Views: 6130 | Replies: 12

Using a router as an EZVPN server, can someone help? Waiting here for you.

Posted on 2013-5-17 12:35:16
I am doing this on an emulator. The server is Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T,
and the EZVPN client is vpnclient-win-msi-5.0.04.0300-k9.exe


EZvpn-server#
*May 17 12:23:01.003: ISAKMP (0): received packet from 202.1.20.254 dport 500 sport 1196 Global (N) NEW SA
*May 17 12:23:01.007: ISAKMP: Created a peer struct for 202.1.20.254, peer port 1196
*May 17 12:23:01.007: ISAKMP: New peer created peer = 0x68A16090 peer_handle = 0x80000021
*May 17 12:23:01.007: ISAKMP: Locking peer struct 0x68A16090, refcount 1 for crypto_isakmp_process_block
*May 17 12:23:01.011: ISAKMP:(0):Setting client config settings 676E47F8
*May 17 12:23:01.011: ISAKMP:(0):(Re)Setting client xauth list  and state
*May 17 12:23:01.011: ISAKMP/xauth: initializing AAA request
*May 17 12:23:01.019: ISAKMP: local port 500, remote port 1196
*May 17 12:23:01.019: ISAKMP:(0):insert sa successfully sa = 68A24324
*May 17 12:23:01.023: ISAKMP:(0): processing SA payload. message ID = 0
*May 17 12:23:01.023: ISAKMP:(0): processing ID payload. message ID = 0
*May 17 12:23:01.023: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : aaaa
        protocol     : 17
        port         : 500
        length       : 12
*May 17 12:23:01.027: ISAKMP:(0):: peer matches *none* of the profiles
*May 17 12:23:01.027: ISAKMP:(0): processing vendor id payload
*May 17 12:23:01.027: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*May 17 12:23:01.027: ISAKMP:(0): vendor ID is XAUTH
*May 17 12:23:01.031: ISAKMP:(0): processing vendor id payload
*May 17 12:23:01.031: ISAKMP:(0): vendor ID is DPD
*May 17 12:23:01.031: ISAKMP:(0): processing vendor id payload
*May 17 12:23:01.031: ISAKMP:(0): processing IKE frag vendor id payload
*May 17 12:23:01.031: ISAKMP:(0):Support for IKE Fragmentation not enabled
*May 17 12:23:01.035: ISAKMP:(0): processing vendor id payload
*May 17 12:23:01.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May 17 12:23:01.035: ISAKMP:(0): vendor ID is NAT-T v2
*May 17 12:23:01.035: ISAKMP:(0): processing vendor id payload
*May 17 12:23:01.039: ISAKMP:(0): vendor ID is Unity
*May 17 12:23:01.039: ISAKMP:(0): Authentication by xauth preshared
*May 17 12:23:01.039: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*May 17 12:23:01.039: ISAKMP:      encryption AES-CBC
*May 17 12:23:01.039: ISAKMP:      hash SHA
*May 17 12:23:01.043: ISAKMP:      default group 2
*May 17 12:23:01.043: ISAKMP:      auth XAUTHInitPreShared
*May 17 12:23:01.043: ISAKMP:      life type in seconds
*May 17 12:23:01.043: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 17 12:23:01.047: ISAKMP:      keylength of 256
*May 17 12:23:01.047: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 17 12:23:01.047: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 17 12:23:01.047: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*May 17 12:23:01.047: ISAKMP:      encryption AES-CBC
*May 17 12:23:01.051: ISAKMP:      hash MD5
*May 17 12:23:01.051: ISAKMP:      default group 2
*May 17 12:23:01.051: ISAKMP:      auth XAUTHInitPreShared
*May 17 12:23:01.051: ISAKMP:      life type in seconds
*May 17 12:23:01.051: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 17 12:23:01.055: ISAKMP:      keylength of 256
*May 17 12:23:01.055: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 17 12:23:01.055: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 17 12:23:01.055: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*May 17 12:23:01.059: ISAKMP:      encryption AES-CBC
*May 17 12:23:01.059: ISAKMP:      hash SHA
*May 17 12:23:01.059: ISAKMP:      default group 2
*May 17 12:23:01.059: ISAKMP:      auth pre-share
*May 17 12:23:01.059: ISAKMP:      life type in seconds
*May 17 12:23:01.059: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 17 12:23:01.063: ISAKMP:      keylength of 256
*May 17 12:23:01.063: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 17 12:23:01.063: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 17 12:23:01.067: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*May 17 12:23:01.067: ISAKMP:      encryption AES-CBC
*May 17 12:23:01.067: ISAKMP:      hash MD5
*May 17 12:23:01.067: ISAKMP:      default group 2
*May 17 12:23:01.067: ISAKMP:      auth pre-share
*May 17 12:23:01.067: ISAKMP:      life type in seconds
*May 17 12:23:01.071: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 17 12:23:01.071: ISAKMP:      keylength of 256
*May 17 12:23:01.071: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 17 12:23:01.075: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 17 12:23:01.075: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*May 17 12:23:01.075: ISAKMP:      encryption AES-CBC
*May 17 12:23:01.075: ISAKMP:      hash SHA
*May 17 12:23:01.075: ISAKMP:      default group 2
*May 17 12:23:01.075: ISAKMP:      auth XAUTHInitPreShared
*May 17 12:23:01.079: ISAKMP:      life type in seconds
*May 17 12:23:01.079: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 17 12:23:01.079: ISAKMP:      keylength of 128
*May 17 12:23:01.079: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 17 12:23:01.083: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 17 12:23:01.083: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*May 17 12:23:01.083: ISAKMP:      encryption AES-CBC
*May 17 12:23:01.083: ISAKMP:      hash MD5
*May 17 12:23:01.083: ISAKMP:      default group 2
*May 17 12:23:01.087: ISAKMP:      auth XAUTHInitPreShared
*May 17 12:23:01.087: ISAKMP:      life type in seconds
*May 17 12:23:01.087: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 17 12:23:01.087: ISAKMP:      keylength of 128
*May 17 12:23:01.091: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 17 12:23:01.091: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 17 12:23:01.091: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*May 17 12:23:01.091: ISAKMP:      encryption AES-CBC
*May 17 12:23:01.091: ISAKMP:      hash SHA
*May 17 12:23:01.091: ISAKMP:      default group 2
*May 17 12:23:01.091: ISAKMP:      auth pre-share
*May 17 12:23:01.091: ISAKMP:      life type in seconds
*May 17 12:23:01.091: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 17 12:23:01.091: ISAKMP:      keylength of 128
*May 17 12:23:01.091: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 17 12:23:01.091: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 17 12:23:01.091: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*May 17 12:23:01.091: ISAKMP:      encryption AES-CBC
*May 17 12:23:01.091: ISAKMP:      hash MD5
*May 17 12:23:01.091: ISAKMP:      default group 2
*May 17 12:23:01.091: ISAKMP:      auth pre-share
*May 17 12:23:01.091: ISAKMP:      life type in seconds
*May 17 12:23:01.091: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 17 12:23:01.091: ISAKMP:      keylength of 128
*May 17 12:23:01.091: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 17 12:23:01.091: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 17 12:23:01.091: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*May 17 12:23:01.091: ISAKMP:      encryption 3DES-CBC
*May 17 12:23:01.091: ISAKMP:      hash SHA
*May 17 12:23:01.091: ISAKMP:      default group 2
*May 17 12:23:01.091: ISAKMP:      auth XAUTHInitPreShared
*May 17 12:23:01.091: ISAKMP:      life type in seconds
*May 17 12:23:01.091: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*May 17 12:23:01.091: ISAKMP:(0):atts are acceptable. Next payload is 3
*May 17 12:23:01.091: ISAKMP:(0):Acceptable atts:actual life: 86400
*May 17 12:23:01.091: ISAKMP:(0):Acceptable atts:life: 0
*May 17 12:23:01.091: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 17 12:23:01.091: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*May 17 12:23:01.091: ISAKMP:(0):Returning Actual lifetime: 86400
*May 17 12:23:01.091: ISAKMP:(0)::Started lifetime timer: 86400.

*May 17 12:23:01.091: ISAKMP:(0): processing KE payload. message ID = 0
*May 17 12:23:01.123: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 17 12:23:01.123: ISAKMP:(0): vendor ID is NAT-T v2
*May 17 12:23:01.127: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*May 17 12:23:01.127: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

*May 17 12:23:01.131: AAA/AUTHOR/IKMP/LOCAL: group aaaa does not exist
*May 17 12:23:01.135: %CRYPTO-6-VPN_TUNNEL_STATUS: Group: aaaa does not exist
*May 17 12:23:01.135: %AAA-3-BADSERVERTYPEERROR: Cannot process authorization server type radius (UNKNOWN)
*May 17 12:23:01.139: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 17 12:23:01.139: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*May 17 12:23:01.143: ISAKMP (0): ID payload
        next-payload : 10
        type         : 1
        address      : 202.1.10.254
        protocol     : 0
        port         : 0
        length       : 12
*May 17 12:23:01.143: ISAKMP:(0):Total payload length: 12
*May 17 12:23:01.147: ISAKMP:(0): sending packet to 202.1.20.254 my_port 500 peer_port 1196 (R) AG_INIT_EXCH
*May 17 12:23:01.147: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 17 12:23:01.147: ISAKMP:(0):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*May 17 12:23:01.151: ISAKMP:(0):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

*May 17 12:23:01.231: ISAKMP (0): received packet from 202.1.20.254 dport 500 sport 1196 Global (R) AG_INIT_EXCH
*May 17 12:23:01.231: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 202.1.20.254 was not encrypted and it should've been.
*May 17 12:23:01.231: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
*May 17 12:23:01.235: ISAKMP (0): received packet from 202.1.20.254 dport 500 sport 1196 Global (R) AG_INIT_EXCH
*May 17 12:23:01.235: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 202.1.20.254 was not encrypted and it should've been.
*May 17 12:23:01.239: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*May 17 12:23:02.239: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*May 17 12:23:02.239: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*May 17 12:23:02.239: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*May 17 12:23:02.239: ISAKMP:(0): sending packet to 202.1.20.254 my_port 500 peer_port 1196 (R) AG_INIT_EXCH
*May 17 12:23:02.239: ISAKMP:(0):Sending an IKE IPv4 Packet.
EZvpn-server#
*May 17 12:23:12.239: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*May 17 12:23:12.239: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*May 17 12:23:12.239: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*May 17 12:23:12.243: ISAKMP:(0): sending packet to 202.1.20.254 my_port 500 peer_port 1196 (R) AG_INIT_EXCH
*May 17 12:23:12.243: ISAKMP:(0):Sending an IKE IPv4 Packet.
EZvpn-server#
*May 17 12:23:22.243: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*May 17 12:23:22.243: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*May 17 12:23:22.243: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*May 17 12:23:22.247: ISAKMP:(0): sending packet to 202.1.20.254 my_port 500 peer_port 1196 (R) AG_INIT_EXCH
*May 17 12:23:22.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
EZvpn-server#
*May 17 12:23:32.247: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*May 17 12:23:32.247: ISAKMP:(0):peer does not do paranoid keepalives.

*May 17 12:23:32.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 202.1.20.254)
*May 17 12:23:32.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 202.1.20.254)
*May 17 12:23:32.247: ISAKMP: Unlocking peer struct 0x68A16090 for isadb_mark_sa_deleted(), count 0
*May 17 12:23:32.247: ISAKMP: Deleting peer node by peer_reap for 202.1.20.254: 68A16090
*May 17 12:23:32.247: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 17 12:23:32.247: ISAKMP:(0):Old State = IKE_R_AM2  New State = IKE_DEST_SA

*May 17 12:23:32.247: IPSEC(key_engine): got a queue event with 1 KMI message(s)
EZvpn-server#
*May 17 12:24:32.247: ISAKMP:(0):purging SA., sa=68A24324, delme=68A24324
EZvpn-server#


EZvpn-server#show run
Building configuration...

Current configuration : 1856 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EZvpn-server
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login cisco1 local group radius
aaa authorization network cisco2 local group radius
!
!
aaa session-id common
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!         
!
!
!
!
memory-size iomem 0
username cisco password 0 cisco
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn-policy
key cisco123
pool net172
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map vpnmap 1
set transform-set vpn
reverse-route
!
!
crypto map ezvpn client authentication list cisco1
crypto map ezvpn isakmp authorization list cisco2
crypto map ezvpn client configuration address respond
crypto map ezvpn 1 ipsec-isakmp dynamic vpnmap
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 202.1.10.254 255.255.255.0
duplex auto
speed auto
crypto map ezvpn
!         
interface FastEthernet0/1
ip address 172.16.1.254 255.255.255.0
duplex auto
speed auto
!
interface POS1/0
no ip address
shutdown
!
ip local pool net172 172.16.1.100 172.16.1.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 2.2.2.0 255.255.255.0 172.16.1.1
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!         
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
!
end



EZVPN client error messages:
Cisco Systems VPN Client Version 5.0.04.0300
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

696    12:30:14.509  05/17/13  Sev=Info/4        CM/0x63100002
Begin connection process

697    12:30:14.540  05/17/13  Sev=Info/4        CM/0x63100004
Establish secure connection

698    12:30:14.540  05/17/13  Sev=Info/4        CM/0x63100024
Attempt connection with server "202.1.10.254"

699    12:30:14.555  05/17/13  Sev=Info/6        IKE/0x6300003B
Attempting to establish a connection with 202.1.10.254.

700    12:30:14.555  05/17/13  Sev=Info/4        IKE/0x63000001
Starting IKE Phase 1 Negotiation

701    12:30:14.555  05/17/13  Sev=Info/4        IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 202.1.10.254

702    12:30:14.743  05/17/13  Sev=Info/4        IPSEC/0x63700008
IPSec driver successfully started

703    12:30:14.743  05/17/13  Sev=Info/4        IPSEC/0x63700014
Deleted all keys

704    12:30:14.821  05/17/13  Sev=Info/5        IKE/0x6300002F
Received ISAKMP packet: peer = 202.1.10.254

705    12:30:14.821  05/17/13  Sev=Info/4        IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 202.1.10.254

706    12:30:14.821  05/17/13  Sev=Info/5        IKE/0x63000001
Peer is a Cisco-Unity compliant peer

707    12:30:14.821  05/17/13  Sev=Info/5        IKE/0x63000001
Peer supports DPD

708    12:30:14.821  05/17/13  Sev=Info/5        IKE/0x63000001
Peer supports DWR Code and DWR Text

709    12:30:14.837  05/17/13  Sev=Info/5        IKE/0x63000001
Peer supports XAUTH

710    12:30:14.837  05/17/13  Sev=Info/5        IKE/0x63000001
Peer supports NAT-T

711    12:30:14.837  05/17/13  Sev=Warning/3        IKE/0xE3000057
The received HASH payload cannot be verified

712    12:30:14.837  05/17/13  Sev=Warning/2        IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

713    12:30:14.837  05/17/13  Sev=Warning/2        IKE/0xE300009B
Failed to authenticate peer (Navigator:915)

714    12:30:14.837  05/17/13  Sev=Info/4        IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 202.1.10.254

715    12:30:14.837  05/17/13  Sev=Info/4        IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 202.1.10.254

716    12:30:14.837  05/17/13  Sev=Warning/2        IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiatorNavigator:2263)

717    12:30:14.837  05/17/13  Sev=Info/4        IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=E8733CC47BF53B7B R_Cookie=55721DFE45B12905) reason = DEL_REASON_IKE_NEG_FAILED

718    12:30:15.727  05/17/13  Sev=Info/4        IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=E8733CC47BF53B7B R_Cookie=55721DFE45B12905) reason = DEL_REASON_IKE_NEG_FAILED

719    12:30:15.727  05/17/13  Sev=Info/4        CM/0x63100014
Unable to establish Phase 1 SA with server "202.1.10.254" because of "DEL_REASON_IKE_NEG_FAILED"

720    12:30:15.727  05/17/13  Sev=Info/5        CM/0x63100025
Initializing CVPNDrv

721    12:30:15.790  05/17/13  Sev=Info/6        CM/0x63100046
Set tunnel established flag in registry to 0.

722    12:30:15.790  05/17/13  Sev=Info/4        IKE/0x63000001
IKE received signal to terminate VPN connection

723    12:30:16.805  05/17/13  Sev=Info/4        IPSEC/0x63700014
Deleted all keys

724    12:30:16.805  05/17/13  Sev=Info/4        IPSEC/0x63700014
Deleted all keys

725    12:30:16.805  05/17/13  Sev=Info/4        IPSEC/0x63700014
Deleted all keys

726    12:30:16.805  05/17/13  Sev=Info/4        IPSEC/0x6370000A
IPSec driver successfully stopped




Personally I find this quite interesting. I cannot solve it; using an ASA as the EZVPN server does not succeed either.
Can you see where the problem is? Thanks.



Posted on 2013-5-17 12:55:29
From the configuration, the only thing I can see so far is that the mode is wrong: EZVPN must use tunnel mode, not transport mode. The phase 1 policy is fine; the debug output shows it was accepted.

Original poster | Posted on 2013-5-17 13:03:23
It uses tunnel mode by default, and the error is the same.
Thanks.

Original poster | Posted on 2013-5-17 13:04:18
qq360870025 posted on 2013-5-17 12:55
From the configuration, the only thing I can see so far is that the mode is wrong: EZVPN must use tunnel mode, not transport mode. The phase 1 policy is fine; the debug ...

Did you notice some of the error messages on the EZVPN client side? I find them very interesting.

Original poster | Posted on 2013-5-17 13:05:59
qq360870025 posted on 2013-5-17 12:55
From the configuration, the only thing I can see so far is that the mode is wrong: EZVPN must use tunnel mode, not transport mode. The phase 1 policy is fine; the debug ...

Another very interesting thing is that the phase 1 SA is not cleared when the client connects the next time; it stays there until it is removed some time later, and it is the same client.

Original poster | Posted on 2013-5-17 13:07:32
qq360870025 posted on 2013-5-17 12:55
From the configuration, the only thing I can see so far is that the mode is wrong: EZVPN must use tunnel mode, not transport mode. The phase 1 policy is fine; the debug ...

EZvpn-server#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
202.1.10.254    202.1.20.254    AG_INIT_EXCH         0 ACTIVE

IPv6 Crypto ISAKMP SA

EZvpn-server#show crypto ipsec sa  

EZvpn-server#
*May 17 13:03:12.819: %CRYPTO-6-VPN_TUNNEL_STATUS: Group: aaaa does not exist
*May 17 13:03:12.895: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 202.1.20.254 was not encrypted and it should've been.
*May 17 13:03:12.907: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 202.1.20.254 was not encrypted and it should've been.
EZvpn-server#
*May 17 13:03:15.183: %CRYPTO-6-VPN_TUNNEL_STATUS: Group: aaaa does not exist
EZvpn-server#
*May 17 13:03:25.943: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 202.1.20.254 was not encrypted and it should've been.
*May 17 13:03:25.947: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 202.1.20.254 was not encrypted and it should've been.
EZvpn-server#
*May 17 13:03:29.743: %CRYPTO-6-VPN_TUNNEL_STATUS: Group: aaaa does not exist
*May 17 13:03:29.815: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 202.1.20.254 was not encrypted and it should've been.
*May 17 13:03:29.819: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 202.1.20.254 was not encrypted and it should've been.
EZvpn-server#
EZvpn-server#
EZvpn-server#
EZvpn-server#show crypto ipsec sa

EZvpn-server#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
202.1.10.254    202.1.20.254    AG_INIT_EXCH         0 ACTIVE
202.1.10.254    202.1.20.254    AG_INIT_EXCH         0 ACTIVE
202.1.10.254    202.1.20.254    AG_INIT_EXCH         0 ACTIVE
202.1.10.254    202.1.20.254    MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

EZvpn-server#

Posted on 2013-5-17 13:19:12
se_541049166 posted on 2013-5-17 13:07
EZvpn-server#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state  ...

Check your client configuration carefully; there is nothing wrong on the server side.

Look at the client's error message:
Hash verification failed... may be configured with invalid group password

Its HASH failed, possibly because of an invalid group password.

I pasted your configuration straight onto a router and tested it; it connects.

Original poster | Posted on 2013-5-17 13:46:58
qq360870025 posted on 2013-5-17 13:19
Check your client configuration carefully; there is nothing wrong on the server side.

Look at the client's error message

Can you describe your topology, server version and client version?

Posted on 2013-5-17 14:00:58
se_541049166 posted on 2013-5-17 13:46
Can you describe your topology, server version and client version?

I used a router as the client, not the software; the topology is very simple, directly connected.
Both run IOS (C2691-ADVENTERPRISEK9-M), Version 12.4(15)T1
It is the same client mode; this computer does not have the software installed, so I used a router instead.

crypto ipsec client ezvpn cisco
connect manual
group vpn-policy key cisco123
mode client
peer 202.1.10.254
xauth userid mode interactive
!
!
!
!
archive
log config
  hidekeys
!
!
!
!
!
!
interface Loopback0
ip address 12.1.1.1 255.255.255.255
crypto ipsec client ezvpn cisco inside
!
interface FastEthernet0/0
ip address 202.1.10.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn cisco
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 202.1.10.254

Original poster | Posted on 2013-5-17 14:03:14
qq360870025 posted on 2013-5-17 14:00
I used a router as the client, not the software; the topology is very simple, directly connected.
Both run IOS (C2691-ADVENTERPRISEK9-M), Version 12.4( ...

Thank you. I will redo it now and configure it with SDM to see whether that works; the client software should not be that bad.

Posted on 2013-5-17 14:57:56
se_541049166 posted on 2013-5-17 14:03
Thank you. I will redo it now and configure it with SDM to see whether that works; the client software should not be that bad.

You can add another router to test as the client as well. If that works, it is a problem with your software; if not, the IOS may have some issue. Also, the 7200 cannot act as a client.

Original poster | Posted on 2013-5-17 19:53:34
qq360870025 posted on 2013-5-17 14:57
You can add another router to test as the client as well. If that works, it is a problem with your software; if not, the IOS may have some issue. Also, the 7200 cannot ...

Thanks, the problem is solved. When I configured it with SDM there was a step that tests the client, and the error said outright that the group was wrong. I had never been clear about the group name, the group password and the user account/password; now I understand, thank you. The mistake on the ASA was the same.

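The root cause the thread arrives at (the client's group name matching no `crypto isakmp client configuration group` on the server, which the client reports as a hash failure / invalid group password) can be picked out of the server debug and running config automatically. The triage script below is an added example, not code from the thread; its sample debug, config and client-log lines are constructed, trimmed copies of the kind of output the posts show.

```python
"""Triage an EZVPN (IKEv1 aggressive mode + XAUTH) phase-1 failure from Cisco IOS
'debug crypto isakmp' output and the router's running config.
Added example for this thread, not code from the original posts."""
import re

# Constructed sample: trimmed from the kind of server debug shown in the thread.
SAMPLE_DEBUG = """\
*May 17 12:23:01.023: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : aaaa
        protocol     : 17
*May 17 12:23:01.027: ISAKMP:(0):: peer matches *none* of the profiles
*May 17 12:23:01.131: AAA/AUTHOR/IKMP/LOCAL: group aaaa does not exist
*May 17 12:23:01.231: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 202.1.20.254 was not encrypted and it should've been.
*May 17 12:23:32.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 202.1.20.254)
"""

# Constructed sample: the relevant fragment of the server's running config.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group vpn-policy
 key cisco123
 pool net172
"""

# Constructed copy of the client-side (Cisco VPN Client 5.x) warning from the thread.
SAMPLE_CLIENT_LOG = "Hash verification failed... may be configured with invalid group password."

GROUP_RE = re.compile(r"^\s*crypto isakmp client configuration group (\S+)", re.M)
# In aggressive mode the EZVPN client sends its group name as an ID payload of
# type 11 (ID_KEY_ID); IOS prints it as "group id : <name>".
ID_GROUP_RE = re.compile(r"^\s*group id\s*:\s*(\S+)", re.M)
MISSING_GROUP_RE = re.compile(r"group (\S+) does not exist")


def configured_groups(config):
    """EZVPN group names defined on the server."""
    return set(GROUP_RE.findall(config))


def offered_groups(debug):
    """Group names the client presented in its phase-1 ID payload."""
    return set(ID_GROUP_RE.findall(debug))


def triage(debug, config, client_log=""):
    """Return a list of (tag, detail) findings, most likely root cause first."""
    findings = []
    cfg, sent = configured_groups(config), offered_groups(debug)
    unknown = sent - cfg
    missing = set(MISSING_GROUP_RE.findall(debug))
    if unknown or missing:
        findings.append(("root-cause", "client sent group %s but server defines %s"
                         % (sorted(unknown | missing), sorted(cfg))))
    if "IKMP_NOT_ENCRYPTED" in debug:
        # With no matching group there is no shared key, so the client's next
        # aggressive-mode message cannot be decrypted; this is a consequence, not a second fault.
        findings.append(("symptom", "AG_INIT_EXCH reply could not be decrypted"))
    if "Death by retransmission P1" in debug:
        findings.append(("symptom", "phase 1 SA deleted after 5 retransmissions"))
    if "Hash verification failed" in client_log and (unknown or missing):
        findings.append(("note", "client reports an invalid group password; a group "
                         "name unknown to the server produces the same symptom"))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_DEBUG, SAMPLE_CONFIG, SAMPLE_CLIENT_LOG):
        print("%-10s %s" % (tag, detail))
```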
Posted on 2013-5-17 23:41:48
se_541049166 posted on 2013-5-17 19:53
Thanks, the problem is solved. When I configured it with SDM there was a step that tests the client, and the error said outright that the group was wrong. I ...

Yes, your client told you too: invalid group and password.