I am connecting a remote ASA to the central site using the following settings:
Phase 1 IKE:
Encryption: DES
Authentication: MD5
DH: DH2
Phase 2:
Encryption: DES
Authentication: MD5
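I am getting the following errors: "Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping" and "Information Exchange processing failed".
I then removed all references to my L2TP VPN policy and everything started working. It seems I cannot get the L2TP and Lan-2-Lan VPNs to run properly at the same time.
Now the Lan-2-Lan VPN works, but L2TP no longer works after I added it back (whereas before, L2TP worked but lan2lan did not). I think this has to do with having multiple IKE policies.
How can I get Lan2Lan and L2TP (for Windows 7 and Mac clients) working at the same time?
Many thanks.
My configuration is as follows: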
names
name 192.168.40.0 othersite
!
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 othersite 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.30.192 255.255.255.192
access-list outside_1_cryptomap extended permit ip 192.168.30.0 255.255.255.0 othersite 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.30.0 255.255.255.0
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
ip local pool VPNLAN 192.168.30.210-192.168.30.240 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.30.0 255.255.255.0
nat (outside) 1 192.168.30.0 255.255.255.0
access-group OUTSIDE_IN_ACL in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-3DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 95.97.2.218
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.30.3
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNLAN
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group 45.27.21.7 type ipsec-l2l
tunnel-group 45.27.21.7 ipsec-attributes
 pre-shared-key *****
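
As an added example (not part of the original post, and not an answer to it), the Python below reads the ISAKMP and crypto map lines of the configuration above. It reports which `crypto isakmp policy` entries match a given Phase 1 proposal, which use DES or MD5, and which crypto map peers have no `tunnel-group ... type ipsec-l2l` with the same address. The function names are hypothetical, and addresses in a posted configuration may have been anonymized.

```python
import re

# Excerpt of the configuration posted above (only the lines these checks read).
CONFIG = """\
crypto map outside_map 1 set peer 95.97.2.218
crypto isakmp policy 10
 encryption des
 hash md5
 group 2
crypto isakmp policy 30
 encryption 3des
 hash sha
 group 2
tunnel-group 45.27.21.7 type ipsec-l2l
"""

KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}

def isakmp_policies(cfg):
    """Return {priority: {keyword: value}}; works with or without indentation."""
    policies, current = {}, None
    for line in cfg.splitlines():
        words = line.split()
        if len(words) == 4 and words[:3] == ["crypto", "isakmp", "policy"]:
            current = policies.setdefault(int(words[3]), {})
        elif current is not None and len(words) == 2 and words[0] in KEYS:
            current[words[0]] = words[1]
        else:
            current = None  # any other line ends the policy block
    return policies

def matching_policies(cfg, proposal):
    """Priorities whose attributes equal every attribute of the peer's proposal."""
    return [p for p, a in sorted(isakmp_policies(cfg).items())
            if all(a.get(k) == v for k, v in proposal.items())]

def weak_policies(cfg):
    """Priorities that still negotiate DES encryption or an MD5 hash."""
    return [p for p, a in sorted(isakmp_policies(cfg).items())
            if a.get("encryption") == "des" or a.get("hash") == "md5"]

def unmatched_l2l_peers(cfg):
    """Crypto map peers with no 'tunnel-group <address> type ipsec-l2l'."""
    peers = set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)", cfg, re.M))
    groups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", cfg, re.M))
    return sorted(peers - groups)

if __name__ == "__main__":
    phase1 = {"encryption": "des", "hash": "md5", "group": "2"}  # from the post
    print(matching_policies(CONFIG, phase1), weak_policies(CONFIG), unmatched_l2l_peers(CONFIG))
```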