Configuring AnyConnect VPN over IPsec on an ASA5525-X

Sergey Prishchepa
I want to set up AnyConnect VPN over IPsec on an ASA5525-X, IOS 9.1.1. I configured it with the AnyConnect VPN Wizard. The client I am using is 3.1.02040; I copied the file AnyConnectVPN_client_profile.xml, which was on flash:, to the client at C:\program Files\Cisco AnyConnect Secure Mobility Client\Profile\. It looks like the client is trying to connect over SSH; maybe I put the xml in the wrong place or named it wrong? What could the problem be?

Config:

names
ip local pool vpn_pool_AnyConnect 192.168.1.1-192.168.1.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.248.3 255.255.255.248 standby 192.168.248.4
!
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 1.1.1.3 255.255.255.0 standby 1.1.1.4
!
!
interface Management0/0
description LAN/STATE Failover Interface
management-only
nameif management
security-level 100
ip address 192.168.250.58 255.255.255.248 standby 192.168.250.59
!
!
!
access-group inside_in in interface inside
access-group inside-guest_access_in in interface inside-guest
access-group outside_in in interface outside
access-group server-inside in interface server-inside
access-group tmg-dmz in interface tmg-dmz
access-group tmg_in in interface tmg
access-group dmzmgmt_in in interface dmz-mgmt
access-group dmz_in in interface dmz
!
router eigrp 168
network 192.168.238.0 255.255.255.0
network 192.168.239.0 255.255.255.0
network 192.168.247.0 255.255.255.0
network 192.168.248.0 255.255.255.248
network 192.168.248.64 255.255.255.192
network 1.1.1.0 255.255.255.248
!
router rip
!
route outside 0.0.0.0 0.0.0.0 1.1.1.5 1
route outside 1.0.0.0 255.0.0.0 1.1.1.5 1
!
!
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=MMK-F-01
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=MMK-F-01
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1
certificate ae951d51
ааааааааааааааааааааааааааааааааа
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
!
!
webvpn
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles AnyConnectVPN_client_profile disk0:/AnyConnectVPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
!
group-policy GroupPolicy_AnyConnectVPN internal
group-policy GroupPolicy_AnyConnectVPN attributes
wins-server none
dns-server value 8.8.4.4
vpn-tunnel-protocol ikev2
default-domain none
webvpn
anyconnect profiles value AnyConnectVPN_client_profile type user
!
!
tunnel-group AnyConnectVPN type remote-access
tunnel-group AnyConnectVPN general-attributes
address-pool vpn_pool_AnyConnect
default-group-policy GroupPolicy_AnyConnectVPN
tunnel-group AnyConnectVPN webvpn-attributes
group-alias AnyConnectVPN enable

Connection log:

Feb 15 2013 06:51:55 MMK-F-01 : %ASA-6-302013: Built inbound TCP connection 112 for outside:1.1.1.2/64022 (1.1.1.2/64022) to identity:1.1.1.3/443 (1.1.1.3/443)
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/64022 for TLSv1 session.
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725010: Device supports the following 4 cipher(s).
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725011: Cipher[1] : RC4-SHA
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725011: Cipher[2] : AES128-SHA
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725011: Cipher[3] : AES256-SHA
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725011: Cipher[4] : DES-CBC3-SHA
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725008: SSL client outside:1.1.1.2/64022 proposes the following 8 cipher(s).
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725011: Cipher[1] : AES128-SHA
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725011: Cipher[2] : AES256-SHA
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725011: Cipher[3] : RC4-SHA
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725011: Cipher[4] : DES-CBC3-SHA
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725011: Cipher[8] : RC4-MD5
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:1.1.1.2/64022
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-6-725002: Device completed SSL handshake with client outside:1.1.1.2/64022
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-6-725007: SSL session with client outside:1.1.1.2/64022 terminated.
Feb 15 2013 06:51:55 MMK-F-01 : %ASA-6-302014: Teardown TCP connection 112 for outside:1.1.1.2/64022 to identity:1.1.1.3/443 duration 0:00:00 bytes 625 TCP Reset-I
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-6-302013: Built inbound TCP connection 113 for outside:1.1.1.2/64023 (1.1.1.2/64023) to identity:1.1.1.3/443 (1.1.1.3/443)
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-6-725001: Starting SSL handshake with client outside:1.1.1.2/64023 for TLSv1 session.
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725010: Device supports the following 4 cipher(s).
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725011: Cipher[1] : RC4-SHA
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725011: Cipher[2] : AES128-SHA
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725011: Cipher[3] : AES256-SHA
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725011: Cipher[4] : DES-CBC3-SHA
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725008: SSL client outside:1.1.1.2/64023 proposes the following 8 cipher(s).
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725011: Cipher[1] : AES128-SHA
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725011: Cipher[2] : AES256-SHA
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725011: Cipher[3] : RC4-SHA
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725011: Cipher[4] : DES-CBC3-SHA
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725011: Cipher[8] : RC4-MD5
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:1.1.1.2/64023
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-6-725002: Device completed SSL handshake with client outside:1.1.1.2/64023
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-6-725007: SSL session with client outside:1.1.1.2/64023 terminated.
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-6-302014: Teardown TCP connection 113 for outside:1.1.1.2/64023 to identity:1.1.1.3/443 duration 0:00:00 bytes 1104 TCP Reset-O
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-710005: TCP request discarded from 1.1.1.2/64023 to outside:1.1.1.3/443
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-710005: TCP request discarded from 1.1.1.2/64023 to outside:1.1.1.3/443
Feb 15 2013 06:51:58 MMK-F-01 : %ASA-7-710005: TCP request discarded from 1.1.1.2/64023 to outside:1.1.1.3/443

AnyConnectVPN_client_profile.xml

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ServerList>
<HostEntry>
<HostName>MMK-F-01 (IPsec)</HostName>
<HostAddress>1.1.1.3</HostAddress>
<PrimaryProtocol>IPsec</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>
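The crypto sections of the posted config carry a number of legacy settings (DES and 3DES proposals, MD5 ESP integrity, PFS group 1, IKEv2 DH groups 2 and 5). The script below is an added example for this thread, not Cisco code and not the poster's own: it parses the `crypto ikev2 policy` and `crypto ipsec ikev2 ipsec-proposal` blocks of an ASA running-config and lists every weak algorithm it finds, and it picks out the `crypto ikev2 enable ... client-services` line, since with that enabled the AnyConnect IKEv2 client first connects over TLS to that port to fetch its profile, which is why HTTPS hits on 443 appear even for an IPsec-only tunnel group. The weak-algorithm lists are the example's own assumptions, and SAMPLE_CONFIG is a constructed excerpt modelled on the config above.

```python
"""Audit the IKEv2 / IPsec crypto sections of an ASA running-config.

Added example for this thread; not Cisco code and not the poster's own.
Assumptions: the weak-algorithm sets below, and SAMPLE_CONFIG, which is a
constructed excerpt modelled on the posted config (indentation already lost).
"""
from __future__ import annotations

# Assumption: DES/3DES and MD5 are flagged outright; DH groups 1, 2 and 5
# are flagged because they are below 2048-bit MODP.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}

SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 3DES DES
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
"""


def parse_crypto_sections(config: str) -> list[tuple[str, list[str]]]:
    """Group the config into (header, body-lines) pairs, one per 'crypto ...'
    command. The pasted config has no indentation, so a section is simply
    every non-comment line up to the next line that starts with 'crypto '."""
    sections: list[tuple[str, list[str]]] = []
    current: tuple[str, list[str]] | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("crypto "):
            current = (line, [])
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return sections


def audit_ikev2(config: str) -> list[tuple[str, str, str]]:
    """Return (section header, attribute, weak value) for each weak setting."""
    policy_checks = {"encryption": WEAK_ENCRYPTION, "integrity": WEAK_INTEGRITY,
                     "prf": WEAK_INTEGRITY, "group": WEAK_DH_GROUPS}
    findings: list[tuple[str, str, str]] = []
    for header, body in parse_crypto_sections(config):
        if header.startswith("crypto ikev2 policy "):
            for line in body:                      # e.g. "group 5 2"
                parts = line.split()
                weak = policy_checks.get(parts[0])
                if weak:
                    findings += [(header, parts[0], v) for v in parts[1:] if v in weak]
        elif header.startswith("crypto ipsec ikev2 ipsec-proposal "):
            for line in body:                      # e.g. "protocol esp integrity sha-1 md5"
                parts = line.split()
                if len(parts) >= 4 and parts[:2] == ["protocol", "esp"]:
                    weak = WEAK_ENCRYPTION if parts[2] == "encryption" else WEAK_INTEGRITY
                    findings += [(header, "esp " + parts[2], v) for v in parts[3:] if v in weak]
        elif " set pfs " in header:                # e.g. "... set pfs group1"
            group = header.rsplit(" ", 1)[1]
            if group.startswith("group") and group[len("group"):] in WEAK_DH_GROUPS:
                findings.append((header, "pfs", group[len("group"):]))
    return findings


def ikev2_client_services(config: str) -> str | None:
    """Return the 'crypto ikev2 enable ... client-services' line, if present.
    That command makes the ASA serve AnyConnect profile/config downloads over
    TLS on the given port before the IKEv2 exchange starts."""
    for header, _ in parse_crypto_sections(config):
        if header.startswith("crypto ikev2 enable ") and "client-services" in header:
            return header
    return None


if __name__ == "__main__":
    for section, attr, value in audit_ikev2(SAMPLE_CONFIG):
        print(f"WEAK  {section}: {attr} {value}")
    print("client-services:", ikev2_client_services(SAMPLE_CONFIG))
```

Feed it `show running-config | begin crypto` output trimmed to the crypto blocks; the parser attaches any non-`crypto` lines that follow the last crypto command to that command's body, so cut the config off before `webvpn` or leave the trailing lines out. The fix the findings point at is to drop the DES/3DES proposals and `md5` from the ESP integrity lists, remove policies 30 and 40, and raise `set pfs` and the IKEv2 `group` values to 2048-bit or larger groups.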

Sergey Prishchepa

It seems to me that my license is not activated? For some reason I assumed that since it can only be done over IPsec, there was no need to buy anything extra.

Failover                        : Enabled
Encryption-DES                  : Enabled
Encryption-3DES-AES             : Enabled
Security Contexts               : Default
GTP/GPRS                        : Disabled
AnyConnect Premium Peers        : Default
Other VPN Peers                 : Default
Advanced Endpoint Assessment    : Disabled
AnyConnect for Mobile           : Disabled
AnyConnect for Cisco VPN Phone  : Disabled
Shared License                  : Disabled
UC Phone Proxy Sessions         : Default
Total UC Proxy Sessions         : Default
AnyConnect Essentials           : Disabled
Botnet Traffic Filter           : Disabled
Intercompany Media Engine       : Disabled
IPS Module                      : Enabled