我已建立一条 ikev2 隧道,从左侧的 ubuntu 盒子启动,使用 strongswan 连接到 cisco asa。使用 ASA 到 ASA 多个网络可行,但我无法使用 strongswan 实现。
#config setup
# strictcrlpolicy=yes
# uniqueids = no
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=yes
# Add connections here.
conn host2
left=8.8.8.8 #Changed from real for this example
leftsubnet=172.27.1.0/20
right=8.8.4.4 # changed
rightsubnet=192.168.1.0/24,192.168.2.0/24
ike=aes256-sha512-modp2048s256
esp=aes256-sha512
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
authby=secret
auto=add
keyexchange=ikev2
type=tunnel
连接后:ip xfm 策略
src 192.168.1.0/24 dst 8.8.8.8/32
dir fwd priority 185664
tmpl src 4.4.4.4 dst 8.8.8.8
proto esp reqid 1 mode tunnel
src 192.168.1.0/24 dst 8.8.8.8/32
dir in priority 185664
tmpl src 4.4.4.4 dst 8.8.8.8
proto esp reqid 1 mode tunnel
src 8.8.8.8/32 dst 192.168.1.0/24
dir out priority 185664
tmpl src 8.8.8.8 dst 4.4.4.4
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
$ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.13.0-37-generic, x86_64):
uptime: 119 seconds, since Mar 23 09:08:33 2018
malloc: sbrk 2297856, mmap 532480, used 1224384, free 1073472
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Listening IP addresses:
8.8.8.8
172.27.1.3
Connections:
host2: 8.8.8.8...4.4.4.4 IKEv2
host2: local: [8.8.8.8] uses pre-shared key authentication
host2: remote: [4.4.4.4] uses pre-shared key authentication
host2: child: 8.8.8.8/32 === 192.168.1.0/24 192.168.2.0/24
TUNNEL
Security Associations (1 up, 0 connecting):
host2[1]: ESTABLISHED 115 seconds ago, 8.8.8.8[8.8.8.8]...4.4.4.4[4.4.4.4]
host2[1]: IKEv2 SPIs: 1f4ce050e3e482ac_i* 35d68fd4c114ef25_r, pre-shared key reauthentication in 2 hours
host2[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048_256
host2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca77e9b9_i a6993362_o
host2{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
host2{1}: 8.8.8.8/32 === 192.168.2.0/24
连接成功后的 ASA:
asa-fw1# show crypto ipsec sa peer 8.8.4.4 | include ident
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.27.1.0/255.255.240.0/0/0)
两个 ASA 之间有一条不同的隧道:
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.252/0/0)
remote ident (addr/mask/prot/port) : (192.168.10.2/255.255.255.255/0/0)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.2/255.255.255.255/0/0)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.2/255.255.255.255/0/0)
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.2/255.255.255.255/0/0)
我也尝试过自行放置额外的正确子网,例如:
conn host2
left=8.8.8.8 #Changed from real for this example
leftsubnet=172.27.1.0/20
right=4.4.4.4 # changed
rightsubnet=192.168.1.0/24
ike=aes256-sha512-modp2048s256
esp=aes256-sha512
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
authby=secret
auto=add
keyexchange=ikev2
type=tunnel
conn host2-2
also=host2
rightsubnet=192.168.2.0/24
连接后:
$ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.13.0-37-generic, x86_64):
uptime: 52 seconds, since Mar 23 09:02:22 2018
malloc: sbrk 2293760, mmap 532480, used 1203936, free 1089824
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Listening IP addresses:
8.8.8.8
172.27.1.3
Connections:
host2: 8.8.8.8...4.4.4.4 IKEv2
host2: local: [8.8.8.8] uses pre-shared key authentication
host2: remote: [4.4.4.4] uses pre-shared key authentication
host2: child: 8.8.8.8/32 === 192.168.1.0/24 TUNNEL
host2-2: child: 8.8.8.8/32 === 192.168.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
host2[1]: ESTABLISHED 50 seconds ago,
8.8.8.8[8.8.8.8]...4.4.4.4[4.4.4.4]
host2[1]: IKEv2 SPIs: 98cf15596219b433_i* 8177dc2c8f0605d8_r, pre-shared key reauthentication in 2 hours
host2[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048_256
host2-2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ccc8bf25_i 1cec9278_o
host2-2{1}: AES_CBC_256/HMAC_SHA1_96, 336 bytes_i (4 pkts, 40s ago), 336 bytes_o (4 pkts, 40s ago), rekeying in 41 minutes
host2-2{1}: 8.8.8.8/32 === 192.168.2.0/24
和 ip xfrm 策略:
src 192.168.2.0/24 dst 8.8.8.8/32
dir fwd priority 185664
tmpl src 4.4.4.4 dst 8.8.8.8
proto esp reqid 1 mode tunnel
src 192.168.2.0/24 dst 8.8.8.8/32
dir in priority 185664
tmpl src 4.4.4.4 dst 8.8.8.8
proto esp reqid 1 mode tunnel
src 8.8.8.8/32 dst 192.168.2.0/24
dir out priority 185664
tmpl src 8.8.8.8 dst 4.4.4.4
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
使用上述方法时,我可以访问 192.168.2.0,但不能再访问 192.168.1.0
不管,xfrm 策略都是一样的,我只能访问 192.168.2.0/24
我尝试过向子网生成流量,但没有成功。有人能帮我确定为什么我只能访问右侧的一个远程子网吗?
答案1
答案很简单,思科 ASA不支持每个 CHILD_SA 有多个流量选择器。因此,您必须针对要建立隧道的每种本地和远程子网组合协商单独的 CHILD_SA。也就是说,类似于:
conn host2
...
rightsubnet=192.168.1.0/24
...
conn host2-2
also=host2
rightsubnet=192.168.2.0/24
conn host2-3
also=host2
rightsubnet=192.168.3.0/24