Cisco site-to-site VPN tunnel: failed to find a matching policy

networking cisco cisco-asa vpn ipsec
2022-02-21 09:52:15

I have a Palo Alto (PA) and a Cisco ASA 5585-X at two different sites and am trying to configure an IPsec VPN tunnel between them.

[PA]-----------(internet)-----------[Cisco ASA]

If I ping from the LAN on the Cisco ASA side to the PA, the tunnel comes up and the PCs on both sides can communicate normally. However, when the tunnel is down, if the LAN on the PA side tries to send traffic towards the Cisco ASA, the tunnel cannot be brought up.

When I run debugs on the Cisco ASA I see the following. When the tunnel comes up I see these messages in the debug output and I am not sure what is happening. If my configuration were wrong, the tunnel should not come up when the Cisco ASA sends the traffic either. What am I missing here?

Palo Alto IP: 1.1.1.1
Cisco ASA IP: 2.2.2.2

Cisco ASA IKEv2 and IPsec parameters:

crypto ikev2 policy 30
 encryption aes
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 28800

crypto ipsec ikev2 ipsec-proposal TRANSFORM-ESP-AES-SHA
 protocol esp encryption aes
 protocol esp integrity sha-256

Debug:

IKEv2-PROTO-2: (282): Received Packet [From 1.1.1.1:500/To 2.2.2.2:500/VRF i0:f0]
(282): Initiator SPI : D34E003E0752B818 - Responder SPI : 00AA509B0EC33790 Message id: 379
(282): IKEv2 CREATE_CHILD_SA Exchange REQUESTIKEv2-PROTO-3: (282): Next payload: ENCR, version: 2.0 (282): Exchange type: CREATE_CHILD_SA, flags: INITIATOR (282): Message id: 379, length: 444(282):
Payload contents:
(282):
(282): Decrypted packet:(282): Data: 444 bytes
(282): REAL Decrypted packet:(282): Data: 368 bytes
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: READY Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-5: (282): Action: Action_Null
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: CHILD_R_INIT Event: EV_RECV_CREATE_CHILD
IKEv2-PROTO-5: (282): Action: Action_Null
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: CHILD_R_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-2: (282): Validating create child message
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: CHILD_R_INIT Event: EV_CHK_CC_TYPE
IKEv2-PROTO-2: (282): Check for create child response message type
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: CHILD_R_IPSEC Event: EV_PROC_MSG
IKEv2-PROTO-2: (282): Processing CREATE_CHILD_SA exchange
IKEv2-PROTO-1: (282): Failed to find a matching policy
IKEv2-PROTO-1: (282): Received Policies:
IKEv2-PROTO-1: (282): Failed to find a matching policy
IKEv2-PROTO-1: (282): Expected Policies:
IKEv2-PROTO-5: (282): Failed to verify the proposed policies
IKEv2-PROTO-1: (282): Failed to find a matching policy
IKEv2-PROTO-1: (282):
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: CHILD_R_IPSEC Event: EV_NO_PROP_CHOSEN
IKEv2-PROTO-2: (282): Sending no proposal chosen notify
IKEv2-PROTO-2: (282): Building packet for encryption.
(282):
Payload contents:
(282):  NOTIFY(NO_PROPOSAL_CHOSEN)(282):   Next payload: NONE, reserved: 0x0, length: 8
(282):     Security protocol id: ESP, spi size: 0, type: NO_PROPOSAL_CHOSEN
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: CHILD_R_IPSEC Event: EV_ENCRYPT_MSG
IKEv2-PROTO-2: (282):
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: CHILD_R_IPSEC Event: EV_NO_EVENT
IKEv2-PROTO-5: (282): Locked SA.Event EV_FREE_NEG queued in the state EXIT
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: CHILD_R_IPSEC Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-5: (282): Action: Action_Null
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: CHILD_R_IPSEC Event: EV_TRYSEND
(282):
IKEv2-PROTO-2: (282): Sending Packet [To 1.1.1.1:500/From 2.2.2.2:500/VRF i0:f0]
(282): Initiator SPI : D34E003E0752B818 - Responder SPI : 00AA509B0EC33790 Message id: 379
(282): IKEv2 CREATE_CHILD_SA Exchange RESPONSEIKEv2-PROTO-3: (282): Next payload: ENCR, version: 2.0 (282): Exchange type: CREATE_CHILD_SA, flags: RESPONDER MSG-RESPONSE (282): Message id: 379, length: 76(282):
Payload contents:
(282):  ENCR(282):   Next payload: NOTIFY, reserved: 0x0, length: 48
(282): Encrypted data: 44 bytes
(282):
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: CHILD_R_DONE Event: EV_FAIL
IKEv2-PROTO-1: (282): Create child exchange failed
IKEv2-PROTO-1: (282):
IKEv2-PROTO-2: (282): IPSec SA create failed
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (282): Sent response with message id 379, Requests can be accepted from range 380 to 380
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017B CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: (282): Abort exchange
IKEv2-PROTO-5: (282): Deleting negotiation context for peer message ID: 0x17b
IKEv2-PROTO-5: (282): SM Trace-> SA: I_SPI=D34E003E0752B818 R_SPI=00AA509B0EC33790 (R) MsgID = 0000017A CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-5: (282): Deleting negotiation context for peer message ID: 0x17a
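The debug above ends with the ASA, as responder, answering a CREATE_CHILD_SA request with NOTIFY(NO_PROPOSAL_CHOSEN) for protocol ESP, and the "Received Policies" / "Expected Policies" lines it prints are empty, so the log alone does not say which transform disagreed. The following is an added example, not part of the original post and not ASA or PAN-OS code: a small Python model of the IKEv2 proposal-matching rule (RFC 7296 section 3.3) that a responder applies. The responder side mirrors the `TRANSFORM-ESP-AES-SHA` proposal from the posted configuration (AES-128-CBC with HMAC-SHA-256, and no D-H transform because no PFS group appears in what was posted); the three initiator proposals are constructed to exercise the ways a CHILD_SA proposal can fail, and are not the Palo Alto's actual proposals, which the post does not show.

```python
"""Model of IKEv2 proposal matching (RFC 7296 section 3.3).

Constructed for illustration only: this is neither ASA nor PAN-OS code and it
does not parse real IKE packets. The responder side mirrors the ipsec-proposal
posted above; the initiator proposals are made up to show how a mismatch ends
in NO_PROPOSAL_CHOSEN.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Transform types of an ESP proposal (RFC 7296 section 3.3.2). ESN is left out.
ENCR, INTEG, DH = "ENCR", "INTEG", "DH"


@dataclass
class Proposal:
    """One proposal: for each transform type, the algorithms acceptable to that side.

    A transform type that is absent is not negotiated at all by that side; for
    a CHILD_SA, no D-H transform means no PFS on that SA.
    """
    name: str
    transforms: Dict[str, FrozenSet[str]]


def select(initiator: Proposal, responder: Proposal) -> Optional[Dict[str, str]]:
    """Return one chosen algorithm per transform type, or None if unacceptable.

    The responder must choose exactly one transform of every type the initiator
    proposed and may not add a type the initiator did not include, so the two
    sides must agree on the set of transform types and share at least one
    algorithm within each type.
    """
    if set(initiator.transforms) != set(responder.transforms):
        return None
    chosen: Dict[str, str] = {}
    for ttype in sorted(initiator.transforms):
        common = initiator.transforms[ttype] & responder.transforms[ttype]
        if not common:
            return None
        # Responder preference order is not modelled; pick deterministically.
        chosen[ttype] = sorted(common)[0]
    return chosen


def negotiate(initiator_sets: List[Proposal],
              responder_sets: List[Proposal]) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Walk the initiator's proposals in order against the responder's configuration.

    Returns (initiator proposal, responder proposal, chosen transforms) for the
    first acceptable pair, or None, which is what the responder turns into the
    NOTIFY(NO_PROPOSAL_CHOSEN) seen in the debug.
    """
    for ip in initiator_sets:
        for rp in responder_sets:
            chosen = select(ip, rp)
            if chosen is not None:
                return ip.name, rp.name, chosen
    return None


def responder_notify(initiator_sets: List[Proposal], responder_sets: List[Proposal]) -> str:
    """Outcome of the CREATE_CHILD_SA exchange from the responder's point of view."""
    return "OK" if negotiate(initiator_sets, responder_sets) else "NO_PROPOSAL_CHOSEN"


def explain(initiator: Proposal, responder: Proposal) -> List[str]:
    """Reasons why select() rejects a pair (empty list when it matches)."""
    reasons: List[str] = []
    for ttype in sorted(set(initiator.transforms) - set(responder.transforms)):
        reasons.append(f"{ttype}: proposed by initiator but not negotiated by responder")
    for ttype in sorted(set(responder.transforms) - set(initiator.transforms)):
        reasons.append(f"{ttype}: required by responder but absent from the proposal")
    for ttype in sorted(set(initiator.transforms) & set(responder.transforms)):
        if not initiator.transforms[ttype] & responder.transforms[ttype]:
            reasons.append(f"{ttype}: no algorithm in common")
    return reasons


# Responder: the ASA ipsec-proposal from the post. "encryption aes" is 128-bit
# AES-CBC on the ASA; no PFS group appears in the posted configuration, so the
# model has no D-H transform on this side.
ASA_PROPOSALS = [Proposal("TRANSFORM-ESP-AES-SHA", {
    ENCR: frozenset({"AES-CBC-128"}),
    INTEG: frozenset({"HMAC-SHA2-256-128"}),
})]

# Initiator: constructed peer proposals. They are NOT the Palo Alto's real
# proposals, which the post does not show; they only exercise the ways a
# CHILD_SA proposal can fail to match.
PEER_MATCH = Proposal("peer-match", {
    ENCR: frozenset({"AES-CBC-256", "AES-CBC-128"}),
    INTEG: frozenset({"HMAC-SHA2-256-128"}),
})
PEER_PFS = Proposal("peer-pfs", {           # adds a D-H group the responder lacks
    ENCR: frozenset({"AES-CBC-128"}),
    INTEG: frozenset({"HMAC-SHA2-256-128"}),
    DH: frozenset({"MODP-1024"}),
})
PEER_SHA1 = Proposal("peer-sha1", {         # integrity algorithm not shared
    ENCR: frozenset({"AES-CBC-128"}),
    INTEG: frozenset({"HMAC-SHA1-96"}),
})

if __name__ == "__main__":
    for peer in (PEER_MATCH, PEER_PFS, PEER_SHA1):
        print(peer.name, responder_notify([peer], ASA_PROPOSALS),
              explain(peer, ASA_PROPOSALS[0]))
```

The point of the model is that a CHILD_SA proposal is accepted only when both sides negotiate the same set of transform types and share an algorithm in every one of them; a D-H (PFS) group present on only one side is rejected just as an integrity mismatch is. Where the ASA's own "Received Policies" and "Expected Policies" lines are blank, the practical check is to compare the initiator's Phase 2 settings (cipher, integrity, PFS group) against the responder's proposal and crypto map in exactly that way.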
0 answers