Ladies and gentlemen, technical experts, I've run into a problem recently. I wouldn't trouble everyone unless I had no other choice...
Dialing an IKEv2 FlexVPN with AnyConnect never succeeds. The device model is C1117-4P, version 17.7.6, and the AnyConnect version is 4.10. After dialing with AnyConnect, a prompt appears and then the connection is interrupted.
The device configuration is as follows:
aaa authorization network acvpn-aaa-author local
crypto pki trustpoint acvpn.local
enrollment url http://192.168.50.254:80
serial-number
subject-name cn=acvpn.local, ou=iteachs.com
subject-alt-name acvpn.local
revocation-check none
crypto pki certificate chain acvpn.local
certificate 02
quit
certificate ca 01
quit
username acvpn privilege 0 secret 9 $9$8BdJ39e86YA6/.$ETr4dZxCkZ5oAG25d3MneCLnjpUxhVU9RPQDQsLzFvA
crypto ikev2 authorization policy acvpn-ikev2-auth-policy
pool acvpn-ipv4-pool
def-domain iteachs.com
route set remote ipv4 192.168.0.0 255.255.0.0
crypto ikev2 proposal acvpn-ikev2-proposal
encryption aes-cbc-256
integrity sha256
group 15 19
crypto ikev2 policy acvpn-ikev2-policy
proposal acvpn-ikev2-proposal
crypto ikev2 profile acvpn-ikev2-profile
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint acvpn.local
aaa authentication anyconnect-eap acvpn-aaa-authen
aaa authorization group anyconnect-eap list acvpn-aaa-author acvpn-ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 10
anyconnect profile acvpn
crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
crypto ipsec transform-set acvpn-ts esp-aes 256 esp-sha256-hmac
mode transport
crypto ipsec profile acvpn-profile
set transform-set acvpn-ts
set ikev2-profile acvpn-ikev2-profile
interface Virtual-Template10 type tunnel
description To:ACVPN-Client
ip unnumbered Dialer1
tunnel mode ipsec dual-overlay
tunnel protection ipsec profile acvpn-profile
ip local pool acvpn-ipv4-pool 192.168.51.1 192.168.51.100
The output of show version on the device is as follows:
Cisco IOS XE Software, Version 17.06.08a
Cisco IOS Software [Bengaluru], ISR Software (ARMV8EL_LINUX_IOSD-UNIVERSALK9-M), Version 17.6.8a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2024 by Cisco Systems, Inc.
Compiled Mon 14-Oct-24 07:31 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2024 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: 17.5(1r)
NJ-Home-C1117 uptime is 1 day, 17 hours, 9 minutes
Uptime for this control processor is 1 day, 17 hours, 11 minutes
System returned to ROM by Reload Command at 16:38:36 Beijing Tue Nov 19 2024
System restarted at 16:42:18 Beijing Tue Nov 19 2024
System image file is "bootflash:c1100-universalk9.17.06.08a.SPA.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Suite License Information for Module:'esg'
--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  Smart License  None
securityk9
appxk9
Technology Package License Information:
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9           None             Smart License         None
uck9             None             Smart License         None
securityk9       securityk9       Smart License         securityk9
ipbase           ipbasek9         Smart License         ipbasek9
The current throughput level is unthrottled
Smart Licensing Status: Registration Not Applicable/Not Applicable
cisco C1117-4P (1RU) processor with 1400278K/6147K bytes of memory.
Processor board ID FGL2342L2UQ
Router operating mode: Autonomous
1 Ethernet interface
3 Virtual Ethernet interfaces
5 Gigabit Ethernet interfaces
1 ATM interface
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
2863103K bytes of flash memory at bootflash:.
Configuration register is 0x2102
Relevant debug output:
Nov 21 09:46:56.673: IKEv2:Received Packet [From 114.222.31.28:17234/To 222.94.190.160:500/VRF i0:f0]
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)
Nov 21 09:46:56.674: IKEv2:(SESSION ID = 252,SA ID = 1):Verify SA init message
Nov 21 09:46:56.675: IKEv2:(SESSION ID = 252,SA ID = 1):Insert SA
Nov 21 09:46:56.675: IKEv2:Searching Policy with fvrf 0, local address 222.94.190.160
Nov 21 09:46:56.675: IKEv2:Found Policy 'acvpn-ikev2-policy'
Nov 21 09:46:56.675: IKEv2:(SESSION ID = 252,SA ID = 1):Processing IKE_SA_INIT message
Nov 21 09:46:56.676: IKEv2:(SESSION ID = 252,SA ID = 1):Received valid config mode data
Nov 21 09:46:56.676: IKEv2:(SESSION ID = 252,SA ID = 1):Config data recieved:
Nov 21 09:46:56.676: IKEv2:(SESSION ID = 252,SA ID = 1):Config-type: Config-request
Nov 21 09:46:56.676: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
Nov 21 09:46:56.676: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
Nov 21 09:46:56.676: IKEv2:(SESSION ID = 252,SA ID = 1):Set received config mode data
Nov 21 09:46:56.676: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Nov 21 09:46:56.676: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'acvpn.local' 'ca.local' 'nj-home.local' 'SLA-TrustPoint'
Nov 21 09:46:56.677: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Nov 21 09:46:56.677: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Nov 21 09:46:56.677: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Nov 21 09:46:56.677: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Nov 21 09:46:56.677: IKEv2:(SESSION ID = 252,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
Nov 21 09:46:56.679: IKEv2:(SESSION ID = 252,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Nov 21 09:46:56.679: IKEv2:(SESSION ID = 252,SA ID = 1):Request queued for computation of DH key
Nov 21 09:46:56.679: IKEv2:(SESSION ID = 252,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
Nov 21 09:46:56.687: IKEv2:(SESSION ID = 252,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Nov 21 09:46:56.687: IKEv2:(SESSION ID = 252,SA ID = 1):Request queued for computation of DH secret
Nov 21 09:46:56.687: IKEv2:(SESSION ID = 252,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Nov 21 09:46:56.687: IKEv2:(SESSION ID = 252,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Nov 21 09:46:56.687: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Nov 21 09:46:56.687: IKEv2:(SESSION ID = 252,SA ID = 1):Generating IKE_SA_INIT message
Nov 21 09:46:56.687: IKEv2:(SESSION ID = 252,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
Nov 21 09:46:56.688: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Nov 21 09:46:56.688: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'acvpn.local' 'ca.local' 'nj-home.local' 'SLA-TrustPoint'
Nov 21 09:46:56.688: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Nov 21 09:46:56.688: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Nov 21 09:46:56.689: IKEv2:(SESSION ID = 252,SA ID = 1):Sending Packet [To 114.222.31.28:17234/From 222.94.190.160:500/VRF i0:f0]
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
Nov 21 09:46:56.690: IKEv2:(SESSION ID = 252,SA ID = 1):Completed SA init exchange
Nov 21 09:46:56.690: IKEv2:(SESSION ID = 252,SA ID = 1):Starting timer (30 sec) to wait for auth message
Nov 21 09:46:56.729: IKEv2:(SESSION ID = 252,SA ID = 1):Received Packet [From 114.222.31.28:17235/To 222.94.190.160:4500/VRF i0:f0]
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
Nov 21 09:46:56.731: IKEv2:(SESSION ID = 252,SA ID = 1):Stopping timer to wait for auth message
Nov 21 09:46:56.731: IKEv2:(SESSION ID = 252,SA ID = 1):Checking NAT discovery
Nov 21 09:46:56.731: IKEv2:(SESSION ID = 252,SA ID = 1):NAT OUTSIDE found
Nov 21 09:46:56.732: IKEv2:(SESSION ID = 252,SA ID = 1):NAT detected float to init port 17235, resp port 4500
Nov 21 09:46:56.732: IKEv2:(SESSION ID = 252,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
Nov 21 09:46:56.732: IKEv2:found matching IKEv2 profile 'acvpn-ikev2-profile'
Nov 21 09:46:56.732: IKEv2:(SESSION ID = 252,SA ID = 1):Searching Policy with fvrf 0, local address 222.94.190.160
Nov 21 09:46:56.732: IKEv2:(SESSION ID = 252,SA ID = 1):Found Policy 'acvpn-ikev2-policy'
Nov 21 09:46:56.732: IKEv2:not a VPN-SIP session
Nov 21 09:46:56.732: IKEv2:(SESSION ID = 252,SA ID = 1):Verify peer's policy
Nov 21 09:46:56.732: IKEv2:(SESSION ID = 252,SA ID = 1):Peer's policy verified
Nov 21 09:46:56.732: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Nov 21 09:46:56.733: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Nov 21 09:46:56.733: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing
Nov 21 09:46:56.733: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint acvpn.local
Nov 21 09:46:56.734: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):Check for EAP exchange
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):Check for EAP exchange
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):Generate my authentication data
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):Get my authentication method
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):My authentication method is 'RSA'
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):Sign authentication data
Nov 21 09:46:56.734: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
Nov 21 09:46:56.735: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
Nov 21 09:46:56.735: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
Nov 21 09:46:56.791: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authentication data PASSED
Nov 21 09:46:56.791: IKEv2:(SESSION ID = 252,SA ID = 1):Authentication material has been sucessfully signed
Nov 21 09:46:56.791: IKEv2:(SESSION ID = 252,SA ID = 1):Generating AnyConnect EAP request
Nov 21 09:46:56.791: IKEv2:(SESSION ID = 252,SA ID = 1):Sending AnyConnect EAP 'hello' request
Nov 21 09:46:56.791: IKEv2:(SESSION ID = 252,SA ID = 1):Constructing IDr payload: '222.94.190.160' of type 'IPv4 address'
Nov 21 09:46:56.792: IKEv2:(SESSION ID = 252,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr CERT CERT AUTH EAP
Nov 21 09:46:56.793: IKEv2:(SESSION ID = 252,SA ID = 1):Sending Packet [To 114.222.31.28:17235/From 222.94.190.160:4500/VRF i0:f0]
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
Nov 21 09:46:56.794: IKEv2:(SESSION ID = 252,SA ID = 1):Starting timer (90 sec) to wait for auth message
Nov 21 09:46:58.188: IKEv2:(SESSION ID = 252,SA ID = 1):Received Packet [From 114.222.31.28:17235/To 222.94.190.160:4500/VRF i0:f0]
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 2
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
Nov 21 09:46:58.188: IKEv2:(SESSION ID = 252,SA ID = 1):Stopping timer to wait for auth message
Nov 21 09:46:58.188: IKEv2:(SESSION ID = 252,SA ID = 1):Processing AnyConnect EAP response
Nov 21 09:46:58.189: IKEv2:(SESSION ID = 252,SA ID = 1):Checking for Dual Auth
Nov 21 09:46:58.189: IKEv2:(SESSION ID = 252,SA ID = 1):Generating AnyConnect EAP AUTH request
Nov 21 09:46:58.189: IKEv2:(SESSION ID = 252,SA ID = 1):Sending AnyConnect EAP 'auth-request'
Nov 21 09:46:58.189: IKEv2:(SESSION ID = 252,SA ID = 1):Building packet for encryption.
Payload contents:
EAP
Nov 21 09:46:58.190: IKEv2:(SESSION ID = 252,SA ID = 1):Sending Packet [To 114.222.31.28:17235/From 222.94.190.160:4500/VRF i0:f0]
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 2
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
Nov 21 09:46:58.191: IKEv2:(SESSION ID = 252,SA ID = 1):Starting timer (90 sec) to wait for auth message
Nov 21 09:47:00.259: IKEv2:(SESSION ID = 252,SA ID = 1):Received Packet [From 114.222.31.28:17235/To 222.94.190.160:4500/VRF i0:f0]
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 3
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
Nov 21 09:47:00.260: IKEv2:(SESSION ID = 252,SA ID = 1):Stopping timer to wait for auth message
Nov 21 09:47:00.260: IKEv2:(SESSION ID = 252,SA ID = 1):Processing AnyConnect EAP response
Nov 21 09:47:00.261: IKEv2:Using authentication method list acvpn-aaa-authen
Nov 21 09:47:00.261: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent
Nov 21 09:47:00.357: IKEv2-ERROR:AnyConnect EAP - failed to get author list
Nov 21 09:47:00.359: IKEv2-ERROR:Address type 135748931 not supported
Nov 21 09:47:00.359: IKEv2:Received response from aaa for AnyConnect EAP
Nov 21 09:47:00.359: IKEv2:(SESSION ID = 252,SA ID = 1):Generating AnyConnect EAP VERIFY request
Nov 21 09:47:00.359: IKEv2:(SESSION ID = 252,SA ID = 1):Sending AnyConnect EAP 'VERIFY' request
Nov 21 09:47:00.359: IKEv2:(SESSION ID = 252,SA ID = 1):Building packet for encryption.
Payload contents:
EAP
Nov 21 09:47:00.360: IKEv2:(SESSION ID = 252,SA ID = 1):Sending Packet [To 114.222.31.28:17235/From 222.94.190.160:4500/VRF i0:f0]
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 3
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
Nov 21 09:47:00.361: IKEv2:(SESSION ID = 252,SA ID = 1):Starting timer (90 sec) to wait for auth message
Nov 21 09:47:00.371: IKEv2:(SESSION ID = 252,SA ID = 1):Received Packet [From 114.222.31.28:17235/To 222.94.190.160:4500/VRF i0:f0]
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 4
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
Nov 21 09:47:00.372: IKEv2:(SESSION ID = 252,SA ID = 1):Stopping timer to wait for auth message
Nov 21 09:47:00.372: IKEv2:(SESSION ID = 252,SA ID = 1):Processing AnyConnect EAP ack response
Nov 21 09:47:00.372: IKEv2:(SESSION ID = 252,SA ID = 1):Generating AnyConnect EAP success request
Nov 21 09:47:00.372: IKEv2:(SESSION ID = 252,SA ID = 1):Sending AnyConnect EAP success status message
Nov 21 09:47:00.373: IKEv2:(SESSION ID = 252,SA ID = 1):Building packet for encryption.
Payload contents:
EAP
Nov 21 09:47:00.373: IKEv2:(SESSION ID = 252,SA ID = 1):Sending Packet [To 114.222.31.28:17235/From 222.94.190.160:4500/VRF i0:f0]
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 4
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
Nov 21 09:47:00.374: IKEv2:(SESSION ID = 252,SA ID = 1):Starting timer (90 sec) to wait for auth message
Nov 21 09:47:00.381: IKEv2:(SESSION ID = 252,SA ID = 1):Received Packet [From 114.222.31.28:17235/To 222.94.190.160:4500/VRF i0:f0]
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 5
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
AUTH
Nov 21 09:47:00.382: IKEv2:(SESSION ID = 252,SA ID = 1):Stopping timer to wait for auth message
Nov 21 09:47:00.382: IKEv2:(SESSION ID = 252,SA ID = 1):Send AUTH, to verify peer after EAP exchange
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):Verify peer's authentication data
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):Use preshared key for id *$AnyConnectClient$*, key len 32
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):Verification of peer's authentication data PASSED
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):Processing INITIAL_CONTACT
Nov 21 09:47:00.384: IKEv2:Using mlist acvpn-aaa-author and username acvpn-ikev2-auth-policy for group author request
Nov 21 09:47:00.384: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
Nov 21 09:47:00.384: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Received valid config mode data
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Config data recieved:
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Config-type: Config-request
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv4-addr, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv4-netmask, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv4-dns, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv4-nbns, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: app-version, length: 29, data: AnyConnect Windows 4.10.06090
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv4-subnet, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv6-addr, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv6-dns, length: 0
Nov 21 09:47:00.386: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv6-subnet, length: 0Hale-HP-PC
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: reconnect-cleanup-interval, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: reconnect-dpd-interval, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: banner, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: smartcard-removal-disconnect, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 2, data: 0x5 0xFFFFFFFFFFFFFF86
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: def-domain, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: split-exclude, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: split-dns, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: pfs, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: reconnect-token-id, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: reconnect-session-id, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: reconnect-session-data, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 16, data: 0x240xE 0x3 0xFFFFFFFFFFFFFFAF0x9 0x6 0xFFFFFFFFFFFFFFA10x250x5E0x710xD 0x420x2E0x4E0xFFFFFFFFFFFFFFBF0xFFFFFFFFFFFFFF80
Nov 21 09:47:00.390: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 4, data: 0xFFFFFFFFFFFFFFC00xFFFFFFFFFFFFFFA80xFFFFFFFFFFFFFFBD0x42
Nov 21 09:47:00.391: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 4, data: 0xFFFFFFFFFFFFFFDE0x5E0xFFFFFFFFFFFFFFBE0xFFFFFFFFFFFFFFA0
Nov 21 09:47:00.391: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.391: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 2, data: 0x5 0xFFFFFFFFFFFFFFDC
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-cleanup-interval in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-dpd-interval in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.394: IKEv2:(SESSION ID = 252,SA ID = 1):Set received config mode data
Nov 21 09:47:00.394: IKEv2:(SESSION ID = 252,SA ID = 1):Processing IKE_AUTH message
Nov 21 09:47:00.394: IKEv2:% DVTI create request sent for profile acvpn-ikev2-profile with PSH index 1.
Nov 21 09:47:00.395: IKEv2:(SESSION ID = 252,SA ID = 1):
Nov 21 09:47:00.396: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to down
Nov 21 09:47:00.413: %SYS-5-CONFIG_P: Configured programmatically by process Crypto INT from console as console
Nov 21 09:47:00.421: IKEv2-ERROR:Address type 2157777920 not supported
Nov 21 09:47:00.421: IKEv2-ERROR:(SESSION ID = 0,SA ID = 0):DVTI creation failed in OSAL
Nov 21 09:47:00.421: IKEv2-ERROR:Address type 2157777920 not supported
Nov 21 09:47:00.421: IKEv2-ERROR:(SESSION ID = 0,SA ID = 0):
Nov 21 09:47:00.421: IKEv2-ERROR:% Failed to process IPSEC READY KMI message with error 4.
Nov 21 09:47:02.392: IKEv2-ERROR:Address type 0 not supported
Nov 21 09:47:02.392: IKEv2-ERROR:: Negotiation context locked currently in use
Nov 21 09:47:06.395: IKEv2-ERROR:Address type 0 not supported
Nov 21 09:47:06.395: IKEv2-ERROR:: Negotiation context locked currently in use
Nov 21 09:47:14.406: IKEv2-ERROR:Address type 0 not supported
Nov 21 09:47:14.406: IKEv2-ERROR:: Negotiation context locked currently in use
Nov 21 09:47:25.396: IKEv2:(SESSION ID = 252,SA ID = 1):Verification of peer's authentication data FAILED
Nov 21 09:47:25.396: IKEv2:(SESSION ID = 252,SA ID = 1):Sending authentication failure notify
Nov 21 09:47:25.396: IKEv2:(SESSION ID = 252,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
Nov 21 09:47:25.396: IKEv2:(SESSION ID = 252,SA ID = 1):Sending Packet [To 114.222.31.28:17235/From 222.94.190.160:4500/VRF i0:f0]
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 5
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
Nov 21 09:47:25.398: IKEv2:(SESSION ID = 252,SA ID = 1):Auth exchange failed
Nov 21 09:47:25.398: IKEv2-ERROR:(SESSION ID = 252,SA ID = 1):: Auth exchange failed
Nov 21 09:47:25.398: IKEv2:(SESSION ID = 252,SA ID = 1):Abort exchange
Nov 21 09:47:25.398: IKEv2:(SESSION ID = 252,SA ID = 1):Deleting SA
Nov 21 09:47:25.398: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Nov 21 09:47:25.398: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
But here is a strange thing: the same configuration works fine on my C8000v, and the software version is the same too. I'm really puzzled. Does the hardware box have some special trick to it? Please discuss, esteemed audience...
Solved!
Everyone, the problem is solved. There was one configuration item I took for granted: tunnel mode ipsec dual-overlay has to be changed to tunnel mode ipsec ipv4. Since I have dual-stack addresses I assumed a dual-stack configuration would work, but it turns out it doesn't. There are a few more points worth noting that I'd like to share with you.
1. The official site says you must apply for a personal certificate; I tried a self-signed certificate and it works too.
2. The AnyConnect profile name must be acvpn.xml.
3. On my side, one IOS version is 17.7 and the other is 15.8, and both can dial successfully; 15.8 requires the BypassDownloader option to be set to true to succeed.
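As an added example that is not part of the original thread, the following Python lint checks an IOS FlexVPN configuration for the mistake found here: an IKEv2 profile that authenticates AnyConnect clients with anyconnect-eap but whose virtual-template is not `tunnel mode ipsec ipv4`, plus the poster's note that the AnyConnect profile file is named acvpn.xml. It also pulls the DVTI-failure lines out of the IOS IKEv2 debug output so the symptom can be matched to the cause. The config and debug samples are constructed from the text of this thread; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant part of the configuration posted in the
# thread, re-indented the way IOS prints it (the post lost the indentation).
SAMPLE_CONFIG = """\
crypto ikev2 profile acvpn-ikev2-profile
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint acvpn.local
 virtual-template 10
 anyconnect profile acvpn
crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
interface Virtual-Template10 type tunnel
 description To:ACVPN-Client
 ip unnumbered Dialer1
 tunnel mode ipsec dual-overlay
 tunnel protection ipsec profile acvpn-profile
"""

# Constructed sample: the lines from the thread's debug output around the
# failed virtual-access (DVTI) creation.
SAMPLE_DEBUG = """\
Nov 21 09:47:00.394: IKEv2:% DVTI create request sent for profile acvpn-ikev2-profile with PSH index 1.
Nov 21 09:47:00.421: IKEv2-ERROR:Address type 2157777920 not supported
Nov 21 09:47:00.421: IKEv2-ERROR:(SESSION ID = 0,SA ID = 0):DVTI creation failed in OSAL
Nov 21 09:47:00.421: IKEv2-ERROR:% Failed to process IPSEC READY KMI message with error 4.
Nov 21 09:47:25.396: IKEv2:(SESSION ID = 252,SA ID = 1):Verification of peer's authentication data FAILED
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {header: [sub-commands]}: a line with no
    leading whitespace opens a block, indented lines belong to it."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def _arg(sub: List[str], prefix: str) -> str:
    """Arguments of the first sub-command starting with prefix, or ''."""
    for line in sub:
        if line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return ""


def lint_flexvpn(config: str) -> List[str]:
    """Findings for each IKEv2 profile using anyconnect-eap: its virtual-template
    must exist and use 'tunnel mode ipsec ipv4' (the fix in the thread), and its
    AnyConnect profile must map to a file named acvpn.xml (poster's observation)."""
    blocks = parse_blocks(config)
    findings: List[str] = []
    for header, sub in blocks.items():
        if not header.startswith("crypto ikev2 profile "):
            continue
        name = header.split()[-1]
        if not any(s.startswith("authentication remote anyconnect-eap") for s in sub):
            continue  # not a FlexVPN remote-access profile for AnyConnect clients
        vt = _arg(sub, "virtual-template").split()
        if not vt:
            findings.append(f"{name}: no virtual-template bound")
        else:
            vt_sub = blocks.get(f"interface Virtual-Template{vt[0]} type tunnel")
            if vt_sub is None:
                findings.append(f"{name}: Virtual-Template{vt[0]} is not defined")
            elif _arg(vt_sub, "tunnel mode") != "ipsec ipv4":
                findings.append(
                    f"{name}: Virtual-Template{vt[0]} has 'tunnel mode "
                    f"{_arg(vt_sub, 'tunnel mode') or '<default>'}', AnyConnect "
                    "DVTI needs 'tunnel mode ipsec ipv4'")
        ac = _arg(sub, "anyconnect profile")
        if ac:
            prefix = f"crypto vpn anyconnect profile {ac} "
            paths = [h[len(prefix):] for h in blocks if h.startswith(prefix)]
            if not paths:
                findings.append(f"{name}: AnyConnect profile '{ac}' has no file mapping")
            elif re.split(r"[:/]", paths[0])[-1] != "acvpn.xml":
                findings.append(f"{name}: profile file should be acvpn.xml, got '{paths[0]}'")
    return findings


# Debug lines showing the virtual-access interface was not created; in the thread
# they follow 'DVTI create request sent' and precede the AUTHENTICATION_FAILED notify.
DVTI_FAILURE = re.compile(
    r"IKEv2-ERROR:.*(DVTI creation failed|Address type \d+ not supported"
    r"|Failed to process IPSEC READY)")


def dvti_failure_lines(debug: str) -> List[str]:
    """Return the debug lines matching the DVTI-failure signature."""
    return [line for line in debug.splitlines() if DVTI_FAILURE.search(line)]
```

Running `lint_flexvpn` on a config with the dual-overlay template reports exactly that template; after the fix from the thread (`tunnel mode ipsec ipv4`) it reports nothing.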