L2TP/IPSec from Windows 7 to ASA 5520


9

I'm trying to set up L2TP/IPSec on our ASA5520 to support one of our developers. The Windows VPN subsystem apparently keeps the Kerberos or NTLM login cookie when the built-in VPN subsystem is used, whereas the Cisco VPN client and the AnyConnect client do not.

When I try to connect to the VPN from Windows 7, the connection fails:


%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713119: Group = DefaultRAGroup, IP = 1.2.3.4, PHASE 1 COMPLETED
%ASA-3-713122: IP = 1.2.3.4, Keep-alives configured on but peer does not support keep-alives (type = None)
%ASA-5-713257: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)
%ASA-5-713904: Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
%ASA-3-713902: Group = DefaultRAGroup, IP = 1.2.3.4, QM FSM error (P2 struct &0x749f2490, mess id 0x1)!
%ASA-3-713902: Group = DefaultRAGroup, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
%ASA-5-713259: Group = DefaultRAGroup, IP = 1.2.3.4, Session is being torn down. Reason: Phase 2 Mismatch
%ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 1.2.3.4, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

In particular, I think this error is the relevant one:

Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)

The crypto debugs aren't much help; below is isakmp at level 127 and ipsec at level 100:


7|Apr 26 2012|02:10:38|713236|||||IP = 1.2.3.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Traversal VID ver RFC payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ISAKMP SA payload
7|Apr 26 2012|02:10:30|715028|||||IP = 1.2.3.4, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 1
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing IKE SA payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received Fragmentation VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal ver 02 VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal RFC VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Oakley proposal is acceptable
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing SA payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
4|Apr 26 2012|02:10:30|113019|||||Group = DefaultRAGroup, Username = , IP = 1.2.3.4, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Apr 26 2012|02:10:30|713259|||||Group = DefaultRAGroup, IP = 1.2.3.4, Session is being torn down. Reason: Phase 2 Mismatch
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=3a0d0c58) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing qm hash payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing IKE delete payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing blank hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending delete/delete with reason message
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE SA MM:c7159238 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE SA MM:c7159238 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
3|Apr 26 2012|02:10:30|713902|||||Group = DefaultRAGroup, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending delete/delete with reason message
7|Apr 26 2012|02:10:30|715065|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE QM Responder FSM error history (struct &0x766c58e8)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
3|Apr 26 2012|02:10:30|713902|||||Group = DefaultRAGroup, IP = 1.2.3.4, QM FSM error (P2 struct &0x766c58e8, mess id 0x1)!
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=bf34e4e7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing qm hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing ipsec notify payload for msg id 1
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing blank hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending notify message
5|Apr 26 2012|02:10:30|713904|||||Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing IPSec SA payload
7|Apr 26 2012|02:10:30|713066|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: OUTSIDE_DYN_MAP
7|Apr 26 2012|02:10:30|715059|||||Group = DefaultRAGroup, IP = 1.2.3.4, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Apr 26 2012|02:10:30|713224|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map Check by-passed: Crypto map entry incomplete!
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 65499...
7|Apr 26 2012|02:10:30|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = vpnmap, seq = 20, ACL does not match proxy IDs src:1.2.3.4 dst:64.34.119.71
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 20...
7|Apr 26 2012|02:10:30|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = vpnmap, seq = 10, ACL does not match proxy IDs src:1.2.3.4 dst:64.34.119.71
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 10...
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, QM IsRekeyed old sa not found by addr
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing NAT-Original-Address payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing NAT-Original-Address payload
7|Apr 26 2012|02:10:30|720041|||||(VPN-Secondary) Sending Phase 1 Rcv Delete message (type RA, remote addr 1.2.3.4, my cookie C7159238, his cookie E973BA0F) to standby unit
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, L2TP/IPSec session detected.
7|Apr 26 2012|02:10:30|713024|||||Group = DefaultRAGroup, IP = 1.2.3.4, Received local Proxy Host data in ID Payload:  Address 64.34.119.71, Protocol 17, Port 1701
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
7|Apr 26 2012|02:10:30|713025|||||Group = DefaultRAGroup, IP = 1.2.3.4, Received remote Proxy Host data in ID Payload:  Address 10.65.3.237, Protocol 17, Port 1701
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing nonce payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing SA payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing hash payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
7|Apr 26 2012|02:10:30|714003|||||IP = 1.2.3.4, IKE Responder starting QM: msg id = 00000001
7|Apr 26 2012|02:10:30|720041|||||(VPN-Secondary) Sending New Phase 1 SA message (type RA, remote addr 1.2.3.4, my cookie C7159238, his cookie E973BA0F) to standby unit
7|Apr 26 2012|02:10:30|715080|||||Group = DefaultRAGroup, IP = 1.2.3.4, Starting P1 rekey timer: 21600 seconds.
3|Apr 26 2012|02:10:30|713122|||||IP = 1.2.3.4, Keep-alives configured on but peer does not support keep-alives (type = None)
7|Apr 26 2012|02:10:30|713121|||||IP = 1.2.3.4, Keep-alive type for this connection: None
5|Apr 26 2012|02:10:30|713119|||||Group = DefaultRAGroup, IP = 1.2.3.4, PHASE 1 COMPLETED
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing dpd vid payload
7|Apr 26 2012|02:10:30|715076|||||Group = DefaultRAGroup, IP = 1.2.3.4, Computing hash for ISAKMP
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing hash payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing ID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Connection landed on tunnel_group DefaultRAGroup
6|Apr 26 2012|02:10:30|713172|||||Group = DefaultRAGroup, IP = 1.2.3.4, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
7|Apr 26 2012|02:10:30|715076|||||Group = DefaultRAGroup, IP = 1.2.3.4, Computing hash for ISAKMP
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing hash payload
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, Generating keys for Responder...
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Connection landed on tunnel_group DefaultRAGroup
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Discovery payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Discovery payload
7|Apr 26 2012|02:10:30|715048|||||IP = 1.2.3.4, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing VID payload
7|Apr 26 2012|02:10:30|715038|||||IP = 1.2.3.4, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
7|Apr 26 2012|02:10:30|715048|||||IP = 1.2.3.4, Send IOS VID
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing xauth V6 VID payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Cisco Unity VID payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing nonce payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ke payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing NAT-Discovery payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing NAT-Discovery payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing nonce payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing ISA_KE payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing ke payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 260
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Traversal VID ver RFC payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ISAKMP SA payload
7|Apr 26 2012|02:10:30|715028|||||IP = 1.2.3.4, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 1
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing IKE SA payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received Fragmentation VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal ver 02 VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal RFC VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Oakley proposal is acceptable
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing SA payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
5|Apr 26 2012|02:10:21|111005|||||1.2.3.4 end configuration: OK
7|Apr 26 2012|02:10:16|713906|||||IP = 1.2.3.4, sending delete/delete with reason message
7|Apr 26 2012|02:10:16|713906|||||IP = 1.2.3.4, IKE SA MM:b1f927e6 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
7|Apr 26 2012|02:10:16|715065|||||IP = 1.2.3.4, IKE MM Responder FSM error history (struct &0x76bd68f8)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
5|Apr 26 2012|02:10:16|111010|||||User 'pgrace', running 'CLI' from IP 1.2.3.4, executed 'logging asdm debugging'

Here is my configuration:


ny-asa01# sh run crypto
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 10 set security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 10 set reverse-route
crypto dynamic-map OUTSIDE_DYN_MAP 20 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map OUTSIDE_DYN_MAP 20 set nat-t-disable
crypto dynamic-map L2TP_MAP 10 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto map vpnmap 10 match address A_to_B_vpn
crypto map vpnmap 10 set pfs
crypto map vpnmap 10 set peer 9.8.7.6
crypto map vpnmap 10 set ikev1 transform-set ESP-3DES-SHA
crypto map vpnmap 20 match address B_TO_C_vpn
crypto map vpnmap 20 set pfs
crypto map vpnmap 20 set peer 5.4.3.2
crypto map vpnmap 20 set ikev1 transform-set ESP-3DES-SHA
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 300
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group DefaultRAGroup general-attributes
 address-pool stackvpn_pool
 authentication-server-group RADIUS_SERVER
 accounting-server-group RADIUS_SERVER
 default-group-policy stackvpn_l2tp
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap

group-policy stackvpn_l2tp internal
group-policy stackvpn_l2tp attributes
 dns-server value 5.6.7.8 9.10.11.12
 vpn-tunnel-protocol l2tp-ipsec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT_TUNNEL
 address-pools value stackvpn_pool

Obviously a phase 2 mismatch is usually resolved by changing the proposals, but unfortunately it turns out that Windows 7 doesn't let you mess with the proposal settings at all. There is explicitly no way to enable NAT-T in the Win7 settings.

So my question is: is my configuration wrong? Does anyone have L2TP working properly with Windows 7 on an ASA running 8.4?


1
Phase 1 fails because you haven't configured the client to use Diffie-Hellman group 2. Yet the server requires it.
topdog
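The log excerpt in the question mixes two formats: the %ASA-severity-msgid syslog form and the pipe-delimited form that ASDM exports, and the interesting 713257 line (Encapsulation Mode: UDP Transport received, UDP Tunnel(NAT-T) configured) is buried among repeated Phase 1 lines. The following parser is an added example, not code from the question or from Cisco; it reads both formats, collapses the repeated "Mismatched attribute types" lines into one count per attribute class, and separates the Phase 1 lines (which the ASA prints once per client transform that did not match, before "PHASE 1 COMPLETED" shows that one did) from the Phase 2 mismatch that actually tears the session down. The sample lines are constructed from the shapes seen above.

```python
import re
from collections import Counter

# Constructed sample: the syslog form the ASA writes (%ASA-sev-msgid) and the
# pipe-delimited form ASDM exports (sev|date|time|msgid|||||text), both copied
# from the shapes in the question.
SAMPLE_LINES = [
    "%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2",
    "%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2",
    "%ASA-5-713119: Group = DefaultRAGroup, IP = 1.2.3.4, PHASE 1 COMPLETED",
    "%ASA-5-713257: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)",
    "%ASA-5-713904: Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!",
    "%ASA-3-713902: Group = DefaultRAGroup, IP = 1.2.3.4, QM FSM error (P2 struct &0x749f2490, mess id 0x1)!",
    "5|Apr 26 2012|02:10:30|713259|||||Group = DefaultRAGroup, IP = 1.2.3.4, Session is being torn down. Reason: Phase 2 Mismatch",
    "7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, L2TP/IPSec session detected.",
]

SYSLOG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
MISMATCH_RE = re.compile(
    r"Phase (?P<phase>[12]) failure:\s+Mismatched attribute types for class "
    r"(?P<cls>.+?):\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+)$"
)
REASON_RE = re.compile(r"Reason: (?P<reason>.+)$")


def parse_line(line):
    """Return {severity, msgid, timestamp, text} for a syslog or ASDM-export line, else None."""
    m = SYSLOG_RE.match(line)
    if m:
        return {"severity": int(m["sev"]), "msgid": m["msgid"],
                "timestamp": None, "text": m["text"].strip()}
    # ASDM export: sev|date|time|msgid|<four empty fields>|text
    parts = line.split("|", 8)
    if len(parts) == 9 and parts[0].isdigit() and re.fullmatch(r"\d{6}", parts[3]):
        return {"severity": int(parts[0]), "msgid": parts[3],
                "timestamp": f"{parts[1]} {parts[2]}", "text": parts[8].strip()}
    return None


def extract_mismatch(text):
    """Pull (phase, attribute class, received, configured) out of a 713257 message."""
    m = MISMATCH_RE.search(text)
    if not m:
        return None
    return (int(m["phase"]), m["cls"], m["rcvd"].strip(), m["cfgd"].strip())


def summarize(lines):
    """Collapse repeated mismatch lines and collect the facts that explain a failed tunnel."""
    summary = {"mismatches": Counter(), "phase1_completed": False,
               "error_ids": [], "teardown_reasons": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msgid"] == "713257":
            mm = extract_mismatch(rec["text"])
            if mm:
                summary["mismatches"][mm] += 1
        elif rec["msgid"] == "713119":
            summary["phase1_completed"] = True
        elif rec["msgid"] == "713259":
            r = REASON_RE.search(rec["text"])
            if r:
                summary["teardown_reasons"].append(r["reason"])
        if rec["severity"] <= 3:  # ASA severities 0-3 are error level and above
            summary["error_ids"].append(rec["msgid"])
    summary["mismatches"] = dict(summary["mismatches"])
    return summary


def blocking_mismatches(lines):
    """The mismatches still worth chasing: once phase 1 completed, only phase 2 ones matter."""
    s = summarize(lines)
    if s["phase1_completed"]:
        return [k for k in s["mismatches"] if k[0] == 2]
    return list(s["mismatches"])


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LINES)["mismatches"].items():
        print(f"{n}x phase {key[0]} {key[1]}: peer sent {key[2]!r}, ASA has {key[3]!r}")
    print("blocking:", blocking_mismatches(SAMPLE_LINES))
```

Run against the full export from the question, the output reduces a few hundred lines to one Phase 2 row: the peer proposed UDP-encapsulated transport mode and the ASA only had UDP-encapsulated tunnel mode to offer, which is the same conclusion the question reaches by eye.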

Answers:


0

I have IPSEC working in "lan-to-lan" mode between Windows 7 and an ASA running 8.3(2)13 (FIPS certified).

I'm fairly sure you're right about the error - it can't negotiate the SA you want.

I'd try getting rid of "NAT Traversal". Of course, you may be stuck traversing NAT, in which case it may be required. But it certainly looks like the cause of your problem.

I think your other option is to figure out how to make Windows 7 do the nat-traversal type of SA. You could try digging through netsh advfirewall consec.

Here's a link on that which I had bookmarked. http://technet.microsoft.com/en-us/library/dd736198(v=ws.10).aspx .

One note - the Windows documentation talks about how important it is to rekey the connection regularly. However, if you rekey too often, the ASA takes a dump and drops the connection. Make sure you don't rekey more often than every 2 minutes. Using the MS-recommended number of bytes for rekeying made it drop in under 2 minutes.

When we opened a support case, M$ couldn't really give any real reason for their recommendation. They did send us a big fat bill though.


1
ha, just noticed the date on the question. oh well, maybe someone will find this useful...
Dan Pritts

-1

For anyone landing here:

Cisco troubleshooting: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution14

If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than that of all the other static crypto map entries.
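The rule in this answer (dynamic crypto map entries must sit above every static entry) and the Phase 2 "Encapsulation Mode" mismatch in the question are both things you can check from the "sh run crypto" text before touching the box. The linter below is an added example, not Cisco code and not from any answer here; it parses the transform-set, dynamic-map and crypto-map lines, enforces the sequence-number rule, and lists for every dynamic-map entry the encapsulation mode of its transform set, whether nat-t-disable is set, and whether the dynamic map is actually bound to a crypto map at all (in the question's config, L2TP_MAP is defined but never referenced). The sample config is a constructed subset copied from the question; the assumption that a transform set without a "mode" line is in tunnel mode is the ASA default.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "sh run crypto" output in the question,
# names and sequence numbers copied as-is.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 20 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map OUTSIDE_DYN_MAP 20 set nat-t-disable
crypto dynamic-map L2TP_MAP 10 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto map vpnmap 10 match address A_to_B_vpn
crypto map vpnmap 10 set peer 9.8.7.6
crypto map vpnmap 20 match address B_TO_C_vpn
crypto map vpnmap 20 set peer 5.4.3.2
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map vpnmap interface outside
"""

TS_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.*)$")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (.*)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")


def parse_crypto(config):
    """Return (transform_sets, dynamic_maps, crypto_maps) parsed from 'sh run crypto' text."""
    # A transform set with no "mode" line is tunnel mode (ASA default).
    ts = defaultdict(lambda: {"mode": "tunnel", "transforms": None})
    dyn = defaultdict(lambda: defaultdict(lambda: {"transform_sets": [], "nat_t_disable": False}))
    maps = defaultdict(dict)  # map name -> seq -> {"dynamic": dynamic-map name or None}
    for line in config.splitlines():
        line = line.strip()
        if m := TS_RE.match(line):
            name, rest = m.groups()
            if rest.startswith("mode "):
                ts[name]["mode"] = rest.split()[1]
            else:
                ts[name]["transforms"] = rest.split()
        elif m := DYN_RE.match(line):
            name, seq, rest = m.groups()
            entry = dyn[name][int(seq)]
            if rest.startswith("ikev1 transform-set "):
                entry["transform_sets"] = rest.split()[2:]
            elif rest == "nat-t-disable":
                entry["nat_t_disable"] = True
        elif m := MAP_RE.match(line):  # "crypto map X interface outside" has no seq and is skipped
            name, seq, rest = m.groups()
            entry = maps[name].setdefault(int(seq), {"dynamic": None})
            if dm := re.match(r"ipsec-isakmp dynamic (\S+)", rest):
                entry["dynamic"] = dm.group(1)
    return ts, dyn, maps


def check_sequence_order(maps):
    """Cisco's rule: a dynamic entry must have a higher seq than every static entry on its map."""
    findings = []
    for name, entries in maps.items():
        static = [s for s, e in entries.items() if e["dynamic"] is None]
        for d in (s for s, e in entries.items() if e["dynamic"] is not None):
            above = sorted(s for s in static if s > d)
            if above:
                findings.append(f"{name} seq {d} (dynamic) is below static entries {above}")
    return findings


def describe_dynamic_entries(ts, dyn, maps):
    """One row per transform set on each dynamic-map entry: mode, NAT-T state, and whether reachable."""
    bound = {e["dynamic"] for entries in maps.values() for e in entries.values() if e["dynamic"]}
    rows = []
    for dname, entries in dyn.items():
        for seq, e in sorted(entries.items()):
            for tsn in e["transform_sets"]:
                rows.append({"dynamic_map": dname, "seq": seq, "transform_set": tsn,
                             "mode": ts[tsn]["mode"] if tsn in ts else "unknown",
                             "nat_t_disabled": e["nat_t_disable"],
                             "bound_to_crypto_map": dname in bound})
    return rows


def nat_t_transport_candidates(rows):
    """Entries able to answer a UDP-encapsulated transport-mode proposal (peer behind NAT):
    transport mode, NAT-T not disabled, and reachable through a crypto map."""
    return [r for r in rows
            if r["mode"] == "transport" and not r["nat_t_disabled"] and r["bound_to_crypto_map"]]


if __name__ == "__main__":
    ts, dyn, maps = parse_crypto(SAMPLE_CONFIG)
    print("sequence findings:", check_sequence_order(maps))
    for r in describe_dynamic_entries(ts, dyn, maps):
        print(r)
```

On the question's config the sequence rule passes (static 10 and 20, dynamic 65500), so that is not the problem there; the entry table is the more telling output, since it shows that the only bound transport-mode entry has nat-t-disable set while the debug lines say the peer is behind NAT and only UDP-encapsulated modes are being considered.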

Licensed under cc by-sa 3.0 with attribution required.