Hello everyone! I have a problem: on an ASA I configured an IPsec (IKEv1) Remote Access VPN (for Windows) using the wizard, but it does not work (error 800); if I disable PFS, the VPN comes up. What could the problem be?
Here is the config:
ASA Version 8.4(6)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
ospf cost 10
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.10
vlan 10
nameif dmz10
security-level 10
ip address 172.16.1.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 172.16.3.18 255.255.255.240
ospf cost 10
!
interface Ethernet0/3
description LAN Failover Interface
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
ospf cost 10
management-only
ftp mode passive
clock timezone MSK 4
dns domain-lookup outside
dns domain-lookup dmz10
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 195.14.50.1
domain-name rosavto.ru
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network l
subnet 172.16.3.0 255.255.255.240
object network h
host 172.16.3.4
object network 172.16.3.18
host 172.16.3.19
description 255.255.255.240
object network 172.16.3.19
host 172.16.3.19
description 255.255.255.240
object network NETWORK_OBJ_172.16.3.16_28
subnet 172.16.3.16 255.255.255.240
object network vpn
subnet 172.16.3.16 255.255.255.240
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any
access-list DefaultRAGroup_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz10 1500
mtu inside 1500
mtu management 1500
ip local pool p 172.16.3.20-172.16.3.30 mask 255.255.255.240
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.3.16_28 NETWORK_OBJ_172.16.3.16_28 no-proxy-arp route-lookup
nat (inside,any) source static any any destination static vpn vpn
!
object network 172.16.3.19
nat (inside,outside) dynamic interface
object network vpn
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
!
router ospf 1
network 172.16.0.2 255.255.255.255 area 0
log-adj-changes
redistribute static subnets
!
route outside 0.0.0.0 0.0.0.0 x1.x1.x1.x1 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
http 172.16.3.0 255.255.255.240 inside
http 10.0.4.118 255.255.255.255 inside
http 172.16.0.128 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
quit
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 172.16.0.128 255.255.255.128 inside
ssh 10.0.4.118 255.255.255.255 inside
ssh 172.16.3.0 255.255.255.240 inside
ssh 172.16.0.10 255.255.255.255 inside
ssh timeout 20
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.190.168.1 source outside
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 195.14.50.1 172.16.2.2
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value rosavto.ru
group-policy DfltGrpPolicy attributes
dns-server value 195.14.50.1
username 12345 password eiGZD809dZlB5FxJDxQ9Xw== nt-encrypted privilege 0
username 12345 attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool p
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/odd ... DCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Here is what the logs show at the moment of connection:
|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
4|Aug 29 2013|15:29:01|113019|||||Group = DefaultRAGroup, Username = , IP = y.y.y.y, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Aug 29 2013|15:29:01|713259|||||Group = DefaultRAGroup, IP = y.y.y.y, Session is being torn down. Reason: Phase 2 Mismatch
3|Aug 29 2013|15:29:01|713902|||||Group = DefaultRAGroup, IP = y.y.y.y, Removing peer from correlator table failed, no match!
3|Aug 29 2013|15:29:01|713902|||||Group = DefaultRAGroup, IP = y.y.y.y, QM FSM error (P2 struct &0xac6ef730, mess id 0x70ce6747)!
5|Aug 29 2013|15:29:01|713904|||||Group = DefaultRAGroup, IP = y.y.y.y, All IPSec SA proposals found unacceptable!
6|Aug 29 2013|15:29:01|713177|||||Group = DefaultRAGroup, IP = y.y.y.y, Received remote Proxy Host FQDN in ID Payload: Host Name: ws-35.domen.ru Address y.y.y.y, Protocol 17, Port 1701
3|Aug 29 2013|15:29:01|713122|||||IP = y.y.y.y, Keep-alives configured on but peer does not support keep-alives (type = None)
5|Aug 29 2013|15:29:01|713119|||||Group = DefaultRAGroup, IP = y.y.y.y, PHASE 1 COMPLETED
6|Aug 29 2013|15:29:01|113009|||||AAA retrieved default group policy (DefaultRAGroup) for user = DefaultRAGroup
6|Aug 29 2013|15:29:01|713172|||||Group = DefaultRAGroup, IP = y.y.y.y, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
6|Aug 29 2013|15:29:01|302015|y.y.y.y|47490|x.x.x.x|4500|Built inbound UDP connection 295 for outside:y.y.y.y/47490 (y.y.y.y/47490) to identity:x.x.x.x/4500 (x.x.x.x/4500)
5|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
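An added triage helper for log excerpts like the one above (constructed here, not from the post, Cisco or ASDM): it parses the pipe-delimited ASDM lines, collects the received-vs-configured DH group pairs from the 713257 messages, and checks whether Phase 1 completed (713119) before the IPsec SA proposals were rejected (713904 / Phase 2 Mismatch), in which case the group being compared is the Quick Mode (PFS) group rather than the IKE policy group. `SAMPLE_LOG`, `parse_line`, `triage` and the verdict labels are assumed names, and the sample lines are constructed copies of the post's log shape.

```python
import re
from collections import Counter

# Constructed sample, shaped like the ASDM log excerpt in the post
# (severity|date|time|syslog-id|src-ip|src-port|dst-ip|dst-port|text).
SAMPLE_LOG = """\
5|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
4|Aug 29 2013|15:29:01|113019|||||Group = DefaultRAGroup, Username = , IP = y.y.y.y, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Aug 29 2013|15:29:01|713904|||||Group = DefaultRAGroup, IP = y.y.y.y, All IPSec SA proposals found unacceptable!
5|Aug 29 2013|15:29:01|713119|||||Group = DefaultRAGroup, IP = y.y.y.y, PHASE 1 COMPLETED
6|Aug 29 2013|15:29:01|302015|y.y.y.y|47490|x.x.x.x|4500|Built inbound UDP connection 295 for outside:y.y.y.y/47490 (y.y.y.y/47490) to identity:x.x.x.x/4500 (x.x.x.x/4500)
5|Aug 29 2013|15:29:01|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
"""

GROUP_RE = re.compile(
    r"class Group Description: Rcv'd: (?P<rcvd>Group \d+|Unknown) Cfg'd: (?P<cfgd>Group \d+)")

def parse_line(line):
    """Split one ASDM-style pipe-delimited record; None if the line is not one."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 9 or not parts[3].isdigit():
        return None
    # The free-text field may itself contain '|', so re-join the tail.
    return {"msg_id": parts[3], "text": "|".join(parts[8:])}

def triage(log_text):
    """Summarise DH-group mismatches (713257) and whether the session passed
    Phase 1 (713119) and was then rejected in Phase 2 (713904 / 113019)."""
    mismatches = Counter()
    phase1_completed = phase2_rejected = False
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["msg_id"] == "713257":
            m = GROUP_RE.search(rec["text"])
            if m:
                mismatches[(m["rcvd"], m["cfgd"])] += 1
        elif rec["msg_id"] == "713119":
            phase1_completed = True
        elif rec["msg_id"] == "713904" or "Phase 2 Mismatch" in rec["text"]:
            phase2_rejected = True
    # 713257 is labelled "Phase 1 failure", but when Phase 1 completed and the
    # IPsec SA proposals were then rejected, the group being compared is the
    # Quick Mode (PFS) group; "Unknown" means the peer offered no PFS group.
    if phase1_completed and phase2_rejected and mismatches:
        verdict = "pfs-group-mismatch"
    elif mismatches:
        verdict = "ike-phase1-group-mismatch"
    else:
        verdict = "no-group-mismatch"
    return {"phase1_completed": phase1_completed, "phase2_rejected": phase2_rejected,
            "group_mismatches": dict(mismatches), "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the post's excerpt, the verdict points at the `set pfs` group on the dynamic crypto map rather than at the `crypto ikev1 policy` group.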