VPN site-to-site connection error between a Cisco C3925 router and a Sophos XG210 firewall

Network Engineering Cisco VPN Firewall Sophos
2022-03-04 06:05:54

We cannot set up a VPN connection between the C3925 router and the Sophos XG210 firewall.

Attached are the logs from both devices. Please review and advise, many thanks!

Sophos XG210 firewall public IP address: {A}.{B}.{C}.{D}
Firewall LAN IP network: 172.16.16.0/24

C3925 router public IP address: {Q}.{W}.{E}.{R}
Firewall LAN IP network: 192.168.6.0/24

Here is the log from the Cisco router:

Nov 21 10:15:12.570: ISAKMP (1005): received packet from {A}.{B}.{C}.{D} dport 500 sport 500 Global (R) QM_IDLE  
Nov 21 10:15:12.570: ISAKMP: set new node -2018918028 to QM_IDLE  
Nov 21 10:15:12.570: ISAKMP:(1005): processing HASH payload. message ID = 2276049268  
Nov 21 10:15:12.570: ISAKMP:(1005): processing SA payload. message ID = 2276049268  
Nov 21 10:15:12.570: ISAKMP:(1005):Checking IPSec proposal 0  
Nov 21 10:15:12.570: ISAKMP: transform 0, ESP_DES  
Nov 21 10:15:12.570: ISAKMP:   attributes in transform:  
Nov 21 10:15:12.570: ISAKMP:      group is 2  
Nov 21 10:15:12.570: ISAKMP:      encaps is 1 (Tunnel)  
Nov 21 10:15:12.570: ISAKMP:      SA life type in seconds  
Nov 21 10:15:12.570: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80  
Nov 21 10:15:12.570: ISAKMP:      authenticator is HMAC-MD5  
Nov 21 10:15:12.570: ISAKMP:(1005):atts are acceptable.  
Nov 21 10:15:12.570: ISAKMP:(1005):Checking IPSec proposal 0  
Nov 21 10:15:12.570: ISAKMP:(1005):transform 0, IPPCP DEFLATE  
Nov 21 10:15:12.570: ISAKMP:   attributes in transform:  
Nov 21 10:15:12.570: ISAKMP:      encaps is 1 (Tunnel)  
Nov 21 10:15:12.570: ISAKMP:      SA life type in seconds  
Nov 21 10:15:12.570: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80  
Nov 21 10:15:12.570: ISAKMP:(1005):atts are acceptable.  
Nov 21 10:15:12.570: ISAKMP:(1005): IPSec policy invalidated proposal with error 256  
Nov 21 10:15:12.570: ISAKMP:(1005): phase 2 SA policy not acceptable! (local {Q}.{W}.{E}.{R} remote {A}.{B}.{C}.{D})  
Nov 21 10:15:12.570: ISAKMP: set new node 247431745 to QM_IDLE  
Nov 21 10:15:12.570: ISAKMP:(1005):Sending NOTIFY PROPOSAL_NOT_CHOSEN   protocol 3  
        spi 563263588, message ID = 247431745  
Nov 21 10:15:12.570: ISAKMP:(1005): sending packet to {A}.{B}.{C}.{D} my_port 500 peer_port 500 (R) QM_IDLE  
Nov 21 10:15:12.570: ISAKMP:(1005):Sending an IKE IPv4 Packet.  
Nov 21 10:15:12.570: ISAKMP:(1005):purging node 247431745  
Nov 21 10:15:12.570: ISAKMP:(1005):deleting node -2018918028 error TRUE reason "QM rejected"  
Nov 21 10:15:12.570: ISAKMP:(1005):Node 2276049268, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH  
Nov 21 10:15:12.570: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_READY  
Nov 21 10:15:22.524: ISAKMP:(1005):purging node -355390081  
Nov 21 10:15:22.590: ISAKMP (1005): received packet from {A}.{B}.{C}.{D} dport 500 sport 500 Global (R) QM_IDLE  
Nov 21 10:15:22.590: ISAKMP:(1005): phase 2 packet is a duplicate of a previous packet.  
Nov 21 10:15:22.590: ISAKMP:(1005): retransmitting due to retransmit phase 2  
Nov 21 10:15:22.590: ISAKMP:(1005): ignoring retransmission,because phase2 node marked dead -2018918028  
Nov 21 10:15:42.568: ISAKMP (1005): received packet from {A}.{B}.{C}.{D} dport 500 sport 500 Global (R) QM_IDLE  
Nov 21 10:15:42.568: ISAKMP:(1005): phase 2 packet is a duplicate of a previous packet.  
Nov 21 10:15:42.568: ISAKMP:(1005): retransmitting due to retransmit phase 2  
Nov 21 10:15:42.570: ISAKMP:(1005): ignoring retransmission,because phase2 node marked dead -2018918028  
Nov 21 10:16:02.570: ISAKMP:(1005):purging node -2018918028  

Here is my configuration on the router:

interface GigabitEthernet0/1
 description "ISP 1"
 ip address {Q}.{W}.{E}.{R} 255.255.255.192
 ip access-group SECURITY-IN in
 ip access-group SECURITY-OUT out
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in max-fragments 16 max-reassemblies 64 timeout 5
 duplex auto
 speed auto
 crypto map MYMAP

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 password_here address {A}.{B}.{C}.{D}
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
!

crypto map MYMAP 10 ipsec-isakmp
 set peer {A}.{B}.{C}.{D}
 set transform-set MYSET
 match address 106

access-list 106 permit ip 192.168.6.0 0.0.0.255 172.16.16.0 0.0.0.255

Here are the logs and configuration on the firewall (attached as screenshots):

[Attachment: firewall log]

[Attachment: firewall VPN]

[Attachment: firewall IPSec profile]

[Attachment: firewall rule]

[Attachment: firewall IP host]

1 Answer

This is because the IPSec policies do not match. You can try the following:

On Sophos

  1. Uncheck/disable "Pass Data in Compression Format".

  2. In Phase 2, change PFS Group (DH Group) to None and change Key Life: 86400 to Key Life: 1800 to match the value on the Cisco C3925 router (crypto ipsec security-association lifetime seconds 1800).

On Cisco

Update crypto isakmp policy 10 with encryption DES and lifetime 86400 to match the Phase 1 settings on Sophos:

crypto isakmp policy 10
   encr des 
   hash md5
   authentication pre-share
   group 2
   lifetime 86400

=====

I don't see a NAT exemption configured on either end (we usually configure this with VPN tunnels so that the real source and destination IP addresses are not translated when passing through the tunnel). Please make sure you have configured that part as well.

=====

Another thing: for transform sets/combinations, Cisco no longer recommends ah-md5-hmac, esp-md5-hmac, esp-des or esp-3des (link here). Instead, you should use ah-sha-hmac, esp-sha-hmac or esp-aes.

The recommended transform-set combinations are:

  • esp-aes and esp-sha-hmac

  • esp-aes 256 and esp-sha-hmac

=====

You can recreate the VPN tunnel using all of the points above.

I hope this is helpful and that you can resolve it.
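The comparison the answer does by eye can be done mechanically. The script below is an added example, not code from the question or the answer: it parses the Quick Mode lines of the router's `debug crypto isakmp` output (the sample is constructed from the log in the question, with RFC 5737 documentation addresses standing in for the placeholder public IPs), groups the transforms the peer proposed by proposal number, decodes the lifetime bytes, and checks them against the router's transform set and SA lifetime. It reports the IP-compression transform that has no local counterpart, the lifetime difference the answer asks to align, the PFS group the router's crypto map does not configure, and the DES/MD5 transforms the answer calls deprecated. The debug-name-to-keyword mapping and the trimmed sample config are assumptions of this example.

```python
"""Check a Cisco IOS Quick Mode debug trace against the router's IPsec config."""
import re

# Constructed sample: the Phase 2 lines from the router log in the question.
SAMPLE_LOG = """\
Nov 21 10:15:12.570: ISAKMP:(1005):Checking IPSec proposal 0
Nov 21 10:15:12.570: ISAKMP: transform 0, ESP_DES
Nov 21 10:15:12.570: ISAKMP:      group is 2
Nov 21 10:15:12.570: ISAKMP:      encaps is 1 (Tunnel)
Nov 21 10:15:12.570: ISAKMP:      SA life type in seconds
Nov 21 10:15:12.570: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
Nov 21 10:15:12.570: ISAKMP:      authenticator is HMAC-MD5
Nov 21 10:15:12.570: ISAKMP:(1005):Checking IPSec proposal 0
Nov 21 10:15:12.570: ISAKMP:(1005):transform 0, IPPCP DEFLATE
Nov 21 10:15:12.570: ISAKMP:      encaps is 1 (Tunnel)
Nov 21 10:15:12.570: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
Nov 21 10:15:12.570: ISAKMP:(1005): IPSec policy invalidated proposal with error 256
Nov 21 10:15:12.570: ISAKMP:(1005): phase 2 SA policy not acceptable! (local 203.0.113.1 remote 198.51.100.1)
"""

# Constructed sample: the IPsec-relevant lines of the router config in the question.
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set MYSET
 match address 106
"""

# Assumed mapping from the names printed by 'debug crypto isakmp' to the
# keywords of 'crypto ipsec transform-set' (only the subset needed here).
ISAKMP_TO_IOS = {"ESP_DES": "esp-des", "ESP_3DES": "esp-3des", "ESP_AES": "esp-aes",
                 "HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}
# Transforms the answer says Cisco no longer recommends.
DEPRECATED = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_debug(text):
    """Group the peer's Phase 2 transforms by proposal number; capture the router's verdict."""
    proposals, verdict, current = {}, {"error": None, "rejected": False}, None
    for line in text.splitlines():
        if m := re.search(r"Checking IPSec proposal (\d+)", line):
            current = proposals.setdefault(int(m.group(1)), [])  # same number = AND'ed bundle
        elif m := re.search(r"transform \d+, (.+?)\s*$", line):
            if current is None:
                current = proposals.setdefault(0, [])
            current.append({"name": m.group(1)})
        elif m := re.search(r"invalidated proposal with error (\d+)", line):
            verdict["error"] = int(m.group(1))
        elif "phase 2 SA policy not acceptable" in line:
            verdict["rejected"] = True
        elif not current:
            continue  # attribute lines only make sense after a transform line
        elif m := re.search(r"group is (\d+)", line):
            current[-1]["pfs_group"] = int(m.group(1))
        elif m := re.search(r"SA life duration \(VPI\) of\s+((?:0x[0-9a-f]+\s*)+)", line, re.I):
            # Lifetime is printed as big-endian bytes: 0x0 0x1 0x51 0x80 -> 0x00015180 = 86400
            current[-1]["lifetime"] = int("".join(f"{int(b, 16):02x}" for b in m.group(1).split()), 16)
        elif m := re.search(r"authenticator is (\S+)", line):
            current[-1]["auth"] = m.group(1)
    return proposals, verdict


def parse_config(text):
    """Extract transform-set keywords, the SA lifetime and any 'set pfs' from an IOS config."""
    cfg = {"transform_sets": {}, "lifetime": None, "pfs": None}
    for line in text.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            keywords = []
            for tok in m.group(2).split():  # fold key sizes onto their cipher: 'esp-aes 256'
                if tok.isdigit() and keywords:
                    keywords[-1] += " " + tok
                else:
                    keywords.append(tok)
            cfg["transform_sets"][m.group(1)] = keywords
        elif m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)", line):
            cfg["lifetime"] = int(m.group(1))
        elif m := re.match(r"\s*set pfs (\S+)", line):
            cfg["pfs"] = m.group(1)
    return cfg


def compare(log_text, config_text):
    """Return human-readable findings about where the peer's proposal and local config differ."""
    proposals, verdict = parse_debug(log_text)
    cfg = parse_config(config_text)
    local = {kw.split()[0] for kws in cfg["transform_sets"].values() for kw in kws}
    findings = []
    if verdict["rejected"]:
        findings.append(f"router rejected the peer's Phase 2 proposal (error {verdict['error']})")
    for num, transforms in proposals.items():
        for t in transforms:
            if t["name"].startswith("IPPCP"):
                if not any(k.startswith("comp-") for k in local):
                    findings.append(f"proposal {num}: peer requires IP compression ({t['name']}) "
                                    "but no comp-* transform is configured locally")
                continue
            wanted = [ISAKMP_TO_IOS.get(t["name"], t["name"])]
            if "auth" in t:
                wanted.append(ISAKMP_TO_IOS.get(t["auth"], t["auth"]))
            for kw in wanted:
                if kw not in local:
                    findings.append(f"proposal {num}: peer wants {kw}, absent from local transform sets")
                elif kw in DEPRECATED:
                    findings.append(f"proposal {num}: {kw} matches locally but Cisco no longer recommends it")
            if t.get("pfs_group") and cfg["pfs"] is None:
                findings.append(f"proposal {num}: peer proposes PFS DH group {t['pfs_group']}, no 'set pfs' locally")
            if t.get("lifetime") and cfg["lifetime"] and t["lifetime"] != cfg["lifetime"]:
                findings.append(f"proposal {num}: peer SA lifetime {t['lifetime']}s differs from local {cfg['lifetime']}s")
    return findings


if __name__ == "__main__":
    for finding in compare(SAMPLE_LOG, SAMPLE_CONFIG):
        print("-", finding)
```

On the sample trace the first non-cosmetic finding is the IPComp transform: both transforms carry proposal number 0, so the peer is offering ESP and compression as one bundle, and the router has no compression transform to match it, which is exactly what disabling "Pass Data in Compression Format" on the Sophos side removes. The lifetime and PFS findings are reported as differences only; the block does not claim which of them would cause a rejection on its own.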