I have a Cisco 867VAE connecting as an EzVPN NEM client to an ASA 5505 server, and it will not connect. The ASA server logs these messages repeatedly:
4 Nov 01 2017 23:16:45 713903 Group = eznemgroup1, IP = 10.200.38.205, Information Exchange processing failed
5 Nov 01 2017 23:16:45 713904 Group = eznemgroup1, IP = 10.200.38.205, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
The IOS client keeps logging:
*Nov 1 23:19:23.395: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=eznemgroup1 Client_public_addr=10.200.38.205 Server_public_addr=10.200.38.167
I have verified that the usernames, passwords and group names on the client and the server match exactly.
ASA server configuration:
hostname server
domain-name demo.company.local
enable password *** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd *** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.210.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.200.38.167 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name demo.company.local
object network inside-net
subnet 192.168.210.0 255.255.255.0
object network remote-net
subnet 192.168.220.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list ezvpn-demo-group-networks standard permit 192.168.210.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static inside-net inside-net destination static remote-net remote-net no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.200.38.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_map0_dynamic 5 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map0 60 ipsec-isakmp dynamic outside_map0_dynamic
crypto map outside_map0 interface outside
crypto ca trustpool policy
crypto isakmp identity hostname
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 60
ssh stricthostkeycheck
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd lease 86400
dhcpd ping_timeout 2000
dhcpd domain demo.pharmacy.company.local
!
dhcpd address 192.168.210.100-192.168.210.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy ezvpn-demo-group internal
group-policy ezvpn-demo-group attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn-demo-group-networks
nem enable
username eznemuser1 password g5QR2tIDHRQx.3ti encrypted
tunnel-group ezvpn-demo-tunnelgroup type remote-access
tunnel-group ezvpn-demo-tunnelgroup general-attributes
default-group-policy ezvpn-demo-group
tunnel-group ezvpn-demo-tunnelgroup ipsec-attributes
ikev1 pre-shared-key ezvpn-demo-tunnelgrouppass
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
IOS client configuration:
!
! Last configuration change at 17:17:37 GMT Wed Nov 1 2017 by
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname demo-router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
wan mode ethernet
clock timezone GMT -6 0
!
!
!
!
!
ip dhcp excluded-address 192.168.220.0 192.168.220.99
ip dhcp excluded-address 192.168.220.132 192.168.220.255
!
ip dhcp pool inside-pool
network 192.168.220.0 255.255.255.0
default-router 192.168.220.1
domain-name demo.fac.company.local
!
!
!
ip domain name demo.fac.company.local
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2820013949
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2820013949
revocation-check none
rsakeypair TP-self-signed-2820013949
!
!
crypto pki certificate chain TP-self-signed-2820013949
certificate self-signed 01
quit
!
!
object-group network inside-net
192.168.220.0 255.255.255.128
!
object-group network net-company
192.168.210.0 255.255.255.0
!
username cisco privilege 15 secret 5 ***
!
!
controller VDSL 0
shutdown
no cdp run
!
ip ssh time-out 60
ip ssh version 2
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
!
!
!
!
crypto ipsec client ezvpn ezvpn-demo-tunnelgroup
connect auto
group ezvpn-demo-tunnelgroup key ezvpn-demo-tunnelgrouppass
mode network-extension
peer 10.200.38.167
username eznemuser1 password eznemuser1pass
xauth userid mode local
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
description PrimaryWANDesc_
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto ipsec client ezvpn ezvpn-demo-tunnelgroup
!
interface Vlan1
description $ETH_LAN$
ip address 192.168.220.1 255.255.255.128
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ezvpn-demo-tunnelgroup inside
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list nat-list interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1
!
ip access-list extended customer-in
remark Only allow access to Company
permit ip object-group inside-net object-group net-company
deny ip any any
ip access-list extended nat-list
deny ip object-group inside-net object-group net-company
deny ip object-group net-company object-group inside-net
permit ip object-group inside-net any
deny ip any any
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler allocate 60000 1000
!
end
Client debug ipsec isakmp output:
*Nov 1 23:17:52.851: ISAKMP:(0): SA request profile is (NULL)
*Nov 1 23:17:52.851: ISAKMP: Created a peer struct for 10.200.38.167, peer port 500
*Nov 1 23:17:52.851: ISAKMP: New peer created peer = 0x8A531CE0 peer_handle = 0x80000897
*Nov 1 23:17:52.851: ISAKMP: Locking peer struct 0x8A531CE0, refcount 1 for isakmp_initiator
*Nov 1 23:17:52.851: ISAKMP:(0):Setting client config settings 8B363960
*Nov 1 23:17:52.851: ISAKMP: local port 500, remote port 500
*Nov 1 23:17:52.851: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8A530C20
*Nov 1 23:17:52.851: ISAKMP:(0): client mode configured.
*Nov 1 23:17:52.851: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Nov 1 23:17:52.851: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Nov 1 23:17:52.851: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Nov 1 23:17:52.851: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Nov 1 23:17:52.883: ISKAMP: growing send buffer from 1024 to 3072
*Nov 1 23:17:52.883: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Nov 1 23:17:52.883: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : eznemgroup1
protocol : 17
port : 0
length : 19
*Nov 1 23:17:52.883: ISAKMP:(0):Total payload length: 19
*Nov 1 23:17:52.883: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Nov 1 23:17:52.883: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
*Nov 1 23:17:52.883: ISAKMP:(0): beginning Aggressive Mode exchange
*Nov 1 23:17:52.883: ISAKMP:(0): sending packet to 10.200.38.167 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Nov 1 23:17:52.883: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 1 23:17:52.883: ISAKMP:(0):purging SA., sa=89D10610, delme=89D10610
*Nov 1 23:17:53.987: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Nov 1 23:17:53.987: ISAKMP:(0): processing SA payload. message ID = 0
*Nov 1 23:17:53.987: ISAKMP:(0): processing ID payload. message ID = 0
*Nov 1 23:17:53.987: ISAKMP (0): ID payload
next-payload : 8
type : 2
FQDN name : server.demo.company.local
protocol : 0
port : 0
length : 39
*Nov 1 23:17:53.987: ISAKMP:(0):: peer matches *none* of the profiles
*Nov 1 23:17:53.987: ISAKMP:(0): processing vendor id payload
*Nov 1 23:17:53.987: ISAKMP:(0): vendor ID is Unity
*Nov 1 23:17:53.987: ISAKMP:(0): processing vendor id payload
*Nov 1 23:17:53.987: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Nov 1 23:17:53.987: ISAKMP:(0): vendor ID is XAUTH
*Nov 1 23:17:53.987: ISAKMP:(0): processing vendor id payload
*Nov 1 23:17:53.987: ISAKMP:(0): vendor ID is DPD
*Nov 1 23:17:53.987: ISAKMP:(0):Looking for a matching key for server.demo.company.local in default
*Nov 1 23:17:53.987: ISAKMP: no pre-shared key based on hostname server.demo.company.local!
*Nov 1 23:17:53.991: ISAKMP : Scanning profiles for xauth ...
*Nov 1 23:17:53.991: ISAKMP:(0): Authentication by xauth preshared
*Nov 1 23:17:53.991: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65515 policy
*Nov 1 23:17:53.991: ISAKMP: encryption AES-CBC
*Nov 1 23:17:53.991: ISAKMP: keylength of 256
*Nov 1 23:17:53.991: ISAKMP: hash SHA
*Nov 1 23:17:53.991: ISAKMP: default group 2
*Nov 1 23:17:53.991: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:53.991: ISAKMP: life type in seconds
*Nov 1 23:17:53.991: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:53.991: ISAKMP:(0):Proposed key length does not match policy
*Nov 1 23:17:53.991: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65516 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65517 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Proposed key length does not match policy
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65518 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65519 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65520 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65521 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Proposed key length does not match policy
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65522 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65523 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.019: ISAKMP: life type in seconds
*Nov 1 23:17:54.019: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.019: ISAKMP:(0):Proposed key length does not match policy
*Nov 1 23:17:54.019: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65524 policy
*Nov 1 23:17:54.019: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.019: ISAKMP: keylength of 256
*Nov 1 23:17:54.019: ISAKMP: hash SHA
*Nov 1 23:17:54.019: ISAKMP: default group 2
*Nov 1 23:17:54.019: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65525 policy
*Nov 1 23:17:54.023: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.023: ISAKMP: keylength of 256
*Nov 1 23:17:54.023: ISAKMP: hash SHA
*Nov 1 23:17:54.023: ISAKMP: default group 2
*Nov 1 23:17:54.023: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65526 policy
*Nov 1 23:17:54.023: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.023: ISAKMP: keylength of 256
*Nov 1 23:17:54.023: ISAKMP: hash SHA
*Nov 1 23:17:54.023: ISAKMP: default group 2
*Nov 1 23:17:54.023: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65527 policy
*Nov 1 23:17:54.023: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.023: ISAKMP: keylength of 256
*Nov 1 23:17:54.023: ISAKMP: hash SHA
*Nov 1 23:17:54.023: ISAKMP: default group 2
*Nov 1 23:17:54.023: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65532 policy
*Nov 1 23:17:54.023: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.023: ISAKMP: keylength of 256
*Nov 1 23:17:54.023: ISAKMP: hash SHA
*Nov 1 23:17:54.023: ISAKMP: default group 2
*Nov 1 23:17:54.023: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65533 policy
*Nov 1 23:17:54.023: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.023: ISAKMP: keylength of 256
*Nov 1 23:17:54.023: ISAKMP: hash SHA
*Nov 1 23:17:54.023: ISAKMP: default group 2
*Nov 1 23:17:54.023: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65534 policy
*Nov 1 23:17:54.023: ISAKMP: encryption AES-CBC
*Nov 1 23:17:54.023: ISAKMP: keylength of 256
*Nov 1 23:17:54.023: ISAKMP: hash SHA
*Nov 1 23:17:54.023: ISAKMP: default group 2
*Nov 1 23:17:54.023: ISAKMP: auth XAUTHInitPreShared
*Nov 1 23:17:54.023: ISAKMP: life type in seconds
*Nov 1 23:17:54.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Nov 1 23:17:54.023: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Nov 1 23:17:54.023: ISAKMP:(0):no offers accepted!
*Nov 1 23:17:54.027: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.200.38.205 remote 10.200.38.167)
*Nov 1 23:17:54.027: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Nov 1 23:17:54.027: ISAKMP:(0): Failed to construct AG informational message.
*Nov 1 23:17:54.027: ISAKMP:(0): sending packet to 10.200.38.167 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Nov 1 23:17:54.027: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 1 23:17:54.027: ISAKMP:(0):peer does not do paranoid keepalives.
*Nov 1 23:17:54.027: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) AG_INIT_EXCH (peer 10.200.38.167)
*Nov 1 23:17:54.027: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 1 23:17:55.547: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_I_AM1
*Nov 1 23:17:55.547: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Nov 1 23:17:55.547: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_I_AM1
*Nov 1 23:17:55.571: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.571: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.575: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.575: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) AG_INIT_EXCH (peer 10.200.38.167)
*Nov 1 23:17:55.575: ISAKMP: Unlocking peer struct 0x8A531CE0 for isadb_mark_sa_deleted(), count 0
*Nov 1 23:17:55.575: ISAKMP: Deleting peer node by peer_reap for 10.200.38.167: 8A531CE0
*Nov 1 23:17:55.579: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Nov 1 23:17:55.579: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_DEST_SA
*Nov 1 23:17:55.579: ISAKMP:(0):purging SA., sa=8B305C90, delme=8B305C90
*Nov 1 23:17:55.579: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.583: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.583: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.587: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:55.587: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=eznemgroup1 Client_public_addr=10.200.38.205 Server_public_addr=10.200.38.167
*Nov 1 23:17:57.103: ISAKMP (0): received packet from 10.200.38.167 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 1 23:17:57.127: del_node src 10.200.38.205:500 dst 10.200.38.167:500 fvrf 0x0, ivrf 0x0
The key lines of the debug output are:
*Nov 1 23:17:53.987: ISAKMP:(0):Looking for a matching key for server.demo.company.local in default
*Nov 1 23:17:53.987: ISAKMP: no pre-shared key based on hostname server.demo.company.local!
which indicate that the ASA server is trying to identify itself as server.demo.company.local. You can either update the client configuration to use the hostname as well, or update the server so that it identifies itself by IP address.
To have the ASA identify itself by IP, use crypto isakmp identity address:
server# conf t
server(config)# crypto isakmp identity address
server(config)# end
server#
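As an added illustration (not part of the question or the answer above), the following Python script parses the client's debug crypto isakmp output and pulls out the two facts the answer relies on: the identity type the peer sent in its ID payload, and the reason each local ISAKMP policy gave for rejecting the peer's transform. The embedded sample is a trimmed excerpt of the debug output posted in the question; the ID_TYPES table and the findings() wording are the example's own.

```python
import re
from collections import Counter

# Constructed excerpt of the IOS client's "debug crypto isakmp" output from the
# question, trimmed to the lines the triage keys on (not a new capture).
SAMPLE_DEBUG = """\
*Nov 1 23:17:53.987: ISAKMP:(0): processing ID payload. message ID = 0
*Nov 1 23:17:53.987: ISAKMP (0): ID payload
next-payload : 8
type : 2
FQDN name : server.demo.company.local
protocol : 0
port : 0
length : 39
*Nov 1 23:17:53.987: ISAKMP: no pre-shared key based on hostname server.demo.company.local!
*Nov 1 23:17:53.991: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65515 policy
*Nov 1 23:17:53.991: ISAKMP:(0):Proposed key length does not match policy
*Nov 1 23:17:54.019: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65516 policy
*Nov 1 23:17:54.019: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65534 policy
*Nov 1 23:17:54.023: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Nov 1 23:17:54.023: ISAKMP:(0):no offers accepted!
"""

# IKEv1 identification types (RFC 2407 section 4.6.2.1); IOS prints them as "type : N".
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}
TS_RE = re.compile(r"^\*\w{3}\s+\d+\s+[\d:.]+:\s*")  # strips "*Nov 1 23:17:53.987: "


def triage(debug_text):
    """Return what the client learned about the peer's identity and why each
    local ISAKMP policy rejected the peer's transform."""
    res = {"peer_id_type": None, "peer_id": None, "psk_lookup_failed": False,
           "policies_checked": 0, "rejections": Counter(), "no_offers_accepted": False}
    expect_peer_id = in_id = False
    for raw in debug_text.splitlines():
        ln = TS_RE.sub("", raw.strip())
        if "processing ID payload" in ln:        # the next ID dump is the peer's, not ours
            expect_peer_id = True
        elif ln.startswith("ISAKMP (0): ID payload") and expect_peer_id:
            in_id, expect_peer_id = True, False
        elif in_id:
            m = re.match(r"type\s*:\s*(\d+)$", ln)
            if m:
                res["peer_id_type"] = ID_TYPES.get(int(m.group(1)), m.group(1))
            m = re.match(r"(?:FQDN name|address|group id)\s*:\s*(\S+)$", ln)
            if m:
                res["peer_id"] = m.group(1)
            in_id = not ln.startswith("length")  # "length" is the last field of the dump
        elif "no pre-shared key based on hostname" in ln:
            res["psk_lookup_failed"] = True
        elif "Checking ISAKMP transform" in ln:
            res["policies_checked"] += 1
        elif "does not match policy" in ln:
            res["rejections"][ln.split(":", 2)[-1].strip().rstrip("!")] += 1
        elif "no offers accepted" in ln:
            res["no_offers_accepted"] = True
    return res


def findings(res):
    """Human-readable conclusions an operator can act on."""
    out = []
    if res["psk_lookup_failed"] and res["peer_id_type"] == "FQDN":
        out.append(f"peer identified itself by hostname {res['peer_id']} and the client "
                   "has no pre-shared key stored under that name; identity types must "
                   "agree (the answer above sets 'crypto isakmp identity address' on the ASA)")
    if res["no_offers_accepted"]:
        reasons = ", ".join(f"{r} (x{n})" for r, n in res["rejections"].most_common())
        out.append(f"phase 1 proposal rejected by all {res['policies_checked']} local "
                   f"policies: {reasons}")
    return out
```

Running triage() over the full capture in the question gives the same two findings; the per-policy rejection counts make it easy to see that every local policy turned the offer down for a different attribute, which is worth checking after the identity fix.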