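I am connecting a remote ASA to the central site using the following settings:
Phase 1 IKE: Encryption: DES, Authentication: MD5, DH: DH2
Phase 2: Encryption: DES, Authentication: MD5
I get the following errors: Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping and Information Exchange processing failed.
Then I removed all references to my L2TP VPN policy and it started working. It looks like I can't get L2TP and the Lan-2-Lan VPN to play together.
Now the Lan-2-Lan VPN is working, and after I re-added it, L2TP no longer works (whereas before, L2TP was working but lan2lan was not). I believe this has something to do with the multiple IKE policies.
How do I get Lan2Lan and L2TP (for Windows 7 and Mac clients) working at the same time?
Thanks a lot.
My configuration is as follows: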
names
name 192.168.40.0 othersite
!
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 othersite 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.30.192 255.255.255.192
access-list outside_1_cryptomap extended permit ip 192.168.30.0 255.255.255.0 othersite 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.30.0 255.255.255.0
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
ip local pool VPNLAN 192.168.30.210-192.168.30.240 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.30.0 255.255.255.0
nat (outside) 1 192.168.30.0 255.255.255.0
access-group OUTSIDE_IN_ACL in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-3DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 95.97.2.218
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.30.3
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNLAN
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group 45.27.21.7 type ipsec-l2l
tunnel-group 45.27.21.7 ipsec-attributes
 pre-shared-key *****