我正在使用 amazon ec2 linux 和 cisco asa 路由器建立站点到站点的 vpn 连接(请注意,我无法访问路由器,仅提供配置。)
CISCO ASA 配置:
Palisades Peer: xx.xx.xxx.xxx
Palisades Local: 6x.xx.xxx.2xx/29
Pre-Shared key: IKE v1 123456
No Device Certificates
Phase 1
IKE Policy
DH Group- 5
IKE Version- 1
Authentication: Pre-share
Hash: SHA
Encryption: 3DES
Lifetime 28800
Phase 2
Encryption- 3DES
Authentication- SHA1
PFS- Disabled
Keylife- 1800
IPSec Proposal ESP-DES-MD5
Perfect Forward Secrecy: Disable
我已经安装了 openswan。
配置 :
conn vpc-to-asa
type=tunnel
authby=secret
left=%defaultroute
leftid=xx.xx.xx.82
leftnexthop=%defaultroute
leftsubnet=200.3.2.0/24
right=xx.xx.xxx.xxx
rightsubnet=6x.xx.xxx.2xx/29
keyexchange=ike
ike=3des-sha;modp1536
ikelifetime=28800s
phase2=esp
phase2alg=3des-md5
aggrmode=no
keyingtries=3
rekey=no
salifetime=28800s
pfs=no
auto=start
完成上述配置后,我执行了以下命令:
service ipsec restart
ipsec auto --add vpc-to-asa
ipsec auto --up vpc-to-asa
当我运行 ipsec auto --up vpc-to-asa 命令时,出现此错误:
104 "vpc-to-asa" #2: STATE_MAIN_I1: initiate
003 "vpc-to-asa" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "vpc-to-asa" #2: ignoring Vendor ID payload [Cisco IKE Fragmentation]
003 "vpc-to-asa" #2: next payload type of ISAKMP NAT-D Payload has an unknown value: 130
032 "vpc-to-asa" #2: STATE_MAIN_I1: internal error
003 "vpc-to-asa" #2: discarding duplicate packet; already STATE_MAIN_I1
003 "vpc-to-asa" #2: discarding duplicate packet; already STATE_MAIN_I1
003 "vpc-to-asa" #2: discarding duplicate packet; already STATE_MAIN_I1
My tunnel is not up.
I Have tired this command ipsec auto --status output :
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 200.3.2.26
000 interface eth0/eth0 200.3.2.26
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 1 subnet: 200.3.2.0/24
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,3072} attrs={0,2,2048}
000
000 "vpc-to-asa": 200.3.2.0/24===200.3.2.26[<MY_SERVER_PUBLIC_IP>,+S=C]---200.3.2.1...REMOTE_VPN_PUBLIC_IP_ADDRESS<REMOTE_VPN_PUBLIC_IP_ADDRESS>[+S=C]===REMOTE_LOCAL_NETOWORK_IP/29; unrouted; eroute owner: #0
000 "vpc-to-asa": myip=unset; hisip=unset;
000 "vpc-to-asa": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "vpc-to-asa": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,29; interface: eth0;
000 "vpc-to-asa": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpc-to-asa": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5); flags=-strict
000 "vpc-to-asa": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)
000 "vpc-to-asa": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=-strict
000 "vpc-to-asa": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000
000
有谁能帮我解决这个问题。如何使用上述配置在 openswan 和 cisco asa 之间建立连接。