L2TP/IPSec from Windows 7 to ASA 5520

9

I'm trying to set up L2TP/IPSec on our ASA5520 to support an edge case for one of our developers. The Windows VPN subsystem apparently caches the Kerberos or NTLM cookie for the logon when you use the built-in VPN subsystem, and the Cisco VPN client and the AnyConnect client don't do that.

When I try to connect to the VPN from Windows 7, the connection fails:


%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713119: Group = DefaultRAGroup, IP = 1.2.3.4, PHASE 1 COMPLETED
%ASA-3-713122: IP = 1.2.3.4, Keep-alives configured on but peer does not support keep-alives (type = None)
%ASA-5-713257: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)
%ASA-5-713904: Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
%ASA-3-713902: Group = DefaultRAGroup, IP = 1.2.3.4, QM FSM error (P2 struct &0x749f2490, mess id 0x1)!
%ASA-3-713902: Group = DefaultRAGroup, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
%ASA-5-713259: Group = DefaultRAGroup, IP = 1.2.3.4, Session is being torn down. Reason: Phase 2 Mismatch
%ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 1.2.3.4, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

Specifically, I think this error is the relevant one:

Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)

Debugging the crypto engine doesn't seem to be much help; the output below is with isakmp at level 127 and ipsec at level 100:


7|Apr 26 2012|02:10:38|713236|||||IP = 1.2.3.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Traversal VID ver RFC payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ISAKMP SA payload
7|Apr 26 2012|02:10:30|715028|||||IP = 1.2.3.4, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 1
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing IKE SA payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received Fragmentation VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal ver 02 VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal RFC VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Oakley proposal is acceptable
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing SA payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
4|Apr 26 2012|02:10:30|113019|||||Group = DefaultRAGroup, Username = , IP = 1.2.3.4, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Apr 26 2012|02:10:30|713259|||||Group = DefaultRAGroup, IP = 1.2.3.4, Session is being torn down. Reason: Phase 2 Mismatch
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=3a0d0c58) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing qm hash payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing IKE delete payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing blank hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending delete/delete with reason message
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE SA MM:c7159238 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE SA MM:c7159238 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
3|Apr 26 2012|02:10:30|713902|||||Group = DefaultRAGroup, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending delete/delete with reason message
7|Apr 26 2012|02:10:30|715065|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE QM Responder FSM error history (struct &0x766c58e8)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
3|Apr 26 2012|02:10:30|713902|||||Group = DefaultRAGroup, IP = 1.2.3.4, QM FSM error (P2 struct &0x766c58e8, mess id 0x1)!
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=bf34e4e7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing qm hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing ipsec notify payload for msg id 1
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing blank hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending notify message
5|Apr 26 2012|02:10:30|713904|||||Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing IPSec SA payload
7|Apr 26 2012|02:10:30|713066|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: OUTSIDE_DYN_MAP
7|Apr 26 2012|02:10:30|715059|||||Group = DefaultRAGroup, IP = 1.2.3.4, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Apr 26 2012|02:10:30|713224|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map Check by-passed: Crypto map entry incomplete!
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 65499...
7|Apr 26 2012|02:10:30|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = vpnmap, seq = 20, ACL does not match proxy IDs src:1.2.3.4 dst:64.34.119.71
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 20...
7|Apr 26 2012|02:10:30|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = vpnmap, seq = 10, ACL does not match proxy IDs src:1.2.3.4 dst:64.34.119.71
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 10...
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, QM IsRekeyed old sa not found by addr
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing NAT-Original-Address payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing NAT-Original-Address payload
7|Apr 26 2012|02:10:30|720041|||||(VPN-Secondary) Sending Phase 1 Rcv Delete message (type RA, remote addr 1.2.3.4, my cookie C7159238, his cookie E973BA0F) to standby unit
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, L2TP/IPSec session detected.
7|Apr 26 2012|02:10:30|713024|||||Group = DefaultRAGroup, IP = 1.2.3.4, Received local Proxy Host data in ID Payload:  Address 64.34.119.71, Protocol 17, Port 1701
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
7|Apr 26 2012|02:10:30|713025|||||Group = DefaultRAGroup, IP = 1.2.3.4, Received remote Proxy Host data in ID Payload:  Address 10.65.3.237, Protocol 17, Port 1701
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing nonce payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing SA payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing hash payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
7|Apr 26 2012|02:10:30|714003|||||IP = 1.2.3.4, IKE Responder starting QM: msg id = 00000001
7|Apr 26 2012|02:10:30|720041|||||(VPN-Secondary) Sending New Phase 1 SA message (type RA, remote addr 1.2.3.4, my cookie C7159238, his cookie E973BA0F) to standby unit
7|Apr 26 2012|02:10:30|715080|||||Group = DefaultRAGroup, IP = 1.2.3.4, Starting P1 rekey timer: 21600 seconds.
3|Apr 26 2012|02:10:30|713122|||||IP = 1.2.3.4, Keep-alives configured on but peer does not support keep-alives (type = None)
7|Apr 26 2012|02:10:30|713121|||||IP = 1.2.3.4, Keep-alive type for this connection: None
5|Apr 26 2012|02:10:30|713119|||||Group = DefaultRAGroup, IP = 1.2.3.4, PHASE 1 COMPLETED
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing dpd vid payload
7|Apr 26 2012|02:10:30|715076|||||Group = DefaultRAGroup, IP = 1.2.3.4, Computing hash for ISAKMP
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing hash payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing ID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Connection landed on tunnel_group DefaultRAGroup
6|Apr 26 2012|02:10:30|713172|||||Group = DefaultRAGroup, IP = 1.2.3.4, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
7|Apr 26 2012|02:10:30|715076|||||Group = DefaultRAGroup, IP = 1.2.3.4, Computing hash for ISAKMP
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing hash payload
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, Generating keys for Responder...
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Connection landed on tunnel_group DefaultRAGroup
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Discovery payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Discovery payload
7|Apr 26 2012|02:10:30|715048|||||IP = 1.2.3.4, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing VID payload
7|Apr 26 2012|02:10:30|715038|||||IP = 1.2.3.4, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
7|Apr 26 2012|02:10:30|715048|||||IP = 1.2.3.4, Send IOS VID
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing xauth V6 VID payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Cisco Unity VID payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing nonce payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ke payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing NAT-Discovery payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing NAT-Discovery payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing nonce payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing ISA_KE payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing ke payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 260
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Traversal VID ver RFC payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ISAKMP SA payload
7|Apr 26 2012|02:10:30|715028|||||IP = 1.2.3.4, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 1
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing IKE SA payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received Fragmentation VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal ver 02 VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal RFC VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Oakley proposal is acceptable
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing SA payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
5|Apr 26 2012|02:10:21|111005|||||1.2.3.4 end configuration: OK
7|Apr 26 2012|02:10:16|713906|||||IP = 1.2.3.4, sending delete/delete with reason message
7|Apr 26 2012|02:10:16|713906|||||IP = 1.2.3.4, IKE SA MM:b1f927e6 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
7|Apr 26 2012|02:10:16|715065|||||IP = 1.2.3.4, IKE MM Responder FSM error history (struct &0x76bd68f8)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
5|Apr 26 2012|02:10:16|111010|||||User 'pgrace', running 'CLI' from IP 1.2.3.4, executed 'logging asdm debugging'

Here is my configuration:


ny-asa01# sh run crypto
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 10 set security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 10 set reverse-route
crypto dynamic-map OUTSIDE_DYN_MAP 20 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map OUTSIDE_DYN_MAP 20 set nat-t-disable
crypto dynamic-map L2TP_MAP 10 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto map vpnmap 10 match address A_to_B_vpn
crypto map vpnmap 10 set pfs
crypto map vpnmap 10 set peer 9.8.7.6
crypto map vpnmap 10 set ikev1 transform-set ESP-3DES-SHA
crypto map vpnmap 20 match address B_TO_C_vpn
crypto map vpnmap 20 set pfs
crypto map vpnmap 20 set peer 5.4.3.2
crypto map vpnmap 20 set ikev1 transform-set ESP-3DES-SHA
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 300
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group DefaultRAGroup general-attributes
 address-pool stackvpn_pool
 authentication-server-group RADIUS_SERVER
 accounting-server-group RADIUS_SERVER
 default-group-policy stackvpn_l2tp
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap

group-policy stackvpn_l2tp internal
group-policy stackvpn_l2tp attributes
 dns-server value 5.6.7.8 9.10.11.12
 vpn-tunnel-protocol l2tp-ipsec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT_TUNNEL
 address-pools value stackvpn_pool

Obviously a phase 2 mismatch would normally be resolved by changing the proposals, but unfortunately it seems Windows 7 doesn't let you touch the proposal settings. There is no way to explicitly enable NAT-T in the Win7 configuration.

So my question is this: is my configuration messed up? Does anyone have L2TP working properly with Windows 7 on an ASA running 8.4?

Peter Grace
source
1
Phase 1 fails because you haven't configured the client to use Diffie-Hellman Group 2. And yet the server requires it.
Topdog
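As an added example, not part of the original thread and not a Cisco-supplied fix, here is how the dynamic-map side of the configuration above could be reworked so that a Windows L2TP/IPsec client behind NAT can land on a transport-mode transform set. It assumes one reading of the debug output: phase 1 completes normally (transform 5 matches policy 1, so the "Rcv'd: Unknown" group lines are only the ASA skipping DH groups it does not know), the client is behind NAT ("Remote end IS behind a NAT device"), and the decisive line is the phase 2 mismatch "Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)". In the posted config the only dynamic-map entry that offers transport mode (OUTSIDE_DYN_MAP 20) also carries `set nat-t-disable`, so a NAT-T peer is never evaluated against it, and the L2TP_MAP dynamic map is defined but never attached to a crypto map. The example reuses the existing transform-set names; the verification commands at the end are the ones a practitioner would run after the change.

```cisco
! Added example: dynamic-map rework for a Windows L2TP/IPsec client behind NAT.
! Assumes the reading of the debug described in the lead-in; check it against your own output.

! Transport-mode transform sets already exist in the posted config; L2TP/IPsec needs one of them.
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport

! Before (as posted): entry 10 offers only the tunnel-mode set, and entry 20, the only
! transport-mode entry, refuses NAT-T. A NAT-T peer is therefore only ever compared
! against "UDP Tunnel(NAT-T)" and phase 2 fails.
!   crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
!   crypto dynamic-map OUTSIDE_DYN_MAP 20 set ikev1 transform-set TRANS_ESP_3DES_MD5
!   crypto dynamic-map OUTSIDE_DYN_MAP 20 set nat-t-disable

! After: let the first dynamic entry offer tunnel and transport sets side by side (the ASA
! picks whichever matches the peer's proposal), and stop disabling NAT-T on entry 20.
crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5
no crypto dynamic-map OUTSIDE_DYN_MAP 20 set nat-t-disable

! NAT-T must stay enabled globally so ESP is carried in UDP/4500 (already present in the post).
crypto isakmp nat-traversal 300

! The dynamic entry must keep the highest sequence number in the static map (65500 here,
! above the L2L entries 10 and 20) so the static peers are not consulted for a remote-access client.
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map vpnmap interface outside

! Verification after the Windows client reconnects: the SA for the peer should report
! transport mode with UDP encapsulation, and the session should appear in the session DB.
!   show crypto ipsec sa peer 1.2.3.4
!   show vpn-sessiondb summary
!   debug crypto ikev1 127
```

Two checks before blaming the ASA: the debug shows "This end is NOT behind a NAT device", so the Windows-side registry setting AssumeUDPEncapsulationContextOnSendRule (which Microsoft documents for the case where the server sits behind NAT) is not needed here; and since phase 1 already completes on 3DES/SHA/group 2 against policy 1, nothing in the IKE policy has to change for connectivity, though adding a stronger IKEv1 policy alongside it costs nothing.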

Answers:

0

I have IPsec working in "lan-to-lan" mode between Windows 7 and an ASA running 8.3(2)13 (FIPS certified).

I'm pretty sure you're right about the error - if it can't negotiate an SA, you're sunk.

I'd try getting rid of "NAT Traversal". Obviously, you may actually be trying to go through NAT, in which case it may be necessary. But that sure looks like the cause of your problem.

I think your other option is to figure out how to get Windows 7 to do the nat-traversal SA type. You could try poking around in netsh advfirewall consec on the Windows box.

Here's a reference I had bookmarked: http://technet.microsoft.com/en-us/library/dd736198(v=ws.10).aspx

One note - the Windows documentation talks a LOT about how important it is to rekey the connection regularly. However, if you rekey too often, the ASA dumps and drops the connection. Make sure you don't rekey more often than every 2 minutes. Using MS's recommended byte count for rekeying made it come in under 2 minutes.

When we opened a support case, M$ couldn't really give any real reason for their recommendation. They sent us a big fat bill.

Dan Pritts
source
1
hah, just noticed the date on the question. oh well, maybe this will be useful to someone...
Dan Pritts
-1

For anyone who ends up here:

Cisco troubleshooting guide: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution14

If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all the other static crypto map entries.

Gerrit
source