Edit:
Here is a debug dump after implementing the ISAKMP profile as suggested below; it fails. I'm prompted for a username and password, but it then times out. It looks like isakmp authorization is failing. Currently, isakmp authorization is set only to the local user list.
Jul 3 16:40:44.297: ISAKMP/aaa: unique id = 29277
Jul 3 16:40:44.297: ISAKMP:(0):Proposed key length does not match policy
Jul 3 16:40:44.297: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 3 16:40:44.313: ISAKMP:(0):ISAKMP/tunnel: setting up tunnel REMOTEACCESS pw request
Jul 3 16:40:44.313: ISAKMP:(0):ISAKMP/tunnel: Tunnel REMOTEACCESS PW Request successfully sent to AAA
Jul 3 16:40:44.317: ISAKMP:(0):ISAKMP/tunnel: received callback from AAA
AAA/AUTHOR/IKE: Processing AV tunnel-password
AAA/AUTHOR/IKE: Processing AV addr-pool
AAA/AUTHOR/IKE: Processing AV inacl
AAA/AUTHOR/IKE: Processing AV dns-servers
AAA/AUTHOR/IKE: Processing AV wins-servers
AAA/AUTHOR/IKE: Processing AV route-metric
Jul 3 16:40:44.317: ISAKMP/tunnel: received tunnel atts
Jul 3 16:40:44.341: ISAKMP AAA: Deleting old aaa_uid = 29277
Jul 3 16:40:44.341: ISAKMP AAA: NAS Port Id is already set to 174.98.136.27
Jul 3 16:40:44.341: ISAKMP:(0):AAA: Nas Port ID set to 174.98.136.27.
Jul 3 16:40:44.341: ISAKMP AAA: Allocated new aaa_uid = 29278
Jul 3 16:40:44.341: ISAKMP AAA: Accounting is not enabled
Jul 3 16:40:48.337: ISAKMP AAA: NAS Port Id is already set to 174.98.136.27
Jul 3 16:40:48.337: ISAKMP/Authen: unique id = 29278
Jul 3 16:40:48.337: ISAKMP:(2110):AAA Authen: setting up authen_request
Jul 3 16:40:48.337: ISAKMP:(2110):AAA Authen: Successfully sent authen info to AAA
Jul 3 16:40:48.337: ISAKMP:(2110):AAA Authen: Local Authentication or no RADIUS atts recvd
Jul 3 16:40:48.349: ISAKMP:(2110):ISAKMP/author: setting up the authorization request for REMOTEACCESS
Jul 3 16:40:48.349: ISAKMP:(0):ISAKMP/author: received callback from AAA
AAA/AUTHOR/IKE: Processing AV tunnel-password
AAA/AUTHOR/IKE: Processing AV addr-pool
AAA/AUTHOR/IKE: Processing AV inacl
AAA/AUTHOR/IKE: Processing AV dns-servers
Jul 3 16:40:48.349:
AAA/AUTHOR/IKE: no DNS addresses
AAA/AUTHOR/IKE: Processing AV wins-servers
Jul 3 16:40:48.349:
AAA/AUTHOR/IKE: no WINS addresses
AAA/AUTHOR/IKE: Processing AV route-metric
Jul 3 16:40:48.349: ISAKMP:(2110):ISAKMP/author: No Class attributes
Jul 3 16:40:48.349: ISAKMP:FSM error - Message from AAA grp/user.
When debugging isakmp and ipsec errors and pulling the logs, I also see these errors:
Jul 3 16:32:33.949: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
Jul 3 16:32:57.557: ISAKMP:(0):Proposed key length does not match policy
Jul 3 16:32:57.557: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 3 16:33:00.637: ISAKMP:FSM error - Message from AAA grp/user.
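An added triage script, not from the question or any of the answers, that parses lines in the shape of the debug output above, groups them by ISAKMP SA id and tags the two failure signatures this thread shows: the Phase 1 proposal mismatch on SA 0 and the AAA authorization FSM error around SA 2110. The sample lines are constructed from the dump, and the hints are my reading of the messages, not IOS documentation.

```python
import re
# Constructed sample in the shape of the 'debug crypto isakmp' lines quoted in the question
SAMPLE_DEBUG = """\
Jul 3 16:40:44.297: ISAKMP:(0):Proposed key length does not match policy
Jul 3 16:40:44.297: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 3 16:40:48.337: ISAKMP:(2110):AAA Authen: Local Authentication or no RADIUS atts recvd
Jul 3 16:40:48.349: ISAKMP:(2110):ISAKMP/author: No Class attributes
Jul 3 16:40:48.349: ISAKMP:FSM error - Message from AAA grp/user.
"""

# Timestamp, then either "ISAKMP:(<sa>):<body>" or a free-form message
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s*(?P<msg>.*)$")
SA_RE = re.compile(r"^ISAKMP:\((?P<sa>\d+)\):(?P<body>.*)$")
# (substring, category, what to check) -- hints are my reading of the messages
SIGNATURES = [
    ("Proposed key length does not match policy", "phase1-proposal",
     "no 'crypto isakmp policy' matches the peer's key length ('encr aes' alone is AES-128)"),
    ("atts are not acceptable", "phase1-proposal",
     "peer's ISAKMP attributes rejected; compare the client proposal with each policy"),
    ("no RADIUS atts recvd", "aaa-authen",
     "XAUTH answered by local users, or RADIUS returned no attributes"),
    ("No Class attributes", "aaa-author",
     "authorization reply carried no Class attribute; check the isakmp authorization list and group"),
    ("FSM error - Message from AAA grp/user", "aaa-author",
     "IKE state machine aborted on the AAA group/user reply; the thread reads this as authorization failing"),
]

def parse_line(line):
    """Return (timestamp, sa_id or None, message), or None for lines without a timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sa = SA_RE.match(m["msg"])
    if sa:
        return m["ts"], int(sa["sa"]), sa["body"].strip()
    return m["ts"], None, m["msg"].strip()

def triage(debug_text):
    """Group matched signatures by ISAKMP SA id (None for lines without one)."""
    findings = {}
    for raw in debug_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, sa, body = parsed
        for needle, category, hint in SIGNATURES:
            if needle in body:
                findings.setdefault(sa, []).append((ts, category, hint))
    return findings
```

Running triage over a full dump separates the SA that never got past Phase 1 from the one that reached XAUTH and authorization, which is the split the question is trying to make by eye.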
Post #1
Shooting in the dark here, since you haven't mentioned many of the variables. Please update the question to include the specific technology you're using, the current configuration, and the errors you're getting. However, if you're using DMVPN + EZVPN, you'll probably have to use keyrings and multiple ISAKMP profiles. Since you pointed to a Phase 1 issue, that's where I'd check. The links below give reference configurations for DMVPN and EZVPN as well as L2L + EZVPN. You should be able to modify them to fit your needs. Here's an ISAKMP profile reference for lunchtime reading.
Comments
I've updated my original post with the raw logs as they appear. Where do you think the failure is? I'm currently using an isakmp profile.
– Bill Gurling
Jul 3 '13 at 16:59
Post #2
Without seeing what your setup is, this example won't be completely accurate. However, this is how I'd configure Site A. Site B would be similar, minus the remote VPN pieces, and with the Site A and Site B pieces reversed. Anything in brackets needs to be filled in with your own information. Also, for this particular example the remote VPN would be via the Cisco VPN Client rather than the AnyConnect client. The ShrewSoft VPN Client would also work.
ip local pool pool-remote-access 10.250.0.1 10.250.0.254
crypto logging ezvpn
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key <pre-shared-site-to-site-key-here> address <site-b-ip> no-xauth
!
crypto isakmp client configuration group Remote-Users-Group
 key <pre-shared-key-for-vpn-users>
 dns <internal-domain-dns-ip>
 domain <internal-domain-fqdn>
 pool pool-remote-access
 acl acl-remote-access
 split-dns <internal-domain-fqdn>
crypto isakmp profile Remote-Users-Profile
 description Remote VPN Clients
 match identity group Remote-Users-Group
 client authentication list <insert-aaa-group-for-remote-user-authentication>
 isakmp authorization list <insert-aaa-group-for-remote-user-authorization>
 client configuration address respond
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
!
!
crypto dynamic-map dynamic-vpn-map 1
 set transform-set esp-aes-sha
 set isakmp-profile Remote-Users-Profile
 reverse-route
 qos pre-classify
!
!
crypto map vpn-map-all 1 ipsec-isakmp
 description VPN to Site-B
 set peer <site-b-IP>
 set transform-set esp-aes-sha
 match address acl-vpn-site-b
crypto map vpn-map-all 65535 ipsec-isakmp dynamic dynamic-vpn-map
ip access-list extended acl-remote-access
 permit ip <site-a-subnet> 0.0.0.255 10.250.0.0 0.0.0.255
ip access-list extended acl-vpn-site-b
 permit ip <site-a-subnet> 0.0.0.255 <site-b-subnet> 0.0.0.255
interface <outside-interface>
 crypto map vpn-map-all
! These ports need to be open on the outside interface
! permit udp any host <public-ip-of-outside-interface> eq non500-isakmp
! permit udp any host <public-ip-of-outside-interface> eq isakmp
! permit esp any host <public-ip-of-outside-interface>
! permit ahp any host <public-ip-of-outside-interface>
!
! If doing NAT... need to block VPN-VPN connections from being NAT'd
! The following is an example setup - not definitive
!
ip access-list extended acl-block-vpn
 deny ip <site-a-subnet> 0.0.0.255 <site-b-subnet> 0.0.0.255   ! Site-B
 deny ip <site-a-subnet> 0.0.0.255 10.250.0.0 0.0.0.255        ! Remote users
 permit ip <site-a-subnet> 0.0.0.255 any
route-map rm-block-vpn-on-nat permit 1
 match ip address acl-block-vpn
ip nat inside source route-map rm-block-vpn-on-nat interface <overloaded-interface> overload
Comments
Thanks a lot, I'll compare this against my config and see where the failure is. I think my config is roughly correct, but I definitely don't have the ACL entries, so that may be my problem. Thanks for the response.
– Bill Gurling
Jul 8 '13 at 21:00
Post #3
Here's another excellent resource for DMVPN: https://nwktimes.blogspot.com/search/label/DMVPN
Comments
Which major IOS version are you running? It's best to mention it and tag the question with cisco-ios-15 or whichever applies. Have you been able to get either or both of these components working independently? That's where I'd start: verify each standalone configuration before combining them.
What do you mean by a remote-access VLAN? I understand you're trying to configure and enable an IPsec VPN by applying a crypto map to an interface, but is that the remote-access VLAN?
Sorry, that should say VPN, I'll fix it. I did have both of them working, but currently only the site-to-site VPN works. The ISR is currently running 15.1.
Did any answer help you? If so, you should accept the answer so the question doesn't keep popping up forever looking for an answer. Alternatively, you can post and accept your own answer.