IKEv2 between a Cisco router and Google Cloud VPN

network-engineering cisco vpn ipsec ike ikev2
2022-02-03 09:40:58

Hey, I'm trying to build a tunnel between a Cisco router and Google Cloud VPN (the client site), but the connection is stuck in phase 2 (UP-IDLE) and I need help working out what is wrong. Some debug output I collected on my side:

May 10 12:52:23.430 CEST: map_db_find_best did not find matching map
May 10 12:52:23.430 CEST: Cannot find crypto swsb : in ipsec_process_proposal (), 1590
May 10 12:52:23.438 CEST: IPSEC(ipsec_process_proposal): proxy identities not supported
IPSEC(ipsec_process_proposal): transform proposal not supported for identity


May 10 11:54:19.554 CEST: IKEv2:(SESSION ID = 3090987,SA ID = 6):Received Packet [From XXX.XXX.XXX.XXX:500/To YYY.YYY.YYY.YYY:500/VRF i9:f0]
Initiator SPI : 84F2BC1F7A5C9044 - Responder SPI : 0C1D07CE85C56572 Message id: 20
IKEv2 CREATE_CHILD_SA Exchange REQUEST
Payload contents:
 SA N KE TSi TSr
 
May 10 11:55:49.566 CEST: IKEv2:(SESSION ID = 3090987,SA ID = 6):: There was no IPSEC policy found for received TS
May 10 11:55:49.566 CEST: IKEv2:(SESSION ID = 3090987,SA ID = 6):Sending TS unacceptable notify

The same logs from the client site:

failed to establish CHILD_SA, keeping IKE_SA    2021-05-10T08:04:49.998898651Z
received TS_UNACCEPTABLE notify, no CHILD_SA built  2021-05-10T08:04:49.998893445Z
parsed CREATE_CHILD_SA response 94 [ N(TS_UNACCEPT) ]   2021-05-10T08:04:49.998863886Z
received packet: from YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500] (80 bytes)   2021-05-10T08:04:49.998762590Z
sending packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (640 bytes)   2021-05-10T08:04:49.959490053Z
generating CREATE_CHILD_SA request 94 [ SA No KE TSi TSr ]  2021-05-10T08:04:49.958783525Z
establishing CHILD_SA vpn_YYY.YYY.YYY.YYY{1}    2021-05-10T08:04:49.953584118Z
creating acquire job for policy with reqid {1}  2021-05-10T08:04:49.953505597Z

The configuration on Google Cloud VPN looks like this: a GUI editor in which you choose options such as "remote peer IP", "IKE version", "pre-shared key" and "routing option". The client chose policy-based routing, which supplies the correct remote network and local IP range.

That's it; there is no choice of encryption, integrity or DH group. From what I've read, Google handles this automatically by proposing the ciphers it supports.

My Cisco side:

crypto ikev2 keyring KEYRING
 peer CST-SITE
  address XXX.XXX.XXX.XXX
  pre-shared-key somekey

crypto ikev2 proposal IKE2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 5

crypto ikev2 policy IKE2-POLICY
 match fvrf CST-001
 match address local XXX.XXX.XXX.XXX
 proposal IKE2-PROP

crypto ikev2 profile IKE2-PROF
 match identity remote address YYY.YYY.YYY.YYY 255.255.255.255
 identity local address XXX.XXX.XXX.XXX
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 lifetime 36000
 ivrf CST-001
 dpd 60 5 periodic

crypto map CMAP_CST ipsec-isakmp
 description VPN-to-GOOGLE
 set peer YYY.YYY.YYY.YYY
 set security-association lifetime seconds 10800
 set transform-set TS-AES256-SHA256
 set pfs group5
 set ikev2-profile IKE2-PROF
 match address ACL-IPSEC-VPN

crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac


ip access-list extended ACL-IPSEC-VPN
 permit ip 10.0.0.0 0.0.0.255 172.15.0.0 0.0.0.255

ip route vrf CST-001 172.15.0.0 255.255.255.0 GigabitEthernet0/0 XXX.XXX.XXX.XXX
ip route vrf CST-001 YYY.YYY.YYY.YYY 255.255.255.255 GigabitEthernet0/0 XXX.XXX.XXX.XXX
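The two log lines "There was no IPSEC policy found for received TS" and "Sending TS unacceptable notify" are the responder-side traffic-selector check of the CREATE_CHILD_SA exchange (RFC 7296, section 2.9): the initiator's TSi/TSr payloads are compared against the local IPsec policy, here the crypto-map ACL, and if no policy entry overlaps them the responder answers with TS_UNACCEPTABLE, which is exactly what the client-site log shows. The script below is an added example, not code from the post or from Cisco or Google; it models that check in Python. The ACL line is the one from the post (10.0.0.0/24 local, 172.15.0.0/24 remote); the peer proposals are constructed samples. It goes slightly beyond the post by modelling both an RFC-style responder that narrows a wider proposal and a stricter one that only accepts selectors equal to its policy, since which of the two a given stack does is implementation dependent.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE entry (RFC 7296 section 3.13.1):
    an address range, an IP protocol (0 = any) and a port range."""
    start: str
    end: str
    proto: int = 0
    port_start: int = 0
    port_end: int = 65535


def ts_from_network(net: str, proto: int = 0) -> TrafficSelector:
    """Build a selector covering a whole prefix. The mask may be a prefix
    length, a netmask or a Cisco-style wildcard (ipaddress accepts hostmasks)."""
    n = ip_network(net, strict=False)
    return TrafficSelector(str(n.network_address), str(n.broadcast_address), proto)


def policy_from_acl(acl_lines):
    """Turn 'permit ip <src> <wildcard> <dst> <wildcard>' lines of an extended
    ACL into (local_ts, remote_ts) pairs. Only 'ip' entries are handled; in a
    crypto-map ACL the source side is the local network."""
    policy = []
    for line in acl_lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "permit" or parts[1] != "ip":
            continue
        src, src_wc, dst, dst_wc = parts[2:6]
        policy.append((ts_from_network(f"{src}/{src_wc}"),
                       ts_from_network(f"{dst}/{dst_wc}")))
    return policy


def narrow(proposed, policy, exact=False):
    """Intersection of a proposed selector with a policy selector, or None if
    they are disjoint. exact=True models a responder that refuses to narrow and
    only accepts a proposal whose address range equals the policy's."""
    if exact and (proposed.start, proposed.end) != (policy.start, policy.end):
        return None
    lo = max(ip_address(proposed.start), ip_address(policy.start))
    hi = min(ip_address(proposed.end), ip_address(policy.end))
    if lo > hi:
        return None
    if proposed.proto and policy.proto and proposed.proto != policy.proto:
        return None
    p_lo = max(proposed.port_start, policy.port_start)
    p_hi = min(proposed.port_end, policy.port_end)
    if p_lo > p_hi:
        return None
    return TrafficSelector(str(lo), str(hi), proposed.proto or policy.proto, p_lo, p_hi)


def responder_check(tsi_list, tsr_list, policy, exact=False):
    """Evaluate a CREATE_CHILD_SA request as the responder. The initiator's TSi
    describes *its* networks, so it is matched against our remote side and TSr
    against our local side. Returns ('OK', tsi, tsr) with the (possibly
    narrowed) selectors, or ('TS_UNACCEPTABLE', None, None)."""
    for local_ts, remote_ts in policy:
        for tsi in tsi_list:
            n_i = narrow(tsi, remote_ts, exact)
            if n_i is None:
                continue
            for tsr in tsr_list:
                n_r = narrow(tsr, local_ts, exact)
                if n_r is not None:
                    return ("OK", n_i, n_r)
    return ("TS_UNACCEPTABLE", None, None)


# ACL entry from the post; the peer proposals below are constructed samples.
POLICY = policy_from_acl(["permit ip 10.0.0.0 0.0.0.255 172.15.0.0 0.0.0.255"])

if __name__ == "__main__":
    cases = {
        "matching": ([ts_from_network("172.15.0.0/24")], [ts_from_network("10.0.0.0/24")]),
        "wrong local subnet": ([ts_from_network("172.15.0.0/24")], [ts_from_network("10.0.1.0/24")]),
        "peer proposes any/any": ([ts_from_network("0.0.0.0/0")], [ts_from_network("0.0.0.0/0")]),
    }
    for name, (tsi, tsr) in cases.items():
        for exact in (False, True):
            verdict = responder_check(tsi, tsr, POLICY, exact)[0]
            print(f"{name:24s} exact={exact!s:5s} -> {verdict}")
```

When troubleshooting a TS_UNACCEPTABLE, the useful comparison is therefore the peer's TSi/TSr (from a debug of the CREATE_CHILD_SA payloads) against the networks in the crypto-map ACL, in the right direction: the peer's TSi must fit the ACL destination and its TSr the ACL source, and a responder that does not narrow needs them to match exactly.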
0 answers