group print
Flags: * - default
# NAME
0 * default
1 SREW_VPN_USERS_POLICY_GROUP

[vishnevsky@RT_DC] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive
0 T group=SREW_VPN_USERS_POLICY_GROUP src-address=192.168.88.0/24 dst-address=192.168.100.32/27 protocol=all proposal=SREW_VPN_USERS_PROPOSAL template=yes

1 T group=SREW_VPN_USERS_POLICY_GROUP src-address=192.168.100.32/27 dst-address=192.168.88.0/24 protocol=all proposal=SREW_VPN_USERS_PROPOSAL template=yes

[vishnevsky@RT_DC] /ip ipsec> proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024

1 name="SREW_VPN_USERS_PROPOSAL" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024

[vishnevsky@RT_DC] /ip ipsec> mode-config print
Flags: * - default
0 * name="request-only" send-dns=yes

1 name="SREW_VPN_USERS_CONFIG" send-dns=yes address-pool=VPN_USERS_POOL address-prefix-length=27 split-include=192.168.88.0/24

[vishnevsky@RT_DC] /ip> pool print
# NAME RANGES
0 DHCP_POOL 92.168.88.20-192.168.88.60
1 VPN_USERS_POOL 192.168.100.33-92.168.100.62


Shrew Soft VPN Client configuration:

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:1
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:1800
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:1
n:client-addr-auto:1
n:client-dns-suffix-auto:1
n:phase1-keylen:128
n:phase2-keylen:128
s:network-host:144.76.80.124
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:force-rfc
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:длинныйключ
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:require


Log output during a connection attempt:

16:03:47 ipsec,debug,packet ==========
16:03:47 ipsec,debug,packet 268 bytes message received from 79.120.12.193[500] to 144.76.80.124[500]
16:03:47 ipsec,debug,packet 77a09928 505c83f1 00000000 00000000 01100200 00000000 0000010c 0d00003c
16:03:47 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080
16:03:47 ipsec,debug,packet 80020002 80040002 8003fde9 800b0001 000c0004 00015180 0d00000c 09002689
16:03:47 ipsec,debug,packet dfd6b712 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 7d9419a6
16:03:47 ipsec,debug,packet 5310ca6f 2c179d92 15529d56 0d000014 4a131c81 07035845 5c5728f2 0e95452f
16:03:47 ipsec,debug,packet 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 0d000014 f14b94b7
16:03:47 ipsec,debug,packet bff1fef0 2773b8c4 9feded26 0d000018 166f932d 55eb64d8 e4df4fd3 7e2313f0
16:03:47 ipsec,debug,packet d0fd8451 0d000014 8404adf9 cda05760 b2ca292e 4bff537b 00000014 12f5f28c
16:03:47 ipsec,debug,packet 457168a9 702d9fe2 74cc0100
16:03:47 ipsec,debug,packet ===
16:03:47 ipsec respond new phase 1 negotiation: 144.76.80.124[500]<=>79.120.12.193[500]
16:03:47 ipsec begin Identity Protection mode.
16:03:47 ipsec,debug,packet begin.
16:03:47 ipsec,debug,packet seen nptype=1(sa)
16:03:47 ipsec,debug,packet seen nptype=13(vid)
16:03:47 ipsec,debug,packet seen nptype=13(vid)
16:03:47 ipsec,debug,packet seen nptype=13(vid)
16:03:47 ipsec,debug,packet seen nptype=13(vid)
16:03:47 ipsec,debug,packet seen nptype=13(vid)
16:03:47 ipsec,debug,packet seen nptype=13(vid)
16:03:47 ipsec,debug,packet seen nptype=13(vid)
16:03:47 ipsec,debug,packet seen nptype=13(vid)
16:03:47 ipsec,debug,packet seen nptype=13(vid)
16:03:47 ipsec,debug,packet succeed.
16:03:47 ipsec,debug received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
16:03:47 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
16:03:47 ipsec,debug
16:03:47 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
16:03:47 ipsec,debug received Vendor ID: RFC 3947
16:03:47 ipsec,debug received broken Microsoft ID: FRAGMENTATION
16:03:47 ipsec,debug,packet received unknown Vendor ID
16:03:47 ipsec,debug,packet received unknown Vendor ID
16:03:47 ipsec,debug,packet received unknown Vendor ID
16:03:47 ipsec,debug received Vendor ID: CISCO-UNITY
16:03:47 ipsec,debug Selected NAT-T version: RFC 3947
16:03:47 ipsec,debug,packet total SA len=56
16:03:47 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080
16:03:47 ipsec,debug,packet 80020002 80040002 8003fde9 800b0001 000c0004 00015180
16:03:47 ipsec,debug,packet begin.
16:03:47 ipsec,debug,packet seen nptype=2(prop)
16:03:47 ipsec,debug,packet succeed.
16:03:47 ipsec,debug,packet proposal #1 len=48
16:03:47 ipsec,debug,packet begin.
16:03:47 ipsec,debug,packet seen nptype=3(trns)
16:03:47 ipsec,debug,packet succeed.
16:03:47 ipsec,debug,packet transform #1 len=40
16:03:47 ipsec,debug,packet type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
16:03:47 ipsec,debug,packet encryption(aes)
16:03:47 ipsec,debug,packet type=Key Length, flag=0x8000, lorv=128
16:03:47 ipsec,debug,packet type=Hash Algorithm, flag=0x8000, lorv=SHA
16:03:47 ipsec,debug,packet hash(sha1)
16:03:47 ipsec,debug,packet type=Group Description, flag=0x8000, lorv=1024-bit MODP group
16:03:47 ipsec,debug,packet dh(modp1024)
16:03:47 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=GSS-API on Kerberos 5
16:03:47 ipsec,debug,packet type=Life Type, flag=0x8000, lorv=seconds
16:03:47 ipsec,debug,packet type=Life Duration, flag=0x0000, lorv=4
16:03:47 ipsec,debug,packet pair 1:
16:03:47 ipsec,debug,packet 0x80a4060: next=(nil) tnext=(nil)
16:03:47 ipsec,debug,packet proposal #1: 1 transform
16:03:47 ipsec,debug,packet prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
16:03:47 ipsec,debug,packet trns#=1, trns-id=IKE
16:03:47 ipsec,debug,packet type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
16:03:47 ipsec,debug,packet type=Key Length, flag=0x8000, lorv=128
16:03:47 ipsec,debug,packet type=Hash Algorithm, flag=0x8000, lorv=SHA
16:03:47 ipsec,debug,packet type=Group Description, flag=0x8000, lorv=1024-bit MODP group
16:03:47 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=GSS-API on Kerberos 5
16:03:47 ipsec,debug,packet type=Life Type, flag=0x8000, lorv=seconds
16:03:47 ipsec,debug,packet type=Life Duration, flag=0x0000, lorv=4
16:03:47 ipsec,debug,packet Compared: Local:Peer
16:03:47 ipsec,debug,packet (lifetime = 3600:86400)
16:03:47 ipsec,debug,packet (lifebyte = 0:0)
16:03:47 ipsec,debug,packet enctype = 3DES-CBC:AES-CBC
16:03:47 ipsec,debug,packet (encklen = 0:128)
16:03:47 ipsec,debug,packet hashtype = SHA:SHA
16:03:47 ipsec,debug,packet authmethod = pre-shared key:GSS-API on Kerberos 5
16:03:47 ipsec,debug,packet dh_group = 1024-bit MODP group:1024-bit MODP group
16:03:47 ipsec,debug,packet type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
16:03:47 ipsec,debug,packet type=Key Length, flag=0x8000, lorv=128
16:03:47 ipsec,debug,packet type=Hash Algorithm, flag=0x8000, lorv=SHA
16:03:47 ipsec,debug,packet type=Group Description, flag=0x8000, lorv=1024-bit MODP group
16:03:47 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=GSS-API on Kerberos 5
16:03:47 ipsec,debug,packet type=Life Type, flag=0x8000, lorv=seconds
16:03:47 ipsec,debug,packet type=Life Duration, flag=0x0000, lorv=4
16:03:47 ipsec,debug rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:AES-CBC
16:03:47 ipsec,debug rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = pre-shared key:GSS-API on Kerberos 5
16:03:47 ipsec,debug no suitable proposal found.
16:03:47 ipsec,debug failed to get valid proposal.
16:03:47 ipsec,debug failed to pre-process ph1 packet (side: 1, status 1).
16:03:47 ipsec,debug phase1 negotiation failed.
16:03:52 ipsec,debug,packet ==========
16:03:52 ipsec,debug,packet 268 bytes message received from 79.120.12.193[500] to 144.76.80.124[500]
16:03:52 ipsec,debug,packet 77a09928 505c83f1 00000000 00000000 01100200 00000000 0000010c 0d00003c
16:03:52 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080
16:03:52 ipsec,debug,packet 80020002 80040002 8003fde9 800b0001 000c0004 00015180 0d00000c 09002689
16:03:52 ipsec,debug,packet dfd6b712 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 7d9419a6
16:03:52 ipsec,debug,packet 5310ca6f 2c179d92 15529d56 0d000014 4a131c81 07035845 5c5728f2 0e95452f
16:03:52 ipsec,debug,packet 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 0d000014 f14b94b7
16:03:52 ipsec,debug,packet bff1fef0 2773b8c4 9feded26 0d000018 166f932d 55eb64d8 e4df4fd3 7e2313f0
16:03:52 ipsec,debug,packet d0fd8451 0d000014 8404adf9 cda05760 b2ca292e 4bff537b 00000014 12f5f28c
16:03:52 ipsec,debug,packet 457168a9 702d9fe2 74cc0100
16:03:52 ipsec,debug,packet ===
16:03:52 ipsec respond new phase 1 negotiation: 144.76.80.124[500]<=>79.120.12.193[500]
16:03:52 ipsec begin Identity Protection mode.
16:03:52 ipsec,debug,packet begin.
16:03:52 ipsec,debug,packet seen nptype=1(sa)
16:03:52 ipsec,debug,packet seen nptype=13(vid)
16:03:52 ipsec,debug,packet seen nptype=13(vid)
16:03:52 ipsec,debug,packet seen nptype=13(vid)
16:03:52 ipsec,debug,packet seen nptype=13(vid)
16:03:52 ipsec,debug,packet seen nptype=13(vid)
16:03:52 ipsec,debug,packet seen nptype=13(vid)
16:03:52 ipsec,debug,packet seen nptype=13(vid)
16:03:52 ipsec,debug,packet seen nptype=13(vid)
16:03:52 ipsec,debug,packet seen nptype=13(vid)
16:03:52 ipsec,debug,packet succeed.
16:03:52 ipsec,debug received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
16:03:52 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
16:03:52 ipsec,debug
16:03:52 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
16:03:52 ipsec,debug received Vendor ID: RFC 3947
16:03:52 ipsec,debug received broken Microsoft ID: FRAGMENTATION
16:03:52 ipsec,debug,packet received unknown Vendor ID
16:03:52 ipsec,debug,packet received unknown Vendor ID
16:03:52 ipsec,debug,packet received unknown Vendor ID
16:03:52 ipsec,debug received Vendor ID: CISCO-UNITY
16:03:52 ipsec,debug Selected NAT-T version: RFC 3947
16:03:52 ipsec,debug,packet total SA len=56
16:03:52 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080
16:03:52 ipsec,debug,packet 80020002 80040002 8003fde9 800b0001 000c0004 00015180
16:03:52 ipsec,debug,packet begin.
16:03:52 ipsec,debug,packet seen nptype=2(prop)
16:03:52 ipsec,debug,packet succeed.
16:03:52 ipsec,debug,packet proposal #1 len=48
16:03:52 ipsec,debug,packet begin.
16:03:52 ipsec,debug,packet seen nptype=3(trns)
16:03:52 ipsec,debug,packet succeed.
16:03:52 ipsec,debug,packet transform #1 len=40
16:03:52 ipsec,debug,packet type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
16:03:52 ipsec,debug,packet encryption(aes)
16:03:52 ipsec,debug,packet type=Key Length, flag=0x8000, lorv=128
16:03:52 ipsec,debug,packet type=Hash Algorithm, flag=0x8000, lorv=SHA
16:03:52 ipsec,debug,packet hash(sha1)
16:03:52 ipsec,debug,packet type=Group Description, flag=0x8000, lorv=1024-bit MODP group
16:03:52 ipsec,debug,packet dh(modp1024)
16:03:52 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=GSS-API on Kerberos 5
16:03:52 ipsec,debug,packet type=Life Type, flag=0x8000, lorv=seconds
16:03:52 ipsec,debug,packet type=Life Duration, flag=0x0000, lorv=4
16:03:52 ipsec,debug,packet pair 1:
16:03:52 ipsec,debug,packet 0x80a3b88: next=(nil) tnext=(nil)
16:03:52 ipsec,debug,packet proposal #1: 1 transform
16:03:52 ipsec,debug,packet prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
16:03:52 ipsec,debug,packet trns#=1, trns-id=IKE
16:03:52 ipsec,debug,packet type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
16:03:52 ipsec,debug,packet type=Key Length, flag=0x8000, lorv=128
16:03:52 ipsec,debug,packet type=Hash Algorithm, flag=0x8000, lorv=SHA
16:03:52 ipsec,debug,packet type=Group Description, flag=0x8000, lorv=1024-bit MODP group
16:03:52 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=GSS-API on Kerberos 5
16:03:52 ipsec,debug,packet type=Life Type, flag=0x8000, lorv=seconds
16:03:52 ipsec,debug,packet type=Life Duration, flag=0x0000, lorv=4
16:03:52 ipsec,debug,packet Compared: Local:Peer
16:03:52 ipsec,debug,packet (lifetime = 3600:86400)
16:03:52 ipsec,debug,packet (lifebyte = 0:0)
16:03:52 ipsec,debug,packet enctype = 3DES-CBC:AES-CBC
16:03:52 ipsec,debug,packet (encklen = 0:128)
16:03:52 ipsec,debug,packet hashtype = SHA:SHA
16:03:52 ipsec,debug,packet authmethod = pre-shared key:GSS-API on Kerberos 5
16:03:52 ipsec,debug,packet dh_group = 1024-bit MODP group:1024-bit MODP group
16:03:52 ipsec,debug,packet type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
16:03:52 ipsec,debug,packet type=Key Length, flag=0x8000, lorv=128
16:03:52 ipsec,debug,packet type=Hash Algorithm, flag=0x8000, lorv=SHA
16:03:52 ipsec,debug,packet type=Group Description, flag=0x8000, lorv=1024-bit MODP group
16:03:52 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=GSS-API on Kerberos 5
16:03:52 ipsec,debug,packet type=Life Type, flag=0x8000, lorv=seconds
16:03:52 ipsec,debug,packet type=Life Duration, flag=0x0000, lorv=4
16:03:52 ipsec,debug rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:AES-CBC
16:03:52 ipsec,debug rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = pre-shared key:GSS-API on Kerberos 5
16:03:52 ipsec,debug no suitable proposal found.
16:03:52 ipsec,debug failed to get valid proposal.
16:03:52 ipsec,debug failed to pre-process ph1 packet (side: 1, status 1).
16:03:52 ipsec,debug phase1 negotiation failed.


Version: RouterOS4 version 6.15.
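Added example, not part of doomind's post or of the Mikrotik or Shrew Soft projects: a small Python decoder for the Phase 1 SA proposal contained in the hex dump above, plus a check that mirrors the two "rejected" lines in the log. It assumes the hex is copied from the first three dump lines of the packet; the helper names parse_phase1_proposal and mismatches are my own.

```python
import struct

# Constructed copy of the first three dump lines of the packet in the log above
# (28-byte ISAKMP header + SA payload with one proposal and one transform).
PACKET_HEX = (
    "77a09928 505c83f1 00000000 00000000 01100200 00000000 0000010c 0d00003c "
    "00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080 "
    "80020002 80040002 8003fde9 800b0001 000c0004 00015180"
)

# IKEv1 (Oakley) attribute types and the values that matter for this log.
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "dh",
              11: "life_type", 12: "life", 14: "keylen"}
ENC = {5: "3DES-CBC", 7: "AES-CBC"}
# 65001 (0xfde9) is XAUTHInitPreShared in the IKE XAuth draft; the RouterOS
# log above prints that value as "GSS-API on Kerberos 5".
AUTH = {1: "pre-shared key", 65001: "XAUTHInitPreShared"}

def parse_phase1_proposal(hexdump):
    """Decode the transform attributes of the first proposal in an IKEv1 SA payload."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    if data[16] != 1:                      # next-payload byte of the ISAKMP header
        raise ValueError("first payload is not SA")
    off = 28 + 4 + 8                       # SA generic header, DOI, situation
    spi_size = data[off + 6]               # proposal: next, res, len, #, proto, spi_size, #trns
    off += 8 + spi_size
    trns_len = struct.unpack("!H", data[off + 2:off + 4])[0]
    end = off + trns_len
    off += 8                               # transform: next, res, len, #, id, reserved
    attrs = {}
    while off < end:
        t, v = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if t & 0x8000:                     # TV form: the 16-bit value is inline
            val = v
        else:                              # TLV form: v is the length of the value
            val = int.from_bytes(data[off:off + v], "big")
            off += v
        attrs[ATTR_NAMES.get(t & 0x7fff, t & 0x7fff)] = val
    return attrs

def mismatches(attrs, local):
    """Return (field, local, peer) for the fields racoon rejects in the log."""
    peer = {"enc": ENC.get(attrs["enc"]), "auth": AUTH.get(attrs["auth"])}
    return [(k, local[k], peer[k]) for k in ("enc", "auth") if local[k] != peer[k]]

if __name__ == "__main__":
    a = parse_phase1_proposal(PACKET_HEX)
    print(a)
    print(mismatches(a, {"enc": "3DES-CBC", "auth": "pre-shared key"}))
```

The decoded proposal (AES-CBC/128, SHA, modp1024, auth 65001, 86400 s) is what the client configuration above says it should send, so the mismatch comes from the "Local" side of the comparison, not from the client.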


doomind
Posts: 2
Joined: 20 Jul 2014, 12:53

Problem solved. The Mikrotik was trying to connect using the settings of the peer created for the L2TP/IPsec users.

