I am trying to bring up a Site-to-Site VPN connection between AWS and a Cisco ASA, but the tunnel status shows "Down" and the message under the details section is "IPSEC IS DOWN". See the following tunnel log:
AWS tunnel is the IKE_SA initiator
AWS tunnel is sending request (id=0) for IKE_SA_INIT exchange
sending packet: from <tunnel ip> [UDP 500] to <CGW> [UDP 500] (304 bytes)
received packet: from <CGW> [UDP 500] to <tunnel ip> [UDP 500] (499 bytes)
AWS tunnel processed response (id=0) for IKE_SA_INIT exchange
AWS tunnel has selected proposals for Phase 1 SA
AWS tunnel detected NAT-T as enabled on local host and is sending keep-alive(s)
AWS tunnel detected NAT-T behind CGW / remote host
AWS tunnel is establishing Phase 2 CHILD_SA for CGW
AWS tunnel is sending request (id=1) for IKE_AUTH exchange
sending packet: from <tunnel ip> [UDP 4500] to <CGW> [UDP 4500] (256 bytes)
received packet: from <CGW> [UDP 4500] to <tunnel ip> [UDP 4500] (160 bytes)
AWS tunnel processed response (id=1) for IKE_AUTH exchange
AWS tunnel has successfully authenticated pre-shared key
sending packet: from <tunnel ip> [UDP 4500] to <CGW> [UDP 4500] (80 bytes)
And the same log lines keep repeating.
AWS Support has told us that the identity check failed, but we are not sure how to verify this. The customer suggested enabling "ipsecovernatt". How should we handle this? We would also like to know what changes need to be made on the AWS side so that the "nat_t_detected" value in the tunnel log is true.
Here is the log from the Cisco ASA side:
show vpn-sessiondb l2l
Index : 16777 IP Addr : ****
Protocol : IKEv2
Encryption : IKEv2: (1)AES256 Hashing : IKEv2: (1)SHA256
Bytes Tx : 0 Bytes Rx : 0
Login Time : 14:25:01 Tue Jun 27 2023
Duration : 0h:00m:19s
The customer says that IPsecOverNatT is not enabled on the AWS side, so the IPsec tunnel cannot come up.
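Added example (not part of the original question or answer): a small Python analyzer that walks the AWS tunnel log quoted above and reports the furthest IKEv2 milestone reached, whether NAT-T was detected on both sides and the switch from UDP 500 to UDP 4500 happened, and what to check next. The sample log is constructed from the lines in the question; the stage regexes, the "CHILD_SA established" wording and the hint text are this example's own assumptions about the log, not an AWS specification.

```python
"""Added example, not from the original post: classify how far an AWS
Site-to-Site VPN tunnel log got through the IKEv2 negotiation.

Stage names, regexes and the "established" wording are this example's own
assumptions about the log text, not an AWS specification."""
import re
from dataclasses import dataclass

# Constructed sample: the repeating block quoted in the question, with the
# <tunnel ip> / <CGW> placeholders kept as they appear there.
SAMPLE_LOG = """\
AWS tunnel is the IKE_SA initiator
AWS tunnel is sending request (id=0) for IKE_SA_INIT exchange
sending packet: from <tunnel ip> [UDP 500] to <CGW> [UDP 500] (304 bytes)
received packet: from <CGW> [UDP 500] to <tunnel ip> [UDP 500] (499 bytes)
AWS tunnel processed response (id=0) for IKE_SA_INIT exchange
AWS tunnel has selected proposals for Phase 1 SA
AWS tunnel detected NAT-T as enabled on local host and is sending keep-alive(s)
AWS tunnel detected NAT-T behind CGW / remote host
AWS tunnel is establishing Phase 2 CHILD_SA for CGW
AWS tunnel is sending request (id=1) for IKE_AUTH exchange
sending packet: from <tunnel ip> [UDP 4500] to <CGW> [UDP 4500] (256 bytes)
received packet: from <CGW> [UDP 4500] to <tunnel ip> [UDP 4500] (160 bytes)
AWS tunnel processed response (id=1) for IKE_AUTH exchange
AWS tunnel has successfully authenticated pre-shared key
sending packet: from <tunnel ip> [UDP 4500] to <CGW> [UDP 4500] (80 bytes)
"""
# Constructed healthy variant; the wording of the final line is assumed.
HEALTHY_LOG = SAMPLE_LOG + "AWS tunnel CHILD_SA established with CGW\n"

# IKEv2 milestones in the order a healthy tunnel passes through them.
STAGES = [
    ("IKE_SA_INIT sent",        re.compile(r"sending request .* IKE_SA_INIT")),
    ("IKE_SA_INIT answered",    re.compile(r"processed response .* IKE_SA_INIT")),
    ("Phase 1 proposal agreed", re.compile(r"selected proposals for Phase 1")),
    ("IKE_AUTH sent",           re.compile(r"sending request .* IKE_AUTH")),
    ("IKE_AUTH answered",       re.compile(r"processed response .* IKE_AUTH")),
    ("PSK authenticated",       re.compile(r"authenticated pre-shared key")),
    ("CHILD_SA established",    re.compile(r"CHILD_SA .*established")),
]
PACKET_RE = re.compile(r"^(?:sending|received) packet: .*?\[UDP (\d+)\] to .*?\[UDP (\d+)\]")

@dataclass
class TunnelReport:
    attempts: int          # how often the initiator restarted (log loops)
    last_stage: str        # furthest milestone reached
    nat_t_local: bool      # AWS side saw itself behind NAT-T
    nat_t_remote: bool     # AWS side saw the CGW behind NAT
    floated_to_4500: bool  # IKE moved from UDP 500 to UDP 4500 (RFC 7296 NAT-T)
    child_sa_up: bool      # Phase 2 completed

def analyze(log_text: str) -> TunnelReport:
    lines = [line.strip() for line in log_text.splitlines() if line.strip()]
    last = "(none)"
    for name, pattern in STAGES:            # ordered, so the last hit wins
        if any(pattern.search(line) for line in lines):
            last = name
    ports = set()
    for line in lines:
        m = PACKET_RE.match(line)
        if m:
            ports.update(m.groups())
    return TunnelReport(
        attempts=sum("is the IKE_SA initiator" in line for line in lines),
        last_stage=last,
        nat_t_local=any("NAT-T as enabled on local host" in line for line in lines),
        nat_t_remote=any("NAT-T behind CGW" in line for line in lines),
        floated_to_4500={"500", "4500"} <= ports,
        child_sa_up=(last == "CHILD_SA established"),
    )

# What to check next for each furthest milestone (this example's reading of IKEv2).
HINTS = {
    "(none)": "no IKE_SA_INIT sent: check the tunnel and CGW address configuration",
    "IKE_SA_INIT sent": "no IKE_SA_INIT reply: UDP 500 blocked or CGW not listening",
    "IKE_SA_INIT answered": "no Phase 1 proposal agreed: IKE policy mismatch",
    "Phase 1 proposal agreed": "log ends before IKE_AUTH: capture a longer log",
    "IKE_AUTH sent": "no IKE_AUTH reply: UDP 4500 (500 without NAT-T) blocked or dropped by CGW",
    "IKE_AUTH answered": "IKE_AUTH answered but PSK rejected: pre-shared key mismatch",
    "PSK authenticated": "PSK matched but no CHILD_SA followed: the failure is in the part of "
                         "IKE_AUTH after authentication (peer identity IDi or the first "
                         "CHILD_SA parameters carried in the same exchange), not NAT-T",
    "CHILD_SA established": "IKE and IPsec are up: check routing and traffic selectors",
}

def diagnose(report: TunnelReport) -> str:
    """Map the furthest milestone to what to check next."""
    return HINTS[report.last_stage]

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(r)
    print(diagnose(r))
```

Run against the log from the question, it reports that the PSK was accepted and that NAT-T is already detected on both ends (the packets move from UDP 500 to UDP 4500 right after detection), so the remaining failure sits in the part of IKE_AUTH that follows authentication, which is consistent with the identity check AWS Support mentioned and with the ASA session showing 0 bytes in both directions. On the ASA, `show crypto ikev2 sa` and `show crypto ipsec sa` show the same split between a negotiated IKE SA and a missing IPsec SA.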
Answer 1
On the Cisco ASA side: access the Cisco ASA CLI. Enter privileged EXEC mode: enable. Enter configuration mode: configure terminal. Enable IPsec over NAT traversal: crypto ikev2 ipsec-over-nat-t.
Save the configuration change: write memory or wr mem.
On the AWS side: open the AWS Management Console. Go to the "Virtual Private Gateways" section. Select the VGW associated with the VPN connection. Click "Actions" > "Edit". Enable NAT traversal: under "Enable NAT Traversal", select "Enable".