
Google to Cisco ASA crypto

Server Fault user
Asked on 2019-02-05 14:02:59
Answers: 1, Views: 427, Followers: 0, Votes: 0

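I am trying to set up an IPSec tunnel on a Cisco. In my routes on Google, I can see that only 172.0.99.0/24 and 172.0.100.0/24 should be routed through this tunnel.

Google seems to request that all traffic be routed through this tunnel.

Cisco log: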

%ASA-7-715047: Group = 35.234.136.243, IP = 35.234.136.243, processing hash payload
%ASA-7-715047: Group = 35.234.136.243, IP = 35.234.136.243, processing SA payload
%ASA-7-715047: Group = 35.234.136.243, IP = 35.234.136.243, processing nonce payload
%ASA-7-715047: Group = 35.234.136.243, IP = 35.234.136.243, processing ke payload
%ASA-7-713906: Group = 35.234.136.243, IP = 35.234.136.243, processing ISA_KE for PFS in phase 2
%ASA-7-715047: Group = 35.234.136.243, IP = 35.234.136.243, processing ID payload
%ASA-7-714011: Group = 35.234.136.243, IP = 35.234.136.243, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
%ASA-7-713035: Group = 35.234.136.243, IP = 35.234.136.243, Received remote IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
%ASA-7-715047: Group = 35.234.136.243, IP = 35.234.136.243, processing ID payload
%ASA-7-714011: Group = 35.234.136.243, IP = 35.234.136.243, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
%ASA-7-713034: Group = 35.234.136.243, IP = 35.234.136.243, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
%ASA-7-713906: Group = 35.234.136.243, IP = 35.234.136.243, QM IsRekeyed old sa not found by addr
%ASA-7-713221: Group = 35.234.136.243, IP = 35.234.136.243, Static Crypto Map check, checking map = outside_map, seq = 1...
%ASA-7-713222: Group = 35.234.136.243, IP = 35.234.136.243, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:0.0.0.0 dst:0.0.0.0
%6.243, processing ID payload
%ASA-7-714011: Group = 35.234.136.243, IP = 35.234.136.243, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0

The Google logs show that the connection is established, and then the Cisco sends a delete while Quick Mode is being established.

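1 Answer

Server Fault user

Posted on 2019-02-05 21:58:12

You are probably using a route-based tunnel in GCP, which by default advertises 0.0.0.0/0 as the interesting traffic or encryption domain. I suggest using a policy-based tunnel and advertising only 172.0.99.0/24 and 172.0.100.0/24 as needed.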

Votes: 1
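The mismatch discussed in this thread can be confirmed directly from the ASA debug output. The following is an added example, not part of the original question or answer: it parses the 713034/713035 proxy-ID messages and the 713222 crypto-map rejection and flags any proposed selector that is not contained in the two expected subnets. The function name `audit_proxy_ids` and the `ALLOWED` list are assumptions made for illustration; the sample lines are copied from the log in the question.

```python
import ipaddress
import re

# Sample input: three lines copied from the Cisco log quoted in the question.
SAMPLE_LOG = """\
%ASA-7-713035: Group = 35.234.136.243, IP = 35.234.136.243, Received remote IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
%ASA-7-713034: Group = 35.234.136.243, IP = 35.234.136.243, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
%ASA-7-713222: Group = 35.234.136.243, IP = 35.234.136.243, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:0.0.0.0 dst:0.0.0.0
"""

# Assumption: the only networks that should appear as tunnel selectors (from the question).
ALLOWED = [ipaddress.ip_network(n) for n in ("172.0.99.0/24", "172.0.100.0/24")]

PROXY_RE = re.compile(
    r"%ASA-7-71303[45]: Group = \S+, IP = (?P<peer>[\d.]+), Received (?P<side>local|remote) "
    r"IP Proxy Subnet data in ID Payload:\s+Address (?P<addr>[\d.]+), Mask (?P<mask>[\d.]+)")
REJECT_RE = re.compile(
    r"%ASA-7-713222: .*IP = (?P<peer>[\d.]+), .*map = (?P<map>\S+), seq = (?P<seq>\d+), "
    r"ACL does not match proxy IDs")


def audit_proxy_ids(log_text, allowed=ALLOWED):
    """Per peer: selectors proposed in Quick Mode, those outside `allowed`, crypto-map rejects."""
    report = {}

    def entry(peer):
        return report.setdefault(peer, {"proposed": {}, "too_broad": [], "rejects": []})

    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            # The ASA prints address and netmask; ipaddress accepts "addr/netmask" notation.
            net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}")
            entry(m["peer"])["proposed"][m["side"]] = net
            # A selector is acceptable only if it lies inside one of the allowed networks.
            if not any(net.subnet_of(a) for a in allowed):
                entry(m["peer"])["too_broad"].append((m["side"], str(net)))
            continue
        m = REJECT_RE.search(line)
        if m:
            entry(m["peer"])["rejects"].append((m["map"], int(m["seq"])))
    return report


if __name__ == "__main__":
    for peer, r in audit_proxy_ids(SAMPLE_LOG).items():
        print(peer, "too broad:", r["too_broad"], "rejected by:", r["rejects"])
```

A peer that shows both `too_broad` selectors and a `rejects` entry is proposing a wider encryption domain than the crypto map ACL permits, which matches the behaviour described in the answer.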
Original page content provided by Server Fault.
Original link:

https://serverfault.com/questions/952393
