226 views, 0 helpful, 1 reply

Problem connecting to FlexVPN with AnyConnect.

wuhao0015
Spotlight

Esteemed audience, technical gurus: something has come up recently. I wouldn't bother everyone unless I absolutely had to...

Dialing an IKEv2 FlexVPN with AnyConnect never succeeds. The device is a C1117-4P running version 17.7.6, and the AnyConnect version is 4.10. After dialing with AnyConnect it shows a prompt and then disconnects.

[Attached screenshot: wuhao0015_0-1732153647715.png]

The device configuration is as follows:

 

aaa authorization network acvpn-aaa-author local 
crypto pki trustpoint acvpn.local
 enrollment url http://192.168.50.254:80
 serial-number
 subject-name cn=acvpn.local, ou=iteachs.com
 subject-alt-name acvpn.local
 revocation-check none

crypto pki certificate chain acvpn.local
 certificate 02
  3082035D 30820245 A0030201 02020102 300D0609 2A864886 F70D0101 05050030 
  29311430 12060355 040B130B 69746561 6368732E 636F6D31 11300F06 03550403 
  13086361 2E6C6F63 616C301E 170D3234 31313230 30373237 30385A17 0D323531 
  31323030 37323730 385A306A 31143012 06035504 0B130B69 74656163 68732E63 
  6F6D3114 30120603 55040313 0B616376 706E2E6C 6F63616C 313C3012 06035504 
  05130B46 474C3233 34324C32 55513026 06092A86 4886F70D 01090216 194E4A2D 
  486F6D65 2D433131 31372E69 74656163 68732E63 6F6D3082 0122300D 06092A86 
  4886F70D 01010105 00038201 0F003082 010A0282 010100DC 6E809822 85D687B1 
  6EBCF38A 881285AA 37CDB78F 1CD03D2B F136732F 4F010063 319CA982 FE237837 
  0283E166 AA7F5032 BE0A2E68 3D324344 272EB8A7 D87E232B D502E9BA 44F97A1D 
  3FFE5891 CD10203C F43F46A0 0D570959 3B296224 EFA6F435 F43865A5 9BEAF799 
  787AC286 7D384385 58A7E796 5A8E1A03 1E2A1482 4EFD290C 487A8CCE 69AD0D9E 
  CA17AD45 3DFB054C 52860178 346F928D E1551F80 A17BF219 9D3520AA 94705243 
  91663ED3 417F6C48 7F9C3F06 72968CC6 D73AF10F 49AA9501 61DAF4BE 7DEDFB91 
  E16F787B 16C8ABF6 4BA0D8EC 37F31B95 C35CAA9D 7B221A55 348B3E62 6F920A44 
  97F12201 425A1742 CDF7AB55 694967A2 6DACCD57 E1129102 03010001 A34F304D 
  300B0603 551D0F04 04030205 A0301F06 03551D23 04183016 80147B8E 71A61E92 
  9C4FDE81 AB0BEFDD 8FAFC982 B655301D 0603551D 0E041604 140D6F03 3ADF936F 
  5793BF48 B36A5FA8 95E05EF4 DC300D06 092A8648 86F70D01 01050500 03820101 
  001B81AD 4F535060 11B04158 2D1A5819 CF8CB30A B9C63DF1 01C7B484 5D94A057 
  678B0288 C5BECC88 90C10A16 FBF2C8AF 953B9770 CF4827AB A7E05702 22373F86 
  85F8E00C 08E94EDE FFCE7488 45A42883 D1C90F6A 7BDD49DB 938FEAAD 43471A50 
  4CF68FA3 038D681A 3BF7699A 377BC2DC AC4B3D7A C5761FEC 00ACE560 77B911C0 
  5DEA48E3 06B55C02 DADDDB3B B5D2F9D6 378DC3A0 A31C2142 4079042E 24ABD6E1 
  EBC4CC7A 38019F5B 2889F214 3B6E3090 4CCB0C96 7F596C4F 8EF939C4 71920D40 
  D0B0A034 0A7B9167 99FD85E7 34444218 6B019A8B B40EABC2 ED6DB912 CBA3AA01 
  4A9935F5 1B65FE8A CCC01ABE 6A759BC1 E9D08FE9 D5482B92 66CA126B F5BD34C1 DD
        quit
 certificate ca 01
  30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  29311430 12060355 040B130B 69746561 6368732E 636F6D31 11300F06 03550403 
  13086361 2E6C6F63 616C301E 170D3234 31313230 30373036 31315A17 0D323731 
  31323030 37303631 315A3029 31143012 06035504 0B130B69 74656163 68732E63 
  6F6D3111 300F0603 55040313 0863612E 6C6F6361 6C308201 22300D06 092A8648 
  86F70D01 01010500 0382010F 00308201 0A028201 0100E86E DABBE980 4C4D3CF7 
  238C03A0 F4D1FCA0 9816869B 809D9911 413C5A23 18CDD687 71D1173D 1F4E3687 
  25E676DA A680A467 B62D0BB9 38AFE5AC 26FFC001 2FDE6694 EDEFDE28 219FD48A 
  22BDFC26 07327325 001B4B2E 2D0DFEE4 7A0C96DC 823B6CA1 07467C37 B0B06835 
  A54F1D5E 44793B7D A579B4E5 3D500A77 63EB062F F76DA5BD 116E59D3 FC103F08 
  951A9094 DF44C214 50C3AF28 72CBD069 FBC476F5 6F4D0857 45B5D3DA DAD4A3B2 
  AF21057B E3BC4D7C D2687E3A E2540793 855470FC 0D09C6A7 8FD55ED1 50C7E12C 
  7FA3C1C5 43A33894 BCD8B887 BC9E07EF FA5301D6 7D1A8064 AEE58D52 866E93CB 
  9BD92CC2 951912AC C327E03D 50CA1B7E 0AB79C7F 7F0B0203 010001A3 63306130 
  0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186 
  301F0603 551D2304 18301680 147B8E71 A61E929C 4FDE81AB 0BEFDD8F AFC982B6 
  55301D06 03551D0E 04160414 7B8E71A6 1E929C4F DE81AB0B EFDD8FAF C982B655 
  300D0609 2A864886 F70D0101 04050003 82010100 199E6599 297071E9 343E03D1 
  5F5144B1 66D26AC0 2A80BE15 717D6265 898740E8 6CDE97A1 43009DC7 96A741C0 
  88C021B2 2BC85171 464FB5A5 7451D426 51B7E708 96F3D130 ED099C37 3132793A 
  19112A2D 062C0934 D8BEF0F3 5C094338 8AD55FE8 BCED7F9D 4167638E 0BA89F18 
  106532C4 B073ED5B C8ED2180 76AFD980 47A258E9 DDD21D9F 678DFBF5 182EFB3E 
  136B9846 E3CDB01F E65A1F69 9FFCBE35 4F9A7F44 D94BF465 AA4A7721 731DE65C 
  83AAD4E2 B648F8A9 C022DDEB A0A49398 AEDA9906 48689958 D022D139 4B8B1C20 
  141F8251 2B06D61B 02DFA7D0 EA5E52BB C306B56C B763C965 F65011D5 E6D49E49 
  35EA6164 0731D4BF 83B27F47 6984AD68 C4FC2D82
        quit

username acvpn privilege 0 secret 9 $9$8BdJ39e86YA6/.$ETr4dZxCkZ5oAG25d3MneCLnjpUxhVU9RPQDQsLzFvA

crypto ikev2 authorization policy acvpn-ikev2-auth-policy 
 pool acvpn-ipv4-pool
 def-domain iteachs.com
 route set remote ipv4 192.168.0.0 255.255.0.0

crypto ikev2 proposal acvpn-ikev2-proposal 
 encryption aes-cbc-256
 integrity sha256
 group 15 19

crypto ikev2 policy acvpn-ikev2-policy 
 proposal acvpn-ikev2-proposal

crypto ikev2 profile acvpn-ikev2-profile
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint acvpn.local
 aaa authentication anyconnect-eap acvpn-aaa-authen
 aaa authorization group anyconnect-eap list acvpn-aaa-author acvpn-ikev2-auth-policy
 aaa authorization user anyconnect-eap cached
 virtual-template 10
 anyconnect profile acvpn

crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
crypto ipsec transform-set acvpn-ts esp-aes 256 esp-sha256-hmac 
 mode transport

crypto ipsec profile acvpn-profile
 set transform-set acvpn-ts 
 set ikev2-profile acvpn-ikev2-profile

interface Virtual-Template10 type tunnel
 description To:ACVPN-Client
 ip unnumbered Dialer1
 tunnel mode ipsec dual-overlay
 tunnel protection ipsec profile acvpn-profile

ip local pool acvpn-ipv4-pool 192.168.51.1 192.168.51.100

 

The device's show version output is as follows:

Cisco IOS XE Software, Version 17.06.08a
Cisco IOS Software [Bengaluru], ISR Software (ARMV8EL_LINUX_IOSD-UNIVERSALK9-M), Version 17.6.8a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2024 by Cisco Systems, Inc.
Compiled Mon 14-Oct-24 07:31 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2024 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: 17.5(1r)

NJ-Home-C1117 uptime is 1 day, 17 hours, 9 minutes
Uptime for this control processor is 1 day, 17 hours, 11 minutes
System returned to ROM by Reload Command at 16:38:36 Beijing Tue Nov 19 2024
System restarted at 16:42:18 Beijing Tue Nov 19 2024
System image file is "bootflash:c1100-universalk9.17.06.08a.SPA.bin"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.



Suite License Information for Module:'esg' 

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot     
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  Smart License  None                  
securityk9
appxk9


Technology Package License Information: 

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot  
------------------------------------------------------------------
appxk9           None             Smart License    None
uck9             None             Smart License    None
securityk9       securityk9       Smart License    securityk9
ipbase           ipbasek9         Smart License    ipbasek9

The current throughput level is unthrottled 


Smart Licensing Status: Registration Not Applicable/Not Applicable

cisco C1117-4P (1RU) processor with 1400278K/6147K bytes of memory.
Processor board ID FGL2342L2UQ
Router operating mode: Autonomous
1 Ethernet interface
3 Virtual Ethernet interfaces
5 Gigabit Ethernet interfaces
1 ATM interface
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
2863103K bytes of flash memory at bootflash:.

Configuration register is 0x2102

 

Relevant debug output:

Nov 21 09:46:56.673: IKEv2:Received Packet [From 114.222.31.28:17234/To 222.94.190.160:500/VRF i0:f0] 
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED) 

Nov 21 09:46:56.674: IKEv2:(SESSION ID = 252,SA ID = 1):Verify SA init message
Nov 21 09:46:56.675: IKEv2:(SESSION ID = 252,SA ID = 1):Insert SA
Nov 21 09:46:56.675: IKEv2:Searching Policy with fvrf 0, local address 222.94.190.160
Nov 21 09:46:56.675: IKEv2:Found Policy 'acvpn-ikev2-policy'
Nov 21 09:46:56.675: IKEv2:(SESSION ID = 252,SA ID = 1):Processing IKE_SA_INIT message
Nov 21 09:46:56.676: IKEv2:(SESSION ID = 252,SA ID = 1):Received valid config mode data
Nov 21 09:46:56.676: IKEv2:(SESSION ID = 252,SA ID = 1):Config data recieved:
Nov 21 09:46:56.676: IKEv2:(SESSION ID = 252,SA ID = 1):Config-type: Config-request 
Nov 21 09:46:56.676: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
Nov 21 09:46:56.676: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
Nov 21 09:46:56.676: IKEv2:(SESSION ID = 252,SA ID = 1):Set received config mode data
Nov 21 09:46:56.676: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Nov 21 09:46:56.676: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'acvpn.local'   'ca.local'   'nj-home.local'   'SLA-TrustPoint'   
Nov 21 09:46:56.677: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Nov 21 09:46:56.677: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Nov 21 09:46:56.677: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Nov 21 09:46:56.677: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Nov 21 09:46:56.677: IKEv2:(SESSION ID = 252,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
Nov 21 09:46:56.679: IKEv2:(SESSION ID = 252,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Nov 21 09:46:56.679: IKEv2:(SESSION ID = 252,SA ID = 1):Request queued for computation of DH key
Nov 21 09:46:56.679: IKEv2:(SESSION ID = 252,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
Nov 21 09:46:56.687: IKEv2:(SESSION ID = 252,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Nov 21 09:46:56.687: IKEv2:(SESSION ID = 252,SA ID = 1):Request queued for computation of DH secret
Nov 21 09:46:56.687: IKEv2:(SESSION ID = 252,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Nov 21 09:46:56.687: IKEv2:(SESSION ID = 252,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Nov 21 09:46:56.687: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Nov 21 09:46:56.687: IKEv2:(SESSION ID = 252,SA ID = 1):Generating IKE_SA_INIT message
Nov 21 09:46:56.687: IKEv2:(SESSION ID = 252,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_256_ECP/Group 19
Nov 21 09:46:56.688: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Nov 21 09:46:56.688: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'acvpn.local'   'ca.local'   'nj-home.local'   'SLA-TrustPoint'   
Nov 21 09:46:56.688: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Nov 21 09:46:56.688: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED 

Nov 21 09:46:56.689: IKEv2:(SESSION ID = 252,SA ID = 1):Sending Packet [To 114.222.31.28:17234/From 222.94.190.160:500/VRF i0:f0] 
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ 

Nov 21 09:46:56.690: IKEv2:(SESSION ID = 252,SA ID = 1):Completed SA init exchange
Nov 21 09:46:56.690: IKEv2:(SESSION ID = 252,SA ID = 1):Starting timer (30 sec) to wait for auth message 

Nov 21 09:46:56.729: IKEv2:(SESSION ID = 252,SA ID = 1):Received Packet [From 114.222.31.28:17235/To 222.94.190.160:4500/VRF i0:f0] 
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

Nov 21 09:46:56.731: IKEv2:(SESSION ID = 252,SA ID = 1):Stopping timer to wait for auth message
Nov 21 09:46:56.731: IKEv2:(SESSION ID = 252,SA ID = 1):Checking NAT discovery
Nov 21 09:46:56.731: IKEv2:(SESSION ID = 252,SA ID = 1):NAT OUTSIDE found
Nov 21 09:46:56.732: IKEv2:(SESSION ID = 252,SA ID = 1):NAT detected float to init port 17235, resp port 4500
Nov 21 09:46:56.732: IKEv2:(SESSION ID = 252,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
Nov 21 09:46:56.732: IKEv2:found matching IKEv2 profile 'acvpn-ikev2-profile'
Nov 21 09:46:56.732: IKEv2:(SESSION ID = 252,SA ID = 1):Searching Policy with fvrf 0, local address 222.94.190.160
Nov 21 09:46:56.732: IKEv2:(SESSION ID = 252,SA ID = 1):Found Policy 'acvpn-ikev2-policy'
Nov 21 09:46:56.732: IKEv2:not a VPN-SIP session
Nov 21 09:46:56.732: IKEv2:(SESSION ID = 252,SA ID = 1):Verify peer's policy
Nov 21 09:46:56.732: IKEv2:(SESSION ID = 252,SA ID = 1):Peer's policy verified
Nov 21 09:46:56.732: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Nov 21 09:46:56.733: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Nov 21 09:46:56.733: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

Nov 21 09:46:56.733: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint acvpn.local
Nov 21 09:46:56.734: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):Check for EAP exchange
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):Check for EAP exchange
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):Generate my authentication data
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):Get my authentication method
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):My authentication method is 'RSA'
Nov 21 09:46:56.734: IKEv2:(SESSION ID = 252,SA ID = 1):Sign authentication data
Nov 21 09:46:56.734: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
Nov 21 09:46:56.735: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
Nov 21 09:46:56.735: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
Nov 21 09:46:56.791: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authentication data PASSED
Nov 21 09:46:56.791: IKEv2:(SESSION ID = 252,SA ID = 1):Authentication material has been sucessfully signed
Nov 21 09:46:56.791: IKEv2:(SESSION ID = 252,SA ID = 1):Generating AnyConnect EAP request
Nov 21 09:46:56.791: IKEv2:(SESSION ID = 252,SA ID = 1):Sending AnyConnect EAP 'hello' request
Nov 21 09:46:56.791: IKEv2:(SESSION ID = 252,SA ID = 1):Constructing IDr payload: '222.94.190.160' of type 'IPv4 address'
Nov 21 09:46:56.792: IKEv2:(SESSION ID = 252,SA ID = 1):Building packet for encryption.  
Payload contents: 
 VID IDr CERT CERT AUTH EAP 

Nov 21 09:46:56.793: IKEv2:(SESSION ID = 252,SA ID = 1):Sending Packet [To 114.222.31.28:17235/From 222.94.190.160:4500/VRF i0:f0] 
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

Nov 21 09:46:56.794: IKEv2:(SESSION ID = 252,SA ID = 1):Starting timer (90 sec) to wait for auth message 

Nov 21 09:46:58.188: IKEv2:(SESSION ID = 252,SA ID = 1):Received Packet [From 114.222.31.28:17235/To 222.94.190.160:4500/VRF i0:f0] 
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 2
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 EAP 

Nov 21 09:46:58.188: IKEv2:(SESSION ID = 252,SA ID = 1):Stopping timer to wait for auth message
Nov 21 09:46:58.188: IKEv2:(SESSION ID = 252,SA ID = 1):Processing AnyConnect EAP response
Nov 21 09:46:58.189: IKEv2:(SESSION ID = 252,SA ID = 1):Checking for Dual Auth
Nov 21 09:46:58.189: IKEv2:(SESSION ID = 252,SA ID = 1):Generating AnyConnect EAP AUTH request
Nov 21 09:46:58.189: IKEv2:(SESSION ID = 252,SA ID = 1):Sending AnyConnect EAP 'auth-request'
Nov 21 09:46:58.189: IKEv2:(SESSION ID = 252,SA ID = 1):Building packet for encryption.  
Payload contents: 
 EAP 

Nov 21 09:46:58.190: IKEv2:(SESSION ID = 252,SA ID = 1):Sending Packet [To 114.222.31.28:17235/From 222.94.190.160:4500/VRF i0:f0] 
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 2
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

Nov 21 09:46:58.191: IKEv2:(SESSION ID = 252,SA ID = 1):Starting timer (90 sec) to wait for auth message 

Nov 21 09:47:00.259: IKEv2:(SESSION ID = 252,SA ID = 1):Received Packet [From 114.222.31.28:17235/To 222.94.190.160:4500/VRF i0:f0] 
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 3
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 EAP 

Nov 21 09:47:00.260: IKEv2:(SESSION ID = 252,SA ID = 1):Stopping timer to wait for auth message
Nov 21 09:47:00.260: IKEv2:(SESSION ID = 252,SA ID = 1):Processing AnyConnect EAP response
Nov 21 09:47:00.261: IKEv2:Using authentication method list acvpn-aaa-authen

Nov 21 09:47:00.261: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent
Nov 21 09:47:00.357: IKEv2-ERROR:AnyConnect EAP - failed to get author list
Nov 21 09:47:00.359: IKEv2-ERROR:Address type 135748931 not supported

Nov 21 09:47:00.359: IKEv2:Received response from aaa for AnyConnect EAP
Nov 21 09:47:00.359: IKEv2:(SESSION ID = 252,SA ID = 1):Generating AnyConnect EAP VERIFY request
Nov 21 09:47:00.359: IKEv2:(SESSION ID = 252,SA ID = 1):Sending AnyConnect EAP 'VERIFY' request
Nov 21 09:47:00.359: IKEv2:(SESSION ID = 252,SA ID = 1):Building packet for encryption.  
Payload contents: 
 EAP 

Nov 21 09:47:00.360: IKEv2:(SESSION ID = 252,SA ID = 1):Sending Packet [To 114.222.31.28:17235/From 222.94.190.160:4500/VRF i0:f0] 
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 3
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

Nov 21 09:47:00.361: IKEv2:(SESSION ID = 252,SA ID = 1):Starting timer (90 sec) to wait for auth message 

Nov 21 09:47:00.371: IKEv2:(SESSION ID = 252,SA ID = 1):Received Packet [From 114.222.31.28:17235/To 222.94.190.160:4500/VRF i0:f0] 
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 4
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 EAP 
          
Nov 21 09:47:00.372: IKEv2:(SESSION ID = 252,SA ID = 1):Stopping timer to wait for auth message
Nov 21 09:47:00.372: IKEv2:(SESSION ID = 252,SA ID = 1):Processing AnyConnect EAP ack response
Nov 21 09:47:00.372: IKEv2:(SESSION ID = 252,SA ID = 1):Generating AnyConnect EAP success request
Nov 21 09:47:00.372: IKEv2:(SESSION ID = 252,SA ID = 1):Sending AnyConnect EAP success status message
Nov 21 09:47:00.373: IKEv2:(SESSION ID = 252,SA ID = 1):Building packet for encryption.  
Payload contents: 
 EAP 

Nov 21 09:47:00.373: IKEv2:(SESSION ID = 252,SA ID = 1):Sending Packet [To 114.222.31.28:17235/From 222.94.190.160:4500/VRF i0:f0] 
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 4
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

Nov 21 09:47:00.374: IKEv2:(SESSION ID = 252,SA ID = 1):Starting timer (90 sec) to wait for auth message 

Nov 21 09:47:00.381: IKEv2:(SESSION ID = 252,SA ID = 1):Received Packet [From 114.222.31.28:17235/To 222.94.190.160:4500/VRF i0:f0] 
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 5
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 AUTH 

Nov 21 09:47:00.382: IKEv2:(SESSION ID = 252,SA ID = 1):Stopping timer to wait for auth message
Nov 21 09:47:00.382: IKEv2:(SESSION ID = 252,SA ID = 1):Send AUTH, to verify peer after EAP exchange
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):Verify peer's authentication data
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):Use preshared key for id *$AnyConnectClient$*, key len 32
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):Verification of peer's authentication data PASSED
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):Processing INITIAL_CONTACT
Nov 21 09:47:00.384: IKEv2:Using mlist acvpn-aaa-author and username acvpn-ikev2-auth-policy for group author request
Nov 21 09:47:00.384: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
Nov 21 09:47:00.384: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Received valid config mode data
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Config data recieved:
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Config-type: Config-request 
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv4-addr, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv4-netmask, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv4-dns, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv4-nbns, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: app-version, length: 29, data: AnyConnect Windows 4.10.06090
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv4-subnet, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv6-addr, length: 0
Nov 21 09:47:00.385: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv6-dns, length: 0
Nov 21 09:47:00.386: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: ipv6-subnet, length: 0Hale-HP-PC
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: reconnect-cleanup-interval, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: reconnect-dpd-interval, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: banner, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: smartcard-removal-disconnect, length: 0
Nov 21 09:47:00.387: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 2, data: 0x5 0xFFFFFFFFFFFFFF86
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: def-domain, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: split-exclude, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: split-dns, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: pfs, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: reconnect-token-id, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: reconnect-session-id, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: reconnect-session-data, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.388: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.389: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 16, data: 0x240xE 0x3 0xFFFFFFFFFFFFFFAF0x9 0x6 0xFFFFFFFFFFFFFFA10x250x5E0x710xD 0x420x2E0x4E0xFFFFFFFFFFFFFFBF0xFFFFFFFFFFFFFF80
Nov 21 09:47:00.390: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 4, data: 0xFFFFFFFFFFFFFFC00xFFFFFFFFFFFFFFA80xFFFFFFFFFFFFFFBD0x42
Nov 21 09:47:00.391: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 4, data: 0xFFFFFFFFFFFFFFDE0x5E0xFFFFFFFFFFFFFFBE0xFFFFFFFFFFFFFFA0
Nov 21 09:47:00.391: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 0
Nov 21 09:47:00.391: IKEv2:(SESSION ID = 252,SA ID = 1):Attrib type: unknown, length: 2, data: 0x5 0xFFFFFFFFFFFFFFDC
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-cleanup-interval in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-dpd-interval in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.393: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.394: IKEv2:(SESSION ID = 252,SA ID = 1):Set received config mode data
Nov 21 09:47:00.394: IKEv2:(SESSION ID = 252,SA ID = 1):Processing IKE_AUTH message
Nov 21 09:47:00.394: IKEv2:% DVTI create request sent for profile acvpn-ikev2-profile with PSH index 1.

Nov 21 09:47:00.395: IKEv2:(SESSION ID = 252,SA ID = 1):
Nov 21 09:47:00.396: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to down
Nov 21 09:47:00.413: %SYS-5-CONFIG_P: Configured programmatically by process Crypto INT from console as console
Nov 21 09:47:00.421: IKEv2-ERROR:Address type 2157777920 not supported

Nov 21 09:47:00.421: IKEv2-ERROR:(SESSION ID = 0,SA ID = 0):DVTI creation failed in OSAL
          
Nov 21 09:47:00.421: IKEv2-ERROR:Address type 2157777920 not supported

Nov 21 09:47:00.421: IKEv2-ERROR:(SESSION ID = 0,SA ID = 0):
Nov 21 09:47:00.421: IKEv2-ERROR:% Failed to process IPSEC READY KMI message with error 4.

Nov 21 09:47:02.392: IKEv2-ERROR:Address type 0 not supported

Nov 21 09:47:02.392: IKEv2-ERROR:: Negotiation context locked currently in use
Nov 21 09:47:06.395: IKEv2-ERROR:Address type 0 not supported

Nov 21 09:47:06.395: IKEv2-ERROR:: Negotiation context locked currently in use
Nov 21 09:47:14.406: IKEv2-ERROR:Address type 0 not supported

Nov 21 09:47:14.406: IKEv2-ERROR:: Negotiation context locked currently in use
Nov 21 09:47:25.396: IKEv2:(SESSION ID = 252,SA ID = 1):Verification of peer's authentication data FAILED
Nov 21 09:47:25.396: IKEv2:(SESSION ID = 252,SA ID = 1):Sending authentication failure notify
Nov 21 09:47:25.396: IKEv2:(SESSION ID = 252,SA ID = 1):Building packet for encryption.  
Payload contents: 
 NOTIFY(AUTHENTICATION_FAILED) 

Nov 21 09:47:25.396: IKEv2:(SESSION ID = 252,SA ID = 1):Sending Packet [To 114.222.31.28:17235/From 222.94.190.160:4500/VRF i0:f0] 
Initiator SPI : 3B9723AE12F1065B - Responder SPI : 6F2138C6FAB1725E Message id: 5
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

Nov 21 09:47:25.398: IKEv2:(SESSION ID = 252,SA ID = 1):Auth exchange failed
Nov 21 09:47:25.398: IKEv2-ERROR:(SESSION ID = 252,SA ID = 1):: Auth exchange failed
Nov 21 09:47:25.398: IKEv2:(SESSION ID = 252,SA ID = 1):Abort exchange
Nov 21 09:47:25.398: IKEv2:(SESSION ID = 252,SA ID = 1):Deleting SA
Nov 21 09:47:25.398: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Nov 21 09:47:25.398: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

 

But here is the strange part: the same configuration works fine on my C8000v, and it is the same software version too. I'm really puzzled. Does the hardware box have some special trick to it? Please discuss, everyone...
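Reading the debug above top to bottom, the session gets through IKE_SA_INIT, matches the IKEv2 profile, completes the AnyConnect EAP exchange ("Sending AnyConnect EAP success status message"), passes "Verification of peer's authentication data PASSED" and receives the AAA authorization response; it then fails at "DVTI creation failed in OSAL" (preceded by "Address type ... not supported"), and only 25 seconds later does the responder print "Verification of peer's authentication data FAILED" and send AUTHENTICATION_FAILED. The closing notify is cleanup, not the cause. The Python below is an added example, not part of this thread or of any Cisco tool: it walks "debug crypto ikev2" lines in this format, records the last milestone reached before each IKEv2-ERROR, and reports the stage at which the session actually broke. The milestone marker strings are taken verbatim from the debug above; the stage names, the hint text and the decision to treat the "unsupported attrib ... in cfg-req" lines as noise are this example's own assumptions, and the sample log is a constructed, shortened subset of the debug above.

```python
"""Triage an IOS XE 'debug crypto ikev2' capture of an AnyConnect-EAP FlexVPN session.
Added example for this thread, not a Cisco tool: it records how far the responder got
before the real IKEv2-ERROR lines began, so a DVTI failure is not read as an auth failure."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Milestones in the order IOS XE prints them for a session that is going well.
# Every marker string is taken verbatim from the debug posted in this thread.
MILESTONES = [
    ("ike_sa_init",   "Completed SA init exchange"),
    ("profile_match", "found matching IKEv2 profile"),
    ("eap_start",     "Sending AnyConnect EAP 'hello' request"),
    ("eap_success",   "Sending AnyConnect EAP success status message"),
    ("peer_auth",     "Verification of peer's authentication data PASSED"),
    ("authorization", "Received AAA authorisation response"),
    ("dvti_request",  "DVTI create request sent"),
]
TERMINAL_FAILURE = "Auth exchange failed"
# Assumption: the per-attribute "unsupported attrib ... in cfg-req" lines concern
# optional client config attributes and are treated as noise, not as faults.
NOISE = ("unsupported attrib",)
# Heuristic hints (this example's own wording) keyed by the last milestone reached.
HINTS = {
    "ike_sa_init":   "no IKEv2 profile matched the peer identity",
    "profile_match": "AnyConnect EAP never started: IKEv2 profile / trustpoint",
    "eap_start":     "AAA authentication (EAP) did not succeed",
    "eap_success":   "post-EAP AUTH payload verification",
    "peer_auth":     "group/user authorization (AAA)",
    "authorization": "DVTI never requested: virtual-template in the IKEv2 profile",
    "dvti_request":  "virtual-access creation from the virtual-template "
                     "(tunnel mode / tunnel protection / ip unnumbered)",
}
ERROR_RE = re.compile(r"IKEv2-ERROR:(?:\(SESSION ID = \d+,SA ID = \d+\))?[:%\s]*(.*)")


@dataclass
class Triage:
    reached: list[str] = field(default_factory=list)            # milestones seen, in order
    errors: dict[str, list[str]] = field(default_factory=dict)  # stage -> errors seen there
    failed: bool = False

    @property
    def last_stage(self) -> str:
        return self.reached[-1] if self.reached else "none"

    def verdict(self) -> str:
        if not self.failed:
            return f"no terminal failure; last milestone: {self.last_stage}"
        hint = HINTS.get(self.last_stage, "IKE_SA_INIT never completed: reachability/proposal/policy")
        msg = f"failed after '{self.last_stage}' ({hint})"
        errs = self.errors.get(self.last_stage)
        if errs:
            msg += f"; first error at that stage: {errs[0]}"
        if "peer_auth" in self.reached:
            msg += ("; note: peer authentication had already PASSED, so the closing "
                    "AUTHENTICATION_FAILED notify is cleanup, not the cause")
        return msg


def triage(lines) -> Triage:
    t = Triage()
    next_idx = 0                       # milestones are only accepted in order
    for line in lines:
        for i in range(next_idx, len(MILESTONES)):
            if MILESTONES[i][1] in line:
                t.reached.append(MILESTONES[i][0])
                next_idx = i + 1
                break
        if TERMINAL_FAILURE in line:
            t.failed = True
            continue
        m = ERROR_RE.search(line)
        if m:
            text = m.group(1).strip()
            if text and not any(n in text for n in NOISE):
                t.errors.setdefault(t.last_stage, []).append(text)
    return t


# Constructed sample: a shortened subset of the debug above, same line formats.
SAMPLE_DEBUG = """\
Nov 21 09:46:56.690: IKEv2:(SESSION ID = 252,SA ID = 1):Completed SA init exchange
Nov 21 09:46:56.732: IKEv2:found matching IKEv2 profile 'acvpn-ikev2-profile'
Nov 21 09:46:56.791: IKEv2:(SESSION ID = 252,SA ID = 1):Sending AnyConnect EAP 'hello' request
Nov 21 09:47:00.357: IKEv2-ERROR:AnyConnect EAP - failed to get author list
Nov 21 09:47:00.372: IKEv2:(SESSION ID = 252,SA ID = 1):Sending AnyConnect EAP success status message
Nov 21 09:47:00.383: IKEv2:(SESSION ID = 252,SA ID = 1):Verification of peer's authentication data PASSED
Nov 21 09:47:00.384: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
Nov 21 09:47:00.392: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
Nov 21 09:47:00.394: IKEv2:% DVTI create request sent for profile acvpn-ikev2-profile with PSH index 1.
Nov 21 09:47:00.421: IKEv2-ERROR:Address type 2157777920 not supported
Nov 21 09:47:00.421: IKEv2-ERROR:(SESSION ID = 0,SA ID = 0):DVTI creation failed in OSAL
Nov 21 09:47:25.398: IKEv2-ERROR:(SESSION ID = 252,SA ID = 1):: Auth exchange failed
"""

if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG.splitlines()).verdict())
```

Run against the full debug above it reports the failure after 'dvti_request' with "Address type 2157777920 not supported" as the first error at that stage, which points at the virtual-template rather than at certificates or AAA; the earlier "failed to get author list" error is recorded under 'eap_start' but did not stop the session, since EAP success was sent afterwards.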

1 accepted solution

Accepted solution

wuhao0015
Spotlight

Everyone, the problem is solved. One piece of configuration was something I took for granted: tunnel mode ipsec dual-overlay needs to be changed to tunnel mode ipsec ipv4. Since I have dual-stack addresses I assumed dual-stack could be configured, but it turns out it can't. There are a few more points worth noting that I want to share with you.

1. The official site says you must request a personal certificate; I tried it and a self-signed certificate works too.

2. About the AnyConnect profile: the file name must be acvpn.xml.

3. On my side, IOS versions 17.7 and 15.8 both dial in successfully; on 15.8 the BypassDownloader option has to be set to true for it to work.

Official documentation: https://www.cisco.com/c/zh_cn/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

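The fix in the accepted answer, together with the references the debug shows IOS resolving at connect time (IKEv2 profile to AAA lists and authorization policy, IKEv2 profile to virtual-template, virtual-template to tunnel protection to IPsec profile and back to the IKEv2 profile), can be checked before anyone dials in. The Python below is an added example, not part of this thread or of any Cisco tool: it splits an IOS-style configuration into indent-based blocks and reports every dangling reference, and it applies the accepted answer's rule that the virtual-template must carry "tunnel mode ipsec ipv4". The two sample configurations are constructed: a cut-down copy of the failing configuration posted above (still with dual-overlay), and the same text with the accepted answer's change applied. The sample deliberately omits an "aaa authentication login acvpn-aaa-authen" line, which the paste above does not show either (it may simply have been left out of the paste), so that check fires as well.

```python
"""Lint an IOS XE FlexVPN + AnyConnect (anyconnect-eap) configuration.
Added example for this thread, not a Cisco tool. It follows the references IOS resolves
at connect time (IKEv2 profile -> AAA lists / authorization policy -> virtual-template ->
tunnel protection -> IPsec profile -> back to the IKEv2 profile) and applies the accepted
answer's rule that the virtual-template must use 'tunnel mode ipsec ipv4'."""
from __future__ import annotations

EXPECTED_TUNNEL_MODE = "tunnel mode ipsec ipv4"   # per the accepted answer above


def parse_blocks(cfg: str) -> list[tuple[str, list[str]]]:
    """Split an IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():                  # indented: part of the current block
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint_anyconnect_flexvpn(cfg: str) -> list[str]:
    blocks = parse_blocks(cfg)

    def has_top(*words: str) -> bool:         # a top-level command starts with these tokens
        return any(h.split()[:len(words)] == list(words) for h, _ in blocks)

    def body_of(*words: str) -> list[str] | None:
        return next((b for h, b in blocks if h.split()[:len(words)] == list(words)), None)

    findings: list[str] = []
    for head, body in blocks:
        if not head.startswith("crypto ikev2 profile ") or \
                not any(ln.startswith("authentication remote anyconnect-eap") for ln in body):
            continue
        prof = head.split()[3]
        for ln in body:                       # AAA lists / policy the profile names
            w = ln.split()
            if ln.startswith("aaa authentication anyconnect-eap ") and \
                    not has_top("aaa", "authentication", "login", w[3]):
                findings.append(f"{prof}: aaa authentication login list '{w[3]}' is not defined")
            if ln.startswith("aaa authorization group anyconnect-eap list "):
                if not has_top("aaa", "authorization", "network", w[5]):
                    findings.append(f"{prof}: aaa authorization network list '{w[5]}' is not defined")
                if len(w) > 6 and not has_top("crypto", "ikev2", "authorization", "policy", w[6]):
                    findings.append(f"{prof}: ikev2 authorization policy '{w[6]}' is not defined")
        vt = next((ln.split()[1] for ln in body if ln.startswith("virtual-template ")), None)
        if vt is None:
            findings.append(f"{prof}: no virtual-template configured")
            continue
        vt_body = body_of("interface", f"Virtual-Template{vt}")
        if vt_body is None:
            findings.append(f"{prof}: interface Virtual-Template{vt} does not exist")
            continue
        mode = next((ln for ln in vt_body if ln.startswith("tunnel mode ")), "(none)")
        if mode != EXPECTED_TUNNEL_MODE:
            findings.append(f"{prof}: Virtual-Template{vt} has '{mode}', expected '{EXPECTED_TUNNEL_MODE}'")
        if not any(ln.startswith(("ip unnumbered ", "ip address ")) for ln in vt_body):
            findings.append(f"{prof}: Virtual-Template{vt} has no IPv4 address / ip unnumbered")
        prot = next((ln.split()[-1] for ln in vt_body if ln.startswith("tunnel protection ipsec profile ")), None)
        if prot is None:
            findings.append(f"{prof}: Virtual-Template{vt} has no tunnel protection")
            continue
        ipsec_body = body_of("crypto", "ipsec", "profile", prot)
        if ipsec_body is None:
            findings.append(f"{prof}: crypto ipsec profile '{prot}' does not exist")
            continue
        bound = next((ln.split()[-1] for ln in ipsec_body if ln.startswith("set ikev2-profile ")), None)
        if bound != prof:
            findings.append(f"{prof}: ipsec profile '{prot}' binds ikev2-profile '{bound}', not '{prof}'")
    return findings


# Constructed sample: the relevant part of the config posted above, as it failed
# (no 'aaa authentication login acvpn-aaa-authen' line, as in the paste above).
BROKEN_CONFIG = """\
aaa authorization network acvpn-aaa-author local
crypto ikev2 authorization policy acvpn-ikev2-auth-policy
 pool acvpn-ipv4-pool
crypto ikev2 profile acvpn-ikev2-profile
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 aaa authentication anyconnect-eap acvpn-aaa-authen
 aaa authorization group anyconnect-eap list acvpn-aaa-author acvpn-ikev2-auth-policy
 virtual-template 10
crypto ipsec profile acvpn-profile
 set ikev2-profile acvpn-ikev2-profile
interface Virtual-Template10 type tunnel
 ip unnumbered Dialer1
 tunnel mode ipsec dual-overlay
 tunnel protection ipsec profile acvpn-profile
"""
# The same config with the accepted answer's fix and the missing login list added.
FIXED_CONFIG = "aaa authentication login acvpn-aaa-authen local\n" + \
    BROKEN_CONFIG.replace("tunnel mode ipsec dual-overlay", EXPECTED_TUNNEL_MODE)

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_anyconnect_flexvpn(cfg) or ["OK"])
```

The checks are deliberately limited to what the thread supports: reference integrity and the tunnel mode. They say nothing about whether the certificate in the trustpoint is one the clients trust, or whether "revocation-check none" is acceptable outside a lab; those are judgement calls the linter cannot make.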
