
Author Topic: Problem with L2tp/IPSec VPN  (Read 280 times)


gnatsum

Problem with L2tp/IPSec VPN
« on: 24 October 2018, 16:03:14 »
Hello,

I have a problem with an L2TP/IPsec VPN on an ASA 5506X.

I set up the L2TP/IPsec VPN and created a user tester. The connection works, and I can reach the hosts I need to reach. Now I have created additional users, and they cannot connect. I am using the same Windows 10 PC; it works with the user tester, but not with any of the other newly created users. It seems the clients fail at the IP assignment.

User Tester:
Oct 24 15:14:45 172.16.1.46 %ASA-6-713172: Group = DefaultRAGroup, IP = 19x.xx.xxx.xx, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end   IS   behind a NAT device
Oct 24 15:14:45 172.16.1.46 %ASA-6-713905: Group = DefaultRAGroup, IP = 19x.xx.xxx.xx, Floating NAT-T from 19x.xx.xxx.xx port 500 to 19x.xx.xxx.xx port 4500
Oct 24 15:14:45 172.16.1.46 %ASA-5-713119: Group = DefaultRAGroup, IP = 19x.xx.xxx.xx, PHASE 1 COMPLETED
Oct 24 15:14:45 172.16.1.46 %ASA-3-713122: IP = 19x.xx.xxx.xx, Keep-alives configured on but peer does not support keep-alives (type = None)
Oct 24 15:14:45 172.16.1.46 %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x4B3CD91E) between 172.16.1.46 and 19x.xx.xxx.xx (user= DefaultRAGroup) has been created.
Oct 24 15:14:45 172.16.1.46 %ASA-5-713049: Group = DefaultRAGroup, IP = 19x.xx.xxx.xx, Security negotiation complete for User ()  Responder, Inbound SPI = 0xeecf4cfc, Outbound SPI = 0x4b3cd91e
Oct 24 15:14:45 172.16.1.46 %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0xEECF4CFC) between 172.16.1.46 and 19x.xx.xxx.xx (user= DefaultRAGroup) has been created.
Oct 24 15:14:45 172.16.1.46 %ASA-5-713120: Group = DefaultRAGroup, IP = 19x.xx.xxx.xx, PHASE 2 COMPLETED (msgid=00000001)
Oct 24 15:14:46 172.16.1.46 %ASA-6-302016: Teardown UDP connection 13521077 for outside:19x.xx.xxx.xx/1701 to identity:172.16.1.46/1701 duration 0:01:12 bytes 673
Oct 24 15:14:48 172.16.1.46 %ASA-6-302015: Built inbound UDP connection 13521364 for outside:19x.xx.xxx.xx/1701 (19x.xx.xxx.xx/1701) to identity:172.16.1.46/1701 (172.16.1.46/1701)
Oct 24 15:14:48 172.16.1.46 %ASA-6-734001: DAP: User tester, Addr 19x.xx.xxx.xx, Connection L2TP: The following DAP records were selected for this connection: DfltAccessPolicy
Oct 24 15:14:48 172.16.1.46 %ASA-6-603106: L2TP Tunnel created, tunnel_id is 78, remote_peer_ip is 19x.xx.xxx.xx, ppp_virtual_interface_id is 1, client_dynamic_ip is 10.10.10.1, username is *****
Oct 24 15:15:28 172.16.1.46 %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x6AE50BB4) between 172.16.1.46 and 19x.xx.xxx.xx (user= tester) has been created.
Oct 24 15:15:28 172.16.1.46 %ASA-5-713049: Group = DefaultRAGroup, Username = tester, IP = 19x.xx.xxx.xx, Security negotiation complete for User (tester)  Responder, Inbound SPI = 0x49f1afc7, Outbound SPI = 0x6ae50bb4
Oct 24 15:15:28 172.16.1.46 %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x49F1AFC7) between 172.16.1.46 and 19x.xx.xxx.xx (user= tester) has been created.
Oct 24 15:15:28 172.16.1.46 %ASA-5-713120: Group = DefaultRAGroup, Username = tester, IP = 19x.xx.xxx.xx, PHASE 2 COMPLETED (msgid=00000002)

Other users:
Oct 24 15:25:06 172.16.1.46 %ASA-6-713172: Group = DefaultRAGroup, IP = 19x.xx.xxx.xx, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end   IS   behind a NAT device
Oct 24 15:25:06 172.16.1.46 %ASA-6-713905: Group = DefaultRAGroup, IP = 19x.xx.xxx.xx, Floating NAT-T from 19x.xx.xxx.xx port 500 to 19x.xx.xxx.xx port 4500
Oct 24 15:25:06 172.16.1.46 %ASA-5-713119: Group = DefaultRAGroup, IP = 19x.xx.xxx.xx, PHASE 1 COMPLETED
Oct 24 15:25:06 172.16.1.46 %ASA-3-713122: IP = 19x.xx.xxx.xx, Keep-alives configured on but peer does not support keep-alives (type = None)
Oct 24 15:25:06 172.16.1.46 %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x32915C7C) between 172.16.1.46 and 19x.xx.xxx.xx (user= DefaultRAGroup) has been created.
Oct 24 15:25:06 172.16.1.46 %ASA-5-713049: Group = DefaultRAGroup, IP = 19x.xx.xxx.xx, Security negotiation complete for User ()  Responder, Inbound SPI = 0xa258b6a9, Outbound SPI = 0x32915c7c
Oct 24 15:25:06 172.16.1.46 %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0xA258B6A9) between 172.16.1.46 and 19x.xx.xxx.xx (user= DefaultRAGroup) has been created.
Oct 24 15:25:06 172.16.1.46 %ASA-5-713120: Group = DefaultRAGroup, IP = 19x.xx.xxx.xx, PHASE 2 COMPLETED (msgid=00000001)
Oct 24 15:25:07 172.16.1.46 %ASA-6-302015: Built inbound UDP connection 13523964 for outside:19x.xx.xxx.xx/1701 (19x.xx.xxx.xx/1701) to identity:172.16.1.46/1701 (172.16.1.46/1701)
Oct 24 15:25:07 172.16.1.46 %ASA-6-734001: DAP: User libra, Addr 19x.xx.xxx.xx, Connection L2TP: The following DAP records were selected for this connection: DfltAccessPolicy
Oct 24 15:25:07 172.16.1.46 %ASA-6-603106: L2TP Tunnel created, tunnel_id is 86, remote_peer_ip is 19x.xx.xxx.xx, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is *****
Oct 24 15:25:07 172.16.1.46 %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 86, remote_peer_ip = 19x.xx.xxx.xx
Oct 24 15:25:07 172.16.1.46 %ASA-6-602304: IPSEC: An outbound remote access SA (SPI= 0x32915C7C) between 172.16.1.46 and 19x.xx.xxx.xx (user= libra) has been deleted.
Oct 24 15:25:07 172.16.1.46 %ASA-6-602304: IPSEC: An inbound remote access SA (SPI= 0xA258B6A9) between 19x.xx.xxx.xx and 172.16.1.46 (user= libra) has been deleted.
Oct 24 15:25:07 172.16.1.46 %ASA-5-713259: Group = DefaultRAGroup, Username = libra, IP = 19x.xx.xxx.xx, Session is being torn down. Reason: User Requested
Oct 24 15:25:07 172.16.1.46 %ASA-4-113019: Group = DefaultRAGroup, Username = libra, IP = 19x.xx.xxx.xx, Session disconnected. Session Type: L2TPOverIPsecOverNatT, Duration: 0h:00m:01s, Bytes xmt: 1261, Bytes rcv: 2963, Reason: User Requested

Instead of an IP from the IP pool, the client is assigned 0.0.0.0 for the other users. Windows briefly shows connected and then disconnects immediately.

The users are configured identically.

username tester password xxx nt-encrypted privilege 0
username tester attributes
 vpn-group-policy DefaultRAGroup
 service-type remote-access
username libra password xxx nt-encrypted privilege 0
username libra attributes
 vpn-group-policy DefaultRAGroup
 service-type remote-access

Does anyone have an idea what could be causing this? Thanks in advance.

« Last edit: 25 October 2018, 08:30:37 by gnatsum »
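
A small triage script for the symptom in the logs above, added here as an example and not part of the original post: it pairs each ASA 603106 "L2TP Tunnel created" message with the preceding 734001 DAP line (603106 masks the username) and flags sessions whose client_dynamic_ip is 0.0.0.0. The sample lines are constructed after the post's log format, with a documentation address standing in for the redacted peer IP.

```python
import re

# Constructed sample modelled on the syslog lines in the post (peer IP is a
# documentation address, not a value from the thread).
SAMPLE = """\
Oct 24 15:14:48 172.16.1.46 %ASA-6-734001: DAP: User tester, Addr 198.51.100.7, Connection L2TP: The following DAP records were selected for this connection: DfltAccessPolicy
Oct 24 15:14:48 172.16.1.46 %ASA-6-603106: L2TP Tunnel created, tunnel_id is 78, remote_peer_ip is 198.51.100.7, ppp_virtual_interface_id is 1, client_dynamic_ip is 10.10.10.1, username is *****
Oct 24 15:25:07 172.16.1.46 %ASA-6-734001: DAP: User libra, Addr 198.51.100.7, Connection L2TP: The following DAP records were selected for this connection: DfltAccessPolicy
Oct 24 15:25:07 172.16.1.46 %ASA-6-603106: L2TP Tunnel created, tunnel_id is 86, remote_peer_ip is 198.51.100.7, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is *****
Oct 24 15:25:07 172.16.1.46 %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 86, remote_peer_ip = 198.51.100.7
"""

MSG = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ %ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")
DAP = re.compile(r"DAP: User (?P<user>\S+), Addr (?P<addr>[^,]+),")
CREATED = re.compile(r"tunnel_id is (?P<tid>\d+), remote_peer_ip is (?P<peer>[^,]+),"
                     r".*client_dynamic_ip is (?P<ip>[\d.]+)")
DELETED = re.compile(r"tunnel_id = (?P<tid>\d+), remote_peer_ip = (?P<peer>\S+)")


def l2tp_sessions(text):
    """Correlate 734001 (DAP user), 603106 (tunnel created) and 603107 (deleted)."""
    last_user = {}   # peer address -> user from the most recent 734001 line
    sessions = {}    # (peer, tunnel_id) -> session record
    for line in text.splitlines():
        m = MSG.match(line)
        if not m:
            continue
        mid, body = m["id"], m["body"]
        if mid == "734001" and (d := DAP.search(body)):
            last_user[d["addr"]] = d["user"]
        elif mid == "603106" and (c := CREATED.search(body)):
            # 603106 masks the username, so take it from the preceding DAP line.
            sessions[(c["peer"], c["tid"])] = {
                "user": last_user.get(c["peer"], "?"), "tunnel_id": int(c["tid"]),
                "client_ip": c["ip"], "created": m["ts"], "deleted": None}
        elif mid == "603107" and (x := DELETED.search(body)):
            if (s := sessions.get((x["peer"], x["tid"]))):
                s["deleted"] = m["ts"]
    return list(sessions.values())


def unassigned(sessions):
    """Sessions whose tunnel came up without a pool address (0.0.0.0)."""
    return [s for s in sessions if s["client_ip"] == "0.0.0.0"]


if __name__ == "__main__":
    for s in unassigned(l2tp_sessions(SAMPLE)):
        print(s["created"], s["user"], s["tunnel_id"], s["client_ip"], s["deleted"])
```

The patterns also accept the redacted `19x.xx.xxx.xx` peer value used in the post, so the original log excerpts can be fed in unchanged.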

Olek

Re: Problem with L2tp/IPSec VPN
« Reply #1 on: 29 November 2018, 12:22:26 »
Are there actually enough IPs available in the VPN local pool? Nothing else comes to mind right now....
