
IKEv2 site-to-site from Cisco ASA 5506 to Azure "RouteBased" VPN

Network Engineering user
Asked on 2016-12-09 20:15:10
Answers 3 Views 8.5K Followers 0 Votes 2

I am having a small problem setting up an IKEv2 site-to-site to an Azure cloud site. I am using the parameters from the IPSec documentation.

Phase 1 is established, but I cannot work out Phase 2. Here is the crypto config:

Config

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal azure-ikev2-ipsec-proposal-set
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 10 match address vpn-traffic-ikev2
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 10 set ikev2 ipsec-proposal azure-ikev2-ipsec-proposal-set
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 5
 encryption aes-256 3des
 integrity sha256 sha
 group 2
 prf sha
 lifetime seconds 10800
crypto ikev2 enable outside
crypto ikev2 enable Comcast

Debug

It is very long, so I will paste the part where the problem is:

IKEv2-PROTO-2: (34): Processing IKE_AUTH message
IKEv2-PROTO-1: (34): Failed to find a matching policy
IKEv2-PROTO-1: (34): Received Policies:
ESP: Proposal 1:  AES-GCM-256 Don't use ESN
ESP: Proposal 2:  AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 3:  AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 4:  AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 5:  3DES SHA96 Don't use ESN
ESP: Proposal 6:  3DES SHA256 Don't use ESN
ESP: Proposal 7:  DES SHA96 Don't use ESN
ESP: Proposal 8:  AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 9:  AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 10:  AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 11:  AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 12:  AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 13:  AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 14:  3DES SHA96 Don't use ESN
ESP: Proposal 15:  3DES SHA96 Don't use ESN
ESP: Proposal 16:  3DES SHA256 Don't use ESN
ESP: Proposal 17:  AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 18:  AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 19:  AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 20:  AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 21:  AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 22:  AES-CBC-128 SHA256 Don't use ESN
ESP: Proposal 23:  AES-CBC-128 SHA256 Don't use ESN
ESP: Proposal 24:  AES-CBC-128 SHA256 Don't use ESN
ESP: Proposal 25:  AES-CBC-128 SHA256 Don't use ESN
ESP: Proposal 26:  3DES SHA96 Don't use ESN
IKEv2-PROTO-1: (34): Failed to find a matching policy
IKEv2-PROTO-1: (34): Expected Policies:
IKEv2-PROTO-5: (34): Failed to verify the proposed policies
IKEv2-PROTO-1: (34): Failed to find a matching policy

So from the debug it is clear that the policies are getting messed up during the Phase 2 negotiation, but according to the debug, proposal 1 should be AES-GCM-256, which is what I have configured.

Phase 1 tunnel

IKEv2 SAs:
Session-id:44, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id     Local                Remote     Status         Role
980175485     2.2.2.2/500     1.1.1.1/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 10800/26 sec
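As an added example (not code from the question or from any of the answers), the following Python parses the "Received Policies" lines of the ASA IKEv2 debug above, flags the DES and 3DES proposals the peer offers, and checks whether a locally offered (cipher, integrity) pair appears among them; the local proposal lists passed to find_match are assumed for illustration.

```python
import re

# Constructed sample: a subset of the "Received Policies" lines from the ASA
# IKEv2 debug in the question (proposal numbers kept as they appear there).
DEBUG_SAMPLE = """\
IKEv2-PROTO-1: (34): Received Policies:
ESP: Proposal 1:  AES-GCM-256 Don't use ESN
ESP: Proposal 2:  AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 3:  AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 4:  AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 5:  3DES SHA96 Don't use ESN
ESP: Proposal 7:  DES SHA96 Don't use ESN
"""

# One debug line: number, cipher, optional integrity hash (absent for AEAD
# ciphers such as AES-GCM, which carry their own integrity), ESN flag.
PROPOSAL_RE = re.compile(
    r"ESP: Proposal (\d+):\s+(\S+)\s+(?:(SHA\d+|MD5\d*)\s+)?(Don't use ESN|Use ESN)"
)
WEAK_CIPHERS = {"DES", "3DES"}

def parse_received_policies(debug_text):
    """Return [(number, cipher, integrity or None, esn_enabled)] per proposal."""
    proposals = []
    for line in debug_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            num, cipher, integ, esn = m.groups()
            proposals.append((int(num), cipher, integ, esn == "Use ESN"))
    return proposals

def weak_proposals(proposals):
    """Numbers of the received proposals that use DES or 3DES."""
    return [n for n, cipher, _, _ in proposals if cipher in WEAK_CIPHERS]

def find_match(proposals, local):
    """First received proposal number whose (cipher, integrity) pair is in local.
    Use integrity None for an AEAD cipher, as the debug prints AES-GCM without a hash."""
    local_set = set(local)
    for n, cipher, integ, _ in proposals:
        if (cipher, integ) in local_set:
            return n
    return None

if __name__ == "__main__":
    props = parse_received_policies(DEBUG_SAMPLE)
    print("weak proposals:", weak_proposals(props))                  # [5, 7]
    print("AES-GCM-256 matches:", find_match(props, [("AES-GCM-256", None)]))  # 1
```

Paste the full "Received Policies" block from your own debug into DEBUG_SAMPLE to see which of the peer's 26 proposals your ipsec-proposal can actually satisfy.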

3 Answers

Network Engineering user

Accepted answer

Posted on 2017-08-16 17:14:20

Azure Cloud "Route Based" VPN does not support Cisco ASA. I switched the tunnel type on the Azure side to "Policy Based", changed the config on the ASA to use IKEv1, and the tunnel came up immediately.

Votes 0

Network Engineering user

Posted on 2018-01-05 18:08:42

Azure route-based VPN actually does support Cisco ASA, but you must configure policy-based traffic selectors on the Azure gateway.

Votes 3

Network Engineering user

Posted on 2018-07-24 01:46:58

Just add the following line and it works.

crypto map outside_map 10 set pfs group24

I believe the ASA VPN config was created with the configuration script downloaded from Azure. It does not add the above line to the config, hence this problem.

https://docs.microsoft.com/sl-si/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa

Hope this helps.

Thank you, Abs

Votes 0
Page content provided by Network Engineering. Translation supported by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://networkengineering.stackexchange.com/questions/37200
