我正在尝试在 Cisco ASA 5510(7.0(5) 固件,IP 222.222.222.222)和 Watchguard X750e 防火墙(10.2 固件,IP 111.111.111.111)之间建立局域网到局域网 VPN。
第 1 阶段启动,但日志中出现消息“IKE 与远程对等端失去联系,正在删除连接”,并且 ASa 从未启动第 2 阶段配置。这可能是什么原因造成的?
日志和配置信息如下,抱歉,文本看起来有些难看:
从ASA端的日志来看:
Jun 12 2009 21:00:51: %ASA-3-713119: Group = 111.111.111.111, IP = 111.111.111.111, PHASE 1 COMPLETED
Jun 12 2009 21:00:51: %ASA-7-713121: IP = 111.111.111.111, Keep-alive type for this connection: DPD
Jun 12 2009 21:00:51: %ASA-7-713906: Group = 111.111.111.111, IP = 111.111.111.111, Starting phase 1 rekey timer: 64800000 (ms)
Jun 12 2009 21:00:52: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de1)
Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
Jun 12 2009 21:00:52: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=56732dee) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 12 2009 21:00:54: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de2)
Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
Jun 12 2009 21:00:54: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f3add2bd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 12 2009 21:00:54: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Jun 12 2009 21:00:56: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de3)
Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
Jun 12 2009 21:00:56: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f65762ed) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 12 2009 21:00:57: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Jun 12 2009 21:00:58: %ASA-3-713123: Group = 111.111.111.111, IP = 111.111.111.111, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
在守望者队结束时:
11:08:36 iked Drop negotiation to peer 222.222.222.222:500 due to phase 1 retry timeout msg_id="0203-5161" Debug
11:08:40 iked WARNING: Mismatched ID settings at peer 222.222.222.222:500 caused an authentication failure msg_id="0203-5156" Debug
11:08:40 iked Process 5/6 Msg : failed to process ID payload Debug
11:17:00 iked Process 5/6 Msg : failed to process ID payload 4 Debug
11:17:00 iked Process INFO_EXCHANGE : EncryptBit set before SA created Debug
11:17:00 iked Cannot process the inform message from 222.222.222.222:500 to 111.111.111.111 cookies i=9a3397be 0547688f r=1665ee71 2185bf5c msg_id="0203-5059" Debug
我们这边的配置如下:
object-group network REMOTENETWORK
network-object 215.12.34.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip 10.88.88.96 255.255.255.240 object-group REMOTENETWORK
access-list outside_cryptomap_100 extended permit ip 10.88.88.128 255.255.255.224 object-group REMOTENETWORK
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 111.111.111.111
crypto map outside_map 100 set transform-set ESP-3DES-SHA
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key SECRETKEY
第 1 阶段和第 2 阶段的远程 Watchguard 配置屏幕截图:
答案1
以下是有关 IKE SA 不匹配的一些提示的链接,可能会有所帮助(也包含一些需要查看的调试命令):
http://www.networkworld.com/subnets/cisco/1114-ch4-ipsec-vpn.html
答案2
您是否尝试过禁用 DPD?不同供应商之间的 DPD 可能效果一般... 两个设备都设置为使用主模式吗?反复检查设置...
答案3
您必须在第一阶段为网关 IP 提供一个 DNS 名称或 IP 地址。
输入IP地址,然后在其下方的下拉框中选择IP。