I am setting up an IPsec tunnel between a Linux system running Openswan and a Cisco ASA 5505. The strange thing is that the tunnel appears to come up (based on the screenshot below), but I cannot get traffic to cross it. I am wondering whether the problem is that the LAN on the Openswan system is a loopback interface.

In any case, the ASA side (2.2.2.2) has LAN 192.168.0.0/24, and the Openswan side (1.1.1.1) has LAN 172.16.255.1/32, which is a loopback interface on the Openswan system.

I get the following error and am fairly sure it is related to this line:
"L2L-IPSEC" #1: cannot respond to IPsec SA request because no connection is known for 172.16.255.1/32===1.1.1.1<1.1.1.1>[+S=C]:1/0...2.2.2.2<2.2.2.2>[+S=C]:1/0===192.168.0.0/24

"L2L-IPSEC" #1: initiating Main Mode
"L2L-IPSEC" #1: received Vendor ID payload [RFC 3947] method set to=109
"L2L-IPSEC" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
"L2L-IPSEC" #1: enabling possible NAT-traversal with method 4
"L2L-IPSEC" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"L2L-IPSEC" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"L2L-IPSEC" #1: received Vendor ID payload [Cisco-Unity]
"L2L-IPSEC" #1: received Vendor ID payload [XAUTH]
"L2L-IPSEC" #1: ignoring unknown Vendor ID payload [4fbc775ddcc5a56a715d9fb1a2c92d6a]
"L2L-IPSEC" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"L2L-IPSEC" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
"L2L-IPSEC" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"L2L-IPSEC" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"L2L-IPSEC" #1: received Vendor ID payload [Dead Peer Detection]
| protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
"L2L-IPSEC" #1: Main mode peer ID is ID_IPV4_ADDR: '68.99.157.15'
"L2L-IPSEC" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"L2L-IPSEC" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
"L2L-IPSEC" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:58792b0d proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
"L2L-IPSEC" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=58792b0d
"L2L-IPSEC" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"L2L-IPSEC" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6b58a97a <0x359aa18e xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"L2L-IPSEC" #1: the peer proposed: 172.16.255.1/32:0/0 -> 192.168.0.0/24:0/0
"L2L-IPSEC" #1: cannot respond to IPsec SA request because no connection is known for 172.16.255.1/32===1.1.1.1<1.1.1.1>[+S=C]:1/0...2.2.2.2<2.2.2.2>[+S=C]:1/0===192.168.0.0/24
"L2L-IPSEC" #1: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:500

Apr 08 2014 09:02:25: %ASA-3-713902: Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0xcc6e8cf8, mess id 0xd6971887)!
Apr 08 2014 09:02:25: %ASA-3-713902: Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Apr 08 2014 09:02:25: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside-cmap. Map Sequence Number = 40.

asa# show crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

asa# show crypto ipsec sa
interface: outside
Crypto map tag: outside-cmap, seq num: 40, local addr: 2.2.2.2
access-list VPN-TRAFFIC-VPS1 extended permit ip 192.168.0.0 255.255.255.0 host 172.16.255.1
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.255.1/255.255.255.255/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 529934CE
current inbound spi : CFD6928B
inbound esp sas:
spi: 0xCFD6928B (3486945931)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 917504, crypto-map: outside-cmap
sa timing: remaining key lifetime (kB/sec): (4374000/28735)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x529934CE (1385772238)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 917504, crypto-map: outside-cmap
sa timing: remaining key lifetime (kB/sec): (4374000/28735)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

auto lo
iface lo inet loopback

auto lo:1
iface lo:1 inet static
    address 172.16.255.1
    netmask 255.255.255.255

auto eth0
iface eth0 inet static
    address 1.1.1.1
    gateway 1.1.1.254
    netmask 255.255.255.0
    dns-nameservers 8.8.8.8 8.8.4.4

config setup
    listen=1.1.1.1
    dumpdir=/var/run/pluto
    nat_traversal=yes #pretty sure this isn't needed
    virtual_private=%v4:192.168.0.0/24
    oe=off
    protostack=netkey

conn L2L-IPSEC
    authby=secret #use shared secret
    auto=start #automatically start if detected
    type=tunnel #tunnel mode/not transport
    ###THIS SIDE###
    left=1.1.1.1
    leftsubnet=172.16.255.1/32
    leftsourceip=172.16.255.1
    ###PEER SIDE###
    right=2.2.2.2
    rightsubnet=192.168.0.0/24
    #phase 1 encryption-integrity-diffhellman
    keyexchange=ike
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    ikelifetime=86400s
    #phase 2 encryption-pfsgroup
    phase2=esp #esp for encryption | ah for authentication only
    phase2alg=aes256-sha1;modp1024
    pfs=no

crypto ipsec ikev1 transform-set vps1TS esp-aes-256 esp-sha-hmac
crypto map outside-cmap 40 match address VPN-TRAFFIC-VPS1
crypto map outside-cmap 40 set peer 1.1.1.1
crypto map outside-cmap 40 set ikev1 transform-set vps1TS
crypto map outside-cmap interface outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

access-list VPN-TRAFFIC-VPS1; 2 elements; name hash: 0xa6c3fa81
access-list VPN-TRAFFIC-VPS1 line 1 extended permit icmp object inside-network object vps1-network (hitcnt=3183) 0xed457442
access-list VPN-TRAFFIC-VPS1 line 1 extended permit icmp 192.168.0.0 255.255.255.0 host 172.16.255.1 (hitcnt=3183) 0xed457442
access-list VPN-TRAFFIC-VPS1 line 2 extended permit ip object inside-network object vps1-network (hitcnt=88) 0xbddc26cf
access-list VPN-TRAFFIC-VPS1 line 2 extended permit ip 192.168.0.0 255.255.255.0 host 172.16.255.1 (hitcnt=88) 0xbddc26cf

object network inside-network
subnet 192.168.0.0 255.255.255.0
object network vps1-network
subnet 172.16.255.1 255.255.255.255
nat (inside,outside) source static inside-network inside-network destination static vps1-network vps1-network

Posted on 2014-04-10 19:37:56
Actually, the problem seems to be on your Openswan server. These lines from the ASA output show that the firewall has never received any packets over the VPN:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

(from the "show ipsec sa" command)

Sorry, I don't know much (or anything at all) about Openswan, so I can't offer any advice. :(
Posted on 2014-05-15 15:34:15
It looks like you have added more debug output since I last looked. I don't know whether this is still a problem, but if it is, the issue is here:
"L2L-IPSEC" #1: the peer proposed: 172.16.255.1/32:0/0 -> 192.168.0.0/24:0/0
"L2L-IPSEC" #1: cannot respond to IPsec SA request because no connection is known for 172.16.255.1/32===1.1.1.1<1.1.1.1>[+S=C]:1/0...2.2.2.2<2.2.2.2>[+S=C]:1/0===192.168.0.0/24
"L2L-IPSEC" #1: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:500

This is from your Openswan output. It tells you that the configured "crypto domain" (or "interesting traffic", or whatever other such term) does not match. One side proposes one set of networks and the other side expects a different set.

It could also be a problem in the "identity" part on the two peers. I don't know how to check that in Openswan (or rather, how to check the configuration of the "identity" part), but on the ASA, if you are running IKEv1, you need to look for a line similar to "crypto identity" or potentially "crypto 8.4+ identity".
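The two answers point at two different checks: the first at the zero packet counters in the ASA's "show crypto ipsec sa" output, the second at a mismatch between the traffic selectors ("crypto domain") the two peers expect. The script below is an added example, not code from the thread, Openswan or Cisco; it parses constructed excerpts modelled on the outputs pasted in the question (the ASA SA counters and proxy identities, the Openswan conn section, the crypto-map ACL line and the pluto "the peer proposed" line), and reports both symptoms. The function names, the excerpts and the conn name "L2L-IPSEC" are taken from or modelled on the question; everything else is an assumption of this example.

```python
"""Diagnose the two symptoms discussed in the thread from pasted output.
Added example, not from the original thread; all inputs are constructed."""
import ipaddress
import re

# Constructed excerpt modelled on the 'show crypto ipsec sa' output in the question.
ASA_IPSEC_SA = """\
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.255.1/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed excerpt modelled on the Openswan ipsec.conf in the question.
IPSEC_CONF = """\
config setup
    protostack=netkey

conn L2L-IPSEC
    authby=secret #use shared secret
    left=1.1.1.1
    leftsubnet=172.16.255.1/32
    right=2.2.2.2
    rightsubnet=192.168.0.0/24
"""

# Constructed ACL line and pluto log line, as quoted in the thread.
ASA_ACL = ("access-list VPN-TRAFFIC-VPS1 extended permit ip "
           "192.168.0.0 255.255.255.0 host 172.16.255.1")
PLUTO_LINE = ('"L2L-IPSEC" #1: the peer proposed: '
              "172.16.255.1/32:0/0 -> 192.168.0.0/24:0/0")

PKT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
PROPOSED_RE = re.compile(r"the peer proposed: (\S+?):\S+ -> (\S+?):\S+")


def parse_counters(sa_text):
    """Encapsulated/decapsulated packet counters from 'show crypto ipsec sa'."""
    return {name: int(count) for name, count in PKT_RE.findall(sa_text)}


def parse_idents(sa_text):
    """The ASA's local/remote proxy identities as ip_network objects."""
    return {side: ipaddress.ip_network(f"{addr}/{mask}")
            for side, addr, mask in IDENT_RE.findall(sa_text)}


def parse_conn(conf_text, name):
    """leftsubnet/rightsubnet of the named conn section of an ipsec.conf."""
    subnets, current = {}, None
    for line in conf_text.splitlines():
        if not line.startswith((" ", "\t")):      # section header or blank line
            current = line.split(None, 1)[1].strip() if line.startswith("conn ") else None
            continue
        if current != name or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.split("#", 1)[0].strip()      # drop trailing comments
        if key.strip() in ("leftsubnet", "rightsubnet"):
            subnets[key.strip()] = ipaddress.ip_network(value)
    return subnets


def parse_acl(acl_line):
    """(source, destination) networks from an ASA extended 'permit <proto>' line."""
    tokens = acl_line.split()
    i, nets = tokens.index("permit") + 2, []     # skip 'permit' and the protocol
    while len(nets) < 2:
        if tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1] + "/32"))
            i += 2
        elif tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        else:
            nets.append(ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"))
            i += 2
    return nets[0], nets[1]


def diagnose(sa_text, conf_text, conn_name, acl_line, pluto_line):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    counters = parse_counters(sa_text)
    if counters.get("encaps", 0) == 0 and counters.get("decaps", 0) == 0:
        findings.append("ASA SA has never encapsulated or decapsulated a packet: "
                        "no traffic is reaching the tunnel from either side")
    idents = parse_idents(sa_text)
    conn = parse_conn(conf_text, conn_name)
    acl_src, acl_dst = parse_acl(acl_line)
    # The ASA's local network must be Openswan's rightsubnet, and vice versa.
    checks = [("ASA local ident", idents["local"], "rightsubnet"),
              ("ASA remote ident", idents["remote"], "leftsubnet"),
              ("ACL source", acl_src, "rightsubnet"),
              ("ACL destination", acl_dst, "leftsubnet")]
    for label, asa_net, key in checks:
        if asa_net != conn[key]:
            findings.append(f"selector mismatch: {label} {asa_net} "
                            f"vs Openswan {key} {conn[key]}")
    match = PROPOSED_RE.search(pluto_line)
    if match:
        proposed = tuple(ipaddress.ip_network(net) for net in match.groups())
        if proposed != (conn["leftsubnet"], conn["rightsubnet"]):
            findings.append(f"pluto proposal {proposed} differs from conn {conn_name}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(ASA_IPSEC_SA, IPSEC_CONF, "L2L-IPSEC", ASA_ACL, PLUTO_LINE):
        print(finding)
```

Run against the values in the thread, the only finding is the zero packet counters: the ACL, the ASA proxy identities, the conn subnets and the proposal pluto logged all describe the same pair of networks, which is consistent with the tunnel coming up but nothing being routed into it. If either rightsubnet or the ACL source were changed to a different network, the selector checks and the proposal comparison would each add their own finding.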
https://networkengineering.stackexchange.com/questions/7278