Tôi đang cố gắng thiết lập L2TP / IPSec trên ASA5520 của chúng tôi để hỗ trợ trường hợp bên lề cho một trong những nhà phát triển của chúng tôi. Hệ thống con Windows VPN rõ ràng lưu trữ cookie kerberos hoặc NTLM để đăng nhập khi bạn sử dụng hệ thống con vpn tích hợp và máy khách Cisco VPN và máy khách AnyConnect không làm điều này.
Khi tôi cố gắng kết nối với VPN qua Windows 7, kết nối không thành công:
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
%ASA-5-713119: Group = DefaultRAGroup, IP = 1.2.3.4, PHASE 1 COMPLETED
%ASA-3-713122: IP = 1.2.3.4, Keep-alives configured on but peer does not support keep-alives (type = None)
%ASA-5-713257: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)
%ASA-5-713904: Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
%ASA-3-713902: Group = DefaultRAGroup, IP = 1.2.3.4, QM FSM error (P2 struct &0x749f2490, mess id 0x1)!
%ASA-3-713902: Group = DefaultRAGroup, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
%ASA-5-713259: Group = DefaultRAGroup, IP = 1.2.3.4, Session is being torn down. Reason: Phase 2 Mismatch
%ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 1.2.3.4, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Cụ thể, tôi nghĩ lỗi này có liên quan: Các
loại thuộc tính không khớp cho Chế độ đóng gói lớp: Rcv'd: UDP Transport Cfg'd: UDP Tunnel (NAT-T)
Việc gỡ lỗi từ trình điều khiển tiền điện tử dường như không giúp ích nhiều; bên dưới là với cấp độ isakmp 127 và cấp độ ipsec 100:
7|Apr 26 2012|02:10:38|713236|||||IP = 1.2.3.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Traversal VID ver RFC payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ISAKMP SA payload
7|Apr 26 2012|02:10:30|715028|||||IP = 1.2.3.4, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing IKE SA payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received Fragmentation VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal ver 02 VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal RFC VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Oakley proposal is acceptable
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing SA payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
4|Apr 26 2012|02:10:30|113019|||||Group = DefaultRAGroup, Username = , IP = 1.2.3.4, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Apr 26 2012|02:10:30|713259|||||Group = DefaultRAGroup, IP = 1.2.3.4, Session is being torn down. Reason: Phase 2 Mismatch
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=3a0d0c58) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing qm hash payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing IKE delete payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing blank hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending delete/delete with reason message
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE SA MM:c7159238 terminating: flags 0x01000002, refcnt 0, tuncnt 0
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE SA MM:c7159238 rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
3|Apr 26 2012|02:10:30|713902|||||Group = DefaultRAGroup, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending delete/delete with reason message
7|Apr 26 2012|02:10:30|715065|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE QM Responder FSM error history (struct &0x766c58e8) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
3|Apr 26 2012|02:10:30|713902|||||Group = DefaultRAGroup, IP = 1.2.3.4, QM FSM error (P2 struct &0x766c58e8, mess id 0x1)!
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=bf34e4e7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing qm hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing ipsec notify payload for msg id 1
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing blank hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending notify message
5|Apr 26 2012|02:10:30|713904|||||Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing IPSec SA payload
7|Apr 26 2012|02:10:30|713066|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: OUTSIDE_DYN_MAP
7|Apr 26 2012|02:10:30|715059|||||Group = DefaultRAGroup, IP = 1.2.3.4, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Apr 26 2012|02:10:30|713224|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map Check by-passed: Crypto map entry incomplete!
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 65499...
7|Apr 26 2012|02:10:30|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = vpnmap, seq = 20, ACL does not match proxy IDs src:1.2.3.4 dst:64.34.119.71
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 20...
7|Apr 26 2012|02:10:30|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = vpnmap, seq = 10, ACL does not match proxy IDs src:1.2.3.4 dst:64.34.119.71
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 10...
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, QM IsRekeyed old sa not found by addr
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing NAT-Original-Address payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing NAT-Original-Address payload
7|Apr 26 2012|02:10:30|720041|||||(VPN-Secondary) Sending Phase 1 Rcv Delete message (type RA, remote addr 1.2.3.4, my cookie C7159238, his cookie E973BA0F) to standby unit
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, L2TP/IPSec session detected.
7|Apr 26 2012|02:10:30|713024|||||Group = DefaultRAGroup, IP = 1.2.3.4, Received local Proxy Host data in ID Payload: Address 64.34.119.71, Protocol 17, Port 1701
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
7|Apr 26 2012|02:10:30|713025|||||Group = DefaultRAGroup, IP = 1.2.3.4, Received remote Proxy Host data in ID Payload: Address 10.65.3.237, Protocol 17, Port 1701
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing nonce payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing SA payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing hash payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
7|Apr 26 2012|02:10:30|714003|||||IP = 1.2.3.4, IKE Responder starting QM: msg id = 00000001
7|Apr 26 2012|02:10:30|720041|||||(VPN-Secondary) Sending New Phase 1 SA message (type RA, remote addr 1.2.3.4, my cookie C7159238, his cookie E973BA0F) to standby unit
7|Apr 26 2012|02:10:30|715080|||||Group = DefaultRAGroup, IP = 1.2.3.4, Starting P1 rekey timer: 21600 seconds.
3|Apr 26 2012|02:10:30|713122|||||IP = 1.2.3.4, Keep-alives configured on but peer does not support keep-alives (type = None)
7|Apr 26 2012|02:10:30|713121|||||IP = 1.2.3.4, Keep-alive type for this connection: None
5|Apr 26 2012|02:10:30|713119|||||Group = DefaultRAGroup, IP = 1.2.3.4, PHASE 1 COMPLETED
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing dpd vid payload
7|Apr 26 2012|02:10:30|715076|||||Group = DefaultRAGroup, IP = 1.2.3.4, Computing hash for ISAKMP
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing hash payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing ID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Connection landed on tunnel_group DefaultRAGroup
6|Apr 26 2012|02:10:30|713172|||||Group = DefaultRAGroup, IP = 1.2.3.4, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
7|Apr 26 2012|02:10:30|715076|||||Group = DefaultRAGroup, IP = 1.2.3.4, Computing hash for ISAKMP
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing hash payload
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, Generating keys for Responder...
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Connection landed on tunnel_group DefaultRAGroup
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Discovery payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Discovery payload
7|Apr 26 2012|02:10:30|715048|||||IP = 1.2.3.4, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing VID payload
7|Apr 26 2012|02:10:30|715038|||||IP = 1.2.3.4, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
7|Apr 26 2012|02:10:30|715048|||||IP = 1.2.3.4, Send IOS VID
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing xauth V6 VID payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Cisco Unity VID payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing nonce payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ke payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing NAT-Discovery payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing NAT-Discovery payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing nonce payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing ISA_KE payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing ke payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 260
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Traversal VID ver RFC payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ISAKMP SA payload
7|Apr 26 2012|02:10:30|715028|||||IP = 1.2.3.4, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing IKE SA payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received Fragmentation VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal ver 02 VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal RFC VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Oakley proposal is acceptable
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing SA payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
5|Apr 26 2012|02:10:21|111005|||||1.2.3.4 end configuration: OK
7|Apr 26 2012|02:10:16|713906|||||IP = 1.2.3.4, sending delete/delete with reason message
7|Apr 26 2012|02:10:16|713906|||||IP = 1.2.3.4, IKE SA MM:b1f927e6 terminating: flags 0x01000002, refcnt 0, tuncnt 0
7|Apr 26 2012|02:10:16|715065|||||IP = 1.2.3.4, IKE MM Responder FSM error history (struct &0x76bd68f8) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
5|Apr 26 2012|02:10:16|111010|||||User 'pgrace', running 'CLI' from IP 1.2.3.4, executed 'logging asdm debugging'
Đây là cấu hình của tôi:
ny-asa01# sh run crypto
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 10 set security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 10 set reverse-route
crypto dynamic-map OUTSIDE_DYN_MAP 20 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map OUTSIDE_DYN_MAP 20 set nat-t-disable
crypto dynamic-map L2TP_MAP 10 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto map vpnmap 10 match address A_to_B_vpn
crypto map vpnmap 10 set pfs
crypto map vpnmap 10 set peer 9.8.7.6
crypto map vpnmap 10 set ikev1 transform-set ESP-3DES-SHA
crypto map vpnmap 20 match address B_TO_C_vpn
crypto map vpnmap 20 set pfs
crypto map vpnmap 20 set peer 5.4.3.2
crypto map vpnmap 20 set ikev1 transform-set ESP-3DES-SHA
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 300
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group DefaultRAGroup general-attributes
address-pool stackvpn_pool
authentication-server-group RADIUS_SERVER
accounting-server-group RADIUS_SERVER
default-group-policy stackvpn_l2tp
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
group-policy stackvpn_l2tp internal
group-policy stackvpn_l2tp attributes
dns-server value 5.6.7.8 9.10.11.12
vpn-tunnel-protocol l2tp-ipsec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_SPLIT_TUNNEL
address-pools value stackvpn_pool
Rõ ràng, sự không phù hợp giai đoạn 2 thường sẽ được giải quyết bằng cách thay đổi các đề xuất, nhưng thật không may là Windows 7 không cho phép bạn thực hiện các cài đặt đề xuất. Không có cách nào để bật NAT-T một cách rõ ràng trong cấu hình Win7.
Vì vậy, câu hỏi của tôi là: Cấu hình của tôi có bị hỏng không? Có ai có L2TP hoạt động đúng với Windows 7 trên ASA với 8.4 được tải không?