Slow network speed due to a possible VPN configuration issue?

Network Engineering cisco-asa vpn
2022-02-06 01:42:40

Context

I have set up a VPN connection between two ASA-5515s, between our main site and a new backup site. This is to replace our old backup site, which currently connects using Racoon between an ASA-5515 (main site) and FreeBSD.

Problem

File transfer speed between the two ASA-5515s is half the speed of the connection between the ASA-5515 and the FreeBSD box.

Expectation

My expectation was that the speed should be the same, or even better, given that the old backup site is in France and the new backup site is in the UK, where our main site is located.

Investigation

I have transferred files from one server to another while doing some disk R/W tests and have ruled out this being a disk R/W speed issue.

I have also run this test against both the old and new backup sites:

root@main_site_server:# dd if=/dev/zero bs=1M count=10240 | ssh server@backup 'cat > /dev/null'

(https://www.commandlinefu.com/commands/view/5799/test-network-speed-without-wasting-disk)

transfer from primary_site to new_backup_site 
10240+0 records in
10240+0 records out
10737418240 bytes (11 GB) copied, 351.285 s, 30.6 MB/s

transfer from primary_site to old_backup_site
10240+0 records in
10240+0 records out
10737418240 bytes (11 GB) copied, 189.332 s, 56.7 MB/s

My suspicion is that it may lie in how the site-to-site VPN is configured.

The only difference between the site-to-site configurations is that one of the backup sites has a NAT exemption configured, unlimited traffic under the SAL (versus 4608000), and a priority of 7 (versus 5) in the SAL of its crypto map entry.

Question

My question is whether you would expect any of these settings to have such a large impact on transfer speed?

Technical

All servers are connected via the following Cisco switch model: ws-c2960x-48ts-l

Configurations (these have been sanitised as much as possible)

Main site router config (Cisco ASA-5515)


ASA Version 9.8(2)
!
interface GigabitEthernet0/0
 description Link to redstation
 nameif outside
 security-level 0
 ip address <maindatacenter_external_ip> standby <main_site_secondary_ip>
!
interface GigabitEthernet0/1
 description prodsw - internal
 nameif inside
 security-level 100
 ip address <maindatacenter_gateway_ip> standby <main_site_secondary_gateway_ip>
!
interface GigabitEthernet0/2
 description prodsw - dmz
 nameif dmz
 security-level 50
 ip address <maindatacenter_dmz_gateway_ip>  standby <main_site_dmz_secondary_gateway_ip>
!
boot system disk0:/asa982-smp-k8.bin
!
object network network_internal
 subnet <main_site_internal_network> 
!
object network <old_backup_internal>
 subnet <old_backup_internal_network> 
!
object network <new_backup_internal>
 subnet <new_backup_internal_network> 
object network NETWORK_OBJ_<main_site_internal_network>
 subnet <main_site_internal_network> 
object network <new_backup_external>
 host <new_backup_external_ip>
!
 group-object hostgroup_connect
 network-object object <old_backup_internal>
 network-object object <new_backup_internal>
!
object-group network hostgroup_ike_peers
 network-object object <new_backup_external>
!
access-list outside_cryptomap_1 extended permit ip object network_internal object <old_backup_internal>
!
access-list outside_cryptomap_4 extended permit ip object network_internal object <new_backup_internal>
!
access-list inside_access_in extended permit ip any any
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,any) source static network_internal network_internal destination static no_nat no_nat no-proxy-arp route-lookup
nat (dmz,any) source static network_internal network_internal destination static no_nat no_nat no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (dmz,outside) source dynamic any interface
nat (inside,outside) source static network_internal network_internal destination static <new_backup_internal> <new_backup_internal>
!
access-group outside_access_in in interface outside control-plane
access-group outside_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_in in interface dmz
!
route outside 0.0.0.0 0.0.0.0 <main_site_external_ip> 1
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
!
crypto map outside_map 5 match address outside_cryptomap_1
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer <old_backup_external_ip>
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
!
crypto map outside_map 7 match address outside_cryptomap_4
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer <new_backup_external_ip>
crypto map outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 7 set security-association lifetime kilobytes unlimited
!
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint6
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
 error-recovery disable
!
tunnel-group <old_backup_external_ip> type ipsec-l2l
tunnel-group <old_backup_external_ip> general-attributes
 default-group-policy GroupPolicy_Backup
tunnel-group <old_backup_external_ip> ipsec-attributes
 ikev1 pre-shared-key 
!
tunnel-group <new_backup_external_ip> type ipsec-l2l
tunnel-group <new_backup_external_ip> general-attributes
 default-group-policy GroupPolicy_<new_backup_external_ip>
tunnel-group <new_backup_external_ip> ipsec-attributes
 ikev1 pre-shared-key 
 ikev2 remote-authentication pre-shared-key
 ikev2 local-authentication pre-shared-key


: end

New backup router config (Cisco ASA-5515)

Result of the command: "show running-config"

: Saved
:
ASA Version 9.1(1) 
!
interface GigabitEthernet0/0
 description LINK TO WAN
 nameif outside
 security-level 0
 ip address <newbackup_external_ip>  
!
interface GigabitEthernet0/1
 description LINK TO LAN
 nameif inside
 security-level 100
 ip address <newbackup_gateway_ip>  
!
ftp mode passive
!
object network my-inside-net
 subnet <newbackup_internal_network> 
object network <maindatacenter_internal_network>
 subnet <maindatacenter_internal_network> 
object network <maindatacenter_external_ip>
 host <maindatacenter_external_ip>
object network NETWORK_OBJ_<newbackup_internal_network>
 subnet <newbackup_internal_network> 
object network <oldbackup_internal_network>
 subnet <oldbackup_internal_network> 
object network <oldbackup_external_ip>
 host <oldbackup_external_ip>
object-group service 4500 udp
 description port 4500 adsm
 port-object eq 4500
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo
 icmp-object echo-reply
access-list OUTSIDE-IN extended permit icmp any any object-group DM_INLINE_ICMP_2 
access-list OUTSIDE-IN extended permit ip any any 
access-list outside_cryptomap_1 extended permit ip <newbackup_internal_network> object <maindatacenter_internal_network> 
access-list inside_access_in extended permit ip <newbackup_internal_network> object <maindatacenter_internal_network> 
access-list inside_access_in extended permit ip <newbackup_internal_network> object <oldbackup_internal_network> 
access-list inside_access_in extended permit ip object <maindatacenter_internal_network> <newbackup_internal_network> 
access-list inside_access_in extended permit ip object <oldbackup_internal_network> <newbackup_internal_network>
access-list inside_access_in extended permit ip object <maindatacenter_internal_network> object my-inside-net 
access-list inside_access_in extended permit icmp any object <maindatacenter_internal_network> object-group DM_INLINE_ICMP_1 
access-list inside_access_in extended permit ip any any 
access-list global_access extended permit ip object <maindatacenter_internal_network> interface inside 
access-list outside_access_in extended permit udp object <maindatacenter_external_ip> any eq isakmp 
access-list outside_access_in extended permit udp object <oldbackup_external_ip> any eq isakmp 
access-list outside_access_in extended permit ip any any 
access-list outside_cryptomap extended permit ip <newbackup_internal_network> object <oldbackup_internal_network> 
!
mtu outside 1500
mtu inside 1500
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
!
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_<newbackup_internal_network> NETWORK_OBJ_<newbackup_internal_network>_24 destination static <maindatacenter_internal_network> <maindatacenter_internal_network> no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_<newbackup_internal_network> NETWORK_OBJ_<newbackup_internal_network>_24 destination static <oldbackup_internal_network> <oldbackup_internal_network> no-proxy-arp route-lookup
!
object network my-inside-net
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside control-plane
access-group OUTSIDE-IN in interface outside
access-group inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 <newbackup_external_ip> 1
!
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer <maindatacenter_external_ip> 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set security-association lifetime kilobytes 2147483647
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer <oldbackup_external_ip> 
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_<oldbackup_external_ip> internal
group-policy GroupPolicy_<oldbackup_external_ip> attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_<maindatacenter_external_ip> internal
group-policy GroupPolicy_<maindatacenter_external_ip> attributes
 vpn-tunnel-protocol ikev1 
!
tunnel-group <maindatacenter_external_ip> type ipsec-l2l
tunnel-group <maindatacenter_external_ip> general-attributes
 default-group-policy GroupPolicy_<maindatacenter_external_ip>
tunnel-group <maindatacenter_external_ip> ipsec-attributes
 ikev1 pre-shared-key 
tunnel-group <oldbackup_external_ip> type ipsec-l2l
tunnel-group <oldbackup_external_ip> general-attributes
 default-group-policy GroupPolicy_<oldbackup_external_ip>
tunnel-group <oldbackup_external_ip> ipsec-attributes
 ikev1 pre-shared-key 
!
class-map inspection_default
 match default-inspection-traffic
!
: end

Old backup router config (FreeBSD/Racoon)

padding
{
    maximum_length  20;
    randomize       off;
    strict_check    off;
    exclusive_tail  off;
}

timers
{
    counter         5;
    interval        20 sec;
    persend         1;
    phase1          24 hour;
    phase2          3600 sec;
}

listen
{
    isakmp          <old_backup_external_ip> [500];
    isakmp_natt     <old_backup_external_ip> [4500];
}

remote <main_site_external_ip> [500]
{
    exchange_mode     main;
    situation         identity_only;
    my_identifier     address <old_backup_external_ip>;
    peers_identifier  address <main_site_external_ip>;
    lifetime          time 24 hour;
    passive           off;
    proposal_check    obey;
    generate_policy   off;

    proposal {
        encryption_algorithm    aes128;
        hash_algorithm          sha1;
        authentication_method   pre_shared_key;
        lifetime time           24 hour;
        dh_group                2;
    }
}

sainfo (address <old_backup_internal_network> any address <primary_site_internal_network> any)
{
    pfs_group                 2;
    lifetime                  time 3600 sec;
    encryption_algorithm      aes;
    authentication_algorithm  hmac_sha1;
    compression_algorithm     deflate;
}

sainfo (address <old_backup_internal_network> any address <internal_network_range> any)
{
    pfs_group                 2;
    lifetime                  time 3600 sec;
    encryption_algorithm      aes;
    authentication_algorithm  hmac_sha1;
    compression_algorithm     deflate;
}

remote <new_backup_external_ip> [500]
{
    exchange_mode     main;
    situation         identity_only;
    my_identifier     address <old_backup_external_ip>;
    peers_identifier  address <new_backup_external_ip>;
    lifetime          time 24 hour;
    passive           off;
    proposal_check    obey;
    generate_policy   off;

    proposal {
        encryption_algorithm    aes128;
        hash_algorithm          sha1;
        authentication_method   pre_shared_key;
        lifetime time           24 hour;
        dh_group                2;
    }
}

sainfo (address <old_backup_internal_network>/24 any address <new_backup_internal_network> any)
{
    pfs_group                 2;
    lifetime                  time 3600 sec;
    encryption_algorithm      aes;
    authentication_algorithm  hmac_sha1;
    compression_algorithm     deflate;
}

sainfo (address <new_backup_internal_network>/24 any address <old_backup_internal_network> any)
{
    pfs_group                 2;
    lifetime                  time 3600 sec;
    encryption_algorithm      aes;
    authentication_algorithm  hmac_sha1;
    compression_algorithm     deflate;
}

1 Answer

This IPSec configuration seems a bit loaded for a simple site-2-site tunnel where you control both ends.

I'd suggest the following procedure:

First: be sure to know whether you are running IKEv1 or IKEv2 between these two ASAs. There are configuration bits for both, and possibly configuration leftovers. Remove the parts you don't use. Troubleshooting IPSec connections with one IKE type is hard enough...

Second: disable/remove all transform sets you don't actually want to use:

crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

There's just no point in offering all of these during IKE negotiations and then having a hard time finding out which one is actually chosen, when the choice might have a performance impact, too. If you don't strictly control which encryption and integrity/hash algorithms are actually in use, analysing, comparing and optimising is next to impossible.

Suggestion: err on the side of the ESP-AES-xxx-SHA variety, investigate whether SHA2 is available on your ASA for IKE profiles and transform sets, and raise the bar on the PFS DH group to 5, 14 or higher. Anything "DES", "3DES" and "MD5" should go; these are obsolete (arguably SHA/SHA1 too).

Also: if possible, reduce to a single IKE policy, so there's no ambiguity about which one gets chosen.

Third: IPsec's packet overhead varies (up to 100+ bytes) with the encryption and hash algorithms and the transport mechanism in use (NAT-T, anyone?). The TCP MSS clamping value must be set to a value that fits the remaining payload size.

So: determine the MTU of your IPSec tunnel. Make sure both ends have identical IKE/IPSec configurations and bring up the tunnel. Also make sure df-bit-ignore and df-bit-clear are set to off (crypto ipsec df-bit copy-df, per https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/AH/cmdref1/c5.html#pgfId-2356776); in other words, the ASA should honour and preserve the DF bit and should not fragment packets that are too large to fit into the tunnel (having the ASA send back "ICMP unreachable, fragmentation needed" is optional for this test).

Then start sending pings to the remote site with the DF bit set and a specified packet size close to the expected MTU. Increase/decrease the ICMP message size [2] until you find the largest packet size that fits through the tunnel [3]. Don't use the ASA itself to send the packets; use an end system in the LAN, since the results may be skewed if done from the ASA.

Fourth: to avoid fragmentation, set the TCP MSS clamping value to (at least) 40 bytes below the tunnel MTU you just established.

Starting from the assumption that you have a full 1500-byte MTU between your sites, be sure to check whether either site uses PPP (+8 bytes of overhead) or (at least) one ASA is behind NAT (then NAT-T kicks in, with another +8 bytes of overhead). A TCP MSS clamp at 1380 bytes will probably be fine, 1360 is fairly safe, and 1350 would be a very safe choice. 1400, however, may not be low enough.

sysopt connection tcpmss 1350

Finally: determine whether your application uses UDP as transport. The access lists in your configuration seem to match IP addresses only, not the L4 protocol. TCP MSS clamping cannot help UDP. For UDP, there are only two things you can do:

  • Configure the application to send no more than MTU - 28 bytes of payload per packet
  • Revert to crypto ipsec df-bit clear-df so that the ASA ignores the DF bit and fragments packets before packing them into the tunnel. [4]

One thing that may work for UDP, but shouldn't be relied upon because PathMTUd is not always reliable, is the following:

  • Leave the ASA at crypto ipsec df-bit copy-df and hope that it will send the required ICMP fragmentation needed (type 3, code 4) message to the sending host, that the host's IP and/or application stack will receive that message, and that the application or IP stack obeys the MTU advice the message contains. PathMTUd sometimes works, sometimes breaks, leading to rather mixed results.

Add-on: for performance testing, I'd suggest using a tool like iPerf to pump traffic through the VPN tunnel from either side in unidirectional UDP mode.

First advantage: detecting the (possible) directionality of bandwidth/throughput/performance issues.

Unidirectional testing is important because end-to-end MTU, network bandwidth and QoS topics (such as the carrier's policing/shaping) may be unidirectional. Testing with TCP will never let you know for sure whether something happened on the way out or on the way back.

See also: Iperf results on UDP bandwidth. Don't forget to limit the payload size iPerf uses in UDP mode to 28 bytes below the MTU (using something like -l 1372).

Second advantage of not using TCP at first: UDP has no notion of flow control, nor of TCP window size and scaling. Since you're talking about .fr <-> .uk, bandwidth x delay product, network RTT and TCP window scaling are already a significant topic, and it's best to set that aside at first.

Third: test the ASA's encryption performance. With UDP, there is no send-rate adaptation as with TCP. iPerf in UDP mode just "blasts" traffic at the given payload rate without caring about packet loss or link overload. So if you pump NN Mbit/s of UDP traffic into the ASA's inside interface, NN+some Mbit/s (remember, up to 100 bytes of IPsec overhead per packet) should come out of the ASA's outside/WAN interface. If not, the given ASA isn't up to the task. Try a computationally cheaper encryption setting for comparison.


[2] Some ping implementations let you specify the size of the entire IP packet (including 20 bytes of IP and 8 bytes of ICMP header), while others take the command-line argument as the ICMP payload size (excluding headers). Be sure to squint and play the +- 28 bytes game to understand the given ping variant before you start testing.

[3] Keep in mind: a lost ping response doesn't tell you whether the packet was lost on the way out or on the way back. To be sure, run a packet dump on the remote system to see whether the echo request got through, or whether the echo reply left the remote system but was lost on the way back.

[4] Yes, this re-enables fragmentation on the ASA. But since heavy loads are usually done by TCP, and TCP is handled by TCP MSS clamping, there's no harm in allowing the ASA to fragment.
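As an added example (not from the answer, the asker, or Cisco), here is the sizing math behind steps three and four and the iperf -l note, in Python: it computes the tunnel-mode ESP overhead for the transform sets in the configs above, derives the inner tunnel MTU, the MSS clamp and the UDP/ICMP payload ceiling, and wraps the DF-bit ping sweep in a binary search. Function names are the example's own; it assumes IPv4, CBC ciphers with 96/128-bit truncated HMAC ICVs and Linux iputils ping, and its overhead figures are the protocol's, so confirm them with the sweep against the real tunnel.

```python
"""Tunnel-mode ESP sizing and DF-bit MTU sweep (added example, assumptions above)."""
import subprocess

# cipher -> (CBC block size, explicit IV length), bytes
CIPHER = {
    "aes-128-cbc": (16, 16), "aes-192-cbc": (16, 16), "aes-256-cbc": (16, 16),
    "3des-cbc": (8, 8), "des-cbc": (8, 8),
}
# integrity transform -> ICV length, bytes
ICV = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "hmac-sha256-128": 16}


def esp_overhead(inner_len, cipher, integ, nat_t=False, pppoe=False):
    """Bytes added when an inner IPv4 packet of inner_len bytes is wrapped in
    tunnel-mode ESP (RFC 4303): outer IP(20) + SPI/seq(8) + IV + padding
    + pad-len/next-header(2) + ICV, plus UDP(8) for NAT-T (RFC 3948) and
    8 more for a PPPoE link."""
    block, iv = CIPHER[cipher]
    # Payload plus the 2 trailer bytes is padded up to a multiple of the cipher block.
    pad = (-(inner_len + 2)) % block
    return 20 + 8 + iv + pad + 2 + ICV[integ] + (8 if nat_t else 0) + (8 if pppoe else 0)


def tunnel_mtu(link_mtu, cipher, integ, nat_t=False, pppoe=False):
    """Largest inner packet whose ESP encapsulation still fits in link_mtu.
    Padding makes the overhead depend on inner_len, so scan downward."""
    for inner in range(link_mtu, 0, -1):
        if inner + esp_overhead(inner, cipher, integ, nat_t, pppoe) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for this transform")


def tcp_mss(inner_mtu):
    """MSS clamp: inner MTU minus 20 IP + 20 TCP (the answer's 'at least 40 below')."""
    return inner_mtu - 40


def udp_payload(inner_mtu):
    """Largest UDP/ICMP payload that needs no fragmentation: inner MTU minus
    20 IP + 8 header; also the value to give iperf's -l in UDP mode."""
    return inner_mtu - 28


def probe_df(host, payload, timeout=2):
    """One echo request with DF set and `payload` data bytes (Linux iputils:
    -M do = don't fragment, -s = ICMP payload, so the IP packet is payload+28).
    True means a reply came back; footnote [3] explains what False may mean."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout), "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def measure_tunnel_mtu(host, lo=1000, hi=1500, probe=probe_df):
    """Binary-search the largest IP packet (bytes) that crosses the tunnel with
    DF set. `probe` is injectable so the search can be exercised offline."""
    best = None
    lo_p, hi_p = lo - 28, hi - 28          # IP sizes -> ICMP payload sizes
    while lo_p <= hi_p:
        mid = (lo_p + hi_p) // 2
        if probe(host, mid):
            best, lo_p = mid + 28, mid + 1
        else:
            hi_p = mid - 1
    return best


if __name__ == "__main__":
    for cipher, integ, nat_t in [("aes-128-cbc", "hmac-sha1-96", False),
                                 ("aes-128-cbc", "hmac-sha1-96", True),
                                 ("3des-cbc", "hmac-md5-96", False)]:
        m = tunnel_mtu(1500, cipher, integ, nat_t)
        print(f"{cipher}/{integ} nat_t={nat_t}: tunnel MTU {m}, "
              f"sysopt connection tcpmss {tcp_mss(m)}, iperf -l {udp_payload(m)}")
```

For ESP-AES-128-SHA over a 1500-byte link without NAT-T the inner MTU works out to 1438 bytes, giving an MSS of 1398, which is why a clamp of 1400 already overshoots by two bytes; with NAT-T the inner MTU drops to 1422.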