Denis Ivanov
Beginner

ASA-5508 Не работает сервер IPsec (IKEv1)

Добрый день. Сервер IPsec (IKEv1) не работает: клиенты при подключении получают ошибку 412, то есть соединение не устанавливается.

AnyConnect работает без проблем. Подскажите, где ошибка?

! Global settings: enable secret, service-module keepalives, per-session
! xlate exclusions, and the address pool for remote-access VPN clients.
! The poster masked the password value (*****); only the pbkdf2 storage type
! is visible.
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
no mac-address auto
! VPN-POOL (192.168.6.45-.60) is carved out of the same 192.168.6.0/24 that is
! assigned to the inside interface, so VPN clients and LAN hosts share one
! subnet. Both tunnel-groups in this file reference this pool.
ip local pool VPN-POOL 192.168.6.45-192.168.6.60 mask 255.255.255.0

!
! Interface roles: Gi1/1 is the LAN side (nameif inside, security-level 100),
! Gi1/8 is the Internet-facing side (nameif outside, security-level 0), and
! Management1/1 carries no nameif, security-level or address.
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 192.168.6.10 255.255.255.0
!
interface GigabitEthernet1/8
nameif outside
security-level 0
! Public address masked by the poster (84.***); the /29 mask is still visible.
ip address 84.*** 255.255.255.248
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
! System image, clock/DNS, network objects, logging, NAT exemption for the VPN
! range, default route, and management-plane AAA/HTTP settings.
! The image file name (asa9-15-1-...) suggests ASA software 9.15(1) -- confirm
! with "show version".
boot system disk0:/asa9-15-1-lfbff-k8.SPA
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name orto.ru
! 192.168.6.32/27 (hosts .33-.62) contains the whole VPN-POOL range .45-.60.
object network NETWORK_OBJ_192.168.6.32_27
subnet 192.168.6.32 255.255.255.224
object network NETWORK_OBJ_192.168.6.0_24
subnet 192.168.6.0 255.255.255.0
! Standard ACL used as the split-tunnel network list by both group-policies.
access-list split-acl standard permit 192.168.6.0 255.255.255.0
pager lines 24
! Only ASDM logging is configured in this listing; no "logging host" or
! buffered logging appears, so VPN negotiation failures are not being sent to
! an external collector from what is shown here.
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
! Two identity-NAT (NAT exemption) rules toward the VPN range. The first one
! already matches "any" source, so the second (source 192.168.6.0/24) is a
! subset of it and is never reached for that traffic.
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.6.32_27 NETWORK_OBJ_192.168.6.32_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.6.0_24 NETWORK_OBJ_192.168.6.0_24 destination static NETWORK_OBJ_192.168.6.32_27 NETWORK_OBJ_192.168.6.32_27 no-proxy-arp route-lookup
! Default route; next hop masked by the poster.
route outside 0.0.0.0 0.0.0.0 84.*** 1
timeout xlate 3:00:00
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
! SSH and HTTP (ASDM) administration authenticate against the LOCAL user
! database; no external AAA server group is defined in this listing.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
! ASDM/HTTPS management is enabled and limited to the inside /24.
http server enable
http 192.168.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
! IPsec (phase 2) definitions: IKEv1 transform sets, IKEv2 proposals, the
! dynamic crypto map used for remote-access peers, and its binding to the
! outside interface.
! Every transform set and proposal here uses SHA-1 for ESP integrity.
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
! NOTE(review): the name says DES but the body is esp-aes/esp-sha-hmac, i.e.
! identical to ESP-AES-128-SHA. The name is misleading when auditing; the
! negotiated cipher is AES.
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1
! NOTE(review): proposals "3DES" and "DES" below are also configured with
! "encryption aes", so they duplicate proposal "AES" under a different name.
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
! PFS is required on dynamic-map entry 10 (the entry carrying the IKEv1
! transform sets). No DH group is given, so the release default applies --
! TODO confirm which group that is. A peer whose phase-2 proposal omits PFS or
! uses a different group would not match this entry; worth checking when
! IKEv1 clients fail to connect.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
! The dynamic map is attached as the last entry (65535) of outside_map, and
! outside_map is applied to the outside interface.
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
! Self-signed identity certificate ("enrollment self", CN=IMPEX). Elsewhere in
! this file the same trustpoint is used for IKEv2 remote access and as the SSL
! trust-point on both inside and outside, so clients cannot validate it
! against a public CA and have to trust it explicitly.
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=IMPEX
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
! Only the first line of the certificate hex dump is present in the post; the
! rest appears to have been cut by the poster.
certificate 00f5debc5f
308201d4 3082013d a0030201 02020500 f5debc5f 300d0609 2a864886 f70d0101
quit
! IKEv2 (phase 1) policies for the AnyConnect path, which the poster reports
! as working. All four policies use SHA-256 for integrity/PRF and DH group 5
! (1536-bit MODP); only the AES key size differs.
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha256
group 5
prf sha256
lifetime seconds 86400
! Policies 20 and 40 are identical (aes / sha256 / group 5); one is redundant.
crypto ikev2 policy 20
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 40
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
! IKEv2 is enabled on outside with client services on TCP/443, authenticated
! with the self-signed ASDM_TrustPoint0 certificate.
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
! IKEv1 (phase 1) policies for the failing IPsec remote-access path.
! Policies 1, 10 and 40 authenticate with a pre-shared key; 20, 50 and 80 use
! RSA signatures. All six use SHA-1 ("hash sha") and DH group 14.
!
! NOTE(review): because every policy requires group 14, an IKEv1 client that
! can only offer a different DH group will match none of them and phase 1 will
! not complete. The post does not state what the actual cause of the 412 error
! was, so treat this as one thing to check, together with the PFS setting on
! the dynamic crypto map. "debug crypto ikev1" and "show crypto isakmp sa" on
! the ASA show which proposal the client sent and why it was rejected.
!
! NOTE(review): IKEv1 with a group pre-shared key is a legacy design. If it
! must stay enabled, use a long random key; no "crypto ikev1 am-disable"
! appears in this listing, so aggressive mode is presumably still accepted --
! confirm. The IKEv2/SSL path already configured in this file is the stronger
! option for clients that support it.
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 14
lifetime 86400
! Management-plane access (Telnet/SSH/console), threat detection, and the
! certificate presented on TLS listeners.
! No "telnet <network> <interface>" line is present, so only the timeout is
! set for Telnet in this listing.
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 15
ssh version 2
! NOTE(review): dh-group1-sha1 is a 1024-bit DH group with SHA-1 and is the
! weakest SSH key exchange the platform offers. Prefer a group-14 key exchange
! (e.g. dh-group14-sha256 where the running release supports it).
ssh key-exchange group dh-group1-sha1
! SSH is accepted only from the inside /24.
ssh 192.168.6.0 255.255.255.0 inside
! A value of 0 disables the idle timeout, so an abandoned console session
! stays logged in.
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! The self-signed ASDM_TrustPoint0 certificate is presented on both
! interfaces, including the Internet-facing one used by AnyConnect clients.
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
! WebVPN / AnyConnect service settings: listener on outside, HTTP security
! response headers, client image and profile, and login-page behaviour.
! Sub-command indentation was lost when the configuration was pasted.
webvpn
enable outside
http-headers
! HSTS is sent with a one-year max-age and covers sub-domains.
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect-essentials
! The file name indicates AnyConnect 4.8.02045 for Windows is the package
! deployed to clients from the ASA.
anyconnect image disk0:/anyconnect-win-4.8.02045-webdeploy-k9.pkg 1
anyconnect profiles anyconnect_vpn_client_profile disk0:/anyconnect_vpn_client_profile.xml
anyconnect enable
! Shows the list of enabled group aliases on the login page, which makes
! connection-profile names visible before authentication.
tunnel-group-list enable
cache
disable
error-recovery disable
! Group policies, the local user, and the two remote-access connection
! profiles: EVPN-GROUP (IKEv1 IPsec, the failing path) and anyconnect_vpn
! (IKEv2/SSL, the working path). Both use split tunnelling limited to
! split-acl (192.168.6.0/24) and the same VPN-POOL.
group-policy EVPN-GROUP internal
group-policy EVPN-GROUP attributes
wins-server value 192.168.6.4
dns-server value 192.168.6.4
! Only IKEv1 is allowed for this policy.
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl
default-domain value orto.ru
group-policy GroupPolicy_anyconnect_vpn internal
group-policy GroupPolicy_anyconnect_vpn attributes
wins-server value 192.168.6.4
dns-server value 192.168.6.4
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl
split-tunnel-all-dns disable
webvpn
anyconnect profiles value anyconnect_vpn_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
! NOTE(review): the only local account shown has privilege 15. Neither
! tunnel-group names an authentication-server-group, so VPN logins presumably
! fall back to this LOCAL database -- confirm. If so, the VPN credential and
! the device-administration credential are the same account; a separate
! non-privileged user for VPN access would limit the impact of a leaked
! password.
username denis password ***** pbkdf2 privilege 15
tunnel-group anyconnect_vpn type remote-access
tunnel-group anyconnect_vpn general-attributes
address-pool VPN-POOL
default-group-policy GroupPolicy_anyconnect_vpn
tunnel-group anyconnect_vpn webvpn-attributes
group-alias anyconnect_vpn enable
tunnel-group EVPN-GROUP type remote-access
tunnel-group EVPN-GROUP general-attributes
address-pool VPN-POOL
default-group-policy EVPN-GROUP
tunnel-group EVPN-GROUP ipsec-attributes
! Group pre-shared key, masked by the poster. The tunnel-group name
! (EVPN-GROUP) is the group name the IKEv1 client has to present, and the key
! is shared by every client in the group.
ikev1 pre-shared-key *****
!
! Application-inspection policy applied globally, followed by the prompt,
! call-home setting and the configuration checksum trailer.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect snmp
!
! global_policy is attached to all interfaces.
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
! Checksum the ASA appends to the stored configuration; it identifies this
! exact configuration text and is not a credential.
Cryptochecksum:2e1abdfae2962f3a5f39d8415a011522
: end

 

----

нашел причину.
