I have a Cisco 867VAE acting as an EzVPN NEM client that cannot connect to an ASA 5505 server. The server ASA keeps logging these messages:
4 Nov 01 2017 23:16:45 713903 Group = eznemgroup1, IP = 10.200.38.205, Information Exchange processing failed
5 Nov 01 2017 23:16:45 713904 Group = eznemgroup1, IP = 10.200.38.205, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
The IOS client keeps logging:
*Nov 1 23:19:23.395: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=eznemgroup1 Client_public_addr=10.200.38.205 Server_public_addr=10.200.38.167
I have verified that the username, password and group match exactly on the client and the server.
Server ASA configuration:
hostname server
domain-name demo.company.local
enable password *** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd *** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.210.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.200.38.167 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name demo.company.local
object network inside-net
 subnet 192.168.210.0 255.255.255.0
object network remote-net
 subnet 192.168.220.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list ezvpn-demo-group-networks standard permit 192.168.210.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static inside-net inside-net destination static remote-net remote-net no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.200.38.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_map0_dynamic 5 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map0 60 ipsec-isakmp dynamic outside_map0_dynamic
crypto map outside_map0 interface outside
crypto ca trustpool policy
crypto isakmp identity hostname
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 60
ssh stricthostkeycheck
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd lease 86400
dhcpd ping_timeout 2000
dhcpd domain demo.pharmacy.company.local
!
dhcpd address 192.168.210.100-192.168.210.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy ezvpn-demo-group internal
group-policy ezvpn-demo-group attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn-demo-group-networks
 nem enable
username eznemuser1 password g5QR2tIDHRQx.3ti encrypted
tunnel-group ezvpn-demo-tunnelgroup type remote-access
tunnel-group ezvpn-demo-tunnelgroup general-attributes
 default-group-policy ezvpn-demo-group
tunnel-group ezvpn-demo-tunnelgroup ipsec-attributes
 ikev1 pre-shared-key ezvpn-demo-tunnelgrouppass
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Client IOS configuration:
!
! Last configuration change at 17:17:37 GMT Wed Nov 1 2017 by
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname demo-router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
wan mode ethernet
clock timezone GMT -6 0
!
!
!
!
!
ip dhcp excluded-address 192.168.220.0 192.168.220.99
ip dhcp excluded-address 192.168.220.132 192.168.220.255
!
ip dhcp pool inside-pool
 network 192.168.220.0 255.255.255.0
 default-router 192.168.220.1
 domain-name demo.fac.company.local
!
!
!
ip domain name demo.fac.company.local
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2820013949
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2820013949
 revocation-check none
 rsakeypair TP-self-signed-2820013949
!
!
crypto pki certificate chain TP-self-signed-2820013949
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32383230 30313339 3439301E 170D3137 30383133 31393434
  32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38323030
  31333934 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009AA7 75A9F518 9CB7FADA 9CA6F337 0E2F824E 9D6C85DB 8728D5B7 7898B175
  12596F7E 97D7D6DE A74CE16C 2BDC5412 CC22F868 32799501 E8665C14 50483DD6
  C373E5DE E5813F8F 971C2C83 DD0D23DA 51765EBD 667F3187 50C04C73 238642A7
  27AFD3B0 0D58A242 60CC316D 6083C289 5A3E08E0 822342D7 AB76D337 DB8B5A63
  41CF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1446E88F 2FE90577 93380B44 B79D10B4 40093F15 38301D06
  03551D0E 04160414 46E88F2F E9057793 380B44B7 9D10B440 093F1538 300D0609
  2A864886 F70D0101 05050003 8181007D 1A4A45FA 57354593 67FA4EBC D90685E5
  306FB3E2 462E2B10 03769923 A50DD574 B2A68AC1 8B5537B7 02C23E65 E31C7A05
  2A72D0F7 D9A86B99 6993623B 239EEE76 441749B7 502EC2B4 2CDD68CF 4745D575
  A9569123 DEC09ACA EF674889 3182E6BA 41B2B1DD 3B9C51A8 42DFB2E7 799C7371
  F542F5E8 3D858294 517C59BA BC9BBA
  	quit
!
!
object-group network inside-net
 192.168.220.0 255.255.255.128
!
object-group network net-company
 192.168.210.0 255.255.255.0
!
username cisco privilege 15 secret 5 ***
!
!
controller VDSL 0
 shutdown
no cdp run
!
ip ssh time-out 60
ip ssh version 2
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
!
!
!
!
crypto ipsec client ezvpn ezvpn-demo-tunnelgroup
 connect auto
 group ezvpn-demo-tunnelgroup key ezvpn-demo-tunnelgrouppass
 mode network-extension
 peer 10.200.38.167
 username eznemuser1 password eznemuser1pass
 xauth userid mode local
!
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 description PrimaryWANDesc_
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn ezvpn-demo-tunnelgroup
!
interface Vlan1
 description $ETH_LAN$
 ip address 192.168.220.1 255.255.255.128
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn ezvpn-demo-tunnelgroup inside
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list nat-list interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1
!
ip access-list extended customer-in
 remark Only allow access to Company
 permit ip object-group inside-net object-group net-company
 deny   ip any any
ip access-list extended nat-list
 deny   ip object-group inside-net object-group net-company
 deny   ip object-group net-company object-group inside-net
 permit ip object-group inside-net any
 deny   ip any any
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 60000 1000
!
end
Client debug ipsec isakmp output:
*Nov 1 23:17:52.851: ISAKMP:(0): SA request profile is (NULL)
*Nov 1 23:17:52.851: ISAKMP: Created a peer struct for 10.200.38.167, peer port 500
*Nov 1 23:17:52.851: ISAKMP: New peer created peer = 0x8A531CE0 peer_handle = 0x80000897
*Nov 1 23:17:52.851: ISAKMP: Locking peer struct 0x8A531CE0, refcount 1 for isakmp_initiator
*Nov 1 23:17:52.851: ISAKMP:(0):Setting client config settings 8B363960
*Nov 1 23:17:52.851: ISAKMP: local port 500, remote port 500
*Nov 1 23:17:52.851: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8A530C20
*Nov 1 23:17:52.851: ISAKMP:(0): client mode configured.
*Nov 1 23:17:52.851: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Nov 1 23:17:52.851: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Nov 1 23:17:52.851: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Nov 1 23:17:52.851: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Nov 1 23:17:52.883: ISKAMP: growing send buffer from 1024 to 3072
*Nov 1 23:17:52.883: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Nov 1 23:17:52.883: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : eznemgroup1
        protocol     : 17
        port         : 0
        length       : 19
*Nov 1 23:17:52.883: ISAKMP:(0):Total payload length: 19term
*Nov 1 23:17:52.883: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Nov 1 23:17:52.883: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
*Nov 1 23:17:52.883: ISAKMP:(0): beginning Aggressive Mode exchange
*Nov 1 23:17:52.883: ISAKMP:(0): sending packet to 10.200.38.167 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Nov 1 23:17:52.883: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 1 23:17:52.883: ISAKMP:(0):purging SA., sa=89D10610, delme=89D10610
*Nov 1 23:17:53.987: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Nov 1 23:17:53.987: ISAKMP:(0): processing SA payload. message ID = 0
*Nov 1 23:17:53.987: ISAKMP:(0): processing ID payload. message ID = 0
*Nov 1 23:17:53.987: ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        FQDN name    : server.demo.company.local
        protocol     : 0
        port         : 0
        length       : 39
*Nov 1 23:17:53.987: ISAKMP:(0):: peer matches *none* of the profiles
*Nov 1 23:17:53.987: ISAKMP:(0): processing vendor id payload
*Nov 1 23:17:53.987: ISAKMP:(0): vendor ID is Unity
*Nov 1 23:17:53.987: ISAKMP:(0): processing vendor id payload
*Nov 1 23:17:53.987: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Nov 1 23:17:53.987: ISAKMP:(0): vendor ID is XAUTH
*Nov 1 23:17:53.987: ISAKMP:(0): processing vendor id payload
*Nov 1 23:17:53.987: ISAKMP:(0): vendor ID is DPD
*Nov 1 23:17:53.987: ISAKMP:(0):Looking for a matching key for server.demo.company.local in default
*Nov 1 23:17:53.987: ISAKMP: no pre-shared key based on hostname server.demo.company.local!
*Nov 1 23:17:53.991: ISAKMP : Scanning profiles for xauth ...
*Nov 1 23:17:53.991: ISAKMP:(0): Authentication by xauth preshared
*Nov 1 23:17:53.991: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65515 policy
*Nov 1 23:17:53.991: ISAKMP: encryption AES-CBC
*Nov 1 23:17:53.991: ISAKMP: keylength of 256
*Nov 1 23:17:53.991: ISAKMP: hash SHA
*Nov 1 23:17:53.991: ISAKMP: default group 2
*Nov 1 23:17:53.991: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:53.991: ISAKMP: life type in seconds
*Nov 1 23:17:53.991: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:53.991: ISAKMP:(0):Proposed key length does not match policy
*Nov 1 23:17:53.991: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65516 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65517 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Proposed key length does not match policy
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65518 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65519 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65520 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65521 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Proposed key length does not match policy
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65522 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHAno mon
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65523 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Proposed key length does not match policy
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65524 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65525 policy
*Nov 1 23:17:54.023: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.023: ISAKMP: keylength of 256
*Nov 1 23:17:54.023: ISAKMP: hash SHA
*Nov 1 23:17:54.023: ISAKMP: default group 2
*Nov 1 23:17:54.023: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65526 policy
*Nov 1 23:17:54.023: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.023: ISAKMP: keylength of 256
*Nov 1 23:17:54.023: ISAKMP: hash SHA
*Nov 1 23:17:54.023: ISAKMP: default group 2
*Nov 1 23:17:54.023: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65527 policy
*Nov 1 23:17:54.023: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.023: ISAKMP: keylength of 256
*Nov 1 23:17:54.023: ISAKMP: hash SHA
*Nov 1 23:17:54.023: ISAKMP: default group 2
*Nov 1 23:17:54.023: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65532 policy
*Nov 1 23:17:54.023: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.023: ISAKMP: keylength of 256
*Nov 1 23:17:54.023: ISAKMP: hash SHA
*Nov 1 23:17:54.023: ISAKMP: default group 2
*Nov 1 23:17:54.023: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65533 policy
*Nov 1 23:17:54.023: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.023: ISAKMP: keylength of 256
*Nov 1 23:17:54.023: ISAKMP: hash SHA
*Nov 1 23:17:54.023: ISAKMP: default group 2
*Nov 1 23:17:54.023: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65534 policy
*Nov 1 23:17:54.023: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.023: ISAKMP: keylength of 256
*Nov 1 23:17:54.023: ISAKMP: hash SHA
*Nov 1 23:17:54.023: ISAKMP: default group 2
*Nov 1 23:17:54.023: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):no offers accepted!
*Nov 1 23:17:54.027: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.200.38.205 remote 10.200.38.167)
*Nov 1 23:17:54.027: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Nov 1 23:17:54.027: ISAKMP:(0): Failed to construct AG informational message.
*Nov 1 23:17:54.027: ISAKMP:(0): sending packet to 10.200.38.167 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Nov 1 23:17:54.027: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 1 23:17:54.027: ISAKMP:(0):peer does not do paranoid keepalives.
*Nov 1 23:17:54.027: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) AG_INIT_EXCH (peer 10.200.38.167)
*Nov 1 23:17:54.027: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 1 23:17:55.547: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_I_AM1
*Nov 1 23:17:55.547: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Nov 1 23:17:55.547: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_I_AM1
*Nov 1 23:17:55.571: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.571: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.575: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.575: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) AG_INIT_EXCH (peer 10.200.38.167)
*Nov 1 23:17:55.575: ISAKMP: Unlocking peer struct 0x8A531CE0 for isadb_mark_sa_deleted(), count 0
*Nov 1 23:17:55.575: ISAKMP: Deleting peer node by peer_reap for 10.200.38.167: 8A531CE0
*Nov 1 23:17:55.579: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Nov 1 23:17:55.579: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_DEST_SA
*Nov 1 23:17:55.579: ISAKMP:(0):purging SA., sa=8B305C90, delme=8B305C90
*Nov 1 23:17:55.579: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.583: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.583: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.587: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.587: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=eznemgroup1 Client_public_addr=10.200.38.205 Server_public_addr=10.200.38.167
*Nov 1 23:17:57.103: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:57.127: del_node src 10.200.38.205:500 dst 10.200.38.167:500 fvrf 0x0, ivrf 0x0
The salient lines in the debug output are:
*Nov 1 23:17:53.987: ISAKMP:(0):Looking for a matching key for server.demo.company.local in default
*Nov 1 23:17:53.987: ISAKMP: no pre-shared key based on hostname server.demo.company.local!
This shows that the server ASA is trying to identify itself as server.demo.company.local. You can either update the client configuration to use the hostname, or update the server so that it identifies itself by IP address.
To have the ASA identify itself by IP, use crypto isakmp identity address:
server# conf t
server(config)# crypto isakmp identity address
server(config)# end
server#
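The diagnosis above comes from reading two lines out of several hundred lines of debug output. As an added example (not part of the original question or answer, and not a Cisco tool), the following Python script automates that triage for IOS "debug crypto isakmp" output: it pulls out the ID payload the peer sent (ID type 2 is FQDN, as in the debug above), notes whether the client then failed to find a pre-shared key for that hostname, and tallies the reason each local ISAKMP policy gave for rejecting the peer's transform. The SAMPLE_DEBUG text is a constructed, abridged copy of the debug output in the question (most policy checks are omitted); the field names and ID type numbers follow the IOS output format shown above and RFC 2407, and the findings wording is this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: abridged copy of the "debug crypto isakmp" output in the question
# (values copied from it; most of the policy checks left out to keep it short).
SAMPLE_DEBUG = """\
*Nov 1 23:17:52.883: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Nov 1 23:17:53.987: ISAKMP:(0): processing ID payload. message ID = 0
*Nov 1 23:17:53.987: ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        FQDN name    : server.demo.company.local
        protocol     : 0
        port         : 0
        length       : 39
*Nov 1 23:17:53.987: ISAKMP:(0):Looking for a matching key for server.demo.company.local in default
*Nov 1 23:17:53.987: ISAKMP: no pre-shared key based on hostname server.demo.company.local!
*Nov 1 23:17:53.991: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65515 policy
*Nov 1 23:17:53.991: ISAKMP: encryption AES-CBC
*Nov 1 23:17:53.991: ISAKMP: keylength of 256
*Nov 1 23:17:53.991: ISAKMP:(0):Proposed key length does not match policy
*Nov 1 23:17:53.991: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65516 policy
*Nov 1 23:17:54.019: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65534 policy
*Nov 1 23:17:54.023: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):no offers accepted!
*Nov 1 23:17:54.027: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.200.38.205 remote 10.200.38.167)
"""

# ISAKMP Identification payload ID types (RFC 2407, section 4.6.2.1).
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}

LOG_LINE_RE = re.compile(r"^\*\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+: (.*)$")
ID_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?)\s*:\s*(\S+)\s*$")
NO_PSK_RE = re.compile(r"no pre-shared key based on hostname (\S+)!")
CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
# Captures the attribute name from e.g. "Hash algorithm offered does not match policy!"
REJECT_RE = re.compile(r"ISAKMP:\(\d+\):(.+?)(?: offered(?: but)?)? does not match policy")


@dataclass
class IsakmpTriage:
    peer_id: Optional[dict] = None          # ID payload received from the peer
    missing_psk_for: Optional[str] = None   # hostname the client found no key for
    policy_checks: list = field(default_factory=list)  # one dict per local policy tried
    no_offers_accepted: bool = False
    phase1_failed: bool = False

    def rejection_counts(self) -> Counter:
        return Counter(c["reason"] for c in self.policy_checks if c["reason"])

    def findings(self) -> list:
        out = []
        if self.peer_id and self.peer_id.get("type") == 2 and self.missing_psk_for:
            out.append(f"peer identifies itself by FQDN {self.missing_psk_for} but the client "
                       "has no pre-shared key keyed on that hostname; make both sides use the "
                       "same identity type (e.g. 'crypto isakmp identity address' on the peer)")
        elif self.missing_psk_for:
            out.append(f"no pre-shared key found for peer identity {self.missing_psk_for}")
        for reason, n in self.rejection_counts().most_common():
            out.append(f"{n} local ISAKMP policy(ies) rejected the peer's transform: {reason}")
        if self.no_offers_accepted or self.phase1_failed:
            out.append("phase 1 failed: no local ISAKMP policy accepted the peer's proposal")
        return out


def triage(debug_text: str) -> IsakmpTriage:
    result = IsakmpTriage()
    current_id: Optional[dict] = None      # ID payload whose indented fields follow
    current_check: Optional[dict] = None   # policy check currently being evaluated
    expecting_received_id = False          # "processing ID payload" precedes the peer's ID dump
    for raw in debug_text.splitlines():
        m = LOG_LINE_RE.match(raw)
        if m is None:
            # Not a timestamped line: an indented field of the ID payload dump.
            f = ID_FIELD_RE.match(raw) if current_id is not None else None
            if f:
                name, value = f.group(1).strip(), f.group(2)
                if name == "type":
                    current_id["type"] = int(value)
                    current_id["type_name"] = ID_TYPES.get(int(value), f"type-{value}")
                elif name not in ("next-payload", "protocol", "port", "length"):
                    current_id["value"] = value   # e.g. "FQDN name" or "group id"
            continue
        msg = m.group(1)
        current_id = None
        if "processing ID payload" in msg:
            expecting_received_id = True
        elif msg.endswith("ID payload"):
            current_id = {"received": expecting_received_id}
            expecting_received_id = False
            if current_id["received"]:
                result.peer_id = current_id
        elif (p := NO_PSK_RE.search(msg)):
            result.missing_psk_for = p.group(1)
        elif (c := CHECK_RE.search(msg)):
            current_check = {"transform": int(c.group(1)), "priority": int(c.group(2)), "reason": None}
            result.policy_checks.append(current_check)
        elif (r := REJECT_RE.search(msg)) and current_check is not None:
            current_check["reason"] = r.group(1)
        elif "no offers accepted" in msg:
            result.no_offers_accepted = True
        elif "phase 1 SA policy not acceptable" in msg:
            result.phase1_failed = True
    return result


if __name__ == "__main__":
    for line in triage(SAMPLE_DEBUG).findings():
        print("-", line)
```

Feed it the full debug capture (for example `triage(open("isakmp.log").read())`) rather than the abridged sample to see every one of the default EzVPN policies (priorities 65515 through 65534) and the reason each rejected the ASA's transform; the identity finding is reported first because, as the answer notes, it is the one that explains why the key lookup never succeeded.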