I am struggling with a Cisco IPsec configuration.
My goal is to terminate branch sites that sit behind a CGN gateway into an MPLS L3VPN network over IPsec tunnels.
The hub-site router is an ASR1k running IOS XE 3.16. The spoke-site routers vary; I am currently testing with a C819 4G model.
Here is my hub-site configuration:
!
! IKEv1 keyring: the PSK is bound to the spoke's FQDN identity (aggressive mode)
crypto keyring KEYRING
  pre-shared-key hostname router1-xxx key somekey
!
crypto isakmp policy 103
 encr aes 256
 authentication pre-share
 group 5
 lifetime 7200
!
! The keyring name here must match the "crypto keyring" defined above
crypto isakmp profile IKEPROFILE
   keyring KEYRING
   match identity user-fqdn router1-xxx
   virtual-template 103
!
!
! AH for integrity, ESP for encryption only
crypto ipsec transform-set AES_256-SHA ah-sha-hmac esp-aes 256
 mode tunnel
!
crypto ipsec profile IPSECPROFILE
 description some description
 set security-association lifetime seconds 7200
 set transform-set AES_256-SHA
 set pfs group5
 responder-only
!
!
! One Virtual-Access interface is cloned from this template per spoke
interface Virtual-Template103 type tunnel
 description some description
 vrf forwarding CUSTOMER
 ip address 10.1.1.1 255.255.255.252
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSECPROFILE
!
And here is the spoke configuration:
crypto isakmp policy 103
 encr aes 256
 authentication pre-share
 group 5
 lifetime 7200
crypto isakmp keepalive 10
!
! Aggressive-mode initiator: identifies itself to the hub by user-FQDN
crypto isakmp peer address 212.218.X.X
 set aggressive-mode password somekey
 set aggressive-mode client-endpoint user-fqdn router1-xxx
!
!
! Must match the hub's transform set
crypto ipsec transform-set AES_256-SHA ah-sha-hmac esp-aes 256
 mode tunnel
!
! Profile name must match the one referenced under Tunnel0 below
crypto ipsec profile IPSECPROFILE
 description Wirth Systems Standort Turin
 set security-association lifetime seconds 7200
 set transform-set AES_256-SHA
 set pfs group5
!
!
interface Tunnel0
 ip address 10.1.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 tunnel source Cellular0
 tunnel mode ipsec ipv4
 tunnel destination 212.218.x.x
 tunnel protection ipsec profile IPSECPROFILE
Phase 1 comes up fine, but I am having trouble bringing up Phase 2.
Here is the output of
show crypto ipsec sa on the hub router:
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 212.218.X.X

   protected vrf: CUSTOMER
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 5.90.X.X port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 212.218.154.5, remote crypto endpt.: 5.90.10.185
     path mtu 1576, ip mtu 1576, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
So no SA is created. I am also confused by the fact that this output says
PFS (Y/N): N, DH group: none, even though PFS is configured.
debug crypto ipsec gives the following output:
*Jun 30 18:42:05.074: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 212.218.X.X:0, remote= 5.90.X.X:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= AH, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 30 18:42:05.075: IPSEC(validate_proposal_request): proposal part #2
*Jun 30 18:42:05.075: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 212.218.X.X:0, remote= 5.90.X.X:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jun 30 18:42:05.075: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
*Jun 30 18:42:05.081: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 30 18:42:05.081: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 256
src port : 0
dst port : 0
*Jun 30 18:42:05.081: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Virtual-Access2-head-0
*Jun 30 18:42:05.082: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0xC30; opcode 0x60; param 0x1F79; error 0x5; retry cnt 0
*Jun 30 18:42:05.082: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0xC32; opcode 0x60; param 0x1F7A; error 0x5; retry cnt 0
Any idea how to solve this?
Thanks in advance for all replies.
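Editor's note, added here and not part of the original post: the debug output above negotiates the Phase 2 proposal as "Tunnel-UDP", i.e. NAT traversal (NAT-T, RFC 3948) was detected because the spoke sits behind the CGN, and the first proposal part is protocol AH. AH cannot work across a NAT: its integrity check value covers the outer IP header (including the source address that the CGN rewrites), and NAT-T only defines UDP encapsulation for ESP, not for AH. An AH+ESP transform set that fails to install once NAT-T is in play is consistent with the "transform= NONE" lines and the %ACE-3-TRANSERR errors from the crypto engine, and with no SA ever being created. It also explains the PFS line: show crypto ipsec sa reports the parameters of the SA that was actually negotiated, so with no SA it shows N / none regardless of "set pfs group5". The fragment below contrasts the posted transform set with an ESP-only replacement that carries both confidentiality and integrity inside ESP, which NAT-T can encapsulate. The name ESP_AES256-SHA and the NAT keepalive interval are my assumptions; everything else reuses names from the post.

```cisco
! --- As posted: AH integrity + ESP encryption (will not traverse the CGN) ---
crypto ipsec transform-set AES_256-SHA ah-sha-hmac esp-aes 256
 mode tunnel
!
! --- Suggested replacement: integrity and confidentiality both inside ESP ---
! Name is an assumption; configure the identical transform set on hub and spoke.
crypto ipsec transform-set ESP_AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Point the existing profile (same name on both routers) at the new transform set.
! PFS stays configured; it will only be visible in "show crypto ipsec sa"
! once an SA has actually been installed.
crypto ipsec profile IPSECPROFILE
 set security-association lifetime seconds 7200
 set transform-set ESP_AES256-SHA
 set pfs group5
!
! Optional: keep the CGN's UDP/4500 mapping alive while the tunnel is idle
! (interval in seconds is an assumption).
crypto isakmp nat keepalive 20
!
```

After changing the transform set on both routers, clear the existing ISAKMP and IPsec SAs (clear crypto isakmp, clear crypto sa) so that Phase 2 is renegotiated with the ESP-only proposal; debug crypto ipsec should then show "protocol= ESP" with a non-NONE transform, and the hub's Virtual-Access interface should list inbound and outbound ESP SAs.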