vpn问题，请大神帮忙

ahjxmsw

我在路由器上做了个ezvpn，客户端连接时报错Secure VPN Connection terminated locally by the client。Reason 412：The remote peer is no longer responding。路由器上debug 显示信息如下：
*Mar  1 04:48:02.366: ISAKMP0):Encryption algorithm offered does not match policy!
*Mar  1 04:48:02.366: ISAKMP0):atts are not acceptable. Next payload is 3
*Mar  1 04:48:02.366: ISAKMP0):Encryption algorithm offered does not match policy!
*Mar  1 04:48:02.366: ISAKMP0):atts are not acceptable. Next payload is 3
*Mar  1 04:48:02.366: ISAKMP0):Encryption algorithm offered does not match policy!
*Mar  1 04:48:02.366: ISAKMP0):atts are not acceptable. Next payload is 3
*Mar  1 04:48:02.366: ISAKMP0):Encryption algorithm offered does not match policy!
*Mar  1 04:48:02.366: ISAKMP0):atts are not acceptable. Next payload is 3
*Mar  1 04:48:02.366: ISAKMP0):Encryption algorithm offered does not match policy!
*Mar  1 04:48:02.366: ISAKMP0):atts are not acceptable. Next payload is 3
*Mar  1 04:48:02.366: ISAKMP0):Encryption algorithm offered does not match policy!
*Mar  1 04:48:02.366: ISAKMP0):atts are not acceptable. Next payload is 3
*Mar  1 04:48:02.366: ISAKMP0):Encryption algorithm offered does not match policy!
*Mar  1 04:48:02.366: ISAKMP0):atts are not acceptable. Next payload is 3
*Mar  1 04:48:02.366: ISAKMP0):Encryption algorithm offered does not match policy!
*Mar  1 04:48:02.366: ISAKMP0):atts are not acceptable. Next payload is 3
*Mar  1 04:48:02.366: ISAKMP0):Hash algorithm offered does not match policy!
*Mar  1 04:48:02.366: ISAKMP0):atts are not acceptable. Next payload is 3
*Mar  1 04:48:02.366: ISAKMP0):Hash algorithm offered does not match policy!
*Mar  1 04:48:02.366: ISAKMP0):atts are not acceptable. Next payload is 0
*Mar  1 04:48:02.366: ISAKMP0):no offers accepted!

配置信息如下：
!
aaa new-model
!
!
aaa authentication login LOGIN none
aaa authorization network test local
!
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
username cisco password 0 cisco
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 20 10
!
crypto isakmp client configuration group test
key cisco
dns 8.8.8.8
pool Remote-Pool
netmask 255.255.255.0
!
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto dynamic-map MYMAP 10
set transform-set MYSET
reverse-route
!
!
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic MYMAP
!
!
!
!
interface FastEthernet0/0
ip address 200.200.200.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MYMAP
!
interface FastEthernet0/1
ip address 192.168.210.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool Remote-Pool 172.16.1.1 172.16.1.100
!
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/0 overload
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login authentication LOGIN
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login authentication LOGIN
!
!
end
有大神知道这个问题该怎么解决么？麻烦帮帮小弟啊

mobaia

ahjxmsw 发表于 2014-3-23 20:36
我重新做了一遍，客户端竟然就可以连接了。。。。。无语
只不过客户端连接后，还是无法和内网的机器通信 ...

我找到原因了，因为map上没有指定AAA认证策略，要加
crypto map MYMAP client authentication list LOGIN
crypto map MYMAP isakmp authorization list test
这样的话服务器才会启用本地group设置的组名和密钥进行认证。

我的已经完全测试成功，虚拟网卡起不来是因为没有关闭ICS服务，禁用掉后就OK了。

mobaia

你这个是啥客户端？看着貌似是第一阶段isakmp策略协商通不过.看提示是hash算法不匹配，客户端预设策略不支持这种组合，所以不能推送MD5给服务器判断？把isakmp的hash算法改成SHA试试、

ahjxmsw

mobaia 发表于 2014-3-20 11:32
你这个是啥客户端？看着貌似是第一阶段isakmp策略协商通不过.看提示是hash算法不匹配，客户端预设策略不支 ...

客户端是cisco VPN client 5.0.06。哈希算法sha和md5都改过了不行，路由器有3种加密算法des，3des，aes也都改过还是不行，一直报这个错。。。

mobaia

debug信息就这么多？不是应该有每次客户端发过来的transform 搭配吗，你这个最后的信息显示客户端发过来的所有策略集没有一个和服务器上匹配的。debug应该每次发过来的具体策略搭配啥的。类似：
Jun 25 09:30:35.051: ISAKMP0):Checking ISAKMP transform 11 against priority 10 policy
*Jun 25 09:30:35.051: ISAKMP:      encryption 3DES-CBC
*Jun 25 09:30:35.051: ISAKMP:      hash SHA
*Jun 25 09:30:35.051: ISAKMP:      default group 2
*Jun 25 09:30:35.051: ISAKMP:      auth pre-share
*Jun 25 09:30:35.051: ISAKMP:      life type in seconds
*Jun 25 09:30:35.051: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
这种，这已经是第11次协商了，第8次协商是这样的
*Jun 25 09:30:35.051: ISAKMP0):Checking ISAKMP transform 8 against priority 10 policy
*Jun 25 09:30:35.051: ISAKMP:      encryption AES-CBC
*Jun 25 09:30:35.051: ISAKMP:      hash MD5
*Jun 25 09:30:35.051: ISAKMP:      default group 2
*Jun 25 09:30:35.051: ISAKMP:      auth pre-share
*Jun 25 09:30:35.051: ISAKMP:      life type in seconds
*Jun 25 09:30:35.051: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 25 09:30:35.051: ISAKMP:      keylength of 128
失败后还会发另一种搭配，知道策略搭配和服务器端一致协商成功，你看看客户端发过来的所有策略搭配，如果没有一个和服务器端一致的，那就是客户端的问题，它不发这种服务器端设置的那种策略集搭配，肯定不能协商成功，换个系统或者pc重装下客户端试试，看看是不是安装的系统的兼容啥的原因。

宇宙飞侠cwb

你的1.5阶段呢  我是没看到你配了1.5的Xauth

mobaia

我昨晚回的贴呢？咋看不到。1.5阶段，推送给客户端的地址池啥的都配了。

mobaia

还有aaa

mobaia

我刚用gns3架ezvpn服务器，桥接到电脑上，电脑上装cisco VPN client 5.0.07试了，刚开始也是抱这个错，奇怪的是，我debug看到客户端发过来的策略集有和服务器上配的一致的，但是仍然通不过。后来创建了个crypto isakmp policy 1的策略集，莫名其妙就好了，而且把新建的删掉，使用原来一模一样的crypto isakmp policy 10，也能通过了，不知道为啥，蛋疼。看debug消息，我这个1.5阶段都已经通过，ipsec的策略集也已经匹配完成，就最后推送ip地址啥 的，那个虚拟网卡没起来，提示 fail to enable virtual adpter。不知道和虚拟环境有没啥关系。

ahjxmsw

mobaia 发表于 2014-3-21 15:44
我刚用gns3架ezvpn服务器，桥接到电脑上，电脑上装cisco VPN client 5.0.07试了，刚开始也是抱这个错，奇怪 ...

我重新做了一遍，客户端竟然就可以连接了。。。。。无语
只不过客户端连接后，还是无法和内网的机器通信，我的客户端是装在虚拟机上，本机做内网，不知道跟这个有没有关系。

mobaia

你这个配置有不少问题，nat的access-list也没配