LAN-to-LAN VPN: mpd5 <-> MS ISA 2006 not working

uruno
passing by

LAN-to-LAN VPN: mpd5 <-> MS ISA 2006 not working

Post by uruno » 2009-05-24 1:16:52

I need to bring up a VPN tunnel between two offices, i.e. LAN-to-LAN, so that the computers of one LAN can see the computers of the other. The router of the first network runs FreeBSD 7.2-RELEASE, the router of the second runs Win2003 + ISA 2006. The LAN behind FreeBSD is 192.168.23.0/24, the LAN behind Windows is 192.168.13.0/24. On the Windows side a site-to-site VPN connection has been created, on the FreeBSD side mpd5. The connection does not get established; the log is as follows:

Code:

process 1980 started, version 5.3 (root@spb-router 21:09 23-May-2009)
CONSOLE: listening on 127.0.0.1 5005
web: listening on 0.0.0.0 5006
[B1] Bundle: Interface ng0 created
PPTP: waiting for connection on 1.2.3.4 1723
[L1] [L1] Link: OPEN event
[L1] LCP: Open event
[L1] LCP: state change Initial --> Starting
[L1] LCP: LayerStart
[L1] PPTP call successful
[L1] Link: UP event
[L1] LCP: Up event
[L1] LCP: state change Starting --> Req-Sent
[L1] LCP: SendConfigReq #1
[L1]   ACFCOMP
[L1]   PROTOCOMP
[L1]   ACCMAP 0x000a0000
[L1]   MRU 1500
[L1]   MAGICNUM 005c65ec
[L1]   AUTHPROTO CHAP MSOFTv2
[...9 more attempts like this...]
[L1] LCP: SendConfigReq #10
[L1]   ACFCOMP
[L1]   PROTOCOMP
[L1]   ACCMAP 0x000a0000
[L1]   MRU 1500
[L1]   MAGICNUM 005c65ec
[L1]   AUTHPROTO CHAP MSOFTv2
[L1] LCP: parameter negotiation failed
[L1] LCP: state change Req-Sent --> Stopped
[L1] LCP: LayerFinish
[L1] PPTP call terminated
[L1] Link: DOWN event
[L1] LCP: Down event
[L1] LCP: state change Stopped --> Starting
[L1] LCP: LayerStart
[L1] Link: reconnection attempt 1 in 2 seconds
mpd.conf:

Code:

startup:
        # configure mpd users
        set user foo bar admin
        set user foo1 bar1
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load pptp_vpn

common:
        set link enable multilink
        set link action bundle B
        set link disable chap pap
        set link accept chap pap
        set auth authname MyLogin
        set link max-redial 0

pptp_vpn:
        create bundle static B1
        set ipcp ranges 192.168.23.1/32 192.168.13.3/32
        set iface route 192.168.13.0/24

        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set bundle enable crypt-reqd
        set mppc yes stateless

        create link static L1 pptp
        set link action bundle B1

        set link no pap
        set link yes chap
        set link enable chap-msv1
        set link enable chap-msv2
        set auth authname "username"
        set auth password "passw0rd"
        set link mtu 1460
        set link keep-alive 10 75
        set link max-redial 0

        set pptp self 1.2.3.4    # external IP of the FreeBSD box goes here
        set pptp peer 5.6.7.8   # external IP of the Windows box goes here
        set link enable incoming
        open
ipfw on the FreeBSD box is configured to allow all from 5.6.7.8; the firewall on the Windows side is configured the same way.
Where is the mistake? In general, has anyone had to set up a tunnel like this between FreeBSD and Win2003?


paradox
passing by
Posts: 11620
Joined: 2008-02-21 18:15:41

Re: LAN-to-LAN VPN: mpd5 <-> MS ISA 2006 not working

Post by paradox » 2009-05-24 1:26:19

GRE is blocked, one of two things: either on the firewall
or somewhere on the path between these two machines

uruno
passing by

Re: LAN-to-LAN VPN: mpd5 <-> MS ISA 2006 not working

Post by uruno » 2009-05-24 1:32:36

It can't be blocked on the path, because before this there was also a Win2003 box in place of the FreeBSD one, and everything worked.
On the firewalls, as I already said, everything is open for the respective IP addresses.

paradox
passing by
Posts: 11620
Joined: 2008-02-21 18:15:41

Re: LAN-to-LAN VPN: mpd5 <-> MS ISA 2006 not working

Post by paradox » 2009-05-24 1:44:19

I'm telling you what is there:
GRE is blocked, it does not get through,
the mpd log says so.

Where it is blocked, you know better than I do.

uruno
passing by

Re: LAN-to-LAN VPN: mpd5 <-> MS ISA 2006 not working

Post by uruno » 2009-05-24 1:51:04

Hmm... OK, which line in the log says that? And how do I determine where exactly GRE is being cut?

uruno
passing by

Re: LAN-to-LAN VPN: mpd5 <-> MS ISA 2006 not working

Post by uruno » 2009-05-24 2:00:50

OK, I explicitly allowed GRE on the FreeBSD box.
Now the situation is this:

Code:

Multi-link PPP daemon for FreeBSD

process 2275 started, version 5.3 (root@spb-router 21:09 23-May-2009)
CONSOLE: listening on 127.0.0.1 5005
web: listening on 0.0.0.0 5006
[B1] Bundle: Interface ng0 created
PPTP: waiting for connection on 80.249.176.162 1723
[L1] [L1] Link: OPEN event
[L1] LCP: Open event
[L1] LCP: state change Initial --> Starting
[L1] LCP: LayerStart
[L1] PPTP call successful
[L1] Link: UP event
[L1] LCP: Up event
[L1] LCP: state change Starting --> Req-Sent
[L1] LCP: SendConfigReq #1
[L1]   ACFCOMP
[L1]   PROTOCOMP
[L1]   ACCMAP 0x000a0000
[L1]   MRU 1500
[L1]   MAGICNUM d582b63b
[L1]   AUTHPROTO CHAP MSOFTv2
[L1] LCP: rec'd Configure Request #0 (Req-Sent)
[L1]   MRU 1400
[L1]   AUTHPROTO CHAP MSOFTv2
[L1]   MAGICNUM 7de44fea
[L1]   PROTOCOMP
[L1]   ACFCOMP
[L1]   CALLBACK 6
[L1]   MP MRRU 1614
[L1]   ENDPOINTDISC [LOCAL] a3 6f 2f ae 61 96 4d fe bb 7a bd d4 af f4 47 77 00 00 0
[L1]   BACP
[L1]     Not supported
[L1] LCP: SendConfigRej #0
[L1]   CALLBACK 6
[L1]   MP MRRU 1614
[L1]   BACP
[L1] LCP: rec'd Configure Ack #1 (Req-Sent)
[L1]   ACFCOMP
[L1]   PROTOCOMP
[L1]   ACCMAP 0x000a0000
[L1]   MRU 1500
[L1]   MAGICNUM d582b63b
[L1]   AUTHPROTO CHAP MSOFTv2
[L1] LCP: state change Req-Sent --> Ack-Rcvd
[L1] LCP: rec'd Configure Request #1 (Ack-Rcvd)
[L1]   MRU 1400
[L1]   AUTHPROTO CHAP MSOFTv2
[L1]   MAGICNUM 7de44fea
[L1]   PROTOCOMP
[L1]   ACFCOMP
[L1]   ENDPOINTDISC [LOCAL] a3 6f 2f ae 61 96 4d fe bb 7a bd d4 af f4 47 77 00 00 0
[L1] LCP: SendConfigAck #1
[L1]   MRU 1400
[L1]   AUTHPROTO CHAP MSOFTv2
[L1]   MAGICNUM 7de44fea
[L1]   PROTOCOMP
[L1]   ACFCOMP
[L1]   ENDPOINTDISC [LOCAL] a3 6f 2f ae 61 96 4d fe bb 7a bd d4 af f4 47 77 00 00 0
[L1] LCP: state change Ack-Rcvd --> Opened
[L1] LCP: auth: peer wants CHAP, I want CHAP
[L1] CHAP: sending CHALLENGE #1 len: 31
[L1] LCP: LayerUp
[L1] CHAP: rec'd CHALLENGE #0 len: 28
[L1]   Name: "MOS-ISA"
[L1] CHAP: Using authname "spb-router"
[L1] CHAP: sending RESPONSE #0 len: 64
[L1] CHAP: rec'd SUCCESS #0 len: 46
[L1]   MESG: S=0546D6BCA7B4C92DD08A982240F1529DFF726C0E
[L1] CHAP: sending CHALLENGE #2 len: 31
[L1] CHAP: rec'd RESPONSE #2 len: 61
[L1]   Name: "mos-isa"
[L1] AUTH: Trying INTERNAL
[L1] AUTH: INTERNAL returned: undefined
[L1] CHAP: Auth return status: undefined
[L1] CHAP: Response is valid
[L1] CHAP: Reply message: S=1D925CF7D06F019D8E18AE436357D248714C4483
[L1] CHAP: sending SUCCESS #2 len: 46
[L1] LCP: authorization successful
[L1] Link: Matched action 'bundle "B1" ""'
[L1] Link: Join bundle "B1"
[B1] Bundle: Status update: up 1 link, total bandwidth 64000 bps
[B1] IPCP: Open event
[B1] IPCP: state change Initial --> Starting
[B1] IPCP: LayerStart
[B1] CCP: Open event
[B1] CCP: state change Initial --> Starting
[B1] CCP: LayerStart
[B1] IPCP: Up event
[B1] IPCP: state change Starting --> Req-Sent
[B1] IPCP: SendConfigReq #1
[B1]   IPADDR 192.168.23.1
[B1]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[B1] CCP: Up event
[B1] CCP: state change Starting --> Req-Sent
[B1] CCP: SendConfigReq #1
[B1]   MPPC
[B1]     0x01000060:MPPE(40, 128 bits), stateless
[B1] CCP: rec'd Configure Request #3 (Req-Sent)
[B1]   MPPC
[B1]     0x01000001:MPPC, stateless
[B1] CCP: SendConfigNak #3
[B1]   MPPC
[B1]     0x01000060:MPPE(40, 128 bits), stateless
[B1] IPCP: rec'd Configure Request #4 (Req-Sent)
[B1]   IPADDR 0.0.0.0
[B1]     NAKing with 192.168.13.3
[B1] IPCP: SendConfigNak #4
[B1]   IPADDR 192.168.13.3
[B1] CCP: rec'd Configure Request #5 (Req-Sent)
[B1]   MPPC
[B1]     0x01000040:MPPE(128 bits), stateless
[B1] CCP: SendConfigAck #5
[B1]   MPPC
[B1]     0x01000040:MPPE(128 bits), stateless
[B1] CCP: state change Req-Sent --> Ack-Sent
[B1] IPCP: rec'd Configure Request #6 (Req-Sent)
[B1]   IPADDR 192.168.13.3
[B1]     192.168.13.3 is OK
[B1] IPCP: SendConfigAck #6
[B1]   IPADDR 192.168.13.3
[B1] IPCP: state change Req-Sent --> Ack-Sent
[B1] CCP: SendConfigReq #2
[B1]   MPPC
[B1]     0x01000060:MPPE(40, 128 bits), stateless
[B1] IPCP: SendConfigReq #2
[B1]   IPADDR 192.168.23.1
[B1]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[B1] CCP: rec'd Configure Nak #2 (Ack-Sent)
[B1]   MPPC
[B1]     0x01000040:MPPE(128 bits), stateless
[B1] CCP: SendConfigReq #3
[B1]   MPPC
[B1]     0x01000040:MPPE(128 bits), stateless
[B1] IPCP: rec'd Configure Reject #2 (Ack-Sent)
[B1]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[B1] IPCP: SendConfigReq #3
[B1]   IPADDR 192.168.23.1
[B1] CCP: rec'd Configure Ack #3 (Ack-Sent)
[B1]   MPPC
[B1]     0x01000040:MPPE(128 bits), stateless
[B1] CCP: state change Ack-Sent --> Opened
[B1] CCP: LayerUp
[B1] CCP: Compress using: mppc (MPPE(128 bits), stateless)
[B1] CCP: Decompress using: mppc (MPPE(128 bits), stateless)
[B1] IPCP: rec'd Configure Ack #3 (Ack-Sent)
[B1]   IPADDR 192.168.23.1
[B1] IPCP: state change Ack-Sent --> Opened
[B1] IPCP: LayerUp
[B1]   192.168.23.1 -> 192.168.13.3
[B1] IFACE: Up event
[B1] IPCP: rec'd Terminate Request #7 (Opened)
[B1] IPCP: state change Opened --> Stopping
[B1] IPCP: SendTerminateAck #4
[B1] IPCP: LayerDown
[B1] IFACE: Down event
[B1] IPCP: rec'd Terminate Request #8 (Stopping)
[B1] IPCP: SendTerminateAck #5
[B1] IPCP: state change Stopping --> Stopped
[B1] IPCP: LayerFinish
[B1] Bundle: No NCPs left. Closing links...
[B1] Bundle: closing link "L1"...
[L1] Link: CLOSE event
[L1] LCP: Close event
[L1] LCP: state change Opened --> Closing
[L1] Link: Leave bundle "B1"
[B1] Bundle: Status update: up 0 links, total bandwidth 9600 bps
[B1] IPCP: Close event
[B1] IPCP: state change Stopped --> Closed
[B1] CCP: Close event
[B1] CCP: state change Opened --> Closing
[B1] CCP: SendTerminateReq #4
[B1] CCP: LayerDown
[B1] IPCP: Down event
[B1] IPCP: state change Closed --> Initial
[B1] CCP: Down event
[B1] CCP: LayerFinish
[B1] CCP: state change Closing --> Initial
[L1] LCP: SendTerminateReq #2
[L1] LCP: LayerDown
[L1] LCP: rec'd Terminate Ack #2 (Closing)
[L1] LCP: state change Closing --> Closed
[L1] LCP: LayerFinish
[L1] PPTP call terminated
[L1] Link: DOWN event
[L1] LCP: Down event
[L1] LCP: state change Closed --> Initial
ifconfig:

Code:

ng0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
Accordingly, it still does not work, although the connection seems to be there.
Is this also a consequence of GRE being cut somewhere else?

paradox
passing by
Posts: 11620
Joined: 2008-02-21 18:15:41

Re: LAN-to-LAN VPN: mpd5 <-> MS ISA 2006 not working

Post by paradox » 2009-05-24 2:03:13

No, this is no longer GRE.
I'll have a look now.

paradox
passing by
Posts: 11620
Joined: 2008-02-21 18:15:41

Re: LAN-to-LAN VPN: mpd5 <-> MS ISA 2006 not working

Post by paradox » 2009-05-24 2:11:11

[B1] IPCP: rec'd Terminate Request #7 (Opened)
Windows disconnected you.

Remove the IP assignment under mpd and put zeros there,
leave all the IPs that should be handed out on the Windows side,
and look at the logs there
for why it is rejecting you.
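Both of paradox's diagnoses can be read mechanically from the mpd5 log: "PPTP call successful" shows the TCP 1723 control channel works, while LCP Configure-Requests travel inside GRE (IP protocol 47), so ten of them going unanswered means GRE never reaches the peer; and an "IPCP: rec'd Terminate Request" arriving after "IPCP: LayerUp" means the peer hung up right after addresses were agreed. The script below is an added example, not from the thread or the mpd project; its log excerpts are constructed from the lines quoted above and the function name diagnose is my own.

```python
# Constructed excerpts modelled on the two mpd5 logs quoted in this thread
# (not the thread's full logs). First: the TCP 1723 call is set up, but every
# LCP Configure-Request (carried inside GRE) goes unanswered. Second: PPP comes
# up, then the peer tears IPCP down right after the IP addresses are agreed.
LOG_GRE_BLOCKED = """\
[L1] PPTP call successful
[L1] LCP: SendConfigReq #1
[L1] LCP: SendConfigReq #10
[L1] LCP: parameter negotiation failed
[L1] PPTP call terminated
"""

LOG_PEER_DROPPED = """\
[L1] PPTP call successful
[L1] LCP: SendConfigReq #1
[L1] LCP: rec'd Configure Ack #1 (Req-Sent)
[L1] LCP: authorization successful
[B1] IPCP: LayerUp
[B1]   192.168.23.1 -> 192.168.13.3
[B1] IPCP: rec'd Terminate Request #7 (Opened)
[B1] Bundle: No NCPs left. Closing links...
"""


def diagnose(log: str) -> dict:
    """Classify an mpd5 PPTP session log (hypothetical helper for this example).

    Returns {"verdict": ..., "evidence": [...]} where verdict is one of
    "gre_not_passing", "peer_terminated_ipcp", "ok" or "unknown".
    """
    call_ok = False   # PPTP control channel (TCP 1723) was established
    sent_lcp = 0      # LCP Configure-Requests we sent; these ride inside GRE
    got_lcp = False   # any LCP frame at all came back from the peer
    ipcp_up = False   # IPCP reached Opened, i.e. IP addresses were agreed
    for line in log.splitlines():
        if "PPTP call successful" in line:
            call_ok = True
        elif "LCP: SendConfigReq" in line:
            sent_lcp += 1
        elif "LCP: rec'd" in line:
            got_lcp = True
        elif "IPCP: LayerUp" in line:
            ipcp_up = True
        elif "IPCP: rec'd Terminate Request" in line and ipcp_up:
            # The peer closed the network layer after it had come up: mpd is
            # fine, the reason must be looked up on the peer (here: ISA) side.
            return {"verdict": "peer_terminated_ipcp", "evidence": [line]}
    if call_ok and sent_lcp and not got_lcp:
        # TCP worked, GRE did not: nothing we sent over GRE ever got a reply.
        return {"verdict": "gre_not_passing",
                "evidence": [f"{sent_lcp} unanswered LCP SendConfigReq"]}
    return {"verdict": "ok" if ipcp_up else "unknown", "evidence": []}
```

Run it over the real log with `diagnose(open("/var/log/mpd.log").read())`; a "gre_not_passing" verdict points at the firewall or path (protocol 47), a "peer_terminated_ipcp" verdict points at the Windows/ISA event log.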