我很乐意发布配置或日志以供参考,但是我无法使远程访问VPN在与站点到站点IPSEC VPN相同的接口上工作。我正在为远程访问vpn使用动态加密映射,但似乎无法尝试执行第一阶段。任何人都可以给我一个简单的示例配置来工作吗?

编辑:

这里是一个调试转储,它按照以下建议实施了ISAKMP配置文件后失败。系统提示我输入用户名和密码,但是超时。好像isakmp授权失败。当前,isakmp授权仅设置为本地用户列表。 

Jul  3 16:40:44.297: ISAKMP/aaa: unique id = 29277
Jul  3 16:40:44.297: ISAKMP:(0):Proposed key length does not match policy
Jul  3 16:40:44.297: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul  3 16:40:44.313: ISAKMP:(0):ISAKMP/tunnel: setting up tunnel REMOTEACCESS pw request
Jul  3 16:40:44.313: ISAKMP:(0):ISAKMP/tunnel: Tunnel REMOTEACCESS PW Request successfully sent to AAA
Jul  3 16:40:44.317: ISAKMP:(0):ISAKMP/tunnel: received callback from AAA
AAA/AUTHOR/IKE: Processing AV tunnel-password
AAA/AUTHOR/IKE: Processing AV addr-pool
AAA/AUTHOR/IKE: Processing AV inacl
AAA/AUTHOR/IKE: Processing AV dns-servers
AAA/AUTHOR/IKE: Processing AV wins-servers
AAA/AUTHOR/IKE: Processing AV route-metric
Jul  3 16:40:44.317: ISAKMP/tunnel: received tunnel atts
Jul  3 16:40:44.341: ISAKMP AAA: Deleting old aaa_uid = 29277
Jul  3 16:40:44.341: ISAKMP AAA: NAS Port Id is already set to 174.98.136.27
Jul  3 16:40:44.341: ISAKMP:(0):AAA: Nas Port ID set to 174.98.136.27.
Jul  3 16:40:44.341: ISAKMP AAA: Allocated new aaa_uid = 29278
Jul  3 16:40:44.341: ISAKMP AAA: Accounting is not enabled
Jul  3 16:40:48.337: ISAKMP AAA: NAS Port Id is already set to 174.98.136.27
Jul  3 16:40:48.337: ISAKMP/Authen: unique id = 29278
Jul  3 16:40:48.337: ISAKMP:(2110):AAA Authen: setting up authen_request
Jul  3 16:40:48.337: ISAKMP:(2110):AAA Authen: Successfully sent authen info to AAA

Jul  3 16:40:48.337: ISAKMP:(2110):AAA Authen: Local Authentication or no RADIUS atts recvd
Jul  3 16:40:48.349: ISAKMP:(2110):ISAKMP/author: setting up the authorization request for REMOTEACCESS
Jul  3 16:40:48.349: ISAKMP:(0):ISAKMP/author: received callback from AAA
AAA/AUTHOR/IKE: Processing AV tunnel-password
AAA/AUTHOR/IKE: Processing AV addr-pool
AAA/AUTHOR/IKE: Processing AV inacl
AAA/AUTHOR/IKE: Processing AV dns-servers
Jul  3 16:40:48.349: 
AAA/AUTHOR/IKE: no DNS addresses
AAA/AUTHOR/IKE: Processing AV wins-servers
Jul  3 16:40:48.349: 
AAA/AUTHOR/IKE: no WINS addresses
AAA/AUTHOR/IKE: Processing AV route-metric
Jul  3 16:40:48.349: ISAKMP:(2110):ISAKMP/author: No Class attributes
Jul  3 16:40:48.349: ISAKMP:FSM error - Message from AAA grp/user.


调试isakmp和ipsec错误并提取日志时,我也看到这些错误:

Jul  3 16:32:33.949: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
Jul  3 16:32:57.557: ISAKMP:(0):Proposed key length does not match policy
Jul  3 16:32:57.557: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul  3 16:33:00.637: ISAKMP:FSM error - Message from AAA grp/user.


评论

您正在运行哪个IOS主要版本?最好提一下,并用cisco-ios-15或其他标记。
您是否能够使这两个组件中的任何一个/全部独立运行?我将从这里开始,在组合它们之前确保对每个独立配置进行验证。
远程访问VLAN是什么意思?我了解您正在尝试通过将加密映射应用于接口来配置和启用IPSEC VPN,但这就是远程访问VLAN?
抱歉,应该说VPN,我会修复它。我确实使它们都正常运行,但目前只有站点到站点VPN可以正常工作。 ISR目前正在运行15.1。
有什么答案对您有帮助吗?如果是这样,您应该接受答案,这样问题就不会永远弹出来寻找答案。或者,您可以发布并接受自己的答案。

#1 楼

在这里进行黑暗拍摄是因为您没有提到很多变量。请更新问题,以包括您正在使用的特定技术,currnet配置以及出现的错误。但是,如果您使用的是DMVPN + EZVPN,则可能必须使用密钥环和多个ISAKMP配置文件。由于您指出了第一阶段的问题,因此我会进行检查。以下链接提供了DMVPN和EZVPN以及L2L + EZVPN的参考配置。您应该可以进行修改以满足自己的需求。

这里有一份ISAKMP配置文件参考,可供午餐时间阅读。

评论

我已经用原始记录更新了我的原始帖子,这些记录在出现时会出现。在您看来,故障在哪里?当前正在使用isakmp配置文件。

– Bill Gurling
13年7月3日在16:59

#2 楼

没有看到您的设置是什么,此示例将不完全准确。但是,这是我配置站点A的方式。站点B将是相似的,减去远程VPN件,然后反转站点A和站点B件。括号中的任何内容都需要填写您自己的信息。

此外,对于此特定示例,远程VPN将通过Cisco VPN客户端而不是AnyConnect客户端。 ShrewSoft VPN Client也可以使用。

ip local pool pool-remote-access 10.250.0.1 10.250.0.254

crypto logging ezvpn
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2

crypto isakmp key <pre-shared-site-to-site-key-here> address <site-b-ip>   no-xauth

!
crypto isakmp client configuration group Remote-Users-Group
 key <pre-shared-key-for-vpn-users>
 dns <internal-domain-dns-ip>
 domain <internal-domain-fqdn>
 pool pool-remote-access
 acl acl-remote-access
 split-dns <internal-domain-fqdn>
crypto isakmp profile Remote-Users-Profile
   description Remote VPN Clients
   match identity group Remote-Users-Group
   client authentication list <inset-aaa-group-for-remote-user-authentication>
   isakmp authorization list <inset-aaa-group-for-remote-user-authorization>
   client configuration address respond
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
!
!
crypto dynamic-map dynamic-vpn-map 1
 set transform-set esp-aes-sha 
 set isakmp-profile Remote-Users-Profile
 reverse-route
 qos pre-classify
!
!
crypto map vpn-map-all 1 ipsec-isakmp 
 description VPN to Site-B
 set peer <site-b-IP>
 set transform-set esp-aes-sha 
 match address acl-vpn-site-b
crypto map vpn-map-all 65535 ipsec-isakmp dynamic dynamic-vpn-map 

ip access-list extended acl-remote-access
 permit ip <site-a-subnet> 0.0.0.255 10.250.0.0 0.0.0.255

ip access-list extended acl-vpn-site-b
 permit ip <site-a-subnet> 0.0.0.255 <site-b-subnet> 0.0.0.255


interface <outside-interface>
 crypto map vpn-map-all

! These ports need to be open on the outside interface 
! permit udp any host <public-ip-of-outside-interface> eq non500-isakmp
! permit udp any host <public-ip-of-outside-interface> eq isakmp
! permit esp any host <public-ip-of-outside-interface>
! permit ahp any host <public-ip-of-outside-interface>

!
!If doing NAT... need to block VPN-VPN connections from being NAT'd
!The following is an example setup - not definitive
!



ip access-list extended acl-block-vpn
 deny   ip <site-a-subnet> 0.0.0.255 <site-b-subnet> 0.0.0.255  !Site-B
 deny   ip <site-a-subnet> 0.0.0.255 10.250.0.0 0.0.0.255       !Remote users 
 permit ip <site-a-subnet> 0.0.0.255 any

route-map rm-block-vpn-on-nat permit 1
 match ip address acl-block-vpn

ip nat inside source route-map rm-block-vpn-on-nat interface <overloaded-interface> overload


评论

非常感谢,我将把它与我的配置进行比较,并查看故障所在。我认为我的配置大概是正确的,但是我绝对没有ACL条目,所以这可能是我的问题。感谢响应。

– Bill Gurling
2013年7月8日21:00


#3 楼

这是DMVPN的另一个出色资源:

https://nwktimes.blogspot.com/search/label/DMVPN