
windows-7 – L2TP/IPSec from Windows 7 to ASA 5520

Published: 2021-01-24 14:31:35 | Category: Windows | Source: compiled from the web

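I'm trying to set up L2TP/IPSec on an ASA5520 to support an edge case for one of our developers. When you use the built-in VPN subsystem, the Windows VPN subsystem apparently stores a Kerberos or NTLM cookie for logging in, and the Cisco VPN client and the AnyConnect client don't do this.

When I try to connect to the VPN from Windows 7, the connection fails: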

%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713119: Group = DefaultRAGroup,IP = 1.2.3.4,PHASE 1 COMPLETED
%ASA-3-713122: IP = 1.2.3.4,Keep-alives configured on but peer does not support keep-alives (type = None)
%ASA-5-713257: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)
%ASA-5-713904: Group = DefaultRAGroup,All IPSec SA proposals found unacceptable!
%ASA-3-713902: Group = DefaultRAGroup,QM FSM error (P2 struct &0x749f2490,mess id 0x1)!
%ASA-3-713902: Group = DefaultRAGroup,Removing peer from correlator table failed,no match!
%ASA-5-713259: Group = DefaultRAGroup,Session is being torn down. Reason: Phase 2 Mismatch
%ASA-4-113019: Group = DefaultRAGroup,Username =,Session disconnected. Session Type: IKEv1,Duration: 0h:00m:00s,Bytes xmt: 0,Bytes rcv: 0,Reason: Phase 2 Mismatch
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

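Specifically, I think this error is the relevant one: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)

The debug output from the crypto driver doesn't seem to be much help; here it is with isakmp at level 127 and ipsec at level 100: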

7|Apr 26 2012|02:10:38|713236|||||IP = 1.2.3.4,IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4,IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4,constructing Fragmentation VID + extended capabilities payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4,constructing NAT-Traversal VID ver RFC payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4,constructing ISAKMP SA payload
7|Apr 26 2012|02:10:30|715028|||||IP = 1.2.3.4,IKE SA Proposal # 1,Transform # 5 acceptable  Matches global IKE entry # 1
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4,processing IKE SA payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4,processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4,processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4,Received Fragmentation VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4,Received NAT-Traversal ver 02 VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4,Received NAT-Traversal RFC VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4,processing VID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4,Oakley proposal is acceptable
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4,processing SA payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4,IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
4|Apr 26 2012|02:10:30|113019|||||Group = DefaultRAGroup,Reason: Phase 2 Mismatch
5|Apr 26 2012|02:10:30|713259|||||Group = DefaultRAGroup,Session is being torn down. Reason: Phase 2 Mismatch
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4,IKE_DECODE SENDING Message (msgid=3a0d0c58) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup,constructing qm hash payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup,constructing IKE delete payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup,constructing blank hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup,sending delete/delete with reason message
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup,IKE SA MM:c7159238 terminating:  flags 0x01000002,refcnt 0,tuncnt 0
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup,IKE SA MM:c7159238 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042,refcnt 1,tuncnt 0
3|Apr 26 2012|02:10:30|713902|||||Group = DefaultRAGroup,no match!
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup,sending delete/delete with reason message
7|Apr 26 2012|02:10:30|715065|||||Group = DefaultRAGroup,IKE QM Responder FSM error history (struct &0x766c58e8),:  QM_DONE,EV_ERROR-->QM_BLD_MSG2,EV_NEGO_SA-->QM_BLD_MSG2,EV_IS_REKEY-->QM_BLD_MSG2,EV_CONFIRM_SA-->QM_BLD_MSG2,EV_PROC_MSG-->QM_BLD_MSG2,EV_HASH_OK-->QM_BLD_MSG2,NullEvent-->QM_BLD_MSG2,EV_COMP_HASH
3|Apr 26 2012|02:10:30|713902|||||Group = DefaultRAGroup,QM FSM error (P2 struct &0x766c58e8,mess id 0x1)!
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4,IKE_DECODE SENDING Message (msgid=bf34e4e7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup,constructing qm hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup,constructing ipsec notify payload for msg id 1
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup,sending notify message
5|Apr 26 2012|02:10:30|713904|||||Group = DefaultRAGroup,All IPSec SA proposals found unacceptable!
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup,processing IPSec SA payload
7|Apr 26 2012|02:10:30|713066|||||Group = DefaultRAGroup,IKE Remote Peer configured for crypto map: OUTSIDE_DYN_MAP
7|Apr 26 2012|02:10:30|715059|||||Group = DefaultRAGroup,Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Apr 26 2012|02:10:30|713224|||||Group = DefaultRAGroup,Static Crypto Map Check by-passed: Crypto map entry incomplete!
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup,Static Crypto Map check,checking map = vpnmap,seq = 65499...
7|Apr 26 2012|02:10:30|713222|||||Group = DefaultRAGroup,map = vpnmap,seq = 20,ACL does not match proxy IDs src:1.2.3.4 dst:64.34.119.71
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup,seq = 20...
7|Apr 26 2012|02:10:30|713222|||||Group = DefaultRAGroup,seq = 10,seq = 10...
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup,QM IsRekeyed old sa not found by addr
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup,processing NAT-Original-Address payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup,processing NAT-Original-Address payload
7|Apr 26 2012|02:10:30|720041|||||(VPN-Secondary) Sending Phase 1 Rcv Delete message (type RA,remote addr 1.2.3.4,my cookie C7159238,his cookie E973BA0F) to standby unit
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup,L2TP/IPSec session detected.
7|Apr 26 2012|02:10:30|713024|||||Group = DefaultRAGroup,Received local Proxy Host data in ID Payload:  Address 64.34.119.71,Protocol 17,Port 1701
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup,ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup,processing ID payload
7|Apr 26 2012|02:10:30|713025|||||Group = DefaultRAGroup,Received remote Proxy Host data in ID Payload:  Address 10.65.3.237,processing ID payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup,processing nonce payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup,processing SA payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup,processing hash payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4,IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
7|Apr 26 2012|02:10:30|714003|||||IP = 1.2.3.4,IKE Responder starting QM: msg id = 00000001
7|Apr 26 2012|02:10:30|720041|||||(VPN-Secondary) Sending New Phase 1 SA message (type RA,his cookie E973BA0F) to standby unit
7|Apr 26 2012|02:10:30|715080|||||Group = DefaultRAGroup,Starting P1 rekey timer: 21600 seconds.
3|Apr 26 2012|02:10:30|713122|||||IP = 1.2.3.4,Keep-alives configured on but peer does not support keep-alives (type = None)
7|Apr 26 2012|02:10:30|713121|||||IP = 1.2.3.4,Keep-alive type for this connection: None
5|Apr 26 2012|02:10:30|713119|||||Group = DefaultRAGroup,PHASE 1 COMPLETED
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4,IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup,constructing dpd vid payload
7|Apr 26 2012|02:10:30|715076|||||Group = DefaultRAGroup,Computing hash for ISAKMP
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup,constructing hash payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup,constructing ID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4,Connection landed on tunnel_group DefaultRAGroup
6|Apr 26 2012|02:10:30|713172|||||Group = DefaultRAGroup,Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
7|Apr 26 2012|02:10:30|715076|||||Group = DefaultRAGroup,Computing hash for ISAKMP
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup,processing hash payload
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup,processing ID payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4,IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4,IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup,Generating keys for Responder...
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4,Connection landed on tunnel_group DefaultRAGroup
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4,computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4,constructing NAT-Discovery payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4,constructing NAT-Discovery payload
7|Apr 26 2012|02:10:30|715048|||||IP = 1.2.3.4,Send Altiga/Cisco VPN3000/Cisco ASA GW VID
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4,constructing VID payload
7|Apr 26 2012|02:10:30|715038|||||IP = 1.2.3.4,Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0,capabilities: 20000001)
7|Apr 26 2012|02:10:30|715048|||||IP = 1.2.3.4,Send IOS VID
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4,constructing xauth V6 VID payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4,constructing Cisco Unity VID payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4,constructing nonce payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4,constructing ke payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4,computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4,processing NAT-Discovery payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4,processing NAT-Discovery payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4,processing nonce payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4,processing ISA_KE payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4,processing ke payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4,IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 260
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4,IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
5|Apr 26 2012|02:10:21|111005|||||1.2.3.4 end configuration: OK
7|Apr 26 2012|02:10:16|713906|||||IP = 1.2.3.4,sending delete/delete with reason message
7|Apr 26 2012|02:10:16|713906|||||IP = 1.2.3.4,IKE SA MM:b1f927e6 terminating:  flags 0x01000002,tuncnt 0
7|Apr 26 2012|02:10:16|715065|||||IP = 1.2.3.4,IKE MM Responder FSM error history (struct &0x76bd68f8),:  MM_DONE,EV_ERROR-->MM_WAIT_MSG3,EV_TIMEOUT-->MM_WAIT_MSG3,NullEvent-->MM_SND_MSG2,EV_SND_MSG-->MM_SND_MSG2,EV_START_TMR-->MM_SND_MSG2,EV_RESEND_MSG-->MM_WAIT_MSG3,NullEvent
5|Apr 26 2012|02:10:16|111010|||||User 'pgrace',running 'CLI' from IP 1.2.3.4,executed 'logging asdm debugging'
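
An added example, not part of the original post: a small Python parser for the %ASA-5-713257 messages in the syslog excerpt above. It tallies each Phase 1 / Phase 2 attribute mismatch and returns the ones belonging to the phase named in the 713259 teardown reason. The sample lines are copied from the post's excerpt; the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the syslog excerpt in the post above.
SAMPLE = """\
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713119: Group = DefaultRAGroup,IP = 1.2.3.4,PHASE 1 COMPLETED
%ASA-5-713257: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)
%ASA-5-713904: Group = DefaultRAGroup,All IPSec SA proposals found unacceptable!
%ASA-5-713259: Group = DefaultRAGroup,Session is being torn down. Reason: Phase 2 Mismatch
"""

# 713257 carries the phase, the attribute class, and the received/configured values.
MISMATCH = re.compile(
    r"%ASA-\d-713257: Phase (?P<phase>[12]) failure:\s+Mismatched attribute types "
    r"for class (?P<cls>.+?):\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+)$"
)
P1_DONE = re.compile(r"%ASA-\d-713119: .*PHASE 1 COMPLETED")
TEARDOWN = re.compile(r"%ASA-\d-713259: .*Reason: (?P<reason>.+)$")

def summarize(text):
    """Return (mismatch counts, phase-1-completed flag, teardown reasons)."""
    mismatches = Counter()
    p1_completed = False
    reasons = []
    for line in text.splitlines():
        line = line.strip()
        m = MISMATCH.search(line)
        if m:
            mismatches[(int(m["phase"]), m["cls"], m["rcvd"], m["cfgd"])] += 1
        elif P1_DONE.search(line):
            p1_completed = True  # Phase 1 mismatches seen before this were not fatal
        else:
            t = TEARDOWN.search(line)
            if t:
                reasons.append(t["reason"])
    return mismatches, p1_completed, reasons

def fatal_mismatches(text):
    """Mismatches in the phase that the teardown reason names."""
    mismatches, _, reasons = summarize(text)
    phases = {int(r.split()[1]) for r in reasons if re.match(r"Phase [12] Mismatch", r)}
    return [k for k in mismatches if k[0] in phases]

if __name__ == "__main__":
    print(summarize(SAMPLE), fatal_mismatches(SAMPLE))
```

On the sample, the Phase 1 mismatches are followed by PHASE 1 COMPLETED, while the Encapsulation Mode mismatch is the one tied to the "Phase 2 Mismatch" teardown.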
