IPsec site-to-site VPN between Cisco ASA 9.0 and strongSwan 4.4

networking cisco-asa vpn ipsec
2022-02-06 20:17:55

The problem is IKEv2 authentication when the ASA is the initiator.

For the experiment below I set the following PSKs on the ASA: local: 123, remote: 321


If the ASA is the initiator

Now for several combinations in ipsec.secrets on the strongSwan side:

left 123, right 321

ASA:Auth exchange failed

SWAN: tried 1 shared key for '%any' - 'XXX', but MAC mismatched

left 123, right 123

ASA:Failed to authenticate the IKE SA

charon: 11[IKE] authentication of 'a' with pre-shared key successful
charon: 11[IKE] authentication of 'b' (myself) with pre-shared key
charon: 11[IKE] IKE_SA x[1] established between b[b]...a[a]

left 321, right 123 (this one should work)

ASA:Failed to authenticate the IKE SA

charon: 08[IKE] authentication of 'a' with pre-shared key successful
charon: 08[IKE] authentication of 'b' (myself) with pre-shared key
charon: 08[IKE] x[1] established between b[b]...a[a]

left 321, right 321

ASA: Auth exchange failed

SWAN: ... but MAC mismatched

If I set both PSKs to the same value on each side, everything works.

By the way, what is the point of having two different PSKs with IKEv2?

Oh, and when it fails to connect, the ASA debug shows the following:

REAL Decrypted packet:Data: 8 bytes
IKEv2-PROTO-5: Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED

Now, strongSwan is the initiator (still ASA local: 123, remote: 321):

left 123, right 321 !!!

SWAN ok

ASA ok

left 123, right 123

SWAN: received AUTHENTICATION_FAILED notify error

ASA: Failed to authenticate the IKE SA

left 321, right 123 (this one should work)

SWAN: received AUTHENTICATION_FAILED notify error

ASA: Failed to authenticate the IKE SA

left 321, right 321 !!!

SWAN ok

ASA ok

Here is the strongSwan conf:

# cat /var/lib/strongswan/ipsec.conf.inc

conn TEST
    left=l
    leftsubnet=n/24
    leftid=l
    leftfirewall=yes
    right=r
    rightsubnet=n/24
    rightid=r
    auto=add # or start
    ike=aes256-sha512-modp1024
    esp=aes256-sha1
    keyexchange=ikev2
    authby=secret # PSK authentication; the secret comes from ipsec.secrets

Here is the ASA conf, standard stuff:

tunnel-group x type ipsec-l2l
tunnel-group x general-attributes
 default-group-policy VPN_x_GP
tunnel-group x ipsec-attributes
 ! key used to verify the peer's AUTH payload
 ikev2 remote-authentication pre-shared-key 321
 ! key used to build the ASA's own AUTH payload
 ikev2 local-authentication pre-shared-key 123
group-policy VPN_x_GP internal
group-policy VPN_x_GP attributes
 vpn-filter value ACL_VPN_x
 vpn-tunnel-protocol ikev2
crypto ipsec ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map internet_crypto_map 1 match address internet_cryptomap
crypto map internet_crypto_map 1 set pfs
crypto map internet_crypto_map 1 set peer x
crypto map internet_crypto_map 1 set ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
crypto map internet_crypto_map interface outside
crypto ikev2 policy 999
 encryption aes-256
 integrity sha512
 group 2
 prf sha512
 lifetime seconds 86400
crypto ikev2 policy 1000
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

ipsec.secrets:

left : PSK "321"
right : PSK "123"

Although I now suspect this is not entirely correct, I believe it works for IKEv1, but I haven't found much documentation about IKEv2 (multiple PSKs). I'll investigate in that direction now.
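The combinations tested above come down to how the IKEv2 AUTH payload is computed for PSK authentication (RFC 7296 section 2.15): each side signs with the key it holds for itself and verifies with the key it holds for the peer, so an ASA with distinct local/remote keys only interoperates with a peer that mirrors them. The model below is an added example, not code from the original post or from strongSwan or Cisco; the signed octets are constructed placeholders, the peer names and the `Peer`, `ike_auth`, `asa`, `single_key_peer` and `mirrored_peer` helpers are assumptions, and the PRF is HMAC-SHA-512 to match the `prf sha512` in the ASA policy. It reproduces the four ASA-initiator outcomes reported above for a peer that keeps one secret for both directions; which secret strongSwan actually selects from ipsec.secrets when it initiates is not modelled here.

```python
import hashlib
import hmac

# RFC 7296 section 2.15: with pre-shared-key authentication each side sends
#   AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)
# and the receiver recomputes it with the key it holds for that peer.
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_512, matching 'prf sha512' in the ASA IKEv2 policy."""
    return hmac.new(key, data, hashlib.sha512).digest()


def ikev2_psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH payload value for pre-shared-key authentication."""
    return prf(prf(psk, KEY_PAD), signed_octets)


class Peer:
    """One IKEv2 endpoint with separate keys for signing and for verifying.

    ASA-style: sign_psk is 'local-authentication', verify_psk is
    'remote-authentication'. A peer that keeps a single secret gets the
    same value for both.
    """

    def __init__(self, name: str, sign_psk: bytes, verify_psk: bytes):
        self.name = name
        self.sign_psk = sign_psk
        self.verify_psk = verify_psk

    def build_auth(self, signed_octets: bytes) -> bytes:
        return ikev2_psk_auth(self.sign_psk, signed_octets)

    def verify_auth(self, signed_octets: bytes, auth: bytes) -> bool:
        expected = ikev2_psk_auth(self.verify_psk, signed_octets)
        return hmac.compare_digest(expected, auth)


# Constructed stand-ins for the real signed octets
# (RealMessage | Nonce | prf(SK_p, ID)); only their role matters here.
INIT_SIGNED_OCTETS = b"constructed IKE_SA_INIT request | Nr | prf(SK_pi, IDi')"
RESP_SIGNED_OCTETS = b"constructed IKE_SA_INIT response | Ni | prf(SK_pr, IDr')"


def ike_auth(initiator: Peer, responder: Peer) -> str:
    """Run the IKE_AUTH exchange and report who rejects the AUTH payload, if anyone."""
    # The initiator's AUTH is checked first; on failure the responder answers
    # with an AUTHENTICATION_FAILED notify (the 8-byte payload in the ASA debug).
    init_auth = initiator.build_auth(INIT_SIGNED_OCTETS)
    if not responder.verify_auth(INIT_SIGNED_OCTETS, init_auth):
        return f"{responder.name}: AUTHENTICATION_FAILED"
    # Only then does the responder send its own AUTH for the initiator to check.
    resp_auth = responder.build_auth(RESP_SIGNED_OCTETS)
    if not initiator.verify_auth(RESP_SIGNED_OCTETS, resp_auth):
        return f"{initiator.name}: AUTHENTICATION_FAILED"
    return "established"


def asa() -> Peer:
    """The ASA from the post: local-authentication 123, remote-authentication 321."""
    return Peer("ASA", sign_psk=b"123", verify_psk=b"321")


def single_key_peer(psk: bytes) -> Peer:
    """A peer holding one shared secret for both directions (assumed model)."""
    return Peer("strongSwan", sign_psk=psk, verify_psk=psk)


def mirrored_peer() -> Peer:
    """A peer whose keys mirror the ASA: signs with 321, verifies the ASA with 123."""
    return Peer("strongSwan", sign_psk=b"321", verify_psk=b"123")


if __name__ == "__main__":
    cases = [("single key 123", single_key_peer(b"123")),
             ("single key 321", single_key_peer(b"321")),
             ("mirrored 321/123", mirrored_peer())]
    for label, peer in cases:
        print(f"ASA initiator, strongSwan {label}: {ike_auth(asa(), peer)}")
        print(f"strongSwan initiator, {label}: {ike_auth(peer, asa())}")
```

With the ASA initiating, a single-key peer using 123 accepts the ASA's AUTH but its own AUTH is then rejected by the ASA (the "authentication of 'a' ... successful" followed by "Failed to authenticate the IKE SA" case), while a single-key peer using 321 rejects the ASA's AUTH outright (the "MAC mismatched" / "Auth exchange failed" case); only the mirrored peer authenticates in both directions.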

1 Answer

This was discussed on the strongSwan mailing list.

As you can see from that thread, in the end it turned out there is no real point in using it, at least not with strongSwan.