ASA5516 9.8(2) IKEv2 (no BGP) site-to-site connection to Azure fails

Network Engineering user
Asked on 2018-09-10 14:23:56

I have an Azure subscription with a virtual network; the gateway subnet is 172.26.0.0/27, and then I have some subnets such as 172.26.1.0/24, 172.26.2.0/24, 172.26.3.0/24, ...

On the router side, I have configured network objects for 172.26.0.0/27 and 172.26.1.0/24.

The local network is 10.0.0.0/8.

This is the configuration I used on the router to set up the site-to-site connection:

```
object network HQ-LAN
subnet 10.0.0.0 255.0.0.0
description The HQ LAN
object network AzureLabNet-LAN
subnet 172.26.1.0 255.255.255.0
description The Azure AzureLabNet LAN range
object network AzureLabNet-Gateway
subnet 172.26.0.0 255.255.255.224
object-group network AzureLabNet-network
description Azure AzureLabNet Virtual Network
network-object object AzureLabNet-LAN
network-object object AzureLabNet-Gateway
object-group network HQ-network
description HQ on-premises Network
network-object object HQ-LAN

access-list azure-vpn-acl extended permit ip object-group HQ-network object-group AzureLabNet-network log notifications
nat (LAN,INTERNET) source static HQ-network HQ-network destination static AzureLabNet-network AzureLabNet-network no-proxy-arp route-lookup

crypto ipsec ikev2 ipsec-proposal AZURE-TRANSFORM-2
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup

crypto map CRYPTO-MAP 1 match address azure-vpn-acl
crypto map CRYPTO-MAP 1 set peer 40.a.b.c
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal AZURE-TRANSFORM-2
crypto map CRYPTO-MAP 1 set ikev2 pre-shared-key ********
crypto map CRYPTO-MAP 1 set security-association lifetime seconds 3600
crypto map CRYPTO-MAP 1 set nat-t-disable
crypto map CRYPTO-MAP interface INTERNET

crypto ca trustpool policy

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28800

crypto ikev2 enable INTERNET

group-policy AzureGroupPolicy internal
group-policy AzureGroupPolicy attributes
vpn-tunnel-protocol ikev2

dynamic-access-policy-record DfltAccessPolicy
tunnel-group 40.a.b.c type ipsec-l2l
tunnel-group 40.a.b.c general-attributes
default-group-policy AzureGroupPolicy
tunnel-group 40.a.b.c ipsec-attributes
ikev2 remote-authentication pre-shared-key ********
ikev2 local-authentication pre-shared-key ********
no tunnel-group-map enable peer-ip
tunnel-group-map default-group 40.a.b.c

sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
```

The connection seems to get as far as setting up the IKEv2 tunnel, but the tunnel is then rejected with the following error:

```
751022                  Local:80.x.y.w:500 Remote:40.a.b.c:500 Username:40.a.b.c IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
```

While debugging, I found:

```
IKEv2-PROTO-2: (404): Processing IKE_AUTH message
IKEv2-PLAT-2: (404): Crypto Map: No proxy match on map CRYPTO-MAP seq 1
IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404): Received Policies:
ESP: Proposal 1: AES-GCM-256 Don't use ESN
ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 3: 3DES SHA96 Don't use ESN
ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 6: 3DES SHA256 Don't use ESN
IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404): Expected Policies:
IKEv2-PROTO-5: (404): Failed to verify the proposed policies
IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404):
```

And also:

```
IKEv2-PROTO-5: (237): SM Trace-> SA: I_SPI=8D624530AA96162A R_SPI=4A613765BD92DF8F (I) MsgID = 00000004 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-2: (237): Deleting SA
IKEv2-PROTO-1: session is not there in tree
IKEv2-PLAT-2:
CONNECTION STATUS: DOWN... peer: 40.a.b.c:500, phase1_id: 40.a.b.c
IKEv2-PLAT-2: (237): IKEv2 session deregistered from session manager. Reason: 6
IKEv2-PLAT-2: (237): session manager killed ikev2 tunnel. Reason: IKE Delete
IKEv2-PLAT-2: (237): PSH cleanup
IKEv2-PLAT-5: Active ike sa request deleted
IKEv2-PLAT-5: Decrement count for incoming active
IKEv2-PLAT-2: (404): Encrypt success status returned via ipc 1
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xAA15ED6E error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xFBC930C6 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xDA2A46C2 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x2EDA754D error FALSE
```

Update

Regarding the Azure side: the address space of the virtual network is 172.26.0.0/16, the gateway subnet is 172.26.0.0/27, and the subnets are 172.26.1.0/24, 172.26.2.0/24, 172.26.3.0/24, 172.26.4.0/24, 172.26.5.0/24, 172.26.6.0/24, 172.26.7.0/24, 172.26.8.0/24, 172.26.9.0/24, 172.26.10.0/24, 172.26.11.0/24. Currently I have only one VM, on 172.26.1.0/24, for testing the VPN (plus a large number of VMs spread across the other subnets).

Any suggestions on how to fix this site-to-site connection?

1 Answer

Network Engineering user

Accepted answer

Posted on 2018-09-11 16:13:18

I found a solution:

```
gateway# show crypto isa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:*****, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
********** 80.x.w.y/500                                   40.a.b.c/500                                         READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/3135 sec
Child sa: local selector  10.0.0.0/0 - 10.255.255.255/65535
          remote selector 172.26.1.0/0 - 172.26.1.255/65535
          ESP spi in/out: 0x********/0x********
```

Reading the list of Microsoft-validated VPN devices and device configuration guides on the page "About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections", in the Cisco row, next to IKEv2, I noticed an asterisk, and below the list I read the following.

Cisco version 8.4+ adds IKEv2 support and can connect to the Azure VPN gateway using a custom IPsec/IKE policy with the "UsePolicyBasedTrafficSelectors" option. Refer to this how-to article.

From this I understood that I had to set the UsePolicyBasedTrafficSelectors property and therefore create a custom IKE/IPsec policy, which I did on Azure with the following code:

```powershell
$RG          = "MyRG"
$ConnectionName = "STS-Azure-HQ"

$connection  = Get-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $RG

$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2 -SALifeTimeSeconds 3600 -SADataSizeKilobytes 2048

Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy
```

Then I reconfigured the ASA router to match the IKE/IPsec policy:

```
configure terminal
crypto ipsec ikev2 ipsec-proposal AZURE-TRANSFORM-2
 protocol esp encryption aes-256
 protocol esp integrity sha-256
 exit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 2
 prf sha256 sha
 lifetime seconds 28800
 exit
```

The sha256 sha for prf was my last change; I think it might also work with sha256 alone, but I haven't tried it yet.

Before that, I had also added all 12 Azure subnets to my ASA traffic selectors, which may have helped too.

```
object network AzureLabNet-Gateway
 subnet 172.26.0.0 255.255.224.0
 description The Azure Gateway range
 exit
object network AzureLabNet-LAN-1
 subnet 172.26.1.0 255.255.255.0
 description The Azure AzureLabNet LAN #1 range
 exit
object network AzureLabNet-LAN-2
 subnet 172.26.2.0 255.255.255.0
 description The Azure AzureLabNet LAN #2 range
 exit
object network AzureLabNet-LAN-3
 subnet 172.26.3.0 255.255.255.0
 description The Azure AzureLabNet LAN #3 range
 exit
object network AzureLabNet-LAN-4
 subnet 172.26.4.0 255.255.255.0
 description The Azure AzureLabNet LAN #4 range
 exit
object network AzureLabNet-LAN-5
 subnet 172.26.5.0 255.255.255.0
 description The Azure AzureLabNet LAN #5 range
 exit
object network AzureLabNet-LAN-6
 subnet 172.26.6.0 255.255.255.0
 description The Azure AzureLabNet LAN #6 range
 exit
object network AzureLabNet-LAN-7
 subnet 172.26.7.0 255.255.255.0
 description The Azure AzureLabNet LAN #7 range
 exit
object network AzureLabNet-LAN-8
 subnet 172.26.8.0 255.255.255.0
 description The Azure AzureLabNet LAN #8 range
 exit
object network AzureLabNet-LAN-9
 subnet 172.26.9.0 255.255.255.0
 description The Azure AzureLabNet LAN #9 range
 exit
object network AzureLabNet-LAN-10
 subnet 172.26.10.0 255.255.255.0
 description The Azure AzureLabNet LAN #10 range
 exit
object network AzureLabNet-LAN-11
 subnet 172.26.11.0 255.255.255.0
 description The Azure AzureLabNet LAN #11 range
 exit
object-group network AzureLabNet-network
 description Azure AzureLabNet Virtual Network
 network-object object AzureLabNet-LAN-1
 network-object object AzureLabNet-LAN-2
 network-object object AzureLabNet-LAN-3
 network-object object AzureLabNet-LAN-4
 network-object object AzureLabNet-LAN-5
 network-object object AzureLabNet-LAN-6
 network-object object AzureLabNet-LAN-7
 network-object object AzureLabNet-LAN-8
 network-object object AzureLabNet-LAN-9
 network-object object AzureLabNet-LAN-10
 network-object object AzureLabNet-LAN-11
 network-object object AzureLabNet-Gateway
exit
```
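As an added diagnostic example (not code from the original question or answer), the Python script below models the two checks behind the 751022 rejection above: it parses the rejection line and the "Received Policies" ESP proposals from the debug, then tests them against the question's crypto map ACL and ipsec-proposal. It shows that ESP proposal 4 already matched AZURE-TRANSFORM-2, so the failure was the 0.0.0.0/0 wildcard traffic selectors, which is exactly what UsePolicyBasedTrafficSelectors changes on the Azure side. The containment rule for selectors is a simplifying assumption, and the addresses in the sample line are constructed.

```python
import ipaddress
import re

# Constructed sample input, cut down from the debug output in the question.
REJECT_LINE = ("751022 Local:80.0.0.1:500 Remote:40.0.0.1:500 IKEv2 Tunnel rejected: "
               "Crypto Map Policy not found for remote traffic selector "
               "0.0.0.0/255.255.255.255/0/65535/0 local traffic selector "
               "0.0.0.0/255.255.255.255/0/65535/0!")
RECEIVED_POLICIES = ["ESP: Proposal 1: AES-GCM-256 Don't use ESN",
                     "ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN",
                     "ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN"]
# The policy-based crypto map from the question: ACL entries as (local, remote)
# prefixes, and AZURE-TRANSFORM-2 as aes-256 / sha-256.
CRYPTO_MAP_ACL = [("10.0.0.0/8", "172.26.1.0/24"), ("10.0.0.0/8", "172.26.0.0/27")]
IPSEC_PROPOSAL = ("AES-CBC-256", "SHA256")

# The ASA prints a selector as start-address/end-address/start-port/end-port/protocol.
TS_RE = re.compile(r"(local|remote) traffic selector (\S+?)/(\S+?)/\d+/\d+/\d+")

def parse_selectors(line):
    """Map 'local' and 'remote' to the (start, end) address range in the log line."""
    return {side: (start, end) for side, start, end in TS_RE.findall(line)}

def acl_entry_for(local_range, remote_range, acl=CRYPTO_MAP_ACL):
    """Return the first ACE whose prefixes fully contain both proposed ranges, else None.
    Assumption (simplified model): a crypto map only accepts selectors that fit inside
    one ACE, so the 0.0.0.0-255.255.255.255 wildcard never matches a specific entry."""
    for local_pfx, remote_pfx in acl:
        l_net, r_net = ipaddress.ip_network(local_pfx), ipaddress.ip_network(remote_pfx)
        if all(ipaddress.ip_address(a) in l_net for a in local_range) and \
           all(ipaddress.ip_address(a) in r_net for a in remote_range):
            return (local_pfx, remote_pfx)
    return None

def matching_esp_proposals(lines, configured=IPSEC_PROPOSAL):
    """Numbers of the received ESP proposals equal to the configured encryption/integrity pair."""
    hits = []
    for line in lines:
        m = re.search(r"Proposal (\d+): (\S+)(?: (SHA\w*))?", line)
        if m and (m.group(2), m.group(3)) == configured:
            hits.append(int(m.group(1)))
    return hits

def diagnose(reject_line, policy_lines):
    """Separate the two causes: no acceptable ESP proposal vs. selectors outside the ACL."""
    ts = parse_selectors(reject_line)
    esp_ok = matching_esp_proposals(policy_lines)
    ace = acl_entry_for(ts["local"], ts["remote"])
    verdict = ("no ESP proposal matches the ipsec-proposal" if not esp_ok
               else "selectors fit no crypto map ACE" if ace is None else "match")
    return {"esp_proposals_ok": esp_ok, "acl_entry": ace, "verdict": verdict}
```

Running `diagnose(REJECT_LINE, RECEIVED_POLICIES)` reports proposal 4 as acceptable and no matching ACE; feeding it the narrowed selectors from the answer's `show crypto isa` output (10.0.0.0-10.255.255.255 and 172.26.1.0-172.26.1.255) matches the first ACE.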
The original page content was provided by Network Engineering. Translation supported by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://networkengineering.stackexchange.com/questions/53140
