I have two offices (IP 1.2.3.4 is Victoria, IP 5.6.7.8 is Toronto), each running Strongswan, and each with an IKEv2 IPsec tunnel back to a Cisco ASA 5512 at IP 9.8.7.6. I recently upgraded the ASA software from 9.4.2(11) to 9.4.3(4) without any problems. Both tunnels came back up and ran normally for 1 day 17 hours, but the Victoria tunnel has now stopped passing traffic.

The tunnel establishes without any problem, but show ipsec sa tells me that no traffic is passing through it. Restarting the tunnel makes no difference.

ASA1# show ipsec sa peer 1.2.3.4
peer address: 1.2.3.4
Crypto map tag: OUTSIDE_map, seq num: 1, local addr: 9.8.7.6
access-list OUTSIDE_cryptomap_2 extended permit ip 192.168.242.0 255.255.255.0 192.168.244.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.242.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.244.0/255.255.255.0/0/0)
current_peer: 1.2.3.4
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1428, #pkts decrypt: 1428, #pkts verify: 1428
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 9.8.7.6/500, remote crypto endpt.: 1.2.3.4/500
path mtu 1500, ipsec overhead 55(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CB3A6309
current inbound spi : 5E3D8A13
inbound esp sas:
spi: 0x5E3D8A13 (1581091347)
transform: esp-aes-gcm-256 esp-null-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
slot: 0, conn_id: 167936, crypto-map: OUTSIDE_map
sa timing: remaining key lifetime (sec): 2676
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCB3A6309 (3409601289)
transform: esp-aes-gcm-256 esp-null-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
slot: 0, conn_id: 167936, crypto-map: OUTSIDE_map
sa timing: remaining key lifetime (sec): 2676
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

A packet capture looking for the dropped packets gave me this, but it doesn't tell me which rule is being applied.

939: 20:11:44.438591 0023.ab3f.8255 24e9.b315.cddf 0x0800 Length: 89
192.168.244.114.51353 > 192.168.242.200.53: [no cksum] udp 47 [tos 0x10] (ttl 63, id 8826) Drop-reason: (acl-drop) Flow is denied by configured rule

Below is some of the relevant configuration; as far as I can see, the two offices are identical. If anyone has any suggestions about what might be going on here, I'd be grateful!

ASA1# show running-config crypto map
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_2
crypto map OUTSIDE_map 1 set pfs group14
crypto map OUTSIDE_map 1 set peer 1.2.3.4
crypto map OUTSIDE_map 1 set ikev2 ipsec-proposal AESGCM
crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
crypto map OUTSIDE_map 1 set nat-t-disable
crypto map OUTSIDE_map 2 match address OUTSIDE_cryptomap_3
crypto map OUTSIDE_map 2 set pfs group14
crypto map OUTSIDE_map 2 set peer 5.6.7.8
crypto map OUTSIDE_map 2 set ikev2 ipsec-proposal AESGCM
crypto map OUTSIDE_map 2 set security-association lifetime seconds 3600
crypto map OUTSIDE_map 2 set nat-t-disable
crypto map OUTSIDE_map interface OUTSIDE
ASA1# show running-config access-list OUTSIDE_cryptomap_2
access-list OUTSIDE_cryptomap_2 extended permit ip object NOC-network object Victoria-network
ASA1# show running-config access-list OUTSIDE_cryptomap_3
access-list OUTSIDE_cryptomap_3 extended permit ip object NOC-network object Toronto-network
ASA1# show running-config nat
nat (INSIDE,OUTSIDE) source static NOC-network NOC-network destination static Victoria-network Victoria-network no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static NOC-network NOC-network destination static Toronto-network Toronto-network no-proxy-arp route-lookup
ASA1# show running-config tunnel-group
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
default-group-policy GroupPolicy_Victoria
tunnel-group 1.2.3.4 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 general-attributes
default-group-policy GroupPolicy_Toronto
tunnel-group 5.6.7.8 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 15 retry 2
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
ASA1# show running-config crypto ikev2
crypto ikev2 policy 2
encryption aes-gcm-256
integrity null
group 21 24
prf sha512
lifetime seconds 28800
crypto ikev2 policy 3
encryption aes-256
integrity sha512
group 21 24
prf sha512
lifetime seconds 28800
crypto ikev2 enable OUTSIDE
ASA1# show running-config crypto ipsec
crypto ipsec ikev2 ipsec-proposal AES256-SHA512
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AESGCM
protocol esp encryption aes-gcm-256
protocol esp integrity sha-512
crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association pmtu-aging infinite
ASA1# show running-config all sysopt
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp OUTSIDE
no sysopt noproxyarp INSIDE
no sysopt noproxyarp DMZ1
no sysopt noproxyarp management

Posted on 2016-07-21 03:03:16

If you have a stale SPI on your ASA that "overrides" the valid active SPI, then your scenario looks very much like what you would see. The bad news is that if that is the case... you can only correct it by rebooting the ASA itself.

You could try running a packet tracer to simulate the traffic and check whether you see a "VPN encrypt phase" in the output. If you do, but the traffic cannot be encrypted, then it is probably matching the inactive, stale SPI.

You can also use show asp table classify crypto and look for matches in the crypto domain. You don't want to see multiple matches for the same cs_id. See this example (notice how their networks are exactly the same, but they have different cs_ids, and only one of them has a hit count?):

in id=0x7fff370d6450, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=17302, user_data=0x8e0d6a4, **cs_id=0x7fff36c15af0**, reverse, flags=0x0, protocol=0
src ip/id=10.202.140.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.202.126.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0x7fff3d48dda0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=0, user_data=0xaaf9b0c, **cs_id=0x7fff38d9d080**, reverse, flags=0x0, protocol=0
src ip/id=10.202.140.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.202.126.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

The example above is something I learned directly from troubleshooting the very problem you describe, and in that case a reboot corrected it. I have also run into a problem where the same firewall stopped passing traffic on an active tunnel for just a handful of hosts. Bouncing the tunnel corrected that one.

These problems only started after the VPNs were upgraded to IKEv2. I suspect that if you are rekeying your tunnels frequently on IKEv2, it seems quite likely that you have problematic SPIs. You may want to increase the phase 2 tunnel lifetime, since you currently have it set to 3600 (my client was hitting the default data lifetime on the phase 2 tunnel every 4 minutes, so I set the data lifetime to unlimited).
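As an added example (not code from the question or the answer), a small Python script that checks for the two indicators discussed above: a decaps-only counter pattern in show ipsec sa, and more than one ipsec-tunnel-flow entry with different cs_ids for the same src/dst network pair in show asp table classify crypto. The sample inputs are constructed from the outputs shown on this page, with the ** emphasis markers removed.

```python
import re
from collections import defaultdict

# Constructed sample: the counter lines from the question's `show ipsec sa` output.
IPSEC_SA = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1428, #pkts decrypt: 1428, #pkts verify: 1428
"""

# Constructed sample: the two entries from the answer's `show asp table classify crypto` example.
ASP_CRYPTO = """\
in id=0x7fff370d6450, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=17302, user_data=0x8e0d6a4, cs_id=0x7fff36c15af0, reverse, flags=0x0, protocol=0
src ip/id=10.202.140.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.202.126.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0x7fff3d48dda0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=0, user_data=0xaaf9b0c, cs_id=0x7fff38d9d080, reverse, flags=0x0, protocol=0
src ip/id=10.202.140.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.202.126.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
"""

def one_way_traffic(sa_text):
    """True when the SA decapsulates packets but never encapsulates any (the question's symptom)."""
    counters = dict(re.findall(r"#pkts (encaps|decaps): (\d+)", sa_text))
    return int(counters.get("decaps", 0)) > 0 and int(counters.get("encaps", 0)) == 0

def duplicate_crypto_entries(asp_text):
    """Group ipsec-tunnel-flow entries by (src, dst) and return the groups that carry more than one cs_id."""
    entries = defaultdict(list)
    for block in re.split(r"(?m)^in id=", asp_text)[1:]:
        if "domain=ipsec-tunnel-flow" not in block:
            continue
        hits = int(re.search(r"hits=(\d+)", block).group(1))
        cs_id = re.search(r"cs_id=(0x[0-9a-f]+)", block).group(1)
        src = re.search(r"src ip/id=(\S+), mask=(\S+),", block)
        dst = re.search(r"dst ip/id=(\S+), mask=(\S+),", block)
        key = (f"{src[1]}/{src[2]}", f"{dst[1]}/{dst[2]}")
        entries[key].append((cs_id, hits))
    return {k: v for k, v in entries.items() if len({c for c, _ in v}) > 1}

if __name__ == "__main__":
    print("decaps-only SA:", one_way_traffic(IPSEC_SA))
    for (src, dst), ids in duplicate_crypto_entries(ASP_CRYPTO).items():
        print(f"{src} -> {dst}: {len(ids)} entries", ids)
```

Feed the real outputs to the two functions; a decaps-only SA together with a duplicated network pair where only one cs_id has hits is the stale-SPI picture the answer describes.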
https://networkengineering.stackexchange.com/questions/33154