OpenSwan 和 Cisco ASA 之间的站点到站点配置

OpenSwan 和 Cisco ASA 之间的站点到站点配置

我正在使用 amazon ec2 linux 和 cisco asa 路由器建立站点到站点的 vpn 连接(请注意,我无法访问路由器,仅提供配置。)

CISCO ASA 配置:

    Palisades Peer:                 xx.xx.xxx.xxx

    Palisades Local:                 6x.xx.xxx.2xx/29

    Pre-Shared key:               IKE v1     123456   

    No Device Certificates
Phase 1    
    IKE Policy 
    DH Group- 5
    IKE Version- 1
    Authentication: Pre-share
    Hash:                      SHA
    Encryption:                3DES
    Lifetime                   28800
Phase 2

               Encryption- 3DES
                Authentication- SHA1
                PFS- Disabled
                Keylife- 1800
    IPSec Proposal             ESP-DES-MD5
    Perfect Forward Secrecy:   Disable

我已经安装了 openswan。

配置 :

conn vpc-to-asa
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=xx.xx.xx.82
        leftnexthop=%defaultroute
        leftsubnet=200.3.2.0/24
        right=xx.xx.xxx.xxx
        rightsubnet=6x.xx.xxx.2xx/29
        keyexchange=ike
        ike=3des-sha;modp1536
        ikelifetime=28800s
        phase2=esp
        phase2alg=3des-md5
        aggrmode=no
        keyingtries=3
        rekey=no
        salifetime=28800s
        pfs=no
        auto=start

完成上述配置后,我执行了以下命令:

service ipsec restart
ipsec auto --add vpc-to-asa
ipsec auto --up vpc-to-asa

当我运行 ipsec auto --up vpc-to-asa 命令时,出现此错误:

104 "vpc-to-asa" #2: STATE_MAIN_I1: initiate
003 "vpc-to-asa" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "vpc-to-asa" #2: ignoring Vendor ID payload [Cisco IKE Fragmentation]
003 "vpc-to-asa" #2: next payload type of ISAKMP NAT-D Payload has an unknown value: 130
032 "vpc-to-asa" #2: STATE_MAIN_I1: internal error
003 "vpc-to-asa" #2: discarding duplicate packet; already STATE_MAIN_I1
003 "vpc-to-asa" #2: discarding duplicate packet; already STATE_MAIN_I1
003 "vpc-to-asa" #2: discarding duplicate packet; already STATE_MAIN_I1
My tunnel is not up.

I Have tired this command ipsec auto --status output :

000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 200.3.2.26
000 interface eth0/eth0 200.3.2.26
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 1 subnet: 200.3.2.0/24
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,3072} attrs={0,2,2048}
000
000 "vpc-to-asa": 200.3.2.0/24===200.3.2.26[<MY_SERVER_PUBLIC_IP>,+S=C]---200.3.2.1...REMOTE_VPN_PUBLIC_IP_ADDRESS<REMOTE_VPN_PUBLIC_IP_ADDRESS>[+S=C]===REMOTE_LOCAL_NETOWORK_IP/29; unrouted; eroute owner: #0
000 "vpc-to-asa":     myip=unset; hisip=unset;
000 "vpc-to-asa":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "vpc-to-asa":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,29; interface: eth0;
000 "vpc-to-asa":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpc-to-asa":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5); flags=-strict
000 "vpc-to-asa":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)
000 "vpc-to-asa":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=-strict
000 "vpc-to-asa":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000
000

有谁能帮我解决这个问题。如何使用上述配置在 openswan 和 cisco asa 之间建立连接。

相关内容