This document shows, step by step, how to connect from a Windows 2000 client to a VPN 3000 Concentrator with the built-in L2TP/IPSec client. It assumes that you authenticate the connection to the VPN Concentrator with digital certificates issued by a stand-alone root Certificate Authority (CA) that does not use the Certificate Enrollment Protocol (CEP). Microsoft Certificate Services is used for illustration; refer to the Microsoft website for documentation on how to configure it.
Note: This is only an example, since the appearance of the Windows 2000 screens can differ.
There are no specific requirements for this document.
The information in this document applies to the Cisco VPN 3000 Concentrator series.
In this procedure you complete these steps:
Obtain a root certificate.
Obtain an identity certificate for the client.
Create a connection to the VPN 3000 with the help of the Network Connection Wizard.
Configure the VPN 3000 Concentrator.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Complete these steps to obtain the root certificate:
Open a browser window and enter the URL of the Microsoft Certificate Authority (usually http://servername/certsrv or http://<IP address of the CA>/certsrv).
The welcome window for certificate retrieval and requests appears.
In the Welcome window, under Select a task, select Retrieve the CA certificate or certificate revocation list, and click Next.
In the Retrieve the CA certificate or certificate revocation list window, click Install this CA certification path in the left corner.
This adds the CA certificate to the Trusted Root Certification Authorities store, which means that this client trusts every certificate this CA issues, including the one the VPN Concentrator presents.
Complete these steps to obtain an identity certificate for the client:
Open a browser window and enter the URL of the Microsoft Certificate Authority (usually http://servername/certsrv or http://<IP address of the CA>/certsrv).
The welcome window for certificate retrieval and requests appears.
In the Welcome window, under Select a task, select Request a certificate, and click Next.
In the Choose Request Type window, select Advanced request, and click Next.
In the Advanced Certificate Requests window, select Submit a certificate request to this CA using a form.
Fill in the fields as shown in this example.
The value of Department (Organizational Unit) must match the group configured on the VPN Concentrator. Do not specify a key size larger than 1024 (this is the limit the procedure was written against; by current standards RSA keys shorter than 2048 bits are considered weak, so treat the limit as a platform constraint rather than a recommendation). Be sure to check the Use local machine store check box, because the L2TP/IPSec connection authenticates with a machine certificate, not a user certificate. Click Next when you are done.
Depending on how the CA server is configured, a window can appear at this point stating that the request must be approved before the certificate is issued. If it does, contact the CA administrator.
Click Home to return to the main screen, select Check on a pending certificate, and click Next.
In the Certificate Issued window, click Install this certificate.
To view your client certificate, select Start > Run and run the Microsoft Management Console (MMC).
Click Console and select Add/Remove Snap-in.
Click Add and select Certificates from the list.
When the window that asks for the certificate scope appears, select Computer account.
Verify that the certificate of the CA server is under Trusted Root Certification Authorities. Also verify that you have a certificate by selecting Console Root > Certificates (Local Computer) > Personal > Certificates, as shown in this image.
Complete this procedure to create a connection to the VPN 3000 with the help of the Network Connection Wizard:
Right-click My Network Places, select Properties, and click Make New Connection.
In the Network Connection Type window, select Connect to a private network through the Internet, and click Next.
Enter the host name or IP address of the public interface of the VPN Concentrator, and click Next.
In the Connection Availability window, select Only for myself, and click Next.
In the Public Network window, select whether the initial connection (the ISP account) is dialed automatically.
On the Destination Address screen, enter the host name or IP address of the VPN 3000 Concentrator, and click Next.
In the Network Connection Wizard window, enter a name for the connection, and click Finish.
In this example the connection is named "Cisco corporate VPN".
In the Virtual Private Connection window, click Properties.
In the Properties window, select the Networking tab.
Under Type of VPN server I am calling, select L2TP from the drop-down menu, highlight Internet Protocol (TCP/IP), and click Properties.
Select Advanced > Options > Properties.
In the IP Security window, select Use this IP security policy.
Select the Client (Respond Only) policy from the drop-down menu, and click OK repeatedly until you return to the Connect screen.
To initiate the connection, enter your username and password, and click Connect.
Complete these steps to obtain the root certificate for the VPN 3000 Concentrator:
Point your browser at your CA (usually http://ip_add_of_ca/certsrv/), select Retrieve the CA certificate or certificate revocation list, and click Next.
Click Download CA certificate and save the file somewhere on your local disk.
On the VPN 3000 Concentrator, select Administration > Certificate Management, then click Click here to install a certificate and Install CA Certificate.
Click Upload File from Workstation.
Click Browse and select the CA certificate file you just downloaded.
Highlight the file name and click Install.
Complete these steps to obtain an identity certificate for the VPN 3000 Concentrator:
Select Administration > Certificate Management > Enroll > Identity Certificate, and click Enroll via PKCS10 Request (Manual). Fill in the form as shown below, and click Enroll.
A browser window pops up with the certificate request. It contains text similar to this output:
```
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBPDCB5wIBADBQMRUwEwYDVQQDEwx2cG4zMDAwLW5hbWUxDDAKBgNVBAsTA3Nu
czEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAcTA2J4bDELMAkGA1UEBhMCYmUwWjAN
BgkqhkiG9w0BAQEFAANJADBGAkEAx7K+pvE004qILNNw3kPVWXrdlqZV4yeOIPdh
C8/V5Yuqq5tMWY3L1W6DC0p256bvGqzd5fhqSkOhBVnNJ1Y/KQIBA6A0MDIGCSqG
SIb3DQEJDjElMCMwIQYDVR0RBBowGIIWdnBuMzAwMC1uYW1lLmNpc2NvLmNvbTAN
BgkqhkiG9w0BAQQFAANBABzcG3IKaWnDLFtrNf1QDi+D7w8dxPu74b/BRHn9fsKI
X6+X0ed0EuEgm1/2nfj8Ux0nV5F/c5wukUfysMmJ/ak=
-----END NEW CERTIFICATE REQUEST-----
```
Point your browser at your CA server, select Request a certificate, and click Next.
Select Advanced request, click Next, and then select Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file.
Click Next. Cut and paste the certificate request text shown above into the text area. Click Submit.
Depending on how the CA server is configured, you can click Download CA certificate right away. Otherwise, once the CA has issued the certificate, return to your CA server and select Check on a pending certificate.
Click Next, select your request, and click Next again.
Click Download CA certificate, and save the file to your local disk.
On the VPN 3000 Concentrator, select Administration > Certificate Management > Install, and click Install certificate obtained via enrollment.
You then see the pending request with a status of In Progress, as shown in this image.
Click Install, and then click Upload File from Workstation.
Click Browse and select the file that contains the certificate issued by the CA.
Highlight the file name and click Install.
Select Administration > Certificate Management. A screen similar to this image appears.
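The request the concentrator prints is an ordinary PKCS#10 structure, so it can be inspected before it is pasted into the CA form, and the same inspection applies to the client request from the earlier section, where the OU has to match the concentrator group. The script below is an added example for this page, not code from the original document or from the VPN 3000 software. It decodes the request shown above with a minimal DER walker from the Python standard library only, reports the subject, the subjectAltName, the RSA key parameters and the signature algorithm, and flags values a current CA policy would reject. The OID table and the thresholds in `weaknesses` are the editor's choices.

```python
import base64

# PKCS#10 request produced by the VPN 3000 Concentrator, copied from this page.
CSR_PEM = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBPDCB5wIBADBQMRUwEwYDVQQDEwx2cG4zMDAwLW5hbWUxDDAKBgNVBAsTA3Nu
czEOMAwGA1UEChMFY2lzY28xDDAKBgNVBAcTA2J4bDELMAkGA1UEBhMCYmUwWjAN
BgkqhkiG9w0BAQEFAANJADBGAkEAx7K+pvE004qILNNw3kPVWXrdlqZV4yeOIPdh
C8/V5Yuqq5tMWY3L1W6DC0p256bvGqzd5fhqSkOhBVnNJ1Y/KQIBA6A0MDIGCSqG
SIb3DQEJDjElMCMwIQYDVR0RBBowGIIWdnBuMzAwMC1uYW1lLmNpc2NvLmNvbTAN
BgkqhkiG9w0BAQQFAANBABzcG3IKaWnDLFtrNf1QDi+D7w8dxPu74b/BRHn9fsKI
X6+X0ed0EuEgm1/2nfj8Ux0nV5F/c5wukUfysMmJ/ak=
-----END NEW CERTIFICATE REQUEST-----"""

# Only the OIDs this check needs to name (editor's table, not exhaustive).
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.9.14": "extensionRequest",
    "2.5.29.17": "subjectAltName",
}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Decode every TLV packed inside a constructed value (SEQUENCE, SET, [0], ...)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                       # base-128 arcs, high bit set on continuation octets
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def oid_name(raw):
    oid = decode_oid(raw)
    return OID_NAMES.get(oid, oid)

def parse_csr(pem):
    """Extract subject, SAN, RSA key parameters and signature algorithm from a PEM PKCS#10."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    _, csr, _ = read_tlv(base64.b64decode(b64), 0)
    cri, sig_alg, _sig = children(csr)      # CertificationRequestInfo, AlgorithmIdentifier, BIT STRING
    _version, subject, spki, attrs = children(cri[1])
    # Subject: SEQUENCE OF RDN; each RDN is a SET of AttributeTypeAndValue (OID, string)
    rdns = []
    for _, rdn in children(subject[1]):
        for _, atv in children(rdn):
            oid, val = children(atv)
            rdns.append(f"{oid_name(oid[1])}={val[1].decode()}")
    # SubjectPublicKeyInfo: AlgorithmIdentifier + BIT STRING that wraps RSAPublicKey {n, e}
    alg, bitstr = children(spki[1])
    (_, rsa_key), = children(bitstr[1][1:])  # skip the unused-bits octet of the BIT STRING
    modulus, exponent = (int.from_bytes(v, "big") for _, v in children(rsa_key))
    # Attributes [0]: extensionRequest -> SET { SEQUENCE OF Extension }; pull out subjectAltName dNSNames
    san = []
    for _, attr in children(attrs[1]):
        attr_oid, attr_set = children(attr)
        if oid_name(attr_oid[1]) != "extensionRequest":
            continue
        for _, ext in children(children(attr_set[1])[0][1]):
            ext_oid, octet = children(ext)[0], children(ext)[-1]
            if oid_name(ext_oid[1]) == "subjectAltName":
                san += [v.decode() for t, v in children(children(octet[1])[0][1]) if t == 0x82]
    return {
        "subject": ",".join(rdns),
        "san": san,
        "key_alg": oid_name(children(alg[1])[0][1]),
        "key_bits": modulus.bit_length(),
        "exponent": exponent,
        "sig_alg": oid_name(children(sig_alg[1])[0][1]),
    }

def weaknesses(info):
    """Checks worth running before the request goes to the CA (thresholds are the editor's)."""
    findings = []
    if info["key_bits"] < 2048:
        findings.append(f"RSA modulus is only {info['key_bits']} bits; 2048 is the usual minimum today")
    if info["exponent"] == 3:
        findings.append("public exponent is 3; 65537 is the conventional choice")
    if info["sig_alg"].startswith(("md5", "sha1")):
        findings.append(f"request is self-signed with {info['sig_alg']}, a broken hash")
    return findings

if __name__ == "__main__":
    info = parse_csr(CSR_PEM)
    for key, value in info.items():
        print(f"{key:9} {value}")
    for finding in weaknesses(info):
        print("WARNING:", finding)
```

Run against the request on this page, the parser reports the subject CN=vpn3000-name,OU=sns,O=cisco,L=bxl,C=be, a SAN of vpn3000-name.cisco.com, a 512-bit RSA key with public exponent 3, and an MD5-based self-signature. A 512-bit key and an MD5 signature are exactly the parameters a current CA policy refuses, so this is the first thing to check when an enrollment from an old concentrator image is rejected; the OU value is also what the concentrator later uses for group lookup.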
Complete this procedure to configure the client pool:
To assign the range of available IP addresses, point your browser at the inside interface of the VPN 3000 Concentrator, and select Configuration > System > Address Management > Pools > Add.
Specify a range of IP addresses that does not conflict with any other device on the inside network, and click Add.
To tell the VPN 3000 Concentrator to use that pool, select Configuration > System > Address Management > Assignment, check the Use Address Pools box, and click Apply, as shown in this image.
Complete these steps to configure the IKE proposal:
Select Configuration > System > Tunneling Protocols > IPSec > IKE Proposals, click Add, and select the parameters as shown in this image.
Click Add, highlight the new proposal in the right column, and click Activate.
Complete these steps to configure the security association (SA):
Select Configuration > Policy Management > Traffic Management > SAs, and click ESP-L2TP-TRANSPORT.
If this SA is not available, or you use it for something else, create a new SA similar to this one. Different SA settings can be acceptable; change these parameters according to your security policy.
In the Digital Certificate drop-down menu, select the digital certificate configured earlier. Select the IKE-for-win2k Internet Key Exchange (IKE) proposal.
Note: This selection is not required. When an L2TP/IPSec client connects to the VPN Concentrator, all IKE proposals listed under the Active column on the Configuration > System > Tunneling Protocols > IPSec > IKE Proposals page are tried in order.
This image shows the configuration required for the SA:
Complete these steps to configure the group and user:
Select Configuration > User Management > Base Group.
Under the General tab, make sure L2TP over IPSec is checked.
Under the IPSec tab, select the ESP-L2TP-TRANSPORT SA.
Under the PPTP/L2TP tab, uncheck all L2TP Encryption options (the L2TP session is protected by the IPSec transport-mode SA, so PPP-level encryption is not needed).
Select Configuration > User Management > Users, and click Add.
Enter the name and password used to connect from the Windows 2000 client. Make sure Base Group is selected under Group Selection.
Under the General tab, check the L2TP over IPSec tunneling protocol.
Under the IPSec tab, select the ESP-L2TP-TRANSPORT SA.
Under the PPTP/L2TP tab, uncheck all L2TP Encryption options, and click Add.
You can now connect with the L2TP/IPSec Windows 2000 client.
Note: This procedure configures the base group to accept remote L2TP/IPSec connections. You can also configure a group whose name matches the Organizational Unit (OU) field of the client certificate to accept the incoming connections; the concentrator looks the group up by that OU during IKE. The configuration of such a group is identical.
The following debug output from the VPN 3000 Concentrator shows a successful L2TP/IPSec connection from the Windows 2000 client at 10.48.66.76:
```
269 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3868 10.48.66.76 Mismatched attr types for class DH Group: Rcv'd: Oakley Group 2 Cfg'd: Oakley Group 7
271 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3869 10.48.66.76 Phase 1 failure against global IKE proposal # 16: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 2 Cfg'd: Oakley Group 1
274 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3870 10.48.66.76 Proposal # 1, Transform # 2, Type ISAKMP, Id IKE Parsing received transform: Phase 1 failure against global IKE proposal # 1: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
279 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3871 10.48.66.76 Phase 1 failure against global IKE proposal # 2: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
282 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3872 10.48.66.76 Phase 1 failure against global IKE proposal # 3: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
285 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3873 10.48.66.76 Phase 1 failure against global IKE proposal # 4: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 2 Cfg'd: Oakley Group 1
288 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3874 10.48.66.76 Phase 1 failure against global IKE proposal # 5: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 2 Cfg'd: Oakley Group 1
291 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3875 10.48.66.76 Phase 1 failure against global IKE proposal # 6: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
294 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3876 10.48.66.76 Phase 1 failure against global IKE proposal # 7: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
297 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3877 10.48.66.76 Phase 1 failure against global IKE proposal # 8: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
300 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3878 10.48.66.76 Phase 1 failure against global IKE proposal # 9: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
303 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3879 10.48.66.76 Phase 1 failure against global IKE proposal # 10: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 2 Cfg'd: Oakley Group 1
306 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3880 10.48.66.76 Phase 1 failure against global IKE proposal # 11: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 2 Cfg'd: Oakley Group 1
309 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3881 10.48.66.76 Phase 1 failure against global IKE proposal # 12: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
312 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3882 10.48.66.76 Phase 1 failure against global IKE proposal # 13: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
315 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3883 10.48.66.76 Phase 1 failure against global IKE proposal # 14: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 2 Cfg'd: Oakley Group 1
318 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3884 10.48.66.76 Phase 1 failure against global IKE proposal # 15: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 2 Cfg'd: Oakley Group 7
321 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3885 10.48.66.76 Phase 1 failure against global IKE proposal # 16: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 2 Cfg'd: Oakley Group 1
324 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3886 10.48.66.76 Proposal # 1, Transform # 3, Type ISAKMP, Id IKE Parsing received transform: Phase 1 failure against global IKE proposal # 1: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
329 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3887 10.48.66.76 Phase 1 failure against global IKE proposal # 2: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
332 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3888 10.48.66.76 Phase 1 failure against global IKE proposal # 3: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
335 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3889 10.48.66.76 Phase 1 failure against global IKE proposal # 4: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
338 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3890 10.48.66.76 Phase 1 failure against global IKE proposal # 5: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
341 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3891 10.48.66.76 Phase 1 failure against global IKE proposal # 6: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
344 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3892 10.48.66.76 Phase 1 failure against global IKE proposal # 7: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
347 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3893 10.48.66.76 Phase 1 failure against global IKE proposal # 8: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
350 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3894 10.48.66.76 Phase 1 failure against global IKE proposal # 9: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
353 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3895 10.48.66.76 Phase 1 failure against global IKE proposal # 10: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
356 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3896 10.48.66.76 Phase 1 failure against global IKE proposal # 11: Mismatched attr types for class Hash Alg: Rcv'd: SHA Cfg'd: MD5
358 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3897 10.48.66.76 Phase 1 failure against global IKE proposal # 12: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
361 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3898 10.48.66.76 Phase 1 failure against global IKE proposal # 13: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
364 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3899 10.48.66.76 Phase 1 failure against global IKE proposal # 14: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
367 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3900 10.48.66.76 Phase 1 failure against global IKE proposal # 15: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 7
370 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3901 10.48.66.76 Phase 1 failure against global IKE proposal # 16: Mismatched attr types for class Hash Alg: Rcv'd: SHA Cfg'd: MD5
372 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3902 10.48.66.76 Proposal # 1, Transform # 4, Type ISAKMP, Id IKE Parsing received transform: Phase 1 failure against global IKE proposal # 1: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
377 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3903 10.48.66.76 Phase 1 failure against global IKE proposal # 2: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
380 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3904 10.48.66.76 Phase 1 failure against global IKE proposal # 3: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
383 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3905 10.48.66.76 Phase 1 failure against global IKE proposal # 4: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
386 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3906 10.48.66.76 Phase 1 failure against global IKE proposal # 5: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
389 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3907 10.48.66.76 Phase 1 failure against global IKE proposal # 6: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
392 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3908 10.48.66.76 Phase 1 failure against global IKE proposal # 7: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
395 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3909 10.48.66.76 Phase 1 failure against global IKE proposal # 8: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
398 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3910 10.48.66.76 Phase 1 failure against global IKE proposal # 9: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
401 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3911 10.48.66.76 Phase 1 failure against global IKE proposal # 10: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
404 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3912 10.48.66.76 Phase 1 failure against global IKE proposal # 11: Mismatched attr types for class Auth Method: Rcv'd: RSA signature with Certificates Cfg'd: Preshared Key
407 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3913 10.48.66.76 Phase 1 failure against global IKE proposal # 12: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
410 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3914 10.48.66.76 Phase 1 failure against global IKE proposal # 13: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
413 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3915 10.48.66.76 Phase 1 failure against global IKE proposal # 14: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
416 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3916 10.48.66.76 Phase 1 failure against global IKE proposal # 15: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 7
419 02/15/2002 12:47:24.430 SEV=7 IKEDBG/28 RPT=20 10.48.66.76 IKE SA Proposal # 1, Transform # 4 acceptable Matches global IKE entry # 16
420 02/15/2002 12:47:24.440 SEV=9 IKEDBG/0 RPT=3917 10.48.66.76 constructing ISA_SA for isakmp
421 02/15/2002 12:47:24.490 SEV=8 IKEDBG/0 RPT=3918 10.48.66.76 SENDING Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) ... total length : 80
423 02/15/2002 12:47:24.540 SEV=8 IKEDBG/0 RPT=3919 10.48.66.76 RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) ... total length : 152
425 02/15/2002 12:47:24.540 SEV=8 IKEDBG/0 RPT=3920 10.48.66.76 RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) ... total length : 152
427 02/15/2002 12:47:24.540 SEV=9 IKEDBG/0 RPT=3921 10.48.66.76 processing ke payload
428 02/15/2002 12:47:24.540 SEV=9 IKEDBG/0 RPT=3922 10.48.66.76 processing ISA_KE
429 02/15/2002 12:47:24.540 SEV=9 IKEDBG/1 RPT=104 10.48.66.76 processing nonce payload
430 02/15/2002 12:47:24.600 SEV=9 IKEDBG/0 RPT=3923 10.48.66.76 constructing ke payload
431 02/15/2002 12:47:24.600 SEV=9 IKEDBG/1 RPT=105 10.48.66.76 constructing nonce payload
432 02/15/2002 12:47:24.600 SEV=9 IKEDBG/0 RPT=3924 10.48.66.76 constructing certreq payload
433 02/15/2002 12:47:24.600 SEV=9 IKEDBG/0 RPT=3925 10.48.66.76 Using initiator's certreq payload data
434 02/15/2002 12:47:24.600 SEV=9 IKEDBG/46 RPT=61 10.48.66.76 constructing Cisco Unity VID payload
435 02/15/2002 12:47:24.600 SEV=9 IKEDBG/46 RPT=62 10.48.66.76 constructing xauth V6 VID payload
436 02/15/2002 12:47:24.600 SEV=9 IKEDBG/48 RPT=39 10.48.66.76 Send IOS VID
437 02/15/2002 12:47:24.600 SEV=9 IKEDBG/38 RPT=20 10.48.66.76 Constructing VPN 3000 spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
439 02/15/2002 12:47:24.600 SEV=9 IKEDBG/46 RPT=63 10.48.66.76 constructing VID payload
440 02/15/2002 12:47:24.600 SEV=9 IKEDBG/48 RPT=40 10.48.66.76 Send Altiga GW VID
441 02/15/2002 12:47:24.600 SEV=9 IKEDBG/0 RPT=3926 10.48.66.76 Generating keys for Responder...
442 02/15/2002 12:47:24.610 SEV=8 IKEDBG/0 RPT=3927 10.48.66.76 SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) ... total length : 229
445 02/15/2002 12:47:24.640 SEV=8 IKEDBG/0 RPT=3928 10.48.66.76 RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + CERT_REQ (7) + NONE (0) ... total length : 1186
448 02/15/2002 12:47:24.640 SEV=9 IKEDBG/1 RPT=106 10.48.66.76 Processing ID
449 02/15/2002 12:47:24.640 SEV=9 IKEDBG/0 RPT=3929 10.48.66.76 processing cert payload
450 02/15/2002 12:47:24.640 SEV=9 IKEDBG/1 RPT=107 10.48.66.76 processing RSA signature
451 02/15/2002 12:47:24.640 SEV=9 IKEDBG/0 RPT=3930 10.48.66.76 computing hash
452 02/15/2002 12:47:24.650 SEV=9 IKEDBG/0 RPT=3931 10.48.66.76 processing cert request payload
453 02/15/2002 12:47:24.650 SEV=9 IKEDBG/0 RPT=3932 10.48.66.76 Storing cert request payload for use in MM msg 4
454 02/15/2002 12:47:24.650 SEV=9 IKEDBG/23 RPT=20 10.48.66.76 Starting group lookup for peer 10.48.66.76
455 02/15/2002 12:47:24.650 SEV=9 IKE/21 RPT=12 10.48.66.76 No Group found by matching IP Address of Cert peer 10.48.66.76
456 02/15/2002 12:47:24.650 SEV=9 IKE/20 RPT=12 10.48.66.76 No Group found by matching OU(s) from ID payload: ou=sns,
457 02/15/2002 12:47:24.650 SEV=9 IKE/0 RPT=12 10.48.66.76 Group [VPNC_Base_Group] No Group name for IKE Cert session, defaulting to BASE GROUP
459 02/15/2002 12:47:24.750 SEV=7 IKEDBG/0 RPT=3933 10.48.66.76 Group [VPNC_Base_Group] Found Phase 1 Group (VPNC_Base_Group)
460 02/15/2002 12:47:24.750 SEV=7 IKEDBG/14 RPT=20 10.48.66.76 Group [VPNC_Base_Group] Authentication configured for Internal
461 02/15/2002 12:47:24.750 SEV=9 IKEDBG/19 RPT=20 10.48.66.76 Group [VPNC_Base_Group] IKEGetUserAttributes: default domain = fenetwork.com
462 02/15/2002 12:47:24.770 SEV=5 IKE/79 RPT=4 10.48.66.76 Group [VPNC_Base_Group] Validation of certificate successful (CN=my_name, SN=6102861F000000000005)
464 02/15/2002 12:47:24.770 SEV=7 IKEDBG/0 RPT=3934 10.48.66.76 Group [VPNC_Base_Group] peer ID type 9 received (DER_ASN1_DN)
465 02/15/2002 12:47:24.770 SEV=9 IKEDBG/1 RPT=108 10.48.66.76 Group [VPNC_Base_Group] constructing ID
466 02/15/2002 12:47:24.770 SEV=9 IKEDBG/0 RPT=3935 10.48.66.76 Group [VPNC_Base_Group] constructing cert payload
467 02/15/2002 12:47:24.770 SEV=9 IKEDBG/1 RPT=109 10.48.66.76 Group [VPNC_Base_Group] constructing RSA signature
468 02/15/2002 12:47:24.770 SEV=9 IKEDBG/0 RPT=3936 10.48.66.76 Group [VPNC_Base_Group] computing hash
469 02/15/2002 12:47:24.800 SEV=9 IKEDBG/46 RPT=64 10.48.66.76 Group [VPNC_Base_Group] constructing dpd vid payload
470 02/15/2002 12:47:24.800 SEV=8 IKEDBG/0 RPT=3937 10.48.66.76 SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + VENDOR (13) + NONE (0) ... total length : 1112
473 02/15/2002 12:47:24.800 SEV=4 IKE/119 RPT=4 10.48.66.76 Group [VPNC_Base_Group] PHASE 1 COMPLETED
474 02/15/2002 12:47:24.800 SEV=6 IKE/121 RPT=4 10.48.66.76 Keep-alive type for this connection: None
475 02/15/2002 12:47:24.800 SEV=6 IKE/122 RPT=4 10.48.66.76 Keep-alives configured on but peer does not support keep-alives (type = None)
476 02/15/2002 12:47:24.800 SEV=7 IKEDBG/0 RPT=3938 10.48.66.76 Group [VPNC_Base_Group] Starting phase 1 rekey timer: 21600000 (ms)
477 02/15/2002 12:47:24.810 SEV=8 IKEDBG/0 RPT=3939 10.48.66.76 RECEIVED Message (msgid=781ceadc) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) ... total length : 1108
480 02/15/2002 12:47:24.810 SEV=9 IKEDBG/0 RPT=3940 10.48.66.76 Group [VPNC_Base_Group] processing hash
481 02/15/2002 12:47:24.810 SEV=9 IKEDBG/0 RPT=3941 10.48.66.76 Group [VPNC_Base_Group] processing SA payload
482 02/15/2002 12:47:24.810 SEV=9 IKEDBG/1 RPT=110 10.48.66.76 Group [VPNC_Base_Group] processing nonce payload
483 02/15/2002 12:47:24.810 SEV=9 IKEDBG/1 RPT=111 10.48.66.76 Group [VPNC_Base_Group] Processing ID
484 02/15/2002 12:47:24.810 SEV=5 IKE/25 RPT=4 10.48.66.76 Group [VPNC_Base_Group] Received remote Proxy Host data in ID Payload: Address 10.48.66.76, Protocol 17, Port 1701
487 02/15/2002 12:47:24.810 SEV=9 IKEDBG/1 RPT=112 10.48.66.76 Group [VPNC_Base_Group] Processing ID
488 02/15/2002 12:47:24.810 SEV=5 IKE/24 RPT=4 10.48.66.76 Group [VPNC_Base_Group] Received local Proxy Host data in ID Payload: Address 10.48.66.109, Protocol 17, Port 0
491 02/15/2002 12:47:24.810 SEV=8 IKEDBG/0 RPT=3942 QM IsRekeyed old sa not found by addr
492 02/15/2002 12:47:24.810 SEV=5 IKE/66 RPT=4 10.48.66.76 Group [VPNC_Base_Group] IKE Remote Peer configured for SA: ESP-L2TP-TRANSPORT
493 02/15/2002 12:47:24.810 SEV=9 IKEDBG/0 RPT=3943 10.48.66.76 Group [VPNC_Base_Group] processing IPSEC SA
494 02/15/2002 12:47:24.810 SEV=7 IKEDBG/27 RPT=4 10.48.66.76 Group [VPNC_Base_Group] IPSec SA Proposal # 1, Transform # 1 acceptable
495 02/15/2002 12:47:24.810 SEV=7 IKEDBG/0 RPT=3944 10.48.66.76 Group [VPNC_Base_Group] IKE: requesting SPI!
496 02/15/2002 12:47:24.810 SEV=8 IKEDBG/6 RPT=4 IKE got SPI from key engine: SPI = 0x10d19e33
497 02/15/2002 12:47:24.810 SEV=9 IKEDBG/0 RPT=3945 10.48.66.76 Group [VPNC_Base_Group] oakley constucting quick mode
498 02/15/2002 12:47:24.810 SEV=9 IKEDBG/0 RPT=3946 10.48.66.76 Group [VPNC_Base_Group] constructing blank hash
499 02/15/2002 12:47:24.820 SEV=9 IKEDBG/0 RPT=3947 10.48.66.76 Group [VPNC_Base_Group] constructing ISA_SA for ipsec
500 02/15/2002 12:47:24.820 SEV=9 IKEDBG/1 RPT=113 10.48.66.76 Group [VPNC_Base_Group] constructing ipsec nonce payload
501 02/15/2002 12:47:24.820 SEV=9 IKEDBG/1 RPT=114 10.48.66.76 Group [VPNC_Base_Group] constructing proxy ID
502 02/15/2002 12:47:24.820 SEV=7 IKEDBG/0 RPT=3948 10.48.66.76 Group [VPNC_Base_Group] Transmitting Proxy Id: Remote host: 10.48.66.76 Protocol 17 Port 1701 Local host: 10.48.66.109 Protocol 17 Port 0
506 02/15/2002 12:47:24.820 SEV=9 IKEDBG/0 RPT=3949 10.48.66.76 Group [VPNC_Base_Group] constructing qm hash
507 02/15/2002 12:47:24.820 SEV=8 IKEDBG/0 RPT=3950 10.48.66.76 SENDING Message (msgid=781ceadc) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) ... total length : 156
510 02/15/2002 12:47:24.820 SEV=8 IKEDBG/0 RPT=3951 10.48.66.76 RECEIVED Message (msgid=781ceadc) with payloads : HDR + HASH (8) + NONE (0) ... total length : 48
512 02/15/2002 12:47:24.830 SEV=9 IKEDBG/0 RPT=3952 10.48.66.76 Group [VPNC_Base_Group] processing hash
513 02/15/2002 12:47:24.830 SEV=9 IKEDBG/0 RPT=3953 10.48.66.76 Group [VPNC_Base_Group] loading all IPSEC SAs
514 02/15/2002 12:47:24.830 SEV=9 IKEDBG/1 RPT=115 10.48.66.76 Group [VPNC_Base_Group] Generating Quick Mode Key!
515 02/15/2002 12:47:24.830 SEV=9 IKEDBG/1 RPT=116 10.48.66.76 Group [VPNC_Base_Group] Generating Quick Mode Key!
516 02/15/2002 12:47:24.830 SEV=7 IKEDBG/0 RPT=3954 10.48.66.76 Group [VPNC_Base_Group] Loading host: Dst: 10.48.66.109 Src: 10.48.66.76
517 02/15/2002 12:47:24.830 SEV=4 IKE/49 RPT=4 10.48.66.76 Group [VPNC_Base_Group] Security negotiation complete for User () Responder, Inbound SPI = 0x10d19e33, Outbound SPI = 0x15895ab9
520 02/15/2002 12:47:24.830 SEV=8 IKEDBG/7 RPT=4 IKE got a KEY_ADD msg for SA: SPI = 0x15895ab9
521 02/15/2002 12:47:24.830 SEV=8 IKEDBG/0 RPT=3955 pitcher: rcv KEY_UPDATE, spi 0x10d19e33
522 02/15/2002 12:47:24.830 SEV=4 IKE/120 RPT=4 10.48.66.76 Group [VPNC_Base_Group] PHASE 2 COMPLETED (msgid=781ceadc)
523 02/15/2002 12:47:24.840 SEV=8 IKEDBG/0 RPT=3956 pitcher: recv KEY_SA_ACTIVE spi 0x10d19e33
524 02/15/2002 12:47:24.840 SEV=8 IKEDBG/0 RPT=3957 KEY_SA_ACTIVE no old rekey centry found with new spi 0x10d19e33, mess_id 0x0
```
This section describes some common problems and how to troubleshoot each of them.
Unable to start the server.
Most likely the IPSec service is not started. Select Start > Programs > Administrative Tools > Services, and make sure the IPSEC Policy Agent service is enabled and running.
Error 786: No valid machine certificate.
This error indicates a problem with the certificate on the local machine. To view the certificates easily, select Start > Run and run MMC. Click Console and select Add/Remove Snap-in. Click Add and select Certificates from the list. When the window that asks for the certificate scope appears, select Computer account.
You can now verify that the certificate of the CA server is under Trusted Root Certification Authorities. You can also verify that you have a certificate by selecting Console Root > Certificates (Local Computer) > Personal > Certificates, as shown in this image.
Click the certificate and verify that everything is correct. In this example there is a private key associated with the certificate; however, the certificate has expired, which is the cause of the problem.
Error 792: Security negotiation timed out.
This message appears only after a rather long time.
Turn on the relevant debugs as explained in the Cisco VPN 3000 Concentrator FAQ and read them carefully. You should see output similar to this:
```
9337 02/15/2002 15:06:13.500 SEV=8 IKEDBG/0 RPT=7002 10.48.66.76 Phase 1 failure against global IKE proposal # 6: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
9340 02/15/2002 15:06:13.510 SEV=8 IKEDBG/0 RPT=7003 10.48.66.76 Phase 1 failure against global IKE proposal # 7: Mismatched attr types for class Auth Method: Rcv'd: RSA signature with Certificates Cfg'd: Preshared Key
9343 02/15/2002 15:06:13.510 SEV=8 IKEDBG/0 RPT=7004 10.48.66.76 Phase 1 failure against global IKE proposal # 8: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 7
9346 02/15/2002 15:06:13.510 SEV=7 IKEDBG/0 RPT=7005 10.48.66.76 All SA proposals found unacceptable
9347 02/15/2002 15:06:13.510 SEV=4 IKE/48 RPT=37 10.48.66.76 Error processing payload: Payload ID: 1
9348 02/15/2002 15:06:13.510 SEV=9 IKEDBG/0 RPT=7006 10.48.66.76 IKE SA MM:261e40dd terminating: flags 0x01000002, refcnt 0, tuncnt 0
9349 02/15/2002 15:06:13.510 SEV=9 IKEDBG/0 RPT=7007 sending delete message
```
This indicates that the IKE proposal is not configured correctly: the client offers Oakley Group 1 with RSA signature authentication, while every active proposal in the output is configured for a different DH group or for preshared keys, so none of them matches and the concentrator tears down the exchange. Verify the information in the Configure the IKE Proposal section of this document.
Error 789: The security layer encountered a processing error.
Turn on the relevant debugs as explained in the Cisco VPN 3000 Concentrator FAQ and read them carefully. You should see output similar to this:
```
11315 02/15/2002 15:36:32.030 SEV=8 IKEDBG/0 RPT=7686 Proposal # 1, Transform # 2, Type ESP, Id DES-CBC Parsing received transform: Phase 2 failure: Mismatched attr types for class Encapsulation: Rcv'd: Transport Cfg'd: Tunnel
11320 02/15/2002 15:36:32.030 SEV=5 IKEDBG/0 RPT=7687 AH proposal not supported
11321 02/15/2002 15:36:32.030 SEV=4 IKE/0 RPT=27 10.48.66.76 Group [VPNC_Base_Group] All IPSec SA proposals found unacceptable!
```
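The Error 792 and Error 789 captures, like the long successful capture earlier on this page, are read the same way: each Rcv'd value is what the Windows client put in its transform, each Cfg'd value is what the concentrator has in that proposal, and the one line that says "acceptable" names the entry that finally matched. The script below is an added example for this page, not code from the original document or from the concentrator; it splits a capture into events on the concentrator's event header, reconstructs per client transform what was offered and per proposal what is configured, and turns that into the conclusions a practitioner draws. The two embedded captures are excerpts of the page's own debug output, one event per line; the list of weak values in `WEAK` is the editor's.

```python
import re

# Excerpt of the successful capture on this page, one event per line. The concentrator
# prints an event header and then the message, sometimes over several lines; the splitter
# below keys on the header, so either layout parses.
SUCCESS_LOG = """\
324 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3886 10.48.66.76 Proposal # 1, Transform # 3, Type ISAKMP, Id IKE Parsing received transform: Phase 1 failure against global IKE proposal # 1: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
356 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3896 10.48.66.76 Phase 1 failure against global IKE proposal # 11: Mismatched attr types for class Hash Alg: Rcv'd: SHA Cfg'd: MD5
372 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3902 10.48.66.76 Proposal # 1, Transform # 4, Type ISAKMP, Id IKE Parsing received transform: Phase 1 failure against global IKE proposal # 1: Mismatched attr types for class DH Group: Rcv'd: Oakley Group 1 Cfg'd: Oakley Group 2
401 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3911 10.48.66.76 Phase 1 failure against global IKE proposal # 10: Mismatched attr types for class Encryption Alg: Rcv'd: DES-CBC Cfg'd: Triple-DES
404 02/15/2002 12:47:24.430 SEV=8 IKEDBG/0 RPT=3912 10.48.66.76 Phase 1 failure against global IKE proposal # 11: Mismatched attr types for class Auth Method: Rcv'd: RSA signature with Certificates Cfg'd: Preshared Key
419 02/15/2002 12:47:24.430 SEV=7 IKEDBG/28 RPT=20 10.48.66.76 IKE SA Proposal # 1, Transform # 4 acceptable Matches global IKE entry # 16
"""

# The Error 789 capture from this section (Phase 2 encapsulation mismatch).
ERROR_789_LOG = """\
11315 02/15/2002 15:36:32.030 SEV=8 IKEDBG/0 RPT=7686 Proposal # 1, Transform # 2, Type ESP, Id DES-CBC Parsing received transform: Phase 2 failure: Mismatched attr types for class Encapsulation: Rcv'd: Transport Cfg'd: Tunnel
11321 02/15/2002 15:36:32.030 SEV=4 IKE/0 RPT=27 10.48.66.76 Group [VPNC_Base_Group] All IPSec SA proposals found unacceptable!
"""

HEADER = re.compile(r"(\d+) \d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3} SEV=\d+ \S+ RPT=\d+")
TRANSFORM = re.compile(r"Proposal # (\d+), Transform # (\d+), Type (\w+)")
P1_MISMATCH = re.compile(r"Phase 1 failure against global IKE proposal # (\d+): "
                         r"Mismatched attr types for class ([\w ]+?): Rcv'd: (.+?) Cfg'd: (.+)$")
P2_MISMATCH = re.compile(r"Phase 2 failure: Mismatched attr types for class (\w+): Rcv'd: (\w+) Cfg'd: (\w+)")
ACCEPTED = re.compile(r"Transform # (\d+) acceptable Matches global IKE entry # (\d+)")
P1_REJECTED = re.compile(r"All SA proposals found unacceptable")
P2_REJECTED = re.compile(r"All IPSec SA proposals found unacceptable")
# Values that should not be accepted any more, even if the concentrator still offers them.
WEAK = {"Encryption Alg": {"DES-CBC"}, "Hash Alg": {"MD5"}, "DH Group": {"Oakley Group 1"}}

def split_events(text):
    """Yield (event number, message with whitespace collapsed) for each logged event."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield int(h.group(1)), " ".join(text[h.end():end].split())

def analyze(text):
    """Reconstruct what the client offered and what the concentrator has configured."""
    offered, configured, phase2 = {}, {}, []
    result = {"offered": offered, "configured": configured, "phase2": phase2,
              "accepted": None, "p1_rejected": False, "p2_rejected": False}
    transform = None
    for _, msg in split_events(text):
        t = TRANSFORM.search(msg)
        if t and t.group(3) == "ISAKMP":
            transform = int(t.group(2))           # later Phase 1 mismatches belong to this transform
        if (m := P1_MISMATCH.search(msg)) and transform is not None:
            prop, cls, rcvd, cfgd = int(m.group(1)), m.group(2), m.group(3), m.group(4)
            offered.setdefault(transform, {})[cls] = rcvd
            configured.setdefault(prop, {})[cls] = cfgd
        if m := P2_MISMATCH.search(msg):
            phase2.append(m.groups())
        if m := ACCEPTED.search(msg):
            result["accepted"] = (int(m.group(1)), int(m.group(2)))
        result["p1_rejected"] |= bool(P1_REJECTED.search(msg))
        result["p2_rejected"] |= bool(P2_REJECTED.search(msg))
    return result

def diagnose(summary):
    """The conclusions a practitioner draws from the capture, as plain strings."""
    notes = []
    if summary["accepted"]:
        t, entry = summary["accepted"]
        attrs = summary["offered"].get(t, {})
        notes.append(f"Phase 1 OK: client transform {t} matched IKE entry {entry}: "
                     + ", ".join(f"{k}={v}" for k, v in attrs.items()))
        notes += [f"  WEAK: entry {entry} accepts {k} {v}" for k, v in attrs.items() if v in WEAK.get(k, ())]
    elif summary["p1_rejected"]:
        notes.append("Phase 1 FAILED: no active IKE proposal matches any client transform (Error 792)")
        for t, attrs in sorted(summary["offered"].items()):
            notes.append(f"  client transform {t} offered " + ", ".join(f"{k}={v}" for k, v in attrs.items()))
    for cls, rcvd, cfgd in summary["phase2"]:
        notes.append(f"Phase 2 FAILED on {cls}: client sent {rcvd}, SA is configured for {cfgd}")
        if cls == "Encapsulation" and rcvd == "Transport":
            notes.append("  L2TP/IPSec needs a transport-mode SA (ESP-L2TP-TRANSPORT), not tunnel mode (Error 789)")
    return notes

if __name__ == "__main__":
    for capture in (SUCCESS_LOG, ERROR_789_LOG):
        print("\n".join(diagnose(analyze(capture))))
```

On the successful capture the script reports that transform 4 (Oakley Group 1, DES-CBC, RSA signature with certificates) matched IKE entry 16 and flags both the DES-CBC cipher and DH group 1 as weak: that is the IKE-for-win2k proposal this page configures, and it is what a Windows 2000 client of that era could negotiate, not what you would accept from a client today. On the Error 789 capture it reports that the client proposed transport-mode ESP while the selected SA is configured for tunnel mode, which is why the SA section above uses ESP-L2TP-TRANSPORT. Paste the full debug output (not just the excerpts) into `analyze` to get the complete per-proposal table.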
Versions used
Select Monitoring > System Status to view this output:
```
VPN Concentrator Type: 3005
Bootcode Rev: Altiga Networks/VPN Concentrator Version 2.2.int_9 Jan 19 2000 05:36:41
Software Rev: Cisco Systems, Inc./VPN 3000 Concentrator Version 3.5.Rel Nov 27 2001 13:35:16
Up For: 44:39:48
Up Since: 02/13/2002 15:49:59
RAM Size: 32 MB
```
Version | Release Date | Comments
---|---|---
1.0 | 19-Jan-2006 | Initial release