Re: VPN Connectエラー

RANRAN · ‎2020-02-26

VPN設定中問題があり確認をお願い致します。

c892(IOS 15.3(3))にIPSecのリモート設定を行い

Windows10を使っている端末で接続をしようとしています。

PacketTracerで一回動作を確認し問題なくVPNがつながることを確認していますがなぜか実際端末に適用するとphase1でエラーが発生します。

Windowsには

VPNプロバイダー：Windows(ビルトイン)

接続名：test

サーバー名またはアドレス：192.168.200.1

VPNの種類：事前共有キーを使ったL2TP/IPsec

事前共有キー：test

サインイン情報の種類：ユーザー名とパスワード

ユーザー名：test

パスワード：test

で設定しており

下にコンフィグとVPN接続中にスイッチ側で発生する

Debug内容を記載します。

Windowsでは789エラーが発生しました。

宜しくお願い致します。

Router#sh run

Building configuration...

Current configuration : 2443 bytes

!

! Last configuration change at 00:14:50 UTC Thu Feb 20 2020

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

aqm-register-fnf

!

aaa new-model

!

aaa authentication login REMOTE local

aaa authorization network REMOTE local

!

aaa session-id common

!

ip dhcp pool REMOTE

network 192.168.0.0 255.255.255.0

default-router 192.168.0.1

!

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

license udi pid CISCO892-K9

!

vtp mode transparent

username test password 0 test

!

redundancy

!

vlan 51

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 5

!

crypto isakmp client configuration group test

key test

pool REMOTE_POOL

netmask 255.255.255.0

!

crypto ipsec security-association lifetime seconds 1800

!

crypto ipsec transform-set tset esp-aes esp-sha-hmac

mode tunnel

!

crypto dynamic-map dmap 10

set transform-set tset

reverse-route

!

crypto map cmap client authentication list REMOTE

crypto map cmap isakmp authorization list REMOTE

crypto map cmap client configuration address respond

crypto map cmap 10 ipsec-isakmp dynamic dmap

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

isdn termination multidrop

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

no ip address

!

interface FastEthernet5

no ip address

!

interface FastEthernet6

no ip address

!

interface FastEthernet7

no ip address

!

interface FastEthernet8

ip address 192.168.200.1 255.255.255.0

duplex auto

speed auto

crypto map cmap

!

interface GigabitEthernet0

ip address 192.168.0.1 255.255.255.0

duplex auto

speed auto

!

interface Vlan1

no ip address

!

router ospf 1

network 192.168.0.1 0.0.0.0 area 0

network 192.168.200.1 0.0.0.0 area 0

!

ip local pool REMOTE_POOL 192.168.0.200 192.168.0.210

ip forward-protocol nd

no ip http server

no ip http secure-server

!

control-plane

!

mgcp behavior rsip-range tgcp-only

mgcp behavior comedia-role none

mgcp behavior comedia-check-media-src disable

mgcp behavior comedia-sdp-force disable

!

mgcp profile default

!

line con 0

line aux 0

line vty 0 4

transport input all

!

end

Router#

＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿＿

*Feb 20 00:18:21.599: ISAKMP (0): received packet from 192.168.200.2 dport 500 sport 500 Global (N) NEW SA

*Feb 20 00:18:21.599: ISAKMP: Created a peer struct for 192.168.200.2, peer port 500

*Feb 20 00:18:21.599: ISAKMP: New peer created peer = 0x8D2753FC peer_handle = 0x80000004

*Feb 20 00:18:21.599: ISAKMP: Locking peer struct 0x8D2753FC, refcount 1 for crypto_isakmp_process_block

*Feb 20 00:18:21.599: ISAKMP:(0):Setting client config settings 88688C60

*Feb 20 00:18:21.599: ISAKMP:(0):(Re)Setting client xauth list and state

*Feb 20 00:18:21.599: ISAKMP/xauth: initializing AAA request

*Feb 20 00:18:21.603: ISAKMP: local port 500, remote port 500

*Feb 20 00:18:21.603: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8B409DA0

*Feb 20 00:18:21.603: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Feb 20 00:18:21.603: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Feb 20 00:18:21.603: ISAKMP:(0): processing SA payload. message ID = 0

*Feb 20 00:18:21.603: ISAKMP:(0): processing vendor id payload

*Feb 20 00:18:21.603: ISAKMP:(0): processing IKE frag vendor id payload

*Feb 20 00:18:21.603: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Feb 20 00:18:21.603: ISAKMP:(0): processing vendor id payload

*Feb 20 00:18:21.603: ISAKMP:(0): processing IKE frag vendor id payload

*Feb 20 00:18:21.603: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Feb 20 00:18:21.603: ISAKMP:(0): processing vendor id payload

*Feb 20 00:18:21.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Feb 20 00:18:21.603: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Feb 20 00:18:21.603: ISAKMP:(0): processing vendor id payload

*Feb 20 00:18:21.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Feb 20 00:18:21.603: ISAKMP:(0): vendor ID is NAT-T v2

*Feb 20 00:18:21.603: ISAKMP:(0): processing vendor id payload

*Feb 20 00:18:21.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch

*Feb 20 00:18:21.603: ISAKMP:(0): processing vendor id payload

*Feb 20 00:18:21.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch

*Feb 20 00:18:21.603: ISAKMP:(0): processing vendor id payload

*Feb 20 00:18:21.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch

*Feb 20 00:18:21.603: ISAKMP:(0): processing vendor id payload

*Feb 20 00:18:21.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch

*Feb 20 00:18:21.603: ISAKMP:(0):No pre-shared key with 192.168.200.2!

*Feb 20 00:18:21.603: ISAKMP:(0): Authentication by xauth preshared

*Feb 20 00:18:21.603: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Feb 20 00:18:21.603: ISAKMP: encryption AES-CBC

*Feb 20 00:18:21.603: ISAKMP: keylength of 256

*Feb 20 00:18:21.603: ISAKMP: hash SHA

*Feb 20 00:18:21.603: ISAKMP: default group 20

*Feb 20 00:18:21.603: ISAKMP: auth pre-share

*Feb 20 00:18:21.603: ISAKMP: life type in seconds

*Feb 20 00:18:21.603: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

*Feb 20 00:18:21.603: ISAKMP:(0):Preshared authentication offered but does not match policy!

*Feb 20 00:18:21.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Feb 20 00:18:21.603: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy

*Feb 20 00:18:21.603: ISAKMP: encryption AES-CBC

*Feb 20 00:18:21.603: ISAKMP: keylength of 128

*Feb 20 00:18:21.603: ISAKMP: hash SHA

*Feb 20 00:18:21.603: ISAKMP: default group 19

*Feb 20 00:18:21.603: ISAKMP: auth pre-share

*Feb 20 00:18:21.603: ISAKMP: life type in seconds

*Feb 20 00:18:21.603: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

*Feb 20 00:18:21.603: ISAKMP:(0):Proposed key length does not match policy

*Feb 20 00:18:21.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Feb 20 00:18:21.603: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy

*Feb 20 00:18:21.603: ISAKMP: encryption AES-CBC

*Feb 20 00:18:21.603: ISAKMP: keylength of 256

*Feb 20 00:18:21.603: ISAKMP: hash SHA

*Feb 20 00:18:21.603: ISAKMP: default group 14

*Feb 20 00:18:21.603: ISAKMP: auth pre-share

*Feb 20 00:18:21.603: ISAKMP: life type in seconds

*Feb 20 00:18:21.603: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

*Feb 20 00:18:21.603: ISAKMP:(0):Preshared authentication offered but does not match policy!

*Feb 20 00:18:21.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Feb 20 00:18:21.603: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy

*Feb 20 00:18:21.603: ISAKMP: encryption 3DES-CBC

*Feb 20 00:18:21.603: ISAKMP: hash SHA

*Feb 20 00:18:21.603: ISAKMP: default group 14

*Feb 20 00:18:21.603: ISAKMP: auth pre-share

*Feb 20 00:18:21.603: ISAKMP: life type in seconds

*Feb 20 00:18:21.603: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

*Feb 20 00:18:21.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Feb 20 00:18:21.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Feb 20 00:18:21.603: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy

*Feb 20 00:18:21.603: ISAKMP: encryption 3DES-CBC

*Feb 20 00:18:21.603: ISAKMP: hash SHA

*Feb 20 00:18:21.603: ISAKMP: default group 2

*Feb 20 00:18:21.603: ISAKMP: auth pre-share

*Feb 20 00:18:21.603: ISAKMP: life type in seconds

*Feb 20 00:18:21.603: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

*Feb 20 00:18:21.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Feb 20 00:18:21.603: ISAKMP:(0):atts are not acceptable. Next payload is 0

*Feb 20 00:18:21.603: ISAKMP:(0):no offers accepted!

*Feb 20 00:18:21.607: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.168.200.1 remote 192.168.200.2)

*Feb 20 00:18:21.607: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

*Feb 20 00:18:21.607: ISAKMP:(0): Failed to construct AG informational message.

*Feb 20 00:18:21.607: ISAKMP:(0): sending packet to 192.168.200.2 my_port 500 peer_port 500 (R) MM_NO_STATE

*Feb 20 00:18:21.607: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Feb 20 00:18:21.607: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb 20 00:18:21.607: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.200.2)