ASA AnyConnect IKEv2 question (after adding the IPsec protocol the client can connect; IKEv2 does not pass traffic, DTLS does)

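Posted 2017-12-25 22:13:38
[Attached images: IKEV2.jpg, DTLS.jpg, 11250.jpg]

Using the same group policy and profile: when I connect with SSL VPN I can ping the internal network segment. After disconnecting and connecting with IKEv2, the connection itself succeeds but I cannot ping the internal network segment. Strange.
The address assigned on connection is the same in both cases; both are obtained from the same address pool.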


Posted 2017-12-26 10:27:24
packet-input is a good command

Posted 2018-1-2 15:04:28
The OP may want to take a look at this:
Cannot ping from Anyconnect client IP toward LAN
https://supportforums.cisco.com/ ... rd-lan/td-p/2889683

Posted 2018-1-4 12:24:26

Posted 2018-1-8 10:59:08
Thank you for your question. If your problem has been solved, please mark the best answer to encourage the users who helped you!

OP | Posted 2018-1-8 20:47:58
Not solved, still frustrated. Rebooting the ASA made no difference.

OP | Posted 2018-1-8 20:48:49
Not solved, still frustrated.

OP | Posted 2018-1-8 20:49:12
Not solved, still frustrated.

OP | Posted the day before yesterday 12:29
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal IKEv2
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map IKEv2-Dymap 100 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map IKEv2-Dymap 100 set reverse-route
crypto map IKEv2-Map 100 ipsec-isakmp dynamic IKEv2-Dymap
crypto map IKEv2-Map interface outside
crypto ca trustpoint ASA-CA
enrollment url http://10.144.46.33:80
fqdn asa.czxyzhb.org
subject-name cn=asa.czxyzhb.org, ou=zonghebu
keypair SSLVPN-Key
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASA-CA
certificate ca 01
  quit
certificate 02
  quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2   
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASA-CA
ssl trust-point ASA-CA
ssl trust-point ASA-CA outside
webvpn
port 12345   
enable outside
anyconnect image disk0:/anyconnect-win-4.5.02036-webdeploy-k9.pkg 1
anyconnect profiles CZkkk-VPN disk0:/czkkk-vpn.xml
anyconnect profiles test_client_profile disk0:/test_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
  disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy GroupPolicy_test internal
group-policy GroupPolicy_test attributes
wins-server none
dns-server value 10.57.113.132
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Vpnclient_splitTunnelAcl
default-domain value czxyzhb.org
webvpn
  anyconnect profiles value test_client_profile type user
group-policy czkkkpolicy internal
group-policy czkkkpolicy attributes
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Vpnclient_splitTunnelAcl
default-domain value asa.czxyzhb.org
address-pools value SSLClientPool
webvpn
  anyconnect profiles value CZkkk-VPN type user
username (omitted)
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool Web-Access-Pool
authentication-server-group acs
default-group-policy GroupPolicy_test
tunnel-group test webvpn-attributes
group-alias Web-Access enable
group-alias test disable
tunnel-group Both-Pass type remote-access
tunnel-group Both-Pass general-attributes
address-pool SSLClientPool
authentication-server-group acs
default-group-policy czkkkpolicy
tunnel-group Both-Pass webvpn-attributes
group-alias Czxy enable
!
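The address pool assignment and NAT translation are omitted, because it is all one address pool: after connecting with DTLS traffic passes, with IPsec IKEv2 it does not. Both use the same address pool, the same IP and the same NAT translation.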
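
The thread states that the SSL and IKEv2 sessions share one group policy and address pool. As an added example (not part of the original posts), the following Python sketch parses the tunnel-group and group-policy lines of the posted configuration and reports, for each remote-access tunnel-group, the effective policy, permitted tunnel protocols and pool. `SAMPLE` and `summarize` are hypothetical names, and the inheritance rules noted in the comments are assumptions about ASA behaviour.

```python
# Constructed sample: remote-access lines of the posted configuration, indentation lost.
SAMPLE = """\
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy GroupPolicy_test attributes
vpn-tunnel-protocol ssl-client ssl-clientless
group-policy czkkkpolicy attributes
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
address-pools value SSLClientPool
tunnel-group DefaultL2LGroup ipsec-attributes
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool Web-Access-Pool
default-group-policy GroupPolicy_test
tunnel-group Both-Pass type remote-access
tunnel-group Both-Pass general-attributes
address-pool SSLClientPool
default-group-policy czkkkpolicy
"""

def summarize(config):
    """Map each remote-access tunnel-group to its policy, protocols and pool."""
    policies, groups, ctx = {}, {}, None
    for words in (line.split() for line in config.splitlines()):
        if len(words) >= 3 and words[0] in ("group-policy", "tunnel-group"):
            # Section header: the sub-commands that follow belong to this object.
            store = policies if words[0] == "group-policy" else groups
            ctx = store.setdefault(words[1], {})
            if words[2] == "type":
                ctx["type"] = words[-1]
        elif ctx is None or not words:
            continue
        elif words[0] == "vpn-tunnel-protocol":
            ctx["protocols"] = words[1:]
        elif words[0] in ("address-pool", "address-pools"):
            ctx["pool"] = [w for w in words[1:] if w != "value"]
        elif words[0] == "default-group-policy":
            ctx["policy"] = words[1]
    default, report = policies.get("DfltGrpPolicy", {}), {}
    for name, tg in groups.items():
        if tg.get("type") == "remote-access":
            gp = policies.get(tg.get("policy", "DfltGrpPolicy"), {})
            report[name] = {
                "policy": tg.get("policy", "DfltGrpPolicy"),
                # Assumed: unset attributes inherit from DfltGrpPolicy; policy pool wins.
                "protocols": gp.get("protocols", default.get("protocols", [])),
                "pool": gp.get("pool", tg.get("pool", [])),
            }
    return report
```

On the posted lines, only `Both-Pass` permits `ikev2`, and both protocols there resolve to `SSLClientPool`, which matches the poster's description; the omitted NAT and pool sections are outside what this check can see.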