CISCO 3662 IPSEC VPN 拨入的问题

我有一个CISCO 3662再上面配置了PPTP 和IPSEC VPN拨入,PPTP拨入没有问题,但是使用CISCO VPN CLIENT 4.01 始终拨不上去,提示:
SEVURE VPN CONNECTION TERMINATED LOCALLY BY THE CLIENT REASON:THE REMOTE PEER IS NO LONGER RESPONDING

下面是CISCO 3662 配置 :
cisco3662-1>en
welcome to you !!please input your password:
cisco3662-1#show runn
Building configuration...

Current configuration : 2441 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco3662-1
!
boot-start-marker
boot system tftp c3660-ik9s-mz.124-1a.bin 10.1.14.200
boot-end-marker
!
enable secret 5 $1$gqa0$FpG7mXkuYK3/DZfHRrqyP/
enable password 7 070C294540081506184259
!
aaa new-model
!
!
aaa authentication password-prompt "welcome to you !!please input your password:"
aaa authentication username-prompt "welcome to you !!please input your uasernam:"
aaa authentication login default local-case enable
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip domain lookup
no ip dhcp use vrf connected
!
!
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username chalco password 7 02050C5A0705007115
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp client configuration address-pool local ourpool
!
crypto isakmp client configuration group cisco
key cisco123
pool ourpool
!
!
crypto ipsec transform-set trans1 esp-des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set trans1
!
!
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
ip address 10.100.100.1 255.255.255.0
!
interface FastEthernet0/0
ip address 210.82.28.29 255.255.255.252
ip access-group deny-virus in
speed 10
full-duplex
!
interface FastEthernet0/1
ip address 10.1.14.100 255.255.255.0
speed auto
full-duplex
mls rp vlan-id 2
crypto map intmap
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool test
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap
!
ip local pool test 192.168.1.1 192.168.1.250
ip local pool ourpool 10.2.1.1 10.2.1.254
ip http server
no ip http secure-server
!
ip classless
ip route 0.0.0.0 0.0.0.0 210.82.28.30
ip route 10.1.1.0 255.255.255.0 210.82.32.141
!
!
!
ip access-list extended deny-virus
deny tcp any any eq 135
deny tcp any any eq 139
deny tcp any any eq 445
deny udp any any eq 1434
permit ip any any
deny tcp any any eq 1720
snmp-server community public RO
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
password 7 070C285F4D06
line aux 0
line vty 0 4
password 7 070C294540081506184259
!
!
end

请大家帮助看一下有什么问题么?
我是用一个SWITCH 连接F0/1 PC接在SWITCH上拨ROUTER的F0/1口 ROUTER F0/0口是DOWN的 !!1
多谢!!

顶 DEBUG完了以后总是提示 HASH算法与策略不匹配!!
encryption DES-CBC
hash MD5
default group 2
auth pre-share
life type in seconds
life duration (VPI) of 0x0 0x20 0xC4 0x9B

0:0:N/A:0):Hash algorithm offered does not match policy!
atts are not acceptable. Next payload is 0
no offers accepted!
phase 1 SA policy not acceptable! (local 192.168.1
.1 remote 192.168.1.2)
incrementing error counter on sa: construct_fail_ag
_init
sending packet to 192.168.1.2 my_port 500 peer_por
t 500 (R) AG_NO_STATE
peer does not do paranoid keepalives.

04:23:36: ISAKMP

0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not a
ccepted" state (R) AG_NO_STATE (peer 192.168.1.2)
04:23:36: ISAKMP

0:0:N/A:0): processing KE payload. message ID = 0

请问有谁知道原因??
多谢

加密方式

再发个配置你自己参照着修改吧

Router#sh run
Building configuration...

Current configuration : 1412 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
!
username cisco password 0 cisco
memory-size iomem 15
ip subnet-zero
!
!
!
--More-- !
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group test
key test
pool testpool
acl 101
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
--More-- !
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
description connect to vpn client
ip address 192.168.0.2 255.255.255.0
duplex auto
speed auto
crypto map clientmap
--More-- !
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip local pool testpool 192.168.0.20 192.168.0.30
ip classless
ip http server
!
!
access-list 101 permit ip any any
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
--More-- !
!
line con 0
line aux 0
line vty 0 4
!
!
end

Router#

按照上面的文档改了一下配置,
User Access Verification

welcome to you !!please input your uasernam:
welcome to you !!please input your uasernam:chalco
welcome to you !!please input your password:

cisco3662-1>en
welcome to you !!please input your password:
cisco3662-1#show runn
Building configuration...

Current configuration : 2468 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco3662-1
!
boot-start-marker
boot system tftp c3660-ik9s-mz.124-1a.bin 10.1.14.200
boot-end-marker
!
enable secret 5 $1$gqa0$FpG7mXkuYK3/DZfHRrqyP/
enable password 7 070C294540081506184259
!
aaa new-model
!
!
aaa authentication password-prompt "welcome to you !!please input your password:"
aaa authentication username-prompt "welcome to you !!please input your uasernam:"
aaa authentication login default local enable
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip domain lookup
no ip dhcp use vrf connected
!
!
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username chalco password 7 02050C5A0705007115
!
!
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
crypto isakmp client configuration address-pool local ourpool
!
crypto isakmp client configuration group cisco3000
key cisco123
pool ourpool
acl 101
!
!
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set trans1
!
!
crypto map intmap client authentication list default
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
ip address 10.100.100.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
speed auto
full-duplex
!
interface FastEthernet0/1
ip address 10.1.14.100 255.255.255.0
speed auto
full-duplex
mls rp vlan-id 2
crypto map intmap
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool test
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap
!
ip local pool ourpool 10.2.1.1 10.2.1.254
ip local pool test 192.168.1.10 192.168.1.250
ip http server
no ip http secure-server
!
ip classless
ip route 0.0.0.0 0.0.0.0 210.82.28.30
ip route 10.1.1.0 255.255.255.0 210.82.32.141
!
!
!
ip access-list extended deny-virus
deny tcp any any eq 135
deny tcp any any eq 139
deny tcp any any eq 445
deny udp any any eq 1434
permit ip any any
deny tcp any any eq 1720
access-list 101 permit ip any any
snmp-server community public RO
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
password 7 070C285F4D06
line aux 0
line vty 0 4
password 7 070C294540081506184259
!
!
end

还是不行!!
这回提示变成了 Preshared authentication offered but does not match
policy!

06:39:16: ISAKMP: encryption DES-CBC
06:39:16: ISAKMP: hash MD5
06:39:16: ISAKMP: default group 2
06:39:16: ISAKMP: auth pre-share
06:39:16: ISAKMP: life type in seconds
06:39:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
06:39:16: ISAKMP

0:0:N/A:0):Preshared authentication offered but does not match
policy!
06:39:16: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 0
06:39:16: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535
policy

你再对照对照吧 aaa 认证好像还有问题！
还有你的CLIENT设置的用户名和密码要和路由器配置的一致！

AAA 认证不知道哪里有问题 ??
用户名密码在VPN CLIENT GROUP AUTHENTICATION 中 name cisco3000 password:cisco123.
但是总是提示:
Preshared authentication offered but does not match
policy!
不知道是在那里有问题??
此外现在我的F0/0口不知道为什么不能够TELNET 只有F0/1口可以TELNET ????

顶有谁能知道呢??

顶有谁能知道呢??

再顶急,有谁知道问题大概出在哪里呢??

我也发个配置给你参考吧！两过的路由器的 crypto isakmp policy 要一样哈，不匹配是不行的哈

User Access Verification

Password:
Password:
Password:
zb>en
Password:
zb#shwo run
^
% Invalid input detected at '^' marker.

zb#show run
Building configuration...

Current configuration : 4717 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname zb
!
logging buffered 4096 debugging
no logging console
enable secret level 2 5 $1$yPiT$y2KX2xAk4qwN5e3lJozr50
enable secret 5 $1$ut9m$1yeHdH8KJTFaYBEMZACA2.
!
username sclq password 0 sclq
username daqiao password 0 daqiao
!
!
ip subnet-zero
ip cef
!
!
ip host c3550 192.168.0.222
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
ip address-pool local
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
lcp renegotiation always
no l2tp tunnel authentication
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto ipsec transform-set rtpset3 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset4 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset5 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset6 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset8 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset7 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset2 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto dynamic-map rtpmap 10
set transform-set rtpset
match address 115
crypto dynamic-map rtpmap 12
set transform-set rtpset2
match address 108
crypto dynamic-map rtpmap 13
set transform-set rtpset3
match address 117
crypto dynamic-map rtpmap 14
set transform-set rtpset4
match address 118
crypto dynamic-map rtpmap 15
set transform-set rtpset5
match address 119
crypto dynamic-map rtpmap 16
set transform-set rtpset6
match address 109
crypto dynamic-map rtpmap 17
set transform-set rtpset7
match address 107
!
!
crypto map rtptrans 12 ipsec-isakmp dynamic rtpmap
!
modemcap entry cx
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 220.167.25.153 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.0.3 255.255.255.0
ip access-group 160 in
ip nat inside
no keepalive
speed auto
full-duplex
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool pool1
ppp authentication pap
!
ip local pool pool1 192.168.0.66 192.168.0.80
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 220.167.25.1
no ip http server
ip pim bidir-enable
!
access-list 106 permit ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 107 permit ip 192.168.0.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 108 permit ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 117 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 118 permit ip 192.168.0.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 119 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 120 deny ip 192.168.0.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 120 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 120 deny ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 120 deny ip 192.168.0.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 120 deny ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 120 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 deny ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 120 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
access-list 160 permit tcp any any eq 20021
access-list 160 permit udp any any eq 20021
access-list 160 permit tcp any any eq 20040
access-list 160 permit udp any any eq 20040
access-list 160 permit tcp any any eq 18080
access-list 160 permit udp any any eq 18080
access-list 160 permit tcp any any eq 22223
access-list 160 deny tcp any any eq 135
access-list 160 deny tcp any any eq 445
access-list 160 permit udp any any eq 8000
access-list 160 deny tcp any any range 10000 30000
access-list 160 deny udp any any range 10000 30000
access-list 160 permit ip any any
!
route-map nonat permit 10
match ip address 120
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
privilege exec level 2 show run
!
line con 0
line aux 0
line vty 0 3
exec-timeout 0 0
password sclq
login
line vty 4
exec-timeout 0 0
password sclq
login
transport input lat pad v120 lapb-ta telnet rlogin udptn ssh
line vty 5 134
password sclq
login

多谢楼上的但是我做的是VPN CLIENT 拨入不是SITE-TO-SITE的

顶！！！

问题已经解决了!!

啥原因？？？

感谢楼上的兄弟的确是AAA认证的问题!!
将原来配置中的
aaa authentication login default local enable
crypto map intmap client authentication list default
改为:
aaa authentication login userauth local
aaa authorization network groupauth local
crypto map intmap client authentication list userauth
crypto map intmap isakmp authorization list groupauth

旧一切OK了可以拨入上去获得IP地址 10.2.1.2
但是我不明白为什么??
而且我将上面的aaa authorization network groupauth local 和crypto map intmap isakmp authorization list groupauth NO掉也不行,将AAA认证取消也不行!!不知道为什么???

此外,现在的问题是VPN拨入进来以后获得了IP地址但是不能PING 通LOOPBAKC0口!!??
请问大家有谁知道原因??
多谢

ip route 0.0.0.0 0.0.0.0 210.82.28.30
ip route 10.1.1.0 255.255.255.0 210.82.32.141
请问这两句要不要颠倒一下啊?
我是才鸟!我要学习

收藏分享评分

回复引用

订阅 TOP

返回列表