设为首页收藏本站 language 语言切换

开启辅助访问切换到宽版

鸿鹄论坛»鸿鹄论坛 › ≡□≡技术专题≡□≡ › 网络管理 › cisco路由器ezvpn如何用AD+ias验证？

发新帖

查看: 2337|回复: 4

收起左侧

cisco路由器ezvpn如何用AD+ias验证？

发表于 2012-9-5 23:46:12 | 显示全部楼层 |阅读模式

在cisco路由器上做的ezvpn如何使用IAS+AD做拨入认证？路由器启用aaa，telnet可以用AD帐户认证，但ezvpn不行。debug信息是不能计算出
hash，有高手遇到过这问题吗？请指点一下，谢谢。

debug信息

Crypto ISAKMP debugging is on
R1#
*Mar  1 00:29:37.903: ISAKMP (0:0): received packet from 12.1.1.3 dport 500 sport 57930 Global (N) NEW SA
*Mar  1 00:29:37.907: ISAKMP: Created a peer struct for 12.1.1.3, peer port 57930
*Mar  1 00:29:37.907: ISAKMP: New peer created peer = 0x64288970 peer_handle = 0x80000006
*Mar  1 00:29:37.911: ISAKMP: Locking peer struct 0x64288970, IKE refcount 1 for crypto_isakmp_process_block
*Mar  1 00:29:37.911: ISAKMP

0:0:N/A:0):Setting client config settings 63DECF70
*Mar 1 00:29:37.911: ISAKMP

0:0:N/A:0)

Re)Setting client xauth list  and state
*Mar  1 00:29:37.911: ISAKMP/xauth: initializing AAA request
*Mar  1 00:29:37.915: ISAKMP: local port 500, remote port 57930
*Mar  1 00:29:37.919: insert sa successfully sa = 64B1721C
*Mar  1 00:29:37.919: ISAKMP

0:0:N/A:0): processing SA payload. message ID = 0
*Mar 1 00:29:37.919: ISAKMP

0:0:N/A:0): processing ID payload. message ID = 0
*Mar  1 00:29:37.923: ISAKMP (0:0): ID payload
      next-payload : 13
      type       : 11
      group id    : ezvpn
      protocol    : 17
      port       : 500
      length    : 13
*Mar  1 00:29:37.923: ISAKMP

0:0:N/A:0):: peer matches *none* of the profiles
*Mar 1 00:29:37.923: ISAKMP

0:0:N/A:0): processing vendor id payload
*Mar 1 00:29:37.923: ISAKMP

0:0:N/A:0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar 1 00:29:37.927: ISAKMP

0:0:N/A:0): vendor ID is XAUTH
*Mar 1 00:29:37.927: ISAKMP

0:0:N/A:0): processing vendor id payload
*Mar 1 00:29:37.927: ISAKMP

0:0:N/A:0): vendor ID is DPD
*Mar 1 00:29:37.927: ISAKMP

0:0:N/A:0): processing vendor id payload
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0): processing vendor id payload
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0): vendor ID is NAT-T v2
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0): processing vendor id payload
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0): vendor ID is Unity
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0): Authentication by xauth preshared
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 00:29:37.931: ISAKMP:    encryption AES-CBC
*Mar  1 00:29:37.931: ISAKMP:    hash SHA
*Mar  1 00:29:37.931: ISAKMP:    default group 2
*Mar  1 00:29:37.931: ISAKMP:    auth XAUTHInitPreShared
*Mar  1 00:29:37.931: ISAKMP:    life type in seconds
*Mar  1 00:29:37.931: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 00:29:37.931: ISAKMP:    keylength of 256
*Mar  1 00:29:37.931: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 2 against priority 10 policy
*Mar  1 00:29:37.931: ISAKMP:    encryption AES-CBC
*Mar  1 00:29:37.931: ISAKMP:    hash MD5
*Mar  1 00:29:37.931: ISAKMP:    default group 2
*Mar  1 00:29:37.931: ISAKMP:    auth XAUTHInitPreShared
*Mar  1 00:29:37.931: ISAKMP:    life type in seconds
*Mar  1 00:29:37.931: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 00:29:37.931: ISAKMP:    keylength of 256
*Mar  1 00:29:37.931: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 3 against priority 10 policy
*Mar  1 00:29:37.931: ISAKMP:    encryption AES-CBC
*Mar  1 00:29:37.931: ISAKMP:    hash SHA
*Mar  1 00:29:37.931: ISAKMP:    default group 2
*Mar  1 00:29:37.931: ISAKMP:    auth pre-share
*Mar  1 00:29:37.931: ISAKMP:    life type in seconds
*Mar  1 00:29:37.931: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 00:29:37.931: ISAKMP:    keylength of 256
*Mar  1 00:29:37.931: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 4 against priority 10 policy
*Mar  1 00:29:37.931: ISAKMP:    encryption AES-CBC
*Mar  1 00:29:37.931: ISAKMP:    hash MD5
*Mar  1 00:29:37.931: ISAKMP:    default group 2
*Mar  1 00:29:37.931: ISAKMP:    auth pre-share
*Mar  1 00:29:37.931: ISAKMP:    life type in seconds
*Mar  1 00:29:37.931: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 00:29:37.931: ISAKMP:    keylength of 256
*Mar  1 00:29:37.931: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 5 against priority 10 policy
*Mar  1 00:29:37.931: ISAKMP:    encryption AES-CBC
*Mar  1 00:29:37.931: ISAKMP:    hash SHA
*Mar  1 00:29:37.931: ISAKMP:    default group 2
*Mar  1 00:29:37.931: ISAKMP:    auth XAUTHInitPreShared
*Mar  1 00:29:37.931: ISAKMP:    life type in seconds
*Mar  1 00:29:37.931: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 00:29:37.931: ISAKMP:    keylength of 128
*Mar  1 00:29:37.931: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 6 against priority 10 policy
*Mar  1 00:29:37.931: ISAKMP:    encryption AES-CBC
*Mar  1 00:29:37.931: ISAKMP:    hash MD5
*Mar  1 00:29:37.931: ISAKMP:    default group 2
*Mar  1 00:29:37.931: ISAKMP:    auth XAUTHInitPreShared
*Mar  1 00:29:37.931: ISAKMP:    life type in seconds
*Mar  1 00:29:37.931: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 00:29:37.931: ISAKMP:    keylength of 128
*Mar  1 00:29:37.931: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 7 against priority 10 policy
*Mar  1 00:29:37.931: ISAKMP:    encryption AES-CBC
*Mar  1 00:29:37.931: ISAKMP:    hash SHA
*Mar  1 00:29:37.931: ISAKMP:    default group 2
*Mar  1 00:29:37.931: ISAKMP:    auth pre-share
*Mar  1 00:29:37.931: ISAKMP:    life type in seconds
*Mar  1 00:29:37.931: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 00:29:37.931: ISAKMP:    keylength of 128
*Mar  1 00:29:37.931: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 8 against priority 10 policy
*Mar  1 00:29:37.931: ISAKMP:    encryption AES-CBC
*Mar  1 00:29:37.931: ISAKMP:    hash MD5
*Mar  1 00:29:37.931: ISAKMP:    default group 2
*Mar  1 00:29:37.931: ISAKMP:    auth pre-share
*Mar  1 00:29:37.931: ISAKMP:    life type in seconds
*Mar  1 00:29:37.931: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 00:29:37.931: ISAKMP:    keylength of 128
*Mar  1 00:29:37.931: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 1 00:29:37.931: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 9 against priority 10 policy
*Mar  1 00:29:37.931: ISAKMP:    encryption 3DES-CBC
*Mar  1 00:29:37.931: ISAKMP:    hash SHA
*Mar  1 00:29:37.931: ISAKMP:    default group 2
*Mar  1 00:29:37.931: ISAKMP:    auth XAUTHInitPreShared
*Mar  1 00:29:37.931: ISAKMP:    life type in seconds
*Mar  1 00:29:37.931: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 00:29:37.931: ISAKMP

0:0:N/A:0):atts are acceptable. Next payload is 3
*Mar 1 00:29:37.951: ISAKMP

0:1:SW:1): processing KE payload. message ID = 0
*Mar 1 00:29:37.987: ISAKMP

0:1:SW:1): processing NONCE payload. message ID = 0
*Mar 1 00:29:37.995: ISAKMP

0:1:SW:1): vendor ID is NAT-T v2
*Mar 1 00:29:37.995: ISAKMP

0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar 1 00:29:37.995: ISAKMP

0:1:SW:1):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
*Mar 1 00:29:38.059: ISAKMP

0:1:SW:1): constructed NAT-T vendor-02 ID
*Mar 1 00:29:38.059: ISAKMP

0:1:SW:1):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Mar  1 00:29:38.059: ISAKMP (0:134217729): ID payload
      next-payload : 10
      type       : 1
      address    : 12.1.1.1
      protocol    : 17
      port       : 0
      length    : 12
*Mar  1 00:29:38.063: ISAKMP

0:1:SW:1):Total payload length: 12
*Mar 1 00:29:38.063: ISAKMP

0:1:SW:1):error from epa_ikmp_gen_hmac (AG_NO_STATE)
*Mar 1 00:29:38.067: ISAKMP

0:1:SW:1): unable to compute hash!
*Mar 1 00:29:38.067: ISAKMP

0:1:SW:1): unable to compute hash!
*Mar 1 00:29:38.067: ISAKMP

0:1:SW:1):peer does not do paranoid keepalives.
*Mar 1 00:29:38.067: ISAKMP

0:1:SW:1):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 12.1.1.3)
*Mar 1 00:29:38.071: ISAKMP (0:134217729): FSM action returned error: 2
*Mar 1 00:29:38.071: ISAKMP

0:1:SW:1):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Mar 1 00:29:38.071: ISAKMP

0:1:SW:1):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
*Mar 1 00:29:38.071: ISAKMP

0:1:SW:1):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 12.1.1.3)
*Mar  1 00:29:38.071: ISAKMP: Unlocking IKE struct 0x64288970 for isadb_mark_sa_deleted(), count 0
*Mar  1 00:29:38.071: ISAKMP: Deleting peer node by peer_reap for 12.1.1.3: 64288970
*Mar  1 00:29:38.071: ISAKMP

0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 00:29:38.071: ISAKMP

0:1:SW:1):Old State = IKE_R_AM2  New State = IKE_DEST_SA
*Mar  1 00:29:43.051: ISAKMP (0:134217729): received packet from 12.1.1.3 dport 500 sport 57930 Global (R) MM_NO_STATE
*Mar  1 00:29:48.127: ISAKMP (0:134217729): received packet from 12.1.1.3 dport 500 sport 57930 Global (R) MM_NO_STATE
*Mar  1 00:29:53.207: ISAKMP (0:134217729): received packet from 12.1.1.3 dport 500 sport 57930 Global (R) MM_NO_STATE
R1#

路由器, cisco, 如何

相关帖子

回复

使用道具举报

楼主| 发表于 2012-9-5 23:48:30 | 显示全部楼层

本帖最后由 fy923 于 2012-9-5 23:51 编辑

aaa group 用在telnet上好使，调用在vpn上不行。帮我顶下吧，需要解答。。或者有其他方法可以实现，ezvpn拨入用AD域帐户认证。配置了ASA可以，路由器就不行了。各位有做过的给个方法，谢谢了。。

沙发 2012-9-5 23:48:30 回复收起回复

回复支持反对

使用道具举报

发表于 2012-9-6 06:18:46 | 显示全部楼层

板凳 2012-9-6 06:18:46 回复收起回复

回复支持反对

使用道具举报

楼主| 发表于 2013-3-22 16:52:24 | 显示全部楼层

啊哈，微软带的radius 挺好用，已解决

地板 2013-3-22 16:52:24 回复收起回复

回复支持反对

使用道具举报

发表于 2013-8-18 18:26:01 | 显示全部楼层

好文章

5^# 2013-8-18 18:26:01 回复收起回复

回复支持反对

使用道具举报

发新帖

|Archiver|手机版|小黑屋|sitemap|鸿鹄论坛 ( 京ICP备14027439号 )

GMT+8, 2025-5-22 17:42 , Processed in 0.092421 second(s), 27 queries , Redis On.

Powered by Discuz!

© 2001-2025 HH010.COM

快速回复 返回顶部 返回列表