Google Cloud VPN issue: Cisco ASA crypto map


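I am trying to set up an IPSec tunnel on a Cisco ASA. In the routes on Google, I can see that only 172.0.99.0/24 and 172.0.100.0/24 should be routed through this tunnel.

Google seems to require that all traffic be routed through this tunnel.

Cisco logs: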

%ASA-7-715047: Group = 35.234.136.243, IP = 35.234.136.243, processing hash payload
%ASA-7-715047: Group = 35.234.136.243, IP = 35.234.136.243, processing SA payload
%ASA-7-715047: Group = 35.234.136.243, IP = 35.234.136.243, processing nonce payload
%ASA-7-715047: Group = 35.234.136.243, IP = 35.234.136.243, processing ke payload
%ASA-7-713906: Group = 35.234.136.243, IP = 35.234.136.243, processing ISA_KE for PFS in phase 2
%ASA-7-715047: Group = 35.234.136.243, IP = 35.234.136.243, processing ID payload
%ASA-7-714011: Group = 35.234.136.243, IP = 35.234.136.243, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
%ASA-7-713035: Group = 35.234.136.243, IP = 35.234.136.243, Received remote IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
%ASA-7-715047: Group = 35.234.136.243, IP = 35.234.136.243, processing ID payload
%ASA-7-714011: Group = 35.234.136.243, IP = 35.234.136.243, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
%ASA-7-713034: Group = 35.234.136.243, IP = 35.234.136.243, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
%ASA-7-713906: Group = 35.234.136.243, IP = 35.234.136.243, QM IsRekeyed old sa not found by addr
%ASA-7-713221: Group = 35.234.136.243, IP = 35.234.136.243, Static Crypto Map check, checking map = outside_map, seq = 1...
%ASA-7-713222: Group = 35.234.136.243, IP = 35.234.136.243, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:0.0.0.0 dst:0.0.0.0
%6.243, processing ID payload
%ASA-7-714011: Group = 35.234.136.243, IP = 35.234.136.243, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0

The Google logs show that the connection is established, and then, when Quick Mode is established, the Cisco sends a delete.

Answer 1

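You are probably using a route-based tunnel in GCP, which by default advertises 0.0.0.0/0 as the interesting traffic or encryption domain. I suggest using a policy-based tunnel and advertising only 172.0.99.0/24 and 172.0.100.0/24 as needed.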
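The mismatch described in the answer can be confirmed directly from the ASA debug output. The following is an added example, not part of the original question or answer: it extracts the proxy IDs the peer proposed (messages 713035/713034) and the crypto map rejection (713222), then compares them with the selectors the crypto map ACL is expected to carry. The ACL contents are assumptions: the two 172.0.x.0/24 networks are taken as the ASA-side selectors and 10.0.0.0/24 is a placeholder for the GCP-side subnet.

```python
import ipaddress
import re

# Constructed sample: three debug lines in the format quoted in the question.
SAMPLE_LOG = """\
%ASA-7-713035: Group = 35.234.136.243, IP = 35.234.136.243, Received remote IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
%ASA-7-713034: Group = 35.234.136.243, IP = 35.234.136.243, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
%ASA-7-713222: Group = 35.234.136.243, IP = 35.234.136.243, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:0.0.0.0 dst:0.0.0.0
"""

# Assumed crypto map ACL (hypothetical): the two 172.0.x.0/24 networks as the
# ASA-side selectors and 10.0.0.0/24 as a placeholder for the GCP-side subnet.
ASSUMED_ACL = {"local": ["172.0.99.0/24", "172.0.100.0/24"], "remote": ["10.0.0.0/24"]}

PROXY_RE = re.compile(
    r"%ASA-7-71303[45]: Group = (?P<peer>[^,\s]+),.*?Received (?P<side>remote|local) "
    r"IP Proxy Subnet data in ID Payload:\s+Address (?P<addr>[\d.]+), Mask (?P<mask>[\d.]+)")
REJECT_RE = re.compile(
    r"%ASA-7-713222: Group = (?P<peer>[^,\s]+),.*?map = (?P<map>[^,\s]+), "
    r"seq = (?P<seq>\d+), ACL does not match proxy IDs")


def diagnose(log_text, acl):
    """Per peer: proposed proxy IDs absent from the ACL, and the crypto map that rejected them."""
    peers = {}
    for line in log_text.splitlines():
        proxy, reject = PROXY_RE.search(line), REJECT_RE.search(line)
        if not (proxy or reject):
            continue
        peer = (proxy or reject)["peer"]
        entry = peers.setdefault(peer, {"mismatches": [], "rejected_by": None})
        if proxy:
            net = ipaddress.ip_network(f"{proxy['addr']}/{proxy['mask']}", strict=False)
            allowed = {ipaddress.ip_network(n) for n in acl[proxy["side"]]}
            item = (proxy["side"], str(net))
            # Assumption of this example: a proposal must equal an ACL network exactly.
            if net not in allowed and item not in entry["mismatches"]:
                entry["mismatches"].append(item)
        else:
            entry["rejected_by"] = (reject["map"], int(reject["seq"]))
    return peers


if __name__ == "__main__":
    for peer, result in diagnose(SAMPLE_LOG, ASSUMED_ACL).items():
        print(peer, result)
```

A peer that shows `0.0.0.0/0` on both sides together with a `rejected_by` entry is proposing the wildcard selectors of a route-based tunnel against a crypto map whose ACL lists specific subnets.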
