Cisco site-to-site VPN: routing multiple subnets over the tunnel

networking  cisco  cisco-asa  vpn  firewall
2022-02-20 18:26:16

We have a site-to-site VPN tunnel to AWS that was working fine until I added another subnet to the ACL for interesting traffic, which caused a strange problem. It only lets me add one ACL subnet for interesting traffic; if I try to add another one, my tunnel goes down.


Currently I have the following ACL and it works fine!

access-list ACL-VPN extended permit tcp 10.0.0.0 255.0.0.0 10.100.1.0 255.255.255.0

But as soon as I add my other public subnet to route data over the VPN tunnel, it brings up a new tunnel because it sees the new IP for interesting traffic (I can see this in show crypto ipsec sa), and as soon as it sees the new interesting traffic it drops the traffic for the old tunnel, which is the 10.0.0.0/24 subnet. It looks like it only allows a single ACL subnet for interesting traffic; I tried any but it throws an error.

access-list ACL-VPN extended permit tcp 60.x.x.x 255.255.255.0 10.100.1.0 255.255.255.0

How do I route multiple subnets over the existing VPN tunnel?

Here is my crypto map:

crypto map AWS-VPN 1 match address ACL-VPN
crypto map AWS-VPN 1 set pfs
crypto map AWS-VPN 1 set peer 34.xx.xx.xx 52.xx.xx.xx
crypto map AWS-VPN 1 set ikev1 transform-set AWS-ESP-AES-SHA
crypto map AWS-VPN 1 set security-association lifetime seconds 3600

Edit

You can see all three subnet tunnels in the output below. Currently I can ping the 70 network tunnel and the 10 network tunnel can't ping, but if I pick the 10 network and ping, it breaks the 70 network ping and brings up the 10 network. So weird.

fw1/pri/act# sh crypto ipsec sa peer 13.xx.xx.30
peer address: 13.xx.xx.30

  Crypto map tag: AWS-VPN, seq num: 1, local addr: 66.xx.xx.51

  access-list ACL-VPN extended permit ip 10.0.0.0 255.255.255.0 10.100.1.0 255.255.255.0
  local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
  current_peer: 13.xx.xx.30


  #pkts encaps: 635, #pkts encrypt: 635, #pkts digest: 635
  #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 635, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt.: 66.xx.xx.51/4500, remote crypto endpt.: 13.xx.xx.30/4500
  path mtu 1500, ipsec overhead 82(52), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: clear-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: 2C59F831
  current inbound spi : 574D3919

inbound esp sas:
  spi: 0x574D3919 (1464678681)
     transform: esp-aes esp-sha-hmac no compression
     in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
     sa timing: remaining key lifetime (kB/sec): (4373993/1587)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap:
      0x00000000 0x00001FFF 0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
  spi: 0x2C59F831 (744093745)
     transform: esp-aes esp-sha-hmac no compression
     in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
     sa timing: remaining key lifetime (kB/sec): (4373946/1580)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap:
      0x00000000 0x00000000 0x00000000 0x00000001

Crypto map tag: AWS-VPN, seq num: 1, local addr: 66.xx.xx.51

  access-list ACL-VPN extended permit ip 60.xx.xx.0 255.255.255.0 10.100.1.0 255.255.255.0
  local ident (addr/mask/prot/port): (60.xx.xx.100/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
  current_peer: 13.xx.xx.30


  #pkts encaps: 549, #pkts encrypt: 549, #pkts digest: 549
  #pkts decaps: 149, #pkts decrypt: 128, #pkts verify: 128
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 549, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #send errors: 0, #recv errors: 21

  local crypto endpt.: 66.xx.xx.51/4500, remote crypto endpt.: 13.xx.xx.30/4500
  path mtu 1500, ipsec overhead 82(52), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: clear-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: A42787FD
  current inbound spi : FF78BA5E

inbound esp sas:
  spi: 0xFF78BA5E (4286102110)
     transform: esp-aes esp-sha-hmac no compression
     in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
     sa timing: remaining key lifetime (kB/sec): (4373989/1662)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap:
      0xFFFFFFFF 0xFFFFFFFF 0xFFFFFD55 0x557FFFFF
outbound esp sas:
  spi: 0xA42787FD (2754054141)
     transform: esp-aes esp-sha-hmac no compression
     in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
     sa timing: remaining key lifetime (kB/sec): (4373954/1655)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap:
      0x00000000 0x00000000 0x00000000 0x00000001

Crypto map tag: AWS-VPN, seq num: 1, local addr: 66.xx.xx.51

  access-list ACL-VPN extended permit ip 70.xx.x.0 255.255.255.0 10.100.1.0 255.255.255.0
  local ident (addr/mask/prot/port): (70.xx.x.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
  current_peer: 13.xx.xx.30


  #pkts encaps: 327, #pkts encrypt: 327, #pkts digest: 327
  #pkts decaps: 1024, #pkts decrypt: 20, #pkts verify: 20
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 327, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #send errors: 0, #recv errors: 1004

  local crypto endpt.: 66.xx.xx.51/4500, remote crypto endpt.: 13.xx.xx.30/4500
  path mtu 1500, ipsec overhead 82(52), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: clear-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: 9F4A80A9
  current inbound spi : C87A19F0

inbound esp sas:
  spi: 0xC87A19F0 (3363445232)
     transform: esp-aes esp-sha-hmac no compression
     in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
     sa timing: remaining key lifetime (kB/sec): (4373998/2417)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap:
      0x00000000 0x00000000 0x09200000 0x00000000
outbound esp sas:
  spi: 0x9F4A80A9 (2672459945)
     transform: esp-aes esp-sha-hmac no compression
     in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
     sa timing: remaining key lifetime (kB/sec): (4373973/2416)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap:
      0x00000000 0x00000000 0x00000000 0x00000001
2 Answers

You could try putting all the subnets under a single network object group and then modify your ACL, crypto ACL and NAT exemption rule accordingly. It also makes the configuration look cleaner.

For example:

object-group network Local_subnets
 network-object 10.0.0.0 255.0.0.0
 network-object 60.x.x.x 255.255.255.0
 network-object 70.x.x.x 255.255.255.0

object-group network AWS_subnets
 network-object 10.100.1.0 255.255.255.0


access-list inside extended permit tcp object-group Local_subnets object-group AWS_subnets   

access-list ACL-VPN extended permit tcp object-group Local_subnets object-group AWS_subnets

nat (inside,outside) source static Local_subnets Local_subnets destination static AWS_subnets AWS_subnets no-proxy-arp route-lookup

Make sure the same settings are mirrored on the AWS side.

I hope this helps.

This was very interesting. The solution is an any ACL:

access-list ACL-VPN extended permit ip any4 10.100.1.0 255.255.255.0

Site-to-site with AWS is different :) They support only one security association with Cisco ASA (and probably other vendors), which is why it is recommended to have only one ACL on the crypto map, because if you add another ACL it will break connectivity for both ACLs.

I asked this on the Cisco forums and got the answer from there: https://supportforums.cisco.com/t5/remote-access/site-to-site-vpn-route-multiple-source-subnet-over-vpn-tunnel/mp/3204920/highlight/false#M17644
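As an added example (not part of the question or of either answer), the following Python script parses `show crypto ipsec sa` output of the shape posted above and flags the symptom the accepted answer explains: more than one proxy-ID (local ident / remote ident) pair negotiated under the same crypto map entry and peer. It also reports, per crypto map entry, how many packets were received on the SAs but not decrypted. The sample text is a constructed, abbreviated copy of the posted output with the same redacted addresses and the same counters; the function names and the report format are my own, not an ASA or AWS API.

```python
import re
from collections import defaultdict

# Constructed sample: an abbreviated copy of the structure of the posted
# `show crypto ipsec sa peer 13.xx.xx.30` output, with the same redacted
# addresses and packet counters. Only the fields this script reads are kept.
SAMPLE_OUTPUT = """\
  Crypto map tag: AWS-VPN, seq num: 1, local addr: 66.xx.xx.51

  local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
  current_peer: 13.xx.xx.30

  #pkts encaps: 635, #pkts encrypt: 635, #pkts digest: 635
  #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
  #send errors: 0, #recv errors: 0

Crypto map tag: AWS-VPN, seq num: 1, local addr: 66.xx.xx.51

  local ident (addr/mask/prot/port): (60.xx.xx.100/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
  current_peer: 13.xx.xx.30

  #pkts encaps: 549, #pkts encrypt: 549, #pkts digest: 549
  #pkts decaps: 149, #pkts decrypt: 128, #pkts verify: 128
  #send errors: 0, #recv errors: 21

Crypto map tag: AWS-VPN, seq num: 1, local addr: 66.xx.xx.51

  local ident (addr/mask/prot/port): (70.xx.x.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
  current_peer: 13.xx.xx.30

  #pkts encaps: 327, #pkts encrypt: 327, #pkts digest: 327
  #pkts decaps: 1024, #pkts decrypt: 20, #pkts verify: 20
  #send errors: 0, #recv errors: 1004
"""

# One block per child SA; each block starts with this header line.
HEADER_RE = re.compile(
    r"^\s*Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)", re.M
)


def _grab(pattern, chunk):
    """Return the first capture group of `pattern` in `chunk`, or None."""
    m = re.search(pattern, chunk)
    return m.group(1) if m else None


def parse_ipsec_sas(text):
    """Return one dict per child SA found in `show crypto ipsec sa` output."""
    sas = []
    headers = list(HEADER_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        chunk = text[h.end():end]
        peer = _grab(r"current_peer: (\S+)", chunk)
        local = _grab(r"local ident \(addr/mask/prot/port\): \(([^)]*)\)", chunk)
        remote = _grab(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)", chunk)
        recv_errors = _grab(r"#recv errors: (\d+)", chunk)
        if None in (peer, local, remote, recv_errors):
            continue  # truncated or unfamiliar block: skip rather than guess
        counters = {k: int(v) for k, v in re.findall(r"#pkts (\w+): (\d+)", chunk)}
        sas.append({
            "map": h.group(1), "seq": int(h.group(2)), "peer": peer,
            "local": local, "remote": remote,
            "decaps": counters.get("decaps", 0),
            "decrypt": counters.get("decrypt", 0),
            "recv_errors": int(recv_errors),
        })
    return sas


def audit(text):
    """Group child SAs by (crypto map, seq, peer). More than one distinct
    (local ident, remote ident) pair in a group means several SAs were
    negotiated for one crypto map entry: the condition the accepted answer
    says an AWS peer will not keep up at the same time."""
    groups = defaultdict(list)
    for sa in parse_ipsec_sas(text):
        groups[(sa["map"], sa["seq"], sa["peer"])].append(sa)
    report = {}
    for key, sas in groups.items():
        pairs = sorted({(s["local"], s["remote"]) for s in sas})
        report[key] = {
            "proxy_id_pairs": pairs,
            "multiple_sas": len(pairs) > 1,
            "recv_errors": sum(s["recv_errors"] for s in sas),
            # packets received on the SAs that were never decrypted
            "undecrypted": sum(s["decaps"] - s["decrypt"] for s in sas),
        }
    return report


def main():
    for (cmap, seq, peer), r in audit(SAMPLE_OUTPUT).items():
        flag = "MULTIPLE SAs" if r["multiple_sas"] else "ok"
        print(f"{cmap} seq {seq} peer {peer}: {len(r['proxy_id_pairs'])} proxy-ID pair(s) [{flag}]")
        for local, remote in r["proxy_id_pairs"]:
            print(f"  {local} <-> {remote}")
        print(f"  recv errors: {r['recv_errors']}, received but not decrypted: {r['undecrypted']}")


if __name__ == "__main__":
    main()
```

On the posted output this reports three proxy-ID pairs for AWS-VPN seq 1 towards peer 13.xx.xx.30, which is the picture the accepted answer describes: one crypto map entry, three ACEs, three SAs, and only one of them passing traffic at a time. It is also worth noticing that in each of the three SAs the #recv errors counter equals #pkts decaps minus #pkts decrypt (0, 21 and 1004), so the traffic that disappears when another tunnel comes up is reaching the ASA but is not being decrypted on the SA it lands on. After changing the crypto ACL to a single any4 entry as in the accepted answer, the same command should show one SA pair per peer.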