CiscoAsa9.0与IPSec 4.4之间的IPSec站点间VPN

Question

问题是以ASA作为发起者的ikeV2身份验证。

对于下面的经验，我在ASA上设置了下面的PSKs：local: 123, remote: 321

如果ASA是发起者的话：

现在，ipsec.secrets中的几个组合在StrongSwan端：

左123号右321号

ASA:Auth exchange failed

SWAN: tried 1 shared key for '%any' - 'XXX', but MAC mismatched

左123号右123号

ASA:Failed to authenticate the IKE SA

charon: 11[IKE] authentication of 'a with pre-shared key successful
charon: 11[IKE] authentication of 'b' (myself) with pre-shared key
charon: 11[IKE] IKE_SA x[1] established between b[b]...a[a]

左321右123 (应该是工作的)

ASA:Failed to authenticate the IKE SA

charon: 08[IKE] authentication of 'a' with pre-shared key successful
charon: 08[IKE] authentication of 'b' (myself) with pre-shared key
charon: 08[IKE] x[1] established between b[b]...a[a]

左321号右321号

ASA: Auth exchange failed

SWAN: ... but MAC mismatched

，如果我在每一侧设置两个PSKs，那么一切都正常.

顺便说一句，IKEv2有两个不同的PSKs，到底有什么意义？

在无法连接时，ASA调试将显示以下内容：

REAL Decrypted packet:Data: 8 bytes
IKEv2-PROTO-5: Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED

现在以StrongSwan为发起者：(ASA仍然是local: 123, remote: 321)

左123右321

SWAN ok

ASA ok

左123号右123号

SWAN: received AUTHENTICATION_FAILED notify error

ASA: Failed to authenticate the IKE SA

左321右123 (应该是工作的)

SWAN: received AUTHENTICATION_FAILED notify error

ASA: Failed to authenticate the IKE SA

左321右321

SWAN ok

ASA ok

这是圆天鹅餐厅

# cat /var/lib/strongswan/ipsec.conf.inc

conn TEST
 left=l
 leftsubnet=n/24
 leftid=l
 leftfirewall=yes
 right=r
 rightsubnet=n/24
 rightid=r
 auto=add # or start
 ike=aes256-sha512-modp1024
 esp=aes256-sha1
 keyexchange=ikev2
        authby=secret

这是ASA餐厅，标准的东西

tunnel-group x type ipsec-l2l
tunnel-group x general-attributes
 default-group-policy VPN_x_GP
tunnel-group x ipsec-attributes
 ikev2 remote-authentication pre-shared-key 321
 ikev2 local-authentication pre-shared-key 123
group-policy VPN_x_GP internal
group-policy VPN_x_GP attributes
 vpn-filter value ACL_VPN_x
 vpn-tunnel-protocol ikev2
crypto ipsec ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map internet_crypto_map 1 match address internet_cryptomap
crypto map internet_crypto_map 1 set pfs
crypto map internet_crypto_map 1 set peer x
crypto map internet_crypto_map 1 set ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
crypto map internet_crypto_map interface outside
crypto ikev2 policy 999
 encryption aes-256
 integrity sha512
 group 2
 prf sha512
 lifetime seconds 86400
crypto ikev2 policy 1000
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

ipsec.secrets

left : PSK "321"
right : PSK "123"

虽然我目前怀疑这是不完全正确的，但我相信这是针对ikev1的，但是我没有找到太多关于ikev2 (多PSKs)的文档。现在，我会朝那个方向调查。

Answer 1

这是在strongSwan邮件列表中讨论。

从这个线程中可以看到，最后发现使用它是没有意义的，至少在strongSwan中是没有意义的。