Vpn
Strongswan - Cisco ASA transaction request fails
I am trying to set up an S2S VPN between Ubuntu StrongSwan (in Azure) and a Cisco ASA at a client site.
Currently using ikev1 (Cisco will not support v2 for a few months), and it seems to get stuck generating a transaction that the Cisco never replies to.
Cisco config
crypto map outside_map 56 match address xodia_56_cryptomap
crypto map outside_map 56 set pfs
crypto map outside_map 56 set peer 23.99.58.75
crypto map outside_map 56 set transform-set ESP-AES-256-SHA
crypto map outside_map 56 set nat-t-disable
tunnel-group 23.99.58.75 type ipsec-l2l
tunnel-group 23.99.58.75 ipsec-attributes
 pre-shared-key *****
network-object host 10.110.120.10
network-object host 10.110.121.10
access-list xodia_56_cryptomap extended permit ip object-group DM_INLINE_NETWORK_86 object-group GROUP1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
strongSwan
closeaction=clear
keyexchange=ikev1
dpdaction=clear
leftsourceip=%config
esp=aes256-modp1024
ike=aes-sha-modp1024
reauth=no
mobike=no
ikelifetime=86400s
keylife=86400s
keyingtries=%forever
authby=secret
left=%any #23.99.58.75
leftid=@local
leftfirewall=no
leftsubnet=10.110.120.10/32
right=xx.xx.xx.xx
rightid=xx.xx.xx.xx
rightsubnet=192.168.0.0/24
auto=start
ipsec.secrets not shown - it gets through the auth part
StrongSwan debug (charondebug="ike 4, knl 2, cfg 2")
[IKE] IKE_SA azure[1] state change: CONNECTING => ESTABLISHED
[IKE] scheduling rekeying in 85436s
[IKE] maximum IKE_SA lifetime 85976s
[IKE] queueing MODE_CONFIG task
[IKE] activating new tasks
[IKE] activating MODE_CONFIG task
[IKE] Hash => 20 bytes @ 0x5603d8dc2000
[ENC] generating TRANSACTION request 1632003282 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
[IKE] next IV for MID 1632003282 => 16 bytes @ 0x5603d8dc1440
[IKE] 0: 11 59 2E E1 00 9A 13 5D 39 54 FF F8 05 8B BF 19 .Y.....]9T......
[IKE] next IV for MID 1632003282 => 16 bytes @ 0x5603d8dc1a60
[IKE] 0: 32 F5 3A 90 1C 85 58 B6 00 5F 63 20 AC 0B 38 7F 2.:...X.._c ..8.
[NET] sending packet: from 10.110.120.10[500] to xx.xx.xx.xx[500] (92 bytes)
[IKE] sending retransmit 1 of request message ID 1632003282, seq 4
[NET] sending packet: from 10.110.120.10[500] to xx.xx.xx.xx[500] (92 bytes)
[IKE] sending retransmit 2 of request message ID 1632003282, seq 4
[NET] sending packet: from 10.110.120.10[500] to xx.xx.xx.xx[500] (92 bytes)
And finally the network trace
20:15:34.541555 IP 10.110.120.10.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
20:15:34.619380 IP xx.xx.xx.xx.500 > 10.110.120.10.500: isakmp: phase 1 R ident
20:15:34.620326 IP 10.110.120.10.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
20:15:34.698551 IP xx.xx.xx.xx.500 > 10.110.120.10.500: isakmp: phase 1 R ident
20:15:34.699464 IP 10.110.120.10.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident[E]
20:15:34.777798 IP xx.xx.xx.xx.500 > 10.110.120.10.500: isakmp: phase 2/others ? inf[E]
20:15:34.777806 IP xx.xx.xx.xx.500 > 10.110.120.10.500: isakmp: phase 1 R ident[E]
20:15:34.778195 IP 10.110.120.10.500 > xx.xx.xx.xx.500: isakmp: phase 2/others I #6[E]
20:15:38.778508 IP 10.110.120.10.500 > xx.xx.xx.xx.500: isakmp: phase 2/others I #6[E]
20:15:45.978860 IP 10.110.120.10.500 > xx.xx.xx.xx.500: isakmp: phase 2/others I #6[E]
The Cisco box probably does not expect a mode config exchange (i.e. the TRANSACTION exchange that strongSwan initiates). So try removing leftsourceip=%config.
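As an added example (not part of the original question or answer), the script below shows how to confirm the diagnosis from the two artefacts the question provides: it parses a conn block to detect the combination that makes an IKEv1 initiator run a MODE_CONFIG TRANSACTION exchange (leftsourceip set on a conn that also has a fixed rightsubnet, i.e. a site-to-site tunnel), and it walks charon's log to find TRANSACTION requests that were retransmitted without a reply. The conn text and log lines are constructed from the settings and messages in the question; the "parsed TRANSACTION response <id>" line used to recognise a reply is the shape charon normally logs and is an assumption here.

```python
"""Added example, not code from the question or from strongSwan:
flag an unanswered IKEv1 MODE_CONFIG/TRANSACTION exchange."""
import re

# Constructed sample: the conn settings from the question, ipsec.conf style.
SAMPLE_CONN = """conn azure
    keyexchange=ikev1
    leftsourceip=%config
    left=%any #23.99.58.75
    leftsubnet=10.110.120.10/32
    right=xx.xx.xx.xx
    rightsubnet=192.168.0.0/24
    auto=start
"""

# Constructed sample: charon log lines abbreviated from the question.
SAMPLE_LOG = """[IKE] IKE_SA azure[1] state change: CONNECTING => ESTABLISHED
[IKE] activating MODE_CONFIG task
[ENC] generating TRANSACTION request 1632003282 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
[NET] sending packet: from 10.110.120.10[500] to xx.xx.xx.xx[500] (92 bytes)
[IKE] sending retransmit 1 of request message ID 1632003282, seq 4
[NET] sending packet: from 10.110.120.10[500] to xx.xx.xx.xx[500] (92 bytes)
[IKE] sending retransmit 2 of request message ID 1632003282, seq 4
[NET] sending packet: from 10.110.120.10[500] to xx.xx.xx.xx[500] (92 bytes)
"""

def parse_conn(text):
    """Parse one ipsec.conf conn block into a dict of key=value settings."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop inline comments
        if "=" in line and not line.startswith("conn"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def conn_requests_mode_config(settings):
    """True when the conn will make the IKEv1 initiator start a MODE_CONFIG
    TRANSACTION after phase 1: leftsourceip asks the peer for a virtual IP,
    which a crypto-map (site-to-site) peer is not set up to hand out."""
    return (settings.get("keyexchange") == "ikev1"
            and "leftsourceip" in settings
            and "rightsubnet" in settings)

RE_REQ = re.compile(r"generating TRANSACTION request (\d+)")
RE_RETRANS = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
# Assumed reply format, in the style of charon's other "parsed ... response" lines.
RE_RESP = re.compile(r"parsed TRANSACTION response (\d+)")

def unanswered_transactions(log):
    """Return {message_id: retransmit_count} for every TRANSACTION request
    that never received a matching response anywhere in the log."""
    pending = {}
    for line in log.splitlines():
        if m := RE_REQ.search(line):
            pending[m.group(1)] = 0
        elif m := RE_RETRANS.search(line):
            if m.group(2) in pending:
                pending[m.group(2)] = int(m.group(1))
        elif m := RE_RESP.search(line):
            pending.pop(m.group(1), None)
    return pending

def diagnose(conn_text, log):
    """Combine both checks; on a match return the conn without leftsourceip."""
    settings = parse_conn(conn_text)
    stalled = unanswered_transactions(log)
    if conn_requests_mode_config(settings) and stalled:
        fixed = {k: v for k, v in settings.items() if k != "leftsourceip"}
        return "remove leftsourceip", stalled, fixed
    return "no mode-config stall found", stalled, settings

if __name__ == "__main__":
    verdict, stalled, fixed = diagnose(SAMPLE_CONN, SAMPLE_LOG)
    print(verdict, stalled)
    for key, value in fixed.items():
        print(f"    {key}={value}")
```

Run it against your own `ipsec.conf` conn block and `charon` log to see whether the stalled message ID is a TRANSACTION (mode config) request; once leftsourceip is gone the MODE_CONFIG task is never queued, so the IKE_SA goes straight to QUICK_MODE for the leftsubnet/rightsubnet pair.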