OK, I have a simple IPsec VPN setup with a Linux host that has a public IP address and a loopback interface 172.16.255.1. On the right side I have a Cisco ASA 5505 running 9.1. The problem is that the Cisco ASA shows "PHASE 2 COMPLETED" when debugging, so I know there is no conflict in my ISAKMP negotiation. But I get the following, which should indicate a network ACL mismatch, and I can't figure it out.
Apr 09 14:30:26 [IKEv1 DEBUG]Group = x.x.137.133, IP = x.x.137.133, IKE got a KEY_ADD msg for SA: SPI = 0x61af9f82
Apr 09 14:30:26 [IKEv1 DEBUG]Group = x.x.137.133, IP = x.x.137.133, Pitcher: received KEY_UPDATE, spi 0x95cad3f0
Apr 09 14:30:26 [IKEv1 DEBUG]Group = x.x.137.133, IP = x.x.137.133, Starting P2 rekey timer: 27360 seconds.
Apr 09 14:30:26 [IKEv1]Group = x.x.137.133, IP = x.x.137.133, PHASE 2 COMPLETED (msgid=0504e77c)
Apr 09 14:23:29 [IKEv1]Group = x.x.137.133, IP = x.x.137.133, Received non-routine Notify message: Invalid ID info (18)
On the Linux box running Openswan I see:
"L2L-IPSEC-CT" #1: the peer proposed: 172.16.255.1/32:0/0 -> 192.168.0.0/24:0/0
"L2L-IPSEC-CT" #1: cannot respond to IPsec SA request because no connection is known for 172.16.255.1/32===x.x.137.133<x.x.137.133>[+S=C]:1/0...x.x.157.15<x.x.157.15>[+S=C]:1/0===192.168.0.0/24
"L2L-IPSEC-CT" #1: sending encrypted notification INVALID_ID_INFORMATION to x.x.157.15:500
After some research it seems the problem lies with the proposed networks allowed across the tunnel. However, my configuration on both sides is identical.
Cisco config
access-list VPN-TRAFFIC-VPS1 line 1 extended permit icmp 192.168.0.0 255.255.255.0 host 172.16.255.1 (hitcnt=422) 0x150f2cfc
access-list VPN-TRAFFIC-VPS1 line 2 extended permit ip 192.168.0.0 255.255.255.0 host 172.16.255.1 (hitcnt=42) 0xfd98dbac
Openswan config
conn L2L-IPSEC-CT
    auto=start #automatically start if detected
    type=tunnel #tunnel mode/not transport
    compress=no
    ###THIS SIDE###
    left=x.x.137.133
    leftsubnet=172.16.255.1/32
    ###PEER SIDE###
    right=x.x.157.15
    rightsubnet=192.168.0.0/24
    #phase 1 encryption-integrity-diffhellman
    keyexchange=ike
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    ikelifetime=86400s
    authby=secret #use presharedkey
    #phase 2 encryption-pfsgroup
    phase2=esp #esp for encryption | ah for authentication only
    phase2alg=3des-md5;modp1024
    pfs=no
My test is a ping from 192.168.0.200 to 172.16.255.1; here is the output of show crypto ipsec sa:
asa(config)# show crypto ipsec sa
interface: outside
Crypto map tag: outside-cmap, seq num: 40, local addr: x.x.157.15
access-list VPN-TRAFFIC-VPS1 extended permit ip 192.168.0.0 255.255.255.0 host 172.16.255.1
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.255.1/255.255.255.255/0/0)
current_peer: x.x.137.133
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.157.15/0, remote crypto endpt.: x.x.137.133/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 61AF9F82
current inbound spi : 95CAD3F0
Openswan ipsec auto --status
000 "L2L-IPSEC-CT": 172.16.255.1/32===x.x.137.133<x.x.137.133>[+S=C]...x.x.157.15<x.x.157.15>[+S=C]===192.168.0.0/24; erouted; eroute owner: #4
000 "L2L-IPSEC-CT": myip=unset; hisip=unset;
000 "L2L-IPSEC-CT": ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "L2L-IPSEC-CT": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,24; interface: eth0;
000 "L2L-IPSEC-CT": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "L2L-IPSEC-CT": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2), AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "L2L-IPSEC-CT": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2), AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "L2L-IPSEC-CT": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "L2L-IPSEC-CT": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=-strict
000 "L2L-IPSEC-CT": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "L2L-IPSEC-CT": ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000
000 #4: "L2L-IPSEC-CT":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27518s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
000 #4: "L2L-IPSEC-CT" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
000 #3: "L2L-IPSEC-CT":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85221s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:admin initiate
I really don't know why this isn't working. Maybe I need a fresh pair of eyes, because I've been at this for three days! Argh!
Thanks for your help, Server Fault community!
PS: Is there any Openswan command that can be used to verify that the relevant subnets are being picked up by the Openswan tunnel?
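The question boils down to whether the Phase 2 traffic selectors (proxy IDs) on the two ends are mirror images of each other: Openswan's leftsubnet must equal the ASA's remote ident and its rightsubnet the ASA's local ident, exactly, not merely overlapping, or Openswan answers with INVALID_ID_INFORMATION as in the log above. The following script is an added example, not code from the question or from either project: it parses the connection line of `ipsec auto --status` and the ident lines of `show crypto ipsec sa` (both formats as quoted above) and reports any selector mismatch. The sample inputs are constructed, with documentation-range addresses standing in for the question's x.x.* values, and the second ASA sample deliberately carries a /24 remote ident to show what a mismatch looks like.

```python
import ipaddress
import re

# Constructed sample inputs, shaped like the outputs quoted in the question.
# Public addresses use documentation ranges in place of the question's x.x.* values.
OPENSWAN_STATUS = (
    '000 "L2L-IPSEC-CT": 172.16.255.1/32===203.0.113.133<203.0.113.133>[+S=C]'
    '...198.51.100.15<198.51.100.15>[+S=C]===192.168.0.0/24; erouted; eroute owner: #4\n'
    '000 "L2L-IPSEC-CT":     myip=unset; hisip=unset;\n'
)

ASA_SA_MATCHING = (
    '  local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)\n'
    '  remote ident (addr/mask/prot/port): (172.16.255.1/255.255.255.255/0/0)\n'
)

# Same output with a /24 remote identity: a selector that does not match the
# peer's /32 and would make Openswan reject the Quick Mode proposal.
ASA_SA_MISMATCHED = (
    '  local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)\n'
    '  remote ident (addr/mask/prot/port): (172.16.255.0/255.255.255.0/0/0)\n'
)

# "<leftsubnet>===<left>...<right>===<rightsubnet>;" as printed by ipsec auto --status
CONN_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)":\s+(?P<left>[\d.]+/\d+)===.*?===(?P<right>[\d.]+/\d+);',
    re.M,
)
# "local/remote ident (addr/mask/prot/port): (a.b.c.d/mask/proto/port)" from the ASA
IDENT_RE = re.compile(
    r'(?P<side>local|remote) ident \(addr/mask/prot/port\): '
    r'\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<proto>\d+)/(?P<port>\d+)\)'
)


def parse_openswan_conns(status_text):
    """Return {conn_name: (leftsubnet, rightsubnet)} from `ipsec auto --status` output."""
    conns = {}
    for m in CONN_RE.finditer(status_text):
        conns[m.group('conn')] = (
            ipaddress.ip_network(m.group('left')),
            ipaddress.ip_network(m.group('right')),
        )
    return conns


def parse_asa_idents(sa_text):
    """Return {'local': network, 'remote': network} from `show crypto ipsec sa` output."""
    idents = {}
    for m in IDENT_RE.finditer(sa_text):
        # The ASA prints a dotted mask; ip_network accepts "addr/dotted-mask" directly.
        idents[m.group('side')] = ipaddress.ip_network(
            f"{m.group('addr')}/{m.group('mask')}", strict=False)
    return idents


def selector_mismatches(openswan_side, asa_idents):
    """Compare both ends' Phase 2 selectors. The ASA's remote ident must equal
    Openswan's leftsubnet and its local ident Openswan's rightsubnet; an
    overlapping-but-different prefix still counts as a mismatch."""
    left, right = openswan_side
    problems = []
    if asa_idents.get('remote') != left:
        problems.append(
            f"ASA remote ident {asa_idents.get('remote')} != Openswan leftsubnet {left}")
    if asa_idents.get('local') != right:
        problems.append(
            f"ASA local ident {asa_idents.get('local')} != Openswan rightsubnet {right}")
    return problems


if __name__ == '__main__':
    conn = parse_openswan_conns(OPENSWAN_STATUS)['L2L-IPSEC-CT']
    for label, sa in (('matching', ASA_SA_MATCHING), ('mismatched', ASA_SA_MISMATCHED)):
        issues = selector_mismatches(conn, parse_asa_idents(sa))
        print(label, '->', issues or 'selectors agree')
```

In practice you would feed the script the real output of `ipsec auto --status` on the Openswan side and `show crypto ipsec sa` on the ASA; if it reports no mismatch while Openswan still logs "no connection is known for ...", the selectors themselves are consistent and the cause lies elsewhere, which is the situation the accepted answer below ends up in.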
Answer 1
OK, I believe I've got it.
So even though my Openswan box is not behind NAT and has a NIC with a public IP directly attached, I had to turn on NAT traversal. With that in mind, I had to add leftsourceip=172.16.255.1 to tell Openswan which source address to use when talking to the right side of the tunnel. The last thing I did was enable forceencaps. For whatever reason, after doing this the tunnel started working.
config setup
    listen=x.x.137.133
    nat_traversal=yes
    virtual_private=%v:172.16.255.1/32,192.168.0.0/24
    oe=off
    protostack=netkey
conn L2L-IPSEC-CT
    auto=start #automatically start if detected
    type=tunnel #tunnel mode/not transport
    compress=no
    ###THIS SIDE###
    left=x.x.137.133
    leftid=x.x.137.133
    leftsubnet=172.16.255.1/32
    leftsourceip=172.16.255.1
    ###PEER SIDE###
    right=x.x.157.15
    rightid=x.x.157.15
    rightsubnet=192.168.0.0/24
    #phase 1 encryption-integrity-diffhellman
    keyexchange=ike
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    ikelifetime=86400s
    authby=secret #use presharedkey
    #phase 2 encryption-pfsgroup
    phase2=esp #esp for encryption | ah for authentication only
    phase2alg=3des-md5;modp1024
    pfs=no
    forceencaps=yes