Thursday, November 27, 2014

Cisco ASA VPN L2TP/IPsec, errore 691
Last Post 02/09/2011 15:50 by Raffaele. 0 Replies.
Author: Raffaele (Full Member, 153 posts)
02/09/2011 15:50
Hello everyone, I am opening this topic about my problem with the VPN connection, to ask for your help!

I would like to configure my ASA5510 to accept L2TP/IPsec connections from Windows clients.

I would like authentication to be done with AD login credentials.

When I try to connect I get error 691.

I enabled the following debugs on the box:

debug crypto isakmp 3
debug crypto ipsec 3
debug ldap 255

I tried with different operating systems (XP and Seven) but I always get the same error.

I set up the client like this:
Security -> VPN type -> L2TP/IPsec
Encryption -> require encryption (disconnect if the server declines)
Protocols -> Microsoft CHAP v2 (only)
Advanced settings -> pre-shared key

The domain user being used is enabled for incoming (dial-in) calls.

The LDAP authentication test succeeds. With the same credentials I can connect to the SSL portal without problems and I can see all the shared resources.

As you can see from the debug, the LDAP call for authentication is never made.

Below is all the related information.

I hope you can help me solve this problem, thanks.

CONFIGURATION:

FIREWALLP01# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname FIREWALLP01
domain-name MAIOR.local
enable password xx encrypted
passwd xx encrypted
names
name 79.yy.yy.73 ROUTERP01
name 79.yy.yy.75 Pubblica_HTTP
name 79.yy.yy.76 Pubblica_VOIP
name 192.168.90.2 SERVERP02
name 192.168.90.3 SERVERP03
name 192.168.92.4 SERVERP04
!
interface Ethernet0/0
 nameif Pubblica_SIADSL
 security-level 0
 ip address 79.yy.yy.74 255.255.255.248
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.90.254 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 98
 ip address 192.168.92.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup Pubblica_SIADSL
dns domain-lookup LAN
dns domain-lookup DMZ
dns domain-lookup management
dns server-group DefaultDNS
 name-server SERVERP02
 domain-name MAIOR.local
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service rtp udp
 port-object range 9000 9049
access-list Pubblica_SIADSL_access_in extended permit udp any host Pubblica_VOIP object-group rtp
access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_VOIP eq sip
access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_HTTP eq sip
access-list LAN_nat0_outbound extended permit ip any 192.168.90.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Pubblica_SIADSL 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN_pool 192.168.90.120-192.168.90.129 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (Pubblica_SIADSL) 1 interface
global (DMZ) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 0.0.0.0 0.0.0.0
static (DMZ,Pubblica_SIADSL) Pubblica_HTTP SERVERP04 netmask 255.255.255.255
static (LAN,Pubblica_SIADSL) Pubblica_VOIP SERVERP03 netmask 255.255.255.255
access-group Pubblica_SIADSL_access_in in interface Pubblica_SIADSL
route Pubblica_SIADSL 0.0.0.0 0.0.0.0 ROUTERP01 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list value Link
aaa-server SERVERP02 protocol ldap
aaa-server SERVERP02 (LAN) host SERVERP02
 ldap-base-dn DC=MAIOR,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=MAIOR,DC=local
 server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map Pubblica_SIADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Pubblica_SIADSL_map interface Pubblica_SIADSL
crypto isakmp enable Pubblica_SIADSL
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable Pubblica_SIADSL
 enable LAN
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.90.2
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value MAIOR.local
username test password xx== nt-encrypted
username test attributes
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_pool
 authentication-server-group SERVERP02
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group SERVERP02
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ffe1f28f423d367f684be645cffe220b
: end
FIREWALLP01#

DEBUG:

Sep 02 12:30:37 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Sep 02 12:30:37 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Sep 02 12:30:37 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Sep 02 12:30:37 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Sep 02 12:30:38 [IKEv1]: IP = 82.xx.xx.84, Connection landed on tunnel_group DefaultRAGroup
Sep 02 12:30:38 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Sep 02 12:30:38 [IKEv1]: IP = 82.xx.xx.84, Connection landed on tunnel_group DefaultRAGroup
Sep 02 12:30:38 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, PHASE 1 COMPLETED
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Received remote Proxy Host data in ID Payload:  Address 192.168.1.2, Protocol 17, Port 1701
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Received local Proxy Host data in ID Payload:  Address 79.yy.yy.74, Protocol 17, Port 1701
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0xDA884448,
    SCB: 0xD9211698,
    Direction: inbound
    SPI      : 0x17C543BD
    Session ID: 0x0004D000
    VPIF num  : 0x00000001
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xDA376928,
    SCB: 0xD9177400,
    Direction: outbound
    SPI      : 0xE0C5442F
    Session ID: 0x0004D000
    VPIF num  : 0x00000001
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xE0C5442F
IPSEC: Creating outbound VPN context, SPI 0xE0C5442F
    Flags: 0x00000225
    SA   : 0xDA376928
    SPI  : 0xE0C5442F
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x0723D533
    Channel: 0xD5E98360
IPSEC: Completed outbound VPN context, SPI 0xE0C5442F
    VPN handle: 0x00093414
IPSEC: New outbound encrypt rule, SPI 0xE0C5442F
    Src addr: 79.yy.yy.74
    Src mask: 255.255.255.255
    Dst addr: 82.xx.xx.84
    Dst mask: 255.255.255.255
    Src ports
      Upper: 1701
      Lower: 1701
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xE0C5442F
    Rule ID: 0xD9177580
IPSEC: New outbound permit rule, SPI 0xE0C5442F
    Src addr: 79.yy.yy.74
    Src mask: 255.255.255.255
    Dst addr: 82.xx.xx.84
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound permit rule, SPI 0xE0C5442F
    Rule ID: 0xDA156058
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Security negotiation complete for User ()  Responder, Inbound SPI = 0x17c543bd, Outbound SPI = 0xe0c5442f
IPSEC: Completed host IBSA update, SPI 0x17C543BD
IPSEC: Creating inbound VPN context, SPI 0x17C543BD
    Flags: 0x00000226
    SA   : 0xDA884448
    SPI  : 0x17C543BD
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x00093414
    SCB  : 0x0723293D
    Channel: 0xD5E98360
IPSEC: Completed inbound VPN context, SPI 0x17C543BD
    VPN handle: 0x00094BB4
IPSEC: Updating outbound VPN context 0x00093414, SPI 0xE0C5442F
    Flags: 0x00000225
    SA   : 0xDA376928
    SPI  : 0xE0C5442F
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00094BB4
    SCB  : 0x0723D533
    Channel: 0xD5E98360
IPSEC: Completed outbound VPN context, SPI 0xE0C5442F
    VPN handle: 0x00093414
IPSEC: Completed outbound inner rule, SPI 0xE0C5442F
    Rule ID: 0xD9177580
IPSEC: Completed outbound outer SPD rule, SPI 0xE0C5442F
    Rule ID: 0xDA156058
IPSEC: New inbound tunnel flow rule, SPI 0x17C543BD
    Src addr: 82.xx.xx.84
    Src mask: 255.255.255.255
    Dst addr: 79.yy.yy.74
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 1701
      Lower: 1701
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x17C543BD
    Rule ID: 0xDA1563E0
IPSEC: New inbound decrypt rule, SPI 0x17C543BD
    Src addr: 82.xx.xx.84
    Src mask: 255.255.255.255
    Dst addr: 79.yy.yy.74
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound decrypt rule, SPI 0x17C543BD
    Rule ID: 0xDA13F1F0
IPSEC: New inbound permit rule, SPI 0x17C543BD
    Src addr: 82.xx.xx.84
    Src mask: 255.255.255.255
    Dst addr: 79.yy.yy.74
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound permit rule, SPI 0x17C543BD
    Rule ID: 0xD9177340
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, PHASE 2 COMPLETED (msgid=00000001)
Sep 02 12:30:39 [IKEv1]: IKEQM_Active() Add L2TP classification rules: ip <82.xx.xx.84> mask <0xFFFFFFFF> port <4500>

[112] Session Start
[112] New request Session, context 0xd7b19410, reqType = Authentication
[112] Fiber started
[112] Failed: The username or password is blank
[112] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[112] Session End
IPSEC: Deleted outbound encrypt rule, SPI 0xE0C5442F
    Rule ID: 0xD9177580
IPSEC: Deleted outbound permit rule, SPI 0xE0C5442F
    Rule ID: 0xDA156058
IPSEC: Deleted outbound VPN context, SPI 0xE0C5442F
    VPN handle: 0x00093414
IPSEC: Deleted inbound decrypt rule, SPI 0x17C543BD
    Rule ID: 0xDA13F1F0
IPSEC: Deleted inbound permit rule, SPI 0x17C543BD
    Rule ID: 0xD9177340
IPSEC: Deleted inbound tunnel flow rule, SPI 0x17C543BD
    Rule ID: 0xDA1563E0
IPSEC: Deleted inbound VPN context, SPI 0x17C543BD
    VPN handle: 0x00094BB4
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Session is being torn down. Reason: L2TP initiated

LICENSING:

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 50
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 0
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.
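The debug output in the post is the place where, in the poster's words, the LDAP call never happens. As an added example (not part of the original post), the Python below walks that kind of ASA `debug crypto isakmp` / `debug ldap` output, records how far the L2TP/IPsec session got (tunnel-group match, NAT-T detection, phase 1, phase 2, the AAA fiber) and reads the AAA fiber's `Tx`/`Rx` byte counters to tell a failure inside the ASA from a rejection by the server: `Tx=0 bytes Rx=0 bytes` means nothing was ever sent to the AAA server. The sample lines are a subset copied from the post (the peer address is masked there as `82.xx.xx.84` and is kept that way); the regexes, the `L2tpSession` record and the wording of `diagnose()` are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the debug lines from the post above (peer address masked there).
SAMPLE_DEBUG = """\
Sep 02 12:30:37 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Sep 02 12:30:37 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Sep 02 12:30:38 [IKEv1]: IP = 82.xx.xx.84, Connection landed on tunnel_group DefaultRAGroup
Sep 02 12:30:38 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Sep 02 12:30:38 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, PHASE 1 COMPLETED
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Received remote Proxy Host data in ID Payload:  Address 192.168.1.2, Protocol 17, Port 1701
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, PHASE 2 COMPLETED (msgid=00000001)
[112] Session Start
[112] New request Session, context 0xd7b19410, reqType = Authentication
[112] Fiber started
[112] Failed: The username or password is blank
[112] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[112] Session End
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Session is being torn down. Reason: L2TP initiated
"""

RE_LANDED = re.compile(r"IP = ([\w.]+), Connection landed on tunnel_group (\S+)")
RE_NAT = re.compile(r"Remote end\s+(IS|is NOT)\s+behind a NAT device")
RE_AAA_START = re.compile(r"^\[(\d+)\] Session Start")
RE_AAA_FAIL = re.compile(r"^\[(\d+)\] Failed: (.*)$")
RE_AAA_EXIT = re.compile(r"^\[(\d+)\] Fiber exit Tx=(\d+) bytes Rx=(\d+) bytes, status=(-?\d+)")
RE_TEARDOWN = re.compile(r"Session is being torn down\. Reason: (.*)$")


@dataclass
class L2tpSession:
    peer_ip: Optional[str] = None
    tunnel_group: Optional[str] = None
    # Proposals the ASA rejected while scanning the client's IKE SA offer:
    # harmless when PHASE 1 COMPLETED follows, a real mismatch when it does not.
    phase1_rejected_proposals: int = 0
    remote_behind_nat: Optional[bool] = None
    phase1_completed: bool = False
    phase2_completed: bool = False
    aaa_session: Optional[str] = None
    aaa_failure: Optional[str] = None
    aaa_tx_bytes: Optional[int] = None
    aaa_rx_bytes: Optional[int] = None
    aaa_status: Optional[int] = None
    teardown_reason: Optional[str] = None


def parse_debug(text: str) -> L2tpSession:
    """Fold IKEv1 and AAA debug lines into one session record."""
    s = L2tpSession()
    for line in text.splitlines():
        if "Phase 1 failure:" in line and "Mismatched attribute" in line:
            s.phase1_rejected_proposals += 1
        elif m := RE_LANDED.search(line):
            s.peer_ip, s.tunnel_group = m.group(1), m.group(2)
        elif m := RE_NAT.search(line):
            s.remote_behind_nat = m.group(1) == "IS"
        elif "PHASE 1 COMPLETED" in line:
            s.phase1_completed = True
        elif "PHASE 2 COMPLETED" in line:
            s.phase2_completed = True
        elif m := RE_AAA_START.match(line):
            s.aaa_session = m.group(1)
        elif m := RE_AAA_FAIL.match(line):
            s.aaa_failure = m.group(2)
        elif m := RE_AAA_EXIT.match(line):
            s.aaa_tx_bytes, s.aaa_rx_bytes = int(m.group(2)), int(m.group(3))
            s.aaa_status = int(m.group(4))
        elif m := RE_TEARDOWN.search(line):
            s.teardown_reason = m.group(1)
    return s


def diagnose(s: L2tpSession) -> str:
    """Name the first stage that did not complete, in the order the tunnel is built."""
    if s.tunnel_group is None:
        return "no tunnel-group match: the peer never got past the IKE SA proposal"
    if not s.phase1_completed:
        return "ISAKMP phase 1 failed: check pre-shared key, IKE policy and NAT-T"
    if not s.phase2_completed:
        return "IPsec phase 2 failed: check the transform set (L2TP needs transport mode)"
    if s.aaa_failure is None:
        return "IPsec up and no PPP authentication failure reported"
    if s.aaa_tx_bytes == 0 and s.aaa_rx_bytes == 0:
        return ("PPP authentication failed on the ASA before any request was sent "
                f"to the AAA server: {s.aaa_failure}")
    return f"AAA server rejected the user: {s.aaa_failure}"


if __name__ == "__main__":
    session = parse_debug(SAMPLE_DEBUG)
    print(session)
    print(diagnose(session))
```

Run it against a full `debug` capture rather than the excerpt and the same record tells you whether a 691 came from IKE, from the ASA's own PPP handling, or from the AAA server.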

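The running-config in the post also pins down the PPP side of the setup, and that is worth checking mechanically. Added example, not from the post: a Python checker that reads an ASA running-config, resolves each tunnel-group's `authentication-server-group` to its `aaa-server` protocol, compares the PPP methods enabled under `ppp-attributes` with what that server type can authenticate for L2TP/IPsec according to the "Authentication Server Support for L2TP over IPsec" table in Cisco's ASA VPN configuration guide (an LDAP bind can only verify a password it receives in the clear, so LDAP supports PAP alone; MS-CHAPv2 needs LOCAL or RADIUS), confirms the transform set on the dynamic map is in transport mode as Windows L2TP/IPsec clients require, and flags DES/3DES/MD5/DH group 2 in the IKE policy and transform sets. The embedded excerpt is copied from the post with the ASA's one-space sub-command indentation restored; the `PPP_DEFAULTS` values are taken from ASA documentation and are an assumption to confirm on the box with `show running-config all`. Whether this is what produced the 691 in the thread is not something the post settles; it is the first thing a practitioner would rule out.

```python
from collections import defaultdict

# Excerpt of the running-config in the post, limited to what the checks read.
# The forum extraction flattened the indentation; the ASA's one-space
# sub-command indentation is restored here because the parser relies on it.
CONFIG_EXCERPT = """\
aaa-server SERVERP02 protocol ldap
aaa-server SERVERP02 (LAN) host SERVERP02
 ldap-base-dn DC=MAIOR,DC=local
 ldap-naming-attribute sAMAccountName
 server-type microsoft
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_pool
 authentication-server-group SERVERP02
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
"""

# PPP methods each AAA server type can back for L2TP/IPsec, from the
# "Authentication Server Support for L2TP over IPsec" table in Cisco's ASA VPN
# configuration guide: LDAP, Kerberos, NT and SDI only ever get the cleartext
# password, so PAP is all they can do; the CHAP family needs LOCAL or RADIUS.
SUPPORTED_PPP = {
    "local": {"pap", "chap", "ms-chap-v1", "ms-chap-v2"},
    "radius": {"pap", "chap", "ms-chap-v1", "ms-chap-v2"},
    "ldap": {"pap"}, "kerberos": {"pap"}, "nt": {"pap"}, "sdi": {"pap"},
}
# ppp-attributes defaults as documented for ASA 8.x (the running-config shows
# only deviations from them); assumption, confirm with "show running-config all".
PPP_DEFAULTS = {"pap": False, "chap": True, "ms-chap-v1": True,
                "ms-chap-v2": False, "eap-proxy": False}
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_asa_config(text):
    """Group an ASA config into (top-level command, [sub-commands]) pairs."""
    sections, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def check_l2tp_config(text):
    """Return findings (strings) about PPP/AAA compatibility and crypto strength."""
    server_proto = {}                               # aaa-server group -> protocol
    auth_group = defaultdict(lambda: "LOCAL")       # tunnel-group -> server group
    ppp = defaultdict(lambda: dict(PPP_DEFAULTS))   # tunnel-group -> method -> enabled
    transport_sets, dyn_sets, findings = set(), [], []
    for head, subs in parse_asa_config(text):
        w = head.split()
        if w[0] == "aaa-server" and "protocol" in w:
            server_proto[w[1]] = w[w.index("protocol") + 1]
        elif w[0] == "tunnel-group" and w[-1] == "general-attributes":
            for sub in subs:
                if sub.startswith("authentication-server-group "):
                    auth_group[w[1]] = sub.split()[-1]
        elif w[0] == "tunnel-group" and w[-1] == "ppp-attributes":
            for sub in subs:
                s = sub.split()
                if s[0] == "no" and s[1] == "authentication":
                    ppp[w[1]][s[2]] = False
                elif s[0] == "authentication":
                    ppp[w[1]][s[1]] = True
        elif head.startswith("crypto isakmp policy"):
            for sub in subs:
                k, _, v = sub.partition(" ")
                if v in WEAK_IKE.get(k, ()):
                    findings.append(f"{head}: weak {k} {v}")
        elif head.startswith("crypto ipsec transform-set"):
            if w[-2:] == ["mode", "transport"]:
                transport_sets.add(w[3])
            for alg in sorted(set(w[4:]) & WEAK_ESP):
                findings.append(f"transform-set {w[3]}: legacy algorithm {alg}")
        elif head.startswith("crypto dynamic-map") and "transform-set" in w:
            dyn_sets += w[w.index("transform-set") + 1:]
    for name in dyn_sets:
        if name not in transport_sets:
            findings.append(f"transform-set {name} on the dynamic map lacks 'mode transport'; "
                            "Windows L2TP/IPsec clients negotiate transport mode")
    for tg, methods in ppp.items():
        group = auth_group[tg]
        proto = "local" if group == "LOCAL" else server_proto.get(group, "unknown")
        enabled = {m for m, on in methods.items() if on}
        if not enabled & SUPPORTED_PPP.get(proto, set()):
            findings.append(f"tunnel-group {tg}: PPP methods {sorted(enabled)} enabled, but "
                            f"server group {group} ({proto}) can authenticate only "
                            f"{sorted(SUPPORTED_PPP.get(proto, set()))}")
    return findings


if __name__ == "__main__":
    for finding in check_l2tp_config(CONFIG_EXCERPT):
        print(finding)
```

On the excerpt the checker reports the 3DES and DH group 2 IKE policy, the DES/3DES/MD5 transform sets, and that `DefaultRAGroup` has only MS-CHAPv1/v2 enabled while its server group is LDAP. Either enabling `authentication pap` (and switching the Windows client to PAP, which then rides inside the IPsec tunnel) or pointing the tunnel-group at a RADIUS server group that fronts AD clears that last finding; the checker accepts both.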

Copyright 2011 by SysAdmin.it