L2TP/IPSec from Windows 7 to ASA 5520

I'm trying to set up L2TP/IPSec on our ASA 5520 to support an edge case for one of our developers. The Windows VPN subsystem apparently stores the Kerberos or NTLM cookie of the login when the built-in VPN subsystem is used, whereas the Cisco VPN client and the AnyConnect client do not.

When I try to connect to the VPN from Windows 7, the connection fails:

    %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
    %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
    %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
    %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
    %ASA-5-713119: Group = DefaultRAGroup, IP = 1.2.3.4, PHASE 1 COMPLETED
    %ASA-3-713122: IP = 1.2.3.4, Keep-alives configured on but peer does not support keep-alives (type = None)
    %ASA-5-713257: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)
    %ASA-5-713904: Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
    %ASA-3-713902: Group = DefaultRAGroup, IP = 1.2.3.4, QM FSM error (P2 struct &0x749f2490, mess id 0x1)!
    %ASA-3-713902: Group = DefaultRAGroup, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
    %ASA-5-713259: Group = DefaultRAGroup, IP = 1.2.3.4, Session is being torn down. Reason: Phase 2 Mismatch
    %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 1.2.3.4, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
    %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
    %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
    %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
    %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2

Specifically, I think this is the relevant error:

    Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)

Debugging from the crypto engine doesn't seem to help much either; here is isakmp at level 127 and ipsec at level 100:

    7|Apr 26 2012|02:10:38|713236|||||IP = 1.2.3.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
    7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Traversal VID ver RFC payload
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ISAKMP SA payload
    7|Apr 26 2012|02:10:30|715028|||||IP = 1.2.3.4, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing IKE SA payload
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received Fragmentation VID
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal ver 02 VID
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal RFC VID
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Oakley proposal is acceptable
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing SA payload
    7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
    4|Apr 26 2012|02:10:30|113019|||||Group = DefaultRAGroup, Username = , IP = 1.2.3.4, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
    5|Apr 26 2012|02:10:30|713259|||||Group = DefaultRAGroup, IP = 1.2.3.4, Session is being torn down. Reason: Phase 2 Mismatch
    7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=3a0d0c58) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing qm hash payload
    7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing IKE delete payload
    7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing blank hash payload
    7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending delete/delete with reason message
    7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE SA MM:c7159238 terminating: flags 0x01000002, refcnt 0, tuncnt 0
    7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE SA MM:c7159238 rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
    3|Apr 26 2012|02:10:30|713902|||||Group = DefaultRAGroup, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
    7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending delete/delete with reason message
    7|Apr 26 2012|02:10:30|715065|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE QM Responder FSM error history (struct &0x766c58e8) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    3|Apr 26 2012|02:10:30|713902|||||Group = DefaultRAGroup, IP = 1.2.3.4, QM FSM error (P2 struct &0x766c58e8, mess id 0x1)!
    7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=bf34e4e7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing qm hash payload
    7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing ipsec notify payload for msg id 1
    7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing blank hash payload
    7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending notify message
    5|Apr 26 2012|02:10:30|713904|||||Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
    7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing IPSec SA payload
    7|Apr 26 2012|02:10:30|713066|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: OUTSIDE_DYN_MAP
    7|Apr 26 2012|02:10:30|715059|||||Group = DefaultRAGroup, IP = 1.2.3.4, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
    7|Apr 26 2012|02:10:30|713224|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map Check by-passed: Crypto map entry incomplete!
    7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 65499...
    7|Apr 26 2012|02:10:30|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = vpnmap, seq = 20, ACL does not match proxy IDs src:1.2.3.4 dst:64.34.119.71
    7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 20...
    7|Apr 26 2012|02:10:30|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = vpnmap, seq = 10, ACL does not match proxy IDs src:1.2.3.4 dst:64.34.119.71
    7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 10...
    7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, QM IsRekeyed old sa not found by addr
    7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing NAT-Original-Address payload
    7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing NAT-Original-Address payload
    7|Apr 26 2012|02:10:30|720041|||||(VPN-Secondary) Sending Phase 1 Rcv Delete message (type RA, remote addr 1.2.3.4, my cookie C7159238, his cookie E973BA0F) to standby unit
    7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, L2TP/IPSec session detected.
    7|Apr 26 2012|02:10:30|713024|||||Group = DefaultRAGroup, IP = 1.2.3.4, Received local Proxy Host data in ID Payload: Address 64.34.119.71, Protocol 17, Port 1701
    7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
    7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
    7|Apr 26 2012|02:10:30|713025|||||Group = DefaultRAGroup, IP = 1.2.3.4, Received remote Proxy Host data in ID Payload: Address 10.65.3.237, Protocol 17, Port 1701
    7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
    7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
    7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing nonce payload
    7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing SA payload
    7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing hash payload
    7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
    7|Apr 26 2012|02:10:30|714003|||||IP = 1.2.3.4, IKE Responder starting QM: msg id = 00000001
    7|Apr 26 2012|02:10:30|720041|||||(VPN-Secondary) Sending New Phase 1 SA message (type RA, remote addr 1.2.3.4, my cookie C7159238, his cookie E973BA0F) to standby unit
    7|Apr 26 2012|02:10:30|715080|||||Group = DefaultRAGroup, IP = 1.2.3.4, Starting P1 rekey timer: 21600 seconds.
    3|Apr 26 2012|02:10:30|713122|||||IP = 1.2.3.4, Keep-alives configured on but peer does not support keep-alives (type = None)
    7|Apr 26 2012|02:10:30|713121|||||IP = 1.2.3.4, Keep-alive type for this connection: None
    5|Apr 26 2012|02:10:30|713119|||||Group = DefaultRAGroup, IP = 1.2.3.4, PHASE 1 COMPLETED
    7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
    7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing dpd vid payload
    7|Apr 26 2012|02:10:30|715076|||||Group = DefaultRAGroup, IP = 1.2.3.4, Computing hash for ISAKMP
    7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing hash payload
    7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing ID payload
    7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Connection landed on tunnel_group DefaultRAGroup
    6|Apr 26 2012|02:10:30|713172|||||Group = DefaultRAGroup, IP = 1.2.3.4, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
    7|Apr 26 2012|02:10:30|715076|||||Group = DefaultRAGroup, IP = 1.2.3.4, Computing hash for ISAKMP
    7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing hash payload
    7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
    7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
    7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
    7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
    7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, Generating keys for Responder...
    7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Connection landed on tunnel_group DefaultRAGroup
    7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Discovery payload
    7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Discovery payload
    7|Apr 26 2012|02:10:30|715048|||||IP = 1.2.3.4, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing VID payload
    7|Apr 26 2012|02:10:30|715038|||||IP = 1.2.3.4, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    7|Apr 26 2012|02:10:30|715048|||||IP = 1.2.3.4, Send IOS VID
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing xauth V6 VID payload
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Cisco Unity VID payload
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing nonce payload
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ke payload
    7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing NAT-Discovery payload
    7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing NAT-Discovery payload
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing nonce payload
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing ISA_KE payload
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing ke payload
    7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 260
    7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Traversal VID ver RFC payload
    7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ISAKMP SA payload
    7|Apr 26 2012|02:10:30|715028|||||IP = 1.2.3.4, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing IKE SA payload
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received Fragmentation VID
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal ver 02 VID
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal RFC VID
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
    7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Oakley proposal is acceptable
    7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing SA payload
    7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
    5|Apr 26 2012|02:10:21|111005|||||1.2.3.4 end configuration: OK
    7|Apr 26 2012|02:10:16|713906|||||IP = 1.2.3.4, sending delete/delete with reason message
    7|Apr 26 2012|02:10:16|713906|||||IP = 1.2.3.4, IKE SA MM:b1f927e6 terminating: flags 0x01000002, refcnt 0, tuncnt 0
    7|Apr 26 2012|02:10:16|715065|||||IP = 1.2.3.4, IKE MM Responder FSM error history (struct &0x76bd68f8) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
    5|Apr 26 2012|02:10:16|111010|||||User 'pgrace', running 'CLI' from IP 1.2.3.4, executed 'logging asdm debugging'

Here is my configuration:

    ny-asa01# sh run crypto
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec security-association lifetime seconds 86400
    crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
    crypto dynamic-map OUTSIDE_DYN_MAP 10 set security-association lifetime seconds 86400
    crypto dynamic-map OUTSIDE_DYN_MAP 10 set reverse-route
    crypto dynamic-map OUTSIDE_DYN_MAP 20 set ikev1 transform-set TRANS_ESP_3DES_MD5
    crypto dynamic-map OUTSIDE_DYN_MAP 20 set nat-t-disable
    crypto dynamic-map L2TP_MAP 10 set ikev1 transform-set TRANS_ESP_3DES_MD5
    crypto map vpnmap 10 match address A_to_B_vpn
    crypto map vpnmap 10 set pfs
    crypto map vpnmap 10 set peer 9.8.7.6
    crypto map vpnmap 10 set ikev1 transform-set ESP-3DES-SHA
    crypto map vpnmap 20 match address B_TO_C_vpn
    crypto map vpnmap 20 set pfs
    crypto map vpnmap 20 set peer 5.4.3.2
    crypto map vpnmap 20 set ikev1 transform-set ESP-3DES-SHA
    crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
    crypto map vpnmap interface outside
    crypto isakmp identity address
    crypto isakmp nat-traversal 300
    crypto ikev1 enable outside
    crypto ikev1 ipsec-over-tcp port 10000
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group DefaultRAGroup general-attributes
     address-pool stackvpn_pool
     authentication-server-group RADIUS_SERVER
     accounting-server-group RADIUS_SERVER
     default-group-policy stackvpn_l2tp
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
     no authentication chap
    group-policy stackvpn_l2tp internal
    group-policy stackvpn_l2tp attributes
     dns-server value 5.6.7.8 9.10.11.12
     vpn-tunnel-protocol l2tp-ipsec
     ipsec-udp enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_SPLIT_TUNNEL
     address-pools value stackvpn_pool

Obviously a Phase 2 mismatch is normally resolved by changing the proposal, but unfortunately Windows 7 doesn't seem to let you fiddle with the proposal settings. There is no way to explicitly turn on NAT-T in the Win7 configuration.

So my question is: is my configuration mangled? Does anyone have L2TP from Windows 7 working properly on an ASA running 8.4?
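To make the two signals in the question mechanical to check, here is an added example (not from the original post and not Cisco's own tooling): it parses the ASA 713257 mismatch messages into a phase/class/received/configured summary, and reads the dynamic-map entries out of the crypto config to report which sequence numbers could accept the UDP-Encapsulated-Transport SA the Windows client proposes, i.e. a transport-mode transform set with NAT-T still enabled. The sample log lines and config excerpt are constructed from the question's own output; the assumed ASA defaults are tunnel mode for a transform set with no `mode transport` line and NAT-T enabled unless `set nat-t-disable` is present.

```python
import re
from collections import Counter

# Constructed sample: mismatch lines taken from the syslog in the question.
SAMPLE_LOG = """\
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
%ASA-5-713119: Group = DefaultRAGroup, IP = 1.2.3.4, PHASE 1 COMPLETED
%ASA-5-713257: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)
"""

# Constructed excerpt of the asker's crypto config, one command per line.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 20 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map OUTSIDE_DYN_MAP 20 set nat-t-disable
"""

MISMATCH = re.compile(
    r"%ASA-\d-713257: Phase (?P<phase>[12]) failure: Mismatched attribute types "
    r"for class (?P<cls>.+?): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$")

def parse_mismatches(log):
    """Count 713257 lines as {(phase, class, received, configured): n}."""
    counts = Counter()
    for line in log.splitlines():
        m = MISMATCH.match(line.strip())
        if m:
            counts[(int(m['phase']), m['cls'], m['rcvd'], m['cfgd'])] += 1
    return counts

def parse_dynamic_map(config, map_name):
    """Per dynamic-map sequence: transform-set mode and whether NAT-T is on.

    Assumed defaults: a transform set is tunnel mode unless 'mode transport'
    is set, and NAT-T is enabled unless 'set nat-t-disable' is present.
    """
    modes = {}    # transform-set name -> 'tunnel' | 'transport'
    entries = {}  # sequence number -> {'mode': ..., 'nat_t': bool}
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ['crypto', 'ipsec', 'ikev1', 'transform-set']:
            modes.setdefault(t[4], 'tunnel')
            if t[5:7] == ['mode', 'transport']:
                modes[t[4]] = 'transport'
        elif len(t) >= 6 and t[:2] == ['crypto', 'dynamic-map'] and t[2] == map_name:
            e = entries.setdefault(int(t[3]), {'mode': None, 'nat_t': True})
            if t[4:7] == ['set', 'ikev1', 'transform-set']:
                e['mode'] = modes.get(t[7], 'tunnel')
            elif t[4:6] == ['set', 'nat-t-disable']:
                e['nat_t'] = False
    return entries

def entries_accepting_udp_transport(entries):
    """L2TP/IPsec from a peer behind NAT needs transport mode with NAT-T on."""
    return sorted(seq for seq, e in entries.items()
                  if e['mode'] == 'transport' and e['nat_t'])
```

Run against the constructed excerpt, no OUTSIDE_DYN_MAP entry qualifies: seq 10 is tunnel mode, and seq 20 is transport mode but has NAT-T disabled, which is the combination the "Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)" line describes.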

One solution collected from the web for “L2TP/IPSec from Windows 7 to ASA 5520”

    I have IPSEC working in “lan-to-lan” mode between Windows 7 and ASA 8.3(2)13 (FIPS-certified).

    I'm fairly sure you're right about that error – if it can't negotiate an SA, you get dropped.

    I would try getting rid of “NAT traversal”. Of course, you may be trying to go through NAT, in which case it may be required. But that really does look like the cause of your problem.

    I think your other option is to figure out how to get Windows 7 to do the NAT-traversal SA type. You could try using netsh advfirewall consec on Windows.

    Here is a reference I have bookmarked: http://technet.microsoft.com/en-us/library/dd736198(v=ws.10).aspx

    One note – the Windows documentation talks about the importance of rekeying the connection periodically. However, if you rekey too frequently, the ASA dumps and drops the connection. Make sure you don't rekey every two minutes. Use the number of bytes MS recommends for rekeying, so that it comes in under the 2 minutes.

    When we opened a support case, M$ really couldn't give any real reason for the recommendation. They did send us a big bill, though.
