Configuring L2TP/IPSec on a Cisco 2911 router

Hi everyone, I have a problem with my L2TP/IPSec configuration on a Cisco 2911 router. I can't establish a connection from the built-in VPN client on Windows 7, 8.1, or 10.

Here is my configuration:

    aaa new-model
    aaa authentication ppp L2TP-LOGIN local
    username l2tpuser password cisco
    !
    vpdn enable
    vpdn-group L2TP-GR
     description L2TP over IPSec
     accept-dialin
      protocol l2tp
      virtual-template 2
      exit
     no l2tp tunnel authentication
     session-limit 20
     exit
    !
    ip local pool L2TP-POOL 172.16.23.100 172.16.23.200
    interface Virtual-Template2
     description L2TP over IPSec Template
     ip unnumbered FastEthernet0/1
     peer default ip address pool L2TP-POOL
     no keepalive
     ppp authentication ms-chap-v2 L2TP-LOGIN
     ppp mtu adaptive
     exit
    !
    crypto isakmp enable
    crypto logging session
    crypto isakmp invalid-spi-recovery
    !
    crypto isakmp policy 20
     encr 3des
     authentication pre-share
     group 2
     hash md5
     exit
    !
    crypto keyring L2TP-KEY
     pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123cisco
     exit
    !
    crypto isakmp profile L2TP-PROF
     keyring L2TP-KEY
     match identity address 0.0.0.0
     exit
    !
    crypto ipsec transform-set L2TP-TRSET esp-3des esp-md5-hmac
     mode transport
     exit
    !
    crypto dynamic-map DYN-L2TP-MAP 10
     set isakmp-profile L2TP-PROF
     set transform-set L2TP-TRSET
     set nat demux
     exit
    !
    crypto map L2TP-MAP 65535 ipsec-isakmp dynamic DYN-L2TP-MAP
    !
    interface gi0/0
     description WAN
     crypto map L2TP-MAP
     exit
    !

What is the problem? Where did I go wrong?

Update

    .Apr 3 08:16:16.610: ISAKMP (1070): received packet from 192.168.7.92 dport 500 sport 500 Global (R) QM_IDLE
    .Apr 3 08:16:16.610: ISAKMP: set new node -1169728138 to QM_IDLE
    .Apr 3 08:16:16.610: crypto_engine: Decrypt IKE packet
    .Apr 3 08:16:16.610: crypto_engine: Generate IKE hash
    .Apr 3 08:16:16.610: ISAKMP:(1070): processing HASH payload. message ID = 3125239158
    .Apr 3 08:16:16.610: ISAKMP:(1070): processing DELETE payload. message ID = 3125239158
    .Apr 3 08:16:16.610: ISAKMP:(1070):peer does not do paranoid keepalives.
    .Apr 3 08:16:16.610: ISAKMP:(1070):deleting node -1169728138 error FALSE reason "Informational (in) state 1"
    .Apr 3 08:16:16.610: ISAKMP (1070): received packet from 192.168.7.92 dport 500 sport 500 Global (R) QM_IDLE
    .Apr 3 08:16:16.610: ISAKMP: set new node -1213364179 to QM_IDLE
    .Apr 3 08:16:16.610: crypto_engine: Decrypt IKE packet
    .Apr 3 08:16:16.610: crypto_engine: Generate IKE hash
    .Apr 3 08:16:16.610: ISAKMP:(1070): processing HASH payload. message ID = 3081603117
    .Apr 3 08:16:16.614: ISAKMP:(1070): processing DELETE payload. message ID = 3081603117
    .Apr 3 08:16:16.614: ISAKMP:(1070):peer does not do paranoid keepalives.
    .Apr 3 08:16:16.614: ISAKMP:(1070):deleting SA reason "No reason" state (R) QM_IDLE (peer 192.168.7.92)
    .Apr 3 08:16:16.614: ISAKMP:(1070):deleting node -1213364179 error FALSE reason "Informational (in) state 1"
    .Apr 3 08:16:16.618: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    .Apr 3 08:16:16.618: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    .Apr 3 08:16:16.618: IPSEC(key_engine_delete_sas): delete SA with spi 0x3D3ED559 proto 50 for 192.168.7.92
    .Apr 3 08:16:16.618: crypto_engine: Pull flow statistics
    .Apr 3 08:16:16.618: crypto_engine_ipsec_flow_pull_statistics: calling driver
    .Apr 3 08:16:16.618: ISAKMP: set new node -1561337744 to QM_IDLE
    .Apr 3 08:16:16.618: crypto_engine: Generate IKE hash
    .Apr 3 08:16:16.618: crypto_engine: Encrypt IKE packet
    .Apr 3 08:16:16.618: ISAKMP:(1070): sending packet to 192.168.7.92 my_port 500 peer_port 500 (R) QM_IDLE
    .Apr 3 08:16:16.618: ISAKMP:(1070):Sending an IKE IPv4 Packet.
    .Apr 3 08:16:16.618: ISAKMP:(1070):purging node -1561337744
    .Apr 3 08:16:16.618: ISAKMP:(1070):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    .Apr 3 08:16:16.618: ISAKMP:(1070):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
    .Apr 3 08:16:16.618: ISAKMP:(1070):deleting SA reason "No reason" state (R) QM_IDLE (peer 192.168.7.92)
    .Apr 3 08:16:16.618: ISAKMP: Unlocking peer struct 0x3DB5A12C for isadb_mark_sa_deleted(), count 0
    .Apr 3 08:16:16.622: crypto engine: deleting IKE SA SW:70
    .Apr 3 08:16:16.622: crypto_engine: Delete IKE SA
    .Apr 3 08:16:16.622: IKE HA: Removing one interface using VIP 0.0.0.0
    .Apr 3 08:16:16.622: IKE HA: No database for VIP 0.0.0.0. Cannot delete
    .Apr 3 08:16:16.622: IPSec HA: Removing one interface using VIP 0.0.0.0
    .Apr 3 08:16:16.622: IPSec HA: No database for VIP 0.0.0.0. Cannot delete
    .Apr 3 08:16:16.622: ISAKMP:(1070):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    .Apr 3 08:16:16.622: ISAKMP:(1070):Old State = IKE_DEST_SA New State = IKE_DEST_SA
    .Apr 3 08:16:16.622: crypto_engine: Pull sadb-ivrf statistics
    .Apr 3 08:16:16.622: crypto_engine_ipsec_sadb_ivrf_pull_statistics: call driver
    .Apr 3 08:16:16.622: crypto_engine: Pull sadb-ivrf statistics, got error unsupported operation
    .Apr 3 08:16:16.622: ISAKMP: Failed to find peer index node to update peer_info_list
    .Apr 3 08:16:16.622: IPSEC(update_current_outbound_sa): updated peer 192.168.7.92 current outbound sa to SPI 3D3ED559
    .Apr 3 08:16:16.622: IPSEC(delete_sa): deleting SA, (sa) sa_dest= XX, sa_proto= 50, sa_spi= 0x6D6766BE(1835493054), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2109 sa_lifetime(k/sec)= (250000/3600), (identity) local= XX:0, remote= 192.168.7.92:0, local_proxy= XX/255.255.255.255/17/1701, remote_proxy= 192.168.7.92/255.255.255.255/17/1701
    .Apr 3 08:16:16.622: IPSEC(update_current_outbound_sa): updated peer 192.168.7.92 current outbound sa to SPI 3D3ED559
    .Apr 3 08:16:16.622: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 192.168.7.92, sa_proto= 50, sa_spi= 0x3D3ED559(1027528025), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2110 sa_lifetime(k/sec)= (250000/3600), (identity) local= XX:0, remote= 192.168.7.92:0, local_proxy= XX/255.255.255.255/17/1701, remote_proxy= 192.168.7.92/255.255.255.255/17/1701
    .Apr 3 08:16:16.622: crypto engine: deleting IPSec SA Onboard VPN:109
    .Apr 3 08:16:16.626: crypto_engine: Delete IPSec SA
    .Apr 3 08:16:16.626: crypto engine: deleting IPSec SA Onboard VPN:110
    .Apr 3 08:16:16.630: crypto_engine: Delete IPSec SA
    .Apr 3 08:16:16.634: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 192.168.7.92:500 Id: 192.168.7.92
    ATVRouter#
    .Apr 3 08:16:16.634: ISAKMP: Deleting peer node by peer_reap for 192.168.7.92: 3DB5A12C
    .Apr 3 08:16:16.634: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    .Apr 3 08:16:20.082: ISAKMP (0): received packet from 192.168.7.92 dport 500 sport 500 Global (N) NEW SA
    .Apr 3 08:16:20.082: ISAKMP: Created a peer struct for 192.168.7.92, peer port 500
    .Apr 3 08:16:20.082: ISAKMP: New peer created peer = 0x23781594 peer_handle = 0x80000065
    .Apr 3 08:16:20.082: ISAKMP: Locking peer struct 0x23781594, refcount 1 for crypto_isakmp_process_block
    .Apr 3 08:16:20.082: ISAKMP: local port 500, remote port 500
    .Apr 3 08:16:20.082: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3DA06FE8
    .Apr 3 08:16:20.082: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    .Apr 3 08:16:20.082: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

    .Apr 3 08:16:20.082: ISAKMP:(0): processing SA payload. message ID = 0
    .Apr 3 08:16:20.082: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.082: ISAKMP:(0): processing IKE frag vendor id payload
    .Apr 3 08:16:20.082: ISAKMP:(0):Support for IKE Fragmentation not enabled
    .Apr 3 08:16:20.082: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.086: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    .Apr 3 08:16:20.086: ISAKMP (0): vendor ID is NAT-T RFC 3947
    .Apr 3 08:16:20.086: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.086: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    .Apr 3 08:16:20.086: ISAKMP:(0): vendor ID is NAT-T v2
    .Apr 3 08:16:20.086: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.086: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    .Apr 3 08:16:20.086: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.086: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
    .Apr 3 08:16:20.086: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.086: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
    .Apr 3 08:16:20.086: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.086: ISAKMP:(0):found peer pre-shared key matching 192.168.7.92
    .Apr 3 08:16:20.086: ISAKMP:(0): local preshared key found
    .Apr 3 08:16:20.086: ISAKMP : Scanning profiles for xauth ...
    .Apr 3 08:16:20.086: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    .Apr 3 08:16:20.086: ISAKMP:      encryption AES-CBC
    .Apr 3 08:16:20.086: ISAKMP:      keylength of 256
    .Apr 3 08:16:20.086: ISAKMP:      hash SHA
    .Apr 3 08:16:20.086: ISAKMP:      default group 20
    .Apr 3 08:16:20.086: ISAKMP:      auth pre-share
    .Apr 3 08:16:20.086: ISAKMP:      life type in seconds
    .Apr 3 08:16:20.086: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
    .Apr 3 08:16:20.086: ISAKMP:(0):Encryption algorithm offered does not match policy!
    .Apr 3 08:16:20.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
    .Apr 3 08:16:20.086: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
    .Apr 3 08:16:20.086: ISAKMP:      encryption AES-CBC
    .Apr 3 08:16:20.086: ISAKMP:      keylength of 128
    .Apr 3 08:16:20.086: ISAKMP:      hash SHA
    .Apr 3 08:16:20.086: ISAKMP:      default group 19
    .Apr 3 08:16:20.086: ISAKMP:      auth pre-share
    .Apr 3 08:16:20.086: ISAKMP:      life type in seconds
    .Apr 3 08:16:20.086: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
    .Apr 3 08:16:20.086: ISAKMP:(0):Encryption algorithm offered does not match policy!
    .Apr 3 08:16:20.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
    .Apr 3 08:16:20.086: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
    .Apr 3 08:16:20.086: ISAKMP:      encryption AES-CBC
    .Apr 3 08:16:20.086: ISAKMP:      keylength of 256
    .Apr 3 08:16:20.086: ISAKMP:      hash SHA
    .Apr 3 08:16:20.086: ISAKMP:      default group 14
    .Apr 3 08:16:20.086: ISAKMP:      auth pre-share
    .Apr 3 08:16:20.086: ISAKMP:      life type in seconds
    .Apr 3 08:16:20.086: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
    .Apr 3 08:16:20.090: ISAKMP:(0):Encryption algorithm offered does not match policy!
    .Apr 3 08:16:20.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
    .Apr 3 08:16:20.090: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
    .Apr 3 08:16:20.090: ISAKMP:      encryption 3DES-CBC
    .Apr 3 08:16:20.090: ISAKMP:      hash SHA
    .Apr 3 08:16:20.090: ISAKMP:      default group 14
    .Apr 3 08:16:20.090: ISAKMP:      auth pre-share
    .Apr 3 08:16:20.090: ISAKMP:      life type in seconds
    .Apr 3 08:16:20.090: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
    .Apr 3 08:16:20.090: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
    .Apr 3 08:16:20.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
    .Apr 3 08:16:20.090: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
    .Apr 3 08:16:20.090: ISAKMP:      encryption 3DES-CBC
    .Apr 3 08:16:20.090: ISAKMP:      hash SHA
    .Apr 3 08:16:20.090: ISAKMP:      default group 2
    .Apr 3 08:16:20.090: ISAKMP:      auth pre-share
    .Apr 3 08:16:20.090: ISAKMP:      life type in seconds
    .Apr 3 08:16:20.090: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
    .Apr 3 08:16:20.090: ISAKMP:(0):atts are acceptable. Next payload is 0
    .Apr 3 08:16:20.090: ISAKMP:(0):Acceptable atts:actual life: 0
    .Apr 3 08:16:20.090: ISAKMP:(0):Acceptable atts:life: 0
    .Apr 3 08:16:20.090: ISAKMP:(0):Fill atts in sa vpi_length:4
    .Apr 3 08:16:20.090: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
    .Apr 3 08:16:20.090: ISAKMP:(0):Returning Actual lifetime: 28800
    .Apr 3 08:16:20.090: ISAKMP:(0)::Started lifetime timer: 28800.
    .Apr 3 08:16:20.090: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.090: ISAKMP:(0): processing IKE frag vendor id payload
    .Apr 3 08:16:20.090: ISAKMP:(0):Support for IKE Fragmentation not enabled
    .Apr 3 08:16:20.090: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.094: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    .Apr 3 08:16:20.094: ISAKMP (0): vendor ID is NAT-T RFC 3947
    .Apr 3 08:16:20.094: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.094: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    .Apr 3 08:16:20.094: ISAKMP:(0): vendor ID is NAT-T v2
    .Apr 3 08:16:20.094: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.094: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    .Apr 3 08:16:20.094: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.094: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
    .Apr 3 08:16:20.094: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.094: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
    .Apr 3 08:16:20.094: ISAKMP:(0): processing vendor id payload
    .Apr 3 08:16:20.094: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
    .Apr 3 08:16:20.094: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    .Apr 3 08:16:20.094: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
    .Apr 3 08:16:20.094: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    .Apr 3 08:16:20.094: ISAKMP:(0): sending packet to 192.168.7.92 my_port 500 peer_port 500 (R) MM_SA_SETUP
    .Apr 3 08:16:20.094: ISAKMP:(0):Sending an IKE IPv4 Packet.
    .Apr 3 08:16:20.098: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    .Apr 3 08:16:20.098: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
    .Apr 3 08:16:20.106: ISAKMP (0): received packet from 192.168.7.92 dport 500 sport 500 Global (R) MM_SA_SETUP

    .Apr 3 08:16:20.106: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    .Apr 3 08:16:20.106: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
    .Apr 3 08:16:20.106: ISAKMP:(0): processing KE payload. message ID = 0
    .Apr 3 08:16:20.106: crypto_engine: Create DH shared secret
    .Apr 3 08:16:20.162: ISAKMP:(0): processing NONCE payload. message ID = 0
    .Apr 3 08:16:20.162: ISAKMP:(0):found peer pre-shared key matching 192.168.7.92
    .Apr 3 08:16:20.162: crypto_engine: Create IKE SA
    .Apr 3 08:16:20.162: crypto engine: deleting DH phase 2 SW:75
    .Apr 3 08:16:20.162: crypto_engine: Delete DH shared secret
    .Apr 3 08:16:20.162: ISAKMP:received payload type 20
    .Apr 3 08:16:20.162: ISAKMP (1071): His hash no match - this node outside NAT
    .Apr 3 08:16:20.162: ISAKMP:received payload type 20
    .Apr 3 08:16:20.162: ISAKMP (1071): No NAT Found for self or peer
    .Apr 3 08:16:20.162: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    .Apr 3 08:16:20.162: ISAKMP:(1071):Old State = IKE_R_MM3 New State = IKE_R_MM3
    .Apr 3 08:16:20.162: ISAKMP:(1071): sending packet to 192.168.7.92 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    .Apr 3 08:16:20.162: ISAKMP:(1071):Sending an IKE IPv4 Packet.
    .Apr 3 08:16:20.166: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    .Apr 3 08:16:20.166: ISAKMP:(1071):Old State = IKE_R_MM3 New State = IKE_R_MM4
    .Apr 3 08:16:20.166: ISAKMP (1071): received packet from 192.168.7.92 dport 500 sport 500 Global (R) MM_KEY_EXCH
    .Apr 3 08:16:20.166: crypto_engine: Decrypt IKE packet
    .Apr 3 08:16:20.166: ISAKMP:(1071):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    .Apr 3 08:16:20.166: ISAKMP:(1071):Old State = IKE_R_MM4 New State = IKE_R_MM5
    .Apr 3 08:16:20.170: ISAKMP:(1071): processing ID payload. message ID = 0
    .Apr 3 08:16:20.170: ISAKMP (1071): ID payload
        next-payload : 8 type : 1 address : 192.168.7.92 protocol : 0 port : 0 length : 12
    .Apr 3 08:16:20.170: ISAKMP:(0):: peer matches *none* of the profiles
    .Apr 3 08:16:20.170: ISAKMP:(1071): processing HASH payload. message ID = 0
    .Apr 3 08:16:20.170: crypto_engine: Generate IKE hash
    .Apr 3 08:16:20.170: ISAKMP:(1071):SA authentication status:
        authenticated
    .Apr 3 08:16:20.170: ISAKMP:(1071):SA has been authenticated with 192.168.7.92
    .Apr 3 08:16:20.170: ISAKMP: Trying to insert a peer XX/192.168.7.92/500/, and inserted successfully 23781594.
    .Apr 3 08:16:20.170: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    .Apr 3 08:16:20.170: ISAKMP:(1071):Old State = IKE_R_MM5 New State = IKE_R_MM5
    .Apr 3 08:16:20.170: ISAKMP:(1071):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    .Apr 3 08:16:20.170: ISAKMP (1071): ID payload
        next-payload : 8 type : 1 address : XX protocol : 17 port : 500 length : 12
    .Apr 3 08:16:20.170: ISAKMP:(1071):Total payload length: 12
    .Apr 3 08:16:20.170: crypto_engine: Generate IKE hash
    .Apr 3 08:16:20.170: crypto_engine: Encrypt IKE packet
    .Apr 3 08:16:20.170: ISAKMP:(1071): sending packet to 192.168.7.92 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    .Apr 3 08:16:20.170: ISAKMP:(1071):Sending an IKE IPv4 Packet.
    .Apr 3 08:16:20.170: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    .Apr 3 08:16:20.170: ISAKMP:(1071):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
    .Apr 3 08:16:20.170: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    .Apr 3 08:16:20.170: ISAKMP:(1071):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

    .Apr 3 08:16:20.170: ISAKMP (1071): received packet from 192.168.7.92 dport 500 sport 500 Global (R) QM_IDLE
    .Apr 3 08:16:20.170: ISAKMP: set new node 1 to QM_IDLE
    .Apr 3 08:16:20.170: crypto_engine: Decrypt IKE packet
    .Apr 3 08:16:20.174: crypto_engine: Generate IKE hash
    .Apr 3 08:16:20.174: ISAKMP:(1071): processing HASH payload. message ID = 1
    .Apr 3 08:16:20.174: ISAKMP:(1071): processing SA payload. message ID = 1
    .Apr 3 08:16:20.174: ISAKMP:(1071):Checking IPSec proposal 1
    .Apr 3 08:16:20.174: ISAKMP: transform 1, ESP_AES
    .Apr 3 08:16:20.174: ISAKMP:   attributes in transform:
    .Apr 3 08:16:20.174: ISAKMP:      encaps is 2 (Transport)
    .Apr 3 08:16:20.174: ISAKMP:      key length is 128
    .Apr 3 08:16:20.174: ISAKMP:      authenticator is HMAC-SHA
    .Apr 3 08:16:20.174: ISAKMP:      SA life type in seconds
    .Apr 3 08:16:20.174: ISAKMP:      SA life duration (VPI) of 0x0 0x0 0xE 0x10
    .Apr 3 08:16:20.174: ISAKMP:      SA life type in kilobytes
    .Apr 3 08:16:20.174: ISAKMP:      SA life duration (VPI) of 0x0 0x3 0xD0 0x90
    .Apr 3 08:16:20.174: ISAKMP:(1071):atts are acceptable.
    .Apr 3 08:16:20.174: IPSEC(validate_proposal_request): proposal part #1
    .Apr 3 08:16:20.174: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= XX:0, remote= 192.168.7.92:0, local_proxy= XX/255.255.255.255/17/1701, remote_proxy= 192.168.7.92/255.255.255.255/17/1701, protocol= ESP, transform= NONE (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    .Apr 3 08:16:20.174: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes esp-sha-hmac }
    .Apr 3 08:16:20.174: ISAKMP:(1071): IPSec policy invalidated proposal with error 256
    .Apr 3 08:16:20.174: ISAKMP:(1071):Checking IPSec proposal 2
    .Apr 3 08:16:20.174: ISAKMP: transform 1, ESP_3DES
    .Apr 3 08:16:20.174: ISAKMP:   attributes in transform:
    .Apr 3 08:16:20.174: ISAKMP:      encaps is 2 (Transport)
    .Apr 3 08:16:20.174: ISAKMP:      authenticator is HMAC-SHA
    .Apr 3 08:16:20.174: ISAKMP:      SA life type in seconds
    .Apr 3 08:16:20.174: ISAKMP:      SA life duration (VPI) of 0x0 0x0 0xE 0x10
    .Apr 3 08:16:20.174: ISAKMP:      SA life type in kilobytes
    .Apr 3 08:16:20.174: ISAKMP:      SA life duration (VPI) of 0x0 0x3 0xD0 0x90
    .Apr 3 08:16:20.174: ISAKMP:(1071):atts are acceptable.
    .Apr 3 08:16:20.174: IPSEC(validate_proposal_request): proposal part #1
    .Apr 3 08:16:20.174: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= XX:0, remote= 192.168.7.92:0, local_proxy= XX/255.255.255.255/17/1701, remote_proxy= 192.168.7.92/255.255.255.255/17/1701, protocol= ESP, transform= NONE (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    .Apr 3 08:16:20.174: ISAKMP:(1071): processing NONCE payload. message ID = 1
    .Apr 3 08:16:20.174: ISAKMP:(1071): processing ID payload. message ID = 1
    .Apr 3 08:16:20.174: ISAKMP:(1071): processing ID payload. message ID = 1
    .Apr 3 08:16:20.174: ISAKMP:(1071):QM Responder gets spi
    .Apr 3 08:16:20.174: ISAKMP:(1071):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    .Apr 3 08:16:20.174: ISAKMP:(1071):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
    .Apr 3 08:16:20.174: crypto_engine: Generate IKE hash
    .Apr 3 08:16:20.174: ISAKMP:(1071):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
    .Apr 3 08:16:20.174: ISAKMP:(1071):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
    .Apr 3 08:16:20.174: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    .Apr 3 08:16:20.174: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dyn-map
    .Apr 3 08:16:20.174: crypto_engine: Generate IKE QM keys
    .Apr 3 08:16:20.174: crypto_engine: Create IPSec SA (by keys)
    .Apr 3 08:16:20.174: crypto_engine: Generate IKE QM keys
    .Apr 3 08:16:20.174: crypto_engine: Create IPSec SA (by keys)
    .Apr 3 08:16:20.178: IPSEC(create_sa): sa created, (sa) sa_dest= XX, sa_proto= 50, sa_spi= 0x7315891C(1930791196), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2111 sa_lifetime(k/sec)= (250000/3600)
    .Apr 3 08:16:20.178: IPSEC(create_sa): sa created, (sa) sa_dest= 192.168.7.92, sa_proto= 50, sa_spi= 0x8F7085B8(2406516152), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2112 sa_lifetime(k/sec)= (250000/3600)
    .Apr 3 08:16:20.178: ISAKMP: Failed to find peer index node to update peer_info_list
    .Apr 3 08:16:20.178: ISAKMP:(1071):Received IPSec Install callback... proceeding with the negotiation
    .Apr 3 08:16:20.178: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 192.168.7.92:500 Id: 192.168.7.92
    ATVRouter#
    .Apr 3 08:16:20.178: crypto_engine: Encrypt IKE packet
    .Apr 3 08:16:20.178: ISAKMP:(1071): sending packet to 192.168.7.92 my_port 500 peer_port 500 (R) QM_IDLE
    .Apr 3 08:16:20.178: ISAKMP:(1071):Sending an IKE IPv4 Packet.
    .Apr 3 08:16:20.178: ISAKMP:(1071):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
    .Apr 3 08:16:20.178: ISAKMP:(1071):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
    .Apr 3 08:16:21.034: ISAKMP (1071): received packet from 192.168.7.92 dport 500 sport 500 Global (R) QM_IDLE
    .Apr 3 08:16:21.034: crypto_engine: Decrypt IKE packet
    .Apr 3 08:16:21.034: crypto_engine: Generate IKE hash
    .Apr 3 08:16:21.034: ISAKMP:(1071):deleting node 1 error FALSE reason "QM done (await)"
    .Apr 3 08:16:21.034: ISAKMP:(1071):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    .Apr 3 08:16:21.034: ISAKMP:(1071):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
    .Apr 3 08:16:21.034: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    .Apr 3 08:16:21.034: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
    .Apr 3 08:16:21.034: crypto engine: updating MTU size of IPSec SA Onboard VPN:112
    .Apr 3 08:16:21.034: crypto_engine: Set IPSec MTU
    .Apr 3 08:16:21.034: IPSEC: Expand action denied, notify RP

The debugging shows that both phases of IPSec succeed, but I still cannot connect with the Windows built-in VPN client.

It looks like there is a misconfiguration between your hash algorithms:

Your router's configuration:

    ...
    crypto isakmp policy 20
     encr 3des
     authentication pre-share
     group 2
     hash md5
    ...

During the ISAKMP negotiation, your router receives proposals that have only SHA as the signature algorithm:

    Mar 31 11:22:27.869: ISAKMP:(0):Hash algorithm offered does not match policy!
    Mar 31 11:22:27.869: ISAKMP:(0):atts are not acceptable. Next payload is 0
    Mar 31 11:22:27.869: ISAKMP:(0):no offers accepted!
    Mar 31 11:22:27.869: ISAKMP:(0): phase 1 SA policy not acceptable! (local 85.132.96.203 remote 192.168.3.242)

Your devices must have a common algorithm for the ISAKMP protocol.

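Please provide the error you get when you try to connect the Windows system to the Cisco gateway (e.g. no proposal chosen, authentication failed, etc.). Please also provide the ISAKMP messages for more detailed debugging.

The Windows side shows this error:

Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

On the Cisco side: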

    Mar 31 11:22:27.865: ISAKMP (0): received packet from 192.168.3.242 dport 500 sport 500 Global (N) NEW SA
    Mar 31 11:22:27.865: ISAKMP: Created a peer struct for 192.168.3.242, peer port 500
    Mar 31 11:22:27.865: ISAKMP: New peer created peer = 0x3C770598 peer_handle = 0x8000001A
    Mar 31 11:22:27.865: ISAKMP: Locking peer struct 0x3C770598, refcount 1 for crypto_isakmp_process_block
    Mar 31 11:22:27.865: ISAKMP: local port 500, remote port 500
    Mar 31 11:22:27.865: ISAKMP:(0):insert sa successfully sa = 3D862750
    Mar 31 11:22:27.865: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar 31 11:22:27.865: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
    Mar 31 11:22:27.865: ISAKMP:(0): processing SA payload. message ID = 0
    Mar 31 11:22:27.865: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.865: ISAKMP:(0): processing IKE frag vendor id payload
    Mar 31 11:22:27.865: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar 31 11:22:27.865: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.865: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Mar 31 11:22:27.865: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Mar 31 11:22:27.865: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.865: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Mar 31 11:22:27.865: ISAKMP:(0): vendor ID is NAT-T v2
    Mar 31 11:22:27.865: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.865: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    Mar 31 11:22:27.865: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.865: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
    Mar 31 11:22:27.865: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.865: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
    Mar 31 11:22:27.865: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.865: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
    Mar 31 11:22:27.865: ISAKMP:(0):found peer pre-shared key matching 192.168.3.242
    Mar 31 11:22:27.865: ISAKMP:(0): local preshared key found
    Mar 31 11:22:27.865: ISAKMP : Scanning profiles for xauth ... L2TP-PROF

    Mar 31 11:22:27.865: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
    Mar 31 11:22:27.865: ISAKMP:      encryption AES-CBC
    Mar 31 11:22:27.865: ISAKMP:      keylength of 256
    Mar 31 11:22:27.865: ISAKMP:      hash SHA
    Mar 31 11:22:27.865: ISAKMP:      default group 20
    Mar 31 11:22:27.865: ISAKMP:      auth pre-share
    Mar 31 11:22:27.865: ISAKMP:      life type in seconds
    Mar 31 11:22:27.865: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
    Mar 31 11:22:27.865: ISAKMP:(0):Encryption algorithm offered does not match policy!
    Mar 31 11:22:27.865: ISAKMP:(0):atts are not acceptable. Next payload is 3
    Mar 31 11:22:27.865: ISAKMP:(0):Checking ISAKMP transform 2 against priority 20 policy
    Mar 31 11:22:27.865: ISAKMP:      encryption AES-CBC
    Mar 31 11:22:27.865: ISAKMP:      keylength of 128
    Mar 31 11:22:27.865: ISAKMP:      hash SHA
    Mar 31 11:22:27.865: ISAKMP:      default group 19
    Mar 31 11:22:27.865: ISAKMP:      auth pre-share
    Mar 31 11:22:27.865: ISAKMP:      life type in seconds
    Mar 31 11:22:27.865: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
    Mar 31 11:22:27.865: ISAKMP:(0):Encryption algorithm offered does not match policy!
    Mar 31 11:22:27.865: ISAKMP:(0):atts are not acceptable. Next payload is 3
    Mar 31 11:22:27.865: ISAKMP:(0):Checking ISAKMP transform 3 against priority 20 policy
    Mar 31 11:22:27.865: ISAKMP:      encryption AES-CBC
    Mar 31 11:22:27.865: ISAKMP:      keylength of 256
    Mar 31 11:22:27.865: ISAKMP:      hash SHA
    Mar 31 11:22:27.865: ISAKMP:      default group 14
    Mar 31 11:22:27.865: ISAKMP:      auth pre-share
    Mar 31 11:22:27.865: ISAKMP:      life type in seconds
    Mar 31 11:22:27.865: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
    Mar 31 11:22:27.865: ISAKMP:(0):Encryption algorithm offered does not match policy!
    Mar 31 11:22:27.865: ISAKMP:(0):atts are not acceptable. Next payload is 3
    Mar 31 11:22:27.865: ISAKMP:(0):Checking ISAKMP transform 4 against priority 20 policy
    Mar 31 11:22:27.865: ISAKMP:      encryption 3DES-CBC
    Mar 31 11:22:27.865: ISAKMP:      hash SHA
    Mar 31 11:22:27.865: ISAKMP:      default group 14
    Mar 31 11:22:27.865: ISAKMP:      auth pre-share
    Mar 31 11:22:27.865: ISAKMP:      life type in seconds
    Mar 31 11:22:27.865: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
    Mar 31 11:22:27.869: ISAKMP:(0):Hash algorithm offered does not match policy!
    Mar 31 11:22:27.869: ISAKMP:(0):atts are not acceptable. Next payload is 3
    Mar 31 11:22:27.869: ISAKMP:(0):Checking ISAKMP transform 5 against priority 20 policy
    Mar 31 11:22:27.869: ISAKMP:      encryption 3DES-CBC
    Mar 31 11:22:27.869: ISAKMP:      hash SHA
    Mar 31 11:22:27.869: ISAKMP:      default group 2
    Mar 31 11:22:27.869: ISAKMP:      auth pre-share
    Mar 31 11:22:27.869: ISAKMP:      life type in seconds
    Mar 31 11:22:27.869: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
    Mar 31 11:22:27.869: ISAKMP:(0):Hash algorithm offered does not match policy!
    Mar 31 11:22:27.869: ISAKMP:(0):atts are not acceptable. Next payload is 0
    Mar 31 11:22:27.869: ISAKMP:(0):no offers accepted!
    Mar 31 11:22:27.869: ISAKMP:(0): phase 1 SA policy not acceptable! (local 85.132.96.203 remote 192.168.3.242)

    Mar 31 11:22:27.869: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
    Mar 31 11:22:27.869: ISAKMP:(0): Failed to construct AG informational message.
    Mar 31 11:22:27.869: ISAKMP:(0): sending packet to 192.168.3.242 my_port 500 peer_port 500 (R) MM_NO_STATE
    Mar 31 11:22:27.869: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar 31 11:22:27.869: ISAKMP:(0):peer does not do paranoid keepalives.
    Mar 31 11:22:27.869: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.3.242)
    Mar 31 11:22:27.869: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.869: ISAKMP:(0): processing IKE frag vendor id payload
    Mar 31 11:22:27.869: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar 31 11:22:27.869: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Mar 31 11:22:27.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Mar 31 11:22:27.869: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Mar 31 11:22:27.869: ISAKMP:(0): vendor ID is NAT-T v2
    Mar 31 11:22:27.869: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    Mar 31 11:22:27.869: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
    Mar 31 11:22:27.869: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
    Mar 31 11:22:27.869: ISAKMP:(0): processing vendor id payload
    Mar 31 11:22:27.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
    Mar 31 11:22:27.869: ISAKMP (0): FSM action returned error: 2
    Mar 31 11:22:27.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar 31 11:22:27.869: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
    Mar 31 11:22:27.869: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.3.242)
    Mar 31 11:22:27.869: ISAKMP: Unlocking peer struct 0x3C770598 for isadb_mark_sa_deleted(), count 0
    Mar 31 11:22:27.869: ISAKMP: Deleting peer node by peer_reap for 192.168.3.242: 3C770598
    Mar 31 11:22:27.869: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:192.168.3.242 local_id:192.168.3.242 remote:85.132.96.203 remote_id:85.132.96.203 IKE profile:None fvrf:None fail_reason:Proposal failure fail_class_cnt:1
    Mar 31 11:22:27.869: IKE HA: Removing one interface using VIP 0.0.0.0
    Mar 31 11:22:27.869: IKE HA: No database for VIP 0.0.0.0. Cannot delete
    Mar 31 11:22:27.869: IPSec HA: Removing one interface using VIP 0.0.0.0
    Mar 31 11:22:27.869: IPSec HA: No database for VIP 0.0.0.0. Cannot delete
    Mar 31 11:22:27.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Mar 31 11:22:27.869: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
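
An added example, not part of the original thread: a small Python parser for the Phase 1 proposal checks in `debug crypto isakmp` output, which lists each transform the peer offered, the router's stated rejection reason, and the offer closest to the local policy. The sample log is constructed in the format quoted above, and `LOCAL_POLICY` restates `crypto isakmp policy 20` from the question in the debug output's vocabulary (an assumption of this example).

```python
import re

# Constructed sample in the format of the `debug crypto isakmp` lines on this page.
SAMPLE_DEBUG = """\
Mar 31 11:22:27.865: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
Mar 31 11:22:27.865: ISAKMP:      encryption AES-CBC
Mar 31 11:22:27.865: ISAKMP:      keylength of 256
Mar 31 11:22:27.865: ISAKMP:      hash SHA
Mar 31 11:22:27.865: ISAKMP:      default group 20
Mar 31 11:22:27.865: ISAKMP:      auth pre-share
Mar 31 11:22:27.865: ISAKMP:      life type in seconds
Mar 31 11:22:27.865: ISAKMP:(0):Encryption algorithm offered does not match policy!
Mar 31 11:22:27.865: ISAKMP:(0):atts are not acceptable. Next payload is 3
Mar 31 11:22:27.865: ISAKMP:(0):Checking ISAKMP transform 4 against priority 20 policy
Mar 31 11:22:27.865: ISAKMP:      encryption 3DES-CBC
Mar 31 11:22:27.865: ISAKMP:      hash SHA
Mar 31 11:22:27.865: ISAKMP:      default group 14
Mar 31 11:22:27.865: ISAKMP:      auth pre-share
Mar 31 11:22:27.869: ISAKMP:(0):Hash algorithm offered does not match policy!
Mar 31 11:22:27.869: ISAKMP:(0):atts are not acceptable. Next payload is 3
Mar 31 11:22:27.869: ISAKMP:(0):Checking ISAKMP transform 5 against priority 20 policy
Mar 31 11:22:27.869: ISAKMP:      encryption 3DES-CBC
Mar 31 11:22:27.869: ISAKMP:      hash SHA
Mar 31 11:22:27.869: ISAKMP:      default group 2
Mar 31 11:22:27.869: ISAKMP:      auth pre-share
Mar 31 11:22:27.869: ISAKMP:(0):Hash algorithm offered does not match policy!
Mar 31 11:22:27.869: ISAKMP:(0):atts are not acceptable. Next payload is 0
Mar 31 11:22:27.869: ISAKMP:(0):no offers accepted!
"""

# Assumption: "encr 3des / hash md5 / group 2 / authentication pre-share"
# written with the names the debug output uses.
LOCAL_POLICY = {"encryption": "3DES-CBC", "hash": "MD5", "group": "2", "auth": "pre-share"}

TS = r"^\.?\w{3}\s+\d+\s+[\d:.]+:\s*"  # timestamp, with the optional leading '.'
CHECK = re.compile(TS + r"ISAKMP:\(\d+\):Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(TS + r"ISAKMP:\s+(encryption|keylength of|hash|default group|auth)\s+(\S+)")
REJECT = re.compile(TS + r"ISAKMP:\(\d+\):(.+?) offered does not match policy!")
ACCEPT = re.compile(TS + r"ISAKMP:\(\d+\):atts are acceptable")
KEYS = {"encryption": "encryption", "keylength of": "keylength",
        "hash": "hash", "default group": "group", "auth": "auth"}


def parse_offers(debug_text):
    """Return one dict per 'Checking ISAKMP transform N against priority P' block."""
    offers, cur = [], None
    for line in debug_text.splitlines():
        m = CHECK.match(line)
        if m:
            cur = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                   "accepted": False, "reason": None}
            offers.append(cur)
        elif cur is not None:
            a, r = ATTR.match(line), REJECT.match(line)
            if a:
                cur[KEYS[a.group(1)]] = a.group(2)
            elif r:
                cur["reason"] = r.group(1)  # first attribute the router rejected
            elif ACCEPT.match(line):
                cur["accepted"] = True
    return offers


def policy_gaps(offer, policy):
    """Names of policy attributes whose value differs from the peer's offer."""
    return sorted(k for k, v in policy.items() if offer.get(k) != v)


def nearest_offers(offers, policy):
    """Offers needing the fewest policy changes, as (transform number, gaps)."""
    scored = [(policy_gaps(o, policy), o["transform"]) for o in offers]
    if not scored:
        return []
    best = min(len(gaps) for gaps, _ in scored)
    return [(num, gaps) for gaps, num in scored if len(gaps) == best]


if __name__ == "__main__":
    for o in parse_offers(SAMPLE_DEBUG):
        print(o["transform"], "accepted" if o["accepted"] else "rejected: %s" % o["reason"])
    print("closest to local policy:", nearest_offers(parse_offers(SAMPLE_DEBUG), LOCAL_POLICY))
```
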