Strongswan 至 Cisco ASA

tag-icon tag-icon cisco ipsec strongswan
Strongswan 至 Cisco ASA

我在使用 IPsec 连接两个网络时遇到问题。一边是 Cisco ASA 55xx,另一边是 TP-Link 路由器,使用 Debian 8.3 和 StrongSwan,位于 NAT 后面。问题还在于我以某种方式在 TP-Link 端对网络进行了 NETMAP/SNAT。但即使没有这些规则,也不想建立连接。如何调试连接?

我的配置(ipsec.conf):

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret


conn intel
        left=3.3.3.3 #Actual IP of Debian is 192.168.1.238
        leftsubnet=192.168.1.0/24 #This should be NETMAP/SNAT
        leftfirewall=yes
        leftid=3.3.3.3 #external IP of TP-Link
        right=4.4.4.4 #external IP of ASA
        rightsubnet=172.29.106.0/24
        rightid=4.4.4.4
        auto=start
        ike=3des-sha1-modp1024
        esp=3des-sha1
        keyexchange=ikev2
        dpdaction=restart
        dpddelay=30s
        forceencaps=yes
        type=tunnel

然后我检查状态,它显示了几分钟,但一两分钟后 - “安全关联(0 个启动,0 个连接):”:

root@vpnServer:/var/log# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
  uptime: 35 seconds, since Feb 05 22:54:36 2016
  malloc: sbrk 2273280, mmap 0, used 316592, free 1956688
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  192.168.1.238
Connections:
    intel:  3.3.3.3...4.4.4.4  IKEv2, dpddelay=30s
    intel:   local:  [3.3.3.3] uses pre-shared key authentication
    intel:   remote: [4.4.4.4] uses pre-shared key authentication
    intel:   child:  192.168.1.0/24 === 172.29.106.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
    intel[1]: CONNECTING, 3.3.3.3[%any]...4.4.4.4[%any]
    intel[1]: IKEv2 SPIs: 34262c8ac359acf7_i* 0000000000000000_r
    intel[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

看起来它启动了阶段 1,但无法收到任何答复。TP-LINK 有 500 和 4500 端口转发到 Debian。ifconfig 是:

root@vpnServer:/etc# ifconfig
eth0      Link encap:Ethernet  HWaddr 14:da:e9:98:06:1e
          inet addr:192.168.1.238  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::16da:e9ff:fe98:61e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:620211 errors:0 dropped:2641 overruns:0 frame:0
          TX packets:16517 errors:0 dropped:0 overruns:0 carrier:3
          collisions:0 txqueuelen:1000
          RX bytes:227442404 (216.9 MiB)  TX bytes:6795053 (6.4 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:202 errors:0 dropped:0 overruns:0 frame:0
          TX packets:202 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:32939 (32.1 KiB)  TX bytes:32939 (32.1 KiB)

路由

root@vpnServer:/etc# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    1024   0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

iptables 允许一切

root@vpnServer:/var/log# iptables -nvL
Chain INPUT (policy ACCEPT 129 packets, 21866 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 46 packets, 5360 bytes)
 pkts bytes target     prot opt in     out     source               destination

由于某些原因,tcpdump 没有看到任何到 4.4.4.4 的请求。允许转发

root@vpnServer:/var/log# cat  /proc/sys/net/ipv4/ip_forward
1

我被这个问题难住了。任何帮助我都会很感激。

相关内容